New namespace #361

jjstratton · 2025-06-25T13:31:53Z

These are all the pipelines for the new namespace - they will delete the old pipelines so only merge when we are ready to do that

sonarqubecloud · 2025-06-25T13:32:44Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

.github/workflows/build-push-clamav-client.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Build Image
+        working-directory: ${{env.WORKING_DIRECTORY}}
+        run: |
+          docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}-client:dev .
+
+      - name: Docker Push to Artifactory
+        run: |
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}-client:dev
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}-client:dev
+          format: 'table'
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      - name: Set GitOps SSH Key
+        uses: webfactory/ssh-agent@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}
+
+      - name: Update Helm Dev Values and Commit
+        id: helm
+        run: |
+
+          echo "Updating ${{ env.BRANCH_NAME }} helm  values to trigger ArgoCD deployment "
+
+          # Commit and push the changes
+          git config --global user.email "actions@github.com"
+          git config --global user.name "RSBC-APR GitHub Actions"
+          git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git
+
+          # Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test
+
+          cd tenant-gitops-f0392a/charts
+
+          # Update the Helm values file with the new image tag and version
+          DATETIME=$(date +'%Y-%m-%d %H:%M:%S')  # Get current date and time
+          echo "Updating tag ccversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"
+
+          sed -i "s/ccversion: .*/ccversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          git add .
+
+          git add ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          # Repackage Helm Chart      
+
+          cd gitops
+
+          helm dependency build
+
+          git add .
+
+          git commit -m "Update ${{ env.BRANCH_NAME }} clamavclient image tag"
+
+          # pull any changes
+          git pull origin ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}  # Update the branch name as needed


To fix the issue, we will add a permissions block at the root of the workflow. This block will define the minimal permissions required for the workflow to function correctly. Based on the actions used in the workflow, the following permissions are needed:

contents: write for committing and pushing changes to the repository.

packages: write for pushing Docker images to the Artifactory registry.

The permissions block will be added after the name field in the workflow file.

.github/workflows/build-push-form-handler.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Build Image
+        working-directory: ${{env.WORKING_DIRECTORY}}
+        run: |
+          docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev -f form_handler/Dockerfile .
+
+      - name: Docker Push to Artifactory
+        run: |
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+          format: 'table'
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      - name: Set GitOps SSH Key
+        uses: webfactory/ssh-agent@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}
+
+      - name: Update Helm Dev Values and Commit
+        id: helm
+        run: |
+
+          echo "Updating ${{ env.BRANCH_NAME }} helm  values to trigger ArgoCD deployment "
+
+          # Commit and push the changes
+          git config --global user.email "actions@github.com"
+          git config --global user.name "RSBC-APR GitHub Actions"
+          git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git
+
+          # Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test
+
+          cd tenant-gitops-f0392a/charts
+
+          # Update the Helm values file with the new image tag and version
+          DATETIME=$(date +'%Y-%m-%d %H:%M:%S')  # Get current date and time
+          echo "Updating tag fhversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"
+
+          sed -i "s/fhversion: .*/fhversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          git add .
+
+          git add ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          # Repackage Helm Chart      
+
+          cd gitops
+
+          helm dependency build
+
+          git add .
+
+          git commit -m "Update ${{ env.BRANCH_NAME }} formhandler image tag"
+
+          # pull any changes
+          git pull origin ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}  # Update the branch name as needed


To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for the workflow to function correctly. Based on the operations performed in the workflow, the following permissions are recommended:

contents: read for reading repository contents.

pull-requests: write for updating Helm values and committing changes.

The permissions block can be added at the root level of the workflow to apply to all jobs or within the build job to limit permissions to that specific job.

.github/workflows/build-push-ingestor.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Build Image
+        working-directory: ${{env.WORKING_DIRECTORY}}
+        run: |
+          docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev -f ingestor/Dockerfile .
+
+      - name: Docker Push to Artifactory
+        run: |
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+          format: 'table'
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      - name: Set GitOps SSH Key
+        uses: webfactory/ssh-agent@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}
+
+      - name: Update Helm Dev Values and Commit
+        id: helm
+        run: |
+
+          echo "Updating ${{ env.BRANCH_NAME }} helm  values to trigger ArgoCD deployment "
+
+          # Commit and push the changes
+          git config --global user.email "actions@github.com"
+          git config --global user.name "RSBC-APR GitHub Actions"
+          git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git
+
+          # Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test
+
+          cd tenant-gitops-f0392a/charts
+
+          # Update the Helm values file with the new image tag and version
+          DATETIME=$(date +'%Y-%m-%d %H:%M:%S')  # Get current date and time
+          echo "Updating tag iversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"
+
+          sed -i "s/iversion: .*/iversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          git add .
+
+          git add ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          # Repackage Helm Chart      
+
+          cd gitops
+
+          helm dependency build
+
+          git add .
+
+          git commit -m "Update ${{ env.BRANCH_NAME }} ingestor image tag"
+
+          # pull any changes
+          git pull origin ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}  # Update the branch name as needed


