CredentialEngine · arielr-lt · Oct 20, 2025 · Oct 20, 2025 · Oct 20, 2025 · Oct 20, 2025
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -3,12 +3,9 @@ name: Build and push
 
 on:
   push:
-    branches: ["eks-infrastructure","staging","main","production"]
+    branches: ["eks-infrastructure","staging","main","master","production","sandbox"]
 
   workflow_dispatch:
-    inputs:
-      environment:
-        description: 'Build & Push'
 
 permissions:
   id-token: write
@@ -31,8 +28,21 @@ jobs:
       image: ${{ steps.img.outputs.image }}
 
     steps:
-      - name: Checkout code
+      - name: Checkout code (with submodules)
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - name: Verify submodules present
+        run: |
+          git submodule status
+          if [ ! -d vendor/grape-middleware-logger ]; then
+            echo "Submodule vendor/grape-middleware-logger is missing" >&2
+            exit 1
+          fi
+          ls -la vendor/grape-middleware-logger | sed -n '1,50p'
+
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -55,6 +65,12 @@ jobs:
           TAG="$DATE_TAG.$BUILD_NUM"
           echo "tag=$TAG" >> "$GITHUB_OUTPUT"
 
+      - name: Compute ref tag (branch name)
+        id: ref
+        run: |
+          REF_TAG=$(echo "${GITHUB_REF_NAME}" | tr '[:upper:]' '[:lower:]' | sed -E 's#[^a-z0-9._-]+#-#g')
+          echo "ref_tag=$REF_TAG" >> "$GITHUB_OUTPUT"
+
       - name: Build Docker image (multi-stage)
         uses: docker/build-push-action@v5
         with:
@@ -64,7 +80,7 @@ jobs:
           push: true
           tags: |
             ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ steps.tag.outputs.tag }}
-            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:staging
+            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ steps.ref.outputs.ref_tag }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 

diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "vendor/grape-middleware-logger"]
+	path = vendor/grape-middleware-logger
+	url = https://github.com/soverin/grape-middleware-logger.git
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -13,6 +13,7 @@ AllCops:
   Exclude:
     - "bin/**/*"
     - "db/migrate/**/*"
+    - "vendor/**/*"
 
 Bundler/OrderedGems:
   Enabled: false

diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-3.4.6
+3.4.7
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@
 FROM registry.access.redhat.com/ubi10/ubi-minimal:10.0-1758185635 AS builder
 
 ARG PLAT=x86_64
-ARG RUBY_VERSION=3.4.6
+ARG RUBY_VERSION=3.4.7
 ENV APP_PATH=/app/
 ENV LANGUAGE=en_US:en
 ENV LANG=C.UTF-8
@@ -70,6 +70,22 @@ RUN set -eux; \
 
