Bump actions/setup-python from 4 to 5 #83
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check code on pull requests & subsequent pushes | |
on: | |
pull_request: | |
branches: | |
- staging | |
- production | |
jobs: | |
tests: | |
name: run tests | |
runs-on: ubuntu-20.04 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: ".python-version" | |
cache: "pip" | |
cache-dependency-path: "pyproject.toml" | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install -e .[pdf,picture] | |
- name: Start LocalStack | |
env: | |
LOCALSTACK_S3_ENDPOINT_URL: http://localhost:4566 | |
AWS_ACCESS_KEY_ID: test | |
AWS_SECRET_ACCESS_KEY: test | |
run: | | |
# install LocalStack cli and awslocal | |
pip install localstack awscli-local | |
# Make sure to pull the latest version of the image | |
docker pull localstack/localstack | |
# Start LocalStack in the background | |
localstack start -d | |
# Wait 30 seconds for the LocalStack container to become ready before timing out | |
echo "Waiting for LocalStack startup..." | |
localstack wait -t 30 | |
echo "Startup complete" | |
- name: Test | |
env: | |
LOCALSTACK_S3_ENDPOINT_URL: http://localhost:4566 | |
AWS_ACCESS_KEY_ID: test | |
AWS_SECRET_ACCESS_KEY: test | |
run: python -m unittest discover -s tests 2>&1 | tee test-report.txt | |
- name: Archive test results | |
uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: test-results | |
path: test-report.txt | |
retention-days: 5 | |
lint_and_scan: | |
name: run linting and sonarqube scan | |
runs-on: ubuntu-20.04 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: "0" | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: ".python-version" | |
cache: "pip" | |
cache-dependency-path: "pyproject.toml" | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install -e .[pdf,picture] | |
pip install pylint coverage | |
- name: lint | |
run: pylint --output=lint-report.txt --output-format=parseable ./src | |
- name: Start LocalStack | |
env: | |
LOCALSTACK_S3_ENDPOINT_URL: http://localhost:4566 | |
AWS_ACCESS_KEY_ID: test | |
AWS_SECRET_ACCESS_KEY: test | |
run: | | |
# install LocalStack cli and awslocal | |
pip install localstack awscli-local | |
# Make sure to pull the latest version of the image | |
docker pull localstack/localstack | |
# Start LocalStack in the background | |
localstack start -d | |
# Wait 30 seconds for the LocalStack container to become ready before timing out | |
echo "Waiting for LocalStack startup..." | |
localstack wait -t 30 | |
echo "Startup complete" | |
- name: Run tests with coverage | |
env: | |
LOCALSTACK_S3_ENDPOINT_URL: http://localhost:4566 | |
AWS_ACCESS_KEY_ID: test | |
AWS_SECRET_ACCESS_KEY: test | |
run: python -m coverage run -m unittest discover -s tests | |
- name: Create coverage report | |
run: python -m coverage xml | |
- name: SonarQube Scan | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
uses: kitabisa/sonarqube-action@v1.2.1 | |
with: | |
host: ${{ secrets.SONAR_HOST }} | |
login: ${{ secrets.SONAR_TOKEN }} | |
projectKey: ${{ secrets.SONAR_PROJECTKEY }} | |
- name: Archive lint results | |
uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: lint-results | |
path: lint-report.txt | |
retention-days: 5 | |
dependency-check: | |
name: run owasp dependency check | |
runs-on: ubuntu-20.04 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: '.python-version' | |
cache: 'pip' | |
cache-dependency-path: "pyproject.toml" | |
- name: Install pypa/build | |
run: >- | |
python -m | |
pip install | |
build | |
--user | |
- name: Run owasp dependency check | |
uses: dependency-check/Dependency-Check_Action@main | |
with: | |
project: 's3-metadata-tagger' | |
path: '.' | |
format: 'HTML' | |
args: > | |
--failOnCVSS 6 | |
--exclude **/examples/** | |
- name: Upload Test results | |
uses: actions/upload-artifact@master | |
if: always() | |
with: | |
name: dependency-check-results | |
path: ${{github.workspace}}/reports | |
retention-days: 5 | |
trivy-check: | |
name: run trivy vulnerability scanner | |
runs-on: ubuntu-20.04 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run Trivy vulnerability scanner in fs mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
scan-ref: '.' | |
format: template | |
template: '@/contrib/html.tpl' | |
exit-code: 1 | |
severity: CRITICAL,HIGH | |
skip-dirs: /github/workspace/examples | |
- name: Archive trivy results | |
uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: trivy-results | |
path: trivy-results.html | |
retention-days: 5 |