From GDX accessibility audit conducted in July 2021.

Issue

This text beneath the numbers is very small and difficult to read, particularly for those with low vision:

Suggestion

Increase text size to at least 14px

We discussed in button-inc#14 but haven't implemented yet in our first branching model agreements button-inc#18, the opportunity to adopt and enforce Conventional Commits. Might we consider enforcing that with a Gitlint guardrail (sample config) in a pre-commit hook (sample config)? This would unblock the option of using standard-version to automate the release process in a manner compliant with SemVer. If this adds value to our process, we'd likely want a releasing team agreement (sample agreement) to be part of this issue.

Browser: Safari Version 14.0.3
Environments: TEST and PROD

Signed in as a public sector user, I started drafting a SWU opportunity. When I got to the Proposal Deadline and Assignment Date fields, I could not type anything into the fields, nor see any date picker.

As a developer
I want to use prettier
to ensure code is consistently formatted

• enable prettier in local pre-commit
• enable prettier in CI pre-commit
• run prettier against the entire codebase

No Project Lifecycle Badge found in your readme!

Hello! I scanned your readme and could not find a project lifecycle badge. A project lifecycle badge will provide contributors to your project as well as other stakeholders (platform services, executive) insight into the lifecycle of your repository.

What is a Project Lifecycle Badge?

It is a simple image that neatly describes your project's stage in its lifecycle. More information can be found in the project lifecycle badges documentation.

What do I need to do?

I suggest you make a PR into your README.md and add a project lifecycle badge near the top where it is easy for your users to pick it up :). Once it is merged feel free to close this issue. I will not open up a new one :)

Platforms Services sent an email on January 7 indicating that they would be reducing OCP quotas in February 2022.

We need to review our the Digital Marketplace tools namespace to ensure that we will be able to operate the application with reduced resources.

Acceptance Criteria:

• Application operation under reduced resources reviewed
• If reduced resources insufficient, request additional resources from Platform Services
• Verify no Jenkins instances running in app
• Resources set to:
• requests.cpu: 2 cores
• limits.cpu: 4 cores

Email from Platform Services:

What is happening?

We are introducing a series of quota reductions on the Private Cloud OpenShift Platform in order to free up the “reserved but not used” resources, which will increase our return of investment and allow us to continue accepting new apps on the Platform. The quota for CPU resource for all tools namespaces in the Silver cluster will be reduced in early February 2022 (the exact date will be communicated separately) and will have the following resource quota:

requests.cpu: 2 cores
limits.cpu: 4 cores

Depending on how much reserved CPU is freed up as a result of the teams re-configuring their Jenkins instances, more quota reduction steps may need to be introduced.

Why is it happening?

Inefficient resource utilization by Platform apps, and Jenkins instances in particular, have led to a misuse and shortage of free compute resources in the Silver cluster of the OpenShift Platform. This behaviour will soon prevent us from being able to accept new apps. There is an immediate need to reduce the amount of “requested but unused” resources. Doing this together will allow us to increase our Platform resource utilization, onboard more applications with our current investment, and educate the community on containerized resource utilization best practices.

Secondly, we will continue to encourage you to shut down your Jenkins instances entirely, and take advantage of Jenkins alternatives such as GitHub Actions and OpenShift Pipelines (Tekton) that are available on the Platform today. To help teams get started with these technologies quickly, we developed pipeline templates that also incorporate security best practices. Both alternatives provide much better resource utilization, substantially save the Province money and resources to manage, and reduce the Jenkins security risks with many instances versus centralized enterprise managed products.

When is it happening?

To be determined, but we are targeting early Februrary 2022.

What impact will it have on my app?

If the CPU Request or Limit settings for your Jenkins pod are above the new quota size, it may impact the pod’s ability to start.

What can I do to prepare my app for this change?

Adjust your Jenkins pod settings per the Jenkins Resource Configuration Requirements ASAP. It’s easy to do in your YAML configurations, with recommended settings provided by the Platform Services Team for you to leverage. We have also prepared a how-to video with the step-by-step instructions.

To test that your Jenkins instance can work successfully with the new settings, you can go to the Project Registry and change the CPU resource quota for the tools namespace to match the new quota as shown below.

Run your usual build process to confirm that it works as expected.

The entire test should not take more than 1 hr and we hope that all teams will be able to accomodate it in their current Sprint.

We have tested that Jenkins can successfully perform with the recommended settings, if, however, you find that the new quota impacts your ability to use other development tools in the tools namespace, please let us know ASAP in the “quota-reduction” discussion thread in the #devops-operations channel.

What should I do if I have concerns about this change?

Come to the Q&A session on January 12, 2022 that will take place in preparation for this change.

Thank you for doing your part in improving the resource utilization on the Private Cloud Platform.

Description

As a developer
I want to investigate the mocha tests in the Quebec fork of the repo
So that I can add or adapt them for use in our repo to increase test coverage

Tasks (How)

• determine if the tests can be brought over as-is or would need to be refactored/rewritten and how

User Story

As a government executive, I want to easily be able to produce a report for my Minister about the money that has flowed to the private sector through our innovative procurement programs, CWU and SWU.

I would like to easily be able to see:

• Total $$ awarded through CWU since its inception
• Total $$ awarded through SWU since its inception

By government fiscal year (April 1 - March 31)

• Total $$ awarded through CWU
• Total $$ awarded through SWU

For each opportunity, I can see:

• Name of awardee
• Award amount

Describe the bug
After successfully receiving one opportunity email directly to my regular inbox this past December 8 (following the previous spam filter issues), the new opportunity emails resumed being filtered straight to my Junk folder for all opportunities posted subsequently.

To Reproduce
Steps to reproduce the behavior:

1. Sign up for email notifications of new opportunities
2. Wait for a new opportunity to be posted / post new opportunity
3. Watch your regular Outlook inbox, as well as your Junk folder
4. New opportunity emails appear in Junk folder

Expected behavior
Email sender should be considered trustworthy enough by Outlook to be delivered to users' regular inbox.

Additional context
Can send the raw email headers by other means

As a developer, I want to rename anonymous functions throughout the code(see pic) to relevant names using relevant naming conventions, so that I can debug the front-end code more effectively.

DoD:

• Come up with a naming convention the team agrees upon
• Find all anon functions in the code
• Rename functions

On one of the pages of Sprint With Us projects some of the labels/text do not show up. You can however see them if you highlight the column in the table as shows in the screen shot below. You can see the F/T and P/T labels only show up when highlighted. Does not work in Safari or Chrome.

As a developer
I want to use the Cypress Dashboard
So that I can see screenshots and videos of my CI Cypress test runs, which will help me debug failures.

Tasks:

• Discuss:
• • Screenshots and videos are public, so if test fixtures include any sensitive information (they shouldn't, they're mainly lorem ipsum), it could show in an image
• • It's possible to accidentally expose a secret from our github actions configuration (we have detect-secrets as part of pre-commit already; could add some additional mitigation)
• If discussion lands on using the dashboard, apply for the open-source plan here: https://docs.cypress.io/guides/dashboard/organizations#Open-Source-Plan
• Set up dashboard access from our code (add CYPRESS_RECORD_KEY to the repo secrets and projectId to cypress.json (both these values come from the dashboard))

As a developer
I want to set up a fully functional smtp endpoint for transactional emails
so that I don't have to use a gmail workaround.

Tasks

• set up endpoint
• remove code related to the gmail workaround
• remove requirement to provide gmail environment variables in order to start the server

Additional notes:

in development, the site uses gmail to test transactional emails in development

Highly recommend using Mailhog in ci/dev/test to create a fully functional smtp endpoint. Here's a good helm chart for Mailhog.

Originally posted by @wenzowski in button-inc#126 (comment)

User Story

As a public sector employee from another jurisdiction (e.g. Government of Canada), I would like to know that the source code for the Digital Marketplace app is open source, so we can build our own!

