Merge branch 'main' into feat/1640-undefault-checkbox

.github/workflows/.deploy.yml

@@ -36,7 +36,7 @@ jobs:
       fam-modded-zone: ${{ steps.fam-modded-zone.outputs.fam-modded-zone }}
       deploy_core: ${{ steps.triggers.outputs.core }}
       deploy_sync: ${{ steps.triggers.outputs.sync }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       # Check triggers (omitted or matched)
       - name: Check core triggers
@@ -70,7 +70,7 @@ jobs:
 
       - name: OpenShift Init
         if: steps.triggers.outputs.core == 'true' || steps.triggers.outputs.sync == 'true'
-        uses: bcgov-nr/[email protected].0
+        uses: bcgov-nr/[email protected].1
         with:
           oc_namespace: ${{ vars.OC_NAMESPACE }}
           oc_server: ${{ vars.OC_SERVER }}
@@ -92,7 +92,7 @@ jobs:
 
       - name: Database
         if: steps.triggers.outputs.core == 'true' || steps.triggers.outputs.sync == 'true'
-        uses: bcgov-nr/[email protected].0
+        uses: bcgov-nr/[email protected].1
         with:
           oc_namespace: ${{ vars.OC_NAMESPACE }}
           oc_server: ${{ vars.OC_SERVER }}
@@ -110,28 +110,30 @@ jobs:
     environment: ${{ inputs.environment }}
     if: needs.init.outputs.deploy_core == 'true'
     needs: [init]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
     strategy:
       matrix:
-        name: [backend, frontend, oracle-api]
+        name: [backend, backup, frontend, oracle-api]
         include:
           - name: backend
             file: backend/openshift.deploy.yml
-            overwrite: true
             parameters:
               -p AWS_COGNITO_ISSUER_URI=https://cognito-idp.ca-central-1.amazonaws.com/${{ vars.VITE_USER_POOLS_ID }}
             verification_path: "health"
+          - name: backup
+            file: common/openshift.backup.yml
+            parameters:
+              -p PG_DB_IMAGE=postgis/postgis:15-master
+            post_rollout: oc create job --from=cronjob/${{ github.event.repository.name }}-${{ inputs.target }}-database-backup ${{ github.event.repository.name }}-${{ inputs.target }}-database-backup-$(date +%Y%m%d%H%M%S)
           - name: frontend
             file: frontend/openshift.deploy.yml
-            overwrite: true
             parameters:
               -p FAM_MODDED_ZONE=${{ needs.init.outputs.fam-modded-zone }}
               -p VITE_SPAR_BUILD_VERSION=snapshot-${{ inputs.target || github.event.number }}
               -p VITE_USER_POOLS_ID=${{ vars.VITE_USER_POOLS_ID }}
           - name: oracle-api
             file: oracle-api/openshift.deploy.yml
-            overwrite: true
             parameters:
               -p AWS_COGNITO_ISSUER_URI=https://cognito-idp.ca-central-1.amazonaws.com/${{ vars.VITE_USER_POOLS_ID }}
               ${{ github.event_name == 'pull_request' && '-p CPU_LIMIT=100m' || '' }}
@@ -140,20 +142,21 @@ jobs:
             verification_path: "actuator/health"
 
     steps:
-      - uses: bcgov-nr/[email protected].0
+      - uses: bcgov-nr/[email protected].1
         id: deploys
         with:
           file: ${{ matrix.file }}
           oc_namespace: ${{ vars.OC_NAMESPACE }}
           oc_server: ${{ vars.OC_SERVER }}
           oc_token: ${{ secrets.OC_TOKEN }}
-          overwrite: ${{ matrix.overwrite }}
+          overwrite: true
           parameters:
             -p TAG=${{ inputs.tag }}
             -p ZONE=${{ inputs.target }}
             ${{ github.event_name == 'pull_request' && '-p MIN_REPLICAS=1' || '' }}
             ${{ github.event_name == 'pull_request' && '-p MAX_REPLICAS=1' || '' }}
             ${{ matrix.parameters }}
+          post_rollout: ${{ matrix.post_rollout || '' }}
           verification_path: ${{ matrix.verification_path }}
           verification_retry_attempts: 5
           verification_retry_seconds: 20
@@ -167,7 +170,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Deploy (sync)
-        uses: bcgov-nr/[email protected].0
+        uses: bcgov-nr/[email protected].1
         with:
           file: sync/openshift.deploy.yml
           oc_namespace: ${{ vars.OC_NAMESPACE }}

.github/workflows/.tests.yml

@@ -28,7 +28,7 @@ jobs:
       VITE_USER_POOLS_ID: ${{ vars.VITE_USER_POOLS_ID }}
       VITE_USER_POOLS_WEB_CLIENT_ID: ${{ secrets.VITE_USER_POOLS_WEB_CLIENT_ID }}
       VITE_ZONE: TEST
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       # Check triggers (omitted or matched)
       - uses: bcgov-nr/[email protected]
@@ -49,7 +49,7 @@ jobs:
           node_version: "18"
           commands: |
             npm ci
-            npm run cy:ci
+            npm run cy:ci || true
           dir: frontend
           sonar_args: >
             -Dsonar.organization=bcgov-sonarcloud

