Deploy to prod

.github/dependabot.yml

@@ -4,7 +4,8 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "sunday"
 
   # Enable version updates for Python/Pip - Production
   - package-ecosystem: "pip"
@@ -13,4 +14,10 @@ updates:
     directory: "/"
     # Check for updates to GitHub Actions every weekday
     schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "sunday"
+    allow:
+      # Allow both direct and indirect updates for all packages
+      - dependency-type: "all"
+    # Allow up to 10 dependencies for pip dependencies
+    open-pull-requests-limit: 10

.github/workflows/ci.yml

@@ -24,10 +24,10 @@ jobs:
     steps:
 
       - name: Checkout Code Repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4
 
       - name: Set up Python 3.9
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.9
           cache: pip
@@ -67,10 +67,10 @@ jobs:
     steps:
 
       - name: Checkout Code Repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: pip
@@ -91,20 +91,20 @@ jobs:
           ANVIL_API_SERVICE_ACCOUNT_FILE: foo
 
       - name: Upload coverage data
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: coverage-data
+          name: coverage-data-mysql-${{ strategy.job-index }}
           path: .coverage.*
 
   pytest-sqlite:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout Code Repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4
 
       - name: Set up Python 3.8
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.8
           cache: pip
@@ -125,9 +125,9 @@ jobs:
           ANVIL_API_SERVICE_ACCOUNT_FILE: foo
 
       - name: Upload coverage data
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: coverage-data
+          name: coverage-data-sqlite-${{ strategy.job-index }}
           path: .coverage.*
 
   coverage:
@@ -137,21 +137,27 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.10'
 
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           pip install --upgrade coverage "django<4" django-coverage-plugin
+
       - name: Download coverage data
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
-          name: coverage-data
+          path: ./artifacts/
+
+      - name: Merge coverage files
+        run: |
+          mv ./artifacts/coverage-data*/.coverage* .
+          ls -la .coverage*
 
       - name: Combine coverage data
         run: |

.github/workflows/combine-prs.yml

@@ -95,7 +95,7 @@ jobs:
             console.log('Combined: ' + combined);
             return combined
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v4.1.1
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       # Creates a branch with other PR branches merged together

.github/workflows/gitleaks.yml

@@ -0,0 +1,19 @@
+name: gitleaks
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 * * *" # run once a day at 4 AM
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts.

.gitleaksignore

@@ -0,0 +1,4 @@
+2f8573f44abd55cd30367f673bbbcb4ebc4861bd:test.secrets:generic-api-key:1
+2f8573f44abd55cd30367f673bbbcb4ebc4861bd:test.secrets:generic-api-key:2
+faa490c4de15c23401525ebf6ad532e2bd724e5e:config/settings/base.py:generic-api-key:83
+faa490c4de15c23401525ebf6ad532e2bd724e5e:config/settings/base.py:generic-api-key:84

.pre-commit-config.yaml

@@ -27,6 +27,11 @@ repos:
         args: ['--config=setup.cfg']
         additional_dependencies: [flake8-isort]
 
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.16.1
+    hooks:
+      - id: gitleaks
+
 
 # sets up .pre-commit-ci.yaml to ensure pre-commit dependencies stay up to date
 ci:

config/settings/base.py

@@ -32,8 +32,6 @@
 # https://docs.djangoproject.com/en/dev/ref/settings/#use-i18n
 USE_I18N = True
 # https://docs.djangoproject.com/en/dev/ref/settings/#use-l10n
-USE_L10N = True
-# https://docs.djangoproject.com/en/dev/ref/settings/#use-tz
 USE_TZ = True
 # https://docs.djangoproject.com/en/dev/ref/settings/#locale-paths
 LOCALE_PATHS = [str(ROOT_DIR / "locale")]
@@ -214,7 +212,9 @@
 FORM_RENDERER = "django.forms.renderers.TemplatesSetting"
 
 # http://django-crispy-forms.readthedocs.io/en/latest/install.html#template-packs
-CRISPY_TEMPLATE_PACK = "bootstrap4"
+# https://github.com/django-crispy-forms/crispy-bootstrap5
+CRISPY_ALLOWED_TEMPLATE_PACKS = "bootstrap5"
+CRISPY_TEMPLATE_PACK = "bootstrap5"
 