(This came from a conversation @ZachWoodward and I just had with some folks from this Gov of Canada team. They had forked the old devex codebase, then visited digital.gov.bc.ca/marketplace, but it was not apparent to them that the code for it was also open source.)

Minor typo as per the below image (says 'contract' but should say 'contact'):

From GDX accessibility audit conducted in July 2021.

Issues

Use the WAVE Evaluation Tool Chrome extension to see the areas of concern:

• BC Gov logo (header logo) should have descriptive alt text as it functions as a link
• Images for CWU & SWU boxes have alt text of "Code With Us Image" and "Sprint With Us Image". These don't help the user understand. They'd best be reverted to decorative (i.e. alt="")
• Two other illustrations below don't have any alt attribute; they should also have decorative (i.e. alt="")

From GDX accessibility audit conducted in July 2021.

Issue

There are some instances of low contrast between text and background colors. For example:

• Light blue used for buttons and links
• Footer links

See:

• WCAG guideline for minimum contrast
• WAVE Evaluation Tool Chrome extension — using this will highlight the areas of concern

Expected

Text and background always have a contrast ratio of 4.5:1 (3:1 for large text)

No Project Lifecycle Badge found in your readme!

Hello! I scanned your readme and could not find a project lifecycle badge. A project lifecycle badge will provide contributors to your project as well as other stakeholders (platform services, executive) insight into the lifecycle of your repository.

What is a Project Lifecycle Badge?

It is a simple image that neatly describes your project's stage in its lifecycle. More information can be found in the project lifecycle badges documentation.

What do I need to do?

I suggest you make a PR into your README.md and add a project lifecycle badge near the top where it is easy for your users to pick it up :). Once it is merged feel free to close this issue. I will not open up a new one :)

Some recent discoveries in the code have noted backdoors being used for testing purposes. These security issues should be documented and reported to the gov't as a breach of security.

@wenzowski Is there a format or template used to document security breaches?

As an Admin and Opportunity owner
I want to see the notes and their attachments in the history list
So that I can audit trail the opportunity process

Business value:

• Right now, the production image applies Grunt later than optimal - if we applied Grunt earlier, we could reduce the size of the image
• Align with Test/Prod parity
• Eliminate existing anti-patterns (reduce tech debt)

Questions to answer:

• What is the current image size in production?
• What is the ideal image size?
• Who requested this?
• Why we should do this?

Description

As a developer and user
I want login to be secure
So that no one can see my private info

Tasks

• Task
• Task

Additional Notes

• From Matthieu: Right now your server checks that the authentication is successful in the auth callback, but after that it never checks with the identity provider again, which is bad. Keycloak (or any oauth/openid server) sends you an access token and a refresh token. The access token is a short-lived (defaults to 5min in keycloak) token that should be checked on every request. If the access token is expired, the session can be refreshed using the refresh token, which has a longer lifespan (defaults to 30min). If the user is idle for 30min, they will need to log in again.
  Right now it looks like session expiry is only handled with the sid cookie?
  https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration. this is what your application should be doing for every request, instead of just retrieving the user id from the session: https://github.com/bcgov/cas-template-app/blob/b6030312b5852b9df284c5175d86b98a3773ed08/packages/sso-express/src/controllers.ts#L42

User Stories

As a vendor, I would like to see which of my competitors are being awarded opportunities, what amounts they are being paid, and what work is being delivered for that money.

As a vendor who has been awarded an opportunity in the past, I would like to be able to refer to the terms of the opportunity, and also be able to point new prospective clients to work that we have been awarded and delivered for the Province of British Columbia.

As a government product owner who is interested in posting a CWU or SWU opportunity, I want to be able to see past opportunities that have been offered so I can get a sense of how I might compose my opportunity.

As a concerned taxpayer, I would like to know that my government is being transparent about the money they are spending through procurement, who they awarding it to, and for what.

