mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-07-11 03:43:51 -04:00
This changeset updates the PYSEC notices to ignore to due versions that either cannot be fixed or are false positives. Specifically, this changeset removes previously ignored vulnerability reports and adds PYSEC-2023-312 to the list because it is a false positive and refers to Redis itself, not the Python Redis client (see https://github.com/pypa/advisory-database/issues/237 for details). Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
190 lines
5.7 KiB
YAML
190 lines
5.7 KiB
YAML
name: Run checks
|
|
|
|
on: [push]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
NOTIFY_ENVIRONMENT: test
|
|
FLASK_APP: application.py
|
|
WERKZEUG_DEBUG_PIN: off
|
|
REDIS_ENABLED: 0
|
|
NODE_VERSION: 22.3.0
|
|
AWS_US_TOLL_FREE_NUMBER: "+18556438890"
|
|
ADMIN_BASE_URL: http://localhost:6012
|
|
|
|
jobs:
|
|
build:
|
|
permissions:
|
|
checks: write
|
|
pull-requests: write
|
|
contents: write
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Set up Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: "22.3.0"
|
|
- name: Install dependencies
|
|
run: npm install
|
|
- uses: ./.github/actions/setup-project
|
|
- uses: jwalton/gh-find-current-pr@v1
|
|
id: findPr
|
|
- uses: ArtiomTr/jest-coverage-report-action@v2
|
|
with:
|
|
test-script: npm test
|
|
output: report-markdown
|
|
annotations: failed-tests
|
|
prnumber: ${{ steps.findPr.outputs.number }}
|
|
- name: Check imports alphabetized
|
|
run: poetry run isort --check-only ./app ./tests
|
|
- name: Run style checks
|
|
run: poetry run flake8 .
|
|
- name: Check dead code
|
|
run: make dead-code
|
|
- name: Run js tests
|
|
run: npm test
|
|
- name: Run py tests with coverage
|
|
run: poetry run coverage run --omit=*/notifications_utils/* -m pytest --maxfail=10 --ignore=tests/end_to_end tests/
|
|
- name: Check coverage threshold
|
|
run: poetry run coverage report --fail-under=90
|
|
|
|
end-to-end-tests:
|
|
if: ${{ github.actor != 'dependabot[bot]' }}
|
|
|
|
permissions:
|
|
checks: write
|
|
pull-requests: write
|
|
contents: write
|
|
runs-on: ubuntu-latest
|
|
environment: staging
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: user
|
|
POSTGRES_PASSWORD: password
|
|
POSTGRES_DB: test_notification_api
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
# Maps tcp port 5432 on service container to the host
|
|
- 5432:5432
|
|
redis:
|
|
image: redis
|
|
options: >-
|
|
--health-cmd "redis-cli ping"
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
# Maps tcp port 6379 on service container to the host
|
|
- 6379:6379
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- uses: jwalton/gh-find-current-pr@v1
|
|
id: findPr
|
|
- name: Check API Server availability
|
|
run: |
|
|
curl --fail -v https://notify-api-staging.app.cloud.gov || exit 1
|
|
- name: Run Admin server
|
|
# If we want to log stuff and see what's broken,
|
|
# insert this line:
|
|
# tail -f admin-server.log &
|
|
# above make e2e-test
|
|
|
|
|
|
run: |
|
|
make run-flask > admin-server.log 2>&1 &
|
|
tail -f admin-server.log &
|
|
make e2e-test
|
|
|
|
env:
|
|
API_HOST_NAME: https://notify-api-staging.app.cloud.gov/
|
|
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
|
DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
|
|
ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
|
|
ADMIN_CLIENT_USERNAME: notify-admin
|
|
NOTIFY_ENVIRONMENT: e2etest
|
|
NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }}
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
NOTIFY_E2E_TEST_URI: http://localhost:6012/
|
|
VCAP_SERVICES: ${{ secrets.VCAP_SERVICES }}
|
|
|
|
validate-new-relic-config:
|
|
runs-on: ubuntu-latest
|
|
environment: staging
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Validate NewRelic config
|
|
env:
|
|
NEW_RELIC_CONFIG_FILE: newrelic.ini
|
|
NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
|
|
# Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true
|
|
NEW_RELIC_ENVIRONMENT: staging
|
|
run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE
|
|
|
|
dependency-audits:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Create requirements.txt
|
|
run: poetry export --without-hashes --format=requirements.txt > requirements.txt
|
|
- uses: pypa/gh-action-pip-audit@v1.1.0
|
|
with:
|
|
inputs: requirements.txt
|
|
ignore-vulns: |
|
|
PYSEC-2023-312
|
|
- name: Run npm audit
|
|
run: make npm-audit
|
|
|
|
static-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run scan
|
|
run: poetry run bandit -r app/ --confidence-level medium
|
|
|
|
dynamic-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
NOTIFY_ENVIRONMENT: scanning
|
|
FEATURE_SOCKET_ENABLED: true
|
|
- name: Run OWASP Baseline Scan
|
|
uses: zaproxy/action-baseline@v0.14.0
|
|
with:
|
|
docker_name: "ghcr.io/zaproxy/zaproxy:weekly"
|
|
target: "http://localhost:6012"
|
|
fail_action: true
|
|
allow_issue_writing: false
|
|
rules_file_name: "zap.conf"
|
|
cmd_options: "-I"
|
|
|
|
a11y-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
NOTIFY_ENVIRONMENT: scanning
|
|
- name: Run pa11y-ci
|
|
run: make a11y-scan
|