Merge pull request #16 from TelosLabs/11-security-configuration

Security Configuration, CI
TelosLabs · Jul 6, 2024 · f626c6c · f626c6c
2 parents 362d9d9 + 31ef735
commit f626c6c
Show file tree

Hide file tree

Showing 11 changed files with 306 additions and 4 deletions.
diff --git a/.database_consistency.todo.yml b/.database_consistency.todo.yml
@@ -0,0 +1,5 @@
+---
+Profile:
+  self_ref:
+    MissingIndexChecker:
+      enabled: false
diff --git a/.github/PULL_REQUEST_TEMPLATE/default.md b/.github/PULL_REQUEST_TEMPLATE/default.md
@@ -0,0 +1,29 @@
+## Description
+
+Please include a summary of the change. Also, include any additional information that you think is important for reviewers to know. Link to a related issue if applicable.
+
+## How has this been tested?
+
+Please mark the tests that you ran to verify your changes. If difficult to test, consider providing instructions so reviewers can test.
+
+- [ ] Manual testing
+- [ ] System tests
+- [ ] Unit tests
+- [ ] None
+
+## Checklist
+
+- [ ] CI pipeline is passing
+- [ ] My code follows the conventions of this project
+- [ ] I have performed a self-review of my code
+- [ ] I have commented on my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation (if applicable)
+- [ ] I have added seed data to the database (if applicable)
+
+## Release tasks
+
+Add any tasks that need to be done before/after the release of this feature.
+
+## Screenshots/Loom
+
+This section is relevant in case we want to share progress with the team, otherwise, it can be omitted.
diff --git a/.github/workflows/github-actions.yml b/.github/workflows/github-actions.yml
@@ -0,0 +1,91 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "**"
+
+env:
+  CI: true
+  RSPEC_RETRY_RETRY_COUNT: 3
+  RAILS_ENV: test
+  RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
+
+jobs:
+  linters:
+    name: Linters
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Ruby and install gems
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: Setup Node
+        uses: actions/setup-node@v4
+      - name: Run RuboCop
+        run: bundle exec rubocop
+      - name: Run ERB Lint
+        run: bundle exec erblint --lint-all
+      - name: Run StandardJS
+        run: |
+          npm install standard --global
+          standard
+      - name: Run spell checker
+        uses: crate-ci/typos@master
+
+  security:
+    name: Security
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Ruby and install gems
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: Run brakeman
+        run: |
+          bundle exec brakeman -w3
+      - name: Run bundler-audit
+        run: |
+          bundle exec bundle-audit check --update
+
+  code_quality:
+    name: Code quality
+    runs-on: ubuntu-latest
+    if: ${{ github.ref_name != 'main' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Ruby and install gems
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: Run rubycritic
+        run: |
+          bundle exec rubycritic --mode-ci main --no-browser
+      - name: Run database consistency
+        run: |
+          bundle exec rails db:test:prepare
+          bundle exec database_consistency -c .database_consistency.todo.yml
+
+  tests:
+      name: Tests
+      runs-on: ubuntu-latest
+      steps:
+        - uses: actions/checkout@v4
+        - name: Set up Ruby
+          uses: ruby/setup-ruby@v1
+          with:
+            bundler-cache: true
+        - name: Setup DB
+          run: |
+            bundle exec rails db:test:prepare
+        - name: Run tests
+          run: |
+            bundle exec rspec
diff --git a/.lefthook.yml b/.lefthook.yml
@@ -0,0 +1,18 @@
+pre-commit:
+  parallel: true
+  commands:
+    ruby-linter:
+      glob: "*.{rb,rake}"
+      run: bundle exec rubocop -a --force-exclusion {staged_files}
+      stage_fixed: true
+    erb-linter:
+      glob: "*.erb"
+      run: bundle exec erblint --lint-all {staged_files}
+    js-linter:
+      glob: "*.js"
+      run: standard --fix {staged_files}
+      stage_fixed: true
+    fix-typos:
+      exclude: '\.(pdf|ttf|jpg|png|csv)$'
+      run: typos --write-changes {staged_files}
+      stage_fixed: true
diff --git a/.reek.yml b/.reek.yml
@@ -0,0 +1,3 @@
+detectors:
+  IrresponsibleModule:
+    enabled: false
diff --git a/.rubycritic.yml b/.rubycritic.yml
@@ -0,0 +1,6 @@
+branch: 'main' # default is master
+threshold_score: 2 # default is 0
+minimum_score: 95 # default is 0
+paths:
+  - "app/"
+  - "config/"
diff --git a/Gemfile b/Gemfile
@@ -31,16 +31,23 @@ gem "tzinfo-data", platforms: %i[windows jruby]
 
 group :development, :test do
   # See https://guides.rubyonrails.org/debugging_rails_applications.html#debugging-with-the-debug-gem
+  gem "better_errors"
+  gem "binding_of_caller"
+  gem "brakeman"
+  gem "bundle-audit"
+  gem "database_consistency"
   gem "debug", platforms: %i[mri windows]
   gem "dotenv"
   gem "erb_lint", require: false
+  gem "letter_opener"
   gem "pry-byebug"
   gem "rspec-rails"
   gem "rubocop-capybara", require: false
   gem "rubocop-performance", require: false
   gem "rubocop-rails", require: false
   gem "rubocop-rspec", require: false
   gem "rubocop-rspec_rails", require: false
+  gem "rubycritic"
   gem "standard"
 end