To fix the issue, we need to add a permissions block to the workflow. This block should specify the minimal permissions required for the workflow to function correctly. Based on the operations performed in the workflow, the following permissions are recommended:

contents: read for accessing repository files.

pull-requests: write for updating Helm values and committing changes.

The permissions block can be added at the root level of the workflow to apply to all jobs or within the build job to limit permissions to that specific job.

.github/workflows/build-push-mail-net.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Build Image
+        working-directory: ${{env.WORKING_DIRECTORY}}
+        run: |
+          docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev .
+
+      - name: Docker Push to Artifactory
+        run: |
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+          format: 'table'
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      - name: Set GitOps SSH Key
+        uses: webfactory/ssh-agent@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}
+
+      - name: Update Helm Dev Values and Commit
+        id: helm
+        run: |
+
+          echo "Updating ${{ env.BRANCH_NAME }} helm  values to trigger ArgoCD deployment "
+
+          # Commit and push the changes
+          git config --global user.email "actions@github.com"
+          git config --global user.name "RSBC-APR GitHub Actions"
+          git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git
+
+          # Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test
+
+          cd tenant-gitops-f0392a/charts
+
+          # Update the Helm values file with the new image tag and version
+          DATETIME=$(date +'%Y-%m-%d %H:%M:%S')  # Get current date and time
+          echo "Updating tag mnversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"
+
+          sed -i "s/mnversion: .*/mnversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          git add .
+
+          git add ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          # Repackage Helm Chart      
+
+          cd gitops
+
+          helm dependency build
+
+          git add .
+
+          git commit -m "Update ${{ env.BRANCH_NAME }} mailnet image tag"
+
+          # pull any changes
+          git pull origin ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}  # Update the branch name as needed


To fix the issue, we need to add a permissions block to the workflow. This block should specify the minimal permissions required for the workflow to function correctly. Based on the operations performed in the workflow, the following permissions are likely required:

contents: read for reading repository contents.

pull-requests: write for updating Helm values and committing changes.

The permissions block can be added at the root level of the workflow to apply to all jobs, or it can be added specifically to the build job. In this case, adding it at the root level is recommended for simplicity.

.github/workflows/build-push-paybc.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Build Image
+        working-directory: ${{env.WORKING_DIRECTORY}}
+        run: |
+          docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev -f paybc_api/Dockerfile .
+
+      - name: Docker Push to Artifactory
+        run: |
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+          format: 'table'
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      - name: Set GitOps SSH Key
+        uses: webfactory/ssh-agent@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}
+
+      - name: Update Helm Dev Values and Commit
+        id: helm
+        run: |
+
+          echo "Updating ${{ env.BRANCH_NAME }} helm  values to trigger ArgoCD deployment "
+
+          # Commit and push the changes
+          git config --global user.email "actions@github.com"
+          git config --global user.name "RSBC-APR GitHub Actions"
+          git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git
+
+          # Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test
+
+          cd tenant-gitops-f0392a/charts
+
+          # Update the Helm values file with the new image tag and version
+          DATETIME=$(date +'%Y-%m-%d %H:%M:%S')  # Get current date and time
+          echo "Updating tag pbcversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"
+
+          sed -i "s/pbcversion: .*/pbcversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          git add .
+
+          git add ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          # Repackage Helm Chart      
+
+          cd gitops
+
+          helm dependency build
+
+          git add .
+
+          git commit -m "Update ${{ env.BRANCH_NAME }} paybc image tag"
+
+          # pull any changes
+          git pull origin ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}  # Update the branch name as needed


To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for the workflow to function correctly. Based on the operations performed in the workflow, the following permissions are likely required:

contents: read for accessing repository files.

pull-requests: write for updating Helm values and committing changes.