I would like to be able to peruse past opportunities and:

• Sort all of the opportunities that have been awarded by ministry (see what opportunities my ministry has awarded in the past)
• Read the full content of the opportunity as it was posted (i.e. all of the Acceptance Criteria, Proposal Eval criteria in the case of CWU)
• See the award amount
• See the name of the vendor/individual who was awarded the opportunity
• See the number of proposals that were submitted
• Find a link to where the work that the opportunity is paying for is being delivered (i.e. link to the public GitHub repo where the work is being delivered)

Once Node has been upgraded to LTS, handle the other package upgrades necessary.

The first iteration of this was in Sprint 1 here: button-inc#129.

Tasks

• update all of the following packages
• fix any errors (probably lots of TS ones) these updates cause

These packages require a major bump (there are no patch or minor updates in between the version we have and the next major):
@keycloak/keycloak-admin-client 15.1.0 15.1.0 16.1.0 dependencies https://www.keycloak.org/
autoprefixer 9.8.8 9.8.8 10.4.2 devDependencies https://github.com/postcss/autoprefixer#readme
chalk 2.4.2 2.4.2 5.0.0 dependencies https://github.com/chalk/chalk#readme
cssnano 4.1.11 4.1.11 5.0.15 devDependencies https://github.com/cssnano/cssnano
dotenv 6.2.0 6.2.0 11.0.0 dependencies https://github.com/motdotla/dotenv#readme
find-up 5.0.0 5.0.0 6.2.0 dependencies https://github.com/sindresorhus/find-up#readme
grunt-browserify 5.3.0 5.3.0 6.0.0 devDependencies https://github.com/jmreidy/grunt-browserify
grunt-contrib-compress 1.6.0 1.6.0 2.0.0 devDependencies https://github.com/gruntjs/grunt-contrib-compress#readme
grunt-terser 0.1.1 0.1.1 2.0.0 devDependencies https://github.com/adascal/grunt-terser
html-to-text 5.1.1 5.1.1 8.1.0 dependencies https://github.com/html-to-text/node-html-to-text
jest-diff 25.5.0 25.5.0 27.4.6 dependencies https://github.com/facebook/jest#readme
keycloak-connect 8.0.2 8.0.2 16.1.0 dependencies http://keycloak.org
load-grunt-tasks 4.0.0 4.0.0 5.1.0 devDependencies https://github.com/sindresorhus/load-grunt-tasks#readme
openid-client 3.15.10 3.15.10 5.1.1 dependencies https://github.com/panva/node-openid-client
react 16.14.0 16.14.0 17.0.2 dependencies https://reactjs.org/
react-dom 16.14.0 16.14.0 17.0.2 dependencies https://reactjs.org/
react-markdown 4.3.1 4.3.1 7.1.2 devDependencies https://github.com/remarkjs/react-markdown#readme
react-select 3.2.0 3.2.0 5.2.1 devDependencies https://github.com/JedWatson/react-select/tree/master/packages/react-select
reactstrap 8.10.1 8.10.1 9.0.1 devDependencies https://github.com/reactstrap/reactstrap#readme
serve 11.3.2 11.3.2 13.0.2 devDependencies https://github.com/vercel/serve#readme
swagger-jsdoc 4.3.2 4.3.2 6.1.0 dependencies https://github.com/Surnet/swagger-jsdoc
ts-node 8.10.2 8.10.2 10.4.0 dependencies https://typestrong.org/ts-node
typescript 3.8.2 3.9.10 4.5.4 dependencies https://www.typescriptlang.org/
uuid 3.4.0 3.4.0 8.3.2 dependencies https://github.com/uuidjs/uuid#readme
yargs 16.2.0 16.2.0 17.3.1 dependencies https://yargs.js.org/
@wordpress/wordcount 2.15.2 2.15.2 3.2.3 dependencies https://github.com/WordPress/gutenberg/tree/HEAD/packages/wordcount/README.md

This one can go to a higher minor first:
knex 0.19.5 0.19.5 0.95.15 dependencies https://knexjs.org (but TS needs to be updated first)

Description

As a developer
I want to npm run browserslist --update-db
So that browsers stay up-to-date

Tasks (How)

• Task
• Task
• Task
  Additional notes:
  here: The npm run browserslist --update-db call should probably also be part of our ci config so I'd track that as separate tech debt.

