add trivy (testing) #44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
on: | |
push: | |
# hitting just main on push suffices to avoid duplicate runs for PRs, since PRs never update main. | |
# more ideas at https://github.com/orgs/community/discussions/26940 including branches-ignore | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet | |
branches: | |
- main | |
- "hotfix/**" | |
pull_request: | |
defaults: | |
run: | |
working-directory: spiffworkflow-backend | |
jobs: | |
tests-backend: | |
name: ${{ matrix.session }} ${{ matrix.python }} / ${{ matrix.os }} ${{ matrix.database }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- { python: "3.12", os: "ubuntu-latest", session: "safety" } | |
- { python: "3.12", os: "ubuntu-latest", session: "mypy" } | |
- { python: "3.11", os: "ubuntu-latest", session: "safety" } | |
- { python: "3.11", os: "ubuntu-latest", session: "mypy" } | |
- { python: "3.10", os: "ubuntu-latest", session: "mypy" } | |
- { | |
python: "3.11", | |
os: "ubuntu-latest", | |
session: "tests", | |
database: "mysql", | |
} | |
- { | |
python: "3.12", | |
os: "ubuntu-latest", | |
session: "tests", | |
database: "mysql", | |
upload_coverage: true, | |
} | |
- { | |
python: "3.11", | |
os: "ubuntu-latest", | |
session: "tests", | |
database: "postgres", | |
} | |
- { | |
python: "3.12", | |
os: "ubuntu-latest", | |
session: "tests", | |
database: "postgres", | |
} | |
- { | |
python: "3.11", | |
os: "ubuntu-latest", | |
session: "tests", | |
database: "sqlite", | |
} | |
- { | |
python: "3.12", | |
os: "ubuntu-latest", | |
session: "tests", | |
database: "sqlite", | |
} | |
- { | |
python: "3.10", | |
os: "ubuntu-latest", | |
session: "tests", | |
database: "sqlite", | |
} | |
# FIXME: tests cannot pass on windows and we currently cannot debug | |
# since none of us have a windows box that can run the python app. | |
# so ignore windows tests until we can get it fixed. | |
# - { | |
# python: "3.10", | |
# os: "windows-latest", | |
# session: "tests", | |
# database: "sqlite", | |
# } | |
- { | |
python: "3.11", | |
os: "macos-latest", | |
session: "tests", | |
database: "sqlite", | |
} | |
- { | |
# typeguard 2.13.3 is broken with TypeDict in 3.11. | |
# probably the next release fixes it. | |
# https://github.com/agronholm/typeguard/issues/242 | |
python: "3.11", | |
os: "ubuntu-latest", | |
session: "typeguard", | |
database: "sqlite", | |
} | |
- { | |
# typeguard 2.13.3 is broken with TypeDict in 3.11. | |
# probably the next release fixes it. | |
# https://github.com/agronholm/typeguard/issues/242 | |
python: "3.12", | |
os: "ubuntu-latest", | |
session: "typeguard", | |
database: "sqlite", | |
} | |
# - { python: "3.11", os: "ubuntu-latest", session: "xdoctest" } | |
# - { python: "3.11", os: "ubuntu-latest", session: "docs-build" } | |
env: | |
FLASK_SESSION_SECRET_KEY: super_secret_key | |
FORCE_COLOR: "1" | |
PRE_COMMIT_COLOR: "always" | |
SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD: password | |
SPIFFWORKFLOW_BACKEND_DATABASE_TYPE: ${{ matrix.database }} | |
SPIFFWORKFLOW_BACKEND_RUNNING_IN_CI: "true" | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@v4 | |
- name: Set up Python ${{ matrix.python }} | |
uses: actions/[email protected] | |
with: | |
python-version: ${{ matrix.python }} | |
- name: Install pip and poetry | |
run: | | |
pwd | |
ls -al | |
pip install --constraint=../.github/workflows/constraints.txt pip poetry | |
pip --version | |
poetry --version | |
- name: Upgrade pip in virtual environments | |
shell: python | |
run: | | |
import os | |
import pip | |
with open(os.environ["GITHUB_ENV"], mode="a") as io: | |
print(f"VIRTUALENV_PIP={pip.__version__}", file=io) | |
