Merge pull request #396 from aws-solutions/release/v1.11.1
Release/v1.11.1
eggoynes authored Apr 18, 2023
2 parents 31f0afd + ac16c2c commit 879716e
Showing 12 changed files with 401 additions and 1,287 deletions.
61 changes: 0 additions & 61 deletions .github/workflows/notify-workflow.yml

This file was deleted.

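--- a/.github/workflows/pipeline-workflow.yml
+++ b/.github/workflows/pipeline-workflow.yml
@@ -0,0 +1,26 @@
+name: Pipeline Workflow
+
+env:
+REGION: us-east-1
+
+on: push
+
+jobs:
+pipeline-job:
+name: Pipeline Job
+if: github.repository_owner == 'aws-solutions'
+runs-on: ubuntu-latest
+permissions:
+id-token: write
+steps:
+- name: Configure AWS credentials
+uses: aws-actions/configure-aws-credentials@v1-node16
+with:
+role-to-assume: ${{ secrets.DISPATCHER_ROLE_ARN }}
+aws-region: ${{ env.REGION }}
+role-duration-seconds: 900
+role-session-name: OIDCSession
+- name: Run CodeBuild
+uses: aws-actions/aws-codebuild-run-build@v1.0.12
+with:
+project-name: ${{ secrets.DISPATCHER_CODEBUILD_PROJECT_NAME }}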
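Review bot: Both third-party actions in the new job are referenced by mutable tags, `aws-actions/configure-aws-credentials@v1-node16` and `aws-actions/aws-codebuild-run-build@v1.0.12`, while the job holds `id-token: write` and assumes `secrets.DISPATCHER_ROLE_ARN` on every push, so anyone able to move either tag can run code with those AWS credentials. Pin each `uses:` to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v1-node16`, and let a dependency-update bot advance the pin. Since `on: push` fires for every branch and tag, a comment above `on:` such as `# forks are excluded by the repository_owner guard on the job` would make the intent of the `if:` line explicit for the next maintainer.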
6 changes: 3 additions & 3 deletions .github/workflows/post-pipeline-workflow.yml
Expand Up @@ -95,7 +95,7 @@ jobs:
}
return updated
- name: Check Out Repo
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Create or Update Version Tag
id: create_tag
# create a new tag if version tag wasn't found
Expand Down Expand Up @@ -136,7 +136,7 @@ jobs:
if: ${{github.event.inputs.pipeline_status == 'Succeeded'}}
steps:
- name: Check Out Repo
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Install required system packages
run: |
pip install --upgrade --force-reinstall -r deployment/requirements.txt 2> error.txt
Expand All @@ -155,4 +155,4 @@ jobs:
export TEST_ENDPOINT=${{ secrets.TEST_ENDPOINT }}
echo TEST_ENDPOINT=$TEST_ENDPOINT >> $GITHUB_ENV
cd deployment
python test-release.py
python test-release.py
225 changes: 13 additions & 212 deletions .github/workflows/pull-request-workflow.yml
@@ -1,222 +1,23 @@
name: Pull Request Workflow

# global environment variables to all jobs
env:
REGION: us-east-1
DIST_OUTPUT_BUCKET: solutions-features

on:
pull_request:
types: [opened, edited, reopened, synchronize]
paths-ignore:
- "docs/**"
- "**/*.md"

jobs:
clamav-scan-job:
runs-on: ubuntu-latest
name: Check source code with ClamAV Scan
steps:
- name: Check out repo
uses: actions/checkout@v2
# scan for any malware in the commit
- name: ClamAV Scan
uses: djdefi/gitavscan@main
with:
full: "--full"

trufflehog-scan-job:
runs-on: ubuntu-latest
name: Check source code with Trufflehog Scan
steps:
- name: Check out repo
uses: actions/checkout@v2
# scan for various types of keys and tokens
- name: Trufflehog Scan
uses: edplato/trufflehog-actions-scan@master
with:
scanArguments: "--regex --entropy=False"

bandit-check-job:
runs-on: ubuntu-latest
name: Check source code with Bandit
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Install bandit
run: pip install bandit
- name: Check source with bandit
run: bandit -r source

pylint-check-job:
runs-on: ubuntu-latest
name: Check source code with Pylint
steps:
# check out repo
- name: Checkout
uses: actions/checkout@v2
# check it with Pylint
- name: Check with Pylint
run: |
pip install pylint
cd source
./tools/pylint.sh
jshint-check-job:
runs-on: ubuntu-latest
name: Check source code with JShint
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Install JShint
run: npm install -g jshint
- name: Check with JShint
run: |
cd source/html
find . -name '*.js' -type f -print | \
grep --invert-match "/external/" | \
jshint
eslint-check-job:
runs-on: ubuntu-latest
name: Check source code with eslint
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Install eslint
run: npm install -g eslint
- name: Check with eslint
run: |
cd source/html
eslint js/app
codeql-check-job:
runs-on: ubuntu-latest
name: Check source code with CodeQL
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'javascript', 'python' ]
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2

build-job:
pull-request-job:
name: Status Checks
runs-on: ubuntu-latest
needs:
[
clamav-scan-job,
trufflehog-scan-job,
bandit-check-job,
pylint-check-job,
jshint-check-job,
eslint-check-job,
codeql-check-job
]
steps:
- name: Check out repo
uses: actions/checkout@v2
- name: Set up PR variables
run: |
PR_ID=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')
echo "VERSION=PR$PR_ID" >> $GITHUB_ENV
echo "AWS_DEFAULT_REGION=$REGION" >> $GITHUB_ENV
- name: Update system path
run: echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Update packages
run: |
sudo apt-get update
pip install -U pip
- name: Run safety check before build
run: |
pip install safety
safety check -r deployment/requirements.txt
- name: Install required system packages
run: |
pip install --upgrade --force-reinstall -r deployment/requirements.txt 2> error.txt
if [ -s error.txt ]; then
echo "ERROR: System package installation failed."
cat error.txt
exit 1
fi
- name: Cache deployment directory
uses: actions/cache@v2
id: cache-deployment
with:
path: deployment/
key: ${{ github.sha }}
- name: Run build script
run: |
cd deployment
./build-s3-dist.sh $DIST_OUTPUT_BUCKET ${{ github.event.repository.name }} $VERSION
- name: Run unit tests
run: |
cd deployment
./run-unit-tests.sh
pa11y-check-job:
runs-on: ubuntu-latest
needs:
[
build-job
]
name: Check HTML code with Pa11y for accessibility
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Install Pa11y
run: npm install -g pa11y
- name: Check with Pa11y
run: |
cd source/html
find . -iname '*.html' | xargs -I '{}' pa11y --config ../tools/pa11y.json {}
cfn-lint-job:
name: Run cfn-lint on templates
runs-on: ubuntu-latest
needs:
[
build-job
]
steps:
- name: Install cfn-lint
run: pip install cfn-lint
- name: Restore deployment directory from cache
uses: actions/cache@v2
id: cache-deployment
with:
path: deployment/
key: ${{ github.sha }}
- name: Run cfn-lint against templates
run: |
cd deployment/global-s3-assets
cfn-lint *.template
cfn-nag-job:
name: Run cfn-nag on templates
runs-on: ubuntu-latest
needs:
[
build-job
]
steps:
- name: Restore deployment directory from cache
uses: actions/cache@v2
id: cache-deployment
with:
path: deployment/
key: ${{ github.sha }}
- name: Run cfn-nag against templates
uses: stelligent/cfn_nag@master
with:
input_path: deployment/global-s3-assets
uses: actions/checkout@v3
- name: Viperlight
run: |
wget -q https://viperlight-scanner.s3.amazonaws.com/latest/.viperlightrc
wget -q https://viperlight-scanner.s3.amazonaws.com/latest/viperlight.zip
unzip -q viperlight.zip -d ../viperlight
rm -r ./viperlight.zip
echo "Content scanning utility installation complete `date`"
echo "Starting content scanning `date` in `pwd`"
../viperlight/bin/viperlight scan -m files-contents -m files-aws -m files-binary -m files-entropy -m files-secrets
echo "Completed content scanning `date`"
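Review bot: The new Viperlight step (the `run:` block ending at `echo "Completed content scanning ..."`) fetches `latest/.viperlightrc` and `latest/viperlight.zip` from an S3 URL on every pull-request run and executes the unpacked binary without pinning a version or verifying a checksum or signature, so whatever sits at that URL at run time executes with the workflow's permissions. Pin the download to a versioned path and verify its digest before `unzip`, e.g. `echo "<EXPECTED_SHA256>  viperlight.zip" | sha256sum -c -` with the digest recorded in the workflow, so a mismatch fails the job. As far as the new side of this hunk shows, this step is now the only content scan left in the pull-request workflow, which makes the integrity of that download the integrity of the check. The job definition this step belongs to starts earlier in the hunk, and the rendering has dropped the YAML indentation, so the step's nesting cannot be confirmed from the page alone.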
