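# Continuous Integration workflow: secret scanning, unit/e2e tests, an
# accessibility regression gate, SAST (CodeQL, Semgrep) and linting.
#
# Third-party actions are pinned to full commit SHAs; the trailing "# vX.Y.Z"
# comment next to each SHA is what dependency-update bots read to bump the pin,
# so keep it on the same line as the `uses:` value.
#
# NOTE(review): there is no workflow-level `permissions:` block, so every job
# that does not declare its own (secret-scanning, a11y-regression, lint,
# unit-tests, e2e-tests) runs with the repository's default GITHUB_TOKEN scopes.
# A top-level `permissions: { contents: read }` would be the least-privilege
# default; confirm the reusable workflows and composite actions need no write
# scope before adding it, since job-level grants would then have to be explicit.
name: Continuous Integration

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
      - development
      - staging
    # Pushes that only touch these paths do not run CI. Pull requests carry no
    # such filter and always run.
    paths-ignore:
      - '.github/**'  # workflow edits
      - 'docs/**'     # documentation edits
      - '*.md'
      - 'terraform/**'

jobs:
  secret-scanning:
    name: Trufflehog Secret Scanning
    runs-on: ubuntu-latest
    steps:
      # Full history is needed so TruffleHog can walk commits between base and
      # head rather than only the checked-out tree.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
      - id: trufflehog
        name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2
        # The PR branch name (`github.head_ref`) is a value a contributor
        # controls. It is exported as an env var and referenced below as the
        # literal "$GITHUB_HEAD_REF_SAFE", presumably so the raw value is never
        # interpolated into the action's shell script. NOTE(review): this relies
        # on the action's run step expanding that literal — verify after bumps.
        env:
          GITHUB_HEAD_REF_SAFE: ${{ github.head_ref }}
        # NOTE(review): with continue-on-error the job stays green even when
        # verified secrets are found, so this scan is informational and does
        # not gate merges. Drop it (or check the step outcome) to enforce.
        continue-on-error: true
        with:
          path: ./
          base: '${{ github.event.repository.default_branch }}'
          head: '$GITHUB_HEAD_REF_SAFE'
          extra_args: --debug --only-verified
      # Retained alternative that runs the scanner via Docker and fails on hit:
      # - name: Setup Trufflehog [Docker]
      #   env:
      #     GITHUB_HEAD_REF_SAFE: ${{ github.head_ref }}
      #   run: docker run --rm -v "$PWD:/pwd" trufflesecurity/trufflehog:3.67.1 git file://. --since-commit main --branch "$GITHUB_HEAD_REF_SAFE" --only-verified --fail

  # `secrets: inherit` forwards every repository/organization secret to the
  # called workflow; both callees live in this repository. See
  # https://docs.github.com/en/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow
  unit-tests:
    name: Unit Tests
    uses: ./.github/workflows/unit_test_reusable.yml
    secrets: inherit

  e2e-tests:
    name: End-to-End Tests
    uses: ./.github/workflows/e2e_test_reusable.yml
    secrets: inherit

  a11y-regression:
    name: A11y Regression Gate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: ./.github/actions/setup-javascript
      # Cache keyed on OS, CPU arch and the lockfile so a dependency change
      # re-downloads the Cypress binary.
      - name: Cache Cypress binary
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.cache/Cypress
          key: cypress-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('frontend/bun.lock') }}
      - name: Install Cypress binary
        working-directory: ./frontend
        run: |
          bunx cypress install
          bunx cypress verify
      # The JWT key pair is handed to the stack so it can issue/verify tokens.
      - name: Launch Stack
        uses: ./.github/actions/run-full-stack
        env:
          JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }}
          JWT_PUBLIC_KEY: ${{ secrets.JWT_PUBLIC_KEY }}
      - name: Validate a11y suppression metadata
        working-directory: ./frontend
        run: bun run a11y:validate-suppressions
      - name: Install minimal runtime deps for headless browser
        run: |
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends dbus-x11 xvfb libgtk-3-0 libnss3 libxss1 libasound2t64 libgbm1
      # NOTE(review): the private signing key is also exposed to the Cypress
      # process itself; presumably the specs mint tokens directly — confirm,
      # and drop it from this step if only the public key is needed.
      # The runner is invoked with npx here but bunx above — TODO confirm
      # that is intentional.
      - name: Run critical accessibility regression specs
        working-directory: ./frontend
        env:
          TERM: xterm
          A11Y_REGRESSION_GATE: 'true'
          JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }}
          JWT_PUBLIC_KEY: ${{ secrets.JWT_PUBLIC_KEY }}
        run: |
          dbus-run-session -- npx cypress run \
            --config-file ./cypress.config.ci.js \
            --headless \
            --spec "cypress/e2e/agreementList.cy.js,cypress/e2e/agreementsPagination.cy.js,cypress/e2e/agreementDetails.cy.js,cypress/e2e/portfolioList.cy.js,cypress/e2e/portfolioDetail.cy.js,cypress/e2e/budgetLineItemsList.cy.js,cypress/e2e/createAgreement.cy.js,cypress/e2e/createAgreementWithValidations.cy.js,cypress/e2e/uploadDocument.cy.js,cypress/e2e/notificationCenter.cy.js"

  # Token scopes passed to a called workflow are a ceiling: the callee may
  # narrow them but not widen them. Scopes not listed here are `none`.
  codeql-analysis:
    name: CodeQL Scan
    uses: ./.github/workflows/security_codeql.yml
    permissions:
      actions: read
      contents: read
      security-events: write

  # `contents: read` is granted to match the CodeQL job above; without it the
  # called workflow receives a token with no contents scope at all.
  semgrep-analysis:
    name: Semgrep Scan
    uses: ./.github/workflows/security_semgrep.yml
    permissions:
      contents: read
      security-events: write

  lint:
    name: Linting
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: ./.github/actions/setup-python
      # Backend (ops_api): nox lint session, then Black and isort in check mode.
      - name: Lint backend
        working-directory: ./backend/ops_api
        run: pipenv run nox -s lint
      - name: Check backend formatting (Black)
        working-directory: ./backend/ops_api
        run: pipenv run black --config ./pyproject.toml --check ops tests ./noxfile.py ../../performance_tests/locustfile.py
      - name: Check backend import sorting (isort)
        working-directory: ./backend/ops_api
        run: pipenv run isort --settings-file ./pyproject.toml --check-only --filter-files ops tests ./noxfile.py ../../performance_tests/locustfile.py
      # data_tools has its own Pipfile, so its dev dependencies are installed
      # separately before the same two checks run there.
      - name: Install data_tools dependencies
        working-directory: ./backend/data_tools
        run: pipenv install --dev
      - name: Check data_tools formatting (Black)
        working-directory: ./backend/data_tools
        run: pipenv run black --config ./pyproject.toml --check .
      - name: Check data_tools import sorting (isort)
        working-directory: ./backend/data_tools
        run: pipenv run isort --settings-file ./pyproject.toml --check-only --filter-files .
      # Frontend: ESLint via the package script, then Prettier in check mode
      # (vendored USWDS sources are excluded).
      - uses: ./.github/actions/setup-javascript
      - name: Lint frontend
        working-directory: ./frontend
        run: bun lint
      - name: Check frontend formatting
        working-directory: ./frontend
        run: bun run prettier --check --ignore-unknown 'src/**/*' '!src/uswds/**'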