# when we get an imcompatible sqlite migration again and need to combine all migrations into one for the benefit of sqlite | |
# see if we can get the sqlite-specific block in the noxfile.py to work instead of this block in the github workflow, | |
# which annoyingly runs python setup outside of the nox environment (which seems to be flakier on poetry install). | |
# - name: Checkout Samples | |
# if: matrix.database == 'sqlite' | |
# uses: actions/checkout@v4 | |
# with: | |
# repository: sartography/sample-process-models | |
# path: sample-process-models | |
# - name: Poetry Install | |
# if: matrix.database == 'sqlite' | |
# run: poetry install | |
# - name: Setup sqlite | |
# if: matrix.database == 'sqlite' | |
# env: | |
# SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR: "${GITHUB_WORKSPACE}/sample-process-models" | |
# run: ./bin/recreate_db clean rmall | |
- name: Setup Mysql | |
uses: mirromutth/[email protected] | |
with: | |
host port: 3306 | |
container port: 3306 | |
mysql version: "8.0" | |
mysql database: "spiffworkflow_backend_unit_testing" | |
mysql root password: password | |
collation server: "utf8mb4_0900_as_cs" | |
if: matrix.database == 'mysql' | |
- name: Setup Postgres | |
run: docker run --name postgres-spiff -p 5432:5432 -e POSTGRES_PASSWORD=spiffworkflow_backend -e POSTGRES_USER=spiffworkflow_backend -e POSTGRES_DB=spiffworkflow_backend_unit_testing -d postgres | |
if: matrix.database == 'postgres' | |
- name: Install mysqlclient and psycopg2 lib dependencies | |
if: matrix.os == 'macos-latest' | |
# mysql 8.3 causes failure in poetry install so pin to 8.0. https://github.com/feast-dev/feast/issues/3916 | |
# 8.0 is keg-only, so we have to force link it in order for pkg-config and everything to find it. | |
run: | | |
brew install [email protected] pkg-config postgresql && brew link [email protected] | |
- name: Run Session | |
run: | | |
./bin/run_ci_session ${{ matrix.session }} | |
- name: Upload coverage data | |
# pin to upload coverage from only one matrix entry, otherwise coverage gets confused later | |
if: matrix.upload_coverage | |
uses: "actions/upload-artifact@v4" | |
# this action doesn't seem to respect working-directory so include working-directory value in path | |
with: | |
name: coverage-data | |
path: "spiffworkflow-backend/.coverage.*" | |
# - name: Upload documentation | |
# if: matrix.session == 'docs-build' | |
# uses: actions/upload-artifact@v4 | |
# with: | |
# name: docs | |
# path: docs/_build | |
# | |
- name: Upload logs | |
if: failure() && matrix.session == 'tests' | |
uses: "actions/upload-artifact@v4" | |
with: | |
name: logs-${{matrix.python}}-${{matrix.os}}-${{matrix.database}} | |
path: "./spiffworkflow-backend/log/*.log" | |
run_pre_commit_checks: | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: . | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/[email protected] | |
with: | |
python-version: "3.11" | |
- name: Install Poetry | |
run: | | |
pwd | |
ls -al | |
pip --version | |
pip install --constraint=.github/workflows/constraints.txt pip poetry | |
poetry --version | |
- name: Poetry Install | |
run: poetry install | |
- name: run_pre_commit | |
run: ./bin/run_pre_commit_in_ci | |
check_docker_start_script: | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@v4 | |
- name: Checkout Samples | |
uses: actions/checkout@v4 | |
with: | |
repository: sartography/sample-process-models | |
path: sample-process-models | |
- name: start_backend | |
run: ./bin/build_and_run_with_docker_compose | |
timeout-minutes: 20 | |
env: | |
SPIFFWORKFLOW_BACKEND_RUN_DATA_SETUP: "false" | |
- name: wait_for_backend | |
run: ./bin/wait_for_backend_to_be_up 5 | |
coverage: | |
runs-on: ubuntu-latest | |
