OLH-4172: analytics for all paths #3195
# "Check" workflow: runs the repository's static checks (type check, ESLint,
# formatting, Terraform/SAM/CloudFormation linting, config and API-spec
# validation, workflow and IaC security scanners) on pull requests and
# merge-group builds.
name: Check
# Workflow-level default: the GITHUB_TOKEN gets no scopes at all. The job
# below opts in to exactly the scopes it needs.
permissions: {}
on:
  pull_request:
  merge_group:
jobs:
  check:
    runs-on: ubuntu-latest
    # Job-level scopes. Any scope not listed here is 'none', so 'contents: read'
    # is NOT granted; checkout and the scanner steps therefore rely on that being
    # sufficient for this repository. NOTE(review): confirm — a private repository
    # would need 'contents: read' here.
    permissions:
      # presumably required for the zizmor step to upload SARIF findings to
      # code scanning — verify against the action's docs
      security-events: write
      # presumably required for 'npm run install-all' to read packages from
      # GitHub Packages via NODE_AUTH_TOKEN below — confirm
      packages: read
    steps:
      # Every third-party action is pinned to a full commit SHA (an immutable
      # ref, unlike a tag). NOTE(review): only the checkov pin below carries the
      # tag it resolves to; adding a "# vX.Y.Z" comment to the other pins makes
      # pin bumps easier to review.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # Keep the GITHUB_TOKEN out of .git/config so that later steps
          # (npm/npx scripts, linters) cannot read it from the checkout.
          persist-credentials: false
      # Lints this repository's own GitHub Actions workflow files.
      - name: Check GitHub Actions
        uses: zizmorcore/zizmor-action@a16621b09c6db4281f81a93cb393b05dcd7b7165
      - name: Set up Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
        with:
          node-version-file: .nvmrc
      - name: Set up tflint
        uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93
      - name: Set up SAM CLI
        uses: aws-actions/setup-sam@89ddb14d60e682855e3fea4be85b3c56485de310
        with:
          use-installer: true
          # Token handed to the action for its GitHub API calls (presumably so
          # the installer download is not subject to unauthenticated rate
          # limits — confirm against the action's docs).
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up JSON Schema CLI
        uses: sourcemeta/jsonschema@ac8293b728fd9fc9d7db832252812504f152e84b
      - name: Set up cfn-lint
        uses: scottbrenner/cfn-lint-action@ed184e91f5085a2932501da8314e899e5e0ef5be
      # NODE_AUTH_TOKEN is read by npm for registry authentication; the token
      # only carries the scopes granted in the job-level permissions block
      # ('packages: read' is the relevant one).
      - name: Install dependencies
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: npm run install-all
      - name: Build
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: npm run build:all
      - name: Check types
        run: npm run check-types
      - name: ESLint
        run: npm run eslint
      - name: Lint Terraform
        run: npm run tflint
      - name: SAM validate
        run: npm run sam-validate
      - name: Lint CloudFormation
        run: npm run cfnlint
      - name: Check formatting
        run: npm run format
      - name: Knip
        run: npm run knip
      - name: Validate config
        run: npm run config:validate
      - name: Validate API Specs
        run: npm run api-specs:validate
      # Inline tsx script: calls getAllPasskeyConvenienceMetadata() from
      # solutions/commons/utils/passkeysConvenienceMetadata/index.ts and prints
      # "Metadata is valid" when the promise resolves. The catch handler
      # rethrows, so a failure surfaces as an unhandled rejection, which makes
      # node exit non-zero and fails the step. The resolved 'metadata' value
      # itself is not inspected beyond the call succeeding.
      - name: Validate passkeys convenience metadata
        run: |
          npx tsx -e '
          import { getAllPasskeyConvenienceMetadata } from "./solutions/commons/utils/passkeysConvenienceMetadata/index.ts";
          getAllPasskeyConvenienceMetadata().then((metadata) => {
            console.log("Metadata is valid");
          }).catch((err: unknown) => {
            throw err
          });
          '
      # IaC / workflow / OpenAPI / Dockerfile misconfiguration scanner over the
      # whole repository. Each skipped check is justified in the comments below.
      - name: Checkov
        uses: bridgecrewio/checkov-action@4048c972aae68d0b983a48bb3479aab2d877b898 # v12.3102.0
        with:
          directory: .
          output_format: cli
          output_file_path: console
          # skip_path skips solutions/app-infra/template.yaml due to a checkov bug where Fn::If
          # inside SAM Globals causes a ValueError crash (invalid literal for int() with base 10: 'Fn::If').
          # cfn-lint still runs against this template via the cfnlint CI step.
          # See: https://github.com/bridgecrewio/checkov/issues/6804
          skip_path: solutions/app-infra/template.yaml
          # CKV_GHA_7 flags workflow_dispatch inputs but these workflows use gitRef solely
          # to select the deployment revision, not to affect build output.
          # CKV2_GHA_1 flags missing top-level permissions but all jobs in affected workflows
          # already define their own explicit permissions, making a top-level block redundant.
          # CKV_OPENAPI_21 flags that omitting maxItems leaves arrays unbounded, created OLH-4092
          # CKV_OPENAPI_4 and CKV_OPENAPI_5 flag empty security but public endpoints
          # (token, authorize, .well-known) intentionally have no authentication
          # CKV_AWS_18 flags missing S3 access logging and CKV_AWS_111 flags IAM policies
          # without write access constraints, created OLH-4093 to implement
          # CKV_AWS_124 intentionally omitted as SNS topics do not exist.
          # CKV_DOCKER_4 flags Dockerfiles using ADD instead of RUN curl and CKV_DOCKER_2
          # flags missing HEALTHCHECK instructions, created OLH-4094 to implement.
          # CKV_DOCKER_3: "need a non-user root user" is intentionally omitted as the integration tests container needs root permissions to run AWS CLI commands and install dependencies.
          skip_check: CKV_GHA_7,CKV2_GHA_1,CKV_OPENAPI_21,CKV_OPENAPI_4,CKV_OPENAPI_5,CKV_AWS_18,CKV_AWS_111,CKV_AWS_124,CKV_DOCKER_2,CKV_DOCKER_3,CKV_DOCKER_4