feat: add missing security header (#1997) #3661
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR checks | |
| on: | |
| pull_request: | |
| push: | |
| branches: main | |
| env: | |
| SECRET_KEY: insecure_test_key | |
| jobs: | |
| run-image: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build image | |
| run: DOCKER_BUILDKIT=1 docker build --tag charmhub-io . | |
| - name: Run image | |
| run: | | |
| docker run -d -p 80:80 --env-file .env charmhub-io | |
| sleep 1 | |
| curl --head --fail --retry-delay 1 --retry 30 --retry-connrefused http://localhost | |
| run-dotrun: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Dotrun | |
| run: | | |
| sudo pip3 install dotrun requests==2.31.0 # requests version is pinned to avoid breaking changes, can be removed once issue is resolved: https://github.com/docker/docker-py/issues/3256 | |
| - name: Install dependencies | |
| run: | | |
| sudo chmod -R 777 . | |
| dotrun install | |
| - name: Build assets | |
| run: dotrun build | |
| - name: Test site | |
| run: dotrun & sleep 10 && curl --head --fail --retry-delay 1 --retry 30 --retry-connrefused http://localhost:8045 | |
| pack-rock: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup LXD | |
| uses: canonical/setup-lxd@main | |
| - name: Setup rockcraft | |
| run: sudo snap install rockcraft --classic --channel=latest/edge | |
| - name: Pack rock | |
| run: rockcraft pack | |
| check-prettier: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install dependencies | |
| run: yarn install --immutable | |
| - name: Check Prettier | |
| run: yarn check-prettier | |
| lint-python: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| filters: | | |
| py: | |
| - '**/*.py' | |
| - name: Install Python dependencies | |
| if: ${{ steps.filter.outputs.py == 'true' }} | |
| run: | | |
| python3 -m pip install --upgrade pip | |
| sudo pip3 install -r requirements.txt | |
| - name: Lint Python | |
| if: ${{ steps.filter.outputs.py == 'true' }} | |
| run: yarn lint-python | |
| lint-scss: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| filters: | | |
| scss: | |
| - '**/*.scss' | |
| - name: Install SCSS dependencies | |
| if: ${{ steps.filter.outputs.scss == 'true' }} | |
| run: yarn install --immutable | |
| - name: Lint SCSS | |
| if: ${{ steps.filter.outputs.scss == 'true' }} | |
| run: yarn lint-scss | |
| lint-js: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| filters: | | |
| js: | |
| - '**/*.js' | |
| ts: | |
| - '**/*.ts' | |
| jsx: | |
| - '**/*.jsx' | |
| tsx: | |
| - '**/*.tsx' | |
| - name: Install JS dependencies | |
| if: ${{ steps.filter.outputs.js == 'true' || steps.filter.outputs.ts == 'true' || steps.filter.outputs.jsx == 'true' || steps.filter.outputs.tsx == 'true' }} | |
| run: yarn install --immutable | |
| - name: Lint JS | |
| if: ${{ steps.filter.outputs.js == 'true' || steps.filter.outputs.ts == 'true' || steps.filter.outputs.jsx == 'true' || steps.filter.outputs.tsx == 'true' }} | |
| run: yarn lint-js | |
| test-python: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| filters: | | |
| py: | |
| - '**/*.py' | |
| - name: Install Python dependencies | |
| if: ${{ steps.filter.outputs.py == 'true' }} | |
| run: | | |
| sudo pip3 install -r requirements.txt | |
| sudo pip3 install coverage | |
| - name: Run Python tests with coverage | |
| if: ${{ steps.filter.outputs.py == 'true' }} | |
| run: | | |
| SECRET_KEY=insecure_secret_key coverage run --source=. -m unittest discover tests | |
| - name: Upload coverage to Codecov | |
| if: ${{ steps.filter.outputs.py == 'true' }} | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| flags: python | |
| test-js: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| filters: | | |
| js: | |
| - '**/*.js' | |
| ts: | |
| - '**/*.ts' | |
| jsx: | |
| - '**/*.jsx' | |
| tsx: | |
| - '**/*.tsx' | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - name: Install dependencies | |
| if: ${{ steps.filter.outputs.js == 'true' || steps.filter.outputs.ts == 'true' || steps.filter.outputs.jsx == 'true' || steps.filter.outputs.tsx == 'true' }} | |
| run: yarn install --immutable | |
| - name: Test JS | |
| if: ${{ steps.filter.outputs.js == 'true' || steps.filter.outputs.ts == 'true' || steps.filter.outputs.jsx == 'true' || steps.filter.outputs.tsx == 'true' }} | |
| run: | | |
| yarn test-js --coverage | |
| - name: Upload coverage to Codecov | |
| if: ${{ steps.filter.outputs.js == 'true' || steps.filter.outputs.ts == 'true' || steps.filter.outputs.jsx == 'true' || steps.filter.outputs.tsx == 'true' }} | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| flags: javascript | |
| check-inclusive-naming: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Check inclusive naming | |
| uses: canonical-web-and-design/inclusive-naming@main | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| reporter: github-pr-review | |
| fail-on-error: true |