The OWASP ZAP scan GitHub Actions have been updated recently and we need to make sure our GitHub Actions account for the recent changes. This changeset makes sure we are using the latest version of the OWASP ZAP API scan and the correct Docker image. Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
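# GitHub Actions workflow: lint, test, dependency audit, static (bandit) and
# dynamic (OWASP ZAP baseline) scans, plus an accessibility scan.
#
# Reviewer notes (no behaviour change intended beyond the quoting below):
# - Third-party actions are referenced by mutable major tags (@v1, @v2, @v3,
#   @v1.0.6, @v0.9.0). For supply-chain integrity GitHub recommends pinning
#   to a full commit SHA (with the tag in a trailing comment); not done here
#   because the SHAs are not on this page.
# - Env values that YAML 1.1 parsers read as booleans/ints (`off`, `0`) and
#   version-looking numbers are quoted so the consumer always sees a string.
name: Run checks

# yamllint may flag `on` as truthy; GitHub's loader treats it as the trigger key.
on: [push]

# Default token scope for every job: read-only. Jobs that need more escalate
# explicitly below (only `build` does).
permissions:
  contents: read

env:
  NOTIFY_ENVIRONMENT: test
  NEW_RELIC_CONFIG_FILE: newrelic.ini
  NEW_RELIC_ENVIRONMENT: test
  FLASK_APP: application.py
  # Quoted: bare `off` is boolean false under YAML 1.1; Werkzeug expects the
  # literal string "off" to disable the debugger PIN.
  WERKZEUG_DEBUG_PIN: "off"
  # Quoted so it stays the string "0" rather than the integer 0.
  REDIS_ENABLED: "0"
  # Quoted version string (never let a version be parsed as a number).
  NODE_VERSION: "16.15.1"

jobs:
  build:
    # Escalated scopes for the coverage-report action (check runs + PR comment).
    # NOTE(review): `contents: write` looks broader than a check/PR comment
    # needs — confirm the actions below actually push to the repo; otherwise
    # drop it and fall back to the workflow-level `contents: read`.
    permissions:
      checks: write
      pull-requests: write
      contents: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - uses: jwalton/gh-find-current-pr@v1
        id: findPr
      - uses: ArtiomTr/jest-coverage-report-action@v2
        with:
          test-script: npm test
          output: report-markdown
          annotations: failed-tests
          prnumber: ${{ steps.findPr.outputs.number }}
      - name: Run style checks
        run: poetry run flake8 .
      - name: Check imports alphabetized
        run: poetry run isort --check-only ./app ./tests
      - name: Check dead code
        run: make dead-code
      - name: Run js lint
        run: npm run lint
      - name: Run js tests
        run: npm test
      - name: Run py tests with coverage
        # End-to-end tests are excluded here; they are driven separately (see
        # the disabled E2E step below).
        run: poetry run coverage run --omit=*/notifications_utils/* -m pytest --maxfail=10 --ignore=tests/end_to_end tests/
      # Disabled E2E step kept for reference.
      # - name: Run E2E tests
      #   run: poetry run pytest -v --browser chromium --browser firefox --browser webkit tests/end_to_end
      #   env:
      #     NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }}
      #     NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
      #     NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
      #     NOTIFY_E2E_TEST_URI: ${{ secrets.NOTIFY_E2E_TEST_URI }}
      - name: Check coverage threshold
        run: poetry run coverage report --fail-under=90
      # Disabled health check kept for reference.
      # NOTE(review): if re-enabled, read the URI from the `env` mapping
      # (`$NOTIFY_E2E_TEST_URI`) instead of interpolating `${{ secrets.* }}`
      # directly into the shell line — expression substitution happens before
      # the shell runs, so a secret containing shell metacharacters would
      # change the command rather than be passed as data.
      # - name: Health check
      #   run: |
      #     response=$(curl -url ${{secrets.NOTIFY_E2E_TEST_URI}}_status)
      #     if grep -q "ok" <<< "$response"; then
      #       echo "Health check passed"
      #     else
      #       echo "Health check failed"
      #       exit 1
      #     fi
      #   env:
      #     NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }}
      #     NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
      #     NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
      #     NOTIFY_E2E_TEST_URI: ${{ secrets.NOTIFY_E2E_TEST_URI }}

  validate-new-relic-config:
    runs-on: ubuntu-latest
    # NOTE(review): this job runs on every push and binds the `staging`
    # environment to read NEW_RELIC_LICENSE_KEY — confirm the environment's
    # protection rules (branch restrictions / reviewers) match that intent.
    environment: staging
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Validate NewRelic config
        env:
          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
          # Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true
          NEW_RELIC_ENVIRONMENT: staging
        run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE

  dependency-audits:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Create requirements.txt
        # `--without-hashes` is fine for a vulnerability audit, but the
        # exported file must not be reused for installs where hash pinning
        # is expected.
        run: poetry export --without-hashes --format=requirements.txt > requirements.txt
      - uses: pypa/gh-action-pip-audit@v1.0.6
        with:
          inputs: requirements.txt
      - name: Run npm audit
        run: make npm-audit

  static-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run scan
        # Medium confidence and above; lower-confidence findings are not reported.
        run: poetry run bandit -r app/ --confidence-level medium

  dynamic-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run server
        # The app is backgrounded with no readiness wait; the ZAP step below
        # relies on it being up by the time the scan starts.
        # NOTE(review): consider polling the target URL before scanning to
        # avoid a false pass/fail on a slow start — TODO confirm whether
        # `make run-flask` already blocks until ready.
        run: make run-flask &
        env:
          NOTIFY_ENVIRONMENT: scanning
      - name: Run OWASP Baseline Scan
        uses: zaproxy/action-baseline@v0.9.0
        with:
          # `weekly` is a floating tag: the scanner's rule set changes between
          # runs, which is intended here for fresh coverage but makes results
          # non-reproducible.
          docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
          target: 'http://localhost:6012'
          # Fail the workflow on findings, but do not open GitHub issues.
          fail_action: true
          allow_issue_writing: false
          rules_file_name: 'zap.conf'
          # `-I`: do not return a failure exit code on WARN-level results.
          cmd_options: '-I'

  a11y-scan:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run server
        # Same backgrounded start as dynamic-scan, with the same readiness caveat.
        run: make run-flask &
        env:
          NOTIFY_ENVIRONMENT: scanning
      - name: Run pa11y-ci
        run: make a11y-scan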