Add AI Tools extension to Threat Dragon #1039
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR pipeline | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| env: | |
| IMAGE_NAME: "pr-${{ github.event.number }}" | |
| ZAP_FILE: "zap-scan-pr-${{ github.event.number }}" | |
| GITHUB_CLIENT_ID: "${{ secrets.CI_GITHUB_CLIENT_ID }}" | |
| GITHUB_CLIENT_SECRET: "${{ secrets.CI_GITHUB_CLIENT_SECRET }}" | |
| ENCRYPTION_JWT_REFRESH_SIGNING_KEY: "${{ secrets.CI_JWT_REFRESH_SIGNING_KEY }}" | |
| ENCRYPTION_JWT_SIGNING_KEY: "${{ secrets.CI_JWT_SIGNING_KEY }}" | |
| ENCRYPTION_KEYS: "${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}" | |
| NODE_ENV: development | |
| SERVER_API_PROTOCOL: http | |
| # for security reasons the github actions are pinned to specific release versions | |
| jobs: | |
| md_linter: | |
| name: Lint docs | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout markdown | |
| uses: actions/[email protected] | |
| - name: Lint markdown | |
| uses: DavidAnson/[email protected] | |
| with: | |
| config: '.markdownlint.yaml' | |
| globs: | | |
| docs/*.md | |
| docs/**/*.md | |
| td.vue/*.md | |
| td.server/*.md | |
| *.md | |
| link_checker: | |
| name: Link checker | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout markdown | |
| uses: actions/[email protected] | |
| - name: Link Checker | |
| uses: lycheeverse/[email protected] | |
| with: | |
| args: >- | |
| --no-progress | |
| --max-retries 1 | |
| --retry-wait-time 10 | |
| 'docs/**/*.md' | |
| 'docs/*.md' | |
| '*.md' | |
| fail: true | |
| env: | |
| GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
| spell_checker: | |
| name: Check spelling | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout markdown | |
| uses: actions/[email protected] | |
| - name: Spell check EN language | |
| uses: rojopolis/[email protected] | |
| with: | |
| config_path: .spellcheck.yaml | |
| server_unit_tests: | |
| name: Server unit tests | |
| runs-on: ubuntu-24.04 | |
| defaults: | |
| run: | |
| working-directory: td.server | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Use node LTS 20.14.0 | |
| uses: actions/[email protected] | |
| with: | |
| node-version: '20.14.0' | |
| - name: Cache NPM dir | |
| uses: actions/[email protected] | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| ${{ runner.os }}- | |
| - name: Install clean packages | |
| run: npm clean-install | |
| - name: lint | |
| run: npm run lint | |
| - name: Unit test | |
| run: npm run test:unit | |
| site_unit_tests: | |
| name: Site unit tests | |
| runs-on: ubuntu-24.04 | |
| defaults: | |
| run: | |
| working-directory: td.vue | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Use node LTS 20.14.0 | |
| uses: actions/[email protected] | |
| with: | |
| node-version: '20.14.0' | |
| - name: Cache NPM dir | |
| uses: actions/[email protected] | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| ${{ runner.os }}- | |
| - name: Install clean packages | |
| run: npm clean-install | |
| - name: Site lint | |
| run: npm run lint | |
| - name: Run unit tests | |
| run: npm run test:unit | |
| desktop_unit_tests: | |
| name: Desktop unit tests | |
| runs-on: ubuntu-24.04 | |
| defaults: | |
| run: | |
| working-directory: td.vue | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Use node LTS 20.14.0 | |
| uses: actions/[email protected] | |
| with: | |
| node-version: '20.14.0' | |
| - name: Cache NPM dir | |
| uses: actions/[email protected] | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| ${{ runner.os }}- | |
| - name: Install clean packages | |
| run: npm clean-install | |
| - name: Desktop lint | |
| run: npm run lint:desktop | |
| - name: Run unit tests | |
| run: npm run test:desktop | |
| codeql: | |
| name: Analyze with codeql | |
| runs-on: ubuntu-24.04 | |
| needs: [server_unit_tests, site_unit_tests, desktop_unit_tests] | |
| permissions: | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/[email protected] | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| languages: 'javascript' | |
| config-file: ./.github/codeql/codeql-config.yml | |
| # If you wish to specify custom queries, you can do so here or in a config file. | |
| # By default, queries listed here will override any specified in a config file. | |
| # Prefix the list here with "+" to use these queries and those in the config file. | |
| - name: CodeQL autobuild | |
| uses: github/codeql-action/[email protected] | |
| - name: Perform vulnerability analysis | |
| uses: github/codeql-action/[email protected] | |
| e2e_smokes: | |
| name: Local site e2e smokes | |
