feat: add Helm chart #448
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Audit Python dependencies for known vulnerabilities (pip-audit). | |
| # Runs on push/PR to master and dev; fails if any CVEs are found. | |
| name: Security audit | |
| on: | |
| push: | |
| branches: [master, dev] | |
| paths-ignore: | |
| - '**.md' | |
| - 'docs/**' | |
| - 'iam-proxy-italia-project/static/**' | |
| - 'Docker-compose/nginx/html/static/**' | |
| pull_request: | |
| branches: [master, dev] | |
| paths-ignore: | |
| - '**.md' | |
| - 'docs/**' | |
| - 'iam-proxy-italia-project/static/**' | |
| - 'Docker-compose/nginx/html/static/**' | |
| env: | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true' | |
| jobs: | |
| pre_job: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| should_skip: ${{ steps.skip_check.outputs.should_skip }} | |
| steps: | |
| - id: skip_check | |
| uses: fkirc/skip-duplicate-actions@v5.3.1 | |
| with: | |
| skip_after_successful_duplicate: 'true' | |
| concurrent_skipping: 'same_content_newer' | |
| audit: | |
| needs: pre_job | |
| if: needs.pre_job.outputs.should_skip != 'true' | |
| name: pip-audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Patch pyproject.toml if matching branch exists in eudi-wallet-it-python | |
| env: | |
| CURRENT_BRANCH: ${{ github.head_ref || github.ref_name }} | |
| TARGET_BRANCH: ${{ github.base_ref || 'master' }} | |
| DEPTH_COMMITS: 50 | |
| run: bash .github/scripts/patch-pyeudiw-branch.sh | |
| - name: Install dependencies with Poetry | |
| run: | | |
| pip install "poetry>=2.3.3" | |
| poetry install --extras test | |
| - name: Install pip-audit | |
| run: poetry run pip install pip-audit | |
| - name: Audit dependencies for vulnerabilities | |
| run: | | |
| # satosa is from git (peppelinux/SATOSA in pyproject.toml), not PyPI. | |
| # pip-audit will report "Dependency not found on PyPI ... satosa" — that means | |
| # "could not look up on PyPI", not "satosa is missing". Expected for git deps. | |
| # | |
| # --ignore-vuln CVE-2024-23342 (ecdsa): Minerva timing side-channel. python-ecdsa | |
| # considers side-channel attacks out of scope; no upstream fix exists. | |
| # | |
| # --cache-dir: use fresh dir to avoid CacheControl "deserialization failed" warnings from pip's incompatible http cache | |
| poetry run pip-audit --cache-dir /tmp/pip-audit-cache --desc \ | |
| --ignore-vuln CVE-2024-23342 | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "**Note:** \`satosa\` is installed from git (peppelinux/SATOSA). The \"not found on PyPI\" line for it is expected; pip-audit cannot look up git-installed packages on PyPI." >> $GITHUB_STEP_SUMMARY | |
| audit-djangosaml2-sp: | |
| needs: pre_job | |
| if: needs.pre_job.outputs.should_skip != 'true' | |
| name: pip-audit (djangosaml2_sp) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Install pip-audit | |
| run: pip install pip-audit | |
| - name: Audit djangosaml2_sp dependencies for vulnerabilities | |
| run: | | |
| # --cache-dir: use fresh dir to avoid CacheControl "deserialization failed" warnings | |
| pip-audit --cache-dir /tmp/pip-audit-cache -r iam-proxy-italia-project-demo-examples/djangosaml2_sp/requirements.txt --desc |