Merge branch 'main' into feat/view-users-groups

# Conflicts:
#	frontend/web/components/pages/UsersAndPermissionsPage.tsx

.dockerignore

@@ -12,3 +12,4 @@ Dockerfile
 .ebignore
 .ebextensions
 .direnv
+.github

.github/actions/api-deploy-ecs/action.yml

@@ -130,7 +130,7 @@ runs:
               },
               "InputTransformer": {
                 "InputPathsMap":{"project_id":"$.detail.project_id"},
-                "InputTemplate": "{ \"containerOverrides\": [ { \"name\": \"flagsmith-api-migration\", \"command\": [\"migrate-identities\", <project_id>], \" environment \":[{\"PROJECT_METADATA_TABLE_NAME_DYNAMO\":\"flagsmith_project_metadata\"}]}]}"
+                "InputTemplate": "{ \"containerOverrides\": [ { \"name\": \"flagsmith-api-migration\", \"command\": [\"migrate_to_edge\", <project_id>], \" environment \":[{\"PROJECT_METADATA_TABLE_NAME_DYNAMO\":\"flagsmith_project_metadata\"}]}]}"
                 }
                 }
                 ]'

.github/actions/docker-build-report-to-pr/action.yml

@@ -0,0 +1,46 @@
+name: Report Docker Build status to PR
+description: Create or update PR comment related to Docker build
+
+inputs:
+  image-tag:
+    description: Full image tag
+    required: false
+  build-status:
+    description: Build status in short format
+    required: false
+  security-report-status:
+    description: Security report status in short format
+    required: false
+
+runs:
+  using: composite
+
+  steps:
+    - uses: peter-evans/find-comment@v3
+      id: find-comment
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        body-includes: 'Docker builds report'
+
+    - uses: chuhlomin/render-template@v1.4
+      if: ${{ !inputs.image-tag }}
+      id: render-header
+      with:
+        template: .github/docker_build_comment_template.md
+
+    - uses: peter-evans/create-or-update-comment@v4
+      if: ${{ !inputs.image-tag }}
+      with:
+        comment-id: ${{ steps.find-comment.outputs.comment-id }}
+        edit-mode: replace
+        issue-number: ${{ github.event.pull_request.number }}
+        body: ${{ steps.render-header.outputs.result }}
+
+    - uses: peter-evans/create-or-update-comment@v4
+      if: ${{ inputs.image-tag }}
+      with:
+        comment-id: ${{ steps.find-comment.outputs.comment-id }}
+        edit-mode: append
+        issue-number: ${{ github.event.pull_request.number }}
+        body: >
+          | `${{ inputs.image-tag }}` | ${{ inputs.build-status }} | ${{ inputs.security-report-status }} |

.github/actions/e2e-tests/action.yml

@@ -43,7 +43,7 @@ runs:
           npm run test -- ${{ inputs.tests }}
         max_attempts: 2
         retry_on: error
-        timeout_minutes: 10
+        timeout_minutes: 20
       env:
         E2E_TEST_TOKEN: ${{ inputs.e2e_test_token }}
         SLACK_TOKEN: ${{ inputs.slack_token }}

.github/docker_build_comment_template.md

@@ -1,5 +1,4 @@
-{{ .message }}
+#### Docker builds report
 
-| Image           | Build Status       | Security report             |
-| --------------- | ------------------ | --------------------------- |
-| {{ .imageTag }} | {{ .buildStatus }} | {{ .securityReportStatus }} |
+| Image | Build Status | Security report |
+| ----- | ------------ | --------------- |

.github/pull_request_template.md

@@ -1,6 +1,5 @@
 Thanks for submitting a PR! Please check the boxes below:
 
-- [ ] I have run [`pre-commit`](https://docs.flagsmith.com/platform/contributing#pre-commit) to check linting
 - [ ] I have added information to `docs/` if required so people know about the feature!
 - [ ] I have filled in the "Changes" section below?
 - [ ] I have filled in the "How did you test this code" section below?