The permissions block can be added at the root level of the workflow to apply to all jobs or within the build job to limit permissions to that specific job.

.github/workflows/build-push-validator.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Build Image
+        working-directory: ${{env.WORKING_DIRECTORY}}
+        run: |
+          docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev -f validator/Dockerfile .
+
+      - name: Docker Push to Artifactory
+        run: |
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+          format: 'table'
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      - name: Set GitOps SSH Key
+        uses: webfactory/ssh-agent@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}
+
+      - name: Update Helm Dev Values and Commit
+        id: helm
+        run: |
+
+          echo "Updating ${{ env.BRANCH_NAME }} helm  values to trigger ArgoCD deployment "
+
+          # Commit and push the changes
+          git config --global user.email "actions@github.com"
+          git config --global user.name "RSBC-APR GitHub Actions"
+          git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git
+
+          # Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test
+
+          cd tenant-gitops-f0392a/charts
+
+          # Update the Helm values file with the new image tag and version
+          DATETIME=$(date +'%Y-%m-%d %H:%M:%S')  # Get current date and time
+          echo "Updating tag vversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"
+
+          sed -i "s/vversion: .*/vversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          git add .
+
+          git add ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          # Repackage Helm Chart      
+
+          cd gitops
+
+          helm dependency build
+
+          git add .
+
+          git commit -m "Update ${{ env.BRANCH_NAME }} validator image tag"
+
+          # pull any changes
+          git pull origin ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}  # Update the branch name as needed


To fix the issue, we will add a permissions block at the root of the workflow file. This block will explicitly define the minimal permissions required for the workflow to function. Based on the workflow's operations, it needs read access to the repository contents and write access to pull requests. We will set contents: read and pull-requests: write as the permissions.

.github/workflows/build-push-web-form.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Build Image
+        working-directory: ${{env.WORKING_DIRECTORY}}
+        run: |
+          docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev .
+
+      - name: Docker Push to Artifactory
+        run: |
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+          format: 'table'
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      - name: Set GitOps SSH Key
+        uses: webfactory/ssh-agent@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}
+
+      - name: Update Helm Dev Values and Commit
+        id: helm
+        run: |
+
+          echo "Updating ${{ env.BRANCH_NAME }} helm  values to trigger ArgoCD deployment "
+
+          # Commit and push the changes
+          git config --global user.email "actions@github.com"
+          git config --global user.name "RSBC-APR GitHub Actions"
+          git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git
+
+          # Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test
+
+          cd tenant-gitops-f0392a/charts
+
+          # Update the Helm values file with the new image tag and version
+          DATETIME=$(date +'%Y-%m-%d %H:%M:%S')  # Get current date and time
+          echo "Updating tag wfversion: to ${{ steps.short_sha.outputs.SHORT_SHA }}"
+
+          sed -i "s/wfversion: .*/wfversion: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          git add .
+
+          git add ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          # Repackage Helm Chart      
+
+          cd gitops
+
+          helm dependency build
+
+          git add .
+
+          git commit -m "Update ${{ env.BRANCH_NAME }} webform image tag"
+
+          # pull any changes
+          git pull origin ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}  # Update the branch name as needed


To fix the issue, add a permissions block at the root level of the workflow file to explicitly define the least privileges required for the workflow. Since the workflow involves operations like reading repository contents and pushing changes, the permissions should be limited to contents: read and pull-requests: write. This ensures that the GITHUB_TOKEN has only the necessary access.

The permissions block should be added after the name field and before the on field in the workflow file. No additional imports or dependencies are required for this fix.

.github/workflows/build-push-writer.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Build Image
+        working-directory: ${{env.WORKING_DIRECTORY}}
+        run: |
+          docker build -t artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev -f writer/Dockerfile .
+
+      - name: Docker Push to Artifactory
+        run: |
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+          format: 'table'
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL


To fix the issue, we need to add a permissions block to the workflow. This block should specify the minimal permissions required for the workflow to function correctly. Based on the workflow's operations, it appears that only contents: read is necessary, as the workflow does not modify repository contents or interact with issues or pull requests.

The permissions block can be added at the root level of the workflow to apply to all jobs. This ensures that the GITHUB_TOKEN has restricted access throughout the workflow.

