From bb0254e6d5f128b73fbc9a8b619c1de637ece4b9 Mon Sep 17 00:00:00 2001 From: Mark Calvert Date: Tue, 18 Mar 2025 14:21:38 +1300 Subject: [PATCH 1/6] Add shipshape audit workflow and permissions to tide_build.yml --- .github/workflows/shipshape.yml | 50 ++++++++++++++++++++++++++++++++ .github/workflows/tide_build.yml | 14 ++++++++- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/shipshape.yml diff --git a/.github/workflows/shipshape.yml b/.github/workflows/shipshape.yml new file mode 100644 index 00000000..bba05b0a --- /dev/null +++ b/.github/workflows/shipshape.yml @@ -0,0 +1,50 @@ +name: shipshape + +on: + workflow_call: + +# Add permissions block +permissions: + checks: write + contents: read + pull-requests: write + +env: + SDP_PLATFORM_RULES_VERSION: 1.0.0 + +jobs: + audit: + name: shipshape_audit + runs-on: ubuntu-latest + container: + image: ghcr.io/dpc-sdp/bay/ci-builder:6.x + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Get Cached SDP Platform Rules + id: cache-sdp-rules + uses: actions/cache@v4 + with: + path: shipshape.yml + key: sdp-platform-rules-${{ env.SDP_PLATFORM_RULES_VERSION }} + restore-keys: | + sdp-platform-rules- + - name: Download SDP Platform Rules if not cached + if: steps.cache-sdp-rules.outputs.cache-hit != 'true' + run: | + curl -L -o shipshape.yml https://raw.githubusercontent.com/dpc-sdp/sdp-platform-rules/v${SDP_PLATFORM_RULES_VERSION}/shipshape.yml + - name: Audit codebase + shell: bash + run: | + # Run shipshape + shipshape run . -f shipshape.yml --error-code --output-format table --output-file shipshape-results.xml --output-file-format junit > shipshape-results.txt + - name: Upload audit report + uses: actions/upload-artifact@v4 + if: always() + with: + path: shipshape-results.txt + - name: Publish junit report + uses: mikepenz/action-junit-report@v5 + if: always() + with: + report_paths: shipshape-results.xml 
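Review bot: The `Download SDP Platform Rules if not cached` step runs `curl -L -o` without `--fail`, so a 404 or rate-limit response is written into shipshape.yml with exit status 0, the audit runs against that body, and the post-job cache save then stores it under `sdp-platform-rules-1.0.0`, where the `cache-hit` guard will serve it on every later run without re-downloading. Change the command to `curl -fsSL --retry 3 -o shipshape.yml "https://raw.githubusercontent.com/dpc-sdp/sdp-platform-rules/v${SDP_PLATFORM_RULES_VERSION}/shipshape.yml"` so a bad response fails the step before anything is cached. The `v1.0.0` tag is a mutable reference with no integrity check, so the rules that gate this repository can change upstream without a change here; pinning to a commit SHA, or comparing a known `sha256sum` before use, would close that. The `ghcr.io/dpc-sdp/bay/ci-builder:6.x` image tag floats in the same way, which is presumably accepted for the project's own image but worth a comment saying so.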
diff --git a/.github/workflows/tide_build.yml b/.github/workflows/tide_build.yml index b68ef9a4..5aefa802 100644 --- a/.github/workflows/tide_build.yml +++ b/.github/workflows/tide_build.yml @@ -17,6 +17,12 @@ on: env: REGISTRY: ghcr.io +# Add permissions block with required permissions used for shipshape audit +permissions: + checks: write + contents: read + pull-requests: write + jobs: check-nginx-config: name: check-nginx-config @@ -91,4 +97,10 @@ jobs: if: always() with: name: behat-results - path: /tmp/artifacts \ No newline at end of file + path: /tmp/artifacts + + shipshape-audit: + name: shipshape_audit + uses: ./.github/workflows/shipshape.yml + secrets: inherit + \ No newline at end of file From b1a5ae69003e37b609d3c80d631c72778d459d73 Mon Sep 17 00:00:00 2001 From: Mark Calvert Date: Tue, 25 Mar 2025 11:43:55 +0800 Subject: [PATCH 2/6] Updated shipshape to not throw error code and fail the job Adjust Junit audit report settings to not fail the job Update shipshape workflow to use GitHub API for downloading rules --- .github/workflows/shipshape.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/shipshape.yml b/.github/workflows/shipshape.yml index bba05b0a..f7bb31c0 100644 --- a/.github/workflows/shipshape.yml +++ b/.github/workflows/shipshape.yml 
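Review bot: The `permissions:` block is added at the top level of tide_build.yml, so `checks: write` and `pull-requests: write` are granted to every job in the workflow (check-nginx-config, build_tide and the behat upload), although only the new `shipshape-audit` job needs them; a called workflow receives at most the calling job's permissions, so the block can live on that job instead, as `permissions: { checks: write, contents: read, pull-requests: write }` next to its `uses:` line, leaving the other jobs at the repository default. `secrets: inherit` forwards every repository and organisation secret to the reusable workflow, and nothing in shipshape.yml as added in this patch reads a `secrets.*` value, so it can be dropped (the automatic `GITHUB_TOKEN` is available to a called workflow without it). If a later change does need a secret, pass it explicitly under `secrets:` rather than inheriting the whole set.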
@@ -32,12 +32,14 @@ jobs: - name: Download SDP Platform Rules if not cached if: steps.cache-sdp-rules.outputs.cache-hit != 'true' run: | - curl -L -o shipshape.yml https://raw.githubusercontent.com/dpc-sdp/sdp-platform-rules/v${SDP_PLATFORM_RULES_VERSION}/shipshape.yml + gh api \ + repos/dpc-sdp/sdp-platform-rules/contents/shipshape.yml?ref=${{ env.SDP_PLATFORM_RULES_VERSION }} \ + --raw > shipshape.yml - name: Audit codebase shell: bash run: | # Run shipshape - shipshape run . -f shipshape.yml --error-code --output-format table --output-file shipshape-results.xml --output-file-format junit > shipshape-results.txt + shipshape run . -f shipshape.yml --output-format table --output-file shipshape-results.xml --output-file-format junit > shipshape-results.txt - name: Upload audit report uses: actions/upload-artifact@v4 if: always() @@ -48,3 +50,8 @@ jobs: if: always() with: report_paths: shipshape-results.xml + check_name: Junit Shipshape Audit Report + fail_on_failure: false + require_tests: false + require_passed_tests: false + annotate_only: false From 84cdf5088fc62e81ddc1fd113ad00972b0c919c7 Mon Sep 17 00:00:00 2001 From: Mark Calvert Date: Thu, 10 Apr 2025 10:08:21 +0800 Subject: [PATCH 3/6] Refactor shipshape workflow to use curl for downloading SDP Platform Rules --- .github/workflows/shipshape.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/shipshape.yml b/.github/workflows/shipshape.yml index f7bb31c0..a1476b24 100644 --- a/.github/workflows/shipshape.yml +++ b/.github/workflows/shipshape.yml 
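Review bot: The `gh api` call in the `Download SDP Platform Rules if not cached` step runs inside the `ci-builder` container with no `GH_TOKEN` in `env:`, and `gh` refuses to run unauthenticated inside Actions, so this step fails unless the image pre-configures a token; add `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the step. The `?ref=${{ env.SDP_PLATFORM_RULES_VERSION }}` resolves to `1.0.0`, while the curl URL it replaces used the `v1.0.0` tag, so the ref should presumably be `v${{ env.SDP_PLATFORM_RULES_VERSION }}` unless the rules repository tags without the prefix. I also do not see a bare `--raw` option on `gh api`; the raw file body is normally requested with `-H "Accept: application/vnd.github.raw"`, so verify the invocation before merging. With `--error-code` removed and `fail_on_failure: false`, a `severity: high` finding no longer affects the job result; that is the stated intent, but a comment above `Audit codebase` such as `# Advisory only: findings are published via the junit check and do not fail the job` would stop readers from assuming a green check means a clean audit.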
@@ -32,9 +32,9 @@ jobs: - name: Download SDP Platform Rules if not cached if: steps.cache-sdp-rules.outputs.cache-hit != 'true' run: | - gh api \ - repos/dpc-sdp/sdp-platform-rules/contents/shipshape.yml?ref=${{ env.SDP_PLATFORM_RULES_VERSION }} \ - --raw > shipshape.yml + curl -s -L -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + "https://raw.githubusercontent.com/dpc-sdp/sdp-platform-rules/${{ env.SDP_PLATFORM_RULES_VERSION }}/shipshape.yml" \ + -o shipshape.yml - name: Audit codebase shell: bash run: | @@ -43,7 +43,7 @@ jobs: - name: Upload audit report uses: actions/upload-artifact@v4 if: always() - with: + with: path: shipshape-results.txt - name: Publish junit report uses: mikepenz/action-junit-report@v5 From cbef93719c3d2e79a10fcff30798b4c14d162c96 Mon Sep 17 00:00:00 2001 From: Mark Calvert Date: Thu, 10 Apr 2025 10:23:40 +0800 Subject: [PATCH 4/6] Add input for shipshape audit execution in tide_build workflow --- .github/workflows/tide_build.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tide_build.yml b/.github/workflows/tide_build.yml index 5aefa802..09732870 100644 --- a/.github/workflows/tide_build.yml +++ b/.github/workflows/tide_build.yml @@ -13,6 +13,11 @@ on: type: string required: false default: biggy + run_shipshape_audit: + description: Set to true to run shipshape audit. + type: boolean + required: false + default: false env: REGISTRY: ghcr.io @@ -101,6 +106,6 @@ jobs: shipshape-audit: name: shipshape_audit + if: ${{ inputs.run_shipshape_audit == true }} uses: ./.github/workflows/shipshape.yml secrets: inherit - \ No newline at end of file From b874b5b93fefcf8c0d89e17aa7e9c6da9fbe6a3d Mon Sep 17 00:00:00 2001 From: Mark Calvert Date: Thu, 10 Apr 2025 10:24:30 +0800 Subject: [PATCH 5/6] Formatted file --- .github/workflows/tide_build.yml | 52 ++++++++++++++++---------------- 1 file changed, 26 insertions(+), 26 deletions(-) 
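Review bot: `curl -s -L` in the rewritten download still has no `--fail`, so an error response (including a 404 if the tag is `v1.0.0` rather than `1.0.0`, since this hunk drops the `v` prefix the original URL had) is saved as shipshape.yml with exit status 0 and then cached under the version key, and `-s` also hides the HTTP error from the log; use `curl -fsSL --retry 3` so the step fails instead. The token is interpolated into the script body via `${{ secrets.GITHUB_TOKEN }}`; passing it through `env:` (`GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and referencing `"$GITHUB_TOKEN"` keeps it out of the generated shell text, which is the pattern GitHub recommends for `run` steps. If the rules repository is public the Authorization header is unnecessary and can be removed together with the secret dependency; if it is private, add a comment saying so, since that is the only reason the header is there.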
diff --git a/.github/workflows/tide_build.yml b/.github/workflows/tide_build.yml index 09732870..b8f3c09d 100644 --- a/.github/workflows/tide_build.yml +++ b/.github/workflows/tide_build.yml @@ -1,6 +1,6 @@ name: tide_build -on: +on: workflow_call: inputs: module_build: 
@@ -33,31 +33,31 @@ jobs: name: check-nginx-config runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v2 - - name: Set up Docker - uses: docker/setup-buildx-action@v2 - - name: Create Docker network - run: docker network create test-network - - name: Run PHP container - run: docker run -d --name php --network test-network php:7.4-fpm - - name: Run Nginx container with long-running command - run: docker run -d --name nginx-container --network test-network ghcr.io/dpc-sdp/bay/nginx:6.x tail -f /dev/null - - name: Test Nginx configuration Results - run: | - docker exec nginx-container sh -c "nginx -t" - continue-on-error: true - - name: Check Nginx test results - run: | - RESULT=$(docker exec nginx-container sh -c "nginx -t" 2>&1) - echo "$RESULT" - if echo "$RESULT" | grep -q 'successful'; then - echo "Nginx configuration test successful" - else - echo "Nginx configuration test failed" - exit 1 - fi - shell: bash + - name: Checkout repository + uses: actions/checkout@v2 + - name: Set up Docker + uses: docker/setup-buildx-action@v2 + - name: Create Docker network + run: docker network create test-network + - name: Run PHP container + run: docker run -d --name php --network test-network php:7.4-fpm + - name: Run Nginx container with long-running command + run: docker run -d --name nginx-container --network test-network ghcr.io/dpc-sdp/bay/nginx:6.x tail -f /dev/null + - name: Test Nginx configuration Results + run: | + docker exec nginx-container sh -c "nginx -t" + continue-on-error: true + - name: Check Nginx test results + run: | + RESULT=$(docker exec nginx-container sh -c "nginx -t" 2>&1) + echo "$RESULT" + if echo "$RESULT" | grep -q 'successful'; then + echo "Nginx configuration test successful" + else + echo "Nginx configuration test failed" + exit 1 + fi + shell: bash build_tide: name: tide_build From 2eda536588b61b7304dd295a0b0ed630fa547ac4 Mon Sep 17 00:00:00 2001 
From: Mark Calvert Date: Wed, 16 Apr 2025 13:12:44 +0800 Subject: [PATCH 6/6] Refactor shipshape workflow to use new configuration file structure and remove caching steps --- .github/workflows/shipshape.yml | 19 +--- .github/workflows/shipshape/shipshape.yml | 108 ++++++++++++++++++++++ 2 files changed, 109 insertions(+), 18 deletions(-) create mode 100644 .github/workflows/shipshape/shipshape.yml diff --git a/.github/workflows/shipshape.yml b/.github/workflows/shipshape.yml index a1476b24..2c747bcf 100644 --- a/.github/workflows/shipshape.yml +++ b/.github/workflows/shipshape.yml @@ -9,9 +9,6 @@ permissions: contents: read pull-requests: write -env: - SDP_PLATFORM_RULES_VERSION: 1.0.0 - jobs: audit: name: shipshape_audit @@ -21,25 +18,11 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - - name: Get Cached SDP Platform Rules - id: cache-sdp-rules - uses: actions/cache@v4 - with: - path: shipshape.yml - key: sdp-platform-rules-${{ env.SDP_PLATFORM_RULES_VERSION }} - restore-keys: | - sdp-platform-rules- - - name: Download SDP Platform Rules if not cached - if: steps.cache-sdp-rules.outputs.cache-hit != 'true' - run: | - curl -s -L -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - "https://raw.githubusercontent.com/dpc-sdp/sdp-platform-rules/${{ env.SDP_PLATFORM_RULES_VERSION }}/shipshape.yml" \ - -o shipshape.yml - name: Audit codebase shell: bash run: | # Run shipshape - shipshape run . -f shipshape.yml --output-format table --output-file shipshape-results.xml --output-file-format junit > shipshape-results.txt + shipshape run . -f .github/workflows/shipshape/shipshape.yml --output-format table --output-file shipshape-results.xml --output-file-format junit > shipshape-results.txt - name: Upload audit report uses: actions/upload-artifact@v4 if: always() diff --git a/.github/workflows/shipshape/shipshape.yml b/.github/workflows/shipshape/shipshape.yml new file mode 100644 index 00000000..8e6a99ea --- /dev/null 
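Review bot: The audit now reads its rules from `.github/workflows/shipshape/shipshape.yml` in the checked-out tree, so a pull request can relax or delete the rules it is audited against in the same change; if the earlier remote-rules design was meant to prevent that, add a CODEOWNERS entry for `/.github/workflows/shipshape/` owned by the platform team so edits to the rules need that team's review. Removing the download step also removes the only use of `secrets.GITHUB_TOKEN` in this workflow, so the caller's `secrets: inherit` is now unused and can be dropped. The `permissions:` block still carries `pull-requests: write`; from what is visible only `checks: write` is needed for `mikepenz/action-junit-report` with `annotate_only: false`, so trim it unless PR commenting is enabled elsewhere. A comment above `Audit codebase` such as `# Rules are versioned in-repo under .github/workflows/shipshape/; findings are advisory (no --error-code)` would document both decisions.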
+++ b/.github/workflows/shipshape/shipshape.yml 
@@ -0,0 +1,108 @@ +collect: + #--------------------------------------------------------------------------- + # CORE EXTENSION CONFIGURATION + #--------------------------------------------------------------------------- + # File containing core extension configuration + core-extension-file: + file:read: + path: config/sync/core.extension.yml + + # Get the list of modules + modules: + yaml:key: + input: core-extension-file + path: module + keys-only: true + + # Get the site profile + profile: + yaml:key: + input: core-extension-file + path: profile + ignore-not-found: true + + #--------------------------------------------------------------------------- + # LAGOON CONFIGURATION + #--------------------------------------------------------------------------- + # Lagoon configuration file + lagoon-file: + file:read: + path: .lagoon.yml + + # TLS-ACME settings for different environments + production-tls-acme: + yaml:key: + input: lagoon-file + path: production_routes.active.routes[0].nginx-php[0].*.tls-acme + ignore-not-found: true + + master-tls-acme: + yaml:key: + input: lagoon-file + path: environments.master.routes[0].nginx-php[0].*.tls-acme + ignore-not-found: true + + uat-tls-acme: + yaml:key: + input: lagoon-file + path: environments.uat.routes[0].nginx-php[0].*.tls-acme + ignore-not-found: true + + develop-tls-acme: + yaml:key: + input: lagoon-file + path: environments.develop.routes[0].nginx-php[0].*.tls-acme + ignore-not-found: true + +analyse: + #--------------------------------------------------------------------------- + # MODULE CHECKS + #--------------------------------------------------------------------------- + lagoon-logs-check: + allowed:list: + description: "Lagoon logs module is not enabled" + input: modules + required: + - lagoon_logs + severity: high + + #--------------------------------------------------------------------------- + # PROFILE CHECKS + #--------------------------------------------------------------------------- + tide-profile-check: + 
regex:not-match: + description: "Verify Tide profile is correctly set" + input: profile + pattern: "^tide$" + severity: high + + #--------------------------------------------------------------------------- + # TLS-ACME CHECKS + #--------------------------------------------------------------------------- + production-tls-acme-check: + regex:not-match: + description: "Verify TLS-ACME is enabled for the production environment" + input: production-tls-acme + pattern: "^false$" + severity: high + + master-tls-acme-check: + regex:not-match: + description: "Verify TLS-ACME is enabled for the master environment" + input: master-tls-acme + pattern: "^false$" + severity: high + + uat-tls-acme-check: + regex:not-match: + description: "Verify TLS-ACME is enabled for the UAT environment" + input: uat-tls-acme + pattern: "^false$" + severity: high + + develop-tls-acme-check: + regex:not-match: + description: "Verify TLS-ACME is enabled for the develop environment" + input: develop-tls-acme + pattern: "^false$" + severity: high \ No newline at end of file
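Review bot: `tide-profile-check` uses `regex:not-match` with `pattern: "^tide$"` under the description "Verify Tide profile is correctly set"; going by how the tls-acme checks below use the same check type (`^false$` is the value that should fail), this check fails exactly when the profile is `tide` and passes for anything else, which looks inverted — it presumably wants `regex:match`, or a `not-match` pattern describing the disallowed values. The tls-acme checks only catch the literal scalar `false`: `ignore-not-found: true` on every collector means a route without a `tls-acme` key passes silently, and other YAML spellings (`False`, `no`, `off`) are not matched if shipshape hands over the raw text, so a pattern such as `"(?i)^(false|no|off)$"` is safer, and the production collector in particular should probably drop `ignore-not-found` so a missing key is reported rather than assumed to be on. Each `analyse` entry would also benefit from a one-line comment stating what the rule enforces and why it is rated `high`, and the file should end with a newline.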