 COPY Gemfile Gemfile.lock .ruby-version $APP_PATH
 
+# Ensure path-based gems from submodules are available to Bundler
+# Copy the grape-middleware-logger submodule before bundle install
+COPY vendor/grape-middleware-logger $APP_PATH/vendor/grape-middleware-logger
+
+# Some gemspecs use `git ls-files`; submodule `.git` files reference parent repo
+# which is not present in the image. Reinitialize as a standalone git repo.
+RUN set -eux; \
+    if [ -d "$APP_PATH/vendor/grape-middleware-logger" ]; then \
+      cd "$APP_PATH/vendor/grape-middleware-logger"; \
+      # If .git is a file (submodule link), remove it and init a new repo
+      if [ -e .git ] && [ ! -d .git ]; then rm -f .git; fi; \
+      git init -q; \
+      git add -A || true; \
+      git -c user.email=builder@example -c user.name=builder commit -q -m "vendored submodule snapshot" || true; \
+    fi
+
 RUN mkdir -p ./vendor && \
     mkdir -p ./vendor/cache
 COPY local_packages/grape-middleware-logger-2.4.0.gem ./vendor/cache/
@@ -107,7 +123,10 @@ RUN mkdir -p /runtime/usr/local /runtime/etc /runtime/usr/bin /runtime/usr/lib64
     # Ruby runtime from /usr/local
     mkdir -p /runtime/usr/local/bin /runtime/usr/local/lib && \
     cp -a /usr/local/bin/ruby /runtime/usr/local/bin/ && \
-    cp -a /usr/local/bin/gem /usr/local/bin/rake /usr/local/bin/bundle /usr/local/bin/bundler /runtime/usr/local/bin/ 2>/dev/null || true && \
+    cp -a /usr/local/bin/gem /runtime/usr/local/bin/ 2>/dev/null && \
+    cp -a /usr/local/bin/rake /runtime/usr/local/bin/ 2>/dev/null && \
+    cp -a /usr/local/bin/bundle /runtime/usr/local/bin/ 2>/dev/null && \
+    cp -a /usr/local/bin/bundler /runtime/usr/local/bin/ 2>/dev/null && \
     cp -a /usr/local/lib/ruby /runtime/usr/local/lib/ && \
     cp -a /etc/pki /runtime/etc/ && \
     cp -a /etc/ssl /runtime/etc/ || true && \
@@ -120,10 +139,10 @@ RUN mkdir -p /runtime/usr/local /runtime/etc /runtime/usr/bin /runtime/usr/lib64
     cp -a /usr/bin/openssl /runtime/usr/bin/ && \
     # Copy PostgreSQL client binaries, dereferencing symlinks if present
     for b in \
-      /usr/bin/psql /usr/bin/pg_dump /usr/bin/pg_restore \
-      /usr/pgsql-17/bin/psql /usr/pgsql-17/bin/pg_dump /usr/pgsql-17/bin/pg_restore; do \
-      [ -f "$b" ] || continue; \
-      cp -aL "$b" /runtime/usr/bin/ 2>/dev/null || true; \
+    /usr/bin/psql /usr/bin/pg_dump /usr/bin/pg_restore \
+    /usr/pgsql-17/bin/psql /usr/pgsql-17/bin/pg_dump /usr/pgsql-17/bin/pg_restore; do \
+    [ -f "$b" ] || continue; \
+    cp -aL "$b" /runtime/usr/bin/ 2>/dev/null || true; \
     done && \
     mkdir -p /runtime/usr/lib64/ossl-modules && \
     cp -a /usr/lib64/ossl-modules/* /runtime/usr/lib64/ossl-modules/ 2>/dev/null || true
@@ -135,12 +154,12 @@ COPY openssl.cnf /runtime/etc/pki/tls/openssl.cnf
 # Auto-collect shared library dependencies for Ruby, native gems, and psql
 RUN set -eux; \
     mkdir -p /runtime/usr/lib64; \
-    targets="/usr/local/bin/ruby /usr/bin/psql /usr/bin/pg_dump /usr/bin/pg_restore"; \
+    targets="/usr/local/bin/ruby /usr/bin/psql /usr/bin/pg_dump /usr/bin/pg_restore /usr/bin/git"; \
     if [ -d "$APP_PATH/vendor/bundle" ]; then \
     sofiles=$(find "$APP_PATH/vendor/bundle" -type f -name "*.so" || true); \
     targets="$targets $sofiles"; \
     fi; \
-    for t in $targets; do \
+    for t in "$targets"; do \
     [ -f "$t" ] || continue; \
     ldd "$t" | awk '/=> \/|\//{print $3}' | sed -e 's/(0x[0-9a-fA-F]\+)//g' | grep -E '^/' || true; \
     done | sort -u | while read -r lib; do \
@@ -186,6 +205,9 @@ RUN set -eux; \
     cp -a /usr/lib64/libgdbm.so.*          /runtime/usr/lib64/ 2>/dev/null || true; \
     # App
     cp -a $APP_PATH /runtime/app; \
+    # Git client for gems that call `git` at runtime
+    if [ -x /usr/bin/git ]; then cp -a /usr/bin/git /runtime/usr/bin/git; fi; \
+    if [ -d /usr/libexec/git-core ]; then mkdir -p /runtime/usr/libexec && cp -a /usr/libexec/git-core /runtime/usr/libexec/git-core; fi; \
     # Timezone data for TZInfo
     mkdir -p /runtime/usr/share && cp -a /usr/share/zoneinfo /runtime/usr/share/zoneinfo; \
     chmod +x /tmp/docker-entrypoint.sh; cp /tmp/docker-entrypoint.sh /runtime/usr/bin/docker-entrypoint.sh
@@ -194,7 +216,7 @@ RUN set -eux; \
 FROM registry.access.redhat.com/ubi10/ubi-micro:10.0-1754556444
 
 ENV APP_PATH=/app/
-ARG RUBY_VERSION=3.4.6
+ARG RUBY_VERSION=3.4.7
 ENV PATH="/usr/local/bin:$PATH"
 ENV LD_LIBRARY_PATH="/usr/lib64:/lib64:/usr/local/lib"
 ENV OPENSSL_MODULES="/usr/lib64/ossl-modules"

diff --git a/Gemfile b/Gemfile
@@ -9,7 +9,7 @@ gem 'fiddle', '~> 1.1'
 gem 'grape', '= 2.2.0'
 gem 'grape-entity', '~> 1.0'
 gem 'grape-kaminari', '~> 0.4'
-gem 'grape-middleware-logger', '~> 2.4.0'
+gem 'grape-middleware-logger', path: 'vendor/grape-middleware-logger'
 gem 'hashie', '~> 5.0'
 gem 'hashie-forbidden_attributes', '~> 0.1'
 gem 'jsonpath', '~> 1.1'
@@ -22,7 +22,7 @@ gem 'pundit', '~> 2.5'
 gem 'rack-contrib', '~> 2.5'
 gem 'rack-cors', '~> 2.0'
 gem 'rake', '~> 13.2'
-gem 'rdoc', '~> 6.13'
+gem 'rdoc', '~> 6.15.0'
 gem 'rubyzip', '~> 2.4', require: 'zip'
 gem 'swagger-blocks', '~> 3.0.0'
 
@@ -63,7 +63,7 @@ gem 'pg_search', '~> 2.3'
 gem 'dotenv', '~> 3.1', groups: %i[development test]
 
 # Background processing
-gem 'activejob', '= 8.0.2', require: 'active_job'
+gem 'activejob', '= 8.0.2.1', require: 'active_job'
 gem 'sidekiq', '= 7.3.8'
 gem 'sidekiq-failures', '~> 1.0'
 
@@ -79,6 +79,10 @@ gem 'reline', '~> 0.6'
 # For lokilogger
 gem 'http'
 
+# Vulnerability fixes
+gem 'rack', '~> 2.2.20'
+gem 'rexml', '>= 3.4.4'
+
 # Development tools
 group :development do
   gem 'grape-raketasks'