.github/workflows/push-to-prod.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set Conditions
+        run: |
+          if [[ "${{ env.IMAGE_NAME }}" == "clamav-client" ]]; then
+            echo "IMAGE_PREFIX=cc" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "form-handler" ]]; then
+            echo "IMAGE_PREFIX=fh" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "ingestor" ]]; then
+            echo "IMAGE_PREFIX=i" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "mail-net" ]]; then
+            echo "IMAGE_PREFIX=mn" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "paybc" ]]; then
+            echo "IMAGE_PREFIX=pbc" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "validator" ]]; then
+            echo "IMAGE_PREFIX=v" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "web-form" ]]; then
+            echo "IMAGE_PREFIX=wf" >> $GITHUB_ENV
+          else
+            echo "Unknown application: ${{ env.IMAGE_NAME }}"
+          fi
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Backup Prod Image
+        run: |
+          docker pull artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:prod
+          docker tag artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:prod artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:prod-backup
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:prod-backup
+
+      - name: Docker Pull to Artifactory
+        run: |
+          docker pull artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:test
+
+      - name: Docker Tag and Push to Artifactory
+        run: |
+          docker tag artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:test artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:prod
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:prod
+
+      - name: Set GitOps SSH Key
+        uses: webfactory/ssh-agent@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}
+
+      - name: Update Helm Test Values and Commit
+        id: helm
+        run: |
+
+          echo "Updating ${{ env.BRANCH_NAME }} helm  values to trigger ArgoCD deployment "
+
+          # Commit and push the changes
+          git config --global user.email "actions@github.com"
+          git config --global user.name "RSBC-APR GitHub Actions"
+          git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git
+
+          # Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test
+
+          cd tenant-gitops-f0392a/charts
+
+          # Update the Helm values file with the new image tag and version
+          DATETIME=$(date +'%Y-%m-%d %H:%M:%S')  # Get current date and time
+          echo "Updating tag ${{ env.IMAGE_PREFIX }}version: to ${{ steps.short_sha.outputs.SHORT_SHA }}"
+
+          sed -i "s/${{ env.IMAGE_PREFIX }}version: .*/${{ env.IMAGE_PREFIX }}version: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          git add .
+
+          git add ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          # Repackage Helm Chart      
+
+          cd gitops
+
+          helm dependency build
+
+          git add .
+
+          git commit -m "Update ${{ env.BRANCH_NAME }} image tag"
+
+          # pull any changes
+          git pull origin ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}  # Update the branch name as needed


To fix the issue, we will add a permissions block at the root of the workflow file. This block will define the minimal permissions required for the workflow to function correctly. Based on the workflow's operations, it needs read access to contents for cloning the repository and write access to contents for committing and pushing changes. Additionally, it may require packages: write for interacting with Docker images in Artifactory.

The permissions block will be added after the name field and before the on field in the workflow file.

