Release v1.9-20260304 — Security Patch

.github/workflows/deploy.dev.yml

@@ -50,15 +50,18 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@v3.5.3          
-      -
-        name: Update Cloud Foundry Public Key and Repository
-        run: |
-          wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo gpg --dearmor -o /usr/share/keyrings/cli.cloudfoundry.org.gpg
-          echo "deb [signed-by=/usr/share/keyrings/cli.cloudfoundry.org.gpg] https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list
-          sudo apt-get update
       -
         name: Install Cloud Foundry CLI
-        run: sudo apt-get install -y cf8-cli
+        run: |
+          # Download CF CLI v8 directly (avoids flaky Debian repo/GitHub CDN 500s)
+          for i in 1 2 3; do
+            curl -fsSL "https://packages.cloudfoundry.org/stable?release=linux64-binary&version=v8&source=github" -o /tmp/cf-cli.tgz && break
+            echo "Retry $i: CF CLI download failed, retrying in 10s..."
+            sleep 10
+          done
+          tar -xzf /tmp/cf-cli.tgz -C /tmp
+          sudo install /tmp/cf8 /usr/local/bin/cf
+          cf version
       -
         name: Cloud Foundry Login
         env:

Dockerfile

@@ -1,19 +1,23 @@
-## Node Building Image
+# Node Building Image
 FROM node:20
 
-# create app directory
+# Install Python and required packages
+RUN apt-get update && apt-get install -y \
+    python3 \
+    python3-pip \
+    python3-venv \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create app directory
 WORKDIR /opt/api
 
-# install app dependencies
+# Install app dependencies
 COPY package*.json ./
 COPY .sequelizerc ./
 COPY .snyk ./
 
-# Running it locally you need to set the JWT_SECRET environment variable: 
-# ENV JWT_SECRET=abc123
-
+# Setup logging
 RUN touch winston.log.json
-
 RUN yarn cache clean
 
 # Get environment argument passed in
@@ -25,36 +29,35 @@ ENV NODE_ENV=${environment:-$default_environment}
 
 # Set SNYK TOKEN environment variable
 ARG SNYK_TOKEN
-ENV SNYK_TOKEN ${SNYK_TOKEN}
+ENV SNYK_TOKEN=${SNYK_TOKEN}
 RUN yarn global add snyk@latest
-RUN snyk auth ${SNYK_TOKEN}
-
+RUN snyk auth "$SNYK_TOKEN"
 
 # Check environment and install dependencies
-# Note: When the NODE_ENV environment variable is set to 'production' npm 
-#       will not install modules listed in devDependencies
-# Reference: https://docs.npmjs.com/cli/v8/commands/npm-install
 RUN yarn install
 
+# Create and activate Python virtual environment
+RUN python3 -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+# Install ML package in virtual environment
+RUN pip3 install git+https://github.com/GSA/srt-ml.git@dev
+
 # Bundle app source
 COPY server/ ./server
 
-
 # Get Login.gov Certs
 COPY bin/copy_certs.sh ./
 COPY certs/ ./certs
-
-
 ARG LOGIN_PRIVATE_KEY
 ENV LOGIN_PRIVATE_KEY=${LOGIN_PRIVATE_KEY}
 RUN /opt/api/copy_certs.sh
 
-
-#see https://docs.cloudfoundry.org/devguide/deploy-apps/push-docker.html
+# See https://docs.cloudfoundry.org/devguide/deploy-apps/push-docker.html
 COPY docker/conf/passwd /etc/passwd
 
-# expose port
+# Expose port
 EXPOSE 8080
 
-# start app
+# Start app
 CMD [ "node", "server/server.js" ]

cf/manifest.dev.yml

@@ -2,7 +2,7 @@
 applications:
 - name: srt-api-dev
   memory: 512M
-  disk_quota: 2048M
+  disk_quota: 4096M  # Increased from 2048M
 #  health-check-type: process # don't re-enable....move to port 8080 if you have problems
   instances: 1
   env: