Release 1.80 [to master]

.ebextensions/25-load-sgid-env.config

@@ -0,0 +1,41 @@
+# loads SGID environment variables to a .env file from SSM 
+
+commands:
+  01-create-env:
+    command: "/tmp/create-env.sh"
+
+files:
+  "/tmp/create-env.sh":
+      mode: "000755"
+      content : |
+        #!/bin/bash
+        ENV_NAME=$(/opt/elasticbeanstalk/bin/get-config environment -k SSM_PREFIX)
+
+        ENV_VARS=("SGID_CLIENT_ID" "SGID_CLIENT_SECRET" "SGID_PRIVATE_KEY")
+
+        echo "Set AWS region"
+        aws configure set default.region ap-southeast-1
+
+        TARGET_DIR=/etc/gogovsg
+
+        echo "Checking if ${TARGET_DIR} exists..."
+        if [ ! -d ${TARGET_DIR} ]; then
+            echo "Creating directory ${TARGET_DIR} ..."
+            mkdir -p ${TARGET_DIR}
+            if [ $? -ne 0 ]; then
+                echo 'ERROR: Directory creation failed!'
+                exit 1
+            fi
+        else
+            echo "Directory ${TARGET_DIR} already exists!"
+        fi
+
+        echo "Creating config for ${ENV_NAME} in ${AWS_REGION}"
+
+        for ENV_VAR in "${ENV_VARS[@]}"; do
+            echo "Running for this ${ENV_NAME}"
+            echo "Fetching ${ENV_VAR} from SSM"
+            VALUE=$(aws ssm get-parameter --name "${ENV_NAME}_${ENV_VAR}" --with-decryption --query "Parameter.Value" --output text)
+            echo "${ENV_VAR}=${VALUE}" >> $TARGET_DIR/.env
+            echo "Saved ${ENV_VAR}"
+        done

.github/workflows/ci.yml

@@ -31,9 +31,9 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: '16.x'
+          node-version: '18.x'
       - name: Cache Node.js modules
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           # npm cache files are stored in `~/.npm` on Linux/macOS
           path: ~/.npm
@@ -55,9 +55,9 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: '16.x'
+          node-version: '18.x'
       - name: Cache Node.js modules
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           # npm cache files are stored in `~/.npm` on Linux/macOS
           path: ~/.npm
@@ -66,11 +66,15 @@ jobs:
             ${{ runner.OS }}-node-
             ${{ runner.OS }}-
       - run: npm ci --legacy-peer-deps
-      - run: npm run test
-      - name: Coveralls
-        uses: coverallsapp/github-action@master
+      - name: Configure Datadog Test Visibility
+        uses: datadog/test-visibility-github-action@v2
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          languages: js
+          service: gogovsg
+          api_key: ${{ secrets.DD_API_KEY }}
+      - run: npm run test
+        env:
+          NODE_OPTIONS: -r ${{ env.DD_TRACE_PACKAGE }}
   testcafe:
     name: End To End Tests
     runs-on: ubuntu-22.04
@@ -79,9 +83,9 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: '16.x'
+          node-version: '18.x'
       - name: Cache Node.js modules
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           # npm cache files are stored in `~/.npm` on Linux/macOS
           path: ~/.npm
@@ -91,7 +95,15 @@ jobs:
             ${{ runner.OS }}-
       - run: npm ci --legacy-peer-deps
       - run: echo CLOUDMERSIVE_KEY=${{secrets.CLOUDMERSIVE_KEY}} >> .env
+      - name: Configure Datadog Test Visibility
+        uses: datadog/test-visibility-github-action@v2
+        with:
+          languages: js
+          service: gogovsg
+          api_key: ${{ secrets.DD_API_KEY }}
       - run: npm run test:e2e-headless
+        env:
+          NODE_OPTIONS: -r ${{ env.DD_TRACE_PACKAGE }}
   integration:
     name: Integration Tests
     runs-on: ubuntu-22.04
@@ -100,9 +112,9 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: '16.x'
+          node-version: '18.x'
       - name: Cache Node.js modules
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           # npm cache files are stored in `~/.npm` on Linux/macOS
           path: ~/.npm
@@ -113,7 +125,15 @@ jobs:
       - run: npm ci --legacy-peer-deps
       - run: npm run dev &
       - run: sleep 270
+      - name: Configure Datadog Test Visibility
+        uses: datadog/test-visibility-github-action@v2
+        with:
+          languages: js
+          service: gogovsg
+          api_key: ${{ secrets.DD_API_KEY }}
       - run: npm run test:integration
+        env:
+          NODE_OPTIONS: -r ${{ env.DD_TRACE_PACKAGE }}
   gatekeep:
     name: Determine if Build & Deploy is needed
     outputs:
@@ -142,9 +162,9 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: '16.x'
+          node-version: '18.x'
       - name: Cache Node.js modules
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           # npm cache files are stored in `~/.npm` on Linux/macOS
           path: ~/.npm
@@ -229,10 +249,10 @@ jobs:
     if: needs.gatekeep.outputs.proceed == 'true'
     steps:
       - uses: actions/checkout@v2
-      - name: Use Node.js 16.x
+      - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: '16.x'
+          node-version: '18.x'
       - run: |
           echo SERVERLESS_SERVICE=gogovsg >> $GITHUB_ENV;
           if [[ $GITHUB_REF == $STAGING_BRANCH ]]; then
@@ -296,7 +316,8 @@ jobs:
       - name: serverless deploy
         uses: opengovsg/[email protected]
         with:
-          args: -c "serverless plugin install --name serverless-plugin-include-dependencies && serverless deploy --stage=$BRANCH_ENV --conceal --verbose"
+          # serverless-plugin-include-dependencies v6 onwards requires node 18
+          args: -c "serverless plugin install --name [email protected] && serverless deploy --stage=$BRANCH_ENV --conceal --verbose"
           entrypoint: /bin/bash
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -353,10 +374,10 @@ jobs:
     if: needs.gatekeep.outputs.proceed == 'true'
     steps:
       - uses: actions/checkout@v2
-      - name: Use Node.js 16.x
+      - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: '16.x'
+          node-version: '18.x'
       - run: |
           echo SERVERLESS_SERVICE=edu >> $GITHUB_ENV; 
           if [[ $GITHUB_REF == $STAGING_BRANCH ]]; then
@@ -422,7 +443,8 @@ jobs:
       - name: serverless deploy
         uses: opengovsg/[email protected]
         with:
-          args: -c "serverless plugin install --name serverless-plugin-include-dependencies && serverless deploy --stage=$BRANCH_ENV --conceal --verbose"
+          # serverless-plugin-include-dependencies v6 onwards requires node 18
+          args: -c "serverless plugin install --name [email protected] && serverless deploy --stage=$BRANCH_ENV --conceal --verbose"
           entrypoint: /bin/bash
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -479,10 +501,10 @@ jobs:
     if: needs.gatekeep.outputs.proceed == 'true'
     steps:
       - uses: actions/checkout@v2
-      - name: Use Node.js 16.x
+      - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: '16.x'
+          node-version: '18.x'
       - run: |
           echo SERVERLESS_SERVICE=health >> $GITHUB_ENV;
           if [[ $GITHUB_REF == $STAGING_BRANCH ]]; then
@@ -548,7 +570,8 @@ jobs:
       - name: serverless deploy
         uses: opengovsg/[email protected]
         with:
-          args: -c "serverless plugin install --name serverless-plugin-include-dependencies && serverless deploy --stage=$BRANCH_ENV --conceal --verbose"
+          # serverless-plugin-include-dependencies v6 onwards requires node 18
+          args: -c "serverless plugin install --name [email protected] && serverless deploy --stage=$BRANCH_ENV --conceal --verbose"
           entrypoint: /bin/bash
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

