OPT-841 - Reorganize StartLeft GH workflows and actions

iriusrisk · Sep 20, 2023 · 56bc8b9 · 56bc8b9
1 parent 75d7cca
commit 56bc8b9
Show file tree

Hide file tree

Showing 10 changed files with 113 additions and 101 deletions.
diff --git a/.github/actions/documentation/action.yml → ...tions/install-doc-dependencies/action.yml b/.github/actions/documentation/action.yml → ...tions/install-doc-dependencies/action.yml
@@ -1,5 +1,5 @@
-name: Config documentation environment
-description: 'Config documentation environment'
+name: Install doc dependencies
+description: 'Install doc dependencies'
 
 runs:
   using: "composite"

diff --git a/.github/actions/install-startleft/action.yml b/.github/actions/install-startleft/action.yml
@@ -0,0 +1,40 @@
+name: Install StartLeft
+description: 'Install StartLeft'
+inputs:
+  python-version:
+    description: 'Python Version'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+
+      - name: Set up Python ${{ inputs.python-version }}
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ inputs.python-version }}
+
+      - name: Update pip version to 23.0.1
+        run: python -m pip install --upgrade pip==23.0.1
+        shell: bash
+
+      - name: Setup Graphviz
+        uses: ts-graphviz/setup-graphviz@55fcdfa9328aed658432c22011bec2873cd8e69f # Securely point to hash commit for v1
+
+      - name: Configure Graphviz in Windows
+        if: runner.os == 'Windows'
+        shell: bash
+        run: |
+          pip install --global-option=build_ext --global-option="-IC:\Program files\Graphviz\include" --global-option="-LC:\Program files\Graphviz\lib" pygraphviz==1.10
+          echo "C:\Program Files\Graphviz\bin" >> $GITHUB_PATH
+
+      - name: Install dependencies
+        run: pip install -e ".[setup,test]"
+        shell: bash
+
+        # This step MUST be after the general installation of StartLeft
+      - name: Install libmagic in Windows
+        if: runner.os == 'Windows'
+        run: pip install python-magic-bin
+        shell: bash
+
diff --git a/.github/workflows/documentation-check.yml b/.github/workflows/documentation-check.yml
@@ -1,18 +1,19 @@
-name: Documentation Check
+name: documentation-check
 
 on: [pull_request]
 
 jobs:
 
   check-documentation:
+    name: Documentation Check
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout the project from Git
         uses: actions/checkout@v3
 
       - name: Config documentation environment
-        uses: ./.github/actions/documentation
+        uses: ./.github/actions/install-doc-dependencies
 
       - name: Check doc build
         run: mkdocs build
diff --git a/.github/workflows/documentation-deploy.yml → .github/workflows/documentation.yml b/.github/workflows/documentation-deploy.yml → .github/workflows/documentation.yml
@@ -1,4 +1,4 @@
-name: Documentation Deploy
+name: documentation
 
 on:
   workflow_dispatch: {}
@@ -8,14 +8,15 @@ on:
 jobs:
 
   deploy-documentation:
+    name: Documentation Deploy
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout the project from Git
         uses: actions/checkout@v3
 
       - name: Config documentation environment
-        uses: ./.github/actions/documentation
+        uses: ./.github/actions/install-doc-dependencies
 
       - name: Publish docs
         run: mkdocs gh-deploy --force
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
@@ -0,0 +1,28 @@
+# This workflow will perform a QA test
+# Including:
+#   - sonarcloud
+#   - test
+
+name: qa
+
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+
+jobs:
+  sonar:
+    name: SonarCloud Analysis
+    uses: ./.github/workflows/sonar.yml
+    with:
+      python-version: "3.8"
+    secrets: inherit
+  test:
+    name: StartLeft Tests
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, windows-latest ]
+        python-version: [ "3.8", "3.9", "3.10", "3.11" ]
+    uses: ./.github/workflows/test.yml
+    with:
+      os: ${{ matrix.os }}
+      python-version: ${{ matrix.python-version }}
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -1,11 +1,9 @@
 # This workflow will perform a static code testing with semgrep
 
-name: Static Application Security Testing
+name: semgrep
 
 on:
   pull_request: {}
-  push:
-    branches: ["dev", "main"]
 
 jobs:
   semgrep:
@@ -22,12 +20,7 @@ jobs:
         run: semgrep ci --config=p/owasp-top-ten --config=p/cwe-top-25 --config=p/gitleaks -q --exclude="tests" --exclude="*/tests" --skip-unknown-extensions --suppress-errors
         continue-on-error: true
 
