Merge pull request #432 from open-plan-tool/fix/security

Update project dependencies

Author: paulapreuss

.envs/epa.postgres

@@ -1,6 +1,6 @@
 EPA_SECRET_KEY=v@p9^=@lc3#1u_xtx*^xhrv0f3fli1(+8ik^k@g-_bzmexb0$7n
 DEBUG=False
-TRUSTED_HOST=127.0.0.1:8080
+TRUSTED_HOST=http://127.0.0.1:8000
 EMAIL_HOST_IP=127.0.0.1
 USE_PROXY=False
 PROXY_ADDRESS=http://proxy_address:port

.github/dependabot.yml

@@ -0,0 +1,33 @@
+# Config for Dependabot updates. See Documentation here:
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # Update GitHub actions in workflows
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'monthly'
+
+  # Enable version updates for Docker
+  # We need to specify each Dockerfile in a separate entry because Dependabot doesn't
+  # support wildcards or recursively checking subdirectories. Check this issue for updates:
+  # https://github.com/dependabot/dependabot-core/issues/2178
+  - package-ecosystem: 'docker'
+    # Look for a `Dockerfile` in the directory
+    directory: 'app/compose/production/app_postgres/'
+    schedule:
+      interval: 'monthly'
+    ignore:
+      - dependency-name: '*'
+        update-types:
+          - 'version-update:semver-major'
+          - 'version-update:semver-minor'
+
+  # Enable version updates for Python/Pip - Production
+  - package-ecosystem: 'pip'
+    # Look for a `requirements.txt` in the `root` directory
+    # also 'setup.cfg', '.python-version' and 'requirements/*.txt'
+    directory: '/'
+    schedule:
+      interval: 'monthly'

.github/workflows/black_linter.yml

@@ -0,0 +1,60 @@
+name: CI
+
+# Enable Buildkit and let compose use it to speed up image building
+env:
+  DOCKER_BUILDKIT: 1
+  COMPOSE_DOCKER_CLI_BUILD: 1
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths-ignore:
+      - "README.md"
+
+  push:
+    branches: ["main"]
+    paths-ignore:
+      - "README.md"
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  linter:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code Repository
+        uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version-file: '.python-version'
+
+      - name: Run pre-commit
+        uses: pre-commit/action@v3.0.1
+        with:
+          extra_args: --config app/.pre-commit-config.yaml --files $(git ls-files app)
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code Repository
+        uses: actions/checkout@v6
+
+      - name: Build the Stack
+        run: docker compose -f docker-compose-local.yml build app_pg
+
+      - name: Check DB Migrations
+        run: docker compose -f docker-compose-local.yml run --rm app_pg python manage.py makemigrations --check
+
+      - name: Run DB Migrations
+        run: docker compose -f docker-compose-local.yml run --rm app_pg python manage.py migrate
+
+      - name: Run Tests
+        run: docker compose -f docker-compose-local.yml run --rm app_pg python manage.py test
+
+      - name: Tear down the Stack
+        if: always()
+        run: docker compose -f docker-compose-local.yml down

.github/workflows/ci.yml

@@ -0,0 +1,58 @@
+name: Tag release on prod
+
+on:
+  push:
+    branches: ['production']
+
+permissions:
+  contents: write
+
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout (full history for tags)
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Read version from epa/settings.py
+        id: version
+        run: |
+          set -euo pipefail
+          VERSION=$(python - <<'PY'
+          import re
+          p = "epa/settings.py"
+          s = open(p, "r", encoding="utf-8").read()
+          m = re.search(r'APP_VERSION_NUMBER\s*=\s*"([^"]+)"', s)
+          if not m:
+              raise SystemExit(f"Could not find APP_VERSION_NUMBER in {p}")
+          print(m.group(1))
+          PY
+                    )
+                    echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+                    echo "Detected version: $VERSION"
+
+      - name: Create and push tag if missing
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          set -euo pipefail
+          TAG="v${VERSION}"
+
+          # If tag already exists locally or remotely, do nothing
+          if git rev-parse -q --verify "refs/tags/${TAG}" >/dev/null; then
+            echo "Tag ${TAG} already exists (local)."
+            exit 0
+          fi
+          if git ls-remote --tags origin "${TAG}" | grep -q "${TAG}"; then
+            echo "Tag ${TAG} already exists (remote)."
+            exit 0
+          fi
+
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          git tag -a "${TAG}" -m "Release ${TAG}"
+          git push origin "${TAG}"
+          echo "Pushed tag ${TAG}"

.github/workflows/tag-on-prod.yml

@@ -0,0 +1 @@
+3.12

.python-version

@@ -21,7 +21,7 @@ This repository contains the code for the user interface. The simulations are pe
 
 Prior to be able to develop locally, you might need to install postgres, simply google `install postgres` followed by your os name (`linux/mac/windows`)
 
