Merge branch 'main' into chore/package_prisma

Author: bryan-robitaille

.github/workflows/internal_packages_publish.yml

@@ -6,6 +6,9 @@ on:
       - main
     paths:
       - "packages/**/package.json"
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
 
 jobs:
   publish-internal-packages:
@@ -15,7 +18,7 @@ jobs:
       - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           fetch-depth: 2
-          
+
       - name: Node.JS Setup
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
@@ -37,5 +40,3 @@ jobs:
             yarn npm publish --access public
             cd ../..
           done
-        env:
-          YARN_NPM_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}

.github/workflows/pr-review-client-deploy.yml

@@ -22,6 +22,8 @@ env:
   COGNITO_USER_POOL_ID: ${{ secrets.STAGING_COGNITO_USER_POOL_ID}}
   GITHUB_SHA: ${{ github.sha }}
   HCAPTCHA_SITE_KEY: ${{ vars.STAGING_HCAPTCHA_SITE_KEY }}
+  ZITADEL_URL: https://auth.forms-staging.cdssandbox.xyz
+  API_URL: https://api.forms-staging.cdssandbox.xyz
 
 permissions:
   id-token: write
@@ -71,6 +73,8 @@ jobs:
             --build-arg COGNITO_APP_CLIENT_ID=$COGNITO_APP_CLIENT_ID \
             --build-arg COGNITO_USER_POOL_ID=$COGNITO_USER_POOL_ID \
             --build-arg HCAPTCHA_SITE_KEY=$HCAPTCHA_SITE_KEY \
+            --build-arg ZITADEL_URL=$ZITADEL_URL \
+            --build-arg API_URL=$API_URL \
             --build-arg NEXT_DEPLOYMENT_ID=$GITHUB_SHA .
 
       - name: Push Docker image to ECR
@@ -123,10 +127,15 @@ jobs:
             aws lambda wait function-active --function-name $FUNCTION_NAME-$PR_NUMBER
             aws lambda add-permission \
               --function-name $FUNCTION_NAME-$PR_NUMBER \
-              --statement-id FunctionURLAllowPublicAccess \
+              --statement-id AllowPublicInvokeFunctionUrl \
               --action lambda:InvokeFunctionUrl \
               --principal "*" \
               --function-url-auth-type NONE > /dev/null 2>&1
+            aws lambda add-permission \
+              --function-name $FUNCTION_NAME-$PR_NUMBER \
+              --statement-id AllowPublicInvokeFunction \
+              --action lambda:InvokeFunction \
+              --principal "*" > /dev/null 2>&1
 
             URL="$(aws lambda create-function-url-config --function-name $FUNCTION_NAME-$PR_NUMBER --auth-type NONE | jq .FunctionUrl)"
             echo "URL=$URL" >> $GITHUB_ENV

.github/workflows/prod-build-push-container.yml

@@ -12,6 +12,8 @@ env:
   COGNITO_APP_CLIENT_ID: ${{secrets.PRODUCTION_COGNITO_APP_CLIENT_ID}}
   COGNITO_USER_POOL_ID: ${{ secrets.PRODUCTION_COGNITO_USER_POOL_ID}}
   HCAPTCHA_SITE_KEY: ${{ vars.PRODUCTION_HCAPTCHA_SITE_KEY }}
+  ZITADEL_URL: https://auth.forms-formulaires.alpha.canada.ca
+  API_URL: https://api.forms-formulaires.alpha.canada.ca
 
 permissions:
   id-token: write
@@ -33,6 +35,8 @@ jobs:
           --build-arg COGNITO_USER_POOL_ID=$COGNITO_USER_POOL_ID \
           --build-arg INDEX_SITE=true \
           --build-arg HCAPTCHA_SITE_KEY=$HCAPTCHA_SITE_KEY \
+          --build-arg ZITADEL_URL=$ZITADEL_URL \
+          --build-arg API_URL=$API_URL \
           --build-arg NEXT_DEPLOYMENT_ID=$TAG_VERSION .
 
       - name: Configure AWS credentials using OIDC

.github/workflows/s3-backup.yml

@@ -5,6 +5,7 @@ on:
     - cron: "0 6 * * *"
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
@@ -19,22 +20,17 @@ jobs:
         persist-credentials: false
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
       with:
-        aws-access-key-id: ${{ secrets.AWS_S3_BACKUP_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.AWS_S3_BACKUP_SECRET_ACCESS_KEY }}
+        role-to-assume: ${{ secrets.AWS_S3_BACKUP_IAM_ROLE_ARN }}
+        role-session-name: S3Backup
         aws-region: ca-central-1
 
-    - name: Create ZIP bundle
+    - name: Upload zip to S3 bucket
       run: |
         ZIP_FILE=`basename ${{ github.repository }}`-`date '+%Y-%m-%d'`.zip
         zip -rq "${ZIP_FILE}" .
-        mkdir -p ${{ github.repository }}
-        mv "${ZIP_FILE}" ${{ github.repository }}
-
-    - name: Upload to S3 bucket
-      run: |
-        aws s3 sync . s3://${{ secrets.AWS_S3_BACKUP_BUCKET }} --exclude='*' --include='${{ github.repository }}/*'
+        aws s3 cp "${ZIP_FILE}" s3://${{ secrets.AWS_S3_BACKUP_BUCKET }}/${{ github.repository }}/"${ZIP_FILE}"
 
     - name: Notify Slack channel if this job failed
       if: ${{ failure() }}

.github/workflows/staging-build-push-container.yml

@@ -17,6 +17,8 @@ env:
   COGNITO_APP_CLIENT_ID: ${{secrets.STAGING_COGNITO_APP_CLIENT_ID}}
   COGNITO_USER_POOL_ID: ${{ secrets.STAGING_COGNITO_USER_POOL_ID}}
   HCAPTCHA_SITE_KEY: ${{ vars.STAGING_HCAPTCHA_SITE_KEY }}
+  ZITADEL_URL: https://auth.forms-staging.cdssandbox.xyz
+  API_URL: https://api.forms-staging.cdssandbox.xyz
 
 permissions:
   id-token: write
@@ -36,6 +38,8 @@ jobs:
             --build-arg COGNITO_APP_CLIENT_ID=$COGNITO_APP_CLIENT_ID \
             --build-arg COGNITO_USER_POOL_ID=$COGNITO_USER_POOL_ID \
             --build-arg HCAPTCHA_SITE_KEY=$HCAPTCHA_SITE_KEY \
+            --build-arg ZITADEL_URL=$ZITADEL_URL \
+            --build-arg API_URL=$API_URL \
             --build-arg NEXT_DEPLOYMENT_ID=$GITHUB_SHA .
 
       - name: Configure AWS credentials using OIDC

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "4.3.0"
+  ".": "4.5.0"
 }