Merge branch 'main' into platform/bill/16143

.github/actions/build-vars/action.yml

@@ -170,7 +170,7 @@ runs:
             - 'frontend-react/**/!(*.md)'
             - '.github/actions/build-vars/action.yml'
             - '.github/actions/build-frontend/action.yml'
-            - '.github/workflows/frontend_ci.yml'          
+            - '.github/workflows/frontend_ci.yml'
           terraform:
             - 'operations/app/terraform/**/!(*.md)'
             - '.github/workflows/validate_terraform.yml'
@@ -215,7 +215,7 @@ runs:
         else
           echo "has_router_change=${{ steps.filter.outputs.router }}" >> $GITHUB_OUTPUT
         fi
-    
+
     - name: Determine if frontend changed
       if: github.event_name != 'schedule'
       id: frontend_change_result
@@ -234,7 +234,7 @@ runs:
           echo "has_frontend_change=${{ steps.filter.outputs.frontend_react }}" >> $GITHUB_OUTPUT
         fi
 
-    - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
+    - uses: azure/login@v2
       if: inputs.sp-creds != 'false'
       with:
         creds: ${{ inputs.sp-creds }}

.github/actions/checksum-validate/README.md

@@ -0,0 +1,94 @@
+# Checksum Validate Action
+
+[![Test Action](https://github.com/JosiahSiegel/checksum-validate-action/actions/workflows/test_action.yml/badge.svg)](https://github.com/JosiahSiegel/checksum-validate-action/actions/workflows/test_action.yml)
+
+## Synopsis
+
+1. Generate a checksum from either a string or shell command (use command substitution: `$()`).
+2. Validate if checksum is identical to input (even across multiple jobs), using a `key` to link the validation attempt with the correct generated checksum.
+   * Validation is possible across jobs since the checksum is uploaded as a workflow artifact
+
+## Usage
+
+```yml
+jobs:
+  generate-checksums:
+    name: Generate checksum
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+
+      - name: Generate checksum of string
+        uses: ./.github/actions/checksum-validate@ebdf8c12c00912d18de93c483b935d51582f9236
+        with:
+          key: test string
+          input: hello world
+
+      - name: Generate checksum of command output
+        uses: ./.github/actions/checksum-validate@ebdf8c12c00912d18de93c483b935d51582f9236
+        with:
+          key: test command
+          input: $(cat action.yml)
+
+  validate-checksums:
+    name: Validate checksum
+    needs:
+      - generate-checksums
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+
+      - name: Validate checksum of valid string
+        id: valid-string
+        uses: ./.github/actions/checksum-validate@ebdf8c12c00912d18de93c483b935d51582f9236
+        with:
+          key: test string
+          validate: true
+          fail-invalid: true
+          input: hello world
+
+      - name: Validate checksum of valid command output
+        id: valid-command
+        uses: ./.github/actions/checksum-validate@ebdf8c12c00912d18de93c483b935d51582f9236
+        with:
+          key: test command
+          validate: true
+          fail-invalid: true
+          input: $(cat action.yml)
+
+      - name: Get outputs
+        run: |
+          echo ${{ steps.valid-string.outputs.valid }}
+          echo ${{ steps.valid-command.outputs.valid }}
+```
+
+## Workflow summary
+
+### ✅ test string checksum valid ✅
+
+### ❌ test string checksum INVALID ❌
+
+## Inputs
+
+```yml
+inputs:
+  validate:
+    description: Check if checksums match
+    default: false
+  key:
+    description: String to keep unique checksums separate
+    required: true
+  fail-invalid:
+    description: Fail step if invalid checksum
+    default: false
+  input:
+    description: String or command for checksum
+    required: true
+```
+
+## Outputs
+```yml
+outputs:
+  valid:
+    description: True if checksums match
+```

