
Merge main into production for deployment #302

Merged
aaronfowles merged 33 commits into production from main
Sep 24, 2025

Conversation

@aaronfowles
Contributor

@aaronfowles aaronfowles commented Sep 18, 2025

There are many commits in this release as there have been many commits to main without a corresponding release to production for around 8 months.

Staging env has all of these changes and seems to be running fine throughout my manual testing. Automated tests are also still all passing.

The downside to releasing by a merge into another branch is that we don't get the nice commit summary compared to if we created a tagged release but that is the way the repo is setup currently.

Nyzl and others added 30 commits February 3, 2025 15:00
docs: improve README deployment section
Bumps [on-headers](https://github.com/jshttp/on-headers) to 1.1.0 and updates ancestor dependency [express-session](https://github.com/expressjs/session). These dependencies need to be updated together.


Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases)
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md)
- [Commits](jshttp/on-headers@v1.0.2...v1.1.0)

Updates `express-session` from 1.18.1 to 1.18.2
- [Release notes](https://github.com/expressjs/session/releases)
- [Changelog](https://github.com/expressjs/session/blob/master/HISTORY.md)
- [Commits](expressjs/session@v1.18.1...v1.18.2)

---
updated-dependencies:
- dependency-name: on-headers
  dependency-version: 1.1.0
  dependency-type: indirect
- dependency-name: express-session
  dependency-version: 1.18.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [form-data](https://github.com/form-data/form-data) and [@cypress/request](https://github.com/cypress-io/request). These dependencies needed to be updated together.

Updates `form-data` from 4.0.0 to 4.0.4
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.0...v4.0.4)

Updates `@cypress/request` from 3.0.1 to 3.0.8
- [Release notes](https://github.com/cypress-io/request/releases)
- [Changelog](https://github.com/cypress-io/request/blob/master/CHANGELOG.md)
- [Commits](cypress-io/request@v3.0.1...v3.0.8)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 4.0.4
  dependency-type: indirect
- dependency-name: "@cypress/request"
  dependency-version: 3.0.8
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tmp](https://github.com/raszi/node-tmp) from 0.2.1 to 0.2.4.
- [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
- [Commits](raszi/node-tmp@v0.2.1...v0.2.4)

---
updated-dependencies:
- dependency-name: tmp
  dependency-version: 0.2.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…acb442647

chore(deps): bump on-headers and express-session
chore(deps-dev): bump tmp from 0.2.1 to 0.2.4
…ce0825ddf

chore(deps): bump form-data and @cypress/request
Bumps [axios](https://github.com/axios/axios) from 1.7.4 to 1.8.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.7.4...v1.8.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.8.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…mock/axios-1.8.2

chore(deps): bump axios from 1.7.4 to 1.8.2 in /signon-mock
Bumps [axios](https://github.com/axios/axios) from 1.7.4 to 1.8.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.7.4...v1.8.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.8.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [form-data](https://github.com/form-data/form-data) from 4.0.0 to 4.0.4.
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.0...v4.0.4)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
….8.2

chore(deps): bump axios from 1.7.4 to 1.8.2
…mock/form-data-4.0.4

chore(deps): bump form-data from 4.0.0 to 4.0.4 in /signon-mock
Bumps  and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together.

Updates `brace-expansion` from 2.0.1 to 2.0.2
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.1...v2.0.2)

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.1...v2.0.2)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 2.0.2
  dependency-type: indirect
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…mock/multi-c22e25d29b

chore(deps): bump brace-expansion in /signon-mock
…service attacks

This addresses a CodeQL issue which flagged that the auth routes were not covered by rate-limiting.
A global limit on all routes was chosen as reasonable use of the app functionality shouldn't require many server calls
(once logged in data is fetched only at the user's request). A limit of 20 requests per IP seemed suitable in order
to not interfere with genuine use of the tool while providing some protection against denial-of-service.
fix: IA-1609 implement request rate-limiting per CodeQL issue #24
…n behind GCP load-balancer

'trust proxy' must be set to 2 when deployed behind GCP load-balancing in order to correctly
identify the requestor's IP address rather than that of the load-balancer. This is required for per-user rate-limiting.
See also - https://cloud.google.com/load-balancing/docs/https#x-forwarded-for_header
…bal-rate-limiting

fix: IA-1609 - configure trust proxy setting to find requestor IP when behind GCP load-balancer
IA-1609: move setting the trust proxy to before middleware init
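The two commit messages above, the global per-IP limit of 20 requests and `trust proxy` set to 2 behind the GCP load balancer, worked through in code. This is an added example and not the repository's code: it reimplements the hop-count semantics of Express's numeric `trust proxy` setting in a standalone `clientIp` function (hop 0 is the TCP peer, hop 1 the rightmost `X-Forwarded-For` entry, and the first untrusted hop is reported as the client) so the effect on rate limiting can be seen without the framework. The `IpRateLimiter` class, the 15-minute window, the `simulate` helper and all IP addresses are constructed for illustration; no rate-limiting library is assumed.

```javascript
// Added example, not code from the repository. Reimplements the hop-count
// semantics of Express's numeric 'trust proxy' setting (hop 0 is the TCP peer,
// hop 1 the rightmost X-Forwarded-For entry, and so on; the first hop outside
// the trusted count is reported as the client) so the effect on per-IP rate
// limiting behind a load balancer can be exercised without the framework.

/**
 * Resolve the client address the way Express does for app.set('trust proxy', n).
 * @param {string} socketAddr  address of the TCP peer (hop 0)
 * @param {string|undefined} xffHeader  raw X-Forwarded-For header value
 * @param {number} trustHops  number of nearest hops to trust
 */
function clientIp(socketAddr, xffHeader, trustHops) {
  // Build the hop list nearest-first: peer, then X-Forwarded-For right to left.
  const hops = [socketAddr];
  if (xffHeader) {
    const entries = xffHeader.split(',').map((s) => s.trim()).filter(Boolean);
    for (let i = entries.length - 1; i >= 0; i--) hops.push(entries[i]);
  }
  // Skip trusted hops; stop at the first untrusted one or at the last entry.
  let i = 0;
  while (i < hops.length - 1 && i < trustHops) i++;
  return hops[i];
}

/**
 * Fixed-window limiter keyed on the resolved client IP. max = 20 is the
 * figure from the commit message; the window length is an assumption.
 */
class IpRateLimiter {
  constructor({ max = 20, windowMs = 15 * 60 * 1000, trustHops = 2 } = {}) {
    this.max = max;
    this.windowMs = windowMs;
    this.trustHops = trustHops;
    this.buckets = new Map(); // key (client IP) -> { count, resetAt }
  }

  // Account for one request; `now` is injectable so runs are deterministic.
  check(socketAddr, xffHeader, now = Date.now()) {
    const key = clientIp(socketAddr, xffHeader, this.trustHops);
    let bucket = this.buckets.get(key);
    if (!bucket || now >= bucket.resetAt) {
      bucket = { count: 0, resetAt: now + this.windowMs };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    return {
      key,
      allowed: bucket.count <= this.max,
      remaining: Math.max(0, this.max - bucket.count),
    };
  }
}

// Constructed traffic: two clients behind one GCP HTTPS load balancer. The
// balancer appends its forwarding-rule address to X-Forwarded-For and the
// app's TCP peer is the balancer's proxy, so both clients share hops 0 and 1.
const LB_PEER = '10.0.0.5';          // constructed: proxy address on the socket
const LB_FRONTEND = '203.0.113.10';  // constructed: forwarding-rule external IP
const CLIENT_A = '198.51.100.7';     // constructed
const CLIENT_B = '198.51.100.8';     // constructed

// Client A uses up its allowance, then client B makes a single request.
// Returns B's verdict, which depends entirely on how many hops are trusted.
function simulate(trustHops) {
  const limiter = new IpRateLimiter({ max: 20, trustHops });
  const now = 1_000_000;
  for (let n = 0; n < 20; n++) {
    limiter.check(LB_PEER, `${CLIENT_A}, ${LB_FRONTEND}`, now);
  }
  return limiter.check(LB_PEER, `${CLIENT_B}, ${LB_FRONTEND}`, now);
}

console.log('trust proxy 1:', simulate(1)); // key is the balancer; B is blocked
console.log('trust proxy 2:', simulate(2)); // key is B's own address; B is allowed
```

With `trustHops` of 1 every request keys on the balancer's address, so one busy client exhausts the bucket for everyone behind it; with 2, the value the commit chose for GCP, each client gets its own bucket. The count should equal the number of proxies in front of the app and no more: a higher count walks past the balancer's entry into the part of `X-Forwarded-For` the app did not set, which `clientIp` shows by returning the leftmost entry once every hop is trusted.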
Comment thread .github/workflows/actionlint.yml Fixed
@aaronfowles aaronfowles marked this pull request as draft September 18, 2025 12:33
@aaronfowles
Contributor Author

Converting to draft while the flagged codeql issue is addressed - PR here

The workflows currently have unlimited read/write permissions. This change sets all permissions to contents:read unless explicitly required by a specific action.
Both the actions/create-release@v1 and rickstaa/action-create-tag@v1 actions need to make changes to the repo for release.
Docs showing required permissions for creating releases and tags:
https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents

This addresses https://github.com/alphagov/govuk-knowledge-graph-search/security/code-scanning/1.
…ons_issue

ci: explicitly set required permissions on GitHub Actions Workflows
@aaronfowles aaronfowles marked this pull request as ready for review September 22, 2025 15:29
Contributor

@JonathanHallam JonathanHallam left a comment


I'm approving this because it's working in staging but may the record reflect that I'm deeply unhappy with this deploy pattern and we need to get a ci/cd pipeline running so we don't have to do stuff like this

@aaronfowles aaronfowles merged commit 25ea878 into production Sep 24, 2025
12 of 13 checks passed
7 participants