.github/workflows/compliance.yml

name: Compliance

on:

  # Run compliance jobs for pull requests, to make sure there are no issues before merging
  pull_request:

  # Re-run compliance jobs in main, to make sure there are no issues from the merge
  push:
    branches:
      - main

  # Use the release:publish event to generate compliance reports for releases
  # This lines up with the packaging workflow, so reports will be published when packages are published
  release:
    types:
      - published

  # Allow manual triggering of the compliance jobs
  workflow_dispatch:


# Use baseline language versions for compliance builds
env:
  JAVA_VERSION: "11"
  JAVA_DISTRIBUTION: "zulu"
  NODE_VERSION: "16.x"
  PYTHON_VERSION: "3.11"


jobs:

  platform_compliance:

    runs-on: ubuntu-latest
    timeout-minutes: 20

    steps:

      # fetch-depth = 0 is needed to get tags for version info
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          distribution: ${{ env.JAVA_DISTRIBUTION }}
          java-version: ${{ env.JAVA_VERSION }}
          cache: gradle

      # Use a cache to save downloading the whole NVD on every build
      # Dependency check will automatically look for updates and download the delta
      - name: NVD cache
        uses: actions/cache@v3
        with:
          key: compliance-cache-data
          path: ./build/compliance-cache

      - name: OWASP dependency check
        run: ./gradlew dependencyCheckAggregate

      - name: License check
        run: ./gradlew checkLicense

      # Always save the reports - they are especially needed when the checks have failed!
      - name: Store compliance reports
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: compliance-reports
          path: build/compliance/**

  python_runtime_compliance:

    runs-on: ubuntu-latest
    timeout-minutes: 20

    steps:

      # fetch-depth = 0 is needed to get tags for version info
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: PIP Upgrade
        run: python -m pip install --upgrade pip

      # Make sure to check compliance on both core and plugin dependencies
      - name: Install dependencies
        run: |
          cd tracdap-runtime/python
          pip install -r requirements.txt
          pip install -r requirements_plugins.txt

      - name: Safety check
        run: |
          mkdir -p build/compliance/python-runtime-safety
          cd tracdap-runtime/python
          safety check --output text > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.txt
          safety check --output json > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.json

      - name: License check
        run: |

          # Source license excpetions
          . dev/compliance/license-config-python.sh

          mkdir -p build/compliance/python-runtime-licenses
          cd tracdap-runtime/python
          pip-licenses --format=json --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.json
          pip-licenses --format=html --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.html
          pip-licenses --allow-only="$ALLOWED_LICENSES" --ignore-packages $IGNORE_LICENSE

      # Always save the reports - they are especially needed when the checks have failed!
      - name: Store compliance reports
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: compliance-reports
          path: build/compliance/**

  web_api_compliance:

    runs-on: ubuntu-latest
    timeout-minutes: 20

    steps:

      # fetch-depth = 0 is needed to get tags for version info
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm
          cache-dependency-path: tracdap-api/packages/web/package-lock.json

      # Use a cache to save downloading global compliance data on every build (e.g. NVD)
      # Compliance tasks will automatically look for updates and download deltas
      - name: NVD cache
        uses: actions/cache@v3
        with:
          key: compliance-cache-data
          path: ./build/compliance-cache

      - name: Install dependencies
        run: |
          cd tracdap-api/packages/web
          npm install

      - name: OWASP dependency check
        run: |
          mkdir -p build/compliance
          cd tracdap-api/packages/web
          npm run compliance-owasp

      - name: License check
        run: |
          cd tracdap-api/packages/web
          npm run compliance-licenses

      - name: NPM audit
        run: |
          mkdir -p build/compliance/web-api-npm-audit
          cd tracdap-api/packages/web
          npm run compliance-audit

      # Always save the reports - they are especially needed when the checks have failed!
      - name: Store compliance reports
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: compliance-reports
          path: build/compliance/**

  publish_to_github:

    if: ${{ github.event_name == 'release' && github.event.action == 'published' }}

    runs-on: ubuntu-latest

    needs:
      - platform_compliance
      - python_runtime_compliance
      - web_api_compliance

    steps:

      # fetch-depth = 0 is needed to get tags for version info
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Get TRAC d.a.p. version
        id: tracdap-version
        run: |
          tracdap_version=`dev/version.sh`
          echo "tracdap_version = ${tracdap_version}"
          echo "tracdap_version=${tracdap_version}" >> $GITHUB_OUTPUT

      - name: Fetch copmliance report artifacts
        uses: actions/download-artifact@v3
        with:
          name: compliance-reports
          path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}

      - name: Build compliance reports tarball
        run: tar -cvzf tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}/

      - name: Publish compliance reports
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ github.event.release.upload_url }}
          asset_path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz
          asset_name: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz
          asset_content_type: application/gzip