Merge branch 'main' into devsecops/bethbeza/manage-dependabot-schedule

.environment/chatops/help.txt

@@ -3,7 +3,7 @@ ACTION
 USAGE
     [<@bot>] gh-deploy [<branch>] to [<branch>] [OPTIONAL: for <owner/repo>]
 EXAMPLES
-    @DevBot gh-deploy master to trialfrontend1
+    @DevBot gh-deploy main to trialfrontend1
 ==========================================================================
 ACTION
     Lock branch to prevent deployments
@@ -26,4 +26,4 @@ USAGE
     [<@bot>] gh-run [<workflow file>] [OPTIONAL: <owner/repo> <branch>] [OPTIONAL: --inputs <a:b,c:d>] 
 EXAMPLES
     @DevBot gh-run destroy_demo_environment.yml --inputs env_name:demo1
-    @DevBot gh-run destroy_demo_environment.yml CDCgov/prime-reportstream master --inputs env_name:demo1
+    @DevBot gh-run destroy_demo_environment.yml CDCgov/prime-reportstream main --inputs env_name:demo1

.environment/gitleaks/gitleaks-config.toml

@@ -3,45 +3,36 @@ title = "PRIME ReportStream Gitleaks Configuration"
 # Global allowlist
 [allowlist]
     description = "Allow-list for files and paths"
-    files = [
-        '(.*?)(bin|doc|gif|iml|jar|jp(e)?g|pdf|png|xlsx)$',
-        '^\.?gitleaks-config.toml$',
-        '^\.?gitleaks.report.json$',
-        '^package-lock\.json$',
-        'cleanslate.sh.log',
-        'yarn\.lock$',
-    ]
     paths = [
-        '.environment/sftp-conf',
-        '.environment/soap_service/',
-        '.github/scripts/stale_items_report/',
-        '.idea/',
-        '.terraform/providers/',
-        'frontend/dist',
-        'frontend/node_modules/',
-        'frontend/src/assets',
-        'frontend-react/build/',
-        'frontend-react/node_modules/',
-        'frontend-react/src/components/ReportStreamHeader.tsx',
-        'prime-router/.gradle/',
-        'prime-router/.vault/env/',
-        'prime-router/build/',
-        'prime-router/build.gradle.kts',
-        'prime-router/docs/dependency-graph-full/dependency-graph-full.txt',
-        'prime-router/docs/schema_documentation/',
-        'prime-router/docs/design/design/auth/auth-design.md',
-        'prime-router/docs/getting_started.md',
-        'prime-router/frontend/src/assets/fonts',
-        'prime-router/frontend/src/assets/img',
-        'prime-router/frontend/src/assets/pdf',
-        'prime-router/frontend/src/assets/webfonts',
-        'prime-router/src/main/kotlin/cli/tests/TestKeys.kt',
-        'prime-router/src/test/csv_test_files/input/',
-        'prime-router/src/test/kotlin/credentials/CredentialTests',
-        'prime-router/src/test/',
-        'prime-router/src/main/resources/metadata',
-        '.environment/gitleaks/gitleaks-config.toml',
-        'exp/as2/keystore_steps.md',
+        # package manager files
+        'package-lock\.json$',
+        'yarn\.lock$',
+        # ide
+        '\.idea\/',
+        # misc
+        '(.*?)(bin|doc|gif|iml|jar|jp(e)?g|pdf|png|xlsx)$',
+        # devops
+        '\.terraform\/providers\/',
+        '^\.environment\/gitleaks\/gitleaks-config\.toml$',
+        '^\.environment\/sftp-conf\/',
+        '^\.environment\/soap_service\/',
+        '^\.github\/scripts\/stale_items_report\/',
+        # backend
+        '^prime-router\/\.gradle\/',
+        '^prime-router\/.vault\/env\/',
+        '^prime-router\/build\/',
+        '^prime-router\/build\.gradle\.kts',
+        '^prime-router\/docs\/dependency-graph-full/dependency-graph-full\.txt',
+        '^prime-router\/docs\/schema_documentation/',
+        '^prime-router\/docs\/design/design/auth/auth-design\.md',
+        '^prime-router\/docs\/getting_started\.md',
+        '^prime-router\/src\/main\/kotlin\/cli\/tests\/TestKeys\.kt',
+        '^prime-router\/src\/test\/csv_test_files\/input\/',
+        '^prime-router\/src\/test\/kotlin\/credentials\/CredentialTests',
+        '^prime-router\/src\/test\/',
+        '^prime-router\/src\/main\/resources\/metadata',
+        # frontend
+        '^frontend-react\/public\/assets\/',
     ]
 
 [[rules]]

.environment/gitleaks/run-gitleaks.sh

@@ -230,7 +230,8 @@ esac
 if [[ ${RC?} != 0 ]]; then
     error "(return code=${RC?}) Your code may contain secrets, consult the output above and/or one of the following files for more details:"
     error "     - ${REPO_ROOT?}/${REPORT_JSON?}"
-    error "     - ${REPO_ROOT?}/${LOGFILE?}"
+    # no log file currently, check the output of whatever ran this
+    # error "     - ${REPO_ROOT?}/${LOGFILE?}"
 fi
 
 exit ${RC?}

.github/CODEOWNERS

@@ -6,6 +6,8 @@
 /operations/            @cdcgov/PRIME-ReportStream-DevOps
 /CODEOWNERS             @cdcgov/PRIME-ReportStream-DevOps
 /prime-router/          @cdcgov/PRIME-ReportStream-CODEOWNERS-backend
+/prime-router/src/main/resources/metadata/fhir_transforms/senders/Flexion          @cdcgov/trusted-intermediary
+/prime-router/settings/STLTs/Flexion          @cdcgov/trusted-intermediary
 
 # The CODEOWNERS file takes the last matching line into account. You can make definitions with empty owners to specify paths/files without an owner.
 /prime-router/settings/prod/

.github/ISSUE_TEMPLATE/platform-epic-template.md

@@ -8,22 +8,28 @@ assignees: ''
 ---
 
 ## Outcome/Objective 
+<!--- State the high-level business or product outcome you want to achieve.-->
 
 ## Description 
+<!---Links to product(s) brief or description of the work involved.-->
 
 ## Product Requirement(s) 
+<!---Outline the specific  business tasks or changes needed to achieve the outcome. (can be a link)-->
 
 ## Use Case(s)
+<!---Give specific use cases of what needs to be achieved or supported-->
 
 ## Dependencies
+<!---Identify any systems, teams, or external factors that need to be in place-->
 
 ## Acceptance criteria  
+<!---List measurable criteria that will confirm when the technical /business requirements have been met-->
 
 ## Technical Requirement(s)
 <!---
-- Architecture: What existing patterns and frameworks will be used for this work? What new ones will be added? What additional libraries need to be used?
+- Architecture: What existing patterns and frameworks will this work use? What new ones will be added? What additional libraries need to be used?
 - Data model: What changes are there to the data model, and how will those changes be implemented (i.e. requires migration)?
 - APIs: What existing services are involved? What new ones will be added?
 - Technical Constraint(s) 
 - Integrations: What integrations are involved?
--->
+-->

.github/ISSUE_TEMPLATE/up-receiver-migration-set-up-receiver-settings.md

@@ -19,9 +19,9 @@ As a developer, I want to compare the messages generated from the Covid and Univ
 ### Dev Notes:
 
 - [ ] Fetch [STLT] organization settings from production and load them locally
-- [ ] Use the attached SimpleReport covid postman collection and make sure the message gets routed to [STLT] locally. Modify the message to meet [STLT] filter if needed [Simple Report Covid.postman_collection](https://github.com/CDCgov/prime-reportstream/blob/master/prime-router/docs/onboarding-users/samples/SimpleReport/Simple%20Report%20Covid.postman_collection.json)
-- [ ] Make a copy of the [STLT] organization settings to onboard them to the UP. See How to Migrate an existing receiver to the UP documentation for more details: https://github.com/CDCgov/prime-reportstream/blob/master/prime-router/docs/onboarding-users/migrating-receivers.md
-- [ ] Use this Postman collection to send a FHIR bundle the UP and make sure the message gets routed to the new UP [STLT] receiver. You may need to update the Simple Report sender to use the simple-report-sender-transform.yml if it's not using it. [Simple Report UP.postman_collection](https://github.com/CDCgov/prime-reportstream/blob/master/prime-router/docs/onboarding-users/samples/SimpleReport/Simple%20Report%20UP.postman_collection.json)
+- [ ] Use the attached SimpleReport covid postman collection and make sure the message gets routed to [STLT] locally. Modify the message to meet [STLT] filter if needed [Simple Report Covid.postman_collection](https://github.com/CDCgov/prime-reportstream/blob/main/prime-router/docs/onboarding-users/samples/SimpleReport/Simple%20Report%20Covid.postman_collection.json)
+- [ ] Make a copy of the [STLT] organization settings to onboard them to the UP. See How to Migrate an existing receiver to the UP documentation for more details: https://github.com/CDCgov/prime-reportstream/blob/main/prime-router/docs/onboarding-users/migrating-receivers.md
+- [ ] Use this Postman collection to send a FHIR bundle the UP and make sure the message gets routed to the new UP [STLT] receiver. You may need to update the Simple Report sender to use the simple-report-sender-transform.yml if it's not using it. [Simple Report UP.postman_collection](https://github.com/CDCgov/prime-reportstream/blob/main/prime-router/docs/onboarding-users/samples/SimpleReport/Simple%20Report%20UP.postman_collection.json)
 - To migrate the Covid translation settings start by looking at their current translation settings. If the receiver uses  any of the following settings you will need to create a receiver schema:
 	- receivingApplicationName
 	- receivingApplicationOID
@@ -45,7 +45,7 @@ As a developer, I want to compare the messages generated from the Covid and Univ
     - useOrderingFacilityName not STANDARD
     - receivingOrganization
     - stripInvalidCharsRegex
-    
+
 - More documentation on how to set-up these transforms in the UP will be provided, but for now you can look for examples on how to set this up in either the NY-receiver-transforms or CA-receiver-transforms
 
 - If the receiver uses any of those transforms you will need to create a receiver transform under `metadata/hl7_mapping/receivers/STLTs/` and update the receiver settings to point to this schema.
@@ -60,11 +60,10 @@ As a developer, I want to compare the messages generated from the Covid and Univ
 - If there are no major differences we can move on to sending test messages to the STLTs staging environment.
 
 
-### Acceptance Criteria 
+### Acceptance Criteria
 - [ ] Created and sent data to [STLT] through the covid pipeline locally
 - [ ] Created and sent data to [STLTS] through the universal pipeline locally
 - [ ] Migrated  Covid receiver translation settings to the UP receiver settings
 - [ ] Successfully generated a message with migrated UP receiver settings
 - [ ] Review transforms settings with the team
 - [ ] Compared messages from the covid and universal pipelines and documented differences and review with team
-

.github/actions/build-vars/action.yml

@@ -103,8 +103,8 @@ runs:
     - name: Set Build Environment - STAGING
       id: build_staging
       if: |
-        (github.event_name != 'pull_request' && github.ref_name == 'master') ||
-        (github.event_name == 'pull_request' && github.base_ref == 'master')
+        (github.event_name != 'pull_request' && github.ref_name == 'main') ||
+        (github.event_name == 'pull_request' && github.base_ref == 'main')
       shell: bash
       run: |
         echo "env_name=staging" >> $GITHUB_OUTPUT
@@ -170,7 +170,7 @@ runs:
             - 'frontend-react/**/!(*.md)'
             - '.github/actions/build-vars/action.yml'
             - '.github/actions/build-frontend/action.yml'
-            - '.github/workflows/frontend_ci.yml'          
+            - '.github/workflows/frontend_ci.yml'
           terraform:
             - 'operations/app/terraform/**/!(*.md)'
             - '.github/workflows/validate_terraform.yml'
@@ -215,7 +215,7 @@ runs:
         else
           echo "has_router_change=${{ steps.filter.outputs.router }}" >> $GITHUB_OUTPUT
         fi
-    
+
     - name: Determine if frontend changed
       if: github.event_name != 'schedule'
       id: frontend_change_result
@@ -234,7 +234,7 @@ runs:
           echo "has_frontend_change=${{ steps.filter.outputs.frontend_react }}" >> $GITHUB_OUTPUT
         fi
 
-    - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
+    - uses: azure/login@v2
       if: inputs.sp-creds != 'false'
       with:
         creds: ${{ inputs.sp-creds }}

.github/actions/checksum-validate/README.md

@@ -0,0 +1,94 @@
+# Checksum Validate Action
+
+[![Test Action](https://github.com/JosiahSiegel/checksum-validate-action/actions/workflows/test_action.yml/badge.svg)](https://github.com/JosiahSiegel/checksum-validate-action/actions/workflows/test_action.yml)
+
+## Synopsis
+
+1. Generate a checksum from either a string or shell command (use command substitution: `$()`).
+2. Validate if checksum is identical to input (even across multiple jobs), using a `key` to link the validation attempt with the correct generated checksum.
+   * Validation is possible across jobs since the checksum is uploaded as a workflow artifact
+
+## Usage
+
+```yml
+jobs:
+  generate-checksums:
+    name: Generate checksum
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+
+      - name: Generate checksum of string
+        uses: ./.github/actions/checksum-validate@ebdf8c12c00912d18de93c483b935d51582f9236
+        with:
+          key: test string
+          input: hello world
+
+      - name: Generate checksum of command output
+        uses: ./.github/actions/checksum-validate@ebdf8c12c00912d18de93c483b935d51582f9236
+        with:
+          key: test command
+          input: $(cat action.yml)
+
+  validate-checksums:
+    name: Validate checksum
+    needs:
+      - generate-checksums
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+
+      - name: Validate checksum of valid string
+        id: valid-string
+        uses: ./.github/actions/checksum-validate@ebdf8c12c00912d18de93c483b935d51582f9236
+        with:
+          key: test string
+          validate: true
+          fail-invalid: true
+          input: hello world
+
+      - name: Validate checksum of valid command output
+        id: valid-command
+        uses: ./.github/actions/checksum-validate@ebdf8c12c00912d18de93c483b935d51582f9236
+        with:
+          key: test command
+          validate: true
+          fail-invalid: true
+          input: $(cat action.yml)
+
+      - name: Get outputs
+        run: |
+          echo ${{ steps.valid-string.outputs.valid }}
+          echo ${{ steps.valid-command.outputs.valid }}
+```
+
+## Workflow summary
+
+### ✅ test string checksum valid ✅
+
+### ❌ test string checksum INVALID ❌
+
+## Inputs
+
+```yml
+inputs:
+  validate:
+    description: Check if checksums match
+    default: false
+  key:
+    description: String to keep unique checksums separate
+    required: true
+  fail-invalid:
+    description: Fail step if invalid checksum
+    default: false
+  input:
+    description: String or command for checksum
+    required: true
+```
+
+## Outputs
+```yml
+outputs:
+  valid:
+    description: True if checksums match
+```