Merge pull request #2145 from ASFHyP3/edc-vcpus #6130
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Static code analysis | |
| on: push | |
| jobs: | |
| flake8: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.9 | |
| - run: | | |
| python -m pip install --upgrade pip | |
| make install | |
| - run: make flake8 | |
| cfn-lint: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| security_environment: [ASF, EDC, JPL, JPL-public] | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.9 | |
| - run: | | |
| python -m pip install --upgrade pip | |
| make install | |
| - run: | | |
| make security_environment=${{ matrix.security_environment }} cfn-lint | |
| openapi-spec-validator: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.9 | |
| - run: | | |
| python -m pip install --upgrade pip | |
| make install | |
| - run: make openapi-validate | |
| statelint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: 2.7 | |
| - run: gem install statelint | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.9 | |
| - run: | | |
| python -m pip install --upgrade pip | |
| make install | |
| - run: | | |
| make render | |
| sed -i 's/"Resource": "${.*}"/"Resource": "foo:bar"/' apps/step-function.json | |
| statelint apps/step-function.json | |
| snyk: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: snyk/actions/[email protected] | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.9 | |
| - run: | | |
| python -m pip install --upgrade pip | |
| make install | |
| make render security_environment=EDC | |
| - name: Run Snyk to check for vulnerabilities | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| snyk test --package-manager=pip --file=requirements-all.txt --severity-threshold=high | |
| snyk iac test --severity-threshold=high | |
| call-secrets-analysis-workflow: | |
| uses: ASFHyP3/actions/.github/workflows/[email protected] |