needs: [tests-backend, run_pre_commit_checks, check_docker_start_script] | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@v4 | |
with: | |
# Disabling shallow clone is recommended for improving relevancy of reporting in sonarcloud | |
fetch-depth: 0 | |
- name: Set up Python | |
uses: actions/[email protected] | |
with: | |
python-version: "3.11" | |
- name: Install pip and poetry | |
run: | | |
pwd | |
ls -al | |
pip install --constraint=../.github/workflows/constraints.txt pip poetry | |
pip --version | |
poetry --version | |
- name: Upgrade pip in virtual environments | |
shell: python | |
run: | | |
import os | |
import pip | |
with open(os.environ["GITHUB_ENV"], mode="a") as io: | |
print(f"VIRTUALENV_PIP={pip.__version__}", file=io) | |
- name: Download coverage data | |
uses: actions/[email protected] | |
with: | |
name: coverage-data | |
# this action doesn't seem to respect working-directory so include working-directory value in path | |
path: spiffworkflow-backend | |
- name: Run Coverage | |
run: | | |
./bin/run_ci_session coverage | |
- name: Upload coverage report | |
uses: codecov/[email protected] | |
- name: SonarCloud Scan | |
uses: sonarsource/[email protected] | |
# thought about just skipping dependabot | |
# if: ${{ github.actor != 'dependabot[bot]' }} | |
# but figured all pull requests seems better, since none of them will have access to sonarcloud. | |
# however, with just skipping pull requests, the build associated with "Triggered via push" is also associated with the pull request and also fails hitting sonarcloud | |
# if: ${{ github.event_name != 'pull_request' }} | |
# so just skip everything but main | |
if: github.ref_name == 'main' | |
with: | |
projectBaseDir: spiffworkflow-backend | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
# part about saving PR number and then using it from auto-merge-dependabot-prs from: | |
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run | |
- name: Write PR number to spiffworkflow-backend/pr dir | |
if: ${{ github.event_name == 'pull_request' }} | |
env: | |
PR_NUMBER: ${{ github.event.number }} | |
run: | | |
mkdir -p ./pr | |
echo "$PR_NUMBER" > ./pr/pr_number | |
- name: Upload PR number as artifact | |
uses: actions/upload-artifact@v4 | |
if: ${{ github.event_name == 'pull_request' }} | |
with: | |
name: pr_number | |
# at https://github.com/sartography/spiff-arena/actions/runs/7757308061/job/21156982087, for example, | |
# it said: "Warning: No files were found with the provided path: pr", so assuming this is running | |
# from spiff-arena root rather than the default working-directory we specified, and therefore | |
# trying to explicitly add spiffworkflow-backend to path | |
path: spiffworkflow-backend/pr/ | |
if-no-files-found: error | |
tests-frontend: | |
runs-on: ubuntu-latest | |
needs: [tests-backend, run_pre_commit_checks, check_docker_start_script] | |
defaults: | |
run: | |
working-directory: spiffworkflow-frontend | |
steps: | |
- name: Development Code | |
uses: actions/checkout@v4 | |
with: | |
# Disabling shallow clone is recommended for improving relevancy of reporting in sonarcloud | |
fetch-depth: 0 | |
ref: ${{ github.event.workflow_run.head_sha }} | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18.x | |
- run: npm install | |
- run: npm run lint | |
- run: npm test | |
- run: npm run build --if-present | |
- name: SonarCloud Scan | |
# thought about just skipping dependabot | |
# if: ${{ github.actor != 'dependabot[bot]' }} | |
# but figured all pull requests seems better, since none of them will have access to sonarcloud. | |
# however, with just skipping pull requests, the build associated with "Triggered via push" is also associated with the pull request and also fails hitting sonarcloud | |
# if: ${{ github.event_name != 'pull_request' }} | |
# so just skip everything but main | |
if: github.ref_name == 'main' | |
