manual macos notarization #577
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR pipeline | |
on: | |
pull_request: | |
branches: | |
- main | |
workflow_dispatch: | |
env: | |
IMAGE_NAME: "pr-${{ github.event.number }}" | |
ZAP_FILE: "zap-scan-pr-${{ github.event.number }}" | |
GITHUB_CLIENT_ID: "${{ secrets.CI_GITHUB_CLIENT_ID }}" | |
GITHUB_CLIENT_SECRET: "${{ secrets.CI_GITHUB_CLIENT_SECRET }}" | |
ENCRYPTION_JWT_REFRESH_SIGNING_KEY: "${{ secrets.CI_JWT_REFRESH_SIGNING_KEY }}" | |
ENCRYPTION_JWT_SIGNING_KEY: "${{ secrets.CI_JWT_SIGNING_KEY }}" | |
ENCRYPTION_KEYS: "${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}" | |
NODE_ENV: development | |
SERVER_API_PROTOCOL: http | |
# for security reasons the github actions are pinned to specific release versions | |
jobs: | |
server_unit_tests: | |
name: Server unit tests | |
runs-on: ubuntu-24.04 | |
defaults: | |
run: | |
working-directory: td.server | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Use node LTS 20.14.0 | |
uses: actions/[email protected] | |
with: | |
node-version: '20.14.0' | |
- name: Cache NPM dir | |
uses: actions/[email protected] | |
with: | |
path: ~/.npm | |
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
${{ runner.os }}- | |
- name: Install packages | |
run: npm clean-install | |
- name: lint | |
run: npm run lint | |
- name: Unit test | |
run: npm run test:unit | |
site_unit_tests: | |
name: Site unit tests | |
runs-on: ubuntu-24.04 | |
defaults: | |
run: | |
working-directory: td.vue | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Use node LTS 20.14.0 | |
uses: actions/[email protected] | |
with: | |
node-version: '20.14.0' | |
- name: Cache NPM dir | |
uses: actions/[email protected] | |
with: | |
path: ~/.npm | |
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
${{ runner.os }}- | |
- name: Install packages | |
run: npm clean-install | |
- name: Site lint | |
run: npm run lint | |
- name: Run unit tests | |
run: npm run test:unit | |
desktop_unit_tests: | |
name: Desktop unit tests | |
runs-on: ubuntu-24.04 | |
defaults: | |
run: | |
working-directory: td.vue | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Use node LTS 20.14.0 | |
uses: actions/[email protected] | |
with: | |
node-version: '20.14.0' | |
- name: Cache NPM dir | |
uses: actions/[email protected] | |
with: | |
path: ~/.npm | |
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
${{ runner.os }}- | |
- name: Install packages | |
run: npm clean-install | |
- name: Desktop lint | |
run: npm run lint:desktop | |
- name: Run unit tests | |
run: npm run test:desktop | |
codeql: | |
name: Analyze with codeql | |
runs-on: ubuntu-24.04 | |
needs: [server_unit_tests, site_unit_tests, desktop_unit_tests] | |
permissions: | |
security-events: write | |
strategy: | |
fail-fast: false | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Initialize CodeQL | |
uses: github/codeql-action/[email protected] | |
with: | |
languages: 'javascript' | |
config-file: ./.github/codeql/codeql-config.yml | |
# If you wish to specify custom queries, you can do so here or in a config file. | |
# By default, queries listed here will override any specified in a config file. | |
# Prefix the list here with "+" to use these queries and those in the config file. | |
- name: CodeQL autobuild | |
uses: github/codeql-action/[email protected] | |
- name: Perform vulnerability analysis | |
uses: github/codeql-action/[email protected] | |
e2e_smokes: | |
name: Local site e2e smokes | |
runs-on: ubuntu-24.04 | |
needs: [site_unit_tests, server_unit_tests] | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Use node LTS 20.14.0 | |
uses: actions/[email protected] | |
with: | |
node-version: '20.14.0' | |
- name: Cache NPM dir | |
uses: actions/[email protected] | |
with: | |
path: ~/.npm | |
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
${{ runner.os }}- | |
