From db2191d80e7a6ae8152a3ad715892037519047e1 Mon Sep 17 00:00:00 2001
From: JoshLarouche
Date: Mon, 18 Sep 2023 14:13:46 -0700
Subject: [PATCH] Chore: merging precommit check file into test.yaml
---
 .github/workflows/pre-commit-check.yaml | 210 ++++++++++++------------
 .github/workflows/test.yaml | 150 ++++++++++++++---
 2 files changed, 235 insertions(+), 125 deletions(-)
diff --git a/.github/workflows/pre-commit-check.yaml b/.github/workflows/pre-commit-check.yaml
index fef2b29ae7..3c20174be8 100644
--- a/.github/workflows/pre-commit-check.yaml
+++ b/.github/workflows/pre-commit-check.yaml
@@ -1,109 +1,109 @@ -name: pre-commit +# name: pre-commit -on: - push: - workflow_dispatch: +# on: +# push: +# workflow_dispatch: -jobs: - install-client-dev-tools: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: dev env setup - uses: ./.github/actions/dev-env-setup - - run: yarn install --frozen-lockfile - working-directory: ./client +# jobs: +# install-client-dev-tools: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v3 +# - name: dev env setup +# uses: ./.github/actions/dev-env-setup +# - run: yarn install --frozen-lockfile +# working-directory: ./client - install-server-dev-tools: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: dev env setup - uses: ./.github/actions/dev-env-setup - - name: Set up python - id: setup-python - uses: actions/setup-python@v4 - with: - # do this dynamically with tool-versions version - python-version: "3.9.16" - - name: Install Poetry - uses: snok/install-poetry@v1 - - name: Load cached venv - id: cached-poetry-dependencies - uses: actions/cache@v3 - with: - path: .venv - key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} - #---------------------------------------------- - # install dependencies if cache does not exist - #---------------------------------------------- - - name: Install dependencies - if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true' - run: poetry install --no-interaction --no-root - working-directory: ./bc_obps - - name: is pylint installed? 
- run: | - poetry run pylint --version - echo $PATH - working-directory: ./bc_obps - # - name: Setup tmate session - # uses: mxschmitt/action-tmate@v3 +# install-server-dev-tools: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v3 +# - name: dev env setup +# uses: ./.github/actions/dev-env-setup +# - name: Set up python +# id: setup-python +# uses: actions/setup-python@v4 +# with: +# # do this dynamically with tool-versions version +# python-version: "3.9.16" +# - name: Install Poetry +# uses: snok/install-poetry@v1 +# - name: Load cached venv +# id: cached-poetry-dependencies +# uses: actions/cache@v3 +# with: +# path: .venv +# key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} +# #---------------------------------------------- +# # install dependencies if cache does not exist +# #---------------------------------------------- +# - name: Install dependencies +# if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true' +# run: poetry install --no-interaction --no-root +# working-directory: ./bc_obps +# - name: is pylint installed? 
+# run: | +# poetry run pylint --version +# echo $PATH +# working-directory: ./bc_obps +# # - name: Setup tmate session +# # uses: mxschmitt/action-tmate@v3 - # yarn-test: - # needs: install-client-dev-tools - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v3 - # - name: dev env setup - # uses: ./.github/actions/dev-env-setup - # - run: yarn test - # working-directory: ./client - pre-commit: - needs: ["install-client-dev-tools", "install-server-dev-tools"] - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: dev env setup - uses: ./.github/actions/dev-env-setup - - run: pip install -r requirements.txt - - name: Set up python - id: setup-python - uses: actions/setup-python@v4 - with: - # do this dynamically with tool-versions version - python-version: "3.9.16" - - name: Install Poetry - uses: snok/install-poetry@v1 - - name: Load cached venv - id: cached-poetry-dependencies - uses: actions/cache@v3 - with: - path: .venv - key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} - #---------------------------------------------- - # install dependencies if cache does not exist - #---------------------------------------------- - - name: Install dependencies - if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true' - run: poetry install --no-interaction --no-root - working-directory: ./bc_obps - - name: is pylint installed? - run: | - poetry run pylint --version - echo $PATH - working-directory: ./bc_obps - - uses: pre-commit/action@v3.0.0 - # - uses: actions/setup-python@v2 - - uses: terraform-linters/setup-tflint@v1 - with: - tflint_version: latest - # - name: Analyze Kustomize Manifests - # run: | - # pwd - # ls -al - # curl https://get.datree.io | /bin/bash - # datree test tekton/base/pipelines/* --ignore-missing-schemas --no-record - # echo "scanning tasks..." - # datree test tekton/base/tasks/* --ignore-missing-schemas --no-record - # echo "scan triggers..." 
- # datree test tekton/base/triggers/* --ignore-missing-schemas --no-record +# # yarn-test: +# # needs: install-client-dev-tools +# # runs-on: ubuntu-latest +# # steps: +# # - uses: actions/checkout@v3 +# # - name: dev env setup +# # uses: ./.github/actions/dev-env-setup +# # - run: yarn test +# # working-directory: ./client +# pre-commit: +# needs: ["install-client-dev-tools", "install-server-dev-tools"] +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v2 +# - name: dev env setup +# uses: ./.github/actions/dev-env-setup +# - run: pip install -r requirements.txt +# - name: Set up python +# id: setup-python +# uses: actions/setup-python@v4 +# with: +# # do this dynamically with tool-versions version +# python-version: "3.9.16" +# - name: Install Poetry +# uses: snok/install-poetry@v1 +# - name: Load cached venv +# id: cached-poetry-dependencies +# uses: actions/cache@v3 +# with: +# path: .venv +# key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} +# #---------------------------------------------- +# # install dependencies if cache does not exist +# #---------------------------------------------- +# - name: Install dependencies +# if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true' +# run: poetry install --no-interaction --no-root +# working-directory: ./bc_obps +# - name: is pylint installed? +# run: | +# poetry run pylint --version +# echo $PATH +# working-directory: ./bc_obps +# - uses: pre-commit/action@v3.0.0 +# # - uses: actions/setup-python@v2 +# - uses: terraform-linters/setup-tflint@v1 +# with: +# tflint_version: latest +# # - name: Analyze Kustomize Manifests +# # run: | +# # pwd +# # ls -al +# # curl https://get.datree.io | /bin/bash +# # datree test tekton/base/pipelines/* --ignore-missing-schemas --no-record +# # echo "scanning tasks..." +# # datree test tekton/base/tasks/* --ignore-missing-schemas --no-record +# # echo "scan triggers..." 
+# # datree test tekton/base/triggers/* --ignore-missing-schemas --no-record
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 20a4b668ea..14617870c2 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -8,6 +8,108 @@ on: jobs: # codeql-scan: # uses: bcgov/pipeline-templates/.github/workflows/codeql.yaml@main + install-client-dev-tools: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: dev env setup + uses: ./.github/actions/dev-env-setup + - run: yarn install --frozen-lockfile + working-directory: ./client + + install-server-dev-tools: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: dev env setup + uses: ./.github/actions/dev-env-setup + - name: Set up python + id: setup-python + uses: actions/setup-python@v4 + with: + # do this dynamically with tool-versions version + python-version: "3.9.16" + - name: Install Poetry + uses: snok/install-poetry@v1 + - name: Load cached venv + id: cached-poetry-dependencies + uses: actions/cache@v3 + with: + path: .venv + key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} + #---------------------------------------------- + # install dependencies if cache does not exist + #---------------------------------------------- + - name: Install dependencies + if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true' + run: poetry install --no-interaction --no-root + working-directory: ./bc_obps + - name: is pylint installed? 
+ run: | + poetry run pylint --version + echo $PATH + working-directory: ./bc_obps + # - name: Setup tmate session + # uses: mxschmitt/action-tmate@v3 + + # yarn-test: + # needs: install-client-dev-tools + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + # - name: dev env setup + # uses: ./.github/actions/dev-env-setup + # - run: yarn test + # working-directory: ./client + pre-commit: + needs: ["install-client-dev-tools", "install-server-dev-tools"] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: dev env setup + uses: ./.github/actions/dev-env-setup + - run: pip install -r requirements.txt + - name: Set up python + id: setup-python + uses: actions/setup-python@v4 + with: + # do this dynamically with tool-versions version + python-version: "3.9.16" + - name: Install Poetry + uses: snok/install-poetry@v1 + - name: Load cached venv + id: cached-poetry-dependencies + uses: actions/cache@v3 + with: + path: .venv + key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }} + #---------------------------------------------- + # install dependencies if cache does not exist + #---------------------------------------------- + - name: Install dependencies + if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true' + run: poetry install --no-interaction --no-root + working-directory: ./bc_obps + - name: is pylint installed? + run: | + poetry run pylint --version + echo $PATH + working-directory: ./bc_obps + - uses: pre-commit/action@v3.0.0 + # - uses: actions/setup-python@v2 + - uses: terraform-linters/setup-tflint@v1 + with: + tflint_version: latest + # - name: Analyze Kustomize Manifests + # run: | + # pwd + # ls -al + # curl https://get.datree.io | /bin/bash + # datree test tekton/base/pipelines/* --ignore-missing-schemas --no-record + # echo "scanning tasks..." + # datree test tekton/base/tasks/* --ignore-missing-schemas --no-record + # echo "scan triggers..." 
+ # datree test tekton/base/triggers/* --ignore-missing-schemas --no-record
 docker-build:
 runs-on: ubuntu-latest
 strategy:
@@ -137,23 +239,31 @@ jobs:
 with:
 IMAGE: gregnrobinson/bcgov-nginx-demo
 TAG: latest
- sonar-repo-scan:
- uses: bcgov/pipeline-templates/.github/workflows/sonar-scanner.yaml@main
- with:
- ORG: ci-testing
- PROJECT_KEY: bcgov-pipeline-templates
- URL: https://sonarcloud.io
- secrets:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- owasp-zap-scan:
- uses: bcgov/pipeline-templates/.github/workflows/owasp-scan.yaml@owasp-gcp-fix
- with:
- ZAP_SCAN_TYPE: "base" # Accepted values are base and full.
- ZAP_TARGET_URL: "http://localhost:3004/"
- ZAP_DURATION: "2"
- ZAP_MAX_DURATION: "5"
- ZAP_GCP_PUBLISH: false
- ZAP_GCP_PROJECT: phronesis-310405 # Only required if ZAP_GCP_PUBLISH is TRUE
- ZAP_GCP_BUCKET: "zap-scan-results" # Only required if ZAP_GCP_PUBLISH is TRUE
- secrets:
- GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }} # Only required if ZAP_GCP_PUBLISH is TRUE
+ # sonar-repo-scan:
+ # uses: bcgov/pipeline-templates/.github/workflows/sonar-scanner.yaml@main
+ # with:
+ # ORG: ci-testing
+ # PROJECT_KEY: bcgov-pipeline-templates
+ # URL: https://sonarcloud.io
+ # secrets:
+ # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ zap-owasp:
+ needs:
+ ["docker-build", "install-client-dev-tools", "install-server-dev-tools"]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: dev env setup
+ uses: ./.github/actions/dev-env-setup
+ - name: run app locally
+ uses: ./.github/actions/local-app-run
+ - name: ZAP Base Scan
+ uses: zaproxy/action-baseline@v0.6.1
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ docker_name: "owasp/zap2docker-stable"
+ target: "http://localhost:3004/"
+ rules_file_name: ".zap/rules.tsv"
+ cmd_options: "-a -d -T 5 -m 2"
+ issue_title: OWASP Baseline
+ fail_action: false
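Review bot: The new `pre-commit` job checks out with `actions/checkout@v2` while the two `install-*-dev-tools` jobs copied into the same hunk use `@v3`; v2 runs on the deprecated Node 12 runtime and the inconsistency suggests the step was pasted rather than reviewed, so change it to `- uses: actions/checkout@v3`. In that same job `- run: pip install -r requirements.txt` executes before the `Set up python` step, so it installs into whatever interpreter the runner image ships rather than the pinned 3.9.16 — move it after `setup-python` (or drop it if Poetry already provides those tools; I cannot see `requirements.txt` from here). Every third-party action in the hunk (`snok/install-poetry@v1`, `pre-commit/action@v3.0.0`, `terraform-linters/setup-tflint@v1` with `tflint_version: latest`) is referenced by a mutable tag; for a job that runs linters over the whole tree with the workflow token, pin them to full commit SHAs with a `# vX.Y.Z` comment so a retagged release cannot change what runs. The `is pylint installed?` step's `echo $PATH` reads like leftover debugging and can go. The `on:` block and any top-level `permissions:` for this workflow are outside the hunk, so I could not confirm the token scope these jobs run with.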
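Review bot: After this hunk no security scan in the workflow can fail the build: `sonar-repo-scan` is commented out here, `codeql-scan` is already commented out at the top of the previous hunk, and the replacement `zap-owasp` job sets `fail_action: false`, so ZAP findings only get filed as an issue (per `issue_title: OWASP Baseline`) and a PR that introduces a finding still goes green. If that is intentional as a first rollout, say so in a comment above `fail_action`; otherwise set `fail_action: true` and rely on `.zap/rules.tsv` to IGNORE/WARN the known-acceptable alerts. The job passes `token: ${{ secrets.GITHUB_TOKEN }}` and the action needs to create or update issues with it, which requires `issues: write`; the workflow's `permissions` are not visible in this diff, and if the repository defaults to a read-only token (or the run is a `pull_request` from a fork) the issue step will fail, so declare `permissions: { contents: read, issues: write }` on the `zap-owasp` job explicitly. `docker_name: "owasp/zap2docker-stable"` and `zaproxy/action-baseline@v0.6.1` are both mutable references — pin the image by digest and the action by commit SHA, consistent with the rest of the workflow once that is done.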