merge from main

Makefile

@@ -16,10 +16,7 @@ GIT_HOOKS_PATH ?= $(shell git config --global core.hooksPath || echo "")
 .PHONY: bootstrap
 bootstrap: ## Set up everything to run the app
 	make generate-version-file
-	rm poetry.lock
-	poetry lock
-	poetry install --no-root
-	poetry sync
+	poetry sync --no-root
 	poetry run pre-commit install
 	createdb notification_api || true
 	createdb test_notification_api || true
@@ -28,10 +25,7 @@ bootstrap: ## Set up everything to run the app
 .PHONY: bootstrap-with-git-hooks
 bootstrap-with-git-hooks:  ## Sets everything up and accounts for pre-existing git hooks
 	make generate-version-file
-	rm poetry.lock
-	poetry lock
-	poetry install --no-root
-	poetry sync
+	poetry sync --no-root
 	git config --global --unset-all core.hooksPath
 	poetry run pre-commit install
 	git config --global core.hookspath "${GIT_HOOKS_PATH}"
@@ -116,12 +110,8 @@ test: ## Run tests and create coverage report
 
 .PHONY: py-lock
 py-lock: ## Syncs dependencies and updates lock file without performing recursive internal updates
-
-	rm poetry.lock
-
+	poetry sync --no-root
 	poetry lock
-	poetry install
-	poetry sync
 
 .PHONY: freeze-requirements
 freeze-requirements: ## Pin all requirements including sub dependencies into requirements.txt

README.md

@@ -477,6 +477,8 @@ instructions above for more details.
   - [Onboarding](./docs/all.md#onboarding)
   - [Setting up the infrastructure](./docs/all.md#setting-up-the-infrastructure)
 - [Using the logs](./docs/all.md#using-the-logs)
+- [`git` hooks](./docs/all.md#git-hooks)
+  - [detect-secrets pre-commit plugin](./docs/all.md#detect-secrets-pre-commit-plugin)
 - [Testing](./docs/all.md#testing)
   - [CI testing](./docs/all.md#ci-testing)
   - [Manual testing](./docs/all.md#manual-testing)

docs/all.md

@@ -7,6 +7,7 @@
   - [Setting up the infrastructure](#setting-up-the-infrastructure)
 - [Using the logs](#using-the-logs)
 - [`git` hooks](#git-hooks)
+  - [detect-secrets pre-commit plugin](#detect-secrets-pre-commit-plugin)
 - [Testing](#testing)
   - [CI testing](#ci-testing)
   - [Manual testing](#manual-testing)
@@ -262,6 +263,17 @@ The configuration is stored in `.pre-commit-config.yaml`. In that config, there
 
 We do not maintain any hooks in this repository.
 
+## detect-secrets pre-commit plugin
+
+One of the pre-commit hooks we use is [`detect-secrets`](https://github.com/Yelp/detect-secrets), which checks for all sorts of things that might be committed accidently that should not be.  The project is already set up with a baseline file (`.ds.baseline`) and this should just work out of the box, but occasionally it will flag something new when you try and commit something; or, the file may need a refresh after a while.  In either case, to get things back on track and update the `.ds.baseline` file, run these two commands:
+
+```sh
+detect-secrets scan --baseline .ds.baseline
+detect-secrets audit .ds.baseline
+```
+
+The second command will walk you through all of the new detected secrets and ask you to validate if they actually are or if they're false positives.  Mark off each one as apppropriate (they should all be false positives - if they're not please stop and check in with the team!), then commit the updates to the `.ds.baseline` file and push them remotely so the project stays up-to-date.
+
 # Testing
 
 ```