name: Run checks on: [push] permissions: contents: read env: DEBUG: True NOTIFY_ENVIRONMENT: test NEW_RELIC_CONFIG_FILE: newrelic.ini NEW_RELIC_ENVIRONMENT: test FLASK_APP: application.py WERKZEUG_DEBUG_PIN: off REDIS_ENABLED: 0 AWS_US_TOLL_FREE_NUMBER: "+18556438890" jobs: build: runs-on: ubuntu-latest services: postgres: image: postgres env: POSTGRES_USER: user POSTGRES_PASSWORD: password POSTGRES_DB: test_notification_api options: >- --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 ports: # Maps tcp port 5432 on service container to the host - 5432:5432 steps: - uses: actions/checkout@v3 - uses: ./.github/actions/setup-project - name: Install application dependencies run: make bootstrap env: SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }} NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }} NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} - name: Run style checks run: poetry run flake8 . - name: Check imports alphabetized run: poetry run isort --check-only ./app ./tests - name: Check for dead code run: make dead-code - name: Run tests with coverage run: poetry run coverage run --omit=*/notifications_utils/* -m pytest --maxfail=10 env: SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }} NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }} NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} - name: Check coverage threshold run: poetry run coverage report --fail-under=50 validate-new-relic-config: runs-on: ubuntu-latest environment: staging steps: - uses: actions/checkout@v3 - uses: ./.github/actions/setup-project - name: Install poetry packages run: poetry install - name: Validate NewRelic config env: NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} # Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true NEW_RELIC_ENVIRONMENT: staging run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE pip-audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: ./.github/actions/setup-project - name: Create requirements.txt run: poetry export --without-hashes --format=requirements.txt > requirements.txt - uses: pypa/gh-action-pip-audit@v1.0.6 with: inputs: requirements.txt static-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: ./.github/actions/setup-project - name: Install bandit run: pip install bandit - name: Run scan run: bandit -r app/ --confidence-level medium dynamic-scan: runs-on: ubuntu-latest services: postgres: image: postgres env: POSTGRES_USER: user POSTGRES_PASSWORD: password POSTGRES_DB: test_notification_api options: >- --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 ports: # Maps tcp port 5432 on service container to the host - 5432:5432 steps: - uses: actions/checkout@v3 - uses: ./.github/actions/setup-project - name: Install application dependencies run: make bootstrap env: SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }} NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }} NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} - name: Run server run: make run-flask & env: SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api - name: Run OWASP API Scan uses: zaproxy/action-api-scan@v0.5.0 with: docker_name: 'ghcr.io/zaproxy/zaproxy:weekly' target: 'http://localhost:6011/docs/openapi.yml' fail_action: true allow_issue_writing: false rules_file_name: 'zap.conf' cmd_options: '-I'