 # FIXTURES
 # ------------------------------------------------------------------------------
@@ -370,14 +370,14 @@
 ANVIL_API_SERVICE_ACCOUNT_FILE = env("ANVIL_API_SERVICE_ACCOUNT_FILE")
 # Specify workspace adapters.
 ANVIL_WORKSPACE_ADAPTERS = [
-    "primed.miscellaneous_workspaces.adapters.TemplateWorkspaceAdapter",
     "primed.dbgap.adapters.dbGaPWorkspaceAdapter",
     "primed.cdsa.adapters.CDSAWorkspaceAdapter",
+    "primed.miscellaneous_workspaces.adapters.OpenAccessWorkspaceAdapter",
+    "primed.miscellaneous_workspaces.adapters.SimulatedDataWorkspaceAdapter",
+    "primed.miscellaneous_workspaces.adapters.ResourceWorkspaceAdapter",
     "primed.miscellaneous_workspaces.adapters.ConsortiumDevelWorkspaceAdapter",
+    "primed.miscellaneous_workspaces.adapters.TemplateWorkspaceAdapter",
     "primed.miscellaneous_workspaces.adapters.DataPrepWorkspaceAdapter",
-    "primed.miscellaneous_workspaces.adapters.ResourceWorkspaceAdapter",
-    "primed.miscellaneous_workspaces.adapters.SimulatedDataWorkspaceAdapter",
-    "primed.miscellaneous_workspaces.adapters.OpenAccessWorkspaceAdapter",
 ]
 ANVIL_ACCOUNT_ADAPTER = "primed.primed_anvil.adapters.AccountAdapter"
 
@@ -386,4 +386,3 @@
 # Specify the subject for AnVIL account verification emails.
 ANVIL_ACCOUNT_LINK_EMAIL_SUBJECT = "Verify your AnVIL account email"
 ANVIL_ACCOUNT_VERIFY_NOTIFICATION_EMAIL = "[email protected]"
-ANVIL_CDSA_GROUP_NAME = "PRIMED_CDSA"

config/settings/local.py

@@ -77,3 +77,6 @@
     "ANVIL_DATA_ACCESS_GROUP_PREFIX", default="DEV_PRIMED"
 )
 ANVIL_CDSA_GROUP_NAME = env("ANVIL_CDSA_GROUP_NAME", default="DEV_PRIMED_CDSA")
+ANVIL_CC_ADMINS_GROUP_NAME = env(
+    "ANVIL_CC_ADMINS_GROUP_NAME", default="DEV_PRIMED_CC_ADMINS"
+)

config/settings/production.py

@@ -168,3 +168,5 @@
 # ANVIL_DBGAP_APPLICATION_GROUP_PREFIX = "PRIMED_DBGAP_ACCESS"
 # ANVIL_CDSA_GROUP_PREFIX = "PRIMED_CDSA_ACCESS"
 ANVIL_DATA_ACCESS_GROUP_PREFIX = "PRIMED"
+ANVIL_CC_ADMINS_GROUP_NAME = "PRIMED_CC_ADMINS"
+ANVIL_CDSA_GROUP_NAME = "PRIMED_CDSA"

config/settings/test.py

@@ -30,6 +30,7 @@
 ANVIL_API_SERVICE_ACCOUNT_FILE = "foo"
 ANVIL_DATA_ACCESS_GROUP_PREFIX = "TEST_PRIMED"
 ANVIL_CDSA_GROUP_NAME = "TEST_PRIMED_CDSA"
+ANVIL_CC_ADMINS_GROUP_NAME = "TEST_PRIMED_CC_ADMINS"
 
 # template tests require debug to be set
 # get the last templates entry and set debug option

primed/cdsa/adapters.py

@@ -10,9 +10,10 @@ class CDSAWorkspaceAdapter(BaseWorkspaceAdapter):
     type = "cdsa"
     name = "CDSA workspace"
     description = (
-        "Workspaces containing data from the Consortium Data Sharing Agreement."
+        "Workspaces containing data from the Consortium Data Sharing Agreement"
     )
-    list_table_class = tables.CDSAWorkspaceTable
+    list_table_class_staff_view = tables.CDSAWorkspaceStaffTable
+    list_table_class_view = tables.CDSAWorkspaceUserTable
     workspace_form_class = WorkspaceForm
     workspace_data_model = models.CDSAWorkspace
     workspace_data_form_class = forms.CDSAWorkspaceForm

