[v6 PROD RELEASE] - dev -> master

.circleci/config.yml

@@ -68,6 +68,7 @@ workflows:
           branches:
             only:
               - develop
+              - pm-2539
 
     # Production builds are exectuted only on tagged commits to the
     # master branch.

.env.sample

@@ -143,6 +143,11 @@ SERVICEACC02_CID="devadmin1"
 SERVICEACC02_SECRET="devadmin1"
 SERVICEACC02_UID="100000027"
 
-# Note: Registration default password is no longer configurable; for social/SSO
-# registrations without a provided password, a unique 16-character random
-# password is generated at registration time.
+# Note: Registration default password is no longer configurable; for social/SSO
+# registrations without a provided password, a unique 16-character random
+# password is generated at registration time.
+
+
+# Prisma configuration
+
+IDENTITY_SERVICE_PRISMA_TIMEOUT=10000

.github/workflows/trivy.yaml

@@ -0,0 +1,34 @@
+name: Trivy Scanner
+
+permissions:
+  contents: read
+  security-events: write
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+jobs:
+  trivy-scan:
+    name: Use Trivy
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy scanner in repo mode
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH,UNKNOWN"
+          scanners: vuln,secret,misconfig,license
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"

src/api/role/role.service.spec.ts

@@ -390,13 +390,16 @@ describe('RoleService', () => {
       ).rejects.toThrow(NotFoundException);
     });
 
-    it('should throw ConflictException if assignment already exists', async () => {
+    it('should ignore duplicate assignment if already exists', async () => {
       mockPrisma.role.count.mockResolvedValue(1);
       mockPrisma.roleAssignment.create.mockRejectedValue({ code: 'P2002' });
 
       await expect(
         service.assignRoleToSubject(roleId, subjectId, operatorId),
-      ).rejects.toThrow(ConflictException);
+      ).resolves.toBeUndefined();
+      expect(mockLogger.warn).toHaveBeenCalledWith(
+        `Attempt to assign role ${roleId} to subject ${subjectId} which already exists. Ignoring duplicate.`,
+      );
     });
   });
 

src/api/role/role.service.ts

@@ -376,18 +376,15 @@ export class RoleService {
     } catch (error) {
       if (error.code === Constants.prismaUniqueConflictcode) {
         this.logger.warn(
-          `Attempt to assign role ${roleId} to subject ${subjectId} which already exists.`,
+          `Attempt to assign role ${roleId} to subject ${subjectId} which already exists. Ignoring duplicate.`,
         );
-        throw new ConflictException(
-          `Role ${roleId} is already assigned to subject ${subjectId}.`,
-        );
-      } else {
-        this.logger.error(
-          `Failed to assign role ${roleId} to subject ${subjectId}: ${error.message}`,
-          error.stack,
-        );
-        throw error;
+        return;
       }
+      this.logger.error(
+        `Failed to assign role ${roleId} to subject ${subjectId}: ${error.message}`,
+        error.stack,
+      );
+      throw error;
     }
   }
 

src/shared/member-prisma/member-prisma.service.ts

@@ -6,6 +6,16 @@ export class MemberPrismaService
   extends MemberPrismaClient
   implements OnModuleInit, OnModuleDestroy
 {
+  constructor() {
+    super({
+      transactionOptions: {
+        timeout: process.env.IDENTITY_SERVICE_PRISMA_TIMEOUT
+          ? parseInt(process.env.IDENTITY_SERVICE_PRISMA_TIMEOUT, 10)
+          : 10000,
+      },
+    });
+  }
+
   async onModuleInit() {
     await this.$connect();
   }