Merge pull request #1746 from GSA/main

5/30/25 Production Deploy

Author: ccostino

.ds.baseline

@@ -136,7 +136,253 @@
         "line_number": 18,
         "is_secret": false
       }
+    ],
+    ".github/workflows/checks.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": ".github/workflows/checks.yml",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 28,
+        "is_secret": false
+      },
+      {
+        "type": "Basic Auth Credentials",
+        "filename": ".github/workflows/checks.yml",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 45,
+        "is_secret": false
+      }
+    ],
+    ".github/workflows/daily_checks.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": ".github/workflows/daily_checks.yml",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 71,
+        "is_secret": false
+      },
+      {
+        "type": "Basic Auth Credentials",
+        "filename": ".github/workflows/daily_checks.yml",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 87,
+        "is_secret": false
+      }
+    ],
+    "app/enums.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "app/enums.py",
+        "hashed_secret": "12322e07b94ee3c7cd65a2952ece441538b53eb3",
+        "is_verified": false,
+        "line_number": 123,
+        "is_secret": false
+      }
+    ],
+    "app/notifications/receive_notifications.py": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "app/notifications/receive_notifications.py",
+        "hashed_secret": "d70eab08607a4d05faa2d0d6647206599e9abc65",
+        "is_verified": false,
+        "line_number": 29,
+        "is_secret": false
+      }
+    ],
+    "deploy-config/sandbox.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "deploy-config/sandbox.yml",
+        "hashed_secret": "113151dd10316fcb0d5507b6215d78e2f3fe9e54",
+        "is_verified": false,
+        "line_number": 11,
+        "is_secret": false
+      }
+    ],
+    "sample.env": [
+      {
+        "type": "Basic Auth Credentials",
+        "filename": "sample.env",
+        "hashed_secret": "5b98cf4c3d794c8af1fcd7991e89cd4e52fb42a4",
+        "is_verified": false,
+        "line_number": 16,
+        "is_secret": false
+      }
+    ],
+    "tests/app/clients/test_document_download.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/clients/test_document_download.py",
+        "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f",
+        "is_verified": false,
+        "line_number": 14,
+        "is_secret": false
+      }
+    ],
+    "tests/app/clients/test_performance_platform.py": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "tests/app/clients/test_performance_platform.py",
+        "hashed_secret": "76bb66c38ac4046bf73cd4a2c35a2b0af94aeb61",
+        "is_verified": false,
+        "line_number": 84,
+        "is_secret": false
+      }
+    ],
+    "tests/app/dao/test_services_dao.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/dao/test_services_dao.py",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 289,
+        "is_secret": false
+      }
+    ],
+    "tests/app/dao/test_users_dao.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/dao/test_users_dao.py",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 69,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/dao/test_users_dao.py",
+        "hashed_secret": "f2c57870308dc87f432e5912d4de6f8e322721ba",
+        "is_verified": false,
+        "line_number": 199,
+        "is_secret": false
+      }
+    ],
+    "tests/app/db.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/db.py",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 90,
+        "is_secret": false
+      }
+    ],
+    "tests/app/notifications/test_receive_notification.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/notifications/test_receive_notification.py",
+        "hashed_secret": "913a73b565c8e2c8ed94497580f619397709b8b6",
+        "is_verified": false,
+        "line_number": 27,
+        "is_secret": false
+      },
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "tests/app/notifications/test_receive_notification.py",
+        "hashed_secret": "d70eab08607a4d05faa2d0d6647206599e9abc65",
+        "is_verified": false,
+        "line_number": 57,
+        "is_secret": false
+      }
+    ],
+    "tests/app/notifications/test_validators.py": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "tests/app/notifications/test_validators.py",
+        "hashed_secret": "6c1a8443963d02d13ffe575a71abe19ea731fb66",
+        "is_verified": false,
+        "line_number": 672,
+        "is_secret": false
+      }
+    ],
+    "tests/app/service/test_rest.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/service/test_rest.py",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 1285,
+        "is_secret": false
+      }
+    ],
+    "tests/app/test_cloudfoundry_config.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/test_cloudfoundry_config.py",
+        "hashed_secret": "e5e178db7317356946d13e5d2da037d39ac61c71",
+        "is_verified": false,
+        "line_number": 12,
+        "is_secret": false
+      },
+      {
+        "type": "Basic Auth Credentials",
+        "filename": "tests/app/test_cloudfoundry_config.py",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 14,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/test_cloudfoundry_config.py",
+        "hashed_secret": "cfd48edeb81ba7d48cbddcf1eeede25ba67057e8",
+        "is_verified": false,
+        "line_number": 33,
+        "is_secret": false
+      }
+    ],
+    "tests/app/user/test_rest.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/user/test_rest.py",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 110,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/app/user/test_rest.py",
+        "hashed_secret": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33",
+        "is_verified": false,
+        "line_number": 864,
+        "is_secret": false
+      }
+    ],
+    "tests/notifications_utils/clients/antivirus/test_antivirus_client.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/notifications_utils/clients/antivirus/test_antivirus_client.py",
+        "hashed_secret": "932b25270abe1301c22c709a19082dff07d469ff",
+        "is_verified": false,
+        "line_number": 16,
+        "is_secret": false
+      }
+    ],
+    "tests/notifications_utils/clients/encryption/test_encryption_client.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/notifications_utils/clients/encryption/test_encryption_client.py",
+        "hashed_secret": "f1e923a9667de11be6a210849a8651c1bfd81605",
+        "is_verified": false,
+        "line_number": 13,
+        "is_secret": false
+      }
+    ],
+    "tests/notifications_utils/clients/zendesk/test_zendesk_client.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/notifications_utils/clients/zendesk/test_zendesk_client.py",
+        "hashed_secret": "913a73b565c8e2c8ed94497580f619397709b8b6",
+        "is_verified": false,
+        "line_number": 16,
+        "is_secret": false
+      }
     ]
   },
-  "generated_at": "2025-05-12T16:45:34Z"
+  "generated_at": "2025-06-02T13:22:36Z"
 }

