Merge branch 'main' of https://github.com/GSA/notifications-api into … #4418
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Run checks | |
on: [push] | |
permissions: | |
contents: read | |
env: | |
DEBUG: True | |
NOTIFY_ENVIRONMENT: test | |
NEW_RELIC_CONFIG_FILE: newrelic.ini | |
NEW_RELIC_ENVIRONMENT: test | |
FLASK_APP: application.py | |
WERKZEUG_DEBUG_PIN: off | |
REDIS_ENABLED: 0 | |
AWS_US_TOLL_FREE_NUMBER: "+18556438890" | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres | |
env: | |
POSTGRES_USER: user | |
POSTGRES_PASSWORD: password | |
POSTGRES_DB: test_notification_api | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
# Maps tcp port 5432 on service container to the host | |
- 5432:5432 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Install application dependencies | |
run: make bootstrap | |
env: | |
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api | |
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }} | |
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }} | |
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
- name: Run style checks | |
run: poetry run flake8 . | |
- name: Check imports alphabetized | |
run: poetry run isort --check-only ./app ./tests | |
- name: Check for dead code | |
run: make dead-code | |
- name: Run tests with coverage | |
run: poetry run coverage run --omit=*/migrations/*,*/tests/* -m pytest --maxfail=10 | |
env: | |
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api | |
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }} | |
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }} | |
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
- name: Check coverage threshold | |
# TODO get this back up to 95 | |
run: poetry run coverage report -m --fail-under=94 | |
validate-new-relic-config: | |
runs-on: ubuntu-latest | |
environment: staging | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Install poetry packages | |
run: poetry install | |
- name: Validate NewRelic config | |
env: | |
NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} | |
# Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true | |
NEW_RELIC_ENVIRONMENT: staging | |
run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE | |
pip-audit: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Create requirements.txt | |
run: poetry export --without-hashes --format=requirements.txt > requirements.txt | |
- uses: pypa/[email protected] | |
with: | |
inputs: requirements.txt | |
ignore-vulns: | | |
PYSEC-2022-43162 | |
static-scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Install bandit | |
run: pip install bandit | |
- name: Run scan | |
run: bandit -r app/ --confidence-level medium | |
dynamic-scan: | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres | |
env: | |
POSTGRES_USER: user | |
POSTGRES_PASSWORD: password | |
POSTGRES_DB: test_notification_api | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
# Maps tcp port 5432 on service container to the host | |
- 5432:5432 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Install application dependencies | |
run: make bootstrap | |
env: | |
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api | |
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }} | |
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }} | |
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
- name: Run server | |
run: make run-flask & | |
env: | |
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api | |
- name: Run OWASP API Scan | |
uses: zaproxy/[email protected] | |
with: | |
docker_name: 'ghcr.io/zaproxy/zaproxy:weekly' | |
target: 'http://localhost:6011/docs/openapi.yml' | |
fail_action: true | |
allow_issue_writing: false | |
rules_file_name: 'zap.conf' | |
cmd_options: '-I' |