ocadotechnology · faucomte97 · Feb 17, 2025 · Feb 18, 2025 · Feb 18, 2025 · Feb 18, 2025
diff --git a/.github/workflows/backend.yaml b/.github/workflows/backend.yaml
@@ -31,6 +31,9 @@ on:
       CFL_BOT_GH_TOKEN:
         description: "The CFL-bot's GitHub token. Used to release."
         required: false
+      SNYK_TOKEN:
+        description: "The Snyk token used to connect to the Snyk project."
+        required: false
 
 jobs:
   test:
@@ -90,6 +93,14 @@ jobs:
         with:
           cfl-bot-gh-token: ${{ secrets.CFL_BOT_GH_TOKEN }}
 
+      - name: 🔎 Run Snyk scan
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --file=requirements.txt --package-manager=pip --skip-unresolved
+          command: monitor
+
       - name: 📥 Download Build Artifact
         uses: actions/download-artifact@v4
         with:

diff --git a/.github/workflows/frontend.yaml b/.github/workflows/frontend.yaml
@@ -15,6 +15,9 @@ on:
       CFL_BOT_GH_TOKEN:
         description: "The CFL-bot's GitHub token. Used to release."
         required: false
+      SNYK_TOKEN:
+        description: "The Snyk token used to connect to the Snyk project."
+        required: false
 
 jobs:
   test:
@@ -41,6 +44,14 @@ jobs:
         with:
           cfl-bot-gh-token: ${{ secrets.CFL_BOT_GH_TOKEN }}
 
+      - name: 🔎 Run Snyk scan
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --file=package.json --package-manager=yarn
+          command: monitor
+
       - name: 🚀 Publish Semantic Release
         uses: ocadotechnology/codeforlife-workspace/.github/actions/service/release@main
         with:

diff --git a/.github/workflows/test-javascript-code.yaml b/.github/workflows/test-javascript-code.yaml
@@ -32,34 +32,35 @@ on:
       CODECOV_TOKEN:
         description: "The token used to gain access to Codecov."
         required: false # Needs to be false to support contributors
+      SNYK_TOKEN:
+        description: "The Snyk token used to connect to the Snyk project."
+        required: false
 
 jobs:
   test-js-code:
     runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
     env:
       OCADO_TECH_ORG_ID: 2088731
     steps:
       - name: 🌐 Set up JavaScript ${{ inputs.node-version }} Environment
         uses: ocadotechnology/codeforlife-workspace/.github/actions/javascript/setup-environment@main
         with:
           node-version: ${{ inputs.node-version }}
-          working-directory: ${{ inputs.working-directory }}
           install-args: --production=false
 
       - name: 🔎 Check Code Format
-        working-directory: ${{ inputs.working-directory }}
         run: yarn run prettier --check --write=false .
 
       - name: 🔎 Check Static Type Hints
-        working-directory: ${{ inputs.working-directory }}
         run: yarn run tsc --build tsconfig.json
 
       - name: 🔎 Check Static Code
-        working-directory: ${{ inputs.working-directory }}
         run: yarn run eslint --max-warnings=0 .
 
       - name: 🧪 Test Code Units
-        working-directory: ${{ inputs.working-directory }}
         run: |
           if [ ${{ github.repository_owner_id }} = ${{ env.OCADO_TECH_ORG_ID }} ]
           then
@@ -81,5 +82,11 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: ${{ inputs.codecov-slug }}
           codecov_yml_path: ${{ inputs.codecov-yml-path }}
-          working-directory: ${{ inputs.working-directory }}
           file: ${{ inputs.codecov-file }}
+
+      - name: 🔎 Run Snyk to check vulnerabilities in Node and report them here
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --file=package.json --package-manager=yarn --severity-threshold=medium
diff --git a/.github/workflows/test-python-code.yaml b/.github/workflows/test-python-code.yaml
@@ -62,13 +62,20 @@ on:
       CODECOV_TOKEN:
         description: "The token used to gain access to Codecov."
         required: false # Needs to be false to support contributors
+      SNYK_TOKEN:
+        description: "The Snyk token used to connect to the Snyk project."
+        required: false
 
 jobs:
   test-py-code:
     runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
     env:
       PYPROJECT_TOML: ${{ inputs.pyproject-toml-directory }}/pyproject.toml
       COVERAGE_REPORT: coverage.xml # NOTE: COVERAGE_FILE is reserved - do not use.
+      LANG: C.UTF-8
       OCADO_TECH_ORG_ID: 2088731
       DB_NAME: ${{ inputs.postgres-db }}
       DB_HOST: localhost
@@ -97,23 +104,31 @@ jobs:
         uses: ocadotechnology/codeforlife-workspace/.github/actions/python/setup-environment@main
         with:
           python-version: ${{ inputs.python-version }}
-          working-directory: ${{ inputs.working-directory }}
-          install-args: --dev
+          install-args: --system
+
+      - name: 📝 Generate requirements file
+        run: pip freeze > requirements.txt
+
+      - name: 🔎 Run Snyk to check for vulnerabilities and report them here
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --file=requirements.txt --package-manager=pip --severity-threshold=medium --skip-unresolved
+
+      - name: 🧪 Also install dev dependencies
+        run: pipenv install --dev --system
 
       - name: 🔎 Check Import Sort
-        working-directory: ${{ inputs.working-directory }}
         run: pipenv run isort --settings-file=${{ env.PYPROJECT_TOML }} --check ${{ inputs.source-path }}
 
       - name: 🔎 Check Code Format
-        working-directory: ${{ inputs.working-directory }}
         run: if ! pipenv run black --config=${{ env.PYPROJECT_TOML }} --check ${{ inputs.source-path }}; then exit 1; fi
 
       - name: 🔎 Check Static Type Hints
-        working-directory: ${{ inputs.working-directory }}
         run: pipenv run mypy --config-file=${{ env.PYPROJECT_TOML }} ${{ inputs.source-path }}
 
       - name: 🔎 Check Static Code
-        working-directory: ${{ inputs.working-directory }}
         run: |
           echo 'Linting non-test files'
 
@@ -143,11 +158,9 @@ jobs:
 
       - name: 🔎 Check Django Migrations
         if: inputs.check-django-migrations
-        working-directory: ${{ inputs.working-directory }}
         run: pipenv run python manage.py makemigrations --check --dry-run
 
       - name: 🧪 Test Code Units
-        working-directory: ${{ inputs.working-directory }}
         run: |
           if [ ${{ github.repository_owner_id }} = ${{ env.OCADO_TECH_ORG_ID }} ]
           then
@@ -174,5 +187,4 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: ${{ inputs.codecov-slug }}
           codecov_yml_path: ${{ inputs.codecov-yml-path }}
-          working-directory: ${{ inputs.working-directory }}
           file: ${{ env.COVERAGE_REPORT }}
diff --git a/rapid-router b/rapid-router
+1 −1		.github/workflows/ci.yml
+1 −1		.github/workflows/publish-python-package.yml
+1 −1		.github/workflows/semantic-pull-request-check.yml
+1 −1		.github/workflows/snyk.yaml
+30 −0		CHANGELOG.md
+100 −99		Pipfile.lock
+1 −1		game/__init__.py
+3 −0		game/static/game/css/game.css
+66 −15		game/static/game/js/level_editor.js
+14 −1		game/static/game/js/pythonControl.js
+9 −6		game/templates/game/python_den_level_selection.html
+8 −7		game/views/level_editor.py
+48 −22		game/views/level_selection.py