Merge pull request #171 from amazeeio/dev

release: linting, dependabot, & add cache-control middleware

Author: dan2k3k4

.github/dependabot.yaml

@@ -0,0 +1,58 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  commit-message:
+    prefix: chore
+    include: scope
+  directory: /
+  schedule:
+    interval: monthly
+  groups:
+    github-actions:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"
+- package-ecosystem: docker
+  commit-message:
+    prefix: chore
+    include: scope
+  directory: /
+  schedule:
+    interval: monthly
+  groups:
+    docker:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"
+- package-ecosystem: pip
+  commit-message:
+    prefix: chore
+    include: scope
+  directory: /
+  schedule:
+    interval: monthly
+  groups:
+    pip:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"
+- package-ecosystem: npm
+  commit-message:
+    prefix: chore
+    include: scope
+  directory: /
+  schedule:
+    interval: monthly
+  groups:
+    pip:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"

.github/dependency-review-config.yaml

@@ -0,0 +1,12 @@
+# https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+allow-licenses:
+- 'Apache-2.0'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'X11'
+- 'Zlib'

.github/workflows/dependency-review.yaml

@@ -0,0 +1,20 @@
+name: dependency review
+on:
+  pull_request:
+    branches:
+    - main
+    - dev
+  merge_group:
+    types:
+    - checks_requested
+permissions: {}
+jobs:
+  dependency-review:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1
+      with:
+        config-file: .github/dependency-review-config.yaml

.github/workflows/helm-package-publish.yml

@@ -137,7 +137,7 @@ jobs:
           for chart in */; do
             chart_name=$(basename "$chart")
             echo "Testing chart: $chart_name"
-            helm template test-$chart_name "$chart_name" > /dev/null
+            helm template "test-$chart_name" "$chart_name" > /dev/null
             echo "✅ $chart_name chart template test passed"
           done
 

.github/workflows/lint.yaml

@@ -0,0 +1,27 @@
+name: lint
+on:
+  pull_request:
+    branches:
+    - main
+    - dev
+  merge_group:
+    types:
+    - checks_requested
+permissions: {}
+jobs:
+  lint-python:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 # v3.5.1
+  lint-actions:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0
+      with:
+        args: -color

.github/workflows/ossf-analysis.yaml

@@ -0,0 +1,31 @@
+name: OSSF scorecard
+on:
+  push:
+    branches:
+    - main
+permissions: {}
+jobs:
+  ossf-scorecard-analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      # Needed if using Code scanning alerts
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - name: Run analysis
+      uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        # Publish the results for public repositories to enable scorecard badges. For more details, see
+        # https://github.com/ossf/scorecard-action#publishing-results.
+        # For private repositories, `publish_results` will automatically be set to `false`, regardless
+        # of the value entered here.
+        publish_results: true
+    - name: Upload SARIF results to code scanning
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5
+      with:
+        sarif_file: results.sarif

.github/workflows/publish.yml

@@ -2,7 +2,8 @@ name: Publish Docker Images
 
 on:
   push:
-    branches: [ dev ]
+    branches:
+    - dev
 
 env:
   REGISTRY: ghcr.io
@@ -15,6 +16,9 @@ jobs:
     permissions:
       contents: read
       packages: write
+      # required by attest-build-provenance
+      id-token: write
+      attestations: write
 
     steps:
     - name: Checkout repository
@@ -41,6 +45,7 @@ jobs:
           type=sha,prefix={{branch}}-
 
     - name: Build and push backend Docker image
+      id: docker-build-push
       uses: docker/build-push-action@v5
       with:
         context: .
@@ -51,11 +56,21 @@ jobs:
         cache-from: type=gha
         cache-to: type=gha,mode=max
 
+    - name: Attest container image
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-digest: ${{steps.docker-build-push.outputs.digest}}
+        subject-name: ghcr.io/${{github.repository}}-backend
+        push-to-registry: true
+
   build-and-push-frontend:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
+      # required by attest-build-provenance
+      id-token: write
+      attestations: write
 
     steps:
     - name: Checkout repository
@@ -82,6 +97,7 @@ jobs:
           type=sha,prefix={{branch}}-
 
     - name: Build and push frontend Docker image
+      id: docker-build-push
       uses: docker/build-push-action@v5
       with:
         context: ./frontend
@@ -90,4 +106,11 @@ jobs:
         tags: ${{ steps.meta-frontend.outputs.tags }}
         labels: ${{ steps.meta-frontend.outputs.labels }}
         cache-from: type=gha
-        cache-to: type=gha,mode=max
+        cache-to: type=gha,mode=max
+
+    - name: Attest container image
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-digest: ${{steps.docker-build-push.outputs.digest}}
+        subject-name: ghcr.io/${{github.repository}}-frontend
+        push-to-registry: true

Makefile

@@ -116,4 +116,8 @@ migration-downgrade:
 
 migration-stamp:
 	@read -p "Enter revision to stamp: " revision; \
-	python3 scripts/manage_migrations.py stamp "$$revision"
+	python3 scripts/manage_migrations.py stamp "$$revision"
+
+.PHONY: lint
+lint:
+	ruff check

README.md

@@ -1,5 +1,8 @@
 # amazee.ai
 
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/11464/badge)](https://www.bestpractices.dev/projects/11464)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/amazeeio/amazee.ai/badge)](https://securityscorecards.dev/viewer/?uri=github.com/amazeeio/amazee.ai)
+
 This repository contains the backend and frontend services for the amazee.ai application. The project is built using a modern tech stack including Python FastAPI for the backend, Next.js with TypeScript for the frontend, and PostgreSQL for the database.
 
 

app/api/audit.py

@@ -1,8 +1,8 @@
 from fastapi import APIRouter, Depends, Query, HTTPException, status
 from sqlalchemy.orm import Session
-from typing import List, Optional
+from typing import Optional
 from datetime import datetime
-from sqlalchemy import distinct, text, cast, String
+from sqlalchemy import distinct, cast, String
 from app.db.database import get_db
 from app.api.auth import get_current_user_from_auth
 from app.schemas.models import AuditLogResponse, PaginatedAuditLogResponse, AuditLogMetadata