Merge pull request #406 from GSA/remove-ryan-from-terraform #890
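# Workflow-wide settings: every job below inherits `permissions` and `env`.
name: Run checks
# yamllint disable-line rule:truthy -- `on` is the trigger key here, not a boolean
on: [push]
permissions:
  # Read-only GITHUB_TOKEN by default; no job in this file writes to the repo.
  contents: read
env:
  # Boolean-/number-looking values are quoted so the YAML reader cannot retype
  # them: the app receives the literal text instead of a parser-normalised
  # `true`/`false`/int. Confirm the app compares DEBUG against "True" as spelled.
  DEBUG: "True"
  NOTIFY_ENVIRONMENT: test
  NEW_RELIC_CONFIG_FILE: newrelic.ini
  NEW_RELIC_ENVIRONMENT: test
  FLASK_APP: application.py
  # "off" is the keyword Werkzeug expects to disable its debugger PIN; an
  # unquoted `off` can be read as boolean false and handed over as "false",
  # which is not the disable keyword. The debug server only runs inside the
  # runner (see dynamic-scan) -- keep it that way.
  WERKZEUG_DEBUG_PIN: "off"
  REDIS_ENABLED: "0"
  AWS_US_TOLL_FREE_NUMBER: "+18556438890"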
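jobs:
  # Lint, import-order check and unit tests against a throw-away Postgres.
  build:
    runs-on: ubuntu-latest
    services:
      postgres:
        # Unpinned tag: resolves to whatever `postgres` image is latest at run time.
        image: postgres
        env:
          # Throw-away credentials for the CI-only database; they never leave the runner.
          POSTGRES_USER: user
          POSTGRES_PASSWORD: password
          POSTGRES_DB: test_notification_api
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          # Maps tcp port 5432 on service container to the host
          - "5432:5432"
    env:
      # Set once at job level instead of being repeated on each step; only the
      # bootstrap and test steps read it.
      SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
    steps:
      # Third-party actions are pinned to a major tag, not a commit SHA, so a
      # moved tag changes what runs here.
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install application dependencies
        run: make bootstrap
      - name: Run style checks
        run: pipenv run flake8 .
      - name: Check imports alphabetized
        run: pipenv run isort --check-only ./app ./tests
      - name: Run tests with coverage
        run: pipenv run coverage run --omit=*/notifications_utils/* -m pytest -n4 --maxfail=10
      - name: Check coverage threshold
        run: pipenv run coverage report --fail-under=50

  # Checks newrelic.ini against the staging environment's license key.
  validate-new-relic-config:
    runs-on: ubuntu-latest
    # Binds the job to the `staging` environment: its secrets (and any
    # protection rules configured on it) apply here.
    environment: staging
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install pipenv packages
        run: pipenv install --dev
      - name: Validate NewRelic config
        env:
          # Secret is scoped to this single step, not the whole job.
          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
          # Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true
          NEW_RELIC_ENVIRONMENT: staging
        run: pipenv run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE

  # Dependency vulnerability audit of the locked requirements.
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Create requirements.txt
        # Exports the Pipfile.lock pins; dev packages are not included.
        run: pipenv requirements > requirements.txt
      - uses: pypa/gh-action-pip-audit@v1.0.6
        with:
          inputs: requirements.txt

  # Static analysis of application code with bandit.
  static-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install bandit
        # Unpinned install: whichever bandit release PyPI serves at run time.
        run: pip install bandit
      - name: Run scan
        run: bandit -r app/ --confidence-level medium

  # Runs the API locally and scans it with ZAP against its OpenAPI definition.
  dynamic-scan:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres
        env:
          POSTGRES_USER: user
          POSTGRES_PASSWORD: password
          POSTGRES_DB: test_notification_api
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          # Maps tcp port 5432 on service container to the host
          - "5432:5432"
    env:
      # Shared by the bootstrap and server steps; previously duplicated per step.
      SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install application dependencies
        run: make bootstrap
      - name: Run server
        # Backgrounded so the step returns; the server keeps running for the scan.
        run: make run-flask &
      - name: Wait for server to accept connections
        # `make run-flask &` returns before Flask is listening; without this
        # gate the scan can start early and fail on an unreachable target.
        run: |
          for _ in $(seq 1 30); do
            if curl --silent --fail --output /dev/null http://localhost:6011/docs/openapi.yml; then
              exit 0
            fi
            sleep 2
          done
          echo "server did not become ready on :6011" >&2
          exit 1
      - name: Run OWASP Baseline Scan
        uses: zaproxy/action-api-scan@v0.4.0
        with:
          docker_name: 'owasp/zap2docker-stable'
          # Scan target is the runner-local debug server only.
          target: 'http://localhost:6011/docs/openapi.yml'
          fail_action: true
          # No issue creation, consistent with the read-only `contents` permission above.
          allow_issue_writing: false
          rules_file_name: 'zap.conf'
          cmd_options: '-I'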