name: Run checks on: [push] permissions: contents: read env: NOTIFY_ENVIRONMENT: test FLASK_APP: application.py WERKZEUG_DEBUG_PIN: off REDIS_ENABLED: 0 NODE_VERSION: 22.3.0 AWS_US_TOLL_FREE_NUMBER: "+18556438890" ADMIN_BASE_URL: http://localhost:6012 jobs: build: permissions: checks: write pull-requests: write contents: write runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up Node.js uses: actions/setup-node@v4 with: node-version: "22.3.0" - name: Install dependencies run: npm install - uses: ./.github/actions/setup-project - uses: jwalton/gh-find-current-pr@v1 id: findPr - uses: ArtiomTr/jest-coverage-report-action@v2 with: test-script: npm test output: report-markdown annotations: failed-tests prnumber: ${{ steps.findPr.outputs.number }} - name: Check imports alphabetized run: poetry run isort --check-only ./app ./tests - name: Run style checks run: poetry run flake8 . - name: Check dead code run: make dead-code - name: Run js tests run: npm test - name: Run py tests with coverage run: poetry run coverage run --omit=*/notifications_utils/* -m pytest --maxfail=10 --ignore=tests/end_to_end tests/ - name: Check coverage threshold run: poetry run coverage report --fail-under=90 # TODO FIX THIS! # end-to-end-tests: # if: ${{ github.actor != 'dependabot[bot]' }} # permissions: # checks: write # pull-requests: write # contents: write # runs-on: ubuntu-latest # environment: staging # services: # postgres: # image: postgres # env: # POSTGRES_USER: user # POSTGRES_PASSWORD: password # POSTGRES_DB: test_notification_api # options: >- # --health-cmd pg_isready # --health-interval 10s # --health-timeout 5s # --health-retries 5 # ports: # # Maps tcp port 5432 on service container to the host # - 5432:5432 # redis: # image: redis # options: >- # --health-cmd "redis-cli ping" # --health-interval 10s # --health-timeout 5s # --health-retries 5 # ports: # # Maps tcp port 6379 on service container to the host # - 6379:6379 # steps: # - uses: actions/checkout@v4 # - uses: ./.github/actions/setup-project # - uses: jwalton/gh-find-current-pr@v1 # id: findPr # - name: Check API Server availability # run: | # curl --fail -v https://notify-api-staging.app.cloud.gov || exit 1 # - name: Run Admin server # # If we want to log stuff and see what's broken, # # insert this line: # # tail -f admin-server.log & # # above make e2e-test # run: | # make run-flask > admin-server.log 2>&1 & # tail -f admin-server.log & # make e2e-test # env: # API_HOST_NAME: https://notify-api-staging.app.cloud.gov/ # SECRET_KEY: ${{ secrets.SECRET_KEY }} # DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} # ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} # ADMIN_CLIENT_USERNAME: notify-admin # NOTIFY_ENVIRONMENT: e2etest # NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }} # NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} # NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} # NOTIFY_E2E_TEST_URI: http://localhost:6012/ # VCAP_SERVICES: ${{ secrets.VCAP_SERVICES }} validate-new-relic-config: runs-on: ubuntu-latest environment: staging steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-project - name: Validate NewRelic config env: NEW_RELIC_CONFIG_FILE: newrelic.ini NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} # Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true NEW_RELIC_ENVIRONMENT: staging run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE dependency-audits: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-project - name: Create requirements.txt run: poetry export --without-hashes --format=requirements.txt > requirements.txt - uses: pypa/gh-action-pip-audit@v1.1.0 with: inputs: requirements.txt ignore-vulns: | PYSEC-2024-60 PYSEC-2022-43162 - name: Run npm audit run: make npm-audit static-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-project - name: Run scan run: poetry run bandit -r app/ --confidence-level medium dynamic-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-project - name: Run server run: make run-flask & env: NOTIFY_ENVIRONMENT: scanning - name: Run OWASP Baseline Scan uses: zaproxy/action-baseline@v0.14.0 with: docker_name: "ghcr.io/zaproxy/zaproxy:weekly" target: "http://localhost:6012" fail_action: true allow_issue_writing: false rules_file_name: "zap.conf" cmd_options: "-I" a11y-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-project - name: Run server run: make run-flask & env: NOTIFY_ENVIRONMENT: scanning - name: Run pa11y-ci run: make a11y-scan