Description

As a developer
I want to use the same docker image in testing and prod
So that I can get closer to dev/prod parity

Tasks (How)

• replace current build steps in CI with a step that grabs the production docker image

Alec note from here: Let's make sure we've got a tech debt card for our CI/CD process that notes our e2e tests should be booting the candidate docker image that we intend to release to production (as a 12 factor app, we should be able to boot the prod image with development or test environment flag set). The cypress errors appear to be due to the fact that we're running headless from inside a runner that does not have access to a gpu.

As a developer
I want my testing endpoints to use the same types as my production endpoints
so I can use type-checking to avoid bugs and unexpected behavior.

Tasks

• rewrite the testing endpoints so they return the same types as the prod endpoints

Additional notes:
Ideally we'd cast this endpoint's output to return prod types. Tech debt

Originally posted by @wenzowski in button-inc#111 (comment)

As a developer
I want to avoid having different versions of node in different parts of the code (e.g., the package is updated to 16 but the github action uses 10)
so that I can keep versions consistent and avoid any unexpected behaviour.

Tasks

• find a way to ensure that when a node version changes in one place, it changes everywhere else too

Additional notes:

This looks like continuation of button-inc#56 ...so I'd call the fact that we were able to bump the node version there and miss the CI configuration tech debt. Let's not hold back this PR but let's figure out how to ensure when we bump node versions in the future we get everything in one go–perhaps we should be looking at how other projects use a .tool-versions file as a source of truth that gets consumed by other systems, like docker, ci, npm, etc.

Originally posted by @wenzowski in button-inc#65 (comment)

As a developer
I want to address all typescript warnings
so that my code is better quality and more maintainable.

Tasks

• fix all typescript-eslint/no-unused-vars warnings

Hello guys!
I am subscribed for notifications of new opportunities under my Public Sector Employee account. Pretty sure I did not receive a notification about this latest one.

As an Opportunity Owner or Administrator
I want to add notes (text and/or multiple attachments) in the Opportunity history
So that I can provide a complete audit history if/when required

Opportunity owners and administrators require the ability to add a general note at the opportunity level. In addition to the text provided for the note, the user may include an attachment, or attachments, to supplement the note.

Designs uploaded to InVision:

Page: Opportunity History - https://invis.io/QBZ92HXTMJZ
Modal: Add Entry to Opportunity - https://invis.io/QNZ92I36DAG

Original Jira ticket => https://bcdevex.atlassian.net/browse/DM-97
Unmerged PR => #134

Related Jira ticket => https://bcdevex.atlassian.net/browse/DM-814
(There's no related PR for this issue)

Acceptance Criteria:

• Validate to ensure that only PDF files can be added
• Validate to ensure that only files less than or equal to 2 MB can be added
• Validate to ensure that note field is not empty
• Validate to ensure that note field is not greater than 1000 chars
• Apply max length to note's text field (e.g., 1024 characters max)
• Ensure that multiple attachments can be uploaded
• On save, the field "Entity Type" has the value "Note".
• All admins to be notified by email when a new note is add to a History List (template text requirements)
• Refresh the history list to show the new note

As I developer
I want to regularly audit my packages
so that I can avoid security vulnerabilities

Tasks

• set up up package auditing (e.g. yarn audit) in CI
• fix vulnerabilities the audit reveals

(This replaces the add npm audit issue (#12) since we've migrated to yarn)

Is your feature request related to a problem? Please describe.

The SWU form won't allow a gov user to submit the opportunity for review if they've failed to fill in mandatory information, but it doesn't indicate which fields/checkboxes, etc. are the problem.