.github/workflows/.reusable-docker-build.yml

@@ -50,6 +50,25 @@ on:
         description: Whether to update the build status in a PR comment
         required: false
         default: false
+      trivy-db-repository-source:
+        type: string
+        description: Souce repository to pull Trivy database from
+        required: false
+        default: ghcr.io/aquasecurity/trivy-db:latest
+      trivy-java-db-repository-source:
+        type: string
+        description: Source repository to pull Trivy Java database from
+        required: false
+        default: ghcr.io/aquasecurity/trivy-java-db:1
+      trivy-db-repository:
+        type: string
+        description: Destination repository to store Trivy database in
+        required: false
+        default: ghcr.io/flagsmith/trivy-db:latest
+      trivy-java-db-repository:
+        type: string
+        description: Destination repository to store Trivy Java database in
+        default: ghcr.io/flagsmith/trivy-java-db:latest
     outputs:
       image:
         description: Resulting image specifier
@@ -96,33 +115,6 @@ jobs:
             ${{ inputs.registry-url }}/flagsmith/${{ inputs.image-name }}
           tags: ${{ inputs.tags }}
 
-      - uses: chuhlomin/render-template@v1.4
-        if: inputs.comment
-        id: render-comment-initial
-        with:
-          template: .github/docker_build_comment_template.md
-          vars: |
-            message: "`${{ inputs.image-name }}` is being built... :hourglass_flowing_sand:"
-            imageTag: "Pending :hourglass_flowing_sand:"
-            buildStatus: "Building :hourglass_flowing_sand:"
-            securityReportStatus: "${{ inputs.scan && 'Pending :hourglass_flowing_sand:' || 'Skipped' }}"
-
-      - uses: peter-evans/find-comment@v3
-        if: inputs.comment
-        id: find-comment
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          body-includes: '`${{ inputs.image-name }}` '
-
-      - uses: peter-evans/create-or-update-comment@v4
-        if: inputs.comment
-        id: add-comment
-        with:
-          comment-id: ${{ steps.find-comment.outputs.comment-id }}
-          edit-mode: replace
-          issue-number: ${{ github.event.pull_request.number }}
-          body: ${{ steps.render-comment-initial.outputs.result }}
-
       - name: Build and push image
         id: build
         uses: depot/build-push-action@v1
@@ -156,23 +148,30 @@ jobs:
           echo ::add-mask::$DEPOT_TOKEN
           echo depot-token=$DEPOT_TOKEN >> $GITHUB_OUTPUT
 
-      - uses: chuhlomin/render-template@v1.4
-        if: inputs.comment
-        id: render-comment-on-finished-build
+      - name: Report build finish
+        uses: ./.github/actions/docker-build-report-to-pr
+        if: inputs.comment && !inputs.scan
         with:
-          template: .github/docker_build_comment_template.md
-          vars: |
-            message: "`${{ inputs.image-name }}` image build finished :sparkles: ${{ inputs.scan && 'Executing security scan...' || '' }}"
-            imageTag: "`${{ steps.image-tag.outputs.image-tag }}`"
-            buildStatus: "Finished :white_check_mark:"
-            securityReportStatus: "${{ inputs.scan && 'Pending :hourglass_flowing_sand:' || 'Skipped' }}"
-
-      - uses: peter-evans/create-or-update-comment@v4
-        if: inputs.comment
+          image-tag: ${{ steps.image-tag.outputs.image-tag }}
+          build-status: 'Finished :white_check_mark:'
+          security-report-status: 'Skipped'
+
+      - uses: oras-project/setup-oras@v1
+
+      - name: Pull and republish Trivy databases
+        uses: nick-fields/retry@v3
         with:
-          comment-id: ${{ steps.add-comment.outputs.comment-id }}
-          edit-mode: replace
-          body: ${{ steps.render-comment-on-finished-build.outputs.result }}
+          shell: bash
+          command: |
+            oras pull --no-tty ${{ inputs.trivy-db-repository-source }}
+            oras pull --no-tty ${{ inputs.trivy-java-db-repository-source }}
+            oras push ${{ inputs.trivy-db-repository }} db.tar.gz:$MIME_TYPE+gzip --artifact-type $MIME_TYPE+json
+            oras push ${{ inputs.trivy-java-db-repository }} javadb.tar.gz:$MIME_TYPE+gzip --artifact-type $MIME_TYPE+json
+          max_attempts: 5
+          retry_on: error
+          timeout_minutes: 20
+        env:
+          MIME_TYPE: application/vnd.aquasec.trivy.db.layer.v1.tar
 
