name: Run checks

on: [push]

permissions:
  contents: read

env:
  NOTIFY_ENVIRONMENT: test
  FLASK_APP: application.py
  FLASK_ENV: development
  WERKZEUG_DEBUG_PIN: off
  REDIS_URL: redis://adminredis:6379/0
  DEV_REDIS_URL: redis://adminredis:6379/0
  REDIS_ENABLED: False
  ANTIVIRUS_ENABLED: 0
  NODE_VERSION: 16.15.1
  ADMIN_CLIENT_ID: notify-admin
  ADMIN_CLIENT_USERNAME: notify-admin
  ADMIN_CLIENT_SECRET: dev-notify-secret-key
  GOVUK_ALERTS_CLIENT_ID: govuk-alerts
  ADMIN_BASE_URL: http://localhost:6012
  API_HOST_NAME: http://localhost:6011
  DEV_API_HOST_NAME: http://localhost:6011
  AWS_REGION: us-west-2
  BASIC_AUTH_USERNAME: curiousabout
  BASIC_AUTH_PASSWORD: the10xnotifybeta

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: ./.github/actions/setup-project
    - name: Run style checks
      run: flake8 .
    - name: Check imports alphabetized
      run: isort --check-only ./app ./tests
    - name: Run js tests
      run: npm test
    - name: Run py tests
      run: pytest -n4 --maxfail=10

  dependency-audits:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: ./.github/actions/setup-project
    - uses: trailofbits/gh-action-pip-audit@v1.0.0
      with:
        inputs: requirements.txt requirements_for_test.txt
        ignore-vulns: PYSEC-2022-237
    - name: Run npm audit
      run: make npm-audit

  static-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install bandit
        run: pip install bandit
      - name: Run scan
        run: bandit -r app/ --confidence-level medium

  dynamic-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run server
        run: make run-flask &
        env:
          NOTIFY_ENVIRONMENT: scanning
      - name: Run OWASP Baseline Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          docker_name: 'owasp/zap2docker-weekly'
          target: 'http://localhost:6012'
          fail_action: true
          allow_issue_writing: false
          rules_file_name: 'zap.conf'
          cmd_options: '-I'

  a11y-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run server
        run: make run-flask &
        env:
          NOTIFY_ENVIRONMENT: scanning
      - name: Install pa11y-ci
        run: npm install -g pa11y-ci
      - name: Run pa11y-ci
        run: pa11y-ci