Deploy RC 348 to Production

.github/workflows/create-deploy-pr.yml

@@ -0,0 +1,32 @@
+name: Create deploy PR
+on:
+  workflow_dispatch:
+    inputs:
+      deploy_type:
+        description: 'Type of deploy'
+        required: true
+        type: choice
+        options:
+          - Normal
+          - Patch
+      source:
+        description: 'Source branch/SHA (If blank, the current SHA running on staging will be used)'
+        required: false
+        type: string
+permissions:
+  pull-requests: write
+  contents: write
+jobs:
+  create-pr:
+    name: Create PR
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ github.token }}
+      PATCH: ${{ inputs.deploy_type == 'Patch' && 1 || 0 }}
+      SOURCE: ${{ inputs.source }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Get all commits
+      - uses: ruby/setup-ruby@v1
+      - run: scripts/create-deploy-pr

.github/workflows/create-release.yml

@@ -0,0 +1,18 @@
+name: Create release
+run-name: "Create release based on ${{ github.event.pull_request.title }}"
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - 'stages/prod'
+jobs:
+  create-release:
+    name: Create release after PR merge
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@v4
+      - run: scripts/create-release ${{ github.event.pull_request.number }}

.gitlab-ci.yml

@@ -8,7 +8,7 @@ variables:
   FF_SCRIPT_SECTIONS: 'true'
   JUNIT_OUTPUT: 'true'
   ECR_REGISTRY: '${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com'
-  IDP_CI_SHA: 'sha256:908cb207c214016f3e366b2ebbe89c2077cfe1d40f3b82ad8d79e58e0cec720b'
+  IDP_CI_SHA: 'sha256:756a1d450b422720dee36cb9a6217687bcad1e40b780219d360989861ce94212'
   PKI_IMAGE_TAG: 'main'
   DASHBOARD_IMAGE_TAG: 'main'
 
@@ -163,17 +163,6 @@ check_changelog:
         exit 0
       fi
 
-check_content_freeze:
-  stage: test
-  script: |-
-    echo "Content change is not allowed during content freeze"
-    exit 1
-  rules:
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "external_pull_request_event" || $CI_PIPELINE_SOURCE == "web"'
-      changes:
-        compare_to: 'refs/heads/main'
-        paths:
-          - config/locales/**/en.yml
 specs:
   stage: test
   needs:

.ruby-version

@@ -1 +1 @@
-3.2.2
+3.3.0

Gemfile

@@ -16,11 +16,14 @@ gem 'aws-sdk-sns'
 gem 'aws-sdk-sqs'
 gem 'barby', '~> 0.6.8'
 gem 'base32-crockford'
+gem 'base64'
+gem 'bigdecimal'
 gem 'bootsnap', '~> 1.0', require: false
 gem 'browser'
 gem 'caxlsx', require: false
 gem 'concurrent-ruby'
 gem 'connection_pool'
+gem 'csv'
 gem 'cssbundling-rails'
 gem 'devise', '~> 4.8'
 gem 'dotiw', '>= 4.0.1'
@@ -101,7 +104,7 @@ group :development, :test do
   gem 'i18n-tasks', '~> 1.0'
   gem 'knapsack'
   gem 'listen'
-  gem 'nokogiri', '~> 1.14.0'
+  gem 'nokogiri', '~> 1.16.0'
   gem 'pg_query', require: false
   gem 'pry-byebug'
   gem 'pry-doc'