       - name: Run Trivy vulnerability scanner
         id: trivy
@@ -185,34 +184,29 @@ jobs:
         env:
           TRIVY_USERNAME: ${{ inputs.ephemeral && 'x-token' || github.actor }}
           TRIVY_PASSWORD: ${{ inputs.ephemeral && steps.depot-token.outputs.depot-token || secrets.GITHUB_TOKEN }}
+          TRIVY_DB_REPOSITORY: ${{ inputs.trivy-db-repository }}
+          TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-java-db-repository }}
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         if: inputs.scan && (success() || failure())
         with:
+          category: ${{ inputs.image-name }}
           sarif_file: trivy-results.sarif
 
       - name: Render scan results URL
         id: scan-results-url
+        if: inputs.scan
         run: >
           echo scan-results-url=${{ format('{0}/{1}/security/code-scanning?query=pr%3A{2}+path%3Aflagsmith%2F{3}',
           github.server_url, github.repository, github.event.pull_request.number, inputs.image-name) }} >>
           $GITHUB_OUTPUT
 
-      - uses: chuhlomin/render-template@v1.4
-        id: render-comment-on-finished-scan
-        if: inputs.scan && inputs.comment
-        with:
-          template: .github/docker_build_comment_template.md
-          vars: |
-            message: "`${{ inputs.image-name }}` image build and security scan finished :sparkles:"
-            imageTag: "`${{ steps.image-tag.outputs.image-tag }}`"
-            buildStatus: "Finished :white_check_mark:"
-            securityReportStatus: "${{ format('[Results]({0}) :white_check_mark:', steps.scan-results-url.outputs.scan-results-url) }}"
-
-      - uses: peter-evans/create-or-update-comment@v4
-        if: inputs.scan && inputs.comment
+      - name: Report scan results URL
+        uses: ./.github/actions/docker-build-report-to-pr
+        if: inputs.comment && inputs.scan
         with:
-          comment-id: ${{ steps.add-comment.outputs.comment-id }}
-          edit-mode: replace
-          body: ${{ steps.render-comment-on-finished-scan.outputs.result }}
+          image-tag: ${{ steps.image-tag.outputs.image-tag }}
+          build-status: 'Finished :white_check_mark:'
+          security-report-status:
+            "${{ format('[Results]({0}) :white_check_mark:', steps.scan-results-url.outputs.scan-results-url) }}"

.github/workflows/.reusable-docker-e2e-tests.yml

@@ -27,6 +27,10 @@ on:
         description: The runner label to use. Defaults to `ubuntu-latest`
         required: false
         default: ubuntu-latest
+    secrets:
+      gcr-token:
+        description: A token to use for logging into Github Container Registry. If not provided, login does not occur.
+        required: false
 
 jobs:
   run-e2e:
@@ -38,16 +42,20 @@ jobs:
       packages: read
       id-token: write
 
+    env:
+      GCR_TOKEN: ${{ secrets.gcr-token }}
+
     steps:
       - name: Cloning repo
         uses: actions/checkout@v4
 
       - name: Login to Github Container Registry
+        if: ${{ env.GCR_TOKEN }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ env.GCR_TOKEN }}
 
       - name: Set up Depot CLI
         uses: depot/setup-action@v1
@@ -64,7 +72,7 @@ jobs:
             make test
           max_attempts: 2
           retry_on: error
-          timeout_minutes: 10
+          timeout_minutes: 20
         env:
           opts: ${{ inputs.tests }}
           API_IMAGE: ${{ inputs.api-image }}

.github/workflows/api-pull-request.yml

@@ -53,9 +53,6 @@ jobs:
         if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
         run: make install-packages
 
-      - name: Run Linters
-        run: make lint
-
       - name: Create analytics database
         env:
           PGPASSWORD: postgres

.github/workflows/conventional-commit.yml

@@ -0,0 +1,27 @@
+name: Conventional Commit
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+jobs:
+  conventional-commit:
+    name: Conventional Commit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR Conventional Commit title
+        uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: | # mirrors changelog-sections in the /release-please-config.json
+            feat
+            fix
+            infra
+            ci
+            docs
+            deps
+            perf
+            refactor
+            test
+            chore

.github/workflows/platform-docker-build-test-publish.yml

@@ -50,6 +50,14 @@ jobs:
       secrets: |
         github_private_cloud_token=${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
 
+  docker-build-api-test:
+    name: Build API Test Image
+    uses: ./.github/workflows/.reusable-docker-build.yml
+    with:
+      target: api-test
+      image-name: flagsmith-api-test
+      scan: false
+
   docker-build-e2e:
     name: Build E2E Image
     uses: ./.github/workflows/.reusable-docker-build.yml