-
Notifications
You must be signed in to change notification settings - Fork 0
131 lines (122 loc) · 6.58 KB
/
Copy pathci.yml
File metadata and controls
131 lines (122 loc) · 6.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: CI
on:
push:
branches: ["main", "master"]
pull_request:
permissions:
contents: read
jobs:
rust-backend-tests:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v7
- uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
components: rustfmt, clippy
- name: Check Rust formatting
run: |
cargo fmt --manifest-path rust/iscy-backend/Cargo.toml -- --check
- name: Run Rust clippy
run: |
cargo clippy --locked --manifest-path rust/iscy-backend/Cargo.toml --all-targets -- -D warnings
- name: Run Rust backend tests
run: |
cargo test --locked --manifest-path rust/iscy-backend/Cargo.toml
- name: Install verified Rust supply-chain tools
uses: taiki-e/install-action@v2
with:
tool: cargo-audit,cargo-deny
fallback: none
- name: Audit Rust dependency advisories
run: |
cargo audit --file rust/iscy-backend/Cargo.lock --ignore RUSTSEC-2023-0071
- name: Check Rust dependency licenses and sources
run: |
cargo deny --manifest-path rust/iscy-backend/Cargo.toml check advisories licenses sources
rust-bootstrap-smoke:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v7
- uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
- name: Run Rust DB/bootstrap HTTP smoke
run: |
make rust-smoke
nix-rust-smoke:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v7
- uses: cachix/install-nix-action@v31
with:
extra_nix_config: |
experimental-features = nix-command flakes
- name: Run Nix Rust app smoke
run: |
tmpdir="$(mktemp -d)"
db_path="$tmpdir/iscy-nix-smoke.sqlite3"
cookie_file="$tmpdir/iscy-nix-smoke.cookies"
evidence_file="$tmpdir/evidence.txt"
import_file="$tmpdir/import-preview.csv"
export DATABASE_URL="sqlite:////${db_path#/}"
export ISCY_MEDIA_ROOT="$tmpdir/media"
export RUST_BACKEND_BIND="127.0.0.1:19001"
export RUST_BACKEND_URL="http://127.0.0.1:19001"
printf 'rust smoke evidence\n' > "$evidence_file"
printf 'Name,Beschreibung,BusinessUnit,Status\nRust Smoke Process,Previewed import,Security Operations,PARTIAL\n' > "$import_file"
nix run .#iscy-backend -- init-demo
nix run .#iscy-backend >"$tmpdir/iscy-backend.log" 2>&1 &
pid="$!"
trap 'kill "$pid" >/dev/null 2>&1 || true' EXIT
for _ in $(seq 1 60); do
if curl -fsS "$RUST_BACKEND_URL/health/live" >/dev/null 2>&1; then
break
fi
if ! kill -0 "$pid" >/dev/null 2>&1; then
cat "$tmpdir/iscy-backend.log"
exit 1
fi
sleep 1
done
curl -fsS "$RUST_BACKEND_URL/health/live" >/dev/null
curl -fsS "$RUST_BACKEND_URL/status/" >/dev/null
curl -fsS -c "$cookie_file" -H "content-type: application/json" -d '{"tenant_id":1,"username":"admin","password":"Admin123!"}' "$RUST_BACKEND_URL/api/v1/auth/sessions" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/auth/session" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/dashboard/" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/admin/users/" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/imports/" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/1" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/1/nis2-export" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/1/nis2-export.html" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/incidents/1/nis2-export.pdf" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/accounts/users" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/accounts/roles" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/accounts/groups" >/dev/null
curl -fsS -b "$cookie_file" "$RUST_BACKEND_URL/api/v1/accounts/permissions" >/dev/null
curl -fsS -b "$cookie_file" -F import_type='processes' -F "file=@$import_file;filename=preview.csv;type=text/csv" "$RUST_BACKEND_URL/api/v1/import-center/preview" >/dev/null
curl -fsS -b "$cookie_file" -H "content-type: application/json" -d '{"import_type":"business_units","replace_existing":false,"csv_data":"name\nRust Smoke Import"}' "$RUST_BACKEND_URL/api/v1/import-center/csv" >/dev/null
curl -fsS -b "$cookie_file" -F title='Rust Smoke Evidence' -F status='SUBMITTED' -F session_id='1' -F requirement_id='1' -F incident_id='1' -F "file=@$evidence_file;filename=evidence.txt;type=text/plain" "$RUST_BACKEND_URL/api/v1/evidence/uploads" >/dev/null
curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/catalog/domains" >/dev/null
curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/requirements" >/dev/null
curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/incidents" >/dev/null
curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/incidents/1/nis2-export" >/dev/null
curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/incidents/1/nis2-export.html" >/dev/null
curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/incidents/1/nis2-export.pdf" >/dev/null
curl -fsS -H "x-iscy-tenant-id: 1" -H "x-iscy-user-id: 1" "$RUST_BACKEND_URL/api/v1/product-security/overview" >/dev/null
docker-config:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v7
- name: Validate effective compose configurations
run: |
cp .env.example .env
docker compose config
docker compose --env-file .env -f docker-compose.yml -f docker-compose.llm.yml config
docker compose --env-file .env -f docker-compose.yml -f docker-compose.stage.yml config
docker compose --env-file .env -f docker-compose.yml -f docker-compose.prod.yml config
docker compose --env-file .env -f docker-compose.yml -f docker-compose.prod.yml -f docker-compose.llm.yml config
- name: Build hardened application image
run: |
docker build --file rust/iscy-backend/Dockerfile .