Merge pull request #2267 from GSA/main #4423
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Run checks | |
on: [push] | |
permissions: | |
contents: read | |
env: | |
NOTIFY_ENVIRONMENT: test | |
FLASK_APP: application.py | |
WERKZEUG_DEBUG_PIN: off | |
REDIS_ENABLED: 0 | |
NODE_VERSION: 16.15.1 | |
AWS_US_TOLL_FREE_NUMBER: "+18556438890" | |
ADMIN_BASE_URL: http://localhost:6012 | |
jobs: | |
build: | |
permissions: | |
checks: write | |
pull-requests: write | |
contents: write | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: "22.3.0" | |
- name: Install dependencies | |
run: npm install | |
- uses: ./.github/actions/setup-project | |
- uses: jwalton/gh-find-current-pr@v1 | |
id: findPr | |
- uses: ArtiomTr/jest-coverage-report-action@v2 | |
with: | |
test-script: npm test | |
output: report-markdown | |
annotations: failed-tests | |
prnumber: ${{ steps.findPr.outputs.number }} | |
- name: Run style checks | |
run: poetry run flake8 . | |
- name: Check imports alphabetized | |
run: poetry run isort --check-only ./app ./tests | |
- name: Check dead code | |
run: make dead-code | |
- name: Run js tests | |
run: npm test | |
- name: Run py tests with coverage | |
run: poetry run coverage run --omit=*/notifications_utils/* -m pytest --maxfail=10 --ignore=tests/end_to_end tests/ | |
- name: Check coverage threshold | |
run: poetry run coverage report --fail-under=90 | |
end-to-end-tests: | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
permissions: | |
checks: write | |
pull-requests: write | |
contents: write | |
runs-on: ubuntu-latest | |
environment: staging | |
services: | |
postgres: | |
image: postgres | |
env: | |
POSTGRES_USER: user | |
POSTGRES_PASSWORD: password | |
POSTGRES_DB: test_notification_api | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
# Maps tcp port 5432 on service container to the host | |
- 5432:5432 | |
redis: | |
image: redis | |
options: >- | |
--health-cmd "redis-cli ping" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
# Maps tcp port 6379 on service container to the host | |
- 6379:6379 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- uses: jwalton/gh-find-current-pr@v1 | |
id: findPr | |
- name: Check API Server availability | |
run: | | |
curl --fail -v https://notify-api-staging.app.cloud.gov || exit 1 | |
- name: Run Admin server | |
# If we want to log stuff and see what's broken, | |
# insert this line: | |
# tail -f admin-server.log & | |
# above make e2e-test | |
run: | | |
make run-flask > admin-server.log 2>&1 & | |
tail -f admin-server.log & | |
make e2e-test | |
env: | |
API_HOST_NAME: https://notify-api-staging.app.cloud.gov/ | |
SECRET_KEY: ${{ secrets.SECRET_KEY }} | |
DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} | |
ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} | |
ADMIN_CLIENT_USERNAME: notify-admin | |
NOTIFY_ENVIRONMENT: e2etest | |
NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }} | |
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
NOTIFY_E2E_TEST_URI: http://localhost:6012/ | |
VCAP_SERVICES: ${{ secrets.VCAP_SERVICES }} | |
validate-new-relic-config: | |
runs-on: ubuntu-latest | |
environment: staging | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Validate NewRelic config | |
env: | |
NEW_RELIC_CONFIG_FILE: newrelic.ini | |
NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} | |
# Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true | |
NEW_RELIC_ENVIRONMENT: staging | |
run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE | |
dependency-audits: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Create requirements.txt | |
run: poetry export --without-hashes --format=requirements.txt > requirements.txt | |
- uses: pypa/[email protected] | |
with: | |
inputs: requirements.txt | |
ignore-vulns: | | |
PYSEC-2024-60 | |
PYSEC-2022-43162 | |
- name: Run npm audit | |
run: make npm-audit | |
static-scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Run scan | |
run: poetry run bandit -r app/ --confidence-level medium | |
dynamic-scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Run server | |
run: make run-flask & | |
env: | |
NOTIFY_ENVIRONMENT: scanning | |
- name: Run OWASP Baseline Scan | |
uses: zaproxy/[email protected] | |
with: | |
docker_name: "ghcr.io/zaproxy/zaproxy:weekly" | |
target: "http://localhost:6012" | |
fail_action: true | |
allow_issue_writing: false | |
rules_file_name: "zap.conf" | |
cmd_options: "-I" | |
a11y-scan: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Run server | |
run: make run-flask & | |
env: | |
NOTIFY_ENVIRONMENT: scanning | |
- name: Run pa11y-ci | |
run: make a11y-scan |