Skip to content

Compliance

Compliance #1124

Workflow file for this run

name: Compliance
on:
# Run compliance jobs for pull requests, to make sure there are no issues before merging
pull_request:
# Re-run compliance jobs in main, to make sure there are no issues from the merge
push:
branches:
- main
# Use the release:publish event to generate compliance reports for releases
# This lines up with the packaging workflow, so reports will be published when packages are published
release:
types:
- published
# Allow manual triggering of the compliance jobs
workflow_dispatch:
# Use baseline language versions for compliance builds
env:
JAVA_VERSION: "11"
JAVA_DISTRIBUTION: "zulu"
NODE_VERSION: "16.x"
PYTHON_VERSION: "3.11"
jobs:
platform_compliance:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Java
uses: actions/setup-java@v3
with:
distribution: ${{ env.JAVA_DISTRIBUTION }}
java-version: ${{ env.JAVA_VERSION }}
cache: gradle
# Use a cache to save downloading the whole NVD on every build
# Dependency check will automatically look for updates and download the delta
- name: NVD cache
uses: actions/cache@v3
with:
key: compliance-cache-data
path: ./build/compliance-cache
- name: OWASP dependency checkout
run: ./gradlew dependencyCheckAggregate
- name: License check
run: ./gradlew checkLicense
# Always save the reports - they are especially needed when the checks have failed!
- name: Store compliance reports
uses: actions/upload-artifact@v3
if: always()
with:
name: compliance-reports
path: build/compliance/**
python_runtime_compliance:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: PIP Upgrade
run: python -m pip install --upgrade pip
- name: Install dependencies
run: |
cd tracdap-runtime/python
pip install -r requirements.txt
- name: Safety check
run: |
mkdir -p build/compliance/python-runtime-safety
cd tracdap-runtime/python
safety check --output text > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.txt
safety check --output json > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.json
- name: License check
run: |
# Source license excpetions
. dev/compliance/license-config-python.sh
mkdir -p build/compliance/python-runtime-licenses
cd tracdap-runtime/python
pip-licenses --format=json --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.json
pip-licenses --format=html --ignore-packages $IGNORE_LICENSE > ../../build/compliance/python-runtime-licenses/python-runtime-licenses.html
pip-licenses --allow-only="$ALLOWED_LICENSES" --ignore-packages $IGNORE_LICENSE
# Always save the reports - they are especially needed when the checks have failed!
- name: Store compliance reports
uses: actions/upload-artifact@v3
if: always()
with:
name: compliance-reports
path: build/compliance/**
web_api_compliance:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
cache-dependency-path: tracdap-api/packages/web/package-lock.json
# Use a cache to save downloading global compliance data on every build (e.g. NVD)
# Compliance tasks will automatically look for updates and download deltas
- name: NVD cache
uses: actions/cache@v3
with:
key: compliance-cache-data
path: ./build/compliance-cache
- name: Install dependencies
run: |
cd tracdap-api/packages/web
npm install
- name: OWASP dependency check
run: |
mkdir -p build/compliance
cd tracdap-api/packages/web
npm run compliance-owasp
- name: License check
run: |
cd tracdap-api/packages/web
npm run compliance-licenses
- name: NPM audit
run: |
mkdir -p build/compliance/web-api-npm-audit
cd tracdap-api/packages/web
npm run compliance-audit
# Always save the reports - they are especially needed when the checks have failed!
- name: Store compliance reports
uses: actions/upload-artifact@v3
if: always()
with:
name: compliance-reports
path: build/compliance/**
publish_to_github:
if: ${{ github.event_name == 'release' && github.event.action == 'published' }}
runs-on: ubuntu-latest
needs:
- platform_compliance
- python_runtime_compliance
- web_api_compliance
steps:
# fetch-depth = 0 is needed to get tags for version info
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Get TRAC d.a.p. version
id: tracdap-version
run: |
tracdap_version=`dev/version.sh`
echo "tracdap_version = ${tracdap_version}"
echo "tracdap_version=${tracdap_version}" >> $GITHUB_OUTPUT
- name: Fetch copmliance report artifacts
uses: actions/download-artifact@v3
with:
name: compliance-reports
path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}
- name: Build compliance reports tarball
run: tar -cvzf tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}/
- name: Publish compliance reports
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ github.event.release.upload_url }}
asset_path: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz
asset_name: tracdap-compliance-reports-${{ steps.tracdap-version.outputs.tracdap_version }}.tgz
asset_content_type: application/gzip