.github/actions/setup-project/action.yml

@@ -15,7 +15,10 @@ runs:
         python-version: "3.12.3"
     - name: Install poetry
       shell: bash
-      run: pip install poetry==1.8.5
+      run: pip install poetry==2.1.3
+    - name: Install poetry export
+      shell: bash
+      run: poetry self add poetry-plugin-export
     - name: Downgrade virtualenv to compatible version
       shell: bash
       run: pip install "virtualenv<20.30"

.github/workflows/checks.yml

@@ -87,12 +87,20 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-project
       - name: Create requirements.txt
-        run: poetry export --without-hashes --format=requirements.txt > requirements.txt
-      - uses: pypa/gh-action-pip-audit@v1.0.8
+        run: poetry export --output requirements_tmp.txt --without-hashes
+      - name: Filter requirements.txt
+        run: grep -v "oscrypto@ git" requirements_tmp.txt > requirements.txt
+      - name: Verify requirements.txt
+        run: ls -l requirements.txt
+      - name: Print requirements.txt
+        run: |
+          echo "Contents of requirements.txt:"
+          cat requirements.txt
+      - uses: pypa/gh-action-pip-audit@v1.1.0
         with:
           inputs: requirements.txt
           ignore-vulns: |
-            PYSEC-2022-43162
+            PYSEC-2023-312
 
   static-scan:
     runs-on: ubuntu-latest

.github/workflows/daily_checks.yml

@@ -26,10 +26,20 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-project
       - name: Create requirements.txt
-        run: poetry export --without-hashes --format=requirements.txt > requirements.txt
+        run: poetry export --output requirements_tmp.txt --without-hashes
+      - name: Filter requirements.txt
+        run: grep -v "oscrypto@ git" requirements_tmp.txt > requirements.txt
+      - name: Verify requirements.txt
+        run: ls -l requirements.txt
+      - name: Print requirements.txt
+        run: |
+          echo "Contents of requirements.txt:"
+          cat requirements.txt
       - uses: pypa/gh-action-pip-audit@v1.1.0
         with:
           inputs: requirements.txt
+          ignore-vulns: |
+            PYSEC-2023-312
       - name: Upload pip-audit artifact
         uses: actions/upload-artifact@v4
         with:

.github/workflows/deploy-demo.yml

@@ -44,7 +44,7 @@ jobs:
       run: make bootstrap
 
     - name: Create requirements.txt
-      run: poetry export --without-hashes --format=requirements.txt > requirements.txt
+      run: poetry export --output requirements.txt
 
     - name: Deploy to cloud.gov
       uses: cloud-gov/cg-cli-tools@main

.github/workflows/deploy-prod.yml

@@ -48,7 +48,7 @@ jobs:
       run: make bootstrap
 
     - name: Create requirements.txt
-      run: poetry export --without-hashes --format=requirements.txt > requirements.txt
+      run: poetry export --output requirements.txt
 
     - name: Deploy to cloud.gov
       uses: cloud-gov/cg-cli-tools@main

.github/workflows/deploy.yml

@@ -50,7 +50,7 @@ jobs:
       run: make bootstrap
 
     - name: Create requirements.txt
-      run: poetry export --without-hashes --format=requirements.txt > requirements.txt
+      run: poetry export --output requirements.txt
 
     - name: Deploy to cloud.gov
       uses: cloud-gov/cg-cli-tools@main

Makefile

@@ -16,8 +16,7 @@ GIT_HOOKS_PATH ?= $(shell git config --global core.hooksPath || echo "")
 .PHONY: bootstrap
 bootstrap: ## Set up everything to run the app
 	make generate-version-file
-	poetry lock --no-update
-	poetry install --sync --no-root
+	poetry sync --no-root
 	poetry run pre-commit install
 	createdb notification_api || true
 	createdb test_notification_api || true
@@ -26,8 +25,7 @@ bootstrap: ## Set up everything to run the app
 .PHONY: bootstrap-with-git-hooks
 bootstrap-with-git-hooks:  ## Sets everything up and accounts for pre-existing git hooks
 	make generate-version-file
-	poetry lock --no-update
-	poetry install --sync --no-root
+	poetry sync --no-root
 	git config --global --unset-all core.hooksPath
 	poetry run pre-commit install
 	git config --global core.hookspath "${GIT_HOOKS_PATH}"
@@ -112,19 +110,19 @@ test: ## Run tests and create coverage report
 
 .PHONY: py-lock
 py-lock: ## Syncs dependencies and updates lock file without performing recursive internal updates
-	poetry lock --no-update
-	poetry install --sync
+	poetry sync --no-root
+	poetry lock
 
 .PHONY: freeze-requirements
 freeze-requirements: ## Pin all requirements including sub dependencies into requirements.txt
-	poetry export --without-hashes --format=requirements.txt > requirements.txt
+	poetry export --output > requirements.txt
 
 .PHONY: audit
 audit:
 	poetry requirements > requirements.txt
 	poetry requirements --dev > requirements_for_test.txt
-	poetry run pip-audit -r requirements.txt
-	poetry run pip-audit -r requirements_for_test.txt
+	poetry run pip-audit -r requirements.txt --skip-editable
+	poetry run pip-audit -r requirements_for_test.txt --skip-editable
 
 .PHONY: static-scan
 static-scan: