diff --git a/.github/actions/setup-project/action.yml b/.github/actions/setup-project/action.yml
new file mode 100644
index 000000000..bb5d8c1fa
--- /dev/null
+++ b/.github/actions/setup-project/action.yml
@@ -0,0 +1,17 @@
+name: Set up project
+description: Setup python & install dependencies
+runs:
+ using: composite
+ steps:
+ - name: Install container dependencies
+ shell: bash
+ run: |
+ sudo apt-get update \
+ && sudo apt-get install -y --no-install-recommends \
+ libcurl4-openssl-dev
+ - name: Set up Python 3.9
+ uses: actions/setup-python@v3
+ with:
+ python-version: "3.9"
+ - name: Install application dependencies
+ run: make bootstrap
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 0dd734caa..3c75f23c2 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -29,20 +29,9 @@ env:
 jobs:
 build:
 runs-on: ubuntu-latest
- steps:
- - name: Install container dependencies
- run: |
- sudo apt-get update \
- && sudo apt-get install -y --no-install-recommends \
- libcurl4-openssl-dev
 - uses: actions/checkout@v3
- - name: Set up Python 3.9
- uses: actions/setup-python@v3
- with:
- python-version: "3.9"
- - name: Install application dependencies
- run: make bootstrap
+ - uses: ./.github/actions/setup-project
 - name: Run style checks
 run: flake8 .
 - name: Check imports alphabetized
@@ -51,3 +40,15 @@ jobs:
 run: npm test
 - name: Run py tests
 run: pytest -n4 --maxfail=10
+
+ dependency-audits:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: ./.github/actions/setup-project
+ - uses: trailofbits/gh-action-pip-audit@v1.0.0
+ with:
+ inputs: requirements.txt requirements_for_test.txt
+ ignore-vulns: PYSEC-2022-237
+ - name: Run npm audit
+ run: make npm-audit
diff --git a/.github/workflows/daily_checks.yml b/.github/workflows/daily_checks.yml
new file mode 100644
index 000000000..79e8e4caf
--- /dev/null
+++ b/.github/workflows/daily_checks.yml
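Review bot: The `Install application dependencies` step (`run: make bootstrap`) has no `shell:` key, and a composite action requires `shell` on every `run` step — only the first step declares `shell: bash` — so GitHub will reject the action when it is loaded. Add `shell: bash` beneath that `run:` line, matching the first step. The action also relies on the repository already being checked out (`make bootstrap` needs the project Makefile) but does not check it out itself; saying so in the description avoids a confusing failure for the next caller, e.g. `description: Set up Python 3.9 and install project dependencies (run actions/checkout first)`. `actions/setup-python@v3` is pinned to a movable major tag; pinning to a commit SHA with the tag in a trailing comment is the usual hardening for CI supply chain.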
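Review bot: As rendered here, `steps:` appears only on the removed side (`- steps:`) with nothing added in its place, which would leave `- uses: actions/checkout@v3` and the new `- uses: ./.github/actions/setup-project` sitting directly under `runs-on:` and make the workflow fail to parse. The collapsed diff has lost indentation and the old/new line counts admit a blank context line elsewhere, so this may be a rendering artefact; confirm that `steps:` survives as a context line on the new side before merging. The enclosing `build` job continues past this hunk.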
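Review bot: `ignore-vulns: PYSEC-2022-237` suppresses a finding without recording which package it concerns, why it is acceptable, or when to revisit it, and the same bare id is repeated in daily_checks.yml and in the Makefile `pip-audit` target, so three places must now change in lockstep. Put the justification at this first occurrence, e.g. `# PYSEC-2022-237: <affected package / reason> — re-check when <condition>` above the `ignore-vulns:` line, and consider keeping the list in one place (the Makefile target) that both workflows call. `trailofbits/gh-action-pip-audit@v1.0.0` and `actions/checkout@v3` are pinned to tags, which the upstream owner can move; pinning to the commit SHA with the tag in a comment is the standard mitigation for an action that runs with the repository checked out. The job body is otherwise a verbatim copy of the one in daily_checks.yml, which is another argument for centralising it.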
@@ -0,0 +1,44 @@
+name: Run daily scans
+
+on:
+ schedule:
+ # cron format: 'minute hour dayofmonth month dayofweek'
+ # this will run at noon UTC every day (7am EST / 8am EDT)
+ - cron: '0 12 * * *'
+
+permissions:
+ contents: read
+
+env:
+ NOTIFY_ENVIRONMENT: test
+ FLASK_APP: application.py
+ FLASK_ENV: development
+ WERKZEUG_DEBUG_PIN: off
+ REDIS_URL: redis://adminredis:6379/0
+ DEV_REDIS_URL: redis://adminredis:6379/0
+ REDIS_ENABLED: False
+ ANTIVIRUS_ENABLED: 0
+ NODE_VERSION: 16.15.1
+ ADMIN_CLIENT_ID: notify-admin
+ ADMIN_CLIENT_USERNAME: notify-admin
+ ADMIN_CLIENT_SECRET: dev-notify-secret-key
+ GOVUK_ALERTS_CLIENT_ID: govuk-alerts
+ ADMIN_BASE_URL: http://localhost:6012
+ API_HOST_NAME: http://localhost:6011
+ DEV_API_HOST_NAME: http://localhost:6011
+ AWS_REGION: us-west-2
+ BASIC_AUTH_USERNAME: curiousabout
+ BASIC_AUTH_PASSWORD: the10xnotifybeta
+
+jobs:
+ dependency-audits:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: ./.github/actions/setup-project
+ - uses: trailofbits/gh-action-pip-audit@v1.0.0
+ with:
+ inputs: requirements.txt requirements_for_test.txt
+ ignore-vulns: PYSEC-2022-237
+ - name: Run npm audit
+ run: make npm-audit
diff --git a/Makefile b/Makefile
index 510df60f3..49070541c 100644
--- a/Makefile
+++ b/Makefile
@@ -73,6 +73,14 @@ freeze-requirements: ## create static requirements.txt
 ${VIRTUALENV_ROOT}/bin/pip install --upgrade pip-tools
 ${VIRTUALENV_ROOT}/bin/pip-compile requirements.in
+.PHONY: pip-audit
+pip-audit:
+ pip install --upgrade pip-audit
+ pip-audit -r requirements.txt -r requirements_for_test.txt -l --ignore-vuln PYSEC-2022-237
+
+.PHONY: audit
+audit: npm-audit pip-audit
+
 .PHONY: clean
 clean:
 rm -rf node_modules cache target ${CF_MANIFEST_PATH}
diff --git a/package.json b/package.json
index 6d0a5af68..41675bd79 100644
--- a/package.json
+++ b/package.json
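Review bot: The `env:` block carries credential-shaped values (`ADMIN_CLIENT_SECRET: dev-notify-secret-key`, `BASIC_AUTH_PASSWORD: the10xnotifybeta`) into a job that only runs pip-audit and npm audit and does not appear to need them; they read as local-development placeholders, but a committed workflow is the wrong home for anything that is or ever was a real credential. Trim the block to what `setup-project` and `make bootstrap` actually read (presumably `NODE_VERSION` and little else — confirm against the Makefile) and source anything sensitive from `${{ secrets.* }}`. `WERKZEUG_DEBUG_PIN: off` and `REDIS_ENABLED: False` are boolean-looking plain scalars; quote them (`WERKZEUG_DEBUG_PIN: "off"`, `REDIS_ENABLED: "False"`) so no YAML loader retypes them before the application sees the string. A `workflow_dispatch:` trigger beside `schedule:` would let the scan be run on demand when a new advisory is published rather than waiting for noon UTC.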
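Review bot: The new `pip-audit` target calls bare `pip` and `pip-audit`, whereas the neighbouring `freeze-requirements` recipe goes through `${VIRTUALENV_ROOT}/bin/pip`, so `make pip-audit` installs the tool into, and audits, whichever interpreter is first on PATH rather than the project virtualenv — unless `make bootstrap` in CI deliberately targets the system interpreter, which the hunk does not show. Use `${VIRTUALENV_ROOT}/bin/pip install --upgrade pip-audit` and `${VIRTUALENV_ROOT}/bin/pip-audit -r requirements.txt -r requirements_for_test.txt -l --ignore-vuln PYSEC-2022-237` to match the sibling target, and consider pinning pip-audit in requirements_for_test.txt instead of an unpinned `--upgrade` that lets the audit tool change under CI silently. A `## …` help comment on `pip-audit:` and `audit:` would follow the `freeze-requirements: ## create static requirements.txt` convention, and the ignored advisory deserves a `#` comment stating the affected package and why it is excluded.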
@@ -10,7 +10,7 @@
 "test-watch": "jest --watch --config tests/javascripts/jest.config.js tests/javascripts",
 "build": "gulp",
 "watch": "gulp watch",
- "audit": "better-npm-audit audit --production --level high"
+ "audit": "better-npm-audit audit --production --level low"
 },
 "repository": {
 "type": "git",
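Review bot: Dropping the threshold from `high` to `low` makes every advisory, including ones with no fix available, fail `make npm-audit` in both checks.yml and the daily scan, and package.json cannot carry a comment explaining the choice or how exceptions are recorded. Document the threshold and the exception path (better-npm-audit reads its exclusions from a `.nsprc` file) in the Makefile `npm-audit` target or the README so a red build has a known remedy instead of an ad-hoc threshold bump back up. The enclosing `scripts` object starts before this hunk.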