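# CI for the search-api service: lint, run the test suite against a throwaway
# Postgres service container, build the container image with a strict build,
# and fail the pull request on CRITICAL/HIGH Trivy findings.
name: Search API CI

on:
  pull_request:
    paths:
      - "search-api/**"
      # Edits to this workflow itself should also exercise it; a path filter
      # limited to the service directory would otherwise skip them.
      - ".github/workflows/search-api-ci.yml"

# Least privilege for GITHUB_TOKEN: nothing below pushes, comments or
# publishes. Artifact upload/download/delete uses the runtime token and is
# not affected by this setting.
permissions:
  contents: read

defaults:
  run:
    shell: bash
    # Applies to `run:` steps only — action `with:` inputs (e.g. the Codecov
    # file path) are still resolved relative to the workspace root.
    working-directory: ./search-api

jobs:
  # Gate job: every other job `needs` this one, so when it is skipped in a
  # fork (repository name differs) the dependents are skipped as well.
  # Pull requests opened from forks *against* bcgov/sbc-search still run,
  # because github.repository is the base repository.
  setup-job:
    runs-on: ubuntu-20.04
    if: github.repository == 'bcgov/sbc-search'
    steps:
      - uses: actions/checkout@v2
      - run: "true"

  linting:
    needs: setup-job
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        # Quoted so a future "3.10" is not parsed as the float 3.1.
        python-version: ["3.9"]
    steps:
      - uses: actions/checkout@v2
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v1
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          make setup
      - name: Lint with pylint
        id: pylint
        run: |
          make pylint
      - name: Lint with flake8
        id: flake8
        run: |
          make flake8

  testing:
    needs: setup-job
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        # Previously this job referenced matrix.python-version without
        # declaring a matrix, so setup-python received an empty version and
        # the tests ran on whatever Python the runner image ships rather
        # than the interpreter the linting job pins.
        python-version: ["3.9"]
    env:
      # Targets the ephemeral service container below. The credentials are
      # throwaway CI values for a container that lives only for this job;
      # they are not a real secret and must never be reused elsewhere.
      SQLALCHEMY_DATABASE_URI: "postgresql://postgres:postgres@localhost:5432/postgres"
      # Actions passes env values as strings; quoting makes that explicit.
      IS_ORACLE: "false"
    services:
      postgres:
        # Tag-only reference is mutable; pin by digest (postgres:12@sha256:...)
        # if reproducible test runs matter.
        image: postgres:12
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: postgres
        ports:
          - "5432:5432"
        # needed because the postgres container does not provide a healthcheck
        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
    steps:
      - uses: actions/checkout@v2
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v1
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          make setup
      - name: Test with pytest
        id: test
        run: |
          make test
      - name: Upload coverage to Codecov
        # NOTE(review): v1 of this action shells out to the bash uploader;
        # later majors use the node uploader — consider upgrading.
        uses: codecov/codecov-action@v1
        with:
          # Workspace-relative: defaults.run.working-directory does not apply
          # to action inputs.
          file: ./search-api/coverage.xml
          flags: searchapi
          name: codecov-search-api
          # Surface upload failures instead of passing on stale coverage.
          fail_ci_if_error: true

  build-strictness:
    needs: setup-job
    runs-on: ubuntu-20.04
    env:
      DOCKER_NAME: search-api
    steps:
      - uses: actions/checkout@v2
      - name: build to check strictness
        id: build
        run: |
          make build-nc
      - name: export image
        id: export
        # Read the name as a shell variable instead of interpolating
        # ${{ env.* }} into the script: the value is static today, but
        # keeping expressions out of `run:` avoids the script-injection
        # pattern should it ever come from an untrusted context.
        run: |
          docker save "$DOCKER_NAME" > "/tmp/${DOCKER_NAME}.tar"
      - name: Upload artifact
        uses: actions/upload-artifact@v2
        with:
          name: ${{ env.DOCKER_NAME }}
          path: /tmp/${{ env.DOCKER_NAME }}.tar
          # The tarball is only a hand-off to the scan job; don't keep it
          # for the default retention period if cleanup never runs.
          retention-days: 1

  vulnerability-scan:
    runs-on: ubuntu-latest
    needs: build-strictness
    env:
      DOCKER_NAME: search-api
    steps:
      # Checkout is still required: defaults.run.working-directory must
      # exist for the `run:` steps below.
      - uses: actions/checkout@v2
      - name: Download artifact
        uses: actions/download-artifact@v2
        with:
          name: ${{ env.DOCKER_NAME }}
          path: /tmp
      - name: Load image
        run: |
          ls -l /tmp
          docker load --input "/tmp/${DOCKER_NAME}.tar"
      - name: Run Trivy vulnerability scanner
        # TODO(security): `@master` is a mutable ref — a compromised or
        # breaking upstream commit would run here unreviewed. Pin to a
        # release tag, or preferably a full commit SHA, as the other actions
        # are pinned to majors.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.DOCKER_NAME }}
          format: "table"
          # Fail the PR on any CRITICAL/HIGH finding that has a fix available.
          exit-code: "1"
          # Findings without an upstream fix are hidden, not absent — revisit
          # this periodically rather than treating a clean scan as zero CVEs.
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
      # delete-artifact: run even when the scan fails, so the image tarball
      # is not left downloadable from the run summary.
      - uses: geekyeggo/delete-artifact@v1
        if: always()
        with:
          name: ${{ env.DOCKER_NAME }}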