Skip to content

feat: support custom jwt assertion claim #386

feat: support custom jwt assertion claim

feat: support custom jwt assertion claim #386

name: Test API Generate Coverage, and Run SonarCloud Analysis
on:
workflow_dispatch:
pull_request:
branches:
- main
- test-coverage
paths:
- "api/source/**"
- "test/api/**"
- ".github/workflows/api-audit-test-coverage-response.yml"
push:
branches:
- main
- test-coverage
paths:
- "api/source/**"
- "test/api/**"
- ".github/workflows/api-audit-test-coverage-response.yml"
env:
STIGMAN_API_PORT: 64001
STIGMAN_DB_HOST: localhost
STIGMAN_DB_PORT: 3306
STIGMAN_DB_PASSWORD: stigman
STIGMAN_API_AUTHORITY: http://127.0.0.1:8080/auth/realms/stigman
STIGMAN_SWAGGER_ENABLED: true
STIGMAN_SWAGGER_SERVER: http://localhost:64001/api
STIGMAN_SWAGGER_REDIRECT: http://localhost:64001/api-docs/oauth2-redirect.html
STIGMAN_DEV_RESPONSE_VALIDATION: logOnly
STIGMAN_EXPERIMENTAL_APPDATA: 'true'
NODE_V8_COVERAGE: /home/runner/work/stig-manager/stig-manager/api/source/coverage/tmp/
permissions:
pull-requests: read # allows SonarCloud to decorate PRs with analysis results
jobs:
npm_audit:
name: npm audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: install dependencies
run: npm ci
working-directory: ./api/source/
- name: Audit Dependencies and Create PR Comment if needed
uses: oke-py/npm-audit-action@2c6b2da234031fbf72af81a04c76b3a152bb2222 # pin@v2
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
create_issues: false
create_pr_comments: true
working_directory: ./api/source/
test_api:
name: Run tests with coverage
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 18
- name: coverage directory
run: printenv NODE_V8_COVERAGE
- name: Install app dependencies
working-directory: ./api/source
run: npm ci
- name: Install test dependencies
run: npm ci
working-directory: ./test/api/
- name: Run mock Keycloak
id: idp-run
working-directory: ./test/api/mock-keycloak
run: |
python3 -m http.server 8080 &
- name: Run MySQL container
id: mysql-run
run: |
docker run -d --name stig-manager-db \
-p 3306:3306 \
-e MYSQL_ROOT_PASSWORD=rootpw \
-e MYSQL_DATABASE=stigman \
-e MYSQL_USER=stigman \
-e MYSQL_PASSWORD=stigman \
mysql:8.0.21
- name: Install c8 coverage reporter
run: |
sudo npm install -g c8
- name: Run app and echo pid
working-directory: ./api/source
run: sh -c 'echo $$ > /tmp/test.pid ; exec c8 -r html node index.js > api-log.json 2>&1' &
- name: pid file check
working-directory: ./api/source
run: cat /tmp/test.pid
- name: Wait for bootstrap
run: for i in {1..10}; do [ $i -gt 1 ] && sleep 5; curl --output /dev/null --silent --fail http://localhost:64001/api/op/configuration && s=0 && break || s=$?; printf '.'; done; (exit $s)
- name: Run tests with coverage
working-directory: ./test/api/
run: npm test
- name: Upload mocha test report
id: artifact-upload-mocha
uses: actions/upload-artifact@v4
if: ${{ always() }}
with:
name: mocha-report
path: ./test/api/mochawesome-report
- name: Kill child pid
working-directory: ./api/source
run: kill -SIGINT $(ps -ef --ppid `cat /tmp/test.pid` -o pid= )
- name: Wait until c8 process ends, or 60 seconds, whichever is shorter.
run: timeout 60 tail --pid=`cat /tmp/test.pid` -f /dev/null
- name: run c8 text/lcov report
working-directory: ./api/source
run: c8 report -r lcov -r text -r html
- name: Upload coverage artifact
id: artifact-upload-coverage
uses: actions/upload-artifact@v4
if: ${{ always() }}
with:
name: coverage-report
path: ./api/source/coverage
- name: Upload API logs
id: artifact-upload-api-logs
uses: actions/upload-artifact@v4
if: ${{ always() }}
with:
name: api-log
path: ./api/source/api-log.json
response_validation:
name: Response validation
needs:
- test_api
runs-on: ubuntu-latest
steps:
- name: Download API log artifact
uses: actions/download-artifact@v4
with:
name: api-log
path: ./logs
- name: Test for response validation messages
working-directory: ./logs
run: |
jq -s 'map(select(.type=="responseValidation")|{method:.data.request.method,url:.data.request.url,errors:.data.error.errors,body:.data.body})' api-log.json > response-validation.json
exit $(jq '. | length' response-validation.json)
- name: Upload response validation artifact
if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: response-validation
path: ./logs/response-validation.json
SonarCloudAnalysis-API:
name: SonarCloud Analysis API
needs: test_api
runs-on: ubuntu-latest
steps:
- name: Check if PR is from a fork
id: check_fork
run: |
if [ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]; then
echo "This is a PR from a fork, skipping sonarcloud analysis."
echo "SKIP_STEP=true" >> $GITHUB_ENV
fi
- name: Checkout repository
if: env.SKIP_STEP != 'true'
uses: actions/checkout@v4
with:
fetch-depth: 0 # Important to fetch all history for accurate blame information
- name: Download lcov artifact
if: env.SKIP_STEP != 'true'
uses: actions/download-artifact@v4
with:
name: coverage-report
- name: Move lcov.info to api/source
if: env.SKIP_STEP != 'true'
run: mv lcov.info ./api/source/
- name: Analyze API with SonarCloud
if: env.SKIP_STEP != 'true'
uses: SonarSource/sonarcloud-github-action@v2.0.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_API }} # Needed to push to SonarCloud
with:
# Additional arguments for the sonarcloud scanner
projectBaseDir: ./api/source
args: -Dsonar.projectKey=nuwcdivnpt_stig-manager-api
-Dsonar.projectName=nuwcdivnpt_stig-manager-api
-Dsonar.organization=nuwcdivnpt
-Dsonar.inclusions=**/*.js
-Dsonar.exclusions=**/node_modules/**,**/coverage-report/**
-Dsonar.javascript.lcov.reportPaths=./lcov.info
# This will fail the action if Quality Gate fails (leaving out for now )
# - name: Check Quality Gate
# uses: sonarsource/sonarqube-quality-gate-action@master
# env:
# SONAR_TOKEN: