feat: support custom jwt assertion claim #386
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test API Generate Coverage, and Run SonarCloud Analysis | |
on: | |
workflow_dispatch: | |
pull_request: | |
branches: | |
- main | |
- test-coverage | |
paths: | |
- "api/source/**" | |
- "test/api/**" | |
- ".github/workflows/api-audit-test-coverage-response.yml" | |
push: | |
branches: | |
- main | |
- test-coverage | |
paths: | |
- "api/source/**" | |
- "test/api/**" | |
- ".github/workflows/api-audit-test-coverage-response.yml" | |
env: | |
STIGMAN_API_PORT: 64001 | |
STIGMAN_DB_HOST: localhost | |
STIGMAN_DB_PORT: 3306 | |
STIGMAN_DB_PASSWORD: stigman | |
STIGMAN_API_AUTHORITY: http://127.0.0.1:8080/auth/realms/stigman | |
STIGMAN_SWAGGER_ENABLED: true | |
STIGMAN_SWAGGER_SERVER: http://localhost:64001/api | |
STIGMAN_SWAGGER_REDIRECT: http://localhost:64001/api-docs/oauth2-redirect.html | |
STIGMAN_DEV_RESPONSE_VALIDATION: logOnly | |
STIGMAN_EXPERIMENTAL_APPDATA: 'true' | |
NODE_V8_COVERAGE: /home/runner/work/stig-manager/stig-manager/api/source/coverage/tmp/ | |
permissions: | |
pull-requests: read # allows SonarCloud to decorate PRs with analysis results | |
jobs: | |
npm_audit: | |
name: npm audit | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: install dependencies | |
run: npm ci | |
working-directory: ./api/source/ | |
- name: Audit Dependencies and Create PR Comment if needed | |
uses: oke-py/npm-audit-action@2c6b2da234031fbf72af81a04c76b3a152bb2222 # pin@v2 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
create_issues: false | |
create_pr_comments: true | |
working_directory: ./api/source/ | |
test_api: | |
name: Run tests with coverage | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: 18 | |
- name: coverage directory | |
run: printenv NODE_V8_COVERAGE | |
- name: Install app dependencies | |
working-directory: ./api/source | |
run: npm ci | |
- name: Install test dependencies | |
run: npm ci | |
working-directory: ./test/api/ | |
- name: Run mock Keycloak | |
id: idp-run | |
working-directory: ./test/api/mock-keycloak | |
run: | | |
python3 -m http.server 8080 & | |
- name: Run MySQL container | |
id: mysql-run | |
run: | | |
docker run -d --name stig-manager-db \ | |
-p 3306:3306 \ | |
-e MYSQL_ROOT_PASSWORD=rootpw \ | |
-e MYSQL_DATABASE=stigman \ | |
-e MYSQL_USER=stigman \ | |
-e MYSQL_PASSWORD=stigman \ | |
mysql:8.0.21 | |
- name: Install c8 coverage reporter | |
run: | | |
sudo npm install -g c8 | |
- name: Run app and echo pid | |
working-directory: ./api/source | |
run: sh -c 'echo $$ > /tmp/test.pid ; exec c8 -r html node index.js > api-log.json 2>&1' & | |
- name: pid file check | |
working-directory: ./api/source | |
run: cat /tmp/test.pid | |
- name: Wait for bootstrap | |
run: for i in {1..10}; do [ $i -gt 1 ] && sleep 5; curl --output /dev/null --silent --fail http://localhost:64001/api/op/configuration && s=0 && break || s=$?; printf '.'; done; (exit $s) | |
- name: Run tests with coverage | |
working-directory: ./test/api/ | |
run: npm test | |
- name: Upload mocha test report | |
id: artifact-upload-mocha | |
uses: actions/upload-artifact@v4 | |
if: ${{ always() }} | |
with: | |
name: mocha-report | |
path: ./test/api/mochawesome-report | |
- name: Kill child pid | |
working-directory: ./api/source | |
run: kill -SIGINT $(ps -ef --ppid `cat /tmp/test.pid` -o pid= ) | |
- name: Wait until c8 process ends, or 60 seconds, whichever is shorter. | |
run: timeout 60 tail --pid=`cat /tmp/test.pid` -f /dev/null | |
- name: run c8 text/lcov report | |
working-directory: ./api/source | |
run: c8 report -r lcov -r text -r html | |
- name: Upload coverage artifact | |
id: artifact-upload-coverage | |
uses: actions/upload-artifact@v4 | |
if: ${{ always() }} | |
with: | |
name: coverage-report | |
path: ./api/source/coverage | |
- name: Upload API logs | |
id: artifact-upload-api-logs | |
uses: actions/upload-artifact@v4 | |
if: ${{ always() }} | |
with: | |
name: api-log | |
path: ./api/source/api-log.json | |
response_validation: | |
name: Response validation | |
needs: | |
- test_api | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download API log artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: api-log | |
path: ./logs | |
- name: Test for response validation messages | |
working-directory: ./logs | |
run: | | |
jq -s 'map(select(.type=="responseValidation")|{method:.data.request.method,url:.data.request.url,errors:.data.error.errors,body:.data.body})' api-log.json > response-validation.json | |
exit $(jq '. | length' response-validation.json) | |
- name: Upload response validation artifact | |
if: ${{ failure() }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: response-validation | |
path: ./logs/response-validation.json | |
SonarCloudAnalysis-API: | |
name: SonarCloud Analysis API | |
needs: test_api | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check if PR is from a fork | |
id: check_fork | |
run: | | |
if [ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]; then | |
echo "This is a PR from a fork, skipping sonarcloud analysis." | |
echo "SKIP_STEP=true" >> $GITHUB_ENV | |
fi | |
- name: Checkout repository | |
if: env.SKIP_STEP != 'true' | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Important to fetch all history for accurate blame information | |
- name: Download lcov artifact | |
if: env.SKIP_STEP != 'true' | |
uses: actions/download-artifact@v4 | |
with: | |
name: coverage-report | |
- name: Move lcov.info to api/source | |
if: env.SKIP_STEP != 'true' | |
run: mv lcov.info ./api/source/ | |
- name: Analyze API with SonarCloud | |
if: env.SKIP_STEP != 'true' | |
uses: SonarSource/sonarcloud-github-action@v2.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN_API }} # Needed to push to SonarCloud | |
with: | |
# Additional arguments for the sonarcloud scanner | |
projectBaseDir: ./api/source | |
args: -Dsonar.projectKey=nuwcdivnpt_stig-manager-api | |
-Dsonar.projectName=nuwcdivnpt_stig-manager-api | |
-Dsonar.organization=nuwcdivnpt | |
-Dsonar.inclusions=**/*.js | |
-Dsonar.exclusions=**/node_modules/**,**/coverage-report/** | |
-Dsonar.javascript.lcov.reportPaths=./lcov.info | |
# This will fail the action if Quality Gate fails (leaving out for now ) | |
# - name: Check Quality Gate | |
# uses: sonarsource/sonarqube-quality-gate-action@master | |
# env: | |
# SONAR_TOKEN: |