.github/actions/checksum-validate/action.yml

@@ -0,0 +1,111 @@
+# action.yml
+name: Checksum Validate Action
+description: Generate and validate checksums
+branding:
+  icon: 'lock'
+  color: 'orange'
+inputs:
+  validate:
+    description: Check if checksums match
+    default: false
+  key:
+    description: String to keep unique checksums separate
+    required: true
+  fail-invalid:
+    description: Fail step if invalid checksum
+    default: false
+  input:
+    description: String or command for checksum
+    required: true
+outputs:
+  valid:
+    description: True if checksums match
+    value: ${{ steps.validate_checksum.outputs.valid }}
+
+runs:
+  using: "composite"
+  steps:
+
+    # CHECKSUM START
+    - name: Generate SHA
+      uses: nick-fields/[email protected]
+      with:
+        max_attempts: 5
+        retry_on: any
+        timeout_seconds: 10
+        retry_wait_seconds: 15
+        command: |
+          function fail {
+              printf '%s\n' "$1" >&2
+              exit "${2-1}"
+          }
+          input_cmd="${{ inputs.input }}" || fail
+          sha="$(echo "$input_cmd" | sha256sum)"
+          echo "sha=$sha" >> $GITHUB_ENV
+          echo "success=true" >> $GITHUB_ENV
+
+    - name: Get input SHA
+      if: env.success
+      id: input_sha
+      shell: bash
+      run: echo "sha=${{ env.sha }}" >> $GITHUB_OUTPUT
+
+    - name: Get input SHA
+      if: env.success != 'true'
+      shell: bash
+      run: |
+        echo "failed to generate sha"
+        exit 1
+    # CHECKSUM END
+
+    # UPLOAD FILE START
+    - name: Create checksum file
+      if: inputs.validate != 'true'
+      shell: bash
+      run: |
+        echo "${{ steps.input_sha.outputs.sha }}" > "${{ github.sha }}-${{ inputs.key }}.txt"
+
+    - name: Upload checksum file
+      if: inputs.validate != 'true'
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+      with:
+        name: "${{ github.sha }}-${{ inputs.key }}.txt"
+        path: "${{ github.sha }}-${{ inputs.key }}.txt"
+        retention-days: 5
+    # UPLOAD FILE END
+
+    # VALIDATE FILE START
+    - name: Download checksum file
+      if: inputs.validate == 'true'
+      uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
+      with:
+        name: "${{ github.sha }}-${{ inputs.key }}.txt"
+
+    - name: Validate pre and post checksums
+      if: inputs.validate == 'true'
+      id: validate_checksum
+      shell: bash
+      run: |
+        echo "${{ steps.input_sha.outputs.sha }}" > "${{ github.sha }}-${{ inputs.key }}-2.txt"
+        DIFF=$(diff -q "${{ github.sha }}-${{ inputs.key }}-2.txt" "${{ github.sha }}-${{ inputs.key }}.txt") || true
+        codevalid=true
+        if [ "$DIFF" != "" ]
+        then
+          codevalid=false
+        fi
+        echo "valid=$codevalid" >> $GITHUB_OUTPUT
+
+    - name: Create summary
+      if: inputs.validate == 'true'
+      run: |
+        # Use ternary operator to assign emoji based on validity
+        emoji=${{ steps.validate_checksum.outputs.valid == 'true' && '✅' || '❌' }}
+        valid=${{ steps.validate_checksum.outputs.valid == 'true' && 'valid' || 'INVALID' }}
+        echo "### $emoji ${{ inputs.key }} checksum $valid $emoji" >> $GITHUB_STEP_SUMMARY
+      shell: bash
+    # VALIDATE FILE END
+
+    - name: Fail if invalid checksum
+      if: inputs.validate == 'true' && steps.validate_checksum.outputs.valid == 'false' && inputs.fail-invalid == 'true'
+      run: exit 1
+      shell: bash

.github/actions/deploy-backend/action.yml

@@ -332,10 +332,7 @@ runs:
 
     - name: Validate function app checksum
       if: inputs.checksum-validation == 'true'
-
-      uses: JosiahSiegel/checksum-validate-action@ebdf8c12c00912d18de93c483b935d51582f9236
-      ## DevSecOps - Aquia (Replace) uses: ./.github/actions/checksum-validate-action
-
+      uses: ./.github/actions/checksum-validate
       with:
         key: backend
         validate: true

.github/actions/vpn-azure/action.yml

@@ -63,7 +63,7 @@ runs:
         fi
       shell: bash
 
-    - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
+    - uses: azure/login@v2
       if: inputs.sp-creds
       with:
         creds: ${{ inputs.sp-creds }}

.github/dependabot.yml

@@ -125,6 +125,11 @@ updates:
     schedule:
       interval: "daily"
 
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/checksum-validate"
+    schedule:
+      interval: "daily"
+
   # Frontend
   - package-ecosystem: "npm"
     directory: "/frontend-react"

.github/workflows/alert_cert_expire.yml

@@ -5,6 +5,9 @@ on:
     # The workflow runs every day at 8:07am
     - cron: "7 13 * * *"  #UTC-5
 
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   check-certificates:
     runs-on: ubuntu-latest
@@ -23,7 +26,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Add Runner IP to Key Vault Firewall
         run: |
@@ -48,7 +51,7 @@ jobs:
           echo "LIST<<$EOF" >> $GITHUB_OUTPUT
           cat certificates.json >> $GITHUB_OUTPUT
           echo "$EOF" >> $GITHUB_OUTPUT
-      
+
       - name: Slack Notification
         if: ${{ steps.format_out.outputs.LIST  != '' }}
         uses: ./.github/actions/notifications

.github/workflows/alert_resource_costs.yml

@@ -7,6 +7,7 @@ on:
 env:
   ALERT_THRESHOLD: 60
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
 
 jobs:
   alert_costs:
@@ -23,7 +24,7 @@ jobs:
       - name: Login into Azure
         uses: ./.github/actions/vpn-azure
         with:
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Run Az Cost CLI
         id: az-cost
@@ -59,7 +60,7 @@ jobs:
           message: |
             Resource Group \`${{ matrix.rg }}\` is exceeding the cost threshold and is ${{ steps.env-age.outputs.age_in_days }} days old.
             If still running and no longer needed, please [destroy](https://github.com/CDCgov/prime-reportstream/actions/workflows/destroy_demo_environment.yml).
-            
+
             * **Cost per day: 💲${{ steps.az-cost.outputs.result }}**
             * **Provisioned by: \`${{ steps.last-pusher.outputs.username }}\`**
             * **Last Change Date: \`${{ steps.last-pusher.outputs.last_change_date }}\`**

.github/workflows/alert_terraform_changes.yml

@@ -4,6 +4,10 @@ on:
   schedule:
     # The workflow runs every day at 8:20am
     - cron: "7 13 * * *"  #UTC-5
+
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   alert_tf_changes:
     name: Check Terraform plan for ${{ matrix.env }}
@@ -24,7 +28,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
           tf-auth: true
 
       - name: Collect Terraform stats

.github/workflows/build_hub.yml

@@ -21,6 +21,7 @@ env:
   # These are for CI and not credentials of any system
   DB_USER: prime
   DB_PASSWORD: changeIT!
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
 
 jobs:
   pre_job:
@@ -64,7 +65,7 @@ jobs:
           version: ${{ github.run_id }}
           upload-build: false
           run-integration-tests: true
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Generate New Schema Docs
         working-directory: ./