linuxfoundation · lukaszgryglicki · Apr 16, 2026 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,19 @@
+name: "CodeQL Config for EasyCLA Go Backend"
+
+# Additional queries for Go security analysis
+queries:
+  - uses: security-and-quality
+  - uses: security-extended
+
+# Custom rules for Go backend
+disable-default-queries: false
+
+# Paths to analyze
+paths:
+  - cla-backend-legacy/
+
+# Paths to ignore
+paths-ignore:
+  - cla-backend-legacy/resources/
+  - cla-backend-legacy/bin/
+  - cla-backend-legacy/vendor/
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,61 +1,55 @@
----
-# Copyright The Linux Foundation and each contributor to CommunityBridge.
-# SPDX-License-Identifier: MIT
-
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
-  - package-ecosystem: "npm" # See documentation for possible values
-    directory: "/cla-landing-page" # Location of package manifests
+  # Enable version updates for npm (existing)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 3
+
+  # Enable version updates for npm in cla-frontend-project-console
+  - package-ecosystem: "npm"
+    directory: "/cla-frontend-project-console"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 3
+
+  # Enable version updates for npm in cla-frontend-corporate-console
+  - package-ecosystem: "npm"
+    directory: "/cla-frontend-corporate-console"
     schedule:
       interval: "monthly"
     open-pull-requests-limit: 3
-    ignore:
-      - dependency-name: "serverless"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-      - dependency-name: "serverless-domain-manager"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-  - package-ecosystem: "npm" # See documentation for possible values
-    directory: "/cla-backend" # Location of package manifests
+
+  # Enable version updates for npm in cla-frontend-contributor-console
+  - package-ecosystem: "npm"
+    directory: "/cla-frontend-contributor-console"
     schedule:
       interval: "monthly"
     open-pull-requests-limit: 3
-    ignore:
-      - dependency-name: "serverless"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-      - dependency-name: "serverless-domain-manager"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/cla-backend" # Location of package manifests
+
+  # Enable version updates for Python dependencies in cla-backend
+  - package-ecosystem: "pip"
+    directory: "/cla-backend"
     schedule:
       interval: "monthly"
     open-pull-requests-limit: 3
-    ignore:
-      - dependency-name: "serverless"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-      - dependency-name: "serverless-domain-manager"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-  - package-ecosystem: "npm" # See documentation for possible values
-    directory: "/cla-backend-go" # Location of package manifests
+
+  # Enable version updates for Go dependencies in cla-backend-go
+  - package-ecosystem: "gomod"
+    directory: "/cla-backend-go"
     schedule:
       interval: "monthly"
     open-pull-requests-limit: 3
-    ignore:
-      - dependency-name: "serverless"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-      - dependency-name: "serverless-domain-manager"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-  - package-ecosystem: "gomod" # See documentation for possible values
-    directory: "/cla-backend-go" # Location of package manifests
+
+  # NEW: Enable version updates for Go dependencies in cla-backend-legacy
+  - package-ecosystem: "gomod"
+    directory: "/cla-backend-legacy"
     schedule:
       interval: "monthly"
     open-pull-requests-limit: 3
-    ignore:
-      - dependency-name: "serverless"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-      - dependency-name: "serverless-domain-manager"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
+    reviewers:
+      - "lukaszgryglicki"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
diff --git a/.github/license-report.tpl b/.github/license-report.tpl
@@ -0,0 +1,6 @@
+{{- range . }}
+Package: {{ .Name }}
+License: {{ .LicenseName }}
+License URL: {{ .LicenseURL }}
+---
+{{- end }}
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: Go Version
         run: go version
       - name: Setup Node
@@ -40,7 +40,7 @@ jobs:
           python-version: '3.11'
           cache: 'pip'
       - name: Cache Go modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ github.workspace }}/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -110,3 +110,49 @@ jobs:
       - name: Go Lint
         working-directory: cla-backend-go
         run: make lint
+
+      - name: Go Setup CLA Legacy Backend
+        working-directory: cla-backend-legacy
+        run: |
+          go mod tidy
+
+      - name: Go Build CLA Legacy Backend
+        working-directory: cla-backend-legacy
+        run: |
+          make lambdas
+
+      - name: Go Test CLA Legacy Backend
+        working-directory: cla-backend-legacy
+        run: go test ./...
