From e61b5b67793f7cd2b553b9edb865264838f37808 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fernando=20Fern=C3=A1ndez?= Date: Thu, 14 Dec 2023 15:14:47 +0000 Subject: [PATCH] ci(actions): add quality checks * Verify conventional commits * The tests are run for every PR in the django workflow. However, we just do unit tests. We could also check if the backend run with the changes, so that's what we do in this PR. * Use GitHub's vulnerability scan action for external dependencies * Use GitHub's code scanning action for code quality and security (CodeQL) * Translate all the sentences to Spanish * Minor refactors to uniformize the syntax between all the workflow definitions Signed-off-by: GitHub --- .github/workflows/automation.yml | 10 ++- .github/workflows/codeql.yml | 52 ++++++++++++ .github/workflows/{django.yml => decide.yml} | 18 ++-- .github/workflows/quality-checks.yml | 87 ++++++++++++++++++++ 4 files changed, 156 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/codeql.yml rename .github/workflows/{django.yml => decide.yml} (79%) create mode 100644 .github/workflows/quality-checks.yml diff --git a/.github/workflows/automation.yml b/.github/workflows/automation.yml index b9a9c67dd..f8070dc71 100644 --- a/.github/workflows/automation.yml +++ b/.github/workflows/automation.yml @@ -1,4 +1,4 @@ -name: Automatizacion 🤖 +name: Automatización 🤖 concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} @@ -12,14 +12,18 @@ on: - "**/*.md" pull_request_target: issues: - types: [opened, reopened, transferred] + types: + - opened + - reopened + - transferred jobs: project: name: Actualizar el proyecto 📊 runs-on: ubuntu-latest steps: - - uses: actions/add-to-project@v0.5.0 + - name: Añadir al proyecto + uses: actions/add-to-project@v0.5.0 if: ${{ github.event_name == 'pull_request_target' || github.event_name == 'issues' }} continue-on-error: true with: 
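Review bot: `uses: actions/add-to-project@v0.5.0` on the re-added step references a mutable tag, so the code this job executes can change without any edit to the repository, and this is the job that runs on `pull_request_target`, which by default carries repository secrets and a write-capable token. GitHub's hardening guidance is to pin third-party actions to a full-length commit SHA and keep the version in a trailing comment, e.g. `uses: actions/add-to-project@<commit-sha> # v0.5.0`. The same applies to every `uses:` line added in codeql.yml, decide.yml and quality-checks.yml, where the mix of patch tags (`actions/checkout@v4.1.1`) and floating major tags (`github/codeql-action/init@v2`) also works against the "uniformize the syntax" goal stated in the description.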
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..cf6cba959
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,52 @@
+name: GitHub CodeQL 🔬
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ paths-ignore:
+ - "**/*.md"
+ workflow_call:
+ schedule:
+ - cron: "0 0 * * MON,FRI"
+
+jobs:
+ analyze:
+ name: Análisis de CodeQL 🔬
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language:
+ - "javascript-typescript"
+ - "python"
+
+ steps:
+ - name: Clonar ⬇️
+ uses: actions/checkout@v4.1.1
+ with:
+ show-progress: false
+
+ - name: Preparar consultas 🛠️
+ uses: github/codeql-action/init@v2
+ with:
+ queries: security-and-quality
+ languages: ${{ matrix.language }}
+
+ - name: Construir consultas 📦
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Realizar análisis 🧪
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/django.yml b/.github/workflows/decide.yml
similarity index 79%
rename from .github/workflows/django.yml
rename to .github/workflows/decide.yml
index 88c2a42a4..8375a79e5 100644
--- a/.github/workflows/django.yml
+++ b/.github/workflows/decide.yml
@@ -1,4 +1,4 @@
-name: Decide checks 🗳️
+name: Decide 🗳️
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -17,12 +17,13 @@ on:
 jobs:
 test:
- name: Test 🧪
+ name: Pruebas unitarias 🧪
 runs-on: ubuntu-latest
 defaults:
 run:
 working-directory: decide
 strategy:
+ fail-fast: false
 matrix:
 module:
 - "authentication"
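Review bot: `Construir consultas 📦` mislabels the `github/codeql-action/autobuild@v2` step: autobuild attempts to build the checked-out project (for the interpreted languages in this matrix it does little or nothing), not the queries, and `Preparar consultas 🛠️` for `init` is similarly off, since `init` sets up the CodeQL database and selects the `security-and-quality` suite. Suggest `- name: Inicializar CodeQL 🛠️` and `- name: Compilar proyecto (autobuild) 📦` so a reader of the run log sees which phase failed. Also, with `workflow_call:` in `on:`, a calling workflow has to grant at least `security-events: write` itself, because the job-level `permissions:` here cannot exceed what the caller passes; a comment next to `workflow_call:` saying so would save the next person a failed run.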
@@ -47,37 +48,38 @@ jobs:
 POSTGRES_DB: decide
 ports:
 - 5432:5432
- # needed because the postgres container does not provide a healthcheck
+ # Necesario porque el contenedor no tiene comprobaciones de estado
 options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 steps:
- - name: Checkout ⬇️
+ - name: Clonar ⬇️
 uses: actions/checkout@v4.1.1
 with:
 show-progress: false
- - name: Setup Python 🐍
+ - name: Configurar Python 🐍
 uses: actions/setup-python@v5.0.0
 with:
 python-version: '3.x'
 check-latest: true
- - name: Install dependencies 📦
+ - name: Instalar dependencias 📦
 run: |
 sudo apt update
 sudo apt install libpq-dev chromium-browser chromium-chromedriver
 echo "pynose==1.4.8" >> ../requirements.txt
 echo "selenium" >> ../requirements.txt
 echo "coverage" >> ../requirements.txt
+ # Necesario a partir de Python 3.12: https://github.com/Becksteinlab/GromacsWrapper/issues/263#issue-1966724749
 echo "setuptools" >> ../requirements.txt
 pip install -r ../requirements.txt
 cp local_settings.gactions.py local_settings.py
- - name: Perform migrations 🗃️
+ - name: Aplicar migraciones 🗃️
 run: |
 python manage.py migrate
- - name: Run unit tests 🔬
+ - name: Ejecutar pruebas 🔬
 run: |
 python manage.py test ${{ matrix.module }}
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
new file mode 100644
index 000000000..0d9c66437
--- /dev/null
+++ b/.github/workflows/quality-checks.yml
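Review bot: The `Instalar dependencias 📦` step appends `selenium`, `coverage` and now `setuptools` to `../requirements.txt` without a version while `pynose` is pinned, so the same commit can pass one day and fail the next when one of those packages publishes a breaking release — the new `Necesario a partir de Python 3.12` comment records exactly that kind of drift, and `python-version: '3.x'` with `check-latest: true` adds the interpreter to the moving parts. Pin them the way `pynose` is pinned (`echo "selenium==<version>" >> ../requirements.txt` and so on), or keep the test-only additions in a committed `requirements-test.txt` so the versions are reviewed with the code instead of being resolved at run time. The same unpinned `setuptools` line is repeated in the `Instalar dependencias 📦` step of quality-checks.yml.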
@@ -0,0 +1,87 @@
+name: Calidad 👌🧪
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+on:
+ pull_request:
+ paths-ignore:
+ - "**/*.md"
+ workflow_dispatch:
+
+jobs:
+ dependency-review:
+ name: Vulnerabilidades en dependencias 🔎
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clonar repositorio ⬇️
+ uses: actions/checkout@v4.1.1
+ with:
+ show-progress: false
+
+ - name: Buscar dependencias vulnerables 🦠
+ uses: actions/dependency-review-action@v3.1.4
+
+ conventional_commits:
+ name: Convención de commits 💬
+ if: ${{ github.event_name == 'pull_request' }}
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Clonar repositorio ⬇️
+ uses: actions/checkout@v4.1.1
+ with:
+ show-progress: false
+
+ - name: Verificar cumplimiento 📝
+ uses: webiny/action-conventional-commits@v1.2.0
+
+ run_backend:
+ name: Iniciar 🏃‍♂️
+ runs-on: ubuntu-latest
+ services:
+ postgres:
+ image: postgres:latest
+ env:
+ POSTGRES_USER: decide
+ POSTGRES_PASSWORD: decide
+ POSTGRES_DB: decide
+ ports:
+ - 5432:5432
+ # Necesario porque el contenedor no tiene comprobaciones de estado
+ options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+ defaults:
+ run:
+ working-directory: decide
+
+ steps:
+ - name: Clonar repositorio ⬇️
+ uses: actions/checkout@v4.1.1
+ with:
+ show-progress: false
+
+ - name: Configurar Python 🐍
+ uses: actions/setup-python@v5.0.0
+ with:
+ python-version: '3.x'
+ check-latest: true
+
+ - name: Instalar dependencias 📦
+ run: |
+ # Necesario a partir de Python 3.12: https://github.com/Becksteinlab/GromacsWrapper/issues/263#issue-1966724749
+ echo "setuptools" >> ../requirements.txt
+ pip install -r ../requirements.txt
+
+ - name: Aplicar migraciones 🗃️
+ run: python ./manage.py migrate
+
+ - name: Iniciar servidor de Decide (Django) 🏃‍♂️
+ run: |
+ python manage.py runserver 127.0.0.1:8000 &
+ sleep 10 # Espera a que el servidor esté listo
+
+ - name: Comprobar si responde a peticiones 🩺
+ run: |
+ curl -I http://127.0.0.1:8000/
+ sudo pkill python
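Review bot: `curl -I http://127.0.0.1:8000/` in the last step only fails when no connection can be made: any HTTP answer, including a 500 from a broken settings module, exits 0, so `Comprobar si responde a peticiones 🩺` passes whenever the port is open, and the fixed `sleep 10` in the previous step is a guess that is either wasted or too short depending on the runner. Replacing it with `curl --fail` plus `--retry --retry-connrefused` gives a bounded readiness wait that fails on an error status, and stopping the server by the PID saved to `$GITHUB_ENV` avoids `sudo pkill python`, which kills every Python process on the runner. The workflow also declares no top-level `permissions:`, so the third-party `webiny/action-conventional-commits@v1.2.0` and `actions/dependency-review-action@v3.1.4` run with whatever the repository's default token scope is; a top-level `permissions:` of `contents: read` (plus `pull-requests: read` if either action's README asks for it) is the least-privilege starting point. Finally, `dependency-review` lacks the `if: ${{ github.event_name == 'pull_request' }}` guard that `conventional_commits` has, yet the action compares a base and head ref it only derives from a pull request unless `base-ref`/`head-ref` are given, so a `workflow_dispatch` run will presumably fail on that job.
```yaml
      # … unchanged: checkout, setup-python, install and migrate steps …

      - name: Iniciar servidor de Decide (Django) 🏃‍♂️
        run: |
          python manage.py runserver 127.0.0.1:8000 &
          # PID of the dev server, read back by the next step
          echo "DECIDE_PID=$!" >> "$GITHUB_ENV"

      - name: Comprobar si responde a peticiones 🩺
        run: |
          # --fail turns a 4xx/5xx answer into a non-zero exit; the retry
          # flags replace the fixed sleep with a bounded wait for the socket
          curl --fail --silent --show-error --head \
            --retry 10 --retry-delay 2 --retry-connrefused \
            http://127.0.0.1:8000/
          kill "$DECIDE_PID"
```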