Gemfile.lock

@@ -253,6 +253,7 @@ GEM
       addressable
     cssbundling-rails (1.0.0)
       railties (>= 6.0.0)
+    csv (3.2.8)
     date (3.3.4)
     dead_end (4.0.0)
     derailed_benchmarks (2.1.2)
@@ -355,14 +356,14 @@ GEM
       rainbow (>= 2.2.2, < 4.0)
       terminal-table (>= 1.5.1)
     ice_nine (0.11.2)
-    io-console (0.6.0)
-    irb (1.9.1)
+    io-console (0.7.1)
+    irb (1.11.0)
       rdoc
       reline (>= 0.3.8)
     jmespath (1.6.2)
     jsbundling-rails (1.1.2)
       railties (>= 6.0.0)
-    json (2.7.0)
+    json (2.7.1)
     jwe (0.4.0)
     jwt (2.7.1)
     knapsack (4.0.0)
@@ -427,15 +428,15 @@ GEM
     net-ssh (6.1.0)
     newrelic_rpm (9.7.0)
     nio4r (2.7.0)
-    nokogiri (1.14.5)
-      mini_portile2 (~> 2.8.0)
+    nokogiri (1.16.0)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     openssl (3.0.2)
     openssl-signature_algorithm (1.2.1)
       openssl (> 2.0, < 3.1)
     orm_adapter (0.5.0)
     parallel (1.23.0)
-    parser (3.2.2.4)
+    parser (3.3.0.0)
       ast (~> 2.4.1)
       racc
     pg (1.5.4)
@@ -463,12 +464,12 @@ GEM
     pry-byebug (3.10.1)
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
-    pry-doc (1.4.0)
+    pry-doc (1.5.0)
       pry (~> 0.11)
       yard (~> 0.9.11)
     pry-rails (0.3.9)
       pry (>= 0.10.4)
-    psych (5.1.1.1)
+    psych (5.1.2)
       stringio
     public_suffix (5.0.3)
     puma (6.4.2)
@@ -481,7 +482,7 @@ GEM
     rack-cors (2.0.1)
       rack (>= 2.0.0)
     rack-headers_filter (0.0.1)
-    rack-mini-profiler (3.1.1)
+    rack-mini-profiler (3.3.0)
       rack (>= 1.2.0)
     rack-proxy (0.7.7)
       rack
@@ -537,7 +538,7 @@ GEM
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
-    rdoc (6.6.0)
+    rdoc (6.6.2)
       psych (>= 4.0.0)
     redacted_struct (1.1.0)
     redcarpet (3.6.0)
@@ -546,7 +547,7 @@ GEM
     redis-client (0.14.1)
       connection_pool
     regexp_parser (2.8.2)
-    reline (0.4.0)
+    reline (0.4.1)
       io-console (~> 0.5)
     request_store (1.5.1)
       rack (>= 1.4)
@@ -658,7 +659,7 @@ GEM
       unf (~> 0.1.4)
     smart_properties (1.17.0)
     stringex (2.8.5)
-    stringio (3.0.9)
+    stringio (3.1.0)
     strong_migrations (1.6.4)
       activerecord (>= 5.2)
     subprocess (1.5.5)
@@ -744,7 +745,9 @@ DEPENDENCIES
   axe-core-rspec (~> 4.2)
   barby (~> 0.6.8)
   base32-crockford
+  base64
   better_errors (>= 2.5.1)
+  bigdecimal
   bootsnap (~> 1.0)
   brakeman
   browser
@@ -755,6 +758,7 @@ DEPENDENCIES
   concurrent-ruby
   connection_pool
   cssbundling-rails
+  csv
   derailed_benchmarks
   devise (~> 4.8)
   dotiw (>= 4.0.1)
@@ -788,7 +792,7 @@ DEPENDENCIES
   multiset
   net-sftp
   newrelic_rpm (~> 9.0)
-  nokogiri (~> 1.14.0)
+  nokogiri (~> 1.16.0)
   pg
   pg_query
   phonelib
@@ -852,7 +856,7 @@ DEPENDENCIES
   zxcvbn (= 0.1.9)
 
 RUBY VERSION
-   ruby 3.2.2p53
+   ruby 3.3.0p0
 
 BUNDLED WITH
    2.4.20

app/controllers/concerns/idv/document_capture_concern.rb

@@ -32,22 +32,15 @@ def failure(message, extra = nil)
     # @param [DocAuth::Response,
     #   DocumentCaptureSessionResult] response
     def extract_pii_from_doc(user, response, store_in_session: false)
-      pii_from_doc = response.pii_from_doc.merge(
-        uuid: user.uuid,
-        phone: user.phone_configurations.take&.phone,
-        uuid_prefix: ServiceProvider.find_by(issuer: sp_session[:issuer])&.app_id,
-      )
-
       if defined?(idv_session) # hybrid mobile does not have idv_session
         idv_session.had_barcode_read_failure = response.attention_with_barcode?
         if store_in_session
-          idv_session.pii_from_doc ||= {}
-          idv_session.pii_from_doc.merge!(pii_from_doc)
+          idv_session.pii_from_doc = response.pii_from_doc
           idv_session.selfie_check_performed = response.selfie_check_performed
         end
       end
 
-      track_document_issuing_state(user, pii_from_doc[:state])
+      track_document_issuing_state(user, response.pii_from_doc[:state])
     end
 
     def stored_result

app/controllers/concerns/idv/phone_otp_sendable.rb

@@ -2,10 +2,6 @@ module Idv
   module PhoneOtpSendable
     extend ActiveSupport::Concern
 
-    included do
-      before_action :handle_locked_out_user
-    end
-
     def send_phone_confirmation_otp
       send_phone_confirmation_otp_service.call
     end

app/controllers/concerns/idv/verify_info_concern.rb

@@ -23,11 +23,14 @@ def shared_update
       idv_session.verify_info_step_document_capture_session_uuid = document_capture_session.uuid
 
