[roadmap] Add evidence storage restore drill phase two #271
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: ["main", "master"] | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| rust-backend-tests: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| components: rustfmt, clippy | |
| - name: Check Rust formatting | |
| run: | | |
| cargo fmt --manifest-path rust/iscy-backend/Cargo.toml -- --check | |
| - name: Run Rust clippy | |
| run: | | |
| cargo clippy --locked --manifest-path rust/iscy-backend/Cargo.toml --all-targets -- -D warnings | |
| - name: Run Rust backend tests | |
| run: | | |
| cargo test --locked --manifest-path rust/iscy-backend/Cargo.toml | |
| - name: Install verified Rust supply-chain tools | |
| uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cargo-audit,cargo-deny | |
| fallback: none | |
| - name: Audit Rust dependency advisories | |
| run: | | |
| cargo audit --file rust/iscy-backend/Cargo.lock --ignore RUSTSEC-2023-0071 | |
| - name: Check Rust dependency licenses and sources | |
| run: | | |
| cargo deny --manifest-path rust/iscy-backend/Cargo.toml check advisories licenses sources | |
| rust-bootstrap-smoke: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| - name: Run Rust DB/bootstrap HTTP smoke | |
| run: | | |
| make rust-smoke | |
| nix-rust-smoke: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - uses: cachix/install-nix-action@v31 | |
| with: | |
| extra_nix_config: | | |
| experimental-features = nix-command flakes | |
| - name: Run Nix Rust app smoke | |
| run: | | |
| tmpdir="$(mktemp -d)" | |
| db_path="$tmpdir/iscy-nix-smoke.sqlite3" | |
| cookie_file="$tmpdir/iscy-nix-smoke.cookies" | |
| evidence_file="$tmpdir/evidence.txt" | |
| import_file="$tmpdir/import-preview.csv" | |
| export DATABASE_URL="sqlite:////${db_path#/}" | |
| export ISCY_MEDIA_ROOT="$tmpdir/media" | |
| export RUST_BACKEND_BIND="127.0.0.1:19001" | |
| export RUST_BACKEND_URL="http://127.0.0.1:19001" | |
| printf 'rust smoke evidence\n' > "$evidence_file" | |
| printf 'Name,Beschreibung,BusinessUnit,Status\nRust Smoke Process,Previewed import,Security Operations,PARTIAL\n' > "$import_file" | |
| nix run .#iscy-backend -- init-demo | |
| nix run .#iscy-backend >"$tmpdir/iscy-backend.log" 2>&1 & | |
| pid="$!" | |
| trap 'kill "$pid" >/dev/null 2>&1 || true' EXIT | |
| for _ in $(seq 1 60); do | |
| if curl -fsS "$RUST_BACKEND_URL/health/live" >/dev/null 2>&1; then | |
| break | |
| fi | |
| if ! kill -0 "$pid" >/dev/null 2>&1; then | |
| cat "$tmpdir/iscy-backend.log" | |
| exit 1 | |
| fi | |
| sleep 1 | |
| done | |
| curl -fsS "$RUST_BACKEND_URL/health/live" >/dev/null | |
| curl -fsS "$RUST_BACKEND_URL/status/" >/dev/null | |
| curl -fsS -c "$cookie_file" -H "content-type: application/json" -d '{"tenant_id":1,"username":"admin","password":"Admin123!"}' "$RUST_BACKEND_URL/api/v1/auth/sessions" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/auth/session" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/dashboard/" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/admin/users/" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/imports/" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/1" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/1/nis2-export" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/1/nis2-export.html" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/1/nis2-export.pdf" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/accounts/users" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/accounts/roles" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/accounts/groups" >/dev/null | |
| curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/accounts/permissions" >/dev/null | |
| curl -fsS -b "$cookie_file" -F import_type='processes' -F "file=@$import_file;filename=preview.csv;type=text/csv" "$RUST_BACKEND_URL/api/v1/import-center/preview" >/dev/null | |
| curl -fsS -b "$cookie_file" -H "content-type: application/json" -d '{"import_type":"business_units","replace_existing":false,"csv_data":"name\nRust Smoke Import"}' "$RUST_BACKEND_URL/api/v1/import-center/csv" >/dev/null | |
| curl -fsS -b "$cookie_file" -F title='Rust Smoke Evidence' -F status='SUBMITTED' -F session_id='1' -F requirement_id='1' -F incident_id='1' -F "file=@$evidence_file;filename=evidence.txt;type=text/plain" "$RUST_BACKEND_URL/api/v1/evidence/uploads" >/dev/null | |
| curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/catalog/domains" >/dev/null | |
| curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/requirements" >/dev/null | |
| curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/incidents" >/dev/null | |
| curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/incidents/1/nis2-export" >/dev/null | |
| curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/incidents/1/nis2-export.html" >/dev/null | |
| curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/incidents/1/nis2-export.pdf" >/dev/null | |
| curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/product-security/overview" >/dev/null | |
| docker-config: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - name: Validate effective compose configurations | |
| run: | | |
| cp .env.example .env | |
| docker compose config | |
| docker compose --env-file .env -f docker-compose.yml -f docker-compose.llm.yml config | |
| docker compose --env-file .env -f docker-compose.yml -f docker-compose.stage.yml config | |
| docker compose --env-file .env -f docker-compose.yml -f docker-compose.prod.yml config | |
| docker compose --env-file .env -f docker-compose.yml -f docker-compose.prod.yml -f docker-compose.llm.yml config | |
| - name: Build hardened application image | |
| run: | | |
| docker build --file rust/iscy-backend/Dockerfile rust/iscy-backend |