Describe the solution you'd suggest

Flag which fields are missing/unacceptable, similar to how the if you enter an invalid email, you're immediately given feedback.

Describe alternatives you've considered

Additional context

none

Describe the bug
If year is 2050 (probably affects other years too), CWU opportunity completion date doesn't save correctly--the day is off by one. Proposed start date is also off by a day.

To Reproduce
Steps to reproduce the behavior:

1. Create an opportunity with the completion date of April 30, 2050
2. Save the opportunity as a draft
3. View the draft
4. See that the completion date is now April 29, 2050
   Expected behavior
   The date shouldn't change

Screenshots
If applicable, add screenshots to help explain your problem.

TL;DR

Topics greatly improve the discoverability of repos; please add the short code from the table below to the topics of your repo so that ministries can use GitHub's search to find out what repos belong to them and other visitors can find useful content (and reuse it!).

Why Topic

In short order we'll add our 800th repo. This large number clearly demonstrates the success of using GitHub and our Open Source initiative. This huge success means its critical that we work to make our content as discoverable as possible; Through discoverability, we promote code reuse across a large decentralized organization like the Government of British Columbia as well as allow ministries to find the repos they own.

What to do

Below is a table of abbreviation a.k.a short codes for each ministry; they're the ones used in all @gov.bc.ca email addresses. Please add the short codes of the ministry or organization that "owns" this repo as a topic.

That's in, you're done!!!

How to use

Once topics are added, you can use them in GitHub's search. For example, enter something like org:bcgov topic:citz to find all the repos that belong to Citizens' Services. You can refine this search by adding key words specific to a subject you're interested in. To learn more about searching through repos check out GitHub's doc on searching.

Pro Tip 🤓

• If your org is not in the list below, or the table contains errors, please create an issue here.

• While you're doing this, add additional topics that would help someone searching for "something". These can be the language used javascript or R; something like opendata or data for data only repos; or any other key words that are useful.

• Add a meaningful description to your repo. This is hugely valuable to people looking through our repositories.

• If your application is live, add the production URL.

Ministry Short Codes

NOTE See an error or omission? Please create an issue here to get it remedied.

Per comment in #193, why don't we consider reviewing Rule 9 of the OWASP Docker Security Cheat Sheet to further augment our existing linting and static analysis guardrails?

As a developer
I want to address all typescript warnings
so that my code is better quality and more maintainable.

Tasks

• fix all typescript-eslint/no-non-null-assertion eslint warnings

I'd also recommend reviewing the Security tab and consider splitting off a new issue to configure CodeQL.

Originally posted by @wenzowski in button-inc#12 (comment)

Describe the bug
Cypress tests occasionally fail due to uncaught exception errors:

To Reproduce
Comment out these lines from Cypress index.js:

Cypress.on('uncaught:exception', (err, runnable) => {
    // returning false here prevents Cypress from
    // failing the test
    return false
  })

Run the Cypress tests until the uncaught exception fails one of them (which one fails and where is inconsistent).

Expected behavior
There should be no errors in the app code.

Additional context
none

From GDX accessibility audit conducted in July 2021.

Issue

The 'Sign In' and 'Sign Up' buttons can't be accessed via keyboard navigation (i.e. using TAB).

Expected behaviour

Pressing tab should take the user from the site logo to the buttons, then to the links in the navbar.

Yes, I'd say this is safe. Tech debt here is we eventually want a validated configuration (eg. convict, among many others) but this is good for now.

Originally posted by @wenzowski in button-inc#111 (comment)

See also: button-inc#111 (comment)

As a developer
I want to determine if this project will use mocha
so that I can either improve the existing mocha harness or remove it.

Tasks

• if keeping mocha, change to a more standard implementation
• if removing mocha, remove it from the project

Additional notes:
I wouldn't worry too much about it yet since the existing mocha suite runs just one example test. I'd split the work of improving or replacing the mocha harness to a new PR, and since we're reading a property out of a json file and that property is from the parent this looks right to me.