.github/workflows/codeql-analysis.yml

@@ -3,7 +3,7 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-name: "CodeQL"
+name: 'CodeQL'
 
 on:
   push:
@@ -12,60 +12,45 @@ on:
     # The branches below must be a subset of the branches above
     branches: [develop]
   schedule:
-    - cron: '0 21 * * 3'
+    - cron: '0 10 * * *'
 
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ubuntu-22.04
+    name: Analyze (${{matrix.language}})
+    runs-on: ${{(matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest'}}
+    timeout-minutes: ${{(matrix.language == 'swift' && 120) || 360}}
+    permissions:
+      # Required for all workflows
+      security-events: write
+
+      # Required to fetch internal or private CodeQL packs
+      packages: read
+
+      # Only required for workflows in private repositories
+      actions: read
+      contents: read
 
     strategy:
       fail-fast: false
       matrix:
-        # Override automatic language detection by changing the below list
-        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
-        language: ['javascript']
-        # Learn more...
-        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
-
+        include:
+          - language: javascript-typescript
+            build-mode: none
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{matrix.language}}
+          build-mode: ${{matrix.build-mode}}
+
+          # Pull config from https://github.com/opengovsg/codeql-config/blob/prod/codeql-config.yml
+          config-file: opengovsg/codeql-config/codeql-config.yml@prod
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:${{matrix.language}}'

.gitpod.Dockerfile

@@ -9,8 +9,8 @@ RUN sudo apt-get update \
 RUN sudo mkdir -p /docker-entrypoint-initaws.d
 RUN sudo chown gitpod /docker-entrypoint-initaws.d
 
-# Installs IBMPlexSans-Regular.ttf for QRCodeService.
-RUN sudo wget https://github.com/IBM/plex/blob/master/IBM-Plex-Sans/fonts/complete/ttf/IBMPlexSans-Regular.ttf?raw=true -O /usr/share/fonts/truetype/IBMPlexSans-Regular.ttf
+# Installs IBMPlexSans-Regular.otf for QRCodeService.
+RUN sudo wget https://github.com/IBM/plex/blob/master/packages/plex-sans/fonts/complete/otf/IBMPlexSans-Regular.otf?raw=true -O /usr/share/fonts/truetype/IBMPlexSans-Regular.otf
 RUN sudo fc-cache -f
 
 USER gitpod