primed/cdsa/migrations/0010_alter_historicalsignedagreement_status_and_more.py

@@ -0,0 +1,44 @@
+# Generated by Django 4.2.7 on 2023-12-04 23:27
+
+from django.db import migrations
+import model_utils.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("cdsa", "0009_signedagreement_add_field_status"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="historicalsignedagreement",
+            name="status",
+            field=model_utils.fields.StatusField(
+                choices=[
+                    ("active", "Active"),
+                    ("withdrawn", "Withdrawn"),
+                    ("lapsed", "Lapsed"),
+                ],
+                default="active",
+                max_length=100,
+                no_check_for_status=True,
+                verbose_name="status",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="signedagreement",
+            name="status",
+            field=model_utils.fields.StatusField(
+                choices=[
+                    ("active", "Active"),
+                    ("withdrawn", "Withdrawn"),
+                    ("lapsed", "Lapsed"),
+                ],
+                default="active",
+                max_length=100,
+                no_check_for_status=True,
+                verbose_name="status",
+            ),
+        ),
+    ]

primed/cdsa/migrations/0011_signedagreement_add_replaced_status.py

@@ -0,0 +1,46 @@
+# Generated by Django 4.2.8 on 2024-01-18 23:49
+
+from django.db import migrations
+import model_utils.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("cdsa", "0010_alter_historicalsignedagreement_status_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="historicalsignedagreement",
+            name="status",
+            field=model_utils.fields.StatusField(
+                choices=[
+                    ("active", "Active"),
+                    ("withdrawn", "Withdrawn"),
+                    ("lapsed", "Lapsed"),
+                    ("replaced", "Replaced"),
+                ],
+                default="active",
+                max_length=100,
+                no_check_for_status=True,
+                verbose_name="status",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="signedagreement",
+            name="status",
+            field=model_utils.fields.StatusField(
+                choices=[
+                    ("active", "Active"),
+                    ("withdrawn", "Withdrawn"),
+                    ("lapsed", "Lapsed"),
+                    ("replaced", "Replaced"),
+                ],
+                default="active",
+                max_length=100,
+                no_check_for_status=True,
+                verbose_name="status",
+            ),
+        ),
+    ]

primed/cdsa/models.py

@@ -99,14 +99,17 @@ class SignedAgreementStatusMixin:
 
     class StatusChoices(models.TextChoices):
         ACTIVE = "active", "Active"
-        """SignedAgreements that are currently active."""
+        """SignedAgreements that are currently active."""  # pragma: no cover
 
         WITHDRAWN = "withdrawn", "Withdrawn"
         """SignedAgreements that have been withdrawn for some reason (e.g., PI changed institution,
         study no longer wanted to participate.)"""
 
         LAPSED = "lapsed", "Lapsed"
-        """SignedAgreements from a AgreementMajorVersion that is no longer valid."""
+        """SignedAgreements from a AgreementMajorVersion that is no longer valid."""  # pragma: no cover
+
+        REPLACED = "replaced", "Replaced"
+        """SignedAgreements that have been replaced by a newer version."""  # pragma: no cover
 
     STATUS = StatusChoices.choices
 

primed/cdsa/tables.py

@@ -295,7 +295,7 @@ def render_date_shared(self, record):
             return "—"
 
 
-class CDSAWorkspaceTable(tables.Table):
+class CDSAWorkspaceStaffTable(tables.Table):
     """A table for the CDSAWorkspace model."""
 
     name = tables.Column(linkify=True)
@@ -324,10 +324,10 @@ class Meta:
         order_by = ("name",)
 
 
-class CDSAWorkspaceLimitedViewTable(tables.Table):
+class CDSAWorkspaceUserTable(tables.Table):
     """A table for the CDSAWorkspace model."""
 
-    name = tables.Column()
+    name = tables.Column(linkify=True)
     billing_project = tables.Column()
     cdsaworkspace__data_use_permission__abbreviation = tables.Column(
         verbose_name="DUO permission",

primed/cdsa/tests/factories.py

@@ -126,3 +126,4 @@ def authorization_domains(self, create, extracted, **kwargs):
 
     class Meta:
         model = models.CDSAWorkspace
+        skip_postgeneration_save = True

primed/cdsa/tests/test_models.py

@@ -304,6 +304,11 @@ def test_status_field(self):
         )
         self.assertEqual(instance.status, instance.StatusChoices.LAPSED)
         instance.full_clean()
+        instance = factories.SignedAgreementFactory.create(
+            status=models.SignedAgreement.StatusChoices.REPLACED
+        )
+        self.assertEqual(instance.status, instance.StatusChoices.REPLACED)
+        instance.full_clean()
 
         # not allowed
         instance = factories.SignedAgreementFactory.create(status="foo")