mirror of
https://github.com/GSA/notifications-api.git
synced 2026-01-03 15:10:43 -05:00
8af59b1c55
This changeset adds the same additional steps needed in our PR checks to make sure the daily checks work properly with the recent Poetry update. It also updates our PR checks to use the latest pip-audit GitHub action. Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
156 lines
5.3 KiB
YAML
156 lines
5.3 KiB
YAML
name: Run checks
|
|
|
|
on: [push]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
DEBUG: True
|
|
NOTIFY_ENVIRONMENT: test
|
|
NEW_RELIC_CONFIG_FILE: newrelic.ini
|
|
NEW_RELIC_ENVIRONMENT: test
|
|
FLASK_APP: application.py
|
|
WERKZEUG_DEBUG_PIN: off
|
|
REDIS_ENABLED: 0
|
|
AWS_US_TOLL_FREE_NUMBER: "+18556438890"
|
|
|
|
jobs:
|
|
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: user
|
|
POSTGRES_PASSWORD: password
|
|
POSTGRES_DB: test_notification_api
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
# Maps tcp port 5432 on service container to the host
|
|
- 5432:5432
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install application dependencies
|
|
run: make bootstrap
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
|
|
- name: Check imports alphabetized
|
|
run: poetry run isort --check-only ./app ./tests
|
|
- name: Run style checks
|
|
run: poetry run flake8 .
|
|
- name: Check for dead code
|
|
run: make dead-code
|
|
- name: Run tests with coverage
|
|
run: poetry run coverage run --omit=*/migrations/*,*/tests/* -m pytest --maxfail=10
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
- name: Check coverage threshold
|
|
# TODO get this back up to 95
|
|
run: poetry run coverage report -m --fail-under=93
|
|
|
|
validate-new-relic-config:
|
|
runs-on: ubuntu-latest
|
|
environment: staging
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install poetry packages
|
|
run: poetry install
|
|
- name: Validate NewRelic config
|
|
env:
|
|
NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
|
|
# Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true
|
|
NEW_RELIC_ENVIRONMENT: staging
|
|
run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE
|
|
|
|
pip-audit:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Create requirements.txt
|
|
run: poetry export --output requirements_tmp.txt --without-hashes
|
|
- name: Filter requirements.txt
|
|
run: grep -v "oscrypto@ git" requirements_tmp.txt > requirements.txt
|
|
- name: Verify requirements.txt
|
|
run: ls -l requirements.txt
|
|
- name: Print requirements.txt
|
|
run: |
|
|
echo "Contents of requirements.txt:"
|
|
cat requirements.txt
|
|
- uses: pypa/gh-action-pip-audit@v1.1.0
|
|
with:
|
|
inputs: requirements.txt
|
|
ignore-vulns: |
|
|
PYSEC-2023-312
|
|
|
|
static-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install bandit
|
|
run: pip install bandit
|
|
- name: Run scan
|
|
run: bandit -r app/ --confidence-level medium
|
|
|
|
dynamic-scan:
|
|
runs-on: ubuntu-latest
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: user
|
|
POSTGRES_PASSWORD: password
|
|
POSTGRES_DB: test_notification_api
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
# Maps tcp port 5432 on service container to the host
|
|
- 5432:5432
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install application dependencies
|
|
run: make bootstrap
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
- name: Run OWASP API Scan
|
|
uses: zaproxy/action-api-scan@v0.9.0
|
|
with:
|
|
docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
|
|
target: 'http://localhost:6011/docs/openapi.yml'
|
|
fail_action: true
|
|
allow_issue_writing: false
|
|
rules_file_name: 'zap.conf'
|
|
cmd_options: '-I'
|