Install rails template

.github/workflows/ci-app-rails.yml

@@ -0,0 +1,46 @@
+name: CI app-rails
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - app-rails/**
+      - .github/workflows/ci-app-rails.yml
+  pull_request:
+    paths:
+      - app-rails/**
+      - .github/workflows/ci-app-rails.yml
+
+defaults:
+  run:
+    working-directory: ./app-rails
+
+jobs:
+  # As an enhancement, it is possible to share the built docker image and share
+  # it across jobs as described in:
+  # https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts#passing-data-between-jobs-in-a-workflow
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # https://github.com/docker/compose/issues/1973
+      - name: Create required env files
+        working-directory: ./
+        run: |
+          touch ./app-rails/.env
+
+      - run: make lint
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - run: make init-container
+      - run: make precompile-assets
+
+      - name: Start tests
+        run: make test

.grype.yml

@@ -0,0 +1,18 @@
+# List of vulnerabilities to ignore for the anchore scan
+# https://github.com/anchore/grype#specifying-matches-to-ignore
+# More info can be found in the https://github.com/navapbc/template-infra/blob/main/docs/infra/vulnerability-management.md file
+
+# Please add safelists in the following format to make it easier when checking
+# Package/module name: URL to vulnerability for checking updates
+#  Versions:     URL to the version history
+#  Dependencies: Name of any other packages or modules that are dependent on this version
+#                 Link to the dependencies for ease of checking for updates
+#  Issue:         Why there is a finding and why this is here or not been removed
+#  Last checked:  Date last checked in scans
+# - vulnerability: The-CVE-or-vuln-id # Remove comment at start of line
+
+ignore:
+  # These settings ignore any findings that fall into these categories
+  - fix-state: not-fixed
+  - fix-state: wont-fix
+  - fix-state: unknown

.template-application-rails-version

@@ -0,0 +1 @@
+4474a89cf50565a00d5b82358ffd07a32eb2b37a

app-rails/.dockerignore

@@ -0,0 +1,37 @@
+# See https://docs.docker.com/engine/reference/builder/#dockerignore-file for more about ignoring files.
+
+# Ignore git directory.
+/.git/
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore all environment files (except templates).
+/.env*
+!/.env*.erb
+
+# Ignore all default key files.
+/config/master.key
+/config/credentials/*.key
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore pidfiles, but keep the directory.
+/tmp/pids/*
+!/tmp/pids/.keep
+
+# Ignore storage (uploaded files in development and any SQLite databases).
+/storage/*
+!/storage/.keep
+/tmp/storage/*
+!/tmp/storage/.keep
+
+# Ignore assets.
+/node_modules/
+/app/assets/builds/*
+!/app/assets/builds/.keep
+/public/assets

app-rails/.gitattributes

@@ -0,0 +1,9 @@
+# See https://git-scm.com/docs/gitattributes for more about git attribute files.
+
+# Mark the database schema as having been generated.
+db/schema.rb linguist-generated
+
+# Mark any vendored files as having been vendored.
+vendor/* linguist-vendored
+config/credentials/*.yml.enc diff=rails_credentials
+config/credentials.yml.enc diff=rails_credentials

app-rails/.gitignore

@@ -0,0 +1,53 @@
+# See https://help.github.com/articles/ignoring-files for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile '~/.gitignore_global'
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore installed gems.
+/vendor/bundle/*
+!/vendor/bundle/.keep
+
+# Ignore all environment files (except templates).
+/.env*
+/*.env*
+!/.env*.erb
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore pidfiles, but keep the directory.
+/tmp/pids/*
+!/tmp/pids/
+!/tmp/pids/.keep
+
+# Ignore storage (uploaded files in development and any SQLite databases).
+/storage/*
+!/storage/.keep
+/tmp/storage/*
+!/tmp/storage/
+!/tmp/storage/.keep
+
+/public/assets
+
+# Ignore master key for decrypting credentials and more.
+/config/master.key
+/config/credentials/*
+
+# Ignore development log.
+/log/development.log
+
+/app/assets/builds/*
+!/app/assets/builds/.keep
+
+/node_modules/*
+!/node_modules/.keep
+
+# Testing
+coverage/*

app-rails/.rspec

@@ -0,0 +1 @@
+--require spec_helper

app-rails/.rubocop.yml

@@ -0,0 +1,8 @@
+require:
+  - rubocop-rspec
+inherit_gem:
+  pundit: config/rubocop-rspec.yml
+  rubocop-rails-omakase: rubocop.yml
+AllCops:
+  TargetRubyVersion: 3.3.1
+

app-rails/.ruby-version

@@ -0,0 +1 @@
+3.3.1

app-rails/Dockerfile

@@ -0,0 +1,123 @@
+# syntax = docker/dockerfile:1
+
+# Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile
+ARG RUBY_VERSION=3.3.1
+
+
+##########################################################################################
+# BASE: Shared base docker image
+##########################################################################################
+FROM registry.docker.com/library/ruby:$RUBY_VERSION-slim as base
+
+# Rails app lives here
+WORKDIR /rails
+
+# Set production environment
+ENV RAILS_ENV="production" \
+    BUNDLE_DEPLOYMENT="1" \
+    BUNDLE_PATH="/usr/local/bundle"
+
+# Start the server by default, this can be overwritten at runtime
+EXPOSE 3000
+
+
+##########################################################################################
+# BUILD: Throw-away build stage
+##########################################################################################
+FROM base as build
+
+# Install packages needed to build gems
+RUN apt-get update -qq && \
+    apt-get install --no-install-recommends -y build-essential git libpq-dev libvips pkg-config npm
+
+# Install npm packages
+COPY package.json package-lock.json ./
+
+# Install npm packages
+RUN npm install
+
+
+##########################################################################################
+# DEV: Used for development and test
+##########################################################################################
+FROM build as dev
+
+ENV RAILS_ENV="development"
+
+# Install packages needed for development
+RUN apt-get update -qq && \
+    apt-get install --no-install-recommends -y postgresql-client graphviz && \
+    rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+# Install application gems for development
+COPY Gemfile Gemfile.lock ./
+RUN bundle config set --local without production && \
+    bundle install && \
+    rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git
+
+# Copy application code
+COPY . .
+
+CMD ["./bin/dev"]
+
+
+##########################################################################################
+# RELEASE-BUILD: Throw-away build stage for RELEASE
+##########################################################################################
+FROM build as release-build
+
+# Install application gems for production
+COPY Gemfile Gemfile.lock ./
+RUN bundle config set --local without development test && \
+    bundle install && \
+    rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git
+
+# Copy application code
+COPY . .
+
+# Precompile bootsnap code for faster boot times
+RUN bundle exec bootsnap precompile --gemfile app/ lib/
+
+# Precompiling assets for production without requiring secret RAILS_MASTER_KEY
+RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
+
+
+##########################################################################################
+# RELEASE: Used for production
+##########################################################################################
+FROM base as release
+
+# Set production environment
+ENV RAILS_ENV="production" \
+    BUNDLE_DEPLOYMENT="1" \
+    BUNDLE_PATH="/usr/local/bundle"
+
+# Install packages needed for deployment
+RUN apt-get update -qq \
+    && apt-get install -y --no-install-recommends \
+        curl \
+        libvips \
+        postgresql-client \
+        python-is-python3 \
+        python3-venv \
+        unzip \
+        wget \
+    && rm -rf /var/lib/apt/lists /var/cache/apt/archives \
+    && curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" \
+    && unzip awscli-bundle.zip \
+    && ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws \
+    && rm -rf ./awscli-bundle awscli-bundle.zip
+
+# Install custom db migrate script
+COPY bin/db-migrate /usr/bin/
+
+# Copy built artifacts: gems, application
+COPY --from=release-build /usr/local/bundle /usr/local/bundle
+COPY --from=release-build /rails /rails
+
+# Run and own only the runtime files as a non-root user for security
+RUN useradd rails --create-home --shell /bin/bash && \
+    chown -R rails:rails db log storage tmp
+USER rails:rails
+
+CMD ["./bin/rails", "server"]