Bump actions/checkout from 4.1.1 to 4.2.0 in /.github/workflows #468
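---
# Pull-request pipeline: unit tests, CodeQL, a local docker image build, e2e
# tests against that image, and ZAP / Trivy scans of it. Nothing in this file
# publishes or pushes anything; the image only exists as a run artifact.
name: PR pipeline

on:
  pull_request:
    branches:
      - main
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: checkout, setup-node, cache and artifact
# steps only need read access. A job that needs more (CodeQL) declares it
# itself; note a job-level block REPLACES this one, it does not merge with it.
permissions:
  contents: read

env:
  # Local-only tag for the image built from this PR; it is never pushed to a
  # registry. github.event.number is the PR number (empty on
  # workflow_dispatch, giving "pr-"). Because it is numeric it is safe to use
  # in file paths and shell commands below; secrets are deliberately NOT
  # expanded into `run:` scripts — see the "Run Threat Dragon" steps.
  IMAGE_NAME: "pr-${{ github.event.number }}"
  ZAP_FILE: "zap-scan-pr-${{ github.event.number }}"

# The third-party actions below are pinned to release tags (vX.Y.Z) rather
# than floating majors. Tags are mutable, so this only protects against
# accidental drift; pinning each action to the full commit SHA of the release
# would also defend against a compromised or re-pointed tag.
jobs:
  server_unit_tests:
    name: Server unit tests
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: td.server
    steps:
      - name: Checkout
        uses: actions/[email protected]
      - name: Use node LTS 20.14.0
        uses: actions/[email protected]
        with:
          node-version: '20.14.0'
      - name: Cache NPM dir
        uses: actions/[email protected]
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-
            ${{ runner.os }}-
      # clean-install (npm ci) fails when package.json and package-lock.json
      # disagree, so the build cannot silently pick up an unpinned dependency.
      - name: Install packages
        run: npm clean-install
      - name: lint
        run: npm run lint
      - name: Unit test
        run: npm run test:unit

  site_unit_tests:
    name: Site unit tests
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: td.vue
    steps:
      - name: Checkout
        uses: actions/[email protected]
      - name: Use node LTS 20.14.0
        uses: actions/[email protected]
        with:
          node-version: '20.14.0'
      - name: Cache NPM dir
        uses: actions/[email protected]
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-
            ${{ runner.os }}-
      - name: Install packages
        run: npm clean-install
      - name: Site lint
        run: npm run lint
      - name: Run unit tests
        run: npm run test:unit

  desktop_unit_tests:
    name: Desktop unit tests
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: td.vue
    steps:
      - name: Checkout
        uses: actions/[email protected]
      - name: Use node LTS 20.14.0
        uses: actions/[email protected]
        with:
          node-version: '20.14.0'
      - name: Cache NPM dir
        uses: actions/[email protected]
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-
            ${{ runner.os }}-
      - name: Install packages
        run: npm clean-install
      - name: Desktop lint
        run: npm run lint:desktop
      - name: Run unit tests
        run: npm run test:desktop

  codeql:
    name: Analyze with codeql
    runs-on: ubuntu-24.04
    needs: [server_unit_tests, site_unit_tests]
    # Replaces the workflow-level block, so the read scopes are repeated here
    # next to the write scope the SARIF upload needs.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
    steps:
      - name: Checkout repository
        uses: actions/[email protected]
      - name: Initialize CodeQL
        uses: github/codeql-action/[email protected]
        with:
          languages: 'javascript'
          config-file: ./.github/codeql/codeql-config.yml
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
      - name: CodeQL autobuild
        uses: github/codeql-action/[email protected]
      - name: Perform vulnerability analysis
        uses: github/codeql-action/[email protected]

  build_docker_image:
    name: Build docker image
    runs-on: ubuntu-24.04
    needs: [site_unit_tests, server_unit_tests]
    # Only run in the upstream repository. The jobs that depend on this one
    # need the CI_* secrets, which forks do not have (and which GitHub does
    # not pass to pull_request runs from forks); skipping here skips them too.
    if: github.repository == 'OWASP/threat-dragon'
    steps:
      - name: Checkout
        uses: actions/[email protected]
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/[email protected]
        with:
          install: true
      - name: Cache Docker layers
        uses: actions/[email protected]
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile') }}
          restore-keys: |
            ${{ runner.os }}-buildx-
            ${{ runner.os }}-
      # The image is written to a tar (and loaded into the local daemon) —
      # there is no `push`, so no registry credentials are needed in this job.
      - name: Build for amd64
        id: docker_build
        uses: docker/[email protected]
        with:
          context: ./
          file: ./Dockerfile
          builder: ${{ steps.buildx.outputs.name }}
          tags: ${{ env.IMAGE_NAME }}
          outputs: type=docker,dest=/tmp/${{ env.IMAGE_NAME }}.tar
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
          platforms: linux/amd64
          load: true
      # Hands the image to the e2e and scan jobs as a run artifact.
      - name: Upload docker local image
        uses: actions/[email protected]
        with:
          name: ${{ env.IMAGE_NAME }}
          path: /tmp/${{ env.IMAGE_NAME }}.tar
      - name: Check docker local image
        run: |
          docker load --input "/tmp/${IMAGE_NAME}.tar"
          docker image ls -a
      - # Temp fix for large cache bug
        # https://github.com/docker/build-push-action/issues/252
        name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

  e2e_smokes:
    name: Site e2e smokes
    runs-on: ubuntu-24.04
    needs: build_docker_image
    defaults:
      run:
        working-directory: td.vue
    steps:
      - name: Checkout
        uses: actions/[email protected]
      - name: Download docker local image
        uses: actions/[email protected]
        with:
          name: ${{ env.IMAGE_NAME }}
          path: /tmp
      - name: Load docker local image
        run: |
          docker load --input "/tmp/${IMAGE_NAME}.tar"
      # Secrets are passed through the step environment and referenced as
      # shell variables rather than expanded with ${{ }} inside the script:
      # expressions are substituted into the script text before bash parses
      # it, so a value containing a quote would break out of the quoting
      # (ENCRYPTION_KEYS in particular is expected to contain quotes).
      - name: Run Threat Dragon
        env:
          CI_JWT_REFRESH_SIGNING_KEY: ${{ secrets.CI_JWT_REFRESH_SIGNING_KEY }}
          CI_JWT_SIGNING_KEY: ${{ secrets.CI_JWT_SIGNING_KEY }}
          CI_SESSION_ENCRYPTION_KEYS: ${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}
          CI_GITHUB_CLIENT_ID: ${{ secrets.CI_GITHUB_CLIENT_ID }}
          CI_GITHUB_CLIENT_SECRET: ${{ secrets.CI_GITHUB_CLIENT_SECRET }}
        run: |
          docker run -d \
            -p 3000:3000 \
            -e ENCRYPTION_JWT_REFRESH_SIGNING_KEY="$CI_JWT_REFRESH_SIGNING_KEY" \
            -e ENCRYPTION_JWT_SIGNING_KEY="$CI_JWT_SIGNING_KEY" \
            -e ENCRYPTION_KEYS="$CI_SESSION_ENCRYPTION_KEYS" \
            -e GITHUB_CLIENT_ID="$CI_GITHUB_CLIENT_ID" \
            -e GITHUB_CLIENT_SECRET="$CI_GITHUB_CLIENT_SECRET" \
            -e NODE_ENV='development' \
            -e SERVER_API_PROTOCOL='http' \
            "$IMAGE_NAME"
      - name: Use node LTS 20.14.0
        uses: actions/[email protected]
        with:
          node-version: '20.14.0'
      - name: Cache NPM dir
        uses: actions/[email protected]
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-
            ${{ runner.os }}-
      - name: Install packages
        run: npm clean-install
      - name: Run e2e tests
        run: npm run test:e2e-ci-smokes
      # Only upload when there is something to upload; hashFiles returns ''
      # for a missing or empty directory.
      - name: Upload e2e videos
        uses: actions/[email protected]
        with:
          name: e2e_vids.zip
          path: td.vue/tests/e2e/videos
        if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}

  e2e_tests:
    name: Site e2e tests
    runs-on: ubuntu-24.04
    needs: e2e_smokes
    defaults:
      run:
        working-directory: td.vue
    steps:
      - name: Checkout
        uses: actions/[email protected]
      - name: Download docker local image
        uses: actions/[email protected]
        with:
          name: ${{ env.IMAGE_NAME }}
          path: /tmp
      - name: Load docker local image
        run: |
          docker load --input "/tmp/${IMAGE_NAME}.tar"
      # Secrets go through the step environment, not ${{ }} in the script —
      # see the note on the same step in e2e_smokes.
      - name: Run Threat Dragon
        env:
          CI_GITHUB_CLIENT_ID: ${{ secrets.CI_GITHUB_CLIENT_ID }}
          CI_GITHUB_CLIENT_SECRET: ${{ secrets.CI_GITHUB_CLIENT_SECRET }}
          CI_JWT_REFRESH_SIGNING_KEY: ${{ secrets.CI_JWT_REFRESH_SIGNING_KEY }}
          CI_JWT_SIGNING_KEY: ${{ secrets.CI_JWT_SIGNING_KEY }}
          CI_SESSION_ENCRYPTION_KEYS: ${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}
        run: |
          docker run -d \
            -p 3000:3000 \
            -e GITHUB_CLIENT_ID="$CI_GITHUB_CLIENT_ID" \
            -e GITHUB_CLIENT_SECRET="$CI_GITHUB_CLIENT_SECRET" \
            -e ENCRYPTION_JWT_REFRESH_SIGNING_KEY="$CI_JWT_REFRESH_SIGNING_KEY" \
            -e ENCRYPTION_JWT_SIGNING_KEY="$CI_JWT_SIGNING_KEY" \
            -e ENCRYPTION_KEYS="$CI_SESSION_ENCRYPTION_KEYS" \
            -e NODE_ENV='development' \
            -e SERVER_API_PROTOCOL='http' \
            "$IMAGE_NAME"
      - name: Use node LTS 20.14.0
        uses: actions/[email protected]
        with:
          node-version: '20.14.0'
      - name: Cache NPM dir
        uses: actions/[email protected]
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-
      - name: Install packages
        run: npm clean-install
      - name: Run e2e tests
        run: npm run test:e2e-ci
      - name: Upload e2e videos
        uses: actions/[email protected]
        with:
          name: e2e_vids.zip
          path: td.vue/tests/e2e/videos
        if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}

  zap_scan_web_app:
    name: Local site zap scan
    runs-on: ubuntu-24.04
    needs: build_docker_image
    steps:
      - name: Download docker local image
        uses: actions/[email protected]
        with:
          name: ${{ env.IMAGE_NAME }}
          path: /tmp
      - name: Load docker local image
        run: |
          docker load --input "/tmp/${IMAGE_NAME}.tar"
      # Secrets go through the step environment, not ${{ }} in the script —
      # see the note on the same step in e2e_smokes.
      - name: Run Threat Dragon
        env:
          CI_GITHUB_CLIENT_ID: ${{ secrets.CI_GITHUB_CLIENT_ID }}
          CI_GITHUB_CLIENT_SECRET: ${{ secrets.CI_GITHUB_CLIENT_SECRET }}
          CI_JWT_REFRESH_SIGNING_KEY: ${{ secrets.CI_JWT_REFRESH_SIGNING_KEY }}
          CI_JWT_SIGNING_KEY: ${{ secrets.CI_JWT_SIGNING_KEY }}
          CI_SESSION_ENCRYPTION_KEYS: ${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}
        run: |
          docker run -d \
            -p 3000:3000 \
            -e GITHUB_CLIENT_ID="$CI_GITHUB_CLIENT_ID" \
            -e GITHUB_CLIENT_SECRET="$CI_GITHUB_CLIENT_SECRET" \
            -e ENCRYPTION_JWT_REFRESH_SIGNING_KEY="$CI_JWT_REFRESH_SIGNING_KEY" \
            -e ENCRYPTION_JWT_SIGNING_KEY="$CI_JWT_SIGNING_KEY" \
            -e ENCRYPTION_KEYS="$CI_SESSION_ENCRYPTION_KEYS" \
            -e NODE_ENV='development' \
            -e SERVER_API_PROTOCOL='http' \
            "$IMAGE_NAME"
      # Unlike the e2e jobs there is no npm install between starting the
      # container and using it, so wait until the port answers (any HTTP
      # response counts; `curl` without -f only fails on connection errors)
      # instead of scanning a server that is still booting.
      - name: Wait for Threat Dragon to accept connections
        run: |
          for _ in $(seq 1 30); do
            if curl -s -o /dev/null http://localhost:3000/; then
              exit 0
            fi
            sleep 2
          done
          echo "Threat Dragon did not start listening on :3000 within 60s" >&2
          docker ps -a
          exit 1
      # Needed for the rules file only; the scan target is the container.
      - name: Checkout
        uses: actions/[email protected]
      # The token is only used to open issues, which is disabled here, so the
      # read-only workflow-level permissions are sufficient.
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          target: 'http://localhost:3000'
          rules_file_name: '.github/workflows/.zap-rules-web.tsv'
          allow_issue_writing: false
          fail_action: true
          artifact_name: ${{ env.ZAP_FILE }}
          cmd_options: '-a'

  scan_image_with_trivy:
    name: Scan with trivy
    runs-on: ubuntu-24.04
    needs: build_docker_image
    # Nothing in this job writes to the repository (checkout, artifact
    # download, image load, table-format scan), so read is enough. This
    # block replaces the workflow-level one rather than merging with it.
    permissions:
      contents: read
    steps:
      # Need .trivyignore
      - name: Checkout
        uses: actions/[email protected]
      - name: Download docker local image
        uses: actions/[email protected]
        with:
          name: ${{ env.IMAGE_NAME }}
          path: /tmp
      - name: Load docker local image
        run: |
          docker load --input "/tmp/${IMAGE_NAME}.tar"
      # exit-code 1 makes any reported finding (subject to .trivyignore) fail
      # the job rather than just printing the table.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/[email protected]
        with:
          image-ref: '${{ env.IMAGE_NAME }}'
          format: 'table'
          exit-code: 1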