ci(actions): add quality checks

* Verify conventional commits * The tests are run for every PR in the django workflow. However, we just do unit tests. We could also check if the backend run with the changes, so that's what we do in this PR. * Use GitHub's vulnerability scan action for external dependencies * Use GitHub's code scanning action for code quality and security (CodeQL) * Translate all the sentences to Spanish * Minor refactors to uniformize the syntax between all the workflow definitions Signed-off-by: GitHub <[email protected]>
us-ferferga · Dec 14, 2023 · e61b5b6 · e61b5b6
1 parent e2cffc5
commit e61b5b6
Show file tree

Hide file tree

Showing 4 changed files with 156 additions and 11 deletions.
diff --git a/.github/workflows/automation.yml b/.github/workflows/automation.yml
@@ -1,4 +1,4 @@
-name: Automatizacion 🤖
+name: Automatización 🤖
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -12,14 +12,18 @@ on:
       - "**/*.md"
   pull_request_target:
   issues:
-    types: [opened, reopened, transferred]
+    types: 
+      - opened
+      - reopened
+      - transferred
 
 jobs:
   project:
     name: Actualizar el proyecto 📊
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/[email protected]
+      - name: Añadir al proyecto
+        uses: actions/[email protected]
         if: ${{ github.event_name == 'pull_request_target' || github.event_name == 'issues' }}
         continue-on-error: true
         with:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,52 @@
+name: GitHub CodeQL 🔬
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    paths-ignore:
+      - "**/*.md"
+  workflow_call:
+  schedule:
+    - cron: "0 0 * * MON,FRI"
+
+jobs:
+  analyze:
+    name: Análisis de CodeQL 🔬
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - "javascript-typescript"
+          - "python"
+
+    steps:
+      - name: Clonar ⬇️
+        uses: actions/[email protected]
+        with:
+          show-progress: false
+
+      - name: Preparar consultas 🛠️
+        uses: github/codeql-action/init@v2
+        with:
+          queries: security-and-quality
+          languages: ${{ matrix.language }}
+
+      - name: Construir consultas 📦
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Realizar análisis 🧪
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/django.yml → .github/workflows/decide.yml b/.github/workflows/django.yml → .github/workflows/decide.yml
@@ -1,4 +1,4 @@
-name: Decide checks 🗳️
+name: Decide 🗳️
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -17,12 +17,13 @@ on:
 
 jobs:
   test:
-    name: Test 🧪
+    name: Pruebas unitarias 🧪
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: decide
     strategy:
+      fail-fast: false
       matrix:
         module: 
           - "authentication"
@@ -47,37 +48,38 @@ jobs:
           POSTGRES_DB: decide
         ports:
           - 5432:5432
-        # needed because the postgres container does not provide a healthcheck
+        # Necesario porque el contenedor no tiene comprobaciones de estado
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 
     steps:
-    - name: Checkout ⬇️
+    - name: Clonar ⬇️
       uses: actions/[email protected]
       with:
         show-progress: false
 
-    - name: Setup Python 🐍
+    - name: Configurar Python 🐍
       uses: actions/[email protected]
       with:
         python-version: '3.x'
         check-latest: true
 
-    - name: Install dependencies 📦
+    - name: Instalar dependencias 📦
       run: |
         sudo apt update
         sudo apt install libpq-dev chromium-browser chromium-chromedriver
         echo "pynose==1.4.8" >> ../requirements.txt
         echo "selenium" >> ../requirements.txt
         echo "coverage" >> ../requirements.txt
+        # Necesario a partir de Python 3.12: https://github.com/Becksteinlab/GromacsWrapper/issues/263#issue-1966724749
         echo "setuptools" >> ../requirements.txt
         pip install -r ../requirements.txt
         cp local_settings.gactions.py local_settings.py
 
-    - name: Perform migrations 🗃️
+    - name: Aplicar migraciones 🗃️
       run: |
         python manage.py migrate
 
-    - name: Run unit tests 🔬
+    - name: Ejecutar pruebas 🔬
       run: |
         python manage.py test ${{ matrix.module }}
 
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -0,0 +1,87 @@
+name: Calidad 👌🧪
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    paths-ignore:
+      - "**/*.md"
+  workflow_dispatch:
+
+jobs:
+  dependency-review:
+    name: Vulnerabilidades en dependencias 🔎
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clonar repositorio ⬇️
+        uses: actions/[email protected]
+        with:
+          show-progress: false
+
+      - name: Buscar dependencias vulnerables 🦠
+        uses: actions/[email protected]
+
+  conventional_commits:
+    name: Convención de commits 💬
+    if: ${{ github.event_name == 'pull_request' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clonar repositorio ⬇️
+        uses: actions/[email protected]
+        with:
+          show-progress: false
+
+      - name: Verificar cumplimiento 📝
+        uses: webiny/[email protected]
+
+  run_backend:
+    name: Iniciar 🏃‍♂️
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:latest
+        env:
+          POSTGRES_USER: decide
+          POSTGRES_PASSWORD: decide
+          POSTGRES_DB: decide
+        ports:
+          - 5432:5432
+        # Necesario porque el contenedor no tiene comprobaciones de estado
+        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+    defaults:
+      run:
+        working-directory: decide
+
+    steps:
+      - name: Clonar repositorio ⬇️
+        uses: actions/[email protected]
+        with:
+          show-progress: false
+
+      - name: Configurar Python 🐍
+        uses: actions/[email protected]
+        with:
+          python-version: '3.x'
+          check-latest: true
+
+      - name: Instalar dependencias 📦
+        run: |
+          # Necesario a partir de Python 3.12: https://github.com/Becksteinlab/GromacsWrapper/issues/263#issue-1966724749
+          echo "setuptools" >> ../requirements.txt
+          pip install -r ../requirements.txt
+
+      - name: Aplicar migraciones 🗃️
+        run: python ./manage.py migrate
+
+      - name: Iniciar servidor de Decide (Django) 🏃‍♂️
+        run: |
+          python manage.py runserver 127.0.0.1:8000 &
+          sleep 10 # Espera a que el servidor esté listo
+
+      - name: Comprobar si responde a peticiones 🩺
+        run: |
+          curl -I http://127.0.0.1:8000/
+          sudo pkill python