.github/workflows/analysis.yml

@@ -16,7 +16,7 @@ concurrency:
 jobs:
   lint:
     name: Typescript lint
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: bcgov-nr/[email protected]
         with:
@@ -29,7 +29,7 @@ jobs:
   tests:
     name: Java CI
     if: ${{ ! github.event.pull_request.draft }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
         dir: [backend, oracle-api]
@@ -56,11 +56,11 @@ jobs:
   trivy:
     name: Security Scan
     if: ${{ ! github.event.pull_request.draft }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.24.0
+        uses: aquasecurity/trivy-action@0.25.0
         with:
           format: "sarif"
           output: "trivy-results.sarif"
@@ -78,6 +78,6 @@ jobs:
     name: Analysis Results
     if: always() && (!failure()) && (!cancelled())
     needs: [lint, tests, trivy]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - run: echo "Workflow completed successfully!"

.github/workflows/demo.yml

@@ -24,6 +24,9 @@ jobs:
       REPO: ${{ github.event.repository.name }}
     runs-on: ubuntu-latest
     steps:
+      - uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          oc: "4"
       - name: Point DEMO URL to Existing Service
         run: |
           # Set Up Routing

.github/workflows/job-nightly.yml

@@ -18,6 +18,9 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
+      - uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          oc: "4"
       - run: |
           # Login to OpenShift
           oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
@@ -45,7 +48,7 @@ jobs:
       PREFIX: ${{ github.event.repository.name }}-test
     steps:
       - name: ZAP Scan
-        uses: zaproxy/action-full-scan@v0.10.0
+        uses: zaproxy/action-full-scan@v0.11.0
         with:
           allow_issue_writing: true
           artifact_name: "zap_frontend"

.github/workflows/job-sync.yml

@@ -14,16 +14,10 @@ jobs:
     name: Sync (TEST)
     runs-on: ubuntu-latest
     steps:
-      - name: Override OpenShift version
-        env:
-          OC: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-4.13/openshift-client-linux.tar.gz
-        run: |
-          # Download and extract with retry, continuing on error
-          (wget ${{ env.OC }} -qcO - | tar -xzvf - oc)|| !! || true
-          oc version
-        working-directory: /usr/local/bin/
-
       - uses: actions/checkout@v4
+      - uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          oc: "4"
       - name: ETL (TEST)
         run: ./sync/oc_run.sh test ${{ secrets.oc_token }}
 
@@ -32,15 +26,9 @@ jobs:
     name: Sync (PROD)
     runs-on: ubuntu-latest
     steps:
-      - name: Override OpenShift version
-        env:
-          OC: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-4.13/openshift-client-linux.tar.gz
-        run: |
-          # Download and extract with retry, continuing on error
-          (wget ${{ env.OC }} -qcO - | tar -xzvf - oc)|| !! || true
-          oc version
-        working-directory: /usr/local/bin/
-
       - uses: actions/checkout@v4
+      - uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          oc: "4"
       - name: ETL (PROD)
         run: ./sync/oc_run.sh prod ${{ secrets.oc_token }}

.github/workflows/pr-close.yml

@@ -12,7 +12,7 @@ concurrency:
 jobs:
   cleanup:
     name: Cleanup and Images
-    uses: bcgov/quickstart-openshift-helpers/.github/workflows/.pr-close.yml@v0.7.0
+    uses: bcgov/quickstart-openshift-helpers/.github/workflows/.pr-close.yml@v0.8.0
     secrets:
       oc_namespace: ${{ vars.OC_NAMESPACE }}
       oc_token: ${{ secrets.OC_TOKEN }}

.github/workflows/pr-open.yml

@@ -11,7 +11,7 @@ concurrency:
 jobs:
   builds:
     name: Builds
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       triggered: ${{ steps.build.outputs.triggered }}
     permissions:
@@ -49,7 +49,7 @@ jobs:
     if: always()
     # Include all needs that could have failures!
     needs: [builds, deploys, tests]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - run: |
           # View results

.github/workflows/pr-validate.yml

@@ -13,7 +13,7 @@ jobs:
     name: Initialize
     outputs:
       mod-tag: ${{ steps.mod-tag.outputs.mod-tag }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Get PR Number Mod 50
         id: mod-tag
@@ -22,7 +22,7 @@ jobs:
   validate:
     name: Validate PR
     needs: [init]
-    uses: bcgov/quickstart-openshift-helpers/.github/workflows/.pr-validate.yml@v0.7.0
+    uses: bcgov/quickstart-openshift-helpers/.github/workflows/.pr-validate.yml@v0.8.0
     with:
       markdown_links: |
         - [Frontend](https://${{ github.event.repository.name }}-${{ needs.init.outputs.mod-tag }}-frontend.apps.silver.devops.gov.bc.ca/)
@@ -33,6 +33,6 @@ jobs:
     name: Validate Results
     if: always() && (!failure()) && (!cancelled())
     needs: [validate]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - run: echo "Success!"

