Extract codeQL workflow to have a separate one + Add scorecards analysis workflow file + Add UI tests for the UI branch
This commit is contained in:
parent
1c71572f44
commit
4d50026744
|
@ -6,5 +6,7 @@ paths:
|
||||||
- src/ui
|
- src/ui
|
||||||
- src/common
|
- src/common
|
||||||
paths-ignore:
|
paths-ignore:
|
||||||
- src/ui/static
|
- src/ui/static/tsparticles.bundle.min.js
|
||||||
|
- src/ui/static/js/utils/flatpickr.js
|
||||||
|
- src/ui/static/js/editor
|
||||||
- src/common/core/modsecurity/files
|
- src/common/core/modsecurity/files
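Review bot: Narrowing `paths-ignore` from the whole of `src/ui/static` to three named vendored files is the right direction now that the companion workflow scans JavaScript, but it means any other bundled or minified asset later dropped under `src/ui/static` is scanned by default and will raise third-party alerts. CodeQL config files accept globs, so a pattern such as `- src/ui/static/**/*.min.js` next to the explicit `flatpickr.js` and `editor` entries would cover future bundles without another edit here. The `paths:` list named in this hunk's header begins outside the visible lines.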
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
name: CodeQL Analysis
|
||||||
|
|
||||||
|
on:
|
||||||
|
schedule:
|
||||||
|
# Weekly on Saturdays.
|
||||||
|
- cron: "30 1 * * 6"
|
||||||
|
workflow_call:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
code-security:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
actions: read
|
||||||
|
contents: read
|
||||||
|
security-events: write
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
language: ["python", "javascript"]
|
||||||
|
steps:
|
||||||
|
- name: Checkout repository
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
- name: Initialize CodeQL
|
||||||
|
uses: github/codeql-action/init@v2
|
||||||
|
with:
|
||||||
|
languages: ${{ matrix.language }}
|
||||||
|
config-file: ./.github/codeql.yml
|
||||||
|
- name: Perform CodeQL Analysis
|
||||||
|
uses: github/codeql-action/analyze@v2
|
||||||
|
with:
|
||||||
|
category: "/language:${{matrix.language}}"
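Review bot: Every `uses:` in this new workflow is pinned to a floating tag (`actions/checkout@v4`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`), so the Scorecard analysis this same commit introduces will flag them under its Pinned-Dependencies check, and a moved tag would silently change what runs with `security-events: write`. Pin each to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, and let Dependabot or Renovate bump the SHA. The job-level `permissions` block is correctly minimal; the same SHA pinning applies to the scorecards workflow added alongside.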
|
|
@ -63,45 +63,28 @@ jobs:
|
||||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||||
|
|
||||||
# Python code security
|
codeql:
|
||||||
code-security:
|
uses: ./.github/workflows/codeql.yml
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
permissions:
|
||||||
actions: read
|
actions: read
|
||||||
contents: read
|
contents: read
|
||||||
security-events: write
|
security-events: write
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
language: ["python"]
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
- name: Initialize CodeQL
|
|
||||||
uses: github/codeql-action/init@v2
|
|
||||||
with:
|
|
||||||
languages: ${{ matrix.language }}
|
|
||||||
config-file: ./.github/codeql.yml
|
|
||||||
- name: Perform CodeQL Analysis
|
|
||||||
uses: github/codeql-action/analyze@v2
|
|
||||||
with:
|
|
||||||
category: "/language:${{matrix.language}}"
|
|
||||||
|
|
||||||
# UI tests
|
# UI tests
|
||||||
tests-ui:
|
tests-ui:
|
||||||
needs: [code-security, build-containers]
|
needs: [codeql, build-containers]
|
||||||
uses: ./.github/workflows/tests-ui.yml
|
uses: ./.github/workflows/tests-ui.yml
|
||||||
with:
|
with:
|
||||||
RELEASE: dev
|
RELEASE: dev
|
||||||
tests-ui-linux:
|
tests-ui-linux:
|
||||||
needs: [code-security, build-packages]
|
needs: [codeql, build-packages]
|
||||||
uses: ./.github/workflows/tests-ui-linux.yml
|
uses: ./.github/workflows/tests-ui-linux.yml
|
||||||
with:
|
with:
|
||||||
RELEASE: dev
|
RELEASE: dev
|
||||||
|
|
||||||
# Core tests
|
# Core tests
|
||||||
prepare-tests-core:
|
prepare-tests-core:
|
||||||
needs: [code-security, build-containers, build-packages]
|
needs: [codeql, build-containers, build-packages]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
|
|
|
@ -39,7 +39,7 @@ jobs:
|
||||||
- name: Checkout source code
|
- name: Checkout source code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
- name: Replace VERSION
|
- name: Replace VERSION
|
||||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
|
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
|
||||||
run: ./misc/update-version.sh ${{ inputs.RELEASE }}
|
run: ./misc/update-version.sh ${{ inputs.RELEASE }}
|
||||||
- name: Extract arch
|
- name: Extract arch
|
||||||
run: |
|
run: |
|
||||||
|
@ -91,7 +91,7 @@ jobs:
|
||||||
password: ${{ secrets.GITHUB_TOKEN }}
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
# Build testing package image
|
# Build testing package image
|
||||||
- name: Build package image
|
- name: Build package image
|
||||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
|
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
|
||||||
uses: docker/build-push-action@v5
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
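Review bot: `run: ./misc/update-version.sh ${{ inputs.RELEASE }}` (the context line right after the changed `if:`) interpolates a workflow input straight into the shell, and the `if:` allow-list has now grown to three hard-coded release names in two steps of this file. The input is set by in-repo callers today (`RELEASE: ui` and friends), so it is not attacker-controlled, but the GitHub-recommended form is to pass it through the environment: `env:` / `  RELEASE: ${{ inputs.RELEASE }}` / `run: ./misc/update-version.sh "$RELEASE"`. The growing condition could become `if: contains(fromJSON('["testing","dev","ui"]'), inputs.RELEASE)` so both steps share one list. Both steps belong to jobs that start outside these hunks.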
|
||||||
|
|
|
@ -7,6 +7,16 @@ on:
|
||||||
branches: [master]
|
branches: [master]
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
scorecards-analysis:
|
||||||
|
uses: ./.github/workflows/scorecards-analysis.yml
|
||||||
|
|
||||||
|
codeql:
|
||||||
|
uses: ./.github/workflows/codeql.yml
|
||||||
|
permissions:
|
||||||
|
actions: read
|
||||||
|
contents: read
|
||||||
|
security-events: write
|
||||||
|
|
||||||
# Build amd64 + 386 containers images
|
# Build amd64 + 386 containers images
|
||||||
build-containers:
|
build-containers:
|
||||||
strategy:
|
strategy:
|
||||||
|
@ -123,7 +133,7 @@ jobs:
|
||||||
# Wait for all builds and extract VERSION
|
# Wait for all builds and extract VERSION
|
||||||
wait-builds:
|
wait-builds:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [build-containers, build-containers-arm, build-packages]
|
needs: [codeql, build-containers, build-containers-arm, build-packages]
|
||||||
outputs:
|
outputs:
|
||||||
version: ${{ steps.getversion.outputs.version }}
|
version: ${{ steps.getversion.outputs.version }}
|
||||||
versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
|
versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
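Review bot: The new `scorecards-analysis:` job calls the reusable workflow with no `permissions:` block, unlike the `codeql:` job directly below it, so it inherits this workflow's default token; the called scorecard workflow uploads SARIF and publishes results, which need `security-events: write` and `id-token: write`, and a called workflow cannot obtain more than its caller grants. Give it the same shape as `codeql:`, with `security-events: write` and `id-token: write` added (plus `contents: read` and `actions: read`). Note also that `wait-builds` now lists `codeql` in `needs` while nothing depends on `scorecards-analysis`; that looks intended, but a one-line comment would make the asymmetry deliberate.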
|
||||||
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
name: Scorecard analysis workflow
|
||||||
|
|
||||||
|
on:
|
||||||
|
branch_protection_rule:
|
||||||
|
schedule:
|
||||||
|
# Weekly on Saturdays.
|
||||||
|
- cron: "30 1 * * 6"
|
||||||
|
workflow_call:
|
||||||
|
|
||||||
|
permissions: read-all
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
analysis:
|
||||||
|
name: Scorecard analysis
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: "Checkout code"
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
persist-credentials: false
|
||||||
|
- name: "Run analysis"
|
||||||
|
uses: ossf/scorecard-action@v2.2.0
|
||||||
|
with:
|
||||||
|
results_file: results.sarif
|
||||||
|
results_format: sarif
|
||||||
|
publish_results: true
|
||||||
|
- name: "Upload SARIF results to code scanning"
|
||||||
|
uses: github/codeql-action/upload-sarif@v2
|
||||||
|
with:
|
||||||
|
sarif_file: results.sarif
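Review bot: The workflow-level `permissions: read-all` is the only grant in this file, yet the final step uploads SARIF through `github/codeql-action/upload-sarif`, which needs `security-events: write`, and `publish_results: true` is documented by ossf/scorecard-action as requiring `id-token: write`; as written the upload step should be refused. Add a job-level block under `analysis:` (`permissions:` / `security-events: write` / `id-token: write`) while keeping `read-all` at the top. Because this file is also reached via `workflow_call`, each calling job must grant the same permissions, since a called workflow cannot exceed its caller's. The action is also documented to publish results only from the default branch, so runs triggered from other callers should be checked against that before relying on the badge.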
|
|
@ -64,33 +64,16 @@ jobs:
|
||||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||||
|
|
||||||
# Python code security
|
codeql:
|
||||||
code-security:
|
uses: ./.github/workflows/codeql.yml
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
permissions:
|
||||||
actions: read
|
actions: read
|
||||||
contents: read
|
contents: read
|
||||||
security-events: write
|
security-events: write
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
language: ["python"]
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
- name: Initialize CodeQL
|
|
||||||
uses: github/codeql-action/init@v2
|
|
||||||
with:
|
|
||||||
languages: ${{ matrix.language }}
|
|
||||||
config-file: ./.github/codeql.yml
|
|
||||||
- name: Perform CodeQL Analysis
|
|
||||||
uses: github/codeql-action/analyze@v2
|
|
||||||
with:
|
|
||||||
category: "/language:${{matrix.language}}"
|
|
||||||
|
|
||||||
# Create infrastructures and prepare tests
|
# Create infrastructures and prepare tests
|
||||||
create-infras:
|
create-infras:
|
||||||
needs: [code-security, build-containers, build-packages]
|
needs: [codeql, build-containers, build-packages]
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
type: [docker, autoconf, swarm, k8s, linux]
|
type: [docker, autoconf, swarm, k8s, linux]
|
||||||
|
@ -102,7 +85,7 @@ jobs:
|
||||||
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
||||||
K8S_IP: ${{ secrets.K8S_IP }}
|
K8S_IP: ${{ secrets.K8S_IP }}
|
||||||
prepare-tests-core:
|
prepare-tests-core:
|
||||||
needs: [code-security, build-containers, build-packages]
|
needs: [codeql, build-containers, build-packages]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
|
@ -116,12 +99,12 @@ jobs:
|
||||||
|
|
||||||
# Perform tests
|
# Perform tests
|
||||||
tests-ui:
|
tests-ui:
|
||||||
needs: [code-security, build-containers]
|
needs: [codeql, build-containers]
|
||||||
uses: ./.github/workflows/tests-ui.yml
|
uses: ./.github/workflows/tests-ui.yml
|
||||||
with:
|
with:
|
||||||
RELEASE: testing
|
RELEASE: testing
|
||||||
tests-ui-linux:
|
tests-ui-linux:
|
||||||
needs: [code-security, build-packages]
|
needs: [codeql, build-packages]
|
||||||
uses: ./.github/workflows/tests-ui-linux.yml
|
uses: ./.github/workflows/tests-ui-linux.yml
|
||||||
with:
|
with:
|
||||||
RELEASE: testing
|
RELEASE: testing
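Review bot: `create-infras`, `prepare-tests-core`, `tests-ui` and `tests-ui-linux` now all list `codeql` in `needs`, but `github/codeql-action/analyze` only fails the job when the analysis itself errors, not when it reports alerts, so this dependency delays infrastructure provisioning (which consumes `SECRET_KEY` and `K8S_IP`) without actually blocking on findings. If the intent is a security gate, enforce it through the code-scanning results check in branch protection (or a policy step over the uploaded SARIF) and drop `codeql` from `needs` to shorten the critical path; if the intent is only ordering, a comment such as `# ordering only: CodeQL does not fail on alerts` would avoid a false sense of a gate. The `secrets:` lines at the top of the first hunk belong to a job that starts outside the visible lines.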
|
||||||
|
|
|
@ -62,7 +62,7 @@ jobs:
|
||||||
sudo apt update
|
sudo apt update
|
||||||
sudo apt install -y nginx=1.24.0-1~jammy
|
sudo apt install -y nginx=1.24.0-1~jammy
|
||||||
- name: Fix version without a starting number
|
- name: Fix version without a starting number
|
||||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
|
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
|
||||||
run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
|
run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
|
||||||
- name: Install BunkerWeb
|
- name: Install BunkerWeb
|
||||||
run: sudo apt install -fy /tmp/bunkerweb.deb
|
run: sudo apt install -fy /tmp/bunkerweb.deb
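Review bot: This is the third copy in this commit of the `inputs.RELEASE == 'testing' || … == 'dev' || … == 'ui'` allow-list (the other two are in the linux-build workflow), and here it guards appending `force-bad-version` to `/etc/dpkg/dpkg.cfg`, which disables a dpkg sanity check for the rest of the job. Consider a single explicit boolean input, such as the `TEST` flag the ui workflow already passes to linux-build, or at least a shared `contains(fromJSON('["testing","dev","ui"]'), inputs.RELEASE)` expression, so the next pre-release name does not have to be added in three files. The step sits inside a job that starts outside this hunk.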
|
||||||
|
|
|
@ -33,9 +33,43 @@ jobs:
|
||||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||||
|
|
||||||
|
# Build Linux packages
|
||||||
|
build-packages:
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
packages: write
|
||||||
|
strategy:
|
||||||
|
matrix:
|
||||||
|
linux: [ubuntu]
|
||||||
|
include:
|
||||||
|
- linux: ubuntu
|
||||||
|
package: deb
|
||||||
|
uses: ./.github/workflows/linux-build.yml
|
||||||
|
with:
|
||||||
|
RELEASE: ui
|
||||||
|
LINUX: ${{ matrix.linux }}
|
||||||
|
PACKAGE: ${{ matrix.package }}
|
||||||
|
TEST: true
|
||||||
|
PLATFORMS: linux/amd64
|
||||||
|
secrets:
|
||||||
|
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||||
|
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||||
|
|
||||||
|
codeql:
|
||||||
|
uses: ./.github/workflows/codeql.yml
|
||||||
|
permissions:
|
||||||
|
actions: read
|
||||||
|
contents: read
|
||||||
|
security-events: write
|
||||||
|
|
||||||
# UI tests
|
# UI tests
|
||||||
tests-ui:
|
tests-ui:
|
||||||
needs: [build-containers]
|
needs: [codeql, build-containers]
|
||||||
uses: ./.github/workflows/tests-ui.yml
|
uses: ./.github/workflows/tests-ui.yml
|
||||||
with:
|
with:
|
||||||
RELEASE: ui
|
RELEASE: ui
|
||||||
|
tests-ui-linux:
|
||||||
|
needs: [codeql, build-packages]
|
||||||
|
uses: ./.github/workflows/tests-ui-linux.yml
|
||||||
|
with:
|
||||||
|
RELEASE: ui
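Review bot: `build-packages` declares a one-element matrix (`linux: [ubuntu]` plus an `include` that only restates it), which reads as copied from a multi-distro workflow; if this ui workflow is meant to build only the Ubuntu deb, the two values could be passed directly (`LINUX: ubuntu`, `PACKAGE: deb`) and the `strategy:` dropped. Granting `packages: write` only to that job, rather than at workflow level, is the right scope given the linux-build workflow apparently pushes a test image with `GITHUB_TOKEN`. Since `tests-ui-linux` depends on `build-packages`, any future matrix entry would also need the matching `RELEASE == 'ui'` paths in linux-build and tests-ui-linux.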
|
||||||
|
|