       # proof_resolution job expects these values
-      pii[:uuid_prefix] = ServiceProvider.find_by(issuer: sp_session[:issuer])&.app_id
-      pii[:ssn] = idv_session.ssn
-      Idv::Agent.new(pii).proof_resolution(
+      agent_pii = pii.merge(
+        uuid: current_user.uuid,
+        uuid_prefix: ServiceProvider.find_by(issuer: sp_session[:issuer])&.app_id,
+        ssn: idv_session.ssn,
+      )
+      Idv::Agent.new(agent_pii).proof_resolution(
         document_capture_session,
-        should_proof_state_id: aamva_state?(pii),
+        should_proof_state_id: aamva_state?,
         trace_id: amzn_trace_id,
         user_id: current_user.id,
         threatmetrix_session_id: idv_session.threatmetrix_session_id,
@@ -44,10 +47,8 @@ def ipp_enrollment_in_progress?
       current_user.has_in_person_enrollment?
     end
 
-    def aamva_state?(pii)
-      IdentityConfig.store.aamva_supported_jurisdictions.include?(
-        pii['state_id_jurisdiction'],
-      )
+    def aamva_state?
+      IdentityConfig.store.aamva_supported_jurisdictions.include?(pii['state_id_jurisdiction'])
     end
 
     def resolution_rate_limiter

app/forms/idv/api_image_upload_form.rb

@@ -454,11 +454,18 @@ def store_failed_images(client_response, doc_pii_response)
           failed_back_fingerprint = nil unless errors_hash[:back]&.present?
         end
         document_capture_session.
-          store_failed_auth_image_fingerprint(failed_front_fingerprint, failed_back_fingerprint)
+          store_failed_auth_data(
+            front_image_fingerprint: failed_front_fingerprint,
+            back_image_fingerprint: failed_back_fingerprint,
+            doc_auth_success: client_response.doc_auth_success?,
+            selfie_success: client_response.selfie_success,
+          )
       elsif doc_pii_response && !doc_pii_response.success?
-        document_capture_session.store_failed_auth_image_fingerprint(
-          extra_attributes[:front_image_fingerprint],
-          extra_attributes[:back_image_fingerprint],
+        document_capture_session.store_failed_auth_data(
+          front_image_fingerprint: extra_attributes[:front_image_fingerprint],
+          back_image_fingerprint: extra_attributes[:back_image_fingerprint],
+          doc_auth_success: client_response.doc_auth_success?,
+          selfie_success: client_response.selfie_success,
         )
       end
       # retrieve updated data from session

app/javascript/packages/document-capture/components/acuant-capture.scss

@@ -37,4 +37,12 @@
   .document-capture-file-image--loading {
     @extend %pad-common-id-card;
   }
+  // Styles for the text that appears over the selfie capture screen to help users position their face for a good photo
+  .document-capture-selfie-feedback {
+    left: 50%;
+    top: 10%;
+    position: fixed;
+    transform: translateX(-50%);
+    z-index: 11;
+  }
 }

app/javascript/packages/document-capture/components/acuant-capture.tsx

@@ -337,6 +337,7 @@ function AcuantCapture(
   const [attempt, incrementAttempt] = useCounter(1);
   const [acuantFailureCookie, setAcuantFailureCookie, refreshAcuantFailureCookie] =
     useCookie('AcuantCameraHasFailed');
+  const [imageCaptureText, setImageCaptureText] = useState('');
   // There's some pretty significant changes to this component when it's used for
   // selfie capture vs document image capture. This controls those changes.
   const selfieCapture = name === 'selfie';
@@ -653,6 +654,10 @@ function AcuantCapture(
     });
   }
 
+  function onImageCaptureFeedback(text: string) {
+    setImageCaptureText(text);
+  }
+
   return (
     <div className={[className, 'document-capture-acuant-capture'].filter(Boolean).join(' ')}>
       {isCapturingEnvironment && !selfieCapture && (
@@ -678,11 +683,13 @@ function AcuantCapture(
           onImageCaptureFailure={onSelfieCaptureFailure}
           onImageCaptureOpen={onSelfieCaptureOpen}
           onImageCaptureClose={onSelfieCaptureClosed}
+          onImageCaptureFeedback={onImageCaptureFeedback}
         >
           <AcuantSelfieCaptureCanvas
             fullScreenRef={fullScreenRef}
             fullScreenLabel={t('doc_auth.accessible_labels.document_capture_dialog')}
             onRequestClose={() => setIsCapturingEnvironment(false)}
+            imageCaptureText={imageCaptureText}
           />
         </AcuantSelfieCamera>
       )}