keep/.github/workflows/ci.yml at 02250ac3341e7ad1e6e54ac0c787ebeac72c7920 · evalops/keep · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
name: CI/CD Pipeline

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

env:
  GO_VERSION: '1.23'
  PYTHON_VERSION: '3.12'

jobs:
  lint-and-format:
    name: Lint and Format Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install toolchains
        run: |
          python -m pip install --upgrade pip
          make install-tools

      - name: Format check
        run: make ci-format-check

      - name: Lint
        run: make lint

  test:
    name: Run Tests
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: app_test
        options: >-
          --health-cmd="pg_isready -U postgres -d app_test"
          --health-interval=2s
          --health-timeout=2s
          --health-retries=20
        ports:
          - 5432:5432

    env:
      DATABASE_URL: postgresql://postgres:postgres@127.0.0.1:5432/app_test
      PGUSER: postgres
      PGPASSWORD: postgres
      PGHOST: 127.0.0.1
      PGPORT: "5432"
      PGDATABASE: app_test

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Python dependencies
        run: |
          pip install --upgrade pip
          pip install -r app/requirements.txt
          make install-tools

      - name: Wait for database
        run: |
          for i in {1..30}; do
            pg_isready -h 127.0.0.1 -p 5432 -U postgres -d app_test && exit 0
            sleep 1
          done
          echo "Postgres did not become ready" >&2
          exit 1

      - name: Run test suite
        run: make test

      - name: Test OPA policies
        run: make opa-test

  security-scan:
    name: Security Scanning
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Prepare tooling
        run: |
          python -m pip install --upgrade pip
          make install-tools

      - name: Run security checks
        run: make security

      - name: Run gosec with SARIF output
        run: gosec -fmt sarif -out gosec.sarif ./...

      - name: Upload gosec results
        uses: github/codeql-action/upload-sarif@v3
        continue-on-error: true
        with:
          sarif_file: gosec.sarif

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results
        uses: github/codeql-action/upload-sarif@v3
        continue-on-error: true
        with:
          sarif_file: 'trivy-results.sarif'

  build:
    name: Build and Test Docker Images
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build authz service
        run: docker build -t keep/authz -f services/authz/Dockerfile .

      - name: Build inventory service
        run: docker build -t keep/inventory -f services/inventory/Dockerfile .

      - name: Build Flask app
        run: docker build -t keep/app -f app/Dockerfile .

      - name: Test Docker Compose build
        run: docker compose -f docker-compose.secure.yml build

      - name: Run basic smoke test
        run: |
          # Generate test certificates
          ./scripts/generate-root-ca.sh ./test-certs

          # Set minimal environment
          cat > .env << EOF
          POSTGRES_PASSWORD=test-password
          GOOGLE_CLIENT_ID=test-client-id.apps.googleusercontent.com
          AUTHZ_ROOT_CA_CERT=./test-certs/keep-root.pem
          AUTHZ_ROOT_CA_KEY=./test-certs/keep-root-key.pem
          EOF

          # Start services briefly to test startup
          timeout 30s docker compose -f docker-compose.secure.yml up --abort-on-container-exit || true

  opa-policy-test:
    name: Test OPA Policies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Setup OPA
        uses: open-policy-agent/setup-opa@v2

      - name: Run policy tests
        run: make opa-test