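name: CI
on: [push]

# Least privilege for the workflow's GITHUB_TOKEN: every job below only reads the
# repository (checkout); nothing here writes to the repo, packages, issues or PRs,
# so the default (potentially write) token scope is not needed.
permissions:
  contents: read

env:
  # Quoted so tooling never re-types a version string
  PYTHON_VERSION: "3.11.5"

jobs:
  honeypot:
    runs-on: ubuntu-22.04
    defaults:
      run:
        # An explicit `shell: bash` runs steps with `-eo pipefail`, so a failing left-hand side of the
        # `... | grep` and `wget ... | tar` pipelines below fails the step instead of being masked
        shell: bash
        working-directory: packages/honeypot/
    steps:
      # Third-party actions are pinned to full commit SHAs (tag in the trailing comment) so a moved tag can't change what runs
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      # Adapted from https://github.com/actions/setup-python/blob/main/docs/advanced-usage.md#caching-packages
      - name: Check pipx version
        # Make sure the version of pipx doesn't unexpectedly change
        # If this change looks legitimate (i.e. Github updating the vendored version, or coming after a change to the runner OS version) update the hard-coded version below
        # grep -F matches the version literally; in a plain regex "." matches any character
        run: |
          pipx --version
          pipx --version | grep -F "1.6.0"
      - name: Install poetry
        run: |
          pipx install poetry==1.5.1
      - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "poetry"
      - run: |
          poetry install
      - name: Check Formatting
        run: |
          make check-format
      - name: Lint
        run: |
          make lint
      - name: Static Analysis - pyre
        run: |
          make static-analysis-pyre
      - name: Static Analysis - mypy
        run: |
          make static-analysis-mypy
      - name: Unit Tests
        run: |
          make test-unit
      - name: Check Docker Version
        # Make sure the version of Docker doesn't unexpectedly change and doesn't drift much from what's used in Codespaces
        # If this change looks legitimate (i.e. Github updating the vendored version, or coming after a change to the runner OS version) update the hard-coded version below
        run: |
          docker --version
          docker --version | grep -F "Docker version 26.1.3"
      - name: Smoke Tests - Server Startup
        run: |
          make start-docker-simple-http
      - name: Smoke Tests - Health Check
        # A fixed sleep alone is racy on a slow runner; retry while the container is still coming up
        run: |
          sleep 5
          curl --fail --retry 3 --retry-delay 2 --retry-connrefused http://127.0.0.1:8000/healthcheck
      - name: Smoke Tests - Server Shutdown
        run: |
          make stop-docker-simple-http

  aws-cloudformation:
    runs-on: ubuntu-22.04
    env:
      CFN_GUARD_VERSION: "3.0.0"
    defaults:
      run:
        # See the honeypot job: explicit bash gives the pipelines below `pipefail`
        shell: bash
        working-directory: packages/aws-cloudformation/
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Python and Caching for cfn-lint Install
        uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "pip"
      - name: Check pip version
        # Make sure the version of pip doesn't unexpectedly change (it's unclear if actions/setup-python pins it or not) and doesn't drift much from what's used in Codespaces
        # If this change looks legitimate (i.e. actions/setup-python updating the vendored version) update the hard-coded version below
        run: |
          pip --version
          pip --version | grep -F "24.2"
      - name: Install cfn-lint
        # NOTE(review): version-pinned but not hash-pinned; `pip install --require-hashes` with a
        # requirements file would also verify the artifact, not just its version
        run: |
          pip install cfn-lint=='0.79.5'
      - name: Lint
        run: |
          make lint
      - name: Cache cfn-guard
        id: cache-cfn-guard
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: ~/.local/bin/cfn-guard
          key: cfn-guard-v${{ env.CFN_GUARD_VERSION }}
      - name: Install cfn-guard
        if: steps.cache-cfn-guard.outputs.cache-hit != 'true'
        # This is partially duplicated in .devcontainer/Dockerfile, with the copy target being the only difference
        # NOTE(review): the tarball is pinned by release tag but its contents are not verified before being
        # copied onto PATH and cached; record the published checksum and check it (sha256sum -c) here and in the Dockerfile
        run: |
          mkdir ./cfn-guard-temp/
          wget https://github.com/aws-cloudformation/cloudformation-guard/releases/download/${{ env.CFN_GUARD_VERSION }}/cfn-guard-v3-ubuntu-latest.tar.gz -O - | tar -xzvf - -C ./cfn-guard-temp/
          mkdir -p ~/.local/bin/
          cp ./cfn-guard-temp/cfn-guard-v3-ubuntu-latest/cfn-guard ~/.local/bin/
          rm -rf ./cfn-guard-temp/
      - name: Static Analysis - guard
        run: |
          make static-analysis-guard

  aws-terraform:
    runs-on: ubuntu-22.04
    env:
      TERRAFORM_VERSION: "1.9.5"
      TRIVY_VERSION: "0.54.1"
    defaults:
      run:
        # See the honeypot job: explicit bash gives the pipelines below `pipefail`
        shell: bash
        working-directory: packages/aws-terraform/
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Cache terraform
        id: cache-terraform
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: ~/.local/bin/terraform
          key: cfn-terraform-v${{ env.TERRAFORM_VERSION }}
      - name: Install terraform
        if: steps.cache-terraform.outputs.cache-hit != 'true'
        # This is partially duplicated in .devcontainer/Dockerfile, with the copy target being the only difference
        # NOTE(review): HashiCorp publishes a terraform_<version>_SHA256SUMS file next to the zip; the download is
        # not checked against it before the binary lands on PATH and in the cache
        run: |
          mkdir ./terraform-temp/
          wget https://releases.hashicorp.com/terraform/${{ env.TERRAFORM_VERSION }}/terraform_${{ env.TERRAFORM_VERSION }}_linux_amd64.zip -O ./terraform-temp/terraform.zip
          unzip ./terraform-temp/terraform.zip -d ./terraform-temp/
          mkdir -p ~/.local/bin/
          cp ./terraform-temp/terraform ~/.local/bin/
          rm -rf ./terraform-temp/
      - name: Init terraform
        run: |
          make init
      - name: Check Formatting
        run: |
          make check-format
      - name: Lint
        run: |
          make lint
      - name: Cache trivy
        id: cache-trivy
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          path: ~/.local/bin/trivy
          key: cfn-trivy-v${{ env.TRIVY_VERSION }}
      - name: Install trivy
        if: steps.cache-trivy.outputs.cache-hit != 'true'
        # This is partially duplicated in .devcontainer/Dockerfile, with the copy target being the only difference
        # NOTE(review): same as the other downloads above, the archive is tag-pinned but not checksum-verified
        run: |
          mkdir ./trivy-temp/
          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -xzvf - -C ./trivy-temp/
          mkdir -p ~/.local/bin/
          cp ./trivy-temp/trivy ~/.local/bin/
          rm -rf ./trivy-temp/
      - name: Static Analysis - trivy
        run: |
          make static-analysis-trivy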