AAP-64830: fixes CVE-2026-1207, CVE-2026-1287, CVE-2026-1312. (#1834) #6203
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Code Coverage | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| # have the ability to trigger this workflow manually | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| name: Unit Test and SonarCloud Scan | |
| runs-on: ubuntu-latest | |
| env: | |
| ANSIBLE_AI_DATABASE_HOST: localhost | |
| ANSIBLE_AI_DATABASE_NAME: wisdom | |
| ANSIBLE_AI_DATABASE_PASSWORD: wisdom | |
| ANSIBLE_AI_DATABASE_USER: wisdom | |
| DJANGO_SETTINGS_MODULE: ansible_ai_connect.main.settings.development | |
| ENABLE_ANSIBLE_LINT_POSTPROCESS: True | |
| PYTHONUNBUFFERED: 1 | |
| SECRET_KEY: somesecret | |
| services: | |
| postgres: | |
| image: docker.io/library/postgres:alpine | |
| env: | |
| POSTGRES_USER: wisdom | |
| POSTGRES_PASSWORD: wisdom | |
| POSTGRES_DB: wisdom | |
| ports: | |
| - 5432:5432 | |
| # needed because the postgres container does not provide a healthcheck | |
| options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
| ############## | |
| # Python tests | |
| ############## | |
| - name: Setup Python 3.12 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.12' | |
| - name: Install Dependencies (Python) | |
| run: | | |
| python3 -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install .[dev] | |
| - name: Create CA symlink to use RH's certifi on ubuntu-latest | |
| run: | | |
| sudo mkdir -p /etc/pki/tls/certs | |
| sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt | |
| - name: Running Unit Tests (Python) | |
| run: | | |
| coverage run --rcfile=setup.cfg -m ansible_ai_connect.manage test ansible_ai_connect | |
| coverage xml | |
| coverage report --rcfile=setup.cfg --format=markdown > code-coverage-results.md | |
| # See https://sonarsource.atlassian.net/browse/SONARPY-1203 | |
| - name: Fix paths in coverage file | |
| run: | | |
| sed -i 's,/home/runner/work/ansible-wisdom-service/ansible-wisdom-service/,/github/workspace/,g' coverage.xml | |
| ################## | |
| # TypeScript tests | |
| ################## | |
| - name: Use Node.js | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: '21.x' | |
| cache: 'npm' | |
| cache-dependency-path: ./ansible_ai_connect_admin_portal/package-lock.json | |
| - name: Install Dependencies (TypeScript) | |
| run: npm ci | |
| working-directory: ./ansible_ai_connect_admin_portal | |
| - name: Running Unit Tests (TypeScript) | |
| run: npm run test | |
| working-directory: ./ansible_ai_connect_admin_portal | |
| ############################ | |
| # TypeScript tests (chatbot) | |
| ############################ | |
| - name: Use Node.js (chatbot) | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: '21.x' | |
| cache: 'npm' | |
| cache-dependency-path: ./ansible_ai_connect_chatbot/package-lock.json | |
| - name: Install Dependencies (TypeScript) (chatbot) | |
| run: npm install | |
| working-directory: ./ansible_ai_connect_chatbot | |
| - name: Install Chromium dependencies (chatbot) | |
| run: npx playwright install-deps chromium | |
| working-directory: ./ansible_ai_connect_chatbot | |
| - name: Install Chromium (chatbot) | |
| run: npx playwright install chromium | |
| working-directory: ./ansible_ai_connect_chatbot | |
| - name: Running Unit Tests with code coverage (TypeScript) (chatbot) | |
| run: npm run coverage | |
| working-directory: ./ansible_ai_connect_chatbot | |
| ##################### | |
| # SonarCloud coverage | |
| ##################### | |
| - name: SonarCloud Scan | |
| uses: SonarSource/sonarqube-scan-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| #################### | |
| # OpenAPI file check | |
| #################### | |
| - name: Ensure the OpenAPI file is up to date | |
| run: | | |
| make run-server & | |
| sleep 10 | |
| make create-cachetable | |
| make update-openapi-schema | |
| git diff --exit-code -- tools/openapi-schema/ansible-ai-connect-service.yaml | |
| git diff --exit-code -- tools/openapi-schema/ansible-ai-connect-service.json | |
| - name: Validate OpenAPI schema | |
| run: | | |
| python3 -c " | |
| from openapi_spec_validator import validate_url | |
| from openapi_spec_validator.validation.validators import OpenAPIV30SpecValidator | |
| validate_url('http://localhost:8000/api/schema/', cls=OpenAPIV30SpecValidator) | |
| " |