Originally posted by @wenzowski in button-inc#17 (comment)

Epic for the new changes to the History List (both CWU and SWU).

As a government product owner, I would like my Sprint With Us posting to include dates for code challenges and team scenarios so vendors can prepare their resources. I might also want to communicate when to expect the results of each step of evaluation, so that vendors know when to stand down their resources.

As a CWU Opportunity Owner or Administrator
I want to be able to evaluate CWU opportunities more efficiently by adding evaluation scores in batch (currently, each score must be added individually).

Design recommendations (from original Jira ticket):

• Add “Enter Scores” button to the contextual navbar for the “Proposals” section when managing a CWU opportunity

  • If scores have been added, replace with “Edit Scores” button

• When “Enter Scores” button is clicked, present the user to enter all scores for all proposals

  • Content will include Proponent Name (readonly), Total Score (input) and Comments/Notes (textarea) for each vendor submission

Actions:

• Cancel
• Save Scores (previously, “Submit Scores”)
  • Save Scores allows the user to save all known scores (i.e. some scores may be left blank)
  • Save Notes for each submission would appear in the Proposal History
• Provide a “Lock Scores” button in the contextual navbar (disabled until all scores have been entered)
  • all scores must be entered and saved to activate this button
  • once clicked, user will not be able to go back and edit scores for the corresponding phase

Original Jira ticket => https://bcdevex.atlassian.net/browse/DM-658
Unmerged PR => #XXX

Acceptance Criteria:

• AC1
• AC2
• AC3

User Stories

As a proponent, I would like to see what the Code With Us terms are before deciding to apply on an opportunity.

As a government administrator, I need a way to send the Code With Us terms to my finance staff so that they have a copy of "the contract" and can set up a purchase order to pay invoices against it.

Business value - we want to capture the work done and migrate to final repo.

The Button team completed work on a bunch of tech debt. The work was done on the Button fork.

Details:

• Include config setting changes to match team agreements on Button fork
• Include cypress secrets
• Include Sonar secrets

When deploying digital marketplace locally I found a blocker while getting the project running. This came from not knowing which env viarables from the sample.env needed setting.

With Andrew's help we got it running by setting
POSTGRES_URL="postgresql://digitalmarketplace:digitalmarketplace@localhost:5432/digitalmarketplace"
MAILER_GMAIL_USER="[email protected]"
MAILER_GMAIL_PASS="password"
ORIGIN="http://localhost:3000/"

This should be documented in the digital marketplace readme.md file.
AC:

get a documentation to the dig marketplace readme merged into the codebase

Classic steps are :

1. Draft (if base validation passes)
2. Submit for review (if complete validation passes)
3. Publish (if previous step passes)

But an admin can go from step 1. to step 3. Then, no validation is done at step 2.

Relevant code parts :

// src/shared/lib/resources/opportunity/sprint-with-us.ts
export function isValidStatusChange(from: SWUOpportunityStatus, to: SWUOpportunityStatus): boolean {
  switch (from) {
    case SWUOpportunityStatus.Draft:
      // UnderReview step can be omitted
      return [SWUOpportunityStatus.UnderReview, SWUOpportunityStatus.Published].includes(to);
// [...]

But validations take place while Reviewal step :

// src/back-end/lib/resources/opportunity/sprint-with-us.ts

case 'publish':
            // [...]
            // Opportunity will have been fully validated during review process, so no need to repeat
            const validatedPublishNote = opportunityValidation.validateNote(request.body.value);
            if (isInvalid(validatedPublishNote)) {
              return invalid({ opportunity: adt('publish' as const, validatedPublishNote.value) });
            }
            return valid({
              session: request.session,
              body: adt('publish', validatedPublishNote.value)
            });

Found this bug while converting postman tests to Mocha (https://github.com/CQEN-QDCE/digital_marketplace/tree/experimentation/tests/back-end/unit/lib/api)