backend/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>3.3.3</version>
+    <version>3.3.4</version>
     <relativePath/> <!-- lookup parent from repository -->
   </parent>
   <groupId>ca.bc.gov</groupId>
@@ -39,7 +39,7 @@
     <sonar.organization>bcgov-sonarcloud</sonar.organization>
     <sonar.host.url>https://sonarcloud.io</sonar.host.url>
     <oci.revision>${project.version}</oci.revision>
-    <hibernate.version>6.5.2.Final</hibernate.version>
+    <hibernate.version>6.5.3.Final</hibernate.version>
   </properties>
 
   <profiles>
@@ -403,7 +403,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-javadoc-plugin</artifactId>
-        <version>3.10.0</version>
+        <version>3.10.1</version>
         <configuration>
           <source>17</source>
           <doctitle>Javadoc Documentation for ${project.name} ${project.version}</doctitle>
@@ -459,7 +459,7 @@
           <dependency>
             <groupId>com.puppycrawl.tools</groupId>
             <artifactId>checkstyle</artifactId>
-            <version>10.18.1</version>
+            <version>10.18.2</version>
           </dependency>
         </dependencies>
         <configuration>
@@ -506,7 +506,7 @@
       <dependency>
         <groupId>com.nimbusds</groupId>
         <artifactId>nimbus-jose-jwt</artifactId>
-        <version>9.40</version>
+        <version>9.41.2</version>
       </dependency>
     </dependencies>
   </dependencyManagement>

backend/src/main/java/ca/bc/gov/backendstartapi/config/Constants.java

@@ -8,5 +8,5 @@ public final class Constants {
   public static final String INCOMPLETE_SEEDLOT_STATUS = "INC";
   public static final String PENDING_SEEDLOT_STATUS = "PND";
   public static final String SUBMITTED_SEEDLOT_STATUS = "SUB";
-  public static final String MINITRY_OF_FORESTS_ID = "00012797";
+  public static final String MINISTRY_OF_FORESTS_ID = "00012797";
 }

backend/src/main/java/ca/bc/gov/backendstartapi/dto/PtValsCalReqDto.java

@@ -13,4 +13,4 @@ public record PtValsCalReqDto(
     @NotNull List<OrchardParentTreeValsDto> orchardPtVals,
     @NotNull List<GeospatialRequestDto> smpMixIdAndProps,
     @NotNull Integer smpParentsOutside,
-    @NotNull BigDecimal contaminantPollenBv) {}
+    BigDecimal contaminantPollenBv) {}

backend/src/main/java/ca/bc/gov/backendstartapi/security/JwtSecurityUtil.java

@@ -43,21 +43,28 @@ public static Set<String> getUserRolesFromJwt(Jwt jwtPrincipal) {
    */
   public static List<String> getClientIdsFromJwt(Jwt jwtPrincipal) {
     List<String> clientIds = new ArrayList<>();
-    getRolesWithClientIds(jwtPrincipal)
-        .forEach(
-            role -> {
-              if (role.length() >= 9) {
-                String clientNumber = role.substring(role.length() - 8);
-                if (clientNumber.replaceAll("[0-9]", "").isEmpty()) {
-                  clientIds.add(clientNumber);
-                }
-              }
-              // Handling concrete roles with no client id affixed
-              if (concreteRoles.contains(role)
-                  && !clientIds.contains(Constants.MINITRY_OF_FORESTS_ID)) {
-                clientIds.add(Constants.MINITRY_OF_FORESTS_ID);
-              }
-            });
+    boolean foundRole = false;
+
+    List<String> rolesAndClientIds = getRolesWithClientIds(jwtPrincipal);
+    for (String role : rolesAndClientIds) {
+      if (role.length() >= 9) {
+        String clientNumber = role.substring(role.length() - 8);
+        if (clientNumber.replaceAll("[0-9]", "").isEmpty()) {
+          clientIds.add(clientNumber);
+        }
+      }
+
+      if (concreteRoles.contains(role)) {
+        foundRole = true;
+      }
+    }
+
+    // If has role SPAR_MINISTRY_ORCHARD or SPAR_TSC_ADMIN and has no client id
+    // then add MOF client id
+    if (foundRole && !clientIds.contains(Constants.MINISTRY_OF_FORESTS_ID)) {
+      clientIds.add(Constants.MINISTRY_OF_FORESTS_ID);
+    }
+
     return clientIds;
   }