chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.31.13 to 1.31.15 #177
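name: CI/CD Pipeline

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

# Least-privilege default for the GITHUB_TOKEN of every job in this workflow.
# Without a workflow-level block the token gets the repository's default
# permission set, which may be broader than any job here needs. A job that
# needs more (the security-scan job needs security-events: write to upload
# SARIF) declares its own `permissions:` block, which replaces this one.
permissions:
  contents: read

env:
  GO_VERSION: '1.24'
  PYTHON_VERSION: '3.12'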
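jobs:
  lint-and-format:
    name: Lint and Format Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - name: Install Go tools
        # NOTE(review): `@latest` resolves at run time, so the linter version
        # (and therefore the lint verdict) can change between two runs of the
        # same commit, and the module fetched is not pinned. Pin both to a
        # release once one is chosen. goimports is installed here but no step
        # below invokes it.
        run: |
          go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
          go install golang.org/x/tools/cmd/goimports@latest
      - name: Install Python tools
        # Same pinning concern as the Go tools above: these resolve to the
        # newest release on PyPI at run time.
        run: |
          pip install --upgrade pip
          pip install black flake8 isort mypy
      - name: Check Go formatting
        # gofmt -l prints the names of files that would change; a non-empty
        # list fails the step after echoing it for the log.
        run: |
          if [ "$(gofmt -l . | wc -l)" -ne 0 ]; then
            echo "Go files need formatting:"
            gofmt -l .
            exit 1
          fi
      - name: Check Python formatting
        run: |
          black --check app/
          isort --check-only app/
      - name: Run Go linters
        run: golangci-lint run
      - name: Run Python linters
        run: |
          flake8 app/
          mypy app/ --ignore-missing-imports

  test:
    name: Run Tests
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        # Throwaway credentials for the ephemeral service container; they only
        # exist for the lifetime of this job. The job-level PG* variables below
        # must agree with them.
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: app_test
        # Steps do not start until this health check passes.
        options: >-
          --health-cmd="pg_isready -U postgres -d app_test"
          --health-interval=2s
          --health-timeout=2s
          --health-retries=20
        ports:
          - 5432:5432
    env:
      # NOTE(review): the userinfo part of this URL was obfuscated in the
      # rendered page; it is reconstructed from PGUSER/PGPASSWORD/PGHOST/
      # PGPORT/PGDATABASE below — confirm against the source file.
      DATABASE_URL: postgresql://postgres:postgres@127.0.0.1:5432/app_test
      PGUSER: postgres
      PGPASSWORD: postgres
      PGHOST: 127.0.0.1
      PGPORT: "5432"
      PGDATABASE: app_test
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - name: Install Python dependencies
        run: |
          pip install --upgrade pip
          pip install -r app/requirements.txt
          pip install pytest pytest-cov
      - name: Wait for database
        # Belt and braces: the service health check above already gates the
        # job, so this loop normally succeeds on its first iteration. `exit 0`
        # ends the step (not just the loop) as soon as pg_isready succeeds.
        run: |
          for i in {1..30}; do
            pg_isready -h 127.0.0.1 -p 5432 -U postgres -d app_test && exit 0
            sleep 1
          done
          echo "Postgres did not become ready" >&2
          exit 1
      - name: Run Go tests
        run: go test -v -race -coverprofile=coverage.out ./...
        # Duplicates the service container's value; harmless, kept so the Go
        # tests do not depend on the job-level env being present.
        env:
          POSTGRES_PASSWORD: postgres
      - name: Run Python tests
        # coverage.xml is written relative to the cwd, i.e. app/coverage.xml,
        # which is the path the upload step below reads.
        run: |
          cd app
          pytest tests/ -v --cov=. --cov-report=xml
      - name: Upload Go coverage
        uses: codecov/codecov-action@v4
        # NOTE(review): codecov-action v4 documents this input as `files`;
        # confirm `file` is still honored by the version in use.
        with:
          file: ./coverage.out
          flags: golang
      - name: Upload Python coverage
        uses: codecov/codecov-action@v4
        with:
          file: ./app/coverage.xml
          flags: python

  security-scan:
    name: Security Scanning
    runs-on: ubuntu-latest
    # security-events: write is what upload-sarif needs to publish results to
    # code scanning; actions: read is the extra grant the upload-sarif docs
    # list for private repositories. This block replaces the workflow default.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install gosec
        # NOTE(review): unpinned `@latest` — same reproducibility concern as
        # the lint job's tool installs.
        run: |
          GOBIN=$(go env GOPATH)/bin go install github.com/securego/gosec/v2/cmd/gosec@latest
          # Quoted so a GOPATH containing whitespace cannot split the redirect
          # target into several words.
          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
      - name: Run gosec security scanner
        # gosec exits non-zero when it reports findings, so on a finding the
        # upload step below is skipped and nothing reaches code scanning. If
        # findings should be published as alerts rather than (or as well as)
        # failing the job, add `-no-fail` here or `if: ${{ !cancelled() }}` on
        # the upload step.
        run: gosec -fmt sarif -out gosec.sarif ./...
      - name: Upload gosec results
        uses: github/codeql-action/upload-sarif@v3
        # Best-effort: an upload failure (e.g. a fork PR whose token lacks
        # security-events: write) does not fail the job, so a missing alert
        # has to be diagnosed from the run log.
        continue-on-error: true
        with:
          sarif_file: gosec.sarif
      - name: Run Trivy vulnerability scanner
        # NOTE(review): `@master` is a mutable branch ref, so the action code
        # that runs here can change without any change to this repository.
        # Pin to a release tag or, better, a full commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy results
        uses: github/codeql-action/upload-sarif@v3
        # Best-effort for the same reason as the gosec upload above.
        continue-on-error: true
        with:
          sarif_file: 'trivy-results.sarif'

  build:
    name: Build and Test Docker Images
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build authz service
        run: docker build -t keep/authz -f services/authz/Dockerfile .
      - name: Build inventory service
        run: docker build -t keep/inventory -f services/inventory/Dockerfile .
      - name: Build Flask app
        run: docker build -t keep/app -f app/Dockerfile .
      - name: Test Docker Compose build
        run: docker compose -f docker-compose.secure.yml build
      - name: Run basic smoke test
        run: |
          # Generate test certificates (CI-only CA; discarded with the runner)
          ./scripts/generate-root-ca.sh ./test-certs
          # Set minimal environment. These are throwaway CI values, not real
          # credentials; they only have to satisfy the services' startup checks.
          cat > .env << EOF
          POSTGRES_PASSWORD=test-password
          GOOGLE_CLIENT_ID=test-client-id.apps.googleusercontent.com
          AUTHZ_ROOT_CA_CERT=./test-certs/keep-root.pem
          AUTHZ_ROOT_CA_KEY=./test-certs/keep-root-key.pem
          EOF
          # Start services briefly to test startup. `timeout` exits 124 when the
          # 30s window runs out, which here means every container stayed up —
          # that is the pass case. Any other non-zero status means a container
          # exited early (--abort-on-container-exit) or compose itself failed,
          # so dump the logs and fail the step instead of masking every outcome
          # with `|| true`, which made this smoke test unable to fail.
          set +e
          timeout 30s docker compose -f docker-compose.secure.yml up --abort-on-container-exit
          rc=$?
          set -e
          if [ "$rc" -ne 0 ] && [ "$rc" -ne 124 ]; then
            docker compose -f docker-compose.secure.yml logs --no-color
            exit "$rc"
          fi

  opa-policy-test:
    name: Test OPA Policies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Setup OPA
        uses: open-policy-agent/setup-opa@v2
      - name: Test OPA policies
        run: opa test ./policies
      - name: Validate policy syntax
        # `--diff` alone only prints the reformat diff and exits 0, so an
        # unformatted policy never failed this step; `--fail` turns a
        # non-empty diff into a non-zero exit.
        run: opa fmt --diff --fail ./policies/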