Add shipshape audit workflow (#66)

MarkCalvert · web-flow · commit 27b99b482a12 · 2025-06-10T15:37:05.000+10:00
diff --git a/.github/workflows/shipshape.yml b/.github/workflows/shipshape.yml
@@ -0,0 +1,40 @@
+name: shipshape
+
+on:
+  workflow_call:
+
+# Add permissions block
+permissions:
+  checks: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  audit:
+    name: shipshape_audit
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/dpc-sdp/bay/ci-builder:6.x
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Audit codebase
+        shell: bash
+        run: |
+          # Run shipshape
+          shipshape run . -f .github/workflows/shipshape/shipshape.yml --output-format table --output-file shipshape-results.xml --output-file-format junit > shipshape-results.txt
+      - name: Upload audit report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          path: shipshape-results.txt
+      - name: Publish junit report
+        uses: mikepenz/action-junit-report@v5
+        if: always()
+        with:
+          report_paths: shipshape-results.xml
+          check_name: Junit Shipshape Audit Report
+          fail_on_failure: false
+          require_tests: false
+          require_passed_tests: false
+          annotate_only: false
diff --git a/.github/workflows/shipshape/shipshape.yml b/.github/workflows/shipshape/shipshape.yml
@@ -0,0 +1,108 @@
+collect:
+  #---------------------------------------------------------------------------
+  # CORE EXTENSION CONFIGURATION
+  #---------------------------------------------------------------------------
+  # File containing core extension configuration
+  core-extension-file:
+    file:read:
+      path: config/sync/core.extension.yml
+
+  # Get the list of modules
+  modules:
+    yaml:key:
+      input: core-extension-file
+      path: module
+      keys-only: true
+
+  # Get the site profile
+  profile:
+    yaml:key:
+      input: core-extension-file
+      path: profile
+      ignore-not-found: true
+
+  #---------------------------------------------------------------------------
+  # LAGOON CONFIGURATION
+  #---------------------------------------------------------------------------
+  # Lagoon configuration file
+  lagoon-file:
+    file:read:
+      path: .lagoon.yml
+
+  # TLS-ACME settings for different environments
+  production-tls-acme:
+    yaml:key:
+      input: lagoon-file
+      path: production_routes.active.routes[0].nginx-php[0].*.tls-acme
+      ignore-not-found: true
+
+  master-tls-acme:
+    yaml:key:
+      input: lagoon-file
+      path: environments.master.routes[0].nginx-php[0].*.tls-acme
+      ignore-not-found: true
+
+  uat-tls-acme:
+    yaml:key:
+      input: lagoon-file
+      path: environments.uat.routes[0].nginx-php[0].*.tls-acme
+      ignore-not-found: true
+
+  develop-tls-acme:
+    yaml:key:
+      input: lagoon-file
+      path: environments.develop.routes[0].nginx-php[0].*.tls-acme
+      ignore-not-found: true
+
+analyse:
+  #---------------------------------------------------------------------------
+  # MODULE CHECKS
+  #---------------------------------------------------------------------------
+  lagoon-logs-check:
+    allowed:list:
+      description: "Lagoon logs module is not enabled"
+      input: modules
+      required:
+        - lagoon_logs
+      severity: high
+
+  #---------------------------------------------------------------------------
+  # PROFILE CHECKS
+  #---------------------------------------------------------------------------
+  tide-profile-check:
+    regex:not-match:
+      description: "Verify Tide profile is correctly set"
+      input: profile
+      pattern: "^tide$"
+      severity: high
+
+  #---------------------------------------------------------------------------
+  # TLS-ACME CHECKS
+  #---------------------------------------------------------------------------
+  production-tls-acme-check:
+    regex:not-match:
+      description: "Verify TLS-ACME is enabled for the production environment"
+      input: production-tls-acme
+      pattern: "^false$"
+      severity: high
+
+  master-tls-acme-check:
+    regex:not-match:
+      description: "Verify TLS-ACME is enabled for the master environment"
+      input: master-tls-acme
+      pattern: "^false$"
+      severity: high
+
+  uat-tls-acme-check:
+    regex:not-match:
+      description: "Verify TLS-ACME is enabled for the UAT environment"
+      input: uat-tls-acme
+      pattern: "^false$"
+      severity: high
+
+  develop-tls-acme-check:
+    regex:not-match:
+      description: "Verify TLS-ACME is enabled for the develop environment"
+      input: develop-tls-acme
+      pattern: "^false$"
+      severity: high
diff --git a/.github/workflows/tide_build.yml b/.github/workflows/tide_build.yml
@@ -1,6 +1,6 @@
 name: tide_build
 
-on: 
+on:
   workflow_call:
     inputs:
       module_build:
@@ -13,40 +13,51 @@ on:
         type: string
         required: false
         default: biggy
+      run_shipshape_audit:
+        description: Set to true to run shipshape audit.
+        type: boolean
+        required: false
+        default: false
 
 env:
   REGISTRY: ghcr.io
 
+# Add permissions block with required permissions used for shipshape audit
+permissions:
+  checks: write
+  contents: read
+  pull-requests: write
+
 jobs:
   check-nginx-config:
     name: check-nginx-config
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-    - name: Set up Docker
-      uses: docker/setup-buildx-action@v2
-    - name: Create Docker network
-      run: docker network create test-network
-    - name: Run PHP container
-      run: docker run -d --name php --network test-network php:7.4-fpm
-    - name: Run Nginx container with long-running command
-      run: docker run -d --name nginx-container --network test-network ghcr.io/dpc-sdp/bay/nginx:6.x tail -f /dev/null
-    - name: Test Nginx configuration Results
-      run: |
-        docker exec nginx-container sh -c "nginx -t"
-      continue-on-error: true
-    - name: Check Nginx test results
-      run: |
-        RESULT=$(docker exec nginx-container sh -c "nginx -t" 2>&1)
-        echo "$RESULT"
-        if echo "$RESULT" | grep -q 'successful'; then
-          echo "Nginx configuration test successful"
-        else
-          echo "Nginx configuration test failed"
-          exit 1
-        fi
-      shell: bash
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Set up Docker
+        uses: docker/setup-buildx-action@v2
+      - name: Create Docker network
+        run: docker network create test-network
+      - name: Run PHP container
+        run: docker run -d --name php --network test-network php:7.4-fpm
+      - name: Run Nginx container with long-running command
+        run: docker run -d --name nginx-container --network test-network ghcr.io/dpc-sdp/bay/nginx:6.x tail -f /dev/null
+      - name: Test Nginx configuration Results
+        run: |
+          docker exec nginx-container sh -c "nginx -t"
+        continue-on-error: true
+      - name: Check Nginx test results
+        run: |
+          RESULT=$(docker exec nginx-container sh -c "nginx -t" 2>&1)
+          echo "$RESULT"
+          if echo "$RESULT" | grep -q 'successful'; then
+            echo "Nginx configuration test successful"
+          else
+            echo "Nginx configuration test failed"
+            exit 1
+          fi
+        shell: bash
 
   build_tide:
     name: tide_build
@@ -91,4 +102,10 @@ jobs:
         if: always()
         with:
           name: behat-results
-          path: /tmp/artifacts
+          path: /tmp/artifacts
+
+  shipshape-audit:
+    name: shipshape_audit
+    if: ${{ inputs.run_shipshape_audit == true }}
+    uses: ./.github/workflows/shipshape.yml
+    secrets: inherit
