diff --git a/.github/workflows/shipshape.yml b/.github/workflows/shipshape.yml
new file mode 100644
index 00000000..2c747bcf
--- /dev/null
+++ b/.github/workflows/shipshape.yml
@@ -0,0 +1,40 @@
+name: shipshape
+
+on:
+ workflow_call:
+
+# Add permissions block
+permissions:
+ checks: write
+ contents: read
+ pull-requests: write
+
+jobs:
+ audit:
+ name: shipshape_audit
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/dpc-sdp/bay/ci-builder:6.x
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Audit codebase
+ shell: bash
+ run: |
+ # Run shipshape
+ shipshape run . -f .github/workflows/shipshape/shipshape.yml --output-format table --output-file shipshape-results.xml --output-file-format junit > shipshape-results.txt
+ - name: Upload audit report
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ path: shipshape-results.txt
+ - name: Publish junit report
+ uses: mikepenz/action-junit-report@v5
+ if: always()
+ with:
+ report_paths: shipshape-results.xml
+ check_name: Junit Shipshape Audit Report
+ fail_on_failure: false
+ require_tests: false
+ require_passed_tests: false
+ annotate_only: false
diff --git a/.github/workflows/shipshape/shipshape.yml b/.github/workflows/shipshape/shipshape.yml
new file mode 100644
index 00000000..8e6a99ea
--- /dev/null
+++ b/.github/workflows/shipshape/shipshape.yml
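Review bot: The `Publish junit report` step runs a third-party action, `mikepenz/action-junit-report@v5`, inside a workflow that grants `checks: write` and `pull-requests: write`, yet it is referenced by a floating major tag, as are `actions/checkout@v4`, `actions/upload-artifact@v4` and the `ghcr.io/dpc-sdp/bay/ci-builder:6.x` container image. Pin each `uses:` to a full commit SHA with the tag kept as a trailing comment (`uses: mikepenz/action-junit-report@<full-commit-sha> # v5`) and the image to a digest (`image: ghcr.io/dpc-sdp/bay/ci-builder@sha256:<digest>`), so a moved tag cannot change what runs with write access to checks and pull requests. Separately, `fail_on_failure: false` means `severity: high` findings never fail this job through the report step, and whether the `shipshape run` step itself exits non-zero on a failed check is not visible here, so if the audit is meant to gate merges that should be confirmed or `fail_on_failure: true` considered. The `upload-artifact@v4` step has no `name:`, so it publishes under the default artifact name and would collide if this reusable workflow is invoked more than once in a run.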
@@ -0,0 +1,108 @@
+collect:
+ #---------------------------------------------------------------------------
+ # CORE EXTENSION CONFIGURATION
+ #---------------------------------------------------------------------------
+ # File containing core extension configuration
+ core-extension-file:
+ file:read:
+ path: config/sync/core.extension.yml
+
+ # Get the list of modules
+ modules:
+ yaml:key:
+ input: core-extension-file
+ path: module
+ keys-only: true
+
+ # Get the site profile
+ profile:
+ yaml:key:
+ input: core-extension-file
+ path: profile
+ ignore-not-found: true
+
+ #---------------------------------------------------------------------------
+ # LAGOON CONFIGURATION
+ #---------------------------------------------------------------------------
+ # Lagoon configuration file
+ lagoon-file:
+ file:read:
+ path: .lagoon.yml
+
+ # TLS-ACME settings for different environments
+ production-tls-acme:
+ yaml:key:
+ input: lagoon-file
+ path: production_routes.active.routes[0].nginx-php[0].*.tls-acme
+ ignore-not-found: true
+
+ master-tls-acme:
+ yaml:key:
+ input: lagoon-file
+ path: environments.master.routes[0].nginx-php[0].*.tls-acme
+ ignore-not-found: true
+
+ uat-tls-acme:
+ yaml:key:
+ input: lagoon-file
+ path: environments.uat.routes[0].nginx-php[0].*.tls-acme
+ ignore-not-found: true
+
+ develop-tls-acme:
+ yaml:key:
+ input: lagoon-file
+ path: environments.develop.routes[0].nginx-php[0].*.tls-acme
+ ignore-not-found: true
+
+analyse:
+ #---------------------------------------------------------------------------
+ # MODULE CHECKS
+ #---------------------------------------------------------------------------
+ lagoon-logs-check:
+ allowed:list:
+ description: "Lagoon logs module is not enabled"
+ input: modules
+ required:
+ - lagoon_logs
+ severity: high
+
+ #---------------------------------------------------------------------------
+ # PROFILE CHECKS
+ #---------------------------------------------------------------------------
+ tide-profile-check:
regex:not-match:
+ description: "Verify Tide profile is correctly set"
+ input: profile
+ pattern: "^tide$"
+ severity: high
+
+ #---------------------------------------------------------------------------
+ # TLS-ACME CHECKS
+ #---------------------------------------------------------------------------
+ production-tls-acme-check:
+ regex:not-match:
+ description: "Verify TLS-ACME is enabled for the production environment"
+ input: production-tls-acme
+ pattern: "^false$"
+ severity: high
+
+ master-tls-acme-check:
+ regex:not-match:
+ description: "Verify TLS-ACME is enabled for the master environment"
+ input: master-tls-acme
+ pattern: "^false$"
+ severity: high
+
+ uat-tls-acme-check:
+ regex:not-match:
+ description: "Verify TLS-ACME is enabled for the UAT environment"
+ input: uat-tls-acme
+ pattern: "^false$"
+ severity: high
+
+ develop-tls-acme-check:
+ regex:not-match:
+ description: "Verify TLS-ACME is enabled for the develop environment"
+ input: develop-tls-acme
+ pattern: "^false$"
+ severity: high
\ No newline at end of file
diff --git a/.github/workflows/tide_build.yml b/.github/workflows/tide_build.yml
index b68ef9a4..b8f3c09d 100644
--- a/.github/workflows/tide_build.yml
+++ b/.github/workflows/tide_build.yml
@@ -1,6 +1,6 @@
 name: tide_build
-on:
+on:
 workflow_call:
 inputs:
 module_build:
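Review bot: `tide-profile-check` uses `regex:not-match` with `pattern: "^tide$"`, which under the semantics the TLS-ACME checks in this same file rely on (`regex:not-match` against `^false$` to assert the value is not `false`) would report a failure precisely when the profile is `tide`, the opposite of its description `Verify Tide profile is correctly set`; either the analyser should be the positive form (shipshape's `regex:match`, if this version provides it) or the description is wrong, and that needs settling before the check is trusted. The four TLS-ACME checks also fail only on the literal string `false`: because their collectors use `ignore-not-found: true`, a `.lagoon.yml` with no `tls-acme` key, or with `False`, `no` or `0`, passes a check described as "Verify TLS-ACME is enabled", so if the intent is to assert it is enabled, match positively on `^true$` and treat an empty value as a failure rather than a pass. Note too that every path is `routes[0].nginx-php[0].*.tls-acme`, so only the first route entry of each environment is inspected and any additional routes are never audited. The file also ends without a trailing newline (`\ No newline at end of file`), harmless to the parser but worth fixing for clean diffs.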
@@ -13,40 +13,51 @@ on:
 type: string
 required: false
 default: biggy
+ run_shipshape_audit:
+ description: Set to true to run shipshape audit.
+ type: boolean
+ required: false
+ default: false
 env:
 REGISTRY: ghcr.io
+# Add permissions block with required permissions used for shipshape audit
+permissions:
+ checks: write
+ contents: read
+ pull-requests: write
+
 jobs:
 check-nginx-config:
 name: check-nginx-config
 runs-on: ubuntu-latest
 steps:
- - name: Checkout repository
- uses: actions/checkout@v2
- - name: Set up Docker
- uses: docker/setup-buildx-action@v2
- - name: Create Docker network
- run: docker network create test-network
- - name: Run PHP container
- run: docker run -d --name php --network test-network php:7.4-fpm
- - name: Run Nginx container with long-running command
- run: docker run -d --name nginx-container --network test-network ghcr.io/dpc-sdp/bay/nginx:6.x tail -f /dev/null
- - name: Test Nginx configuration Results
- run: |
- docker exec nginx-container sh -c "nginx -t"
- continue-on-error: true
- - name: Check Nginx test results
- run: |
- RESULT=$(docker exec nginx-container sh -c "nginx -t" 2>&1)
- echo "$RESULT"
- if echo "$RESULT" | grep -q 'successful'; then
- echo "Nginx configuration test successful"
- else
- echo "Nginx configuration test failed"
- exit 1
- fi
- shell: bash
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ - name: Set up Docker
+ uses: docker/setup-buildx-action@v2
+ - name: Create Docker network
+ run: docker network create test-network
+ - name: Run PHP container
+ run: docker run -d --name php --network test-network php:7.4-fpm
+ - name: Run Nginx container with long-running command
+ run: docker run -d --name nginx-container --network test-network ghcr.io/dpc-sdp/bay/nginx:6.x tail -f /dev/null
+ - name: Test Nginx configuration Results
+ run: |
+ docker exec nginx-container sh -c "nginx -t"
+ continue-on-error: true
+ - name: Check Nginx test results
+ run: |
+ RESULT=$(docker exec nginx-container sh -c "nginx -t" 2>&1)
+ echo "$RESULT"
+ if echo "$RESULT" | grep -q 'successful'; then
+ echo "Nginx configuration test successful"
+ else
+ echo "Nginx configuration test failed"
+ exit 1
+ fi
+ shell: bash
 build_tide:
 name: tide_build
@@ -91,4 +102,10 @@ jobs:
 if: always()
 with:
 name: behat-results
- path: /tmp/artifacts
\ No newline at end of file
+ path: /tmp/artifacts
+
+ shipshape-audit:
+ name: shipshape_audit
+ if: ${{ inputs.run_shipshape_audit == true }}
+ uses: ./.github/workflows/shipshape.yml
+ secrets: inherit