First, intro Codespaces with some cool slides! Next, let's open the repo and walk through a couple things before launching a Codespace.
This repo has a custom devcontainer.json file, so you won't have the default kitchen sink image. If you want, the source code to the default image is here. It's a lot to look at, so this one is both simple and custom. :)
It installs and configures some custom extensions in VS Code (here), spins up all the containers defined in docker-compose.yml, and starts the Flask app. The ports are labelled and privately exposed by default.
Now launch a new Codespace from the main branch. Expose port 5000 publicly, then copy "Local Address" URL. Send a repo webhook to that URL (type application/json), appended by /webhook. It'll look something like this https://your-codespace-url-5000.githubpreview.dev/webhook.
Note how it populates the test_webhook table with the repo owner, repo name, and timestamp with this SQL query, pasted below.
SELECT * FROM test_webhook;
Note how fast it launched? It's prebuilt off the main branch. The setting is controlled here. Prebuilds are run automatically from GitHub Actions and you can see the output of the latest builds here. This is a pretty small image, so builds don't take long, but for larger or more complicated repositories this can save 20+ minutes on custom image builds!
No chat is complete without policy and governance. You should walk through this at the organization level and check out the documentation. ❤️
This repo uses FlywayDB to manage the database schema in git. The schema and config files are all in the sql directory. Docker Compose will run flyway migrate on the empty database, which is great for development and testing. FlywayDB will apply the versioned migrations, then seed a table with some data in a repeatable migration. It's also a PR check run by a GitHub Actions workflow here, and it will always print the logs in case it's needed for troubleshooting.
An example of it failing because of an invalid schema change is in this pull request. Note how it's unable to merge because this is a required check.
Don't use this as your main demo for security stuff. It's not supposed to replace more mature demos, only to highlight a couple things that have come up as edge cases where I didn't have an easy answer. This is a really REALLY simple Flask app.
It has some "code smells" found through the security-and-quality query pack (here), visible in the Security dashboard. It should find some unused imports and variables that are declared and not used.
Not part of Advanced Security, but perhaps worth mentioning is that the super-linter helps us maintain clean code by linting the Python code with this workflow. The blog post does a great job summarizing how awesome this Action truly is.
There's nothing much to see here other than some pull requests for out of date dependencies and an overview of the security alerts for it. The dependabot.yml file is a nice example of it checking for dependencies in multiple languages and the documentation is excellent.
There's some scrum-y things in this repo too. The first is an issue template and workflow that opens a weekly planning issue to run sprint planning, using this Action. The schedule can be changed as needed in the workflow. The workflow is currently disabled because this is a demo repo and I don't want it to be annoying anyone.
Next is a pair of shiny project boards. Both have a bit of automation built in to explore too. :)