Compliance #1137
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Compliance | |
on: | |
# Run compliance jobs for pull requests, to make sure there are no issues before merging | |
pull_request: | |
# Re-run compliance jobs in main, to make sure there are no issues from the merge | |
push: | |
branches: | |
- main | |
# Use the release:publish event to generate compliance reports for releases | |
# This lines up with the packaging workflow, so reports will be published when packages are published | |
release: | |
types: | |
- published | |
# Allow manual triggering of the compliance jobs | |
workflow_dispatch: | |
# Use baseline language versions for compliance builds | |
env: | |
JAVA_VERSION: "11" | |
JAVA_DISTRIBUTION: "zulu" | |
NODE_VERSION: "16.x" | |
PYTHON_VERSION: "3.11" | |
jobs: | |
platform_compliance: | |
runs-on: ubuntu-latest | |
timeout-minutes: 20 | |
steps: | |
# fetch-depth = 0 is needed to get tags for version info | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Set up Java | |
uses: actions/setup-java@v3 | |
with: | |
distribution: ${{ env.JAVA_DISTRIBUTION }} | |
java-version: ${{ env.JAVA_VERSION }} | |
cache: gradle | |
# Use a cache to save downloading the whole NVD on every build | |
# Dependency check will automatically look for updates and download the delta | |
- name: NVD cache | |
uses: actions/cache@v3 | |
with: | |
key: compliance-cache-data | |
path: ./build/compliance-cache | |
- name: OWASP dependency checkout | |
run: ./gradlew dependencyCheckAggregate | |
- name: License check | |
run: ./gradlew checkLicense | |
# Always save the reports - they are especially needed when the checks have failed! | |
- name: Store compliance reports | |
uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: compliance-reports | |
path: build/compliance/** | |
python_runtime_compliance: | |
runs-on: ubuntu-latest | |
timeout-minutes: 20 | |
steps: | |
# fetch-depth = 0 is needed to get tags for version info | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
- name: PIP Upgrade | |
run: python -m pip install --upgrade pip | |
- name: Install dependencies | |
run: | | |
cd tracdap-runtime/python | |
pip install -r requirements.txt | |
- name: Safety check | |
run: | | |
mkdir -p build/compliance/python-runtime-safety | |
cd tracdap-runtime/python | |
safety check --output text > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.txt | |
safety check --output json > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.json | |
- name: License check | |
run: | | |
# Source license excpetions | |
. dev/compliance/license-config-python.sh | |
mkdir -p build/compliance/python-runtime-licenses | |
cd tracdap-runtime/python | |
pip-licenses --format=json --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.json | |
pip-licenses --format=html --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.html | |
pip-licenses --allow-only="$ALLOWED_LICENSES" --ignore-packages $IGNORE_LICENSE | |
# Always save the reports - they are especially needed when the checks have failed! | |
- name: Store compliance reports | |
uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: compliance-reports | |
path: build/compliance/** | |
web_api_compliance: | |
runs-on: ubuntu-latest | |
timeout-minutes: 20 | |
steps: | |
# fetch-depth = 0 is needed to get tags for version info | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Set up Node.js | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
cache: npm | |
cache-dependency-path: tracdap-api/packages/web/package-lock.json | |
# Use a cache to save downloading global compliance data on every build (e.g. NVD) | |
# Compliance tasks will automatically look for updates and download deltas | |
- name: NVD cache | |
uses: actions/cache@v3 | |
with: | |
key: compliance-cache-data | |
path: ./build/compliance-cache | |
- name: Install dependencies | |
run: | | |
cd tracdap-api/packages/web | |
npm install | |
- name: OWASP dependency check | |
run: | | |
mkdir -p build/compliance | |
cd tracdap-api/packages/web | |
npm run compliance-owasp | |
- name: License check | |
run: | | |
cd tracdap-api/packages/web | |
npm run compliance-licenses | |
- name: NPM audit | |
run: | | |
mkdir -p build/compliance/web-api-npm-audit | |
cd tracdap-api/packages/web | |
npm run compliance-audit | |
# Always save the reports - they are especially needed when the checks have failed! | |
- name: Store compliance reports | |
uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: compliance-reports | |
path: build/compliance/** | |
publish_to_github: | |
if: ${{ github.event_name == 'release' && github.event.action == 'published' }} | |
runs-on: ubuntu-latest | |
needs: | |
- platform_compliance | |
- python_runtime_compliance | |
- web_api_compliance | |
steps: | |
# fetch-depth = 0 is needed to get tags for version info | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Get TRAC d.a.p. version | |
id: tracdap-version | |
run: | | |
tracdap_version=`dev/version.sh` | |
echo "tracdap_version = ${tracdap_version}" | |
echo "tracdap_version=${tracdap_version}" >> $GITHUB_OUTPUT | |
- name: Fetch copmliance report artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: compliance-reports | |
path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }} | |
- name: Build compliance reports tarball | |
run: tar -cvzf tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}/ | |
- name: Publish compliance reports | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ github.event.release.upload_url }} | |
asset_path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz | |
asset_name: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz | |
asset_content_type: application/gzip |