Merge pull request #1852 from GSA/fix-prod-terraform-formatting #3448
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Run checks | |
on: [push] | |
permissions: | |
contents: read | |
env: | |
NOTIFY_ENVIRONMENT: test | |
FLASK_APP: application.py | |
WERKZEUG_DEBUG_PIN: off | |
REDIS_ENABLED: 0 | |
NODE_VERSION: 16.15.1 | |
AWS_US_TOLL_FREE_NUMBER: "+18556438890" | |
ADMIN_BASE_URL: http://localhost:6012 | |
jobs: | |
build: | |
permissions: | |
checks: write | |
pull-requests: write | |
contents: write | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: "22.3.0" | |
- name: Install dependencies | |
run: npm install | |
- uses: ./.github/actions/setup-project | |
- uses: jwalton/gh-find-current-pr@v1 | |
id: findPr | |
- uses: ArtiomTr/jest-coverage-report-action@v2 | |
with: | |
test-script: npm test | |
output: report-markdown | |
annotations: failed-tests | |
prnumber: ${{ steps.findPr.outputs.number }} | |
- name: Run style checks | |
run: poetry run flake8 . | |
- name: Check imports alphabetized | |
run: poetry run isort --check-only ./app ./tests | |
- name: Check dead code | |
run: make dead-code | |
- name: Run js tests | |
run: npm test | |
- name: Run py tests with coverage | |
run: poetry run coverage run --omit=*/notifications_utils/* -m pytest --maxfail=10 --ignore=tests/end_to_end tests/ | |
- name: Check coverage threshold | |
run: poetry run coverage report --fail-under=90 | |
end-to-end-tests: | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
permissions: | |
checks: write | |
pull-requests: write | |
contents: write | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres | |
env: | |
POSTGRES_USER: user | |
POSTGRES_PASSWORD: password | |
POSTGRES_DB: test_notification_api | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
# Maps tcp port 5432 on service container to the host | |
- 5432:5432 | |
redis: | |
image: redis | |
options: >- | |
--health-cmd "redis-cli ping" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
# Maps tcp port 6379 on service container to the host | |
- 6379:6379 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- uses: jwalton/gh-find-current-pr@v1 | |
id: findPr | |
- name: Clone API | |
uses: actions/checkout@v4 | |
with: | |
repository: GSA/notifications-api | |
path: "notifications-api" | |
- name: Install API dependencies | |
working-directory: "notifications-api" | |
run: make bootstrap | |
env: | |
DATABASE_URL: postgresql://user:password@localhost:5432/test_notification_api | |
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api | |
REDIS_URL: redis://localhost:6379 | |
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
NOTIFY_ENVIRONMENT: development | |
- name: Run API server | |
working-directory: "notifications-api" | |
run: make run-procfile & | |
env: | |
DATABASE_URL: postgresql://user:password@localhost:5432/test_notification_api | |
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api | |
REDIS_URL: redis://localhost:6379 | |
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
NOTIFY_ENVIRONMENT: development | |
- name: Run Admin server | |
run: make run-flask & | |
env: | |
# API_HOST_NAME: https://notify-api-staging.app.cloud.gov | |
API_HOST_NAME: http://localhost:6011 | |
DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} | |
SECRET_KEY: ${{ secrets.SECRET_KEY }} | |
ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} | |
ADMIN_CLIENT_USERNAME: notify-admin | |
NOTIFY_ENVIRONMENT: e2etest | |
NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }} | |
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
NOTIFY_E2E_TEST_URI: http://localhost:6012 | |
- name: Run E2E tests | |
# Run the E2E tests against the code found in this PR. | |
# run: poetry run pytest -v --browser chromium --browser firefox --browser webkit tests/end_to_end | |
# --browser webkit doesn't work at this time. | |
run: make e2e-test | |
# Debugging for now to troubleshoot a connectivity issue to the local servers | |
# run: curl --request GET --url "http://localhost:6012" | |
env: | |
API_HOST_NAME: http://localhost:6011 | |
DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} | |
SECRET_KEY: ${{ secrets.SECRET_KEY }} | |
ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} | |
ADMIN_CLIENT_USERNAME: notify-admin | |
NOTIFY_ENVIRONMENT: e2etest | |
NOTIFY_E2E_AUTH_STATE_PATH: ${{ secrets.NOTIFY_E2E_AUTH_STATE_PATH }} | |
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }} | |
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }} | |
NOTIFY_E2E_TEST_URI: http://localhost:6012 | |
validate-new-relic-config: | |
runs-on: ubuntu-latest | |
environment: staging | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Validate NewRelic config | |
env: | |
NEW_RELIC_CONFIG_FILE: newrelic.ini | |
NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }} | |
# Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true | |
NEW_RELIC_ENVIRONMENT: staging | |
run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE | |
dependency-audits: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Create requirements.txt | |
run: poetry export --without-hashes --format=requirements.txt > requirements.txt | |
- uses: pypa/[email protected] | |
with: | |
inputs: requirements.txt | |
ignore-vulns: | | |
PYSEC-2024-60 | |
- name: Run npm audit | |
run: make npm-audit | |
static-scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Run scan | |
run: poetry run bandit -r app/ --confidence-level medium | |
dynamic-scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Run server | |
run: make run-flask & | |
env: | |
NOTIFY_ENVIRONMENT: scanning | |
- name: Run OWASP Baseline Scan | |
uses: zaproxy/[email protected] | |
with: | |
docker_name: "ghcr.io/zaproxy/zaproxy:weekly" | |
target: "http://localhost:6012" | |
fail_action: true | |
allow_issue_writing: false | |
rules_file_name: "zap.conf" | |
cmd_options: "-I" | |
a11y-scan: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/setup-project | |
- name: Run server | |
run: make run-flask & | |
env: | |
NOTIFY_ENVIRONMENT: scanning | |
- name: Run pa11y-ci | |
run: make a11y-scan |