-      - name: Get branch name (merge)
-        if: github.event_name != 'pull_request'
-        run: echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr / -)" >> $GITHUB_ENV
-
       - name: Get branch name (pull request)
-        if: github.event_name == 'pull_request'
         run: echo "BRANCH_NAME=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
 
       - name: Set failure message vars

diff --git a/.github/workflows/sonarcloud.yml → .github/workflows/sonar.yml b/.github/workflows/sonarcloud.yml → .github/workflows/sonar.yml
@@ -7,34 +7,34 @@
 # GitHub Code Scanning alerts with the vulnerabilities found.
 # Free for open source project.
 
-name: SonarCloud analysis
+name: sonar
 
 on:
-  pull_request:
-    branches: [dev,feature/*]
-  push:
-    branches: [dev]
-  workflow_dispatch:
+  workflow_call:
+    inputs:
+      python-version:
+        description: 'Python Version'
+        required: true
+        type: string
+    secrets:
+      SONAR_TOKEN:
+        required: true
 
 permissions:
   pull-requests: read # allows SonarCloud to decorate PRs with analysis results
 
 jobs:
-  Analysis:
+  run_analysis:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the project from Git
         uses: actions/checkout@v3
         with:
             fetch-depth: 0
-      - name: Setup Python 3.8
-        uses: actions/setup-python@v3
+      - name: Install StartLeft
+        uses: ./.github/actions/install-startleft
         with:
-          python-version: "3.8"
-      - name: Setup Graphviz
-        uses: ts-graphviz/setup-graphviz@55fcdfa9328aed658432c22011bec2873cd8e69f # v1
-      - name: Install dependencies
-        run: pip install -e ".[setup,test]"
+          python-version: ${{ inputs.python-version }}
       - name: Run test using coverage
         run: coverage run -m pytest
       - name: Generate coverage report

diff --git a/.github/workflows/startleft-unit-integration-full.yml b/.github/workflows/startleft-unit-integration-full.yml
diff --git a/...flows/startleft-unit-integration-fast.yml → .github/workflows/test.yml b/...flows/startleft-unit-integration-fast.yml → .github/workflows/test.yml
@@ -1,17 +1,27 @@
-# This workflow will install Python, StarLeft dependencies and then run StarLeft tests.
+# This workflow will install Python, StarLeft dependencies and then run StarLeft tests with the given Python version and Operating System.
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
 
-name: Fast Startleft automated testing
+name: test
 
-on: [workflow_dispatch,push]
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        description: 'Python Version'
+        required: true
+        type: string
+      os:
+        description: 'Operating System'
+        required: true
+        type: string
 
 permissions:
   contents: read
 
 jobs:
-  build:
+  run_tests:
 
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.os }}
 
     steps:
       - name: Checkout the project from Git
@@ -22,19 +32,10 @@ jobs:
           git fetch --prune --unshallow
           git fetch --depth=1 origin +refs/tags/*:refs/tags/*
 
-      - name: Set up Python 3.8
-        uses: actions/setup-python@v3
+      - name: Install StartLeft
+        uses: ./.github/actions/install-startleft
         with:
-          python-version: "3.8"
-
-      - name: Update pip version to 23.0.1
-        run: python -m pip install --upgrade pip==23.0.1
-
-      - name: Setup Graphviz
-        uses: ts-graphviz/setup-graphviz@55fcdfa9328aed658432c22011bec2873cd8e69f # v1
-
-      - name: Install dependencies
-        run: pip install -e ".[setup,test]"
+          python-version: ${{ inputs.python-version }}
 
       - name: Test with pytest
         run: python run_tests.py --log-level debug
diff --git a/README.md b/README.md
@@ -1,5 +1,9 @@
 # StartLeft
 
+![Semgrep scan with owasp-top-ten & cwe-top-25](https://github.com/iriusrisk/startleft/actions/workflows/semgrep.yml/badge.svg)
+![Documentation](https://github.com/iriusrisk/startleft/actions/workflows/documentation.yml/badge.svg)
+![Software Quality Assurance](https://github.com/iriusrisk/startleft/actions/workflows/qa.yml/badge.svg)
+
 **StartLeft** is an automation tool for **generating Threat Models** written in the 
 [Open Threat Model (OTM)](http://iriusrisk.github.io/startleft/site/Open-Threat-Model-%28OTM%29/)
 format **from a variety of different sources** such as IaC files, diagrams or projects exported from