Skip to content

[Snyk] Fix for 7 vulnerabilities #435

[Snyk] Fix for 7 vulnerabilities

[Snyk] Fix for 7 vulnerabilities #435

Workflow file for this run

name: "CI"
env:
POETRY_VERSION: "1.3.1"
on:
push:
branches:
- master
- main
pull_request:
branches:
- master
- main
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
Lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Install Linter
run: |
python -m pip install --upgrade pip
pip install flake8 black
- name: Lint Check
run: |
make lint
- name: Format Check
run: |
black --check tools/c7n_left
Analyzer:
runs-on: ubuntu-latest
needs: Lint
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v1
with:
python-version: 3.9
- name: Run Bandit
run: |
python -m pip install bandit
make analyzer-bandit
- name: Run Semgrep
run: |
python -m pip install semgrep
make analyzer-semgrep
Tests:
runs-on: "${{ matrix.os }}"
needs: Lint
strategy:
matrix:
# os: [ubuntu-latest, macos-latest, windows-latest]
os: [ubuntu-latest]
python-version: ["3.10"]
include:
- os: ubuntu-latest
python-version: 3.9
# - os: ubuntu-latest
# python-version: 3.8
# - os: ubuntu-latest
# python-version: 3.7
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v2
with:
python-version: ${{ matrix.python-version }}
- name: Bootstrap poetry
shell: bash
run: |
curl -sSL https://raw.githubusercontent.com/python-poetry/install.python-poetry.org/6161821b1d39fa30f92a677bba51abfc471f8aee/install-poetry.py | python3 - --version $POETRY_VERSION -y
- name: Set up cache
uses: actions/cache@v2
id: cache
with:
path: .venv
key: venv-${{ runner.os }}-${{ matrix.python-version }}-${{ hashFiles('**/poetry.lock') }}
- name: Update PATH
shell: bash
run: |
if [[ "$OSTYPE" == "msys" ]]
then
echo "$APPDATA\Python\Scripts" >> $GITHUB_PATH
echo "$PWD\.venv\Scripts" >> $GITHUB_PATH
echo "VIRTUAL_ENV=$PWD\.venv" >> $GITHUB_ENV
else
echo "$HOME/.local/bin" >> $GITHUB_PATH
echo "$PWD/.venv/bin" >> $GITHUB_PATH
echo "VIRTUAL_ENV=$PWD/.venv" >> $GITHUB_ENV
fi
- name: Ensure cache is healthy
if: steps.cache.outputs.cache-hit == 'true'
id: cache_check
shell: bash
run: |
(poetry run custodian version && echo "::set-output name=venv::success") || (rm -rf .venv && echo "::set-output name=venv::recreate")
- name: Virtualenv
if: steps.cache.outputs.cache-hit != 'true' || steps.cache_check.outputs.venv != 'success'
shell: bash
env:
CHECK_VENV: ${{ steps.cache_check.outputs.venv }}
CACHE_HIT: ${{ steps.cache.outputs.cache-hit }}
run: |
echo "check venv $CHECK_VENV"
echo "cache hit $CACHE_HIT"
python -m venv .venv
- name: Install Deps
if: steps.cache.outputs.cache-hit != 'true' || steps.cache_check.outputs.venv != 'success'
shell: bash
run: |
python -m pip install --upgrade pip
pip install -U wheel
make install-poetry
- name: Test
shell: bash
env:
COV_RUN: ${{ contains(matrix.python-version, '3.10') && contains(matrix.os, 'ubuntu') }}
run: |
if [[ "$COV_RUN" == "true" ]]
then
echo "Running Coverage Test"
. test.env && poetry run pytest -n auto tests tools \
--cov c7n --cov tools/c7n_azure/c7n_azure \
--cov tools/c7n_gcp/c7n_gcp --cov tools/c7n_kube/c7n_kube \
--cov tools/c7n_tencentcloud/c7n_tencentcloud \
--cov tools/c7n_left/c7n_left \
--cov tools/c7n_mailer/c7n_mailer
poetry run coverage xml
else
. test.env && poetry run pytest -n auto tests tools
fi
- name: Upload Code Coverage
uses: codecov/codecov-action@v3
if: contains(matrix.python-version, '3.10') && contains(matrix.os, 'ubuntu')
with:
files: ./coverage.xml
name: codecov
verbose: true
- name: License Check
if: contains(matrix.python-version, '3.9') && contains(matrix.os, 'ubuntu')
run: |
poetry run python tools/dev/license-check.py