Extract codeQL workflow to have a separate one + Add scorecards analysis workflow file + Add UI tests for the UI branch
This commit is contained in:
parent
1c71572f44
commit
4d50026744
|
@ -6,5 +6,7 @@ paths:
|
|||
- src/ui
|
||||
- src/common
|
||||
paths-ignore:
|
||||
- src/ui/static
|
||||
- src/ui/static/tsparticles.bundle.min.js
|
||||
- src/ui/static/js/utils/flatpickr.js
|
||||
- src/ui/static/js/editor
|
||||
- src/common/core/modsecurity/files
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
name: CodeQL Analysis
|
||||
|
||||
on:
|
||||
schedule:
|
||||
# Weekly on Saturdays.
|
||||
- cron: "30 1 * * 6"
|
||||
workflow_call:
|
||||
|
||||
jobs:
|
||||
code-security:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: ["python", "javascript"]
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v2
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
config-file: ./.github/codeql.yml
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v2
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
|
@ -63,45 +63,28 @@ jobs:
|
|||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
# Python code security
|
||||
code-security:
|
||||
runs-on: ubuntu-latest
|
||||
codeql:
|
||||
uses: ./.github/workflows/codeql.yml
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: ["python"]
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v2
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
config-file: ./.github/codeql.yml
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v2
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
||||
|
||||
# UI tests
|
||||
tests-ui:
|
||||
needs: [code-security, build-containers]
|
||||
needs: [codeql, build-containers]
|
||||
uses: ./.github/workflows/tests-ui.yml
|
||||
with:
|
||||
RELEASE: dev
|
||||
tests-ui-linux:
|
||||
needs: [code-security, build-packages]
|
||||
needs: [codeql, build-packages]
|
||||
uses: ./.github/workflows/tests-ui-linux.yml
|
||||
with:
|
||||
RELEASE: dev
|
||||
|
||||
# Core tests
|
||||
prepare-tests-core:
|
||||
needs: [code-security, build-containers, build-packages]
|
||||
needs: [codeql, build-containers, build-packages]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
|
|
|
@ -39,7 +39,7 @@ jobs:
|
|||
- name: Checkout source code
|
||||
uses: actions/checkout@v4
|
||||
- name: Replace VERSION
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
|
||||
run: ./misc/update-version.sh ${{ inputs.RELEASE }}
|
||||
- name: Extract arch
|
||||
run: |
|
||||
|
@ -91,7 +91,7 @@ jobs:
|
|||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
# Build testing package image
|
||||
- name: Build package image
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
context: .
|
||||
|
|
|
@ -7,6 +7,16 @@ on:
|
|||
branches: [master]
|
||||
|
||||
jobs:
|
||||
scorecards-analysis:
|
||||
uses: ./.github/workflows/scorecards-analysis.yml
|
||||
|
||||
codeql:
|
||||
uses: ./.github/workflows/codeql.yml
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
# Build amd64 + 386 containers images
|
||||
build-containers:
|
||||
strategy:
|
||||
|
@ -123,7 +133,7 @@ jobs:
|
|||
# Wait for all builds and extract VERSION
|
||||
wait-builds:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [build-containers, build-containers-arm, build-packages]
|
||||
needs: [codeql, build-containers, build-containers-arm, build-packages]
|
||||
outputs:
|
||||
version: ${{ steps.getversion.outputs.version }}
|
||||
versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
name: Scorecard analysis workflow
|
||||
|
||||
on:
|
||||
branch_protection_rule:
|
||||
schedule:
|
||||
# Weekly on Saturdays.
|
||||
- cron: "30 1 * * 6"
|
||||
workflow_call:
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
analysis:
|
||||
name: Scorecard analysis
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
persist-credentials: false
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@v2.2.0
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
publish_results: true
|
||||
- name: "Upload SARIF results to code scanning"
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: results.sarif
|
|
@ -64,33 +64,16 @@ jobs:
|
|||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
# Python code security
|
||||
code-security:
|
||||
runs-on: ubuntu-latest
|
||||
codeql:
|
||||
uses: ./.github/workflows/codeql.yml
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: ["python"]
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v2
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
config-file: ./.github/codeql.yml
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v2
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
||||
|
||||
# Create infrastructures and prepare tests
|
||||
create-infras:
|
||||
needs: [code-security, build-containers, build-packages]
|
||||
needs: [codeql, build-containers, build-packages]
|
||||
strategy:
|
||||
matrix:
|
||||
type: [docker, autoconf, swarm, k8s, linux]
|
||||
|
@ -102,7 +85,7 @@ jobs:
|
|||
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
||||
K8S_IP: ${{ secrets.K8S_IP }}
|
||||
prepare-tests-core:
|
||||
needs: [code-security, build-containers, build-packages]
|
||||
needs: [codeql, build-containers, build-packages]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
|
@ -116,12 +99,12 @@ jobs:
|
|||
|
||||
# Perform tests
|
||||
tests-ui:
|
||||
needs: [code-security, build-containers]
|
||||
needs: [codeql, build-containers]
|
||||
uses: ./.github/workflows/tests-ui.yml
|
||||
with:
|
||||
RELEASE: testing
|
||||
tests-ui-linux:
|
||||
needs: [code-security, build-packages]
|
||||
needs: [codeql, build-packages]
|
||||
uses: ./.github/workflows/tests-ui-linux.yml
|
||||
with:
|
||||
RELEASE: testing
|
||||
|
|
|
@ -62,7 +62,7 @@ jobs:
|
|||
sudo apt update
|
||||
sudo apt install -y nginx=1.24.0-1~jammy
|
||||
- name: Fix version without a starting number
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev'
|
||||
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
|
||||
run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
|
||||
- name: Install BunkerWeb
|
||||
run: sudo apt install -fy /tmp/bunkerweb.deb
|
||||
|
|
|
@ -33,9 +33,43 @@ jobs:
|
|||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
# Build Linux packages
|
||||
build-packages:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
strategy:
|
||||
matrix:
|
||||
linux: [ubuntu]
|
||||
include:
|
||||
- linux: ubuntu
|
||||
package: deb
|
||||
uses: ./.github/workflows/linux-build.yml
|
||||
with:
|
||||
RELEASE: ui
|
||||
LINUX: ${{ matrix.linux }}
|
||||
PACKAGE: ${{ matrix.package }}
|
||||
TEST: true
|
||||
PLATFORMS: linux/amd64
|
||||
secrets:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
|
||||
|
||||
codeql:
|
||||
uses: ./.github/workflows/codeql.yml
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
# UI tests
|
||||
tests-ui:
|
||||
needs: [build-containers]
|
||||
needs: [codeql, build-containers]
|
||||
uses: ./.github/workflows/tests-ui.yml
|
||||
with:
|
||||
RELEASE: ui
|
||||
tests-ui-linux:
|
||||
needs: [codeql, build-packages]
|
||||
uses: ./.github/workflows/tests-ui-linux.yml
|
||||
with:
|
||||
RELEASE: ui
|
||||
|
|
Loading…
Reference in New Issue