- name: Install packages | |
run: npm clean-install | |
- name: Build and run locally | |
run: npm start | |
- name: Run e2e tests | |
run: | | |
cd td.vue | |
npm run test:e2e-pr-smokes | |
- name: Upload e2e videos | |
uses: actions/[email protected] | |
with: | |
name: e2e_vids.zip | |
path: td.vue/tests/e2e/videos | |
if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }} | |
e2e_tests: | |
name: Local site e2e tests | |
runs-on: ubuntu-24.04 | |
needs: e2e_smokes | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Use node LTS 20.14.0 | |
uses: actions/[email protected] | |
with: | |
node-version: '20.14.0' | |
- name: Cache NPM dir | |
uses: actions/[email protected] | |
with: | |
path: ~/.npm | |
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
- name: Install packages | |
run: npm clean-install | |
- name: Build and run locally | |
run: npm start | |
- name: Run e2e tests | |
run: | | |
cd td.vue | |
npm run test:e2e-pr | |
- name: Upload e2e videos | |
uses: actions/[email protected] | |
with: | |
name: e2e_vids.zip | |
path: td.vue/tests/e2e/videos | |
if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }} | |
zap_scan_web_app: | |
name: Local site zap scan | |
runs-on: ubuntu-24.04 | |
needs: e2e_tests | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Use node LTS 20.14.0 | |
uses: actions/[email protected] | |
with: | |
node-version: '20.14.0' | |
- name: Cache NPM dir | |
uses: actions/[email protected] | |
with: | |
path: ~/.npm | |
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
- name: Install packages | |
run: npm clean-install | |
- name: Build and run locally | |
run: npm start | |
- name: ZAP Scan | |
uses: zaproxy/[email protected] | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
target: 'http://localhost:8080' | |
rules_file_name: '.github/workflows/.zap-rules-web.tsv' | |
allow_issue_writing: false | |
fail_action: false | |
artifact_name: ${{ env.ZAP_FILE }} | |
cmd_options: '-a' | |
build_docker_image: | |
name: Build docker image | |
runs-on: ubuntu-24.04 | |
needs: e2e_smokes | |
if: github.repository == 'OWASP/threat-dragon' | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/[email protected] | |
with: | |
install: true | |
- name: Cache Docker layers | |
uses: actions/[email protected] | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile') }} | |
restore-keys: | | |
${{ runner.os }}-buildx- | |
${{ runner.os }}- | |
- name: Build for amd64 | |
id: docker_build | |
uses: docker/[email protected] | |
with: | |
context: ./ | |
file: ./Dockerfile | |
builder: ${{ steps.buildx.outputs.name }} | |
tags: ${{ env.IMAGE_NAME }} | |
outputs: type=docker,dest=/tmp/${{ env.IMAGE_NAME }}.tar | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max | |
platforms: linux/amd64 | |
load: true | |
- name: Upload docker local image | |
uses: actions/[email protected] | |
with: | |
name: ${{ env.IMAGE_NAME }} | |
path: /tmp/${{ env.IMAGE_NAME }}.tar | |
- name: Check docker local image | |
run: | | |
docker load --input /tmp/${{ env.IMAGE_NAME }}.tar | |
docker image ls -a | |
- # Temp fix for large cache bug | |
# https://github.com/docker/build-push-action/issues/252 | |
name: Move cache | |
run: | | |
rm -rf /tmp/.buildx-cache | |
mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
scan_image_with_trivy: | |
name: Scan with Trivy | |
runs-on: ubuntu-24.04 | |
needs: build_docker_image | |
permissions: | |
contents: write | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
- name: Retrieve local docker image | |
uses: actions/[email protected] | |
with: | |
name: ${{ env.IMAGE_NAME }} | |
path: /tmp | |
- name: Load local docker image | |
run: | | |
docker load --input /tmp/${{ env.IMAGE_NAME }}.tar | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: '${{ env.IMAGE_NAME }}' | |
format: 'table' | |
trivyignores: '.github/workflows/.trivyignore' | |
exit-code: 1 |