-1. Create a virtual environment
+1. Create a virtual environment using `python=3.12`
 2. Activate your virtual environment
 3. Move to the `app` folder with `cd app`
 4. Install local development dependencies with `pip install -r requirements/local.txt`
@@ -35,18 +35,18 @@ SQL_HOST=localhost
 SQL_PORT=5432
 TRUSTED_HOST=http://127.0.0.1:8000
 DEBUG=(True|False)
-MVS_HOST_API=<the simulation server you wish to use>
+MVS_API_HOST=<the simulation server you wish to use>
 ```
-6. Execute the `local_setup.sh` file (`. local_setup.sh` on linux/mac `bash local_setup.sh` on windows) you might have to make it executable first. Answer yes to the question
-7. Start the local server with `python manage.py runserver`
-8. You can then login with `testUser` and `ASas12,.` or create your own account
+6. Set up pre-commit hooks with `pre-commit install`
+7. Execute the `local_setup.sh` file (`. local_setup.sh` on linux/mac `bash local_setup.sh` on windows) you might have to make it executable first. Answer yes to the question
+8. Start the local server with `python manage.py runserver`
+9. You can then login with `testUser` and `ASas12,.` or create your own account
 
 ## Deploy using Docker Compose
 The following commands should get everything up and running, using the web based version of the MVS API.
 
 You need to be able to run docker-compose inside your terminal. If you can't you should install [Docker desktop](https://www.docker.com/products/docker-desktop/) first.
 
-
 * Clone the repository locally `git clone --single-branch --branch main https://github.com/open-plan-tool/gui.git open_plan_gui`
 * Move inside the created folder (`cd open_plan_gui`)
 * Edit the `.envs/epa.postgres` and `.envs/db.postgres` environment files
@@ -55,20 +55,21 @@ You need to be able to run docker-compose inside your terminal. If you can't you
    * The value assigned to the variables `POSTGRES_DB`, `POSTGRES_USER`, `POSTGRES_PASSWORD` in `.envs/db.postgres` should match the ones of
    the variables `SQL_DATABASE`, `SQL_USER`, `SQL_PASSWORD` in `.envs/epa.postgres`, respectively
 
-   * Define an environment variable `MVS_HOST_API` in `.envs/epa.postgres` and set the url of the simulation server
+   * Define an environment variable `MVS_API_HOST` in `.envs/epa.postgres` and set the url of the simulation server
    you wish to use for your models (for example `MVS_API_HOST="<url to your favorite simulation server>"`), you can deploy your own [simulation server](https://github.com/open-plan-tool/simulation-server) locally if you need
 
     * Assign the domain of your website (including `http://` or `https://`) to `TRUSTED_HOST` , see https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins for more information
 
 Next you can either provide the following commands inside a terminal (with ubuntu you might have to prepend `sudo`)
-* `docker-compose --file=docker-compose-postgres.yml up -d --build`
-* `docker-compose --file=docker-compose-postgres.yml exec -u root app_pg sh initial_setup.sh` (this will also load a default testUser account with sample scenario).
+* `docker-compose --file=docker-compose-local.yml up -d --build`
+* `docker-compose --file=docker-compose-local.yml exec -u root app_pg sh initial_setup.sh` (this will also load a default testUser account with sample scenario).
+
 
 Or you can run a python script with the following command
 * `python deploy.py`
 
 Finally
-* Open browser and navigate to http://localhost:8080: you should see the login page of the open_plan app
+* Open browser and navigate to http://localhost:8000: you should see the login page of the open_plan app
 * You can then login with `testUser` and `ASas12,.` or create your own account
 
 ### Proxy settings (optional)
@@ -85,7 +86,7 @@ If you use a proxy you will need to set `USE_PROXY=True` and edit `PROXY_ADDRESS
 ## Tear down (uninstall) docker containers
 To remove the application (including relevant images, volumes etc.), one can use the following commands in terminal:
 
-`docker-compose down --file=docker-compose-postgres.yml -v`
+`docker-compose down --file=docker-compose-local.yml -v`
 
 you can add `--rmi local` if you wish to also remove the images (this will take you a long time to rebuild the docker containers from scratch if you want to redeploy the app later then)
 

README.md

@@ -12,7 +12,6 @@ package-lock.json
 Pipfile
 Pipfile.lock
 webpack.config.js
-.babelrc.json
 .dockerignore
 
 # **

app/.babelrc.json

@@ -3,25 +3,45 @@
 
 exclude: 'docs|node_modules|vendors|migrations|.git|.tox'
 default_stages: [pre-commit]
-fail_fast: true
+minimum_pre_commit_version: "3.2.0"
+
+default_language_version:
+  python: python3.12
 
 repos:
--   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.2.0
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
     hooks:
-    -   id: trailing-whitespace
-    -   id: end-of-file-fixer
-    -   id: check-yaml
-    -   id: check-json
-    -   id: check-added-large-files
-    -   id: requirements-txt-fixer
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-json
+      - id: check-toml
+      - id: check-xml
+      - id: check-yaml
+      - id: debug-statements
+      - id: check-case-conflict
+      - id: check-docstring-first
+      - id: detect-private-key
 
--   repo: https://github.com/pre-commit/mirrors-jshint
-    rev: v2.13.6
+  # Run the Ruff linter.
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.9.3
     hooks:
-    - id: jshint
+      # Linter
+#      - id: ruff
+#        args: [--fix, --exit-non-zero-on-fix]
+      # Formatter
+      - id: ruff-format
 
--   repo: https://github.com/psf/black
-    rev: 24.8.0
-    hooks:
-    -   id: black
+## Run the djLint linter
+#  - repo: https://github.com/djlint/djLint
+#    rev: v1.36.4
+#    hooks:
+#      - id: djlint-reformat-django
+#      - id: djlint-django
+
+# sets up .pre-commit-ci.yaml to ensure pre-commit dependencies stay up to date
+ci:
+  autoupdate_schedule: monthly
+  skip: []
+  submodules: false