+
+      - name: Go Lint CLA Legacy Backend
+        working-directory: cla-backend-legacy
+        run: make lint
+
+      # Security scanning for Go Legacy Backend
+      - name: Go Security Scan (Gosec)
+        uses: securecodewarrior/github-action-gosec@master
+        with:
+          args: '-fmt sarif -out gosec-results.sarif ./...'
+        continue-on-error: true
+
+      - name: Upload Gosec SARIF to GitHub Security Tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: cla-backend-legacy/gosec-results.sarif
+          category: gosec-legacy-backend
+
+      - name: Go Vulnerability Check (govulncheck)
+        working-directory: cla-backend-legacy
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./...
+        continue-on-error: true
+
+      - name: Static Analysis (staticcheck)
+        working-directory: cla-backend-legacy
+        run: |
+          go install honnef.co/go/tools/cmd/staticcheck@latest
+          staticcheck ./...
+        continue-on-error: true
diff --git a/.github/workflows/cla-backend-legacy-deploy-dev.yml b/.github/workflows/cla-backend-legacy-deploy-dev.yml
@@ -0,0 +1,112 @@
+---
+# Copyright The Linux Foundation and each contributor to CommunityBridge.
+# SPDX-License-Identifier: MIT
+
+name: Build and Deploy CLA Legacy Backend to DEV
+on:
+  push:
+    branches:
+      - dev
+    paths:
+      - 'cla-backend-legacy/**'
+      - '.github/workflows/cla-backend-legacy-deploy-dev.yml'
+
+permissions:
+  # These permissions are needed to interact with GitHub's OIDC Token endpoint to fetch/set the AWS deployment credentials.
+  id-token: write
+  contents: read
+
+env:
+  AWS_REGION: us-east-1
+  STAGE: dev
+  DD_VERSION: ${{ github.sha }}
+
+jobs:
+  build-deploy-legacy-dev:
+    runs-on: ubuntu-latest
+    environment: dev
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: Go Version
+        run: go version
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          role-to-assume: arn:aws:iam::395594542180:role/github-actions-deploy
+          aws-region: us-east-1
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: ${{ github.workspace }}/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Configure Git to clone private Github repos
+        run: git config --global url."https://${TOKEN_USER}:${TOKEN}@github.com".insteadOf "https://github.com"
+        env:
+          TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN_GITHUB  }}
+          TOKEN_USER: ${{ secrets.PERSONAL_ACCESS_TOKEN_USER_GITHUB }}
+
+      - name: Add OS Tools
+        run: sudo apt update && sudo apt-get install file -y
+
+      - name: Go Setup CLA Legacy Backend
+        working-directory: cla-backend-legacy
+        run: |
+          go mod tidy
+
+      - name: Go Build CLA Legacy Backend
+        working-directory: cla-backend-legacy
+        run: |
+          make lambdas
+
+      - name: Go Test CLA Legacy Backend
+        working-directory: cla-backend-legacy
+        run: go test ./...
+
+      - name: Go Lint CLA Legacy Backend
+        working-directory: cla-backend-legacy
+        run: make lint
+
+      - name: Setup Deployment
+        working-directory: cla-backend-legacy
+        run: |
+          npm install
+
+      - name: EasyCLA Legacy Backend Deployment us-east-1
+        working-directory: cla-backend-legacy
+        run: |
+          if [[ ! -f bin/legacy-api-lambda ]]; then echo "Missing bin/legacy-api-lambda binary file. Exiting..."; exit 1; fi
+          if [[ ! -f serverless.yml ]]; then echo "Missing serverless.yml file. Exiting..."; exit 1; fi
+          # Create empty env.json if it doesn't exist
+          echo '{}' > env.json
+          npx serverless deploy --force --stage ${STAGE} --region us-east-1 --verbose
+
+      - name: EasyCLA Legacy Backend Service Check
+        run: |
+          sudo apt install curl jq -y
+
+          # Development environment endpoints to test
+          declare -r v1_url="https://apigo.lfcla.${STAGE}.platform.linuxfoundation.org/v1/health"
+          declare -r v2_url="https://apigo.lfcla.${STAGE}.platform.linuxfoundation.org/v2/health"
+
+          echo "Validating v1 backend using endpoint: ${v1_url}"
+          curl --fail -XGET ${v1_url} || echo "v1 health endpoint check failed (expected for now)"
+
+          echo "Validating v2 backend using endpoint: ${v2_url}"
+          curl --fail -XGET ${v2_url} || echo "v2 health endpoint check failed (expected for now)"