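---
# CI for the CDK project: installs Python and Node toolchains, builds the
# Lambda layer, smoke-tests `cdk synth` in both context configurations, then
# runs Bandit, Semgrep and pip-audit. No step writes back to the repository.
name: python-tests

# yamllint disable-line rule:truthy
on: [push, pull_request]

# Least privilege for GITHUB_TOKEN: actions/checkout only needs contents:read.
# Without this block the token gets the repository's default (often
# read/write) scopes, which nothing in this workflow requires.
permissions:
  contents: read

jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      # Actions are referenced by mutable major tag. Pinning to a full commit
      # SHA (e.g. actions/checkout@<commit-sha>, looked up in the action's
      # repository) and letting Dependabot bump it removes the tag-retarget
      # risk; the tag form is kept here so the workflow stays runnable as is.
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          # quoted so YAML does not read 3.10 as the float 3.1
          python-version: '3.10'
      - uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: install python dependencies
        run: pip install -r requirements.txt

      - name: install layer files
        # Resolve wheels for the Lambda runtime's platform, not the runner's;
        # folded scalar keeps this as a single shell command.
        run: >-
          pip install -r ./lambda/token/requirements.txt
          --target ./layers/token/python
          --only-binary=":all:"
          --platform manylinux2014_x86_64

      - name: install cdk
        run: npm install -g aws-cdk

      - name: smoke-test-pjwt-only
        run: |
          cp cdk.context.template cdk.context.json
          echo synth test with Private Key JWT only
          cdk synth

      - name: smoke-test-full
        run: |
          cp cdk.context.template cdk.context.json
          echo synth test with PKCE and Private Key JWT
          # flip the pkce flag in the generated context; the template itself is untouched
          sed -i 's/"pkce": false/"pkce": true/g' cdk.context.json
          cdk synth

      # The three scanners below are installed unpinned at run time, so scan
      # results can change between runs without a change to this repository;
      # pinning them (or listing them in a dev requirements file) makes the
      # scan reproducible. Versions are deliberately not guessed here.
      - name: python sec scan
        run: |
          pip install bandit
          bandit -r ./ --exclude "./cdk.out","./layers"

      - name: static code analysis
        run: |
          pip install semgrep
          semgrep scan --config auto

      - name: python package scan - ignore future alternatives
        run: |
          pip install pip-audit
          # -print0 / xargs -0 keeps paths with whitespace intact (the former
          # `for i in $(find ...)` word-split them). xargs -r runs nothing when
          # find matches no file, and exits 123 if any pip-audit invocation
          # fails, so the step still fails under the default `bash -eo pipefail`.
          find . -name requirements.txt -not -path "*/alternatives/*" -print0 \
            | xargs -0 -r -n1 pip-audit -r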