mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-02-05 10:53:28 -05:00
169 lines
5.3 KiB
YAML
169 lines
5.3 KiB
YAML
name: Run checks
|
|
|
|
on: [push]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
NOTIFY_ENVIRONMENT: test
|
|
NEW_RELIC_CONFIG_FILE: newrelic.ini
|
|
NEW_RELIC_ENVIRONMENT: test
|
|
FLASK_APP: application.py
|
|
WERKZEUG_DEBUG_PIN: off
|
|
REDIS_ENABLED: 0
|
|
NODE_VERSION: 16.15.1
|
|
|
|
jobs:
|
|
build:
|
|
permissions:
|
|
checks: write
|
|
pull-requests: write
|
|
contents: write
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- uses: jwalton/gh-find-current-pr@v1
|
|
id: findPr
|
|
- uses: ArtiomTr/jest-coverage-report-action@v2
|
|
with:
|
|
test-script: npm test
|
|
output: report-markdown
|
|
annotations: failed-tests
|
|
prnumber: ${{ steps.findPr.outputs.number }}
|
|
- name: Run style checks
|
|
run: poetry run flake8 .
|
|
- name: Check imports alphabetized
|
|
run: poetry run isort --check-only ./app ./tests
|
|
- name: Check dead code
|
|
run: make dead-code
|
|
- name: Run js lint
|
|
run: npm run lint
|
|
- name: Run js tests
|
|
run: npm test
|
|
- name: Run py tests with coverage
|
|
run: poetry run coverage run --omit=*/notifications_utils/* -m pytest --maxfail=10 --ignore=tests/end_to_end tests/
|
|
- name: Check coverage threshold
|
|
run: poetry run coverage report --fail-under=90
|
|
|
|
end-to-end-tests:
|
|
permissions:
|
|
checks: write
|
|
pull-requests: write
|
|
contents: write
|
|
runs-on: ubuntu-latest
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: user
|
|
POSTGRES_PASSWORD: password
|
|
POSTGRES_DB: test_notification_api
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
# Maps tcp port 5432 on service container to the host
|
|
- 5432:5432
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- uses: jwalton/gh-find-current-pr@v1
|
|
id: findPr
|
|
- name: Clone API
|
|
uses: actions/checkout@v3
|
|
with:
|
|
repository: GSA/notifications-api
|
|
path: 'notifications-api'
|
|
- name: Install API dependencies
|
|
working-directory: 'notifications-api'
|
|
run: make bootstrap
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
# - name: Run API server
|
|
# with:
|
|
# path: './notifications-api'
|
|
# run: make run-procfile &
|
|
# env:
|
|
# SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
# NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
# NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
- name: Run E2E tests
|
|
run: poetry run pytest -v --browser chromium --browser firefox --browser webkit tests/end_to_end
|
|
env:
|
|
NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }}
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
NOTIFY_E2E_TEST_URI: ${{ secrets.NOTIFY_E2E_TEST_URI }}
|
|
# API_HOST_NAME: http://localhost:6011
|
|
|
|
validate-new-relic-config:
|
|
runs-on: ubuntu-latest
|
|
environment: staging
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Validate NewRelic config
|
|
env:
|
|
NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
|
|
# Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true
|
|
NEW_RELIC_ENVIRONMENT: staging
|
|
run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE
|
|
|
|
dependency-audits:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Create requirements.txt
|
|
run: poetry export --without-hashes --format=requirements.txt > requirements.txt
|
|
- uses: pypa/gh-action-pip-audit@v1.0.6
|
|
with:
|
|
inputs: requirements.txt
|
|
- name: Run npm audit
|
|
run: make npm-audit
|
|
|
|
static-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run scan
|
|
run: poetry run bandit -r app/ --confidence-level medium
|
|
|
|
dynamic-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
NOTIFY_ENVIRONMENT: scanning
|
|
- name: Run OWASP Baseline Scan
|
|
uses: zaproxy/action-baseline@v0.9.0
|
|
with:
|
|
docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
|
|
target: 'http://localhost:6012'
|
|
fail_action: true
|
|
allow_issue_writing: false
|
|
rules_file_name: 'zap.conf'
|
|
cmd_options: '-I'
|
|
|
|
a11y-scan:
|
|
runs-on: ubuntu-20.04
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
NOTIFY_ENVIRONMENT: scanning
|
|
- name: Run pa11y-ci
|
|
run: make a11y-scan
|