.github/workflows/push-to-test.yaml

+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set Conditions
+        run: |
+          if [[ "${{ env.IMAGE_NAME }}" == "clamav-client" ]]; then
+            echo "IMAGE_PREFIX=cc" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "form-handler" ]]; then
+            echo "IMAGE_PREFIX=fh" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "ingestor" ]]; then
+            echo "IMAGE_PREFIX=i" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "mail-net" ]]; then
+            echo "IMAGE_PREFIX=mn" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "paybc" ]]; then
+            echo "IMAGE_PREFIX=pbc" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "validator" ]]; then
+            echo "IMAGE_PREFIX=v" >> $GITHUB_ENV
+          elif [[ "${{ env.IMAGE_NAME }}" == "web-form" ]]; then
+            echo "IMAGE_PREFIX=wf" >> $GITHUB_ENV
+          else
+            echo "Unknown application: ${{ env.IMAGE_NAME }}"
+          fi
+
+      - name: Login to Artifactory
+        uses: docker/login-action@v1
+        with:
+          registry: artifacts.developer.gov.bc.ca
+          username: ${{ secrets.ARTIFACTORY_USERNAME }}
+          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+      # Get SHORT_SHA for the version
+      - name: Get short SHA
+        id: short_sha
+        run: |
+          echo "::set-output name=SHORT_SHA::$(git rev-parse --short HEAD)"
+          echo "Short SHA: $SHORT_SHA"
+
+      - name: Docker Pull to Artifactory
+        run: |
+          docker pull artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev
+
+      - name: Docker Tag and Push to Artifactory
+        run: |
+          docker tag artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:dev artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:test
+          docker push artifacts.developer.gov.bc.ca/${{env.REPO_KEY}}-${{env.IMAGE_NAME}}/${{env.IMAGE_NAME}}:test
+
+      - name: Set GitOps SSH Key
+        uses: webfactory/ssh-agent@v0.5.4
+        with:
+          ssh-private-key: ${{ secrets.RSBC_SSH_KEY }}
+
+      - name: Update Helm Test Values and Commit
+        id: helm
+        run: |
+
+          echo "Updating ${{ env.BRANCH_NAME }} helm  values to trigger ArgoCD deployment "
+
+          # Commit and push the changes
+          git config --global user.email "actions@github.com"
+          git config --global user.name "RSBC-APR GitHub Actions"
+          git clone -b ${{ env.BRANCH_NAME }} --single-branch git@github.com:bcgov-c/tenant-gitops-f0392a.git
+
+          # Navigate to the directory containing your Helm values file for the environment develop -> DEV, test -> test
+
+          cd tenant-gitops-f0392a/charts
+
+          # Update the Helm values file with the new image tag and version
+          DATETIME=$(date +'%Y-%m-%d %H:%M:%S')  # Get current date and time
+          echo "Updating tag ${{ env.IMAGE_PREFIX }}version: to ${{ steps.short_sha.outputs.SHORT_SHA }}"
+
+          sed -i "s/${{ env.IMAGE_PREFIX }}version: .*/${{ env.IMAGE_PREFIX }}version: v-${{ steps.short_sha.outputs.SHORT_SHA }} # Image Updated on $DATETIME/" ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          git add .
+
+          git add ../deploy/${{ env.VALUES_FILE }}_values.yaml
+
+          # Repackage Helm Chart      
+
+          cd gitops
+
+          helm dependency build
+
+          git add .
+
+          git commit -m "Update ${{ env.BRANCH_NAME }} image tag"
+
+          # pull any changes
+          git pull origin ${{ env.BRANCH_NAME }}
+          git push origin ${{ env.BRANCH_NAME }}  # Update the branch name as needed


To fix the issue, add a permissions block to the root of the workflow file. This block will explicitly define the permissions for the GITHUB_TOKEN, limiting its access to the minimum required for the workflow's operations. Based on the workflow's functionality, the contents: read permission is sufficient, as the workflow does not require write access to repository contents.

The permissions block should be added at the top level of the workflow file, ensuring it applies to all jobs in the workflow. This change will enhance security by restricting the GITHUB_TOKEN permissions.

shaunmillargov

Thanks Jessica

jjstratton added 18 commits May 15, 2025 14:08

updated namespace

b2287cb

syntax

0f1c1c0

took out step

7f698d2

testing out repo

4d2a9e8

updated writer

c4eda88

updated pipelines

f7b73fd

updated piepline

e8830fc

pipelines

3a8e740

updated pipelines

3c52f8b

pipelines

e3fe63e

updated naming

5792842

took out old pipelines, added trivy

9dd5cfc

added gitops build step

2f2bb43

updated env vars

0c7277a

updated path

874360d

updated path

36e908e

added gitops build step

82f07f3

added test and prod actions

11b5fe1

jjstratton requested a review from shaunmillargov June 25, 2025 13:31

jjstratton self-assigned this Jun 25, 2025

jjstratton added the DO NOT MERGE label Jun 25, 2025

github-advanced-security bot found potential problems Jun 25, 2025

View reviewed changes

shaunmillargov approved these changes Jun 25, 2025

View reviewed changes

@@ -1,2 +1,5 @@
             name: clamav-client-build-and-push-dev
+            permissions:
+              contents: write
+              packages: write

@@ -1,2 +1,5 @@
             name: web-form-build-and-push-dev
+            permissions:
+              contents: read
+              pull-requests: write

@@ -13,2 +13,5 @@
+            permissions:
+              contents: read
             env:

@@ -1,2 +1,5 @@
             name: Push to Test
+            permissions:
+              contents: write
+              packages: write

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

New namespace #361

New namespace #361

Uh oh!

jjstratton commented Jun 25, 2025

Uh oh!

sonarqubecloud bot commented Jun 25, 2025

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

shaunmillargov left a comment

Uh oh!

Uh oh!

New namespace #361

Are you sure you want to change the base?

New namespace #361

Uh oh!

Conversation

jjstratton commented Jun 25, 2025

Uh oh!

sonarqubecloud bot commented Jun 25, 2025

Quality Gate passed

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

shaunmillargov left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!