uses: sonarsource/[email protected] | |
with: | |
projectBaseDir: spiffworkflow-frontend | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
cypress-run: | |
runs-on: ubuntu-latest | |
needs: [tests-backend, run_pre_commit_checks, check_docker_start_script] | |
defaults: | |
run: | |
working-directory: spiffworkflow-frontend | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.workflow_run.head_sha }} | |
- name: Checkout Samples | |
uses: actions/checkout@v4 | |
with: | |
repository: sartography/sample-process-models | |
path: sample-process-models | |
- name: start_keycloak | |
working-directory: ./spiffworkflow-backend | |
run: ./keycloak/bin/start_keycloak | |
- name: start_backend | |
working-directory: ./spiffworkflow-backend | |
run: ./bin/build_and_run_with_docker_compose | |
timeout-minutes: 20 | |
env: | |
SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA: "true" | |
SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME: "acceptance_tests.yml" | |
- name: start_frontend | |
# working-directory: ./spiffworkflow-frontend | |
run: ./bin/build_and_run_with_docker_compose | |
- name: wait_for_backend | |
working-directory: ./spiffworkflow-backend | |
run: ./bin/wait_for_backend_to_be_up 5 | |
- name: wait_for_frontend | |
# working-directory: ./spiffworkflow-frontend | |
run: ./bin/wait_for_frontend_to_be_up 5 | |
- name: wait_for_keycloak | |
working-directory: ./spiffworkflow-backend | |
run: ./keycloak/bin/wait_for_keycloak 5 | |
- name: Dump GitHub context | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: | | |
echo "$GITHUB_CONTEXT" | |
- name: Cypress run | |
uses: cypress-io/github-action@v6 | |
with: | |
working-directory: ./spiffworkflow-frontend | |
browser: chrome | |
# only record on push, not pull_request, since we do not have secrets for PRs, | |
# so the required CYPRESS_RECORD_KEY will not be available. | |
# we have limited runs in cypress cloud, so only record main builds | |
# the direct check for github.event_name == 'push' is for if we want to go back to triggering this workflow | |
# directly, rather than when Backend Tests complete. | |
# note that github.event.workflow_run is referring to the Backend Tests workflow and another option | |
# for github.event.workflow_run.event is 'pull_request', which we want to ignore. | |
record: ${{ github.ref_name == 'main' && ((github.event_name == 'workflow_run' && github.event.workflow_run.event == 'push') || (github.event_name == 'push')) }} | |
env: | |
# pass the Dashboard record key as an environment variable | |
CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} | |
# pass GitHub token to allow accurately detecting a build vs a re-run build | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
CYPRESS_SPIFFWORKFLOW_FRONTEND_AUTH_WITH_KEYCLOAK: "true" | |
- name: get_backend_logs_from_docker_compose | |
if: failure() | |
working-directory: ./spiffworkflow-backend | |
run: ./bin/get_logs_from_docker_compose >./log/docker_compose.log | |
- name: Upload logs | |
if: failure() | |
uses: "actions/upload-artifact@v4" | |
with: | |
name: spiffworkflow-backend-logs | |
path: "./spiffworkflow-backend/log/*.log" | |
# https://github.com/cypress-io/github-action#artifacts | |
- name: upload_screenshots | |
uses: actions/upload-artifact@v4 | |
if: failure() | |
with: | |
name: cypress-screenshots | |
path: ./spiffworkflow-frontend/cypress/screenshots | |
# Test run video was always captured, so this action uses "always()" condition | |
- name: upload_videos | |
uses: actions/upload-artifact@v4 | |
if: failure() | |
with: | |
name: cypress-videos | |
path: ./spiffworkflow-frontend/cypress/videos |