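---
name: Run checks

on: [push]  # yamllint disable-line rule:truthy

# Least privilege for the default GITHUB_TOKEN: nothing in this workflow
# writes back to the repository (the ZAP step also sets
# allow_issue_writing: false), so read-only contents is sufficient.
permissions:
  contents: read

env:
  NOTIFY_ENVIRONMENT: test
  NEW_RELIC_CONFIG_FILE: newrelic.ini
  NEW_RELIC_ENVIRONMENT: test
  FLASK_APP: application.py
  # Werkzeug disables the debugger PIN only when this variable is the literal
  # string "off". Left unquoted, YAML 1.1 reads `off` as boolean false and the
  # runner exports it as the string "false", which is a different value.
  # Disabling the PIN is acceptable only here, on a throwaway CI runner —
  # never in a deployed environment, where the PIN gates a remote console.
  WERKZEUG_DEBUG_PIN: "off"
  # Quoted so these stay strings instead of being retyped as int/float.
  REDIS_ENABLED: "0"
  NODE_VERSION: "16.15.1"

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions below are pinned to mutable tags
      # (`@v3`, `@v1.0.4`, `@v0.7.0`). For supply-chain hardening, pin each
      # external `uses:` to its full commit SHA and keep the tag in a trailing
      # comment, so a moved or compromised tag cannot change what executes.
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run style checks
        run: pipenv run flake8 .
      - name: Check imports alphabetized
        run: pipenv run isort --check-only ./app ./tests
      - name: Run js lint
        run: npm run lint
      - name: Run js tests
        run: npm test
      - name: Run py tests
        run: pipenv run pytest -n4 --maxfail=10

  validate-new-relic-config:
    runs-on: ubuntu-latest
    # The license key is scoped to the `staging` environment; any protection
    # rules configured on that environment gate this job.
    environment: staging
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Validate NewRelic config
        # Secret is set at step level, not job level, so only this command
        # sees it.
        env:
          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
          # Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true
          NEW_RELIC_ENVIRONMENT: staging
        run: pipenv run newrelic-admin validate-config "$NEW_RELIC_CONFIG_FILE"

  dependency-audits:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Create requirements.txt
        run: pipenv requirements > requirements.txt
      - uses: pypa/gh-action-pip-audit@v1.0.4
        with:
          inputs: requirements.txt
          # TODO(review): record why this advisory is accepted (not reachable,
          # fix not yet released, ...) and when the suppression is to be
          # revisited. An unexplained ignore keeps hiding the finding after
          # the affected package or its version changes.
          ignore-vulns: GHSA-8fww-64cx-x8p5
      - name: Run npm audit
        run: make npm-audit

  static-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run scan
        # Medium confidence and above; app/ only, tests are excluded.
        run: pipenv run bandit -r app/ --confidence-level medium

  dynamic-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run server
        # Backgrounded so the step returns; the process keeps running for
        # the following steps and is torn down with the job.
        run: make run-flask &
        env:
          NOTIFY_ENVIRONMENT: scanning
      - name: Wait for server
        # Without this the scanner can race the server start and report a
        # connection error instead of a scan result. A successful connect is
        # enough — the HTTP status is irrelevant here, hence no `-f`.
        run: |
          for _ in $(seq 1 30); do
            curl -s -o /dev/null http://localhost:6012 && exit 0
            sleep 2
          done
          echo "server did not come up on :6012" >&2
          exit 1
      - name: Run OWASP Baseline Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          # Floating image tag; pin to an image digest (@sha256:...) for a
          # reproducible scanner.
          docker_name: "owasp/zap2docker-stable"
          target: "http://localhost:6012"
          fail_action: true
          allow_issue_writing: false
          rules_file_name: "zap.conf"
          # -I: per the ZAP baseline docs, WARN-level findings do not fail the
          # scan; only rules marked FAIL in zap.conf make fail_action trip.
          cmd_options: "-I"

  a11y-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run server
        run: make run-flask &
        env:
          NOTIFY_ENVIRONMENT: scanning
      - name: Wait for server
        # Same readiness guard as dynamic-scan: pa11y should not race the
        # backgrounded Flask process.
        run: |
          for _ in $(seq 1 30); do
            curl -s -o /dev/null http://localhost:6012 && exit 0
            sleep 2
          done
          echo "server did not come up on :6012" >&2
          exit 1
      - name: Run pa11y-ci
        run: make a11y-scan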