Add python and npm audits to checks.yml

2026-02-06 03:13:42 -05:00 · 2022-08-25 20:36:13 +00:00
parent c982254ef0
commit fa7b1a41b8
5 changed files with 83 additions and 13 deletions
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -29,20 +29,9 @@ env:
 jobs:
  build:
    runs-on: ubuntu-latest
-
    steps:
-    - name: Install container dependencies
-      run: |
-        sudo apt-get update \
-        && sudo apt-get install -y --no-install-recommends \
-        libcurl4-openssl-dev
    - uses: actions/checkout@v3
-    - name: Set up Python 3.9
-      uses: actions/setup-python@v3
-      with:
-        python-version: "3.9"
-    - name: Install application dependencies
-      run: make bootstrap
+    - uses: ./.github/actions/setup-project
    - name: Run style checks
      run: flake8 .
    - name: Check imports alphabetized
@@ -51,3 +40,15 @@ jobs:
      run: npm test
    - name: Run py tests
      run: pytest -n4 --maxfail=10
+
+  dependency-audits:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ./.github/actions/setup-project
+    - uses: trailofbits/gh-action-pip-audit@v1.0.0
+      with:
+        inputs: requirements.txt requirements_for_test.txt
+        ignore-vulns: PYSEC-2022-237
+    - name: Run npm audit
+      run: make npm-audit
--- a/.github/workflows/daily_checks.yml
+++ b/.github/workflows/daily_checks.yml
@@ -0,0 +1,44 @@
+name: Run daily scans
+
+on:
+  schedule:
+    # cron format: 'minute hour dayofmonth month dayofweek'
+    # this will run at noon UTC every day (7am EST / 8am EDT)
+    - cron: '0 12 * * *'
+
+permissions:
+  contents: read
+
+env:
+  NOTIFY_ENVIRONMENT: test
+  FLASK_APP: application.py
+  FLASK_ENV: development
+  WERKZEUG_DEBUG_PIN: off
+  REDIS_URL: redis://adminredis:6379/0
+  DEV_REDIS_URL: redis://adminredis:6379/0
+  REDIS_ENABLED: False
+  ANTIVIRUS_ENABLED: 0
+  NODE_VERSION: 16.15.1
+  ADMIN_CLIENT_ID: notify-admin
+  ADMIN_CLIENT_USERNAME: notify-admin
+  ADMIN_CLIENT_SECRET: dev-notify-secret-key
+  GOVUK_ALERTS_CLIENT_ID: govuk-alerts
+  ADMIN_BASE_URL: http://localhost:6012
+  API_HOST_NAME: http://localhost:6011
+  DEV_API_HOST_NAME: http://localhost:6011
+  AWS_REGION: us-west-2
+  BASIC_AUTH_USERNAME: curiousabout
+  BASIC_AUTH_PASSWORD: the10xnotifybeta
+
+jobs:
+  dependency-audits:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ./.github/actions/setup-project
+    - uses: trailofbits/gh-action-pip-audit@v1.0.0
+      with:
+        inputs: requirements.txt requirements_for_test.txt
+        ignore-vulns: PYSEC-2022-237
+    - name: Run npm audit
+      run: make npm-audit