| runs-on: ubuntu-24.04 | |
| needs: [site_unit_tests, server_unit_tests] | |
| defaults: | |
| run: | |
| working-directory: td.vue | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Use node LTS 20.14.0 | |
| uses: actions/[email protected] | |
| with: | |
| node-version: '20.14.0' | |
| - name: Cache NPM dir | |
| uses: actions/[email protected] | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| ${{ runner.os }}- | |
| - name: Install front-end | |
| run: npm clean-install | |
| - name: Build and run locally | |
| run: npm run start:serve | |
| - name: Run e2e tests | |
| run: npm run test:e2e-pr-smokes | |
| - name: Upload e2e videos | |
| uses: actions/[email protected] | |
| with: | |
| name: e2e_vids.zip | |
| path: tests/e2e/videos | |
| if: ${{ failure() && hashFiles('tests/e2e/videos/') != '' }} | |
| e2e_tests: | |
| name: Local site e2e tests | |
| runs-on: ubuntu-24.04 | |
| needs: e2e_smokes | |
| defaults: | |
| run: | |
| working-directory: td.vue | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Use node LTS 20.14.0 | |
| uses: actions/[email protected] | |
| with: | |
| node-version: '20.14.0' | |
| - name: Cache NPM dir | |
| uses: actions/[email protected] | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Install front-end | |
| run: npm clean-install | |
| - name: Build and run locally | |
| run: npm run start:serve | |
| - name: Run e2e tests | |
| run: npm run test:e2e-pr | |
| - name: Upload e2e videos | |
| uses: actions/[email protected] | |
| with: | |
| name: e2e_vids.zip | |
| path: tests/e2e/videos | |
| if: ${{ failure() && hashFiles('tests/e2e/videos/') != '' }} | |
| zap_scan_web_app: | |
| name: Local site zap scan | |
| runs-on: ubuntu-24.04 | |
| needs: e2e_tests | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Use node LTS 20.14.0 | |
| uses: actions/[email protected] | |
| with: | |
| node-version: '20.14.0' | |
| - name: Cache NPM dir | |
| uses: actions/[email protected] | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Clean install | |
| run: | | |
| npm clean-install --ignore-scripts | |
| cd td.server | |
| npm clean-install | |
| cd ../td.vue | |
| npm clean-install | |
| - name: Build and run locally | |
| run: npm start | |
| - name: ZAP Scan | |
| uses: zaproxy/[email protected] | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| target: 'http://localhost:8080' | |
| rules_file_name: '.github/workflows/.zap-rules-web.tsv' | |
| allow_issue_writing: false | |
| fail_action: false | |
| artifact_name: ${{ env.ZAP_FILE }} | |
| cmd_options: '-a' | |
| build_docker_image: | |
| name: Build docker image | |
| runs-on: ubuntu-24.04 | |
| needs: e2e_smokes | |
| if: github.repository == 'OWASP/threat-dragon' | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/[email protected] | |
| with: | |
| install: true | |
| - name: Cache Docker layers | |
| uses: actions/[email protected] | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile') }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| ${{ runner.os }}- | |
| - name: Build for amd64 | |
| id: docker_build | |
| uses: docker/[email protected] | |
| with: | |
| context: ./ | |
| file: ./Dockerfile | |
| builder: ${{ steps.buildx.outputs.name }} | |
| tags: ${{ env.IMAGE_NAME }} | |
| outputs: type=docker,dest=/tmp/${{ env.IMAGE_NAME }}.tar | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max | |
| platforms: linux/amd64 | |
| load: true | |
| - name: Upload docker local image | |
| uses: actions/[email protected] | |
| with: | |
| name: ${{ env.IMAGE_NAME }} | |
| path: /tmp/${{ env.IMAGE_NAME }}.tar | |
| - name: Check docker local image | |
| run: | | |
| docker load --input /tmp/${{ env.IMAGE_NAME }}.tar | |
| docker image ls -a | |
| - # Temp fix for large cache bug | |
| # https://github.com/docker/build-push-action/issues/252 | |
| name: Move cache | |
| run: | | |
| rm -rf /tmp/.buildx-cache | |
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
| scan_image_with_trivy: | |
| name: Scan with Trivy | |
| runs-on: ubuntu-24.04 | |
| needs: build_docker_image | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Retrieve local docker image | |
| uses: actions/[email protected] | |
| with: | |
| name: ${{ env.IMAGE_NAME }} | |
| path: /tmp | |
| - name: Load local docker image | |
| run: | | |
| docker load --input /tmp/${{ env.IMAGE_NAME }}.tar | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: '${{ env.IMAGE_NAME }}' | |
| format: 'table' | |
| trivyignores: '.github/workflows/.trivyignore' | |
| exit-code: 1 | |
| skip-files: '/app/docs/configure/bitbucket.html' |