Part Type Changes #215
name: Create and publish a package | |
on: | |
push: | |
branches: | |
- 'release-**' | |
- 'automated_tests' | |
env: | |
IMAGE_NAME: ooicgsn-roundabout | |
jobs: | |
# OWASP Dependency Check & ZAP Scan | |
depchecktest: | |
runs-on: ubuntu-latest | |
name: OWASP | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Build RDB project | |
run: | | |
- name: OWASP Dependency Check | |
uses: dependency-check/Dependency-Check_Action@main | |
id: Depcheck | |
with: | |
project: 'ooicgsn-roundabout' | |
path: '.' | |
format: 'HTML' | |
args: > | |
--failOnCVSS 7 | |
--enableRetired | |
--enableExperimental | |
- name: Upload Test results | |
uses: actions/upload-artifact@master | |
with: | |
name: Dependency Check Report | |
path: ${{github.workspace}}/reports | |
- name: OWASP ZAP Scan | |
# Full scan runs spider and then performs attacks on target website | |
# uses: zaproxy/[email protected] | |
run: | | |
# Build and Run RDB | |
mv .envs.example .envs | |
docker-compose -f docker-compose-testing.yml build | |
docker-compose -f docker-compose-testing.yml up --detach | |
sh -c "until curl -Is http://localhost:8000; do echo 'waiting for http://localhost:8000'; sleep 10; done" | |
# Pull the OWASP ZAP Docker Image | |
docker pull zaproxy/zap-stable | |
# Run OWASP ZAP Scan | |
pwd | |
cp .github/zap/rdb.context . | |
ls | |
# Needed for Zap | |
chmod a+rw $(pwd) | |
docker run --network roundabout-network \ | |
-v "/$(pwd):/zap/wrk/:rw" \ | |
-t zaproxy/zap-stable zap-baseline.py -j \ | |
-t http://django:8000 \ | |
-I \ | |
-d \ | |
-r rdb-zap-baseline-scan.html \ | |
-n rdb.context \ | |
-U admin | |
# -t zaproxy/zap-stable zap-baseline.py -j \ no high alerts | |
# -t zaproxy/zap-stable zap-full-scan.py \ runs 6+ hrs and timesout, includes high alerts | |
# -t zaproxy/zap-weekly zap-full-scan.py -j \ runs for 6+ hours - times out | |
- name: Archive production artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Zap Report | |
path: | | |
./rdb-zap-baseline-scan.html | |
- name: Stopping RDB application | |
run: docker-compose --file docker-compose-testing.yml down | |
# RDB Automated Testing and Tagging | |
setup-build-publish: | |
name: RDB Setup, Build, and Publish | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Running Automated tests | |
run: | | |
# Build and run development version of Django | |
mv .envs.example .envs | |
docker-compose -f docker-compose-testing.yml build | |
docker-compose -f docker-compose-testing.yml up --detach | |
#sleep 60 | |
sh -c "until curl -Is http://localhost:8000; do echo 'waiting for http://localhost:8000'; sleep 10; done" | |
# Run automated tests | |
docker-compose -f docker-compose-testing.yml run tests ./RunAllTests-Chrome-Linux.bat | |
- name: Build, Tag & Push Production Image | |
if: contains(github.ref, 'release') | |
run: | | |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
IMAGE_ID=ghcr.io/${{ github.repository }} | |
# Change all uppercase to lowercase | |
IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]') | |
# Strip git ref prefix from branch | |
BRANCH=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
# Strip "release-" prefix from version | |
VERSION=$(echo $BRANCH | sed -e 's/.*-//') | |
echo "IMAGE_ID:" | |
echo $IMAGE_ID | |
echo "VERSION:" | |
echo $VERSION | |
# Build Production Django Container | |
docker build -f compose/production/django/Dockerfile -t $IMAGE_ID . | |
docker image ls | |
docker tag $IMAGE_ID $IMAGE_ID:$VERSION | |
docker push $IMAGE_ID:$VERSION | |
- name: Stopping RDB application | |
run: docker-compose --file docker-compose-testing.yml down | |
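Review bot: The two third-party actions are pulled from mutable branch refs — `uses: actions/upload-artifact@master` in the "Upload Test results" step and `uses: dependency-check/Dependency-Check_Action@main` in the OWASP Dependency Check step — so whatever is on those branches at run time executes with the job's token; pin them to a release tag or, better, a full commit SHA, as the later "Archive production artifacts" step already does with `uses: actions/upload-artifact@v4`. The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` that is echoed into `docker login ghcr.io` in the "Build, Tag & Push Production Image" step runs with the repository's default token scope rather than the minimum the push needs; a top-level `permissions:` with `contents: read` and `packages: write` would confine it. In that same step `${{ github.ref }}` and `${{ github.actor }}` are interpolated straight into the shell script, so a crafted branch name would be expanded before bash parses the line; passing them through `env:` (e.g. `GIT_REF: ${{ github.ref }}`) and reading `"$GIT_REF"` avoids that. The "Build RDB project" step's `run: |` appears to have an empty body as rendered here, which looks like a leftover that either needs its commands or should be removed. The `-I` flag on `zap-baseline.py` means ZAP findings never fail the job, which matches the trailing comment's intent but is worth stating in the step comment so reviewers do not assume the scan gates the publish.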