notifications-admin/.github/workflows/checks.yml

name: Run checks

on: [push]

permissions:
  contents: read

env:
  NOTIFY_ENVIRONMENT: test
  FLASK_APP: application.py
  FLASK_ENV: development
  WERKZEUG_DEBUG_PIN: off
  REDIS_URL: redis://adminredis:6379/0
  DEV_REDIS_URL: redis://adminredis:6379/0
  REDIS_ENABLED: False
  ANTIVIRUS_ENABLED: 0
  NODE_VERSION: 16.15.1
  ADMIN_CLIENT_ID: notify-admin
  ADMIN_CLIENT_USERNAME: notify-admin
  ADMIN_CLIENT_SECRET: dev-notify-secret-key
  GOVUK_ALERTS_CLIENT_ID: govuk-alerts
  ADMIN_BASE_URL: http://localhost:6012
  API_HOST_NAME: http://localhost:6011
  DEV_API_HOST_NAME: http://localhost:6011
  AWS_REGION: us-west-2
  BASIC_AUTH_USERNAME: curiousabout
  BASIC_AUTH_PASSWORD: the10xnotifybeta

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: ./.github/actions/setup-project
    - name: Run style checks
      run: flake8 .
    - name: Check imports alphabetized
      run: isort --check-only ./app ./tests
    - name: Run js tests
      run: npm test
    - name: Run py tests
      run: pytest -n4 --maxfail=10

  dependency-audits:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: ./.github/actions/setup-project
    - uses: trailofbits/gh-action-pip-audit@v1.0.0
      with:
        inputs: requirements.txt requirements_for_test.txt
        ignore-vulns: PYSEC-2022-237
    - name: Run npm audit
      run: make npm-audit

  static-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install bandit
        run: pip install bandit
      - name: Run scan
        run: bandit -r app/ --confidence-level medium