From 95bd22f209558be32fb8cbe2d2a2c8e29e6df940 Mon Sep 17 00:00:00 2001
From: metodil
Date: Mon, 11 Nov 2024 19:44:59 +0200
Subject: [PATCH 01/66] Add pylint test
---
.github/workflows/u34-hw.yml | 192 +++++++++++++++++++----------------
1 file changed, 106 insertions(+), 86 deletions(-)
diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml
index 988fa21ab..a325060e5 100644
--- a/.github/workflows/u34-hw.yml
+++ b/.github/workflows/u34-hw.yml
@@ -10,93 +10,113 @@ env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest jobs: - trivy-test: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner in fs mode - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'fs' - scan-ref: 'app/' - trivy-config: trivy.yaml - lint-test: + pylint-test: runs-on: ubuntu-latest + strategy: + matrix: + python-version: ["3.8", "3.9", "3.10"] steps: - - name: Check out code - uses: actions/checkout@v4 - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install flake8 - - name: Run flake8 linting - run: flake8 app/ - - unit-test: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v4 - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - name: Test with pytest - run: | - pip install pytest pytest-cov - cd app - pytest app_test.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html - - build-test-push: - name: Build Dockerfile, test container with trivy if ok push to registry - runs-on: ubuntu-latest - steps: - - name: Import Secrets from Hashi vault - id: import-secrets - uses: hashicorp/vault-action@v2 - with: - url: https://vault.elcomp68.com:8200 - token: ${{ secrets.HV_U34_TOKEN }} - caCertificate: ${{ secrets.VAULT_CA_CERT }} - secrets: | - kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; - kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ env.DOCKERHUB_USERNAME }} - password: ${{ env.DOCKERHUB_TOKEN }} - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker 
Buildx - uses: docker/setup-buildx-action@v3 - - name: Build and export to Docker - uses: docker/build-push-action@v6 - with: - load: true - tags: ${{ env.TEST_TAG }} - - name: Scan Docker image with Trivy - uses: aquasecurity/trivy-action@0.28.0 - with: - image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) - format: 'table' # Output format (can be 'table', 'json', 'template', etc.) - severity: 'HIGH,CRITICAL' # Only show HIGH and CRITICAL vulnerabilities (optional) - exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) + - uses: actions/checkout@v4 + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v3 + with: + python-version: ${{ matrix.python-version }} + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install pylint + - name: Analysing the code with pylint + run: | + pylint $(git ls-files '*.py') - - name: Build and push - uses: docker/build-push-action@v6 - with: - push: true - tags: ${{ env.IMAGE_TAG }} - if: success() # Only push if test is ok \ No newline at end of file +# trivy-test: +# runs-on: ubuntu-latest +# steps: +# - name: Checkout code +# uses: actions/checkout@v4 +# +# - name: Run Trivy vulnerability scanner in fs mode +# uses: aquasecurity/trivy-action@0.28.0 +# with: +# scan-type: 'fs' +# scan-ref: 'app/' +# trivy-config: trivy.yaml +# +# lint-test: +# runs-on: ubuntu-latest +# steps: +# - name: Check out code +# uses: actions/checkout@v4 +# - name: Set up Python +# uses: actions/setup-python@v5 +# with: +# python-version: '3.x' +# - name: Install dependencies +# run: | +# python -m pip install --upgrade pip +# pip install flake8 +# - name: Run flake8 linting +# run: flake8 app/ +# +# unit-test: +# runs-on: ubuntu-latest +# steps: +# - name: Check out code +# uses: actions/checkout@v4 +# - name: Set up Python +# uses: actions/setup-python@v5 +# with: +# python-version: '3.x' +# - name: Install dependencies +# run: | +# 
python -m pip install --upgrade pip +# pip install -r requirements.txt +# - name: Test with pytest +# run: | +# pip install pytest pytest-cov +# cd app +# pytest app_test.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html +# +# build-test-push: +# name: Build Dockerfile, test container with trivy if ok push to registry +# runs-on: ubuntu-latest +# steps: +# - name: Import Secrets from Hashi vault +# id: import-secrets +# uses: hashicorp/vault-action@v2 +# with: +# url: https://vault.elcomp68.com:8200 +# token: ${{ secrets.HV_U34_TOKEN }} +# caCertificate: ${{ secrets.VAULT_CA_CERT }} +# secrets: | +# kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; +# kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; +# - name: Login to Docker Hub +# uses: docker/login-action@v3 +# with: +# username: ${{ env.DOCKERHUB_USERNAME }} +# password: ${{ env.DOCKERHUB_TOKEN }} +# - name: Set up QEMU +# uses: docker/setup-qemu-action@v3 +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v3 +# - name: Build and export to Docker +# uses: docker/build-push-action@v6 +# with: +# load: true +# tags: ${{ env.TEST_TAG }} +# - name: Scan Docker image with Trivy +# uses: aquasecurity/trivy-action@0.28.0 +# with: +# image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) +# format: 'table' # Output format (can be 'table', 'json', 'template', etc.) +# severity: 'HIGH,CRITICAL' # Only show HIGH and CRITICAL vulnerabilities (optional) +# exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) +# +# - name: Build and push +# uses: docker/build-push-action@v6 +# with: +# push: true +# tags: ${{ env.IMAGE_TAG }} +# if: success() # Only push if test is ok \ No newline at end of file From 51151720f72f22b009c876dceef391be082346d8 Mon Sep 17 00:00:00 2001 
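Review bot: The new pylint-test job pins `uses: actions/setup-python@v3` while the lint-test job it replaces used `actions/setup-python@v5`, so this hunk downgrades the action alongside the switch to a version matrix; keep `uses: actions/setup-python@v5`. The matrix also lists `"3.8"`, which reached end of life in October 2024, and `pip install pylint` installs whatever the latest release is on the day, so lint results will drift between runs unless the version is pinned. Roughly eighty lines of the previous jobs (trivy-test, lint-test, unit-test, build-test-push) are kept as `#`-commented YAML rather than deleted; git history already preserves them and the commented copy will silently rot as the live jobs change. The same comment-out-instead-of-delete pattern recurs in later commits of this series (paths filter, pylint step, Trivy fs scan).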
From: metodil Date: Mon, 11 Nov 2024 19:46:37 +0200 Subject: [PATCH 02/66] Run on push --- .github/workflows/u34-hw.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index a325060e5..68680a8f0 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -1,11 +1,12 @@ name: u34 homework workflow run-name: u34 homework workflow run on ${{ github.event_name }} event on: - pull_request: - paths: - - 'app/**' - - 'Dockerfile' - - 'requirements.txt' + push: +# pull_request: +# paths: +# - 'app/**' +# - 'Dockerfile' +# - 'requirements.txt' env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest From efe7489077c0c10b5ee02ead8b4a54d6eb88b2ea Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 19:50:48 +0200 Subject: [PATCH 03/66] Check .editorconfig --- .github/workflows/u34-hw.yml | 39 +++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 68680a8f0..5ba56617c 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml 
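Review bot: The new `push:` trigger has no `branches:` filter, so a push to any branch or tag runs the whole workflow, and the `pull_request` block is left behind as commented-out lines instead of being removed. If the intent is to run on the default branch only, write `push:` / `  branches: [<default-branch>]` (placeholder name) and drop the commented block; if both triggers are wanted, keep `pull_request:` live next to `push:` rather than toggling between them commit by commit.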
@@ -12,24 +12,31 @@ env: IMAGE_TAG: metodil/my-hello-app:latest jobs: - pylint-test: + editorconfig: runs-on: ubuntu-latest - strategy: - matrix: - python-version: ["3.8", "3.9", "3.10"] steps: - - uses: actions/checkout@v4 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v3 - with: - python-version: ${{ matrix.python-version }} - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install pylint - - name: Analysing the code with pylint - run: | - pylint $(git ls-files '*.py') + - uses: actions/checkout@v4 + - uses: editorconfig-checker/action-editorconfig-checker@main + - run: editorconfig-checker + +# pylint-test: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# python-version: ["3.8", "3.9", "3.10"] +# steps: +# - uses: actions/checkout@v4 +# - name: Set up Python ${{ matrix.python-version }} +# uses: actions/setup-python@v3 +# with: +# python-version: ${{ matrix.python-version }} +# - name: Install dependencies +# run: | +# python -m pip install --upgrade pip +# pip install pylint +# - name: Analysing the code with pylint +# run: | +# pylint $(git ls-files '*.py') # trivy-test: # runs-on: ubuntu-latest From 35db86c27b9d323643a9ae5e9ea023d302b2a009 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 19:54:38 +0200 Subject: [PATCH 04/66] Add markdown-link-check --- .github/workflows/u34-hw.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 5ba56617c..fab946080 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -19,6 +19,12 @@ jobs: - uses: editorconfig-checker/action-editorconfig-checker@main - run: editorconfig-checker + markdown-link-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - uses: gaurav-nelson/github-action-markdown-link-check@v1 + # pylint-test: # runs-on: ubuntu-latest # strategy: 
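Review bot: `uses: editorconfig-checker/action-editorconfig-checker@main` references a moving branch rather than a release tag or commit SHA, so the code this job executes can change at any time without a commit to this repository; pin it to a tagged release or, stronger, a full commit SHA with the tag in a trailing comment. The markdown-link-check hunk in the following commit has the same issue with `uses: actions/checkout@master`, which is also inconsistent with the `actions/checkout@v4` the other jobs in this file use. Third-party actions run with whatever `GITHUB_TOKEN` permissions this workflow has (no `permissions:` block is visible), so the mutable refs are the first thing to fix in these two hunks.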
From 0c97638d12c8a82e27eb920bad831ae37aa3f901 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 19:58:09 +0200 Subject: [PATCH 05/66] Add unit test with app_test.py --- .github/workflows/u34-hw.yml | 38 +++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index fab946080..bdf93cf07 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -25,6 +25,26 @@ jobs: - uses: actions/checkout@master - uses: gaurav-nelson/github-action-markdown-link-check@v1 + unit-test: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.x' + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + - name: Test with pytest + run: | + pip install pytest pytest-cov + cd app + pytest app_test.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html + + # pylint-test: # runs-on: ubuntu-latest # strategy: @@ -73,24 +93,6 @@ jobs: # - name: Run flake8 linting # run: flake8 app/ # -# unit-test: -# runs-on: ubuntu-latest -# steps: -# - name: Check out code -# uses: actions/checkout@v4 -# - name: Set up Python -# uses: actions/setup-python@v5 -# with: -# python-version: '3.x' -# - name: Install dependencies -# run: | -# python -m pip install --upgrade pip -# pip install -r requirements.txt -# - name: Test with pytest -# run: | -# pip install pytest pytest-cov -# cd app -# pytest app_test.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html # # build-test-push: # name: Build Dockerfile, test container with trivy if ok push to registry From 0e5cc34d939a9de894e42170ee28848ea2e69804 Mon Sep 17 00:00:00 2001 
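Review bot: The pytest command passes `--cov=com`, which measures coverage of a package named `com`; unless such a package exists under app/ (nothing in this series suggests one), the coverage report will be empty, and the flag looks copied from a starter template. Point it at the code under test, e.g. `--cov=.` since the step already does `cd app`, or drop the three coverage flags if nothing consumes the reports. `pip install pytest pytest-cov` inside the test step is also unpinned, so the test runner version changes underneath the job between runs.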
From: metodil Date: Mon, 11 Nov 2024 20:05:40 +0200 Subject: [PATCH 06/66] Ajust unit test --- .github/workflows/u34-hw.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index bdf93cf07..2c1211883 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -33,16 +33,17 @@ jobs: - name: Set up Python uses: actions/setup-python@v5 with: - python-version: '3.x' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt + python-version: '3.11.8' + cache: 'pip' +# - name: Install dependencies +# run: | +# python -m pip install --upgrade pip +# pip install -r requirements.txt - name: Test with pytest run: | pip install pytest pytest-cov cd app - pytest app_test.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html + python -m unittest app/app_test.py # pylint-test: From 9c64c196b7c2d628cc00f7b2c70e95764f91566a Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 20:15:33 +0200 Subject: [PATCH 07/66] Ajust workflow triger to pull_request --- .github/workflows/u34-hw.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 2c1211883..197ad93fe 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -1,12 +1,12 @@ name: u34 homework workflow run-name: u34 homework workflow run on ${{ github.event_name }} event on: - push: -# pull_request: -# paths: -# - 'app/**' -# - 'Dockerfile' -# - 'requirements.txt' +# push: + pull_request: + paths: + - 'app/**' + - 'Dockerfile' + - 'requirements.txt' env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest @@ -43,7 +43,7 @@ jobs: run: | pip install pytest pytest-cov cd app - python -m unittest app/app_test.py + python -m unittest app_test.py # pylint-test: 
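Review bot: With the `Install dependencies` step commented out, nothing installs requirements.txt any more, so `python -m unittest` will presumably fail on the first third-party import the app makes; `cache: 'pip'` also keys the cache on requirements.txt, which is now never consumed. The step is still named `Test with pytest` and installs `pytest pytest-cov` although it now runs unittest — either rename it (`- name: Test with unittest`) and drop the pytest install, or keep pytest as the runner. `python -m unittest app/app_test.py` after `cd app` points at a path that does not exist from that directory; the next commit in the series corrects it.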
From cc090f1cd6cb6ea388cd82cbcef23c3f05ed3a05 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 20:17:32 +0200 Subject: [PATCH 08/66] Ajust u34-hw --- .github/workflows/u34-hw.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 197ad93fe..7b9fff0be 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -11,7 +11,6 @@ env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest jobs: - editorconfig: runs-on: ubuntu-latest steps: From f610da8285ce4e858f019da637ff8cb0d7afa9de Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 20:19:43 +0200 Subject: [PATCH 09/66] pull_request --- .github/workflows/u34-hw.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 7b9fff0be..b36130023 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -1,7 +1,6 @@ name: u34 homework workflow run-name: u34 homework workflow run on ${{ github.event_name }} event on: -# push: pull_request: paths: - 'app/**' From 15ac6048f71b2f99bf232fb1980a15b5559fd6cf Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 20:25:54 +0200 Subject: [PATCH 10/66] remove paths in u34-hw --- .github/workflows/u34-hw.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index b36130023..0cad12b66 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -2,10 +2,10 @@ name: u34 homework workflow run-name: u34 homework workflow run on ${{ github.event_name }} event on: pull_request: - paths: - - 'app/**' - - 'Dockerfile' - - 'requirements.txt' +# paths: +# - 'app/**' +# - 'Dockerfile' +# - 'requirements.txt' env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest From 039a2c49056f58a9f1cd9e06a99882e1358134ab Mon Sep 17 00:00:00 2001 
From: metodil Date: Mon, 11 Nov 2024 20:37:33 +0200 Subject: [PATCH 11/66] ajust unit test --- .github/workflows/u34-hw.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 0cad12b66..b5296cddd 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -9,6 +9,7 @@ on: env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest + jobs: editorconfig: runs-on: ubuntu-latest @@ -40,8 +41,7 @@ jobs: - name: Test with pytest run: | pip install pytest pytest-cov - cd app - python -m unittest app_test.py + python -m unittest app/app_test.py # pylint-test: From 6626c71a8d81f864e4fe1679688afcfe8ce49ba1 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 20:41:08 +0200 Subject: [PATCH 12/66] Ajust unit-test add lint check --- .github/workflows/u34-hw.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index b5296cddd..64e874832 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -24,7 +24,7 @@ jobs: - uses: actions/checkout@master - uses: gaurav-nelson/github-action-markdown-link-check@v1 - unit-test: + lint-unit-test: runs-on: ubuntu-latest steps: - name: Check out code 
@@ -34,21 +34,21 @@ jobs: with: python-version: '3.11.8' cache: 'pip' -# - name: Install dependencies -# run: | -# python -m pip install --upgrade pip -# pip install -r requirements.txt + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt - name: Test with pytest run: | - pip install pytest pytest-cov + pip install pytest pytest-cov flake8 python -m unittest app/app_test.py + - name: Run flake8 linting + run: flake8 app/ + # pylint-test: # runs-on: ubuntu-latest -# strategy: -# matrix: -# python-version: ["3.8", "3.9", "3.10"] # steps: # - uses: actions/checkout@v4 # - name: Set up Python ${{ matrix.python-version }} From b7d970be7e8cd469adc58d4354c7af7cb0041689 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 20:44:22 +0200 Subject: [PATCH 13/66] Ajust lint-unit-test --- .github/workflows/u34-hw.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 64e874832..2617814a7 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -41,7 +41,8 @@ jobs: - name: Test with pytest run: | pip install pytest pytest-cov flake8 - python -m unittest app/app_test.py + cd app + python -m unittest app_test.py - name: Run flake8 linting run: flake8 app/ From 5c4ff3df2677644f8425435f2695b3c0bbb44b37 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 20:56:59 +0200 Subject: [PATCH 14/66] Ajust u34-hw add needs requiremnt and edit .editorconfig --- .editorconfig | 2 +- .github/workflows/u34-hw.yml | 30 +++++++++--------------------- 2 files changed, 10 insertions(+), 22 deletions(-) diff --git a/.editorconfig b/.editorconfig index 7b938fe92..1a76854ef 100644 --- a/.editorconfig +++ b/.editorconfig 
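Review bot: `pip install pytest pytest-cov flake8` inside the `Test with pytest` step mixes tool installation into the test step and leaves the step name stale, since the command that actually runs is `python -m unittest`. Move `flake8` and the test runner into the `Install dependencies` step (one place to pin versions) and rename the step, e.g. `- name: Run unit tests`. Note that the commented-out pylint-test job below still references `${{ matrix.python-version }}` while this hunk removes its `strategy.matrix` block, so if it is ever un-commented it will fail as written.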
@@ -3,7 +3,7 @@ root = true # Unix-style newlines with a newline ending every file [*] end_of_line = lf -insert_final_newline = true +#insert_final_newline = true # Matches multiple files with brace expansion notation # Set default charset diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 2617814a7..6d64b12e5 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -9,23 +9,25 @@ on: env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest + RUNS_ON: ubuntu-latest jobs: editorconfig: - runs-on: ubuntu-latest + runs-on: ${{ RUNS_ON }} steps: - uses: actions/checkout@v4 - uses: editorconfig-checker/action-editorconfig-checker@main - run: editorconfig-checker markdown-link-check: - runs-on: ubuntu-latest + runs-on: ${{ RUNS_ON }} steps: - uses: actions/checkout@master - uses: gaurav-nelson/github-action-markdown-link-check@v1 lint-unit-test: - runs-on: ubuntu-latest + runs-on: ${{ RUNS_ON }} + needs: [ editorconfig, markdown-link-check ] steps: - name: Check out code uses: actions/checkout@v4 @@ -38,6 +40,7 @@ jobs: run: | python -m pip install --upgrade pip pip install -r requirements.txt + - name: Test with pytest run: | pip install pytest pytest-cov flake8 @@ -45,24 +48,9 @@ jobs: python -m unittest app_test.py - name: Run flake8 linting run: flake8 app/ - - - -# pylint-test: -# runs-on: ubuntu-latest -# steps: -# - uses: actions/checkout@v4 -# - name: Set up Python ${{ matrix.python-version }} -# uses: actions/setup-python@v3 -# with: -# python-version: ${{ matrix.python-version }} -# - name: Install dependencies -# run: | -# python -m pip install --upgrade pip -# pip install pylint -# - name: Analysing the code with pylint -# run: | -# pylint $(git ls-files '*.py') + - name: Analysing the code with pylint + run: | + pylint $(git ls-files '*.py') # trivy-test: # runs-on: ubuntu-latest From 08577de8cfdd98aea21551446b729f17934cd0b2 Mon Sep 17 00:00:00 2001 
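Review bot: Commenting out `insert_final_newline = true` turns off the check instead of fixing the file that violates it — the workflow file in this same series ends without a newline (`\ No newline at end of file` on its hunks). Keep `insert_final_newline = true` and add the trailing newline to u34-hw.yml; disabling the rule hides the problem for every file going forward, and the sonar-project.properties added later in this series is committed without a final newline too.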
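Review bot: `runs-on: ${{ RUNS_ON }}` is not a valid expression: a workflow `env` value is only reachable as `env.RUNS_ON`, and the `env` context is not available in `runs-on` at all (only `github`, `needs`, `vars` and `inputs` are), so the workflow fails at parse time. Either write the literal `runs-on: ubuntu-latest` or define a repository variable and use `runs-on: ${{ vars.RUNS_ON }}`. The renames in the following three commits (RUNS_ON_IMAGE, RUNSONIMAGE, then back to the literal) do not change this; the literal is the right end state, so the commented `# RUNSONIMAGE:` line can go as well.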
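Review bot: The re-enabled `Analysing the code with pylint` step runs `pylint $(git ls-files '*.py')`, but no step in this job installs pylint — the install line above is `pip install pytest pytest-cov flake8` — so the step will fail with a command-not-found error; add `pylint` to that install line if the step is meant to stay (the commit after next comments it out again instead). `$(git ls-files '*.py')` also expands to no arguments when the pattern matches nothing, in which case pylint most likely exits non-zero with a usage error rather than passing, so prefer an explicit target such as `pylint app/`.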
From: metodil Date: Mon, 11 Nov 2024 20:59:38 +0200 Subject: [PATCH 15/66] triger workflow --- .github/workflows/u34-hw.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 6d64b12e5..4ec8c0341 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -6,6 +6,7 @@ on: # - 'app/**' # - 'Dockerfile' # - 'requirements.txt' + env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest From dd7da60fa4027c351cd4bf8ebeed25fc77656a39 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 21:01:32 +0200 Subject: [PATCH 16/66] Ajust name of var --- .github/workflows/u34-hw.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 4ec8c0341..516b30a71 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -10,24 +10,24 @@ on: env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest - RUNS_ON: ubuntu-latest + RUNS_ON_IMAGE: ubuntu-latest jobs: editorconfig: - runs-on: ${{ RUNS_ON }} + runs-on: ${{ RUNS_ON_IMAGE }} steps: - uses: actions/checkout@v4 - uses: editorconfig-checker/action-editorconfig-checker@main - run: editorconfig-checker markdown-link-check: - runs-on: ${{ RUNS_ON }} + runs-on: ${{ RUNS_ON_IMAGE }} steps: - uses: actions/checkout@master - uses: gaurav-nelson/github-action-markdown-link-check@v1 lint-unit-test: - runs-on: ${{ RUNS_ON }} + runs-on: ${{ RUNS_ON_IMAGE }} needs: [ editorconfig, markdown-link-check ] steps: - name: Check out code From f361fe3cca5b338db9e859730662053007eb6a71 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 21:03:35 +0200 Subject: [PATCH 17/66] Ajust var name --- .github/workflows/u34-hw.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 516b30a71..7924beaf2 100644 
--- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -10,24 +10,24 @@ on: env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest - RUNS_ON_IMAGE: ubuntu-latest + RUNSONIMAGE: 'ubuntu-latest' jobs: editorconfig: - runs-on: ${{ RUNS_ON_IMAGE }} + runs-on: ${{ RUNSONIMAGE }} steps: - uses: actions/checkout@v4 - uses: editorconfig-checker/action-editorconfig-checker@main - run: editorconfig-checker markdown-link-check: - runs-on: ${{ RUNS_ON_IMAGE }} + runs-on: ${{ RUNSONIMAGE }} steps: - uses: actions/checkout@master - uses: gaurav-nelson/github-action-markdown-link-check@v1 lint-unit-test: - runs-on: ${{ RUNS_ON_IMAGE }} + runs-on: ${{ RUNSONIMAGE }} needs: [ editorconfig, markdown-link-check ] steps: - name: Check out code From 8ffd156d80233670a921480599aa458571093120 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 21:05:03 +0200 Subject: [PATCH 18/66] remove RUNONIMAGE var --- .github/workflows/u34-hw.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 7924beaf2..8976196ef 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -10,24 +10,24 @@ on: env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest - RUNSONIMAGE: 'ubuntu-latest' +# RUNSONIMAGE: 'ubuntu-latest' jobs: editorconfig: - runs-on: ${{ RUNSONIMAGE }} + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: editorconfig-checker/action-editorconfig-checker@main - run: editorconfig-checker markdown-link-check: - runs-on: ${{ RUNSONIMAGE }} + runs-on: ubuntu-latest steps: - uses: actions/checkout@master - uses: gaurav-nelson/github-action-markdown-link-check@v1 lint-unit-test: - runs-on: ${{ RUNSONIMAGE }} + runs-on: ubuntu-latest needs: [ editorconfig, markdown-link-check ] steps: - name: Check out code From 521ec72462e1992ecf52702553370ba331cc29ec Mon Sep 17 00:00:00 2001 
From: metodil Date: Mon, 11 Nov 2024 21:07:47 +0200 Subject: [PATCH 19/66] comment pylint test --- .github/workflows/u34-hw.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 8976196ef..4d4dc2e8a 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -49,9 +49,9 @@ jobs: python -m unittest app_test.py - name: Run flake8 linting run: flake8 app/ - - name: Analysing the code with pylint - run: | - pylint $(git ls-files '*.py') +# - name: Analysing the code with pylint +# run: | +# pylint $(git ls-files '*.py') # trivy-test: # runs-on: ubuntu-latest From 2f17c06e64c43d4682fce70a37fddb320b27b000 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 21:47:40 +0200 Subject: [PATCH 20/66] add security test and docker build, test and deploy --- .github/workflows/u34-hw.yml | 135 ++++++++++++++++------------------- 1 file changed, 62 insertions(+), 73 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 4d4dc2e8a..4e7e82746 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -41,7 +41,6 @@ jobs: run: | python -m pip install --upgrade pip pip install -r requirements.txt - - name: Test with pytest run: | pip install pytest pytest-cov flake8 
@@ -53,75 +52,65 @@ jobs: # run: | # pylint $(git ls-files '*.py') -# trivy-test: -# runs-on: ubuntu-latest -# steps: -# - name: Checkout code -# uses: actions/checkout@v4 -# -# - name: Run Trivy vulnerability scanner in fs mode -# uses: aquasecurity/trivy-action@0.28.0 -# with: -# scan-type: 'fs' -# scan-ref: 'app/' -# trivy-config: trivy.yaml -# -# lint-test: -# runs-on: ubuntu-latest -# steps: -# - name: Check out code -# uses: actions/checkout@v4 -# - name: Set up Python -# uses: actions/setup-python@v5 -# with: -# python-version: '3.x' -# - name: Install dependencies -# run: | -# python -m pip install --upgrade pip -# pip install flake8 -# - name: Run flake8 linting -# run: flake8 app/ -# -# -# build-test-push: -# name: Build Dockerfile, test container with trivy if ok push to registry -# runs-on: ubuntu-latest -# steps: -# - name: Import Secrets from Hashi vault -# id: import-secrets -# uses: hashicorp/vault-action@v2 -# with: -# url: https://vault.elcomp68.com:8200 -# token: ${{ secrets.HV_U34_TOKEN }} -# caCertificate: ${{ secrets.VAULT_CA_CERT }} -# secrets: | -# kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; -# kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; -# - name: Login to Docker Hub -# uses: docker/login-action@v3 -# with: -# username: ${{ env.DOCKERHUB_USERNAME }} -# password: ${{ env.DOCKERHUB_TOKEN }} -# - name: Set up QEMU -# uses: docker/setup-qemu-action@v3 -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v3 -# - name: Build and export to Docker -# uses: docker/build-push-action@v6 -# with: -# load: true -# tags: ${{ env.TEST_TAG }} -# - name: Scan Docker image with Trivy -# uses: aquasecurity/trivy-action@0.28.0 -# with: -# image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) -# format: 'table' # Output format (can be 'table', 'json', 'template', etc.) 
-# severity: 'HIGH,CRITICAL' # Only show HIGH and CRITICAL vulnerabilities (optional) -# exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) -# -# - name: Build and push -# uses: docker/build-push-action@v6 -# with: -# push: true -# tags: ${{ env.IMAGE_TAG }} -# if: success() # Only push if test is ok \ No newline at end of file + security-scan: + name: gitleaks + runs-on: ubuntu-latest + needs: lint-unit-test + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + steps: + - name: Run Trivy vulnerability scanner in fs mode + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'fs' + scan-ref: 'app/' + trivy-config: trivy.yaml + + build-test-push: + name: Build Dockerfile, test container with trivy if ok push to registry + runs-on: ubuntu-latest + needs: security-scan + steps: + - name: Import Secrets from Hashi vault + id: import-secrets + uses: hashicorp/vault-action@v2 + with: + url: https://vault.elcomp68.com:8200 + token: ${{ secrets.HV_U34_TOKEN }} + caCertificate: ${{ secrets.VAULT_CA_CERT }} + secrets: | + kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; + kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ env.DOCKERHUB_USERNAME }} + password: ${{ env.DOCKERHUB_TOKEN }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Build and export to Docker + uses: docker/build-push-action@v6 + with: + load: true + tags: ${{ env.TEST_TAG }} + - name: Scan Docker image with Trivy + uses: aquasecurity/trivy-action@0.28.0 + with: + image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) + format: 'table' # Output format (can be 'table', 'json', 'template', etc.) 
+ severity: 'HIGH,CRITICAL' # Only show HIGH and CRITICAL vulnerabilities (optional) + exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) + + - name: Build and push + uses: docker/build-push-action@v6 + with: + push: true + tags: ${{ env.IMAGE_TAG }} + if: success() # Only push if test is ok \ No newline at end of file From 1300403f853c13e0a9acc240c0961e65cd0007d2 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 21:54:21 +0200 Subject: [PATCH 21/66] fix syntax in yml --- .github/workflows/u34-hw.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 4e7e82746..d277b6bb4 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -10,7 +10,6 @@ on: env: TEST_TAG: metodil/my-hello-app:test IMAGE_TAG: metodil/my-hello-app:latest -# RUNSONIMAGE: 'ubuntu-latest' jobs: editorconfig: @@ -64,12 +63,12 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - name: Run Trivy vulnerability scanner in fs mode - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'fs' - scan-ref: 'app/' - trivy-config: trivy.yaml + - name: Run Trivy vulnerability scanner in fs mode + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'fs' + scan-ref: 'app/' + trivy-config: trivy.yaml build-test-push: name: Build Dockerfile, test container with trivy if ok push to registry From 3fd9422fdfe80b3b366ff03a7c2e25e2456925b1 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 21:56:41 +0200 Subject: [PATCH 22/66] fix syntax in yml 2 --- .github/workflows/u34-hw.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index d277b6bb4..af6e72d2a 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml 
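Review bot: `build-test-push` pushes `${{ env.IMAGE_TAG }}` (the `latest` tag) from a workflow whose only trigger is `pull_request`, so every same-repository PR that passes the scans publishes an unmerged branch to Docker Hub as `latest`; gate the push step on the merged branch, e.g. `if: github.event_name == 'push' && github.ref == 'refs/heads/<default-branch>'` (placeholder name), or move the push into a workflow that runs on the default branch. `if: success()` on that step is the default behaviour and can be dropped. The `security-scan` job declares `steps:` twice (gitleaks, then the Trivy fs scan), which is a duplicate mapping key the workflow parser rejects; the next two commits fix the indentation and remove the second key. Finally, the `Build and push` step is a second `docker/build-push-action@v6` invocation rather than a push of the `TEST_TAG` image Trivy just scanned, so with a non-reproducible Dockerfile (unpinned base image or package installs) what is published can differ from what was scanned; build once with both tags and `push: false`, then push after the scan passes.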
@@ -62,7 +62,6 @@ jobs: - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - name: Run Trivy vulnerability scanner in fs mode uses: aquasecurity/trivy-action@0.28.0 with: From 28e6b98cc37f7f130693645343ef024f8b57540a Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 22:06:40 +0200 Subject: [PATCH 23/66] Add sonar cloud test --- .github/workflows/u34-hw.yml | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index af6e72d2a..e57d70c02 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -52,7 +52,6 @@ jobs: # pylint $(git ls-files '*.py') security-scan: - name: gitleaks runs-on: ubuntu-latest needs: lint-unit-test steps: @@ -62,17 +61,30 @@ jobs: - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run Trivy vulnerability scanner in fs mode - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'fs' - scan-ref: 'app/' - trivy-config: trivy.yaml +# - name: Run Trivy vulnerability scanner in fs mode +# uses: aquasecurity/trivy-action@0.28.0 +# with: +# scan-type: 'fs' +# scan-ref: 'app/' +# trivy-config: trivy.yaml + + sonarcloud: + runs-on: ubuntu-latest + needs: lint-unit-test + steps: + - uses: actions/checkout@v4 + with: + # Disabling shallow clone is recommended for improving relevancy of reporting + fetch-depth: 0 + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} build-test-push: name: Build Dockerfile, test container with trivy if ok push to registry runs-on: ubuntu-latest - needs: security-scan + needs: [ security-scan, sonarcloud ] steps: - name: Import Secrets from Hashi vault id: import-secrets From a1410a3405808c8eafcc8a894dcd4b1341ba4bbb Mon Sep 17 00:00:00 2001 
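Review bot: The new `sonarcloud` job hands `SONAR_TOKEN` to a third-party action while nothing limits the workflow's token scope: no `permissions:` block is visible in this file, so this job and the gitleaks job run with the repository's default `GITHUB_TOKEN` permissions. A top-level `permissions: { contents: read }`, widened per job only where a step needs more, keeps those actions at least privilege. The workflow appears to be triggered by `pull_request`; on pull requests from forks `secrets.SONAR_TOKEN` is empty, so the scan step will error rather than be skipped unless it is guarded, e.g. `if: github.event.pull_request.head.repo.fork == false`. The action refs (`@v4`, `@v2`) are mutable tags; pinning third-party actions to a commit SHA is the usual supply-chain hardening.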
From: metodil Date: Mon, 11 Nov 2024 22:09:49 +0200 Subject: [PATCH 24/66] Set proper version on sonar cloud --- .github/workflows/u34-hw.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index e57d70c02..4f50a04d3 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -77,7 +77,7 @@ jobs: # Disabling shallow clone is recommended for improving relevancy of reporting fetch-depth: 0 - name: SonarCloud Scan - uses: sonarsource/sonarcloud-github-action@ # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan + uses: sonarsource/sonarcloud-github-action@v3.1.0 # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From 7925027d9e742228c169d23ed40b01764b119c12 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 22:39:49 +0200 Subject: [PATCH 25/66] add sonar-project.properties --- sonar-project.properties | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 sonar-project.properties diff --git a/sonar-project.properties b/sonar-project.properties new file mode 100644 index 000000000..fe5fe01b7 --- /dev/null +++ b/sonar-project.properties @@ -0,0 +1,7 @@ +sonar.organization=metodil +sonar.projectKey=metodil-telerik-u34 + + +# relative paths to source directories. More details and properties are described +# in https://sonarcloud.io/documentation/project-administration/narrowing-the-focus/ +sonar.sources=. \ No newline at end of file From 4602dca6222225e904e1303ea39aed906a5141d3 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 22:46:11 +0200 Subject: [PATCH 26/66] Ajust sonar-project --- sonar-project.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sonar-project.properties b/sonar-project.properties index fe5fe01b7..b1106df40 100644 --- a/sonar-project.properties 
+++ b/sonar-project.properties @@ -1,5 +1,5 @@ sonar.organization=metodil -sonar.projectKey=metodil-telerik-u34 +sonar.projectKey=metodil_telerik_u34 # relative paths to source directories. More details and properties are described From 879641dcf579c04791e9c3b1cce7b7184675f949 Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 22:52:27 +0200 Subject: [PATCH 27/66] add .gitleaks.toml --- .gitleaks.toml | 14 ++++++++++++++ sonar-project.properties | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 .gitleaks.toml diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 000000000..2e66bada4 --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,14 @@ +# Title for the gitleaks configuration file. +title = "Gitleaks title" + +# You can include an allowlist table for a single rule to reduce false positives or ignore commits +# with known/rotated secrets +[rules.allowlist] +# note: (rule) regexTarget defaults to check the _Secret_ in the finding. +# if regexTarget is not specified then _Secret_ will be used. +# Acceptable values for regexTarget are "match" and "line" +regexTarget = "match" +regexes = [ + '''sonar.organization''', + '''sonar.projectKey''', +] \ No newline at end of file diff --git a/sonar-project.properties b/sonar-project.properties index b1106df40..dcddeac7e 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -1,5 +1,5 @@ sonar.organization=metodil -sonar.projectKey=metodil_telerik_u34 +sonar.projectKey=devops-programme # relative paths to source directories. More details and properties are described From 0bf7675363e87d8155d1f6ddf887661bd1b50dbb Mon Sep 17 00:00:00 2001 From: metodil Date: Mon, 11 Nov 2024 22:55:46 +0200 Subject: [PATCH 28/66] Finaly proper projectkey in sonar cloud --- sonar-project.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sonar-project.properties b/sonar-project.properties index dcddeac7e..5a56b33df 100644 --- a/sonar-project.properties 
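Review bot: `.gitleaks.toml` puts the allowlist under `[rules.allowlist]` without any `[[rules]]` entry and without an `[extend]` section, so as far as I can tell gitleaks will not merge its default ruleset when it picks up this file; if the loader accepts the file at all, the scan may run with no detection rules and report a clean result. Add `[extend]` with `useDefault = true` at the top and move the allowlist to the global `[allowlist]` table (or into a specific `[[rules]]` block). The dots in `'''sonar.organization'''` and `'''sonar.projectKey'''` are unescaped regex metacharacters; `'''sonar\.organization'''` matches only the intended key. Since `regexTarget = "match"` suppresses any finding whose matched text contains these patterns, it is worth confirming these two keys are really what produced the findings being silenced.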
+++ b/sonar-project.properties @@ -1,5 +1,5 @@ sonar.organization=metodil -sonar.projectKey=devops-programme +sonar.projectKey=Metodil_devops-programme # relative paths to source directories. More details and properties are described From 2d4d5918cb53727ae71bb39aee38a2faaf627511 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 10:12:05 +0200 Subject: [PATCH 29/66] check with pylint and security scan with trivy fs --- .github/workflows/u34-hw.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 4f50a04d3..cc60406b2 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -2,6 +2,9 @@ name: u34 homework workflow run-name: u34 homework workflow run on ${{ github.event_name }} event on: pull_request: + types: [opened, reopened] + branches: + - 'main' # paths: # - 'app/**' # - 'Dockerfile' @@ -47,9 +50,9 @@ jobs: python -m unittest app_test.py - name: Run flake8 linting run: flake8 app/ -# - name: Analysing the code with pylint -# run: | -# pylint $(git ls-files '*.py') + - name: Analysing the code with pylint + run: | + pylint $(git ls-files '*.py') security-scan: runs-on: ubuntu-latest @@ -61,10 +64,11 @@ jobs: - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -# - name: Run Trivy vulnerability scanner in fs mode -# uses: aquasecurity/trivy-action@0.28.0 -# with: -# scan-type: 'fs' + - name: Run Trivy vulnerability scanner in fs mode + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'fs' + scan-ref: '.' # scan-ref: 'app/' # trivy-config: trivy.yaml From 9ae09d13cfa65b04889d94d440baac6948b0026d Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 10:15:47 +0200 Subject: [PATCH 30/66] Ajust pull_request triger --- .github/workflows/u34-hw.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
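Review bot: The re-enabled Trivy fs scan sets no `severity` or `exit-code`, and trivy-action defaults `exit-code` to `'0'` as far as I recall, so findings are only printed and the step never fails; `build-test-push` still declares `needs: security-scan`, but that dependency no longer blocks on vulnerabilities. If the intent is a gate, add `severity: 'HIGH,CRITICAL'` and `exit-code: '1'`, the same values the image scan further down already uses. The commented `scan-ref: 'app/'` and `trivy-config: trivy.yaml` lines next to the live `scan-ref: '.'` should either be removed or the config file wired in; dead alternatives inside a security job make it unclear which settings are actually enforced.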
diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index cc60406b2..b96fb31da 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -2,9 +2,9 @@ name: u34 homework workflow run-name: u34 homework workflow run on ${{ github.event_name }} event on: pull_request: - types: [opened, reopened] - branches: - - 'main' +# types: [opened, reopened] +# branches: +# - 'main' # paths: # - 'app/**' # - 'Dockerfile' From ab437ca1783bc0c5092f5f68aa4a648e56d953bf Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 10:26:31 +0200 Subject: [PATCH 31/66] set test order in lint-unit-tests --- .github/workflows/u34-hw.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index b96fb31da..c660b15b2 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -43,16 +43,16 @@ jobs: run: | python -m pip install --upgrade pip pip install -r requirements.txt - - name: Test with pytest - run: | - pip install pytest pytest-cov flake8 - cd app - python -m unittest app_test.py + pip install pytest pytest-cov flake8 pylint - name: Run flake8 linting run: flake8 app/ - name: Analysing the code with pylint run: | pylint $(git ls-files '*.py') + - name: Test with pytest + run: | + cd app + python -m unittest app_test.py security-scan: runs-on: ubuntu-latest From eb3623e82512846681a670d8e99118c241c22b26 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 10:35:06 +0200 Subject: [PATCH 32/66] Ajust pylint err missing modules --- .github/workflows/u34-hw.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index c660b15b2..4515df17b 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml 
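Review bot: After this reorder `pytest` and `pytest-cov` are still installed in the dependency step, but the step named `Test with pytest` runs `python -m unittest app_test.py`, so both packages are unused and the step name is misleading; either run `pytest app_test.py` or rename the step and drop the unused installs. The tool line `pip install pytest pytest-cov flake8 pylint` is unpinned, so every run pulls the latest linter releases and the job can start failing on new rules with no code change; pinning versions (or a dev requirements file) keeps the lint gate reproducible. The single-command `run: |` block for pylint could be the plain form `run: pylint $(git ls-files '*.py')` for consistency with the flake8 step.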
@@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@master - uses: gaurav-nelson/github-action-markdown-link-check@v1 - lint-unit-test: + lint-unit-tests: runs-on: ubuntu-latest needs: [ editorconfig, markdown-link-check ] steps: @@ -48,7 +48,7 @@ jobs: run: flake8 app/ - name: Analysing the code with pylint run: | - pylint $(git ls-files '*.py') + pylint --rcfile=pylintrc $(git ls-files '*.py') - name: Test with pytest run: | cd app @@ -56,7 +56,7 @@ jobs: security-scan: runs-on: ubuntu-latest - needs: lint-unit-test + needs: lint-unit-tests steps: - uses: actions/checkout@v4 with: @@ -74,7 +74,7 @@ jobs: sonarcloud: runs-on: ubuntu-latest - needs: lint-unit-test + needs: lint-unit-tests steps: - uses: actions/checkout@v4 with: From c242ac4812db979ce0570857f462c275f237c701 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 10:39:10 +0200 Subject: [PATCH 33/66] add .pylintrc with settings --- .pylintrc | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .pylintrc diff --git a/.pylintrc b/.pylintrc new file mode 100644 index 000000000..93787e6d3 --- /dev/null +++ b/.pylintrc @@ -0,0 +1,3 @@ +[MASTER] +disable= + C0114, # missing-module-docstring \ No newline at end of file From edff86da51ee394cd221a6ea6005729b032cb07f Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 10:45:05 +0200 Subject: [PATCH 34/66] ajust path to .pylintrc --- .github/workflows/u34-hw.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 4515df17b..e4e9eaf37 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -48,7 +48,7 @@ jobs: run: flake8 app/ - name: Analysing the code with pylint run: | - pylint --rcfile=pylintrc $(git ls-files '*.py') + pylint --rcfile=.pylintrc $(git ls-files '*.py') - name: Test with pytest run: | cd app From a4756d5fb48dac0041f9c44a9261f94d7e0750da Mon Sep 17 00:00:00 2001 
From: metodil Date: Tue, 12 Nov 2024 10:47:07 +0200 Subject: [PATCH 35/66] disable workin test for save time --- .github/workflows/u34-hw.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index e4e9eaf37..9b74808ab 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -15,18 +15,18 @@ env: IMAGE_TAG: metodil/my-hello-app:latest jobs: - editorconfig: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: editorconfig-checker/action-editorconfig-checker@main - - run: editorconfig-checker - - markdown-link-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - uses: gaurav-nelson/github-action-markdown-link-check@v1 +# editorconfig: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v4 +# - uses: editorconfig-checker/action-editorconfig-checker@main +# - run: editorconfig-checker +# +# markdown-link-check: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@master +# - uses: gaurav-nelson/github-action-markdown-link-check@v1 lint-unit-tests: runs-on: ubuntu-latest From 212907d9d8349730dddd17b0a7e7437ce66e3ff5 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 10:49:36 +0200 Subject: [PATCH 36/66] set syntax err --- .github/workflows/u34-hw.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 9b74808ab..d7c732d56 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -15,6 +15,7 @@ env: IMAGE_TAG: metodil/my-hello-app:latest jobs: + # editorconfig: # runs-on: ubuntu-latest # steps: @@ -30,7 +31,7 @@ jobs: lint-unit-tests: runs-on: ubuntu-latest - needs: [ editorconfig, markdown-link-check ] +# needs: [ editorconfig, markdown-link-check ] steps: - name: Check out code uses: actions/checkout@v4 
From d0e20c163563071a4d4b7c28a3c7f52586198e9d Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 10:54:02 +0200 Subject: [PATCH 37/66] Set others missing docring in .pylintrc --- .pylintrc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.pylintrc b/.pylintrc index 93787e6d3..83182234f 100644 --- a/.pylintrc +++ b/.pylintrc @@ -1,3 +1,5 @@ [MASTER] disable= - C0114, # missing-module-docstring \ No newline at end of file + C0114, # missing-module-docstring + C0115, # missing-class-docstring + C0116, # missing-function-docstring From 800ad34ba74d798afb2b182943a18ecd0944b137 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 11:05:29 +0200 Subject: [PATCH 38/66] try other setings in .pylintrc --- .github/workflows/u34-hw.yml | 1 + .pylintrc | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index d7c732d56..f4fc55086 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -55,6 +55,7 @@ jobs: cd app python -m unittest app_test.py + security-scan: runs-on: ubuntu-latest needs: lint-unit-tests diff --git a/.pylintrc b/.pylintrc index 83182234f..ff0d4e8ee 100644 --- a/.pylintrc +++ b/.pylintrc @@ -3,3 +3,6 @@ disable= C0114, # missing-module-docstring C0115, # missing-class-docstring C0116, # missing-function-docstring + +[MESSAGES CONTROL] +disable=missing-docstring,empty-docstring \ No newline at end of file From c0bb8ed26703a3f86dfc280a0d27dd4b2bdacd0a Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 14:35:45 +0200 Subject: [PATCH 39/66] fix security-scan with Trivy --- .github/workflows/u34-hw.yml | 178 +++++++++++++++++++---------------- 1 file changed, 96 insertions(+), 82 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index f4fc55086..fbf9d98c9 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml 
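Review bot: The `.pylintrc` hunk now carries two `disable=` options in two sections (`[MASTER]` and `[MESSAGES CONTROL]`), and `missing-docstring` is the older umbrella name covering C0114/C0115/C0116, so the new line duplicates the first list; which value wins is parser-dependent (pylint may merge them or take the last one), which is exactly the ambiguity a lint config should avoid. Keep a single list under `[MESSAGES CONTROL]`, e.g. `disable=missing-docstring,empty-docstring`, and delete the `[MASTER]` block. The inline `# missing-module-docstring` comments after each code also rely on the INI parser honouring inline comments; a comment on its own line above the option is safer.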
@@ -29,36 +29,36 @@ jobs: # - uses: actions/checkout@master # - uses: gaurav-nelson/github-action-markdown-link-check@v1 - lint-unit-tests: - runs-on: ubuntu-latest +# lint-unit-tests: +# runs-on: ubuntu-latest # needs: [ editorconfig, markdown-link-check ] - steps: - - name: Check out code - uses: actions/checkout@v4 - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.11.8' - cache: 'pip' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - pip install pytest pytest-cov flake8 pylint - - name: Run flake8 linting - run: flake8 app/ - - name: Analysing the code with pylint - run: | - pylint --rcfile=.pylintrc $(git ls-files '*.py') - - name: Test with pytest - run: | - cd app - python -m unittest app_test.py +# steps: +# - name: Check out code +# uses: actions/checkout@v4 +# - name: Set up Python +# uses: actions/setup-python@v5 +# with: +# python-version: '3.11.8' +# cache: 'pip' +# - name: Install dependencies +# run: | +# python -m pip install --upgrade pip +# pip install -r requirements.txt +# pip install pytest pytest-cov flake8 pylint +# - name: Run flake8 linting +# run: flake8 app/ +# - name: Analysing the code with pylint +# run: | +# pylint --rcfile=.pylintrc $(git ls-files '*.py') +# - name: Test with pytest +# run: | +# cd app +# python -m unittest app_test.py security-scan: runs-on: ubuntu-latest - needs: lint-unit-tests +# needs: lint-unit-tests steps: - uses: actions/checkout@v4 with: 
@@ -66,67 +66,81 @@ jobs: - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run Trivy vulnerability scanner in fs mode - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'fs' - scan-ref: '.' +# - name: Run Trivy vulnerability scanner in fs mode +# uses: aquasecurity/trivy-action@0.28.0 +# with: +# scan-type: 'fs' +# scan-ref: '.' # scan-ref: 'app/' # trivy-config: trivy.yaml - sonarcloud: - runs-on: ubuntu-latest - needs: lint-unit-tests - steps: - - uses: actions/checkout@v4 - with: - # Disabling shallow clone is recommended for improving relevancy of reporting - fetch-depth: 0 - - name: SonarCloud Scan - uses: sonarsource/sonarcloud-github-action@v3.1.0 # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - build-test-push: - name: Build Dockerfile, test container with trivy if ok push to registry - runs-on: ubuntu-latest - needs: [ security-scan, sonarcloud ] - steps: - - name: Import Secrets from Hashi vault - id: import-secrets - uses: hashicorp/vault-action@v2 - with: - url: https://vault.elcomp68.com:8200 - token: ${{ secrets.HV_U34_TOKEN }} - caCertificate: ${{ secrets.VAULT_CA_CERT }} - secrets: | - kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; - kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ env.DOCKERHUB_USERNAME }} - password: ${{ env.DOCKERHUB_TOKEN }} - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Build and export to Docker - uses: docker/build-push-action@v6 - with: - load: true - tags: ${{ env.TEST_TAG }} - - name: Scan Docker image with Trivy + - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@0.28.0 with: - image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a 
pre-pushed image) - format: 'table' # Output format (can be 'table', 'json', 'template', etc.) - severity: 'HIGH,CRITICAL' # Only show HIGH and CRITICAL vulnerabilities (optional) - exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL' - - name: Build and push - uses: docker/build-push-action@v6 + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 with: - push: true - tags: ${{ env.IMAGE_TAG }} - if: success() # Only push if test is ok \ No newline at end of file + sarif_file: 'trivy-results.sarif' + +# sonarcloud: +# runs-on: ubuntu-latest +# needs: lint-unit-tests +# steps: +# - uses: actions/checkout@v4 +# with: +# # Disabling shallow clone is recommended for improving relevancy of reporting +# fetch-depth: 0 +# - name: SonarCloud Scan +# uses: sonarsource/sonarcloud-github-action@v3.1.0 # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan +# env: +# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + +# build-test-push: +# name: Build Dockerfile, test container with trivy if ok push to registry +# runs-on: ubuntu-latest +# needs: [ security-scan, sonarcloud ] +# steps: +# - name: Import Secrets from Hashi vault +# id: import-secrets +# uses: hashicorp/vault-action@v2 +# with: +# url: https://vault.elcomp68.com:8200 +# token: ${{ secrets.HV_U34_TOKEN }} +# caCertificate: ${{ secrets.VAULT_CA_CERT }} +# secrets: | +# kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; +# kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; +# - name: Login to Docker Hub +# uses: docker/login-action@v3 +# with: +# username: ${{ env.DOCKERHUB_USERNAME }} +# password: ${{ env.DOCKERHUB_TOKEN }} +# - name: Set up QEMU +# uses: docker/setup-qemu-action@v3 +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v3 +# - name: Build and export to Docker +# 
uses: docker/build-push-action@v6 +# with: +# load: true +# tags: ${{ env.TEST_TAG }} +# - name: Scan Docker image with Trivy +# uses: aquasecurity/trivy-action@0.28.0 +# with: +# image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) +# format: 'table' # Output format (can be 'table', 'json', 'template', etc.) +# severity: 'HIGH,CRITICAL' # Only show HIGH and CRITICAL vulnerabilities (optional) +# exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) +# +# - name: Build and push +# uses: docker/build-push-action@v6 +# with: +# push: true +# tags: ${{ env.IMAGE_TAG }} +# if: success() # Only push if test is ok \ No newline at end of file From c48140e345a9b497e78c14fd18e6008d49dc3cd8 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 14:53:46 +0200 Subject: [PATCH 40/66] ajust trivy docker container test --- .github/workflows/u34-hw.yml | 135 +++++++++++++++++------------------ 1 file changed, 67 insertions(+), 68 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index fbf9d98c9..9be2ee595 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml 
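Review bot: The new `Upload Trivy scan results to GitHub Security tab` step uses `github/codeql-action/upload-sarif@v3`, which needs `security-events: write` on `GITHUB_TOKEN`, and this workflow declares no `permissions:` block; on a repository whose default token is read-only the upload fails with a permissions error. Add `permissions: { contents: read, security-events: write }` to the `security-scan` job (the image-scan upload added later in this series has the same requirement). The repo-mode Trivy step sets `severity: 'CRITICAL'` and `ignore-unfixed: true` but no `exit-code`, so criticals are uploaded without ever failing the job; if the scan is meant to gate the build, add `exit-code: '1'` and give the upload step `if: always()` so results still reach the Security tab when the scan fails. The `sonarcloud` and `build-test-push` jobs are commented out in this same hunk, so `needs: [ security-scan, sonarcloud ]` will need updating when they come back.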
@@ -56,37 +56,29 @@ jobs: # python -m unittest app_test.py - security-scan: - runs-on: ubuntu-latest +# security-scan: +# runs-on: ubuntu-latest # needs: lint-unit-tests - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: gitleaks/gitleaks-action@v2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -# - name: Run Trivy vulnerability scanner in fs mode +# steps: +# - uses: actions/checkout@v4 +# with: +# fetch-depth: 0 +# - uses: gitleaks/gitleaks-action@v2 +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# - name: Run Trivy vulnerability scanner in repo mode # uses: aquasecurity/trivy-action@0.28.0 # with: # scan-type: 'fs' -# scan-ref: '.' -# scan-ref: 'app/' -# trivy-config: trivy.yaml - - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' +# ignore-unfixed: true +# format: 'sarif' +# output: 'trivy-results.sarif' +# severity: 'CRITICAL' +# +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: 'trivy-results.sarif' # sonarcloud: # runs-on: ubuntu-latest 
@@ -101,46 +93,53 @@ jobs: # env: # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} -# build-test-push: -# name: Build Dockerfile, test container with trivy if ok push to registry -# runs-on: ubuntu-latest + build-test-push: + name: Build Dockerfile, test container with trivy if ok push to registry + runs-on: ubuntu-latest # needs: [ security-scan, sonarcloud ] -# steps: -# - name: Import Secrets from Hashi vault -# id: import-secrets -# uses: hashicorp/vault-action@v2 -# with: -# url: https://vault.elcomp68.com:8200 -# token: ${{ secrets.HV_U34_TOKEN }} -# caCertificate: ${{ secrets.VAULT_CA_CERT }} -# secrets: | -# kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; -# kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; -# - name: Login to Docker Hub -# uses: docker/login-action@v3 -# with: -# username: ${{ env.DOCKERHUB_USERNAME }} -# password: ${{ env.DOCKERHUB_TOKEN }} -# - name: Set up QEMU -# uses: docker/setup-qemu-action@v3 -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v3 -# - name: Build and export to Docker -# uses: docker/build-push-action@v6 -# with: -# load: true -# tags: ${{ env.TEST_TAG }} -# - name: Scan Docker image with Trivy -# uses: aquasecurity/trivy-action@0.28.0 -# with: -# image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) + steps: + - name: Import Secrets from Hashi vault + id: import-secrets + uses: hashicorp/vault-action@v2 + with: + url: https://vault.elcomp68.com:8200 + token: ${{ secrets.HV_U34_TOKEN }} + caCertificate: ${{ secrets.VAULT_CA_CERT }} + secrets: | + kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; + kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ env.DOCKERHUB_USERNAME }} + password: ${{ env.DOCKERHUB_TOKEN }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Build and export to 
Docker + uses: docker/build-push-action@v6 + with: + load: true + tags: ${{ env.TEST_TAG }} + - name: Scan Docker image with Trivy + uses: aquasecurity/trivy-action@0.28.0 + with: + image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) + ignore-unfixed: true # format: 'table' # Output format (can be 'table', 'json', 'template', etc.) -# severity: 'HIGH,CRITICAL' # Only show HIGH and CRITICAL vulnerabilities (optional) -# exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) -# -# - name: Build and push -# uses: docker/build-push-action@v6 -# with: -# push: true -# tags: ${{ env.IMAGE_TAG }} -# if: success() # Only push if test is ok \ No newline at end of file + format: 'sarif' + output: 'trivy-docker-results.sarif' + severity: 'HIGH,CRITICAL' + exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-docker-results.sarif' + - name: Build and push + uses: docker/build-push-action@v6 + with: + push: true + tags: ${{ env.IMAGE_TAG }} + if: success() # Only push if test is ok \ No newline at end of file From 83024922a0ade61092c525599bb62675b061b93b Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 15:10:00 +0200 Subject: [PATCH 41/66] ajust buld test and push --- .github/workflows/u34-hw.yml | 80 +++++++++++++++++++++++------------- 1 file changed, 52 insertions(+), 28 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 9be2ee595..e0b2f0843 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -11,8 +11,8 @@ on: # - 'requirements.txt' env: - TEST_TAG: metodil/my-hello-app:test - IMAGE_TAG: metodil/my-hello-app:latest +# TEST_TAG: metodil/my-hello-app + IMAGE_TAG: metodil/my-hello-app jobs: 
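Review bot: In the re-enabled `build-test-push` job the image scan now runs with `exit-code: '1'`, but the following `Upload Trivy scan results to GitHub Security tab` step has no `if: always()`, so on exactly the runs where HIGH/CRITICAL findings fail the job the SARIF is never uploaded and the findings that blocked the push are invisible in the Security tab. Add `if: always()` to that upload step. The Vault import and Docker Hub login still run before the build and scan, and the job reads the credentials back through `${{ env.DOCKERHUB_USERNAME }}` / `${{ env.DOCKERHUB_TOKEN }}`, which means `DOCKERHUB_TOKEN` sits in the environment of every later step, including the third-party build and scan actions; moving `Import Secrets from Hashi vault` and `Login to Docker Hub` to just before `Build and push` limits the credential to the one step that needs it.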
@@ -98,6 +98,53 @@ jobs: runs-on: ubuntu-latest # needs: [ security-scan, sonarcloud ] steps: +# - name: Set up QEMU +# uses: docker/setup-qemu-action@v3 +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v3 +# - name: Build and export to Docker +# uses: docker/build-push-action@v6 +# with: +# load: true +# tags: ${{ env.TEST_TAG }} +# - name: Scan Docker image with Trivy +# uses: aquasecurity/trivy-action@0.28.0 +# with: +# image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) +# ignore-unfixed: true +## format: 'table' # Output format (can be 'table', 'json', 'template', etc.) +# format: 'sarif' +# output: 'trivy-docker-results.sarif' +# severity: 'HIGH,CRITICAL' +# exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) + +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: 'trivy-docker-results.sarif' + + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t ${{ env.IMAGE_TAG }}:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + image-ref: '${{ env.IMAGE_TAG }}:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + + + - name: Import Secrets from Hashi vault id: import-secrets uses: hashicorp/vault-action@v2 
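Review bot: The new `Run Trivy vulnerability scanner` step has no `exit-code` or `severity`, so with trivy-action's default exit code it never fails, and the `if: success()` on the later push step only guards against the scanner erroring, not against findings; the job name still promises to push only "if ok". Add `severity: 'HIGH,CRITICAL'` and `exit-code: '1'` back to the scan (the upload step already has `if: always()`, so results still reach the Security tab on a failing scan). The `docker build -t ${{ env.IMAGE_TAG }}:${{ github.sha }} .` line interpolates expressions straight into the shell; both values are workflow-controlled here, so there is no injection concern, but `docker build -t "$IMAGE_TAG:$GITHUB_SHA" .` is the safer habit for `run:` steps. The ~25 commented-out lines of the previous buildx/scan flow at the top of `steps:` should be deleted rather than kept; they are in git history and make it hard to see which scan is live.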
@@ -106,40 +153,17 @@ jobs: token: ${{ secrets.HV_U34_TOKEN }} caCertificate: ${{ secrets.VAULT_CA_CERT }} secrets: | - kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; - kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; + kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ; + kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ; - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ env.DOCKERHUB_USERNAME }} password: ${{ env.DOCKERHUB_TOKEN }} - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Build and export to Docker - uses: docker/build-push-action@v6 - with: - load: true - tags: ${{ env.TEST_TAG }} - - name: Scan Docker image with Trivy - uses: aquasecurity/trivy-action@0.28.0 - with: - image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) - ignore-unfixed: true -# format: 'table' # Output format (can be 'table', 'json', 'template', etc.) - format: 'sarif' - output: 'trivy-docker-results.sarif' - severity: 'HIGH,CRITICAL' - exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-docker-results.sarif' - name: Build and push uses: docker/build-push-action@v6 with: push: true - tags: ${{ env.IMAGE_TAG }} + tags: '${{ env.IMAGE_TAG }}:${{ github.sha }}' if: success() # Only push if test is ok \ No newline at end of file From d72745dd658531652aca6a7f3f03322f7c678243 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 15:17:43 +0200 Subject: [PATCH 42/66] increase ver of hashi vault action --- .github/workflows/u34-hw.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index e0b2f0843..cee70b05b 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml 
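Review bot: `Build and push` now uses `docker/build-push-action@v6` with `push: true`, which rebuilds the image with buildx instead of pushing the `${{ env.IMAGE_TAG }}:${{ github.sha }}` image that the earlier `docker build` produced and Trivy scanned; unless the Dockerfile is fully reproducible, the published artifact is not the scanned one. Either push the already-built image (`run: docker push '${{ env.IMAGE_TAG }}:${{ github.sha }}'`) or build once with buildx (`load: true`) and push that same tag. The enclosing `build-test-push` job and the scan steps it depends on are in the previous hunk.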
@@ -147,7 +147,7 @@ jobs: - name: Import Secrets from Hashi vault id: import-secrets - uses: hashicorp/vault-action@v2 + uses: hashicorp/vault-action@v3 with: url: https://vault.elcomp68.com:8200 token: ${{ secrets.HV_U34_TOKEN }} From 74b6ef7ee14bca584eb6d93754602bb770d3a98d Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 17:46:57 +0200 Subject: [PATCH 43/66] arrange all test --- .github/workflows/u34-hw.yml | 179 ++++++++++++++++------------------- 1 file changed, 81 insertions(+), 98 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index cee70b05b..412311c6d 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml 
@@ -16,135 +16,118 @@ env: jobs: -# editorconfig: -# runs-on: ubuntu-latest -# steps: -# - uses: actions/checkout@v4 -# - uses: editorconfig-checker/action-editorconfig-checker@main -# - run: editorconfig-checker -# -# markdown-link-check: -# runs-on: ubuntu-latest -# steps: -# - uses: actions/checkout@master -# - uses: gaurav-nelson/github-action-markdown-link-check@v1 + editorconfig: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: editorconfig-checker/action-editorconfig-checker@main + - run: editorconfig-checker + markdown-link-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - uses: gaurav-nelson/github-action-markdown-link-check@v1 -# lint-unit-tests: -# runs-on: ubuntu-latest -# needs: [ editorconfig, markdown-link-check ] -# steps: -# - name: Check out code -# uses: actions/checkout@v4 -# - name: Set up Python -# uses: actions/setup-python@v5 -# with: -# python-version: '3.11.8' -# cache: 'pip' -# - name: Install dependencies -# run: | -# python -m pip install --upgrade pip -# pip install -r requirements.txt -# pip install pytest pytest-cov flake8 pylint -# - name: Run flake8 linting -# run: flake8 app/ -# - name: Analysing the code with pylint -# run: | -# pylint --rcfile=.pylintrc $(git ls-files '*.py') -# - name: Test with pytest -# run: | -# cd app -# python -m unittest app_test.py + lint-unit-tests: + runs-on: ubuntu-latest + needs: [ editorconfig, markdown-link-check ] + steps: + - name: Check out code + uses: actions/checkout@v4 + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.11.8' + cache: 'pip' + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + pip install pytest pytest-cov flake8 pylint + - name: Run flake8 linting + run: flake8 app/ + - name: Analysing the code with pylint + run: | + pylint --rcfile=.pylintrc $(git ls-files '*.py') + - name: Test with pytest + run: | + cd app + python -m unittest 
app_test.py + trivy-security: + runs-on: ubuntu-latest + needs: lint-unit-tests + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL' -# security-scan: + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' +# snyk-security: # runs-on: ubuntu-latest # needs: lint-unit-tests # steps: -# - uses: actions/checkout@v4 -# with: -# fetch-depth: 0 -# - uses: gitleaks/gitleaks-action@v2 +# - uses: actions/checkout@v4 #actions/checkout@master +# - name: Run Snyk to check for vulnerabilities +# uses: snyk/actions/node@master +# continue-on-error: true # To make sure that SARIF upload gets called # env: -# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -# - name: Run Trivy vulnerability scanner in repo mode -# uses: aquasecurity/trivy-action@0.28.0 +# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # with: -# scan-type: 'fs' -# ignore-unfixed: true -# format: 'sarif' -# output: 'trivy-results.sarif' -# severity: 'CRITICAL' -# -# - name: Upload Trivy scan results to GitHub Security tab -# uses: github/codeql-action/upload-sarif@v3 +# args: --sarif-file-output=snyk.sarif +# - name: Upload result to GitHub Code Scanning +# uses: github/codeql-action/upload-sarif@v2 # with: -# sarif_file: 'trivy-results.sarif' - -# sonarcloud: -# runs-on: ubuntu-latest -# needs: lint-unit-tests -# steps: -# - uses: actions/checkout@v4 -# with: -# # Disabling shallow clone is recommended for improving relevancy of reporting -# fetch-depth: 0 -# - name: SonarCloud Scan -# uses: sonarsource/sonarcloud-github-action@v3.1.0 # Ex: v2.1.0, See the latest version at 
https://github.com/marketplace/actions/sonarcloud-scan -# env: -# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} +# sarif_file: snyk.sarif + sonarcloud-security: + runs-on: ubuntu-latest + needs: lint-unit-tests + steps: + - uses: actions/checkout@v4 + with: + # Disabling shallow clone is recommended for improving relevancy of reporting + fetch-depth: 0 + - name: SonarCloud Scan + uses: sonarsource/sonarcloud-github-action@v3.1.0 # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} build-test-push: name: Build Dockerfile, test container with trivy if ok push to registry runs-on: ubuntu-latest -# needs: [ security-scan, sonarcloud ] + needs: [ trivy-security, sonarcloud-security ] steps: -# - name: Set up QEMU -# uses: docker/setup-qemu-action@v3 -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v3 -# - name: Build and export to Docker -# uses: docker/build-push-action@v6 -# with: -# load: true -# tags: ${{ env.TEST_TAG }} -# - name: Scan Docker image with Trivy -# uses: aquasecurity/trivy-action@0.28.0 -# with: -# image-ref: ${{ env.TEST_TAG }} # Image to scan (can use a local build or a pre-pushed image) -# ignore-unfixed: true -## format: 'table' # Output format (can be 'table', 'json', 'template', etc.) -# format: 'sarif' -# output: 'trivy-docker-results.sarif' -# severity: 'HIGH,CRITICAL' -# exit-code: '1' # Set exit code 1 if vulnerabilities are found (optional) - -# - name: Upload Trivy scan results to GitHub Security tab -# uses: github/codeql-action/upload-sarif@v3 -# with: -# sarif_file: 'trivy-docker-results.sarif' - - name: Checkout code uses: actions/checkout@v4 - - name: Build an image from Dockerfile run: | docker build -t ${{ env.IMAGE_TAG }}:${{ github.sha }} . 
- - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.28.0 with: image-ref: '${{ env.IMAGE_TAG }}:${{ github.sha }}' format: 'sarif' output: 'trivy-results.sarif' - - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 if: always() with: sarif_file: 'trivy-results.sarif' - - - name: Import Secrets from Hashi vault id: import-secrets uses: hashicorp/vault-action@v3 From 5a88bbe27cf5e0c65dbc19ab0449118bb1b05b9c Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 18:17:42 +0200 Subject: [PATCH 44/66] add lint with black --- .github/workflows/u34-hw.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index 412311c6d..ae5e40990 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -28,9 +28,18 @@ jobs: - uses: actions/checkout@master - uses: gaurav-nelson/github-action-markdown-link-check@v1 + lint-black: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: psf/black@stable + with: + options: "--check --verbose" +# src: "." + lint-unit-tests: runs-on: ubuntu-latest - needs: [ editorconfig, markdown-link-check ] + needs: [ editorconfig, markdown-link-check, lint-black ] steps: - name: Check out code uses: actions/checkout@v4 From f1cc38c3b4939b0e88ffddba4ada2241a987b796 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 22:23:56 +0200 Subject: [PATCH 45/66] add pre-commit.yml --- .github/workflows/u34-hw.yml | 8 ++++++-- .pre-commit-config.yml | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 .pre-commit-config.yml diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index ae5e40990..be2dc6c7f 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml 
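Review bot: In the rebuilt build-test-push job the "Run Trivy vulnerability scanner" step scans the freshly built image with `format: 'sarif'` only, without `exit-code` or `severity`, so Trivy findings never fail the job and the Vault login and push steps that follow (the job continues past the end of this hunk) run regardless of the result — the job's own name promises "if ok push", which this does not enforce. Add `severity: 'HIGH,CRITICAL'`, `ignore-unfixed: true` and `exit-code: '1'` to that step, as the removed steps had; the SARIF upload already carries `if: always()`, so results still reach the Security tab when the scan fails. Separately, the re-enabled `editorconfig` and `markdown-link-check` jobs reference third-party actions at `@main` and `@master`, which are mutable branches; pin them to a release tag or, better, a commit SHA. The `upload-sarif` steps also need `security-events: write` in the workflow's `permissions`, which are not visible here — worth confirming.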
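Review bot: `psf/black@stable` in the new lint-black job is a moving branch rather than a release, so the lint verdict can change between runs without any change to this repository; pin it to a tagged release or commit SHA, e.g. `uses: psf/black@<release-tag>`. The commented-out `src: "."` line can be deleted outright if `.` is the action's default, as its documentation indicates, rather than left as dead configuration.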
@@ -115,7 +115,7 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - build-test-push: + build-test: name: Build Dockerfile, test container with trivy if ok push to registry runs-on: ubuntu-latest needs: [ trivy-security, sonarcloud-security ] @@ -137,6 +137,10 @@ jobs: with: sarif_file: 'trivy-results.sarif' + push: + runs-on: ubuntu-latest + needs: [ build-test ] + steps: - name: Import Secrets from Hashi vault id: import-secrets uses: hashicorp/vault-action@v3 @@ -158,4 +162,4 @@ jobs: with: push: true tags: '${{ env.IMAGE_TAG }}:${{ github.sha }}' - if: success() # Only push if test is ok \ No newline at end of file + if: success() # Only push if get login is ok \ No newline at end of file diff --git a/.pre-commit-config.yml b/.pre-commit-config.yml new file mode 100644 index 000000000..741e7dba8 --- /dev/null +++ b/.pre-commit-config.yml @@ -0,0 +1,15 @@ +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v2.3.0 + hooks: + - id: check-yaml + - id: end-of-file-fixer + - id: trailing-whitespace +- repo: https://github.com/psf/black + rev: 22.10.0 + hooks: + - id: black +- repo: https://github.com/gitleaks/gitleaks + rev: v8.18.0 # Specify the desired version of Gitleaks + hooks: + - id: gitleaks \ No newline at end of file From 9d7378ac0ba05b4763615ec78eb9cb4b1595a704 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 22:51:30 +0200 Subject: [PATCH 46/66] rm pre-commit.yml --- .pre-commit-config.yml | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100644 .pre-commit-config.yml diff --git a/.pre-commit-config.yml b/.pre-commit-config.yml deleted file mode 100644 index 741e7dba8..000000000 --- a/.pre-commit-config.yml +++ /dev/null 
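Review bot: The new `push` job rebuilds the image with `docker/build-push-action` and pushes that fresh build, which is not the image Trivy scanned in `build-test` (that one lived in the other job's runner), so the split turns the scan into a check of a sibling build rather than of what actually ships; the job also has no checkout step, so the action presumably builds from the Git context — confirm that is intended. To keep the gate meaningful, push from the job that performed the scan, or `docker save` the scanned image, hand it over with `actions/upload-artifact`, and `docker load` it here before pushing the same tag. The Vault login still uses a static `token: ${{ secrets.HV_U34_TOKEN }}`; vault-action's `method: jwt` with the workflow's OIDC token would remove that long-lived secret from the repository. `if: success()` on the push step is the default behaviour and can be dropped, or its comment changed to `# default: runs only when the previous steps succeeded`.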
@@ -1,15 +0,0 @@ -repos: -- repo: https://github.com/pre-commit/pre-commit-hooks - rev: v2.3.0 - hooks: - - id: check-yaml - - id: end-of-file-fixer - - id: trailing-whitespace -- repo: https://github.com/psf/black - rev: 22.10.0 - hooks: - - id: black -- repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 # Specify the desired version of Gitleaks - hooks: - - id: gitleaks \ No newline at end of file From d8bee4041e703ec32ebd1b12fa7cb901d75db6e6 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 23:01:43 +0200 Subject: [PATCH 47/66] add pre-commit-config.yaml --- .pre-commit-config.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000..ca787473e --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,15 @@ +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v2.3.0 + hooks: + - id: check-yaml + - id: end-of-file-fixer + - id: trailing-whitespace +#- repo: https://github.com/psf/black +# rev: 22.10.0 +# hooks: +# - id: black +- repo: https://github.com/gitleaks/gitleaks + rev: v8.18.0 # Specify the desired version of Gitleaks + hooks: + - id: gitleaks From 9694615a4130564f50cca1074b1febc0818482a7 Mon Sep 17 00:00:00 2001 From: metodil Date: Tue, 12 Nov 2024 23:13:24 +0200 Subject: [PATCH 48/66] set other hooks in pre-commit-config.yaml --- .pre-commit-config.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ca787473e..76aaf833c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,6 +5,9 @@ repos: - id: check-yaml - id: end-of-file-fixer - id: trailing-whitespace + - id: check-added-large-files + - id: check-json + - id: check-merge-conflict #- repo: https://github.com/psf/black # rev: 22.10.0 # hooks: From f5036739d699a8f435738ca83d57417584c9eb05 Mon Sep 17 00:00:00 2001 
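Review bot: The gitleaks hook in the new `.pre-commit-config.yaml` runs only on machines where a developer has run `pre-commit install`, and `git commit --no-verify` skips it, so it supplements rather than replaces the `gitleaks/gitleaks-action` job in the CI workflow — a one-line comment at the top of the file would stop someone later treating the CI job as redundant: `# Local pre-commit hooks only; CI (gitleaks-action, Trivy) remains the enforcement point.`. The `rev: v2.3.0` tag of pre-commit-hooks looks several years old; the ids used here (and the three added in the following hunk) should already exist at that tag, but a current release is preferable. The commented-out black block can go if black is enforced by the `lint-black` workflow job instead.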
From: metodil Date: Tue, 12 Nov 2024 23:52:40 +0200 Subject: [PATCH 49/66] add compose.yaml build ans run container --- compose.yaml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 compose.yaml diff --git a/compose.yaml b/compose.yaml new file mode 100644 index 000000000..d8e5570bf --- /dev/null +++ b/compose.yaml @@ -0,0 +1,6 @@ +services: + web: + container_name: my-hello-world-dc + build: . + ports: + - "5000:3000" From 23df0d5955a6e5c86a6edf2162e60f323c650ae8 Mon Sep 17 00:00:00 2001 From: metodil Date: Wed, 13 Nov 2024 00:04:11 +0200 Subject: [PATCH 50/66] add schedule in workflow on Monday (1) and Thursday (4) --- .github/workflows/u34-hw.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/u34-hw.yml index be2dc6c7f..955444c54 100644 --- a/.github/workflows/u34-hw.yml +++ b/.github/workflows/u34-hw.yml @@ -1,6 +1,8 @@ name: u34 homework workflow run-name: u34 homework workflow run on ${{ github.event_name }} event on: + schedule: + - cron: '0 0 * * 1,4' # on Monday (1) and Thursday (4) pull_request: # types: [opened, reopened] # branches: @@ -11,7 +13,6 @@ on: # - 'requirements.txt' env: -# TEST_TAG: metodil/my-hello-app IMAGE_TAG: metodil/my-hello-app jobs: @@ -162,4 +163,4 @@ jobs: with: push: true tags: '${{ env.IMAGE_TAG }}:${{ github.sha }}' - if: success() # Only push if get login is ok \ No newline at end of file + if: success() # Only push if get login is ok From c71c77145e6d826cfdf9503530a3ea80948f5522 Mon Sep 17 00:00:00 2001 
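Review bot: `"5000:3000"` in the new compose.yaml publishes the container on every host interface, so a `docker compose up` on a laptop exposes the app to the whole local network; if this file is for local runs, bind to loopback with `- "127.0.0.1:5000:3000"`. Quoting the mapping is the right habit and should be kept — mappings such as `22:22` are read as sexagesimal integers by YAML 1.1 loaders. The fixed `container_name` means two checkouts cannot run side by side; acceptable for a homework file, but worth a comment.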
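Review bot: The new `schedule` trigger runs the entire workflow on the default branch, and the push job further down (outside this hunk) has no event guard, so every Monday and Thursday the same commit is rebuilt and re-pushed to Docker Hub under its existing `${{ github.sha }}` tag, silently replacing the earlier build; the existing `pull_request` trigger likewise reaches the push job for same-repository PRs, where the Vault secret is available. If the scheduled run is meant as a recurring vulnerability rescan, gate the push job with `if: github.event_name != 'schedule' && github.event_name != 'pull_request'`, or make an explicit `push: branches: [main]` / `workflow_dispatch` the only publishing triggers.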
From: metodil Date: Wed, 13 Nov 2024 14:25:12 +0200 Subject: [PATCH 51/66] reorganizing the repo as per the requirements --- .github/workflows/{u34-hw.yml => ci-pipeline.yml} | 0 ansible/playbook.yml | 0 app/requirements.txt | 8 ++++++++ {M1-3-Ansible => homework/M1-3-Ansible}/README.md | 0 .../M1-3-Ansible}/dockerhub_pass.yml | 0 .../my-roles/get-dockerhub-credentials/README.md | 0 .../my-roles/get-dockerhub-credentials/defaults/main.yml | 0 .../my-roles/get-dockerhub-credentials/handlers/main.yml | 0 .../my-roles/get-dockerhub-credentials/meta/main.yml | 1 - .../my-roles/get-dockerhub-credentials/tasks/main.yml | 0 .../my-roles/get-dockerhub-credentials}/tests/inventory | 1 - .../my-roles/get-dockerhub-credentials/tests/test.yml | 0 .../my-roles/get-dockerhub-credentials/vars/main.yml | 0 .../M1-3-Ansible}/my-roles/run-container/README.md | 0 .../my-roles/run-container/defaults/main.yml | 2 +- .../my-roles/run-container/handlers/main.yml | 0 .../M1-3-Ansible}/my-roles/run-container/meta/main.yml | 0 .../M1-3-Ansible}/my-roles/run-container/tasks/main.yml | 1 - .../M1-3-Ansible/my-roles/run-container}/tests/inventory | 1 - .../M1-3-Ansible}/my-roles/run-container/tests/test.yml | 0 .../M1-3-Ansible}/my-roles/run-container/vars/main.yml | 1 - {M1-3-Ansible => homework/M1-3-Ansible}/playbook.yaml | 2 +- .../M1-3-Ansible}/u34-ansible-hw-with-ansible-vault.yaml | 0 .../M1-3-Ansible}/u34-ansible-hw-with-hashi-vault.yaml | 0 .../u34-ansible-hw-with-role-hashi-vault.yaml | 2 +- .../M1-3-Ansible}/u34-ansible-hw.yaml | 0 {M1-3-Ansible => homework/M1-3-Ansible}/ver_num | 0 .../M1-4-2-CI-Practice}/README.md | 1 - compose.yaml => homework/M1-4-2-CI-Practice/compose.yaml | 0 .../M1-4-2-CI-Practice}/first-workflow.yml | 0 .../workflows => homework/M1-4-2-CI-Practice}/push.yml | 2 +- 31 files changed, 12 insertions(+), 10 deletions(-) rename .github/workflows/{u34-hw.yml => ci-pipeline.yml} (100%) create mode 100644 ansible/playbook.yml create mode 100644 app/requirements.txt 
rename {M1-3-Ansible => homework/M1-3-Ansible}/README.md (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/dockerhub_pass.yml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/get-dockerhub-credentials/README.md (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/get-dockerhub-credentials/defaults/main.yml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/get-dockerhub-credentials/handlers/main.yml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/get-dockerhub-credentials/meta/main.yml (99%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/get-dockerhub-credentials/tasks/main.yml (100%) rename {M1-3-Ansible/my-roles/run-container => homework/M1-3-Ansible/my-roles/get-dockerhub-credentials}/tests/inventory (90%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/get-dockerhub-credentials/tests/test.yml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/get-dockerhub-credentials/vars/main.yml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/run-container/README.md (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/run-container/defaults/main.yml (84%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/run-container/handlers/main.yml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/run-container/meta/main.yml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/run-container/tasks/main.yml (99%) rename {M1-3-Ansible/my-roles/get-dockerhub-credentials => homework/M1-3-Ansible/my-roles/run-container}/tests/inventory (90%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/run-container/tests/test.yml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/my-roles/run-container/vars/main.yml (97%) rename {M1-3-Ansible => homework/M1-3-Ansible}/playbook.yaml (95%) rename {M1-3-Ansible => homework/M1-3-Ansible}/u34-ansible-hw-with-ansible-vault.yaml (100%) rename {M1-3-Ansible => 
homework/M1-3-Ansible}/u34-ansible-hw-with-hashi-vault.yaml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/u34-ansible-hw-with-role-hashi-vault.yaml (98%) rename {M1-3-Ansible => homework/M1-3-Ansible}/u34-ansible-hw.yaml (100%) rename {M1-3-Ansible => homework/M1-3-Ansible}/ver_num (100%) rename {M1-4-2-CI-Practice => homework/M1-4-2-CI-Practice}/README.md (99%) rename compose.yaml => homework/M1-4-2-CI-Practice/compose.yaml (100%) rename {.github/workflows => homework/M1-4-2-CI-Practice}/first-workflow.yml (100%) rename {.github/workflows => homework/M1-4-2-CI-Practice}/push.yml (97%) diff --git a/.github/workflows/u34-hw.yml b/.github/workflows/ci-pipeline.yml similarity index 100% rename from .github/workflows/u34-hw.yml rename to .github/workflows/ci-pipeline.yml diff --git a/ansible/playbook.yml b/ansible/playbook.yml new file mode 100644 index 000000000..e69de29bb diff --git a/app/requirements.txt b/app/requirements.txt new file mode 100644 index 000000000..6d0d371b6 --- /dev/null +++ b/app/requirements.txt @@ -0,0 +1,8 @@ +blinker==1.6.3 ; python_version >= "3.10" and python_version < "4.0" +click==8.1.7 ; python_version >= "3.10" and python_version < "4.0" +colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and platform_system == "Windows" +flask==3.0.0 ; python_version >= "3.10" and python_version < "4.0" +itsdangerous==2.1.2 ; python_version >= "3.10" and python_version < "4.0" +jinja2==3.1.2 ; python_version >= "3.10" and python_version < "4.0" +markupsafe==2.1.3 ; python_version >= "3.10" and python_version < "4.0" +werkzeug==3.0.3 ; python_version >= "3.10" and python_version < "4.0" diff --git a/M1-3-Ansible/README.md b/homework/M1-3-Ansible/README.md similarity index 100% rename from M1-3-Ansible/README.md rename to homework/M1-3-Ansible/README.md 
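Review bot: The new `app/requirements.txt` duplicates the pins in the root `requirements.txt` that the CI job installs (`pip install -r requirements.txt` runs from the repository root), so the two files will drift — the next commit on this page already has to patch both to pick up the jinja2/werkzeug fixes. Keep one canonical file (the other can be a one-liner `-r ../requirements.txt`), and consider generating it with `pip-compile --generate-hashes` and installing with `pip install --require-hashes` so the pins also verify package contents. The new `ansible/playbook.yml` appears to be created empty (its blob id is the empty-file hash); if it is a placeholder, a comment saying so avoids it being run by mistake.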
diff --git a/M1-3-Ansible/dockerhub_pass.yml b/homework/M1-3-Ansible/dockerhub_pass.yml similarity index 100% rename from M1-3-Ansible/dockerhub_pass.yml rename to homework/M1-3-Ansible/dockerhub_pass.yml diff --git a/M1-3-Ansible/my-roles/get-dockerhub-credentials/README.md b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/README.md similarity index 100% rename from M1-3-Ansible/my-roles/get-dockerhub-credentials/README.md rename to homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/README.md diff --git a/M1-3-Ansible/my-roles/get-dockerhub-credentials/defaults/main.yml b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/defaults/main.yml similarity index 100% rename from M1-3-Ansible/my-roles/get-dockerhub-credentials/defaults/main.yml rename to homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/defaults/main.yml diff --git a/M1-3-Ansible/my-roles/get-dockerhub-credentials/handlers/main.yml b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/handlers/main.yml similarity index 100% rename from M1-3-Ansible/my-roles/get-dockerhub-credentials/handlers/main.yml rename to homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/handlers/main.yml diff --git a/M1-3-Ansible/my-roles/get-dockerhub-credentials/meta/main.yml b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/meta/main.yml similarity index 99% rename from M1-3-Ansible/my-roles/get-dockerhub-credentials/meta/main.yml rename to homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/meta/main.yml index 767ba5530..1d16de1c8 100644 --- a/M1-3-Ansible/my-roles/get-dockerhub-credentials/meta/main.yml +++ b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/meta/main.yml @@ -10,4 +10,3 @@ galaxy_info: galaxy_tags: [] dependencies: [] - 
diff --git a/M1-3-Ansible/my-roles/get-dockerhub-credentials/tasks/main.yml b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/tasks/main.yml similarity index 100% rename from M1-3-Ansible/my-roles/get-dockerhub-credentials/tasks/main.yml rename to homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/tasks/main.yml diff --git a/M1-3-Ansible/my-roles/run-container/tests/inventory b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/inventory similarity index 90% rename from M1-3-Ansible/my-roles/run-container/tests/inventory rename to homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/inventory index 878877b07..2fbb50c4a 100644 --- a/M1-3-Ansible/my-roles/run-container/tests/inventory +++ b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/inventory @@ -1,2 +1 @@ localhost - diff --git a/M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/test.yml b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/test.yml similarity index 100% rename from M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/test.yml rename to homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/test.yml diff --git a/M1-3-Ansible/my-roles/get-dockerhub-credentials/vars/main.yml b/homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/vars/main.yml similarity index 100% rename from M1-3-Ansible/my-roles/get-dockerhub-credentials/vars/main.yml rename to homework/M1-3-Ansible/my-roles/get-dockerhub-credentials/vars/main.yml diff --git a/M1-3-Ansible/my-roles/run-container/README.md b/homework/M1-3-Ansible/my-roles/run-container/README.md similarity index 100% rename from M1-3-Ansible/my-roles/run-container/README.md rename to homework/M1-3-Ansible/my-roles/run-container/README.md 
diff --git a/M1-3-Ansible/my-roles/run-container/defaults/main.yml b/homework/M1-3-Ansible/my-roles/run-container/defaults/main.yml similarity index 84% rename from M1-3-Ansible/my-roles/run-container/defaults/main.yml rename to homework/M1-3-Ansible/my-roles/run-container/defaults/main.yml index 6d503c1c0..ed0bd0f11 100644 --- a/M1-3-Ansible/my-roles/run-container/defaults/main.yml +++ b/homework/M1-3-Ansible/my-roles/run-container/defaults/main.yml @@ -2,4 +2,4 @@ # defaults file for run-container image_name_r: "my-hello-world" container_name_r: "my-hello-world-hw" -listen_port_r: 5000 \ No newline at end of file +listen_port_r: 5000 diff --git a/M1-3-Ansible/my-roles/run-container/handlers/main.yml b/homework/M1-3-Ansible/my-roles/run-container/handlers/main.yml similarity index 100% rename from M1-3-Ansible/my-roles/run-container/handlers/main.yml rename to homework/M1-3-Ansible/my-roles/run-container/handlers/main.yml diff --git a/M1-3-Ansible/my-roles/run-container/meta/main.yml b/homework/M1-3-Ansible/my-roles/run-container/meta/main.yml similarity index 100% rename from M1-3-Ansible/my-roles/run-container/meta/main.yml rename to homework/M1-3-Ansible/my-roles/run-container/meta/main.yml diff --git a/M1-3-Ansible/my-roles/run-container/tasks/main.yml b/homework/M1-3-Ansible/my-roles/run-container/tasks/main.yml similarity index 99% rename from M1-3-Ansible/my-roles/run-container/tasks/main.yml rename to homework/M1-3-Ansible/my-roles/run-container/tasks/main.yml index 9de1450d9..0376fe519 100644 --- a/M1-3-Ansible/my-roles/run-container/tasks/main.yml +++ b/homework/M1-3-Ansible/my-roles/run-container/tasks/main.yml @@ -11,4 +11,3 @@ image: "{{ image_name_r }}" state: started ports: "{{ listen_port_r }}" - 
diff --git a/M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/inventory b/homework/M1-3-Ansible/my-roles/run-container/tests/inventory similarity index 90% rename from M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/inventory rename to homework/M1-3-Ansible/my-roles/run-container/tests/inventory index 878877b07..2fbb50c4a 100644 --- a/M1-3-Ansible/my-roles/get-dockerhub-credentials/tests/inventory +++ b/homework/M1-3-Ansible/my-roles/run-container/tests/inventory @@ -1,2 +1 @@ localhost - diff --git a/M1-3-Ansible/my-roles/run-container/tests/test.yml b/homework/M1-3-Ansible/my-roles/run-container/tests/test.yml similarity index 100% rename from M1-3-Ansible/my-roles/run-container/tests/test.yml rename to homework/M1-3-Ansible/my-roles/run-container/tests/test.yml diff --git a/M1-3-Ansible/my-roles/run-container/vars/main.yml b/homework/M1-3-Ansible/my-roles/run-container/vars/main.yml similarity index 97% rename from M1-3-Ansible/my-roles/run-container/vars/main.yml rename to homework/M1-3-Ansible/my-roles/run-container/vars/main.yml index 85acec6d0..037aee7d3 100644 --- a/M1-3-Ansible/my-roles/run-container/vars/main.yml +++ b/homework/M1-3-Ansible/my-roles/run-container/vars/main.yml @@ -1,3 +1,2 @@ --- # vars file for run-container - diff --git a/M1-3-Ansible/playbook.yaml b/homework/M1-3-Ansible/playbook.yaml similarity index 95% rename from M1-3-Ansible/playbook.yaml rename to homework/M1-3-Ansible/playbook.yaml index e65a7b98a..8fa15c807 100644 --- a/M1-3-Ansible/playbook.yaml +++ b/homework/M1-3-Ansible/playbook.yaml @@ -25,4 +25,4 @@ register: test_results - name: Print test test_results debug: - var=test_results.stderr \ No newline at end of file + var=test_results.stderr 
diff --git a/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml similarity index 100% rename from M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml rename to homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml diff --git a/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml similarity index 100% rename from M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml rename to homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml diff --git a/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml similarity index 98% rename from M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml rename to homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml index c03cf93ee..4b86657e3 100644 --- a/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml @@ -71,4 +71,4 @@ vars: container_name_r: "{{ container_name }}" image_name_r: "{{ dockerhub_username }}/{{ image_name }}:{{ image_tag }}{{ ver_num.stdout }}-hashi-vault" - listen_port_r: "{{ listen_port }}" \ No newline at end of file + listen_port_r: "{{ listen_port }}" diff --git a/M1-3-Ansible/u34-ansible-hw.yaml b/homework/M1-3-Ansible/u34-ansible-hw.yaml similarity index 100% rename from M1-3-Ansible/u34-ansible-hw.yaml rename to homework/M1-3-Ansible/u34-ansible-hw.yaml diff --git a/M1-3-Ansible/ver_num b/homework/M1-3-Ansible/ver_num similarity index 100% rename from M1-3-Ansible/ver_num rename to homework/M1-3-Ansible/ver_num diff --git a/M1-4-2-CI-Practice/README.md b/homework/M1-4-2-CI-Practice/README.md similarity index 99% rename from M1-4-2-CI-Practice/README.md rename to homework/M1-4-2-CI-Practice/README.md index 761192ab9..891b695e9 100644 --- a/M1-4-2-CI-Practice/README.md +++ b/homework/M1-4-2-CI-Practice/README.md 
@@ -59,4 +59,3 @@ Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. n - check-added-large-files - Setup docker-compose with build and run a container - Try out GitHub Actions schedule trigger event - - diff --git a/compose.yaml b/homework/M1-4-2-CI-Practice/compose.yaml similarity index 100% rename from compose.yaml rename to homework/M1-4-2-CI-Practice/compose.yaml diff --git a/.github/workflows/first-workflow.yml b/homework/M1-4-2-CI-Practice/first-workflow.yml similarity index 100% rename from .github/workflows/first-workflow.yml rename to homework/M1-4-2-CI-Practice/first-workflow.yml diff --git a/.github/workflows/push.yml b/homework/M1-4-2-CI-Practice/push.yml similarity index 97% rename from .github/workflows/push.yml rename to homework/M1-4-2-CI-Practice/push.yml index 78e173aec..ef5074384 100644 --- a/.github/workflows/push.yml +++ b/homework/M1-4-2-CI-Practice/push.yml @@ -88,4 +88,4 @@ jobs: run: | pip install pytest pytest-cov cd app - pytest app_test.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html \ No newline at end of file + pytest app_test.py --doctest-modules --junitxml=junit/test-results.xml --cov=com --cov-report=xml --cov-report=html From ff012f7958de77771dc4d3e2a5a278393c20db1a Mon Sep 17 00:00:00 2001 From: metodil Date: Wed, 13 Nov 2024 14:40:04 +0200 Subject: [PATCH 52/66] fix buils-test and deploy only if prev tesk ok --- .github/workflows/ci-pipeline.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 955444c54..4d0bf6ae4 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml 
@@ -1,5 +1,5 @@ -name: u34 homework workflow -run-name: u34 homework workflow run on ${{ github.event_name }} event +name: u34 ci-pipeline +run-name: u34 ci-pipeline run on ${{ github.event_name }} event on: schedule: - cron: '0 0 * * 1,4' # on Monday (1) and Thursday (4) @@ -119,6 +119,7 @@ jobs: build-test: name: Build Dockerfile, test container with trivy if ok push to registry runs-on: ubuntu-latest + if: ${{ always() && (needs.trivy-security.result == 'success' || needs.sonarcloud-security.result == 'success') }} needs: [ trivy-security, sonarcloud-security ] steps: - name: Checkout code @@ -138,8 +139,9 @@ jobs: with: sarif_file: 'trivy-results.sarif' - push: + deploy: runs-on: ubuntu-latest + if: ${{ always() && (needs.build-test.result == 'success') }} needs: [ build-test ] steps: - name: Import Secrets from Hashi vault From ea3b60da61765fb9ee14e9a619c6c18410bb4858 Mon Sep 17 00:00:00 2001 From: metodil Date: Wed, 13 Nov 2024 14:49:42 +0200 Subject: [PATCH 53/66] fix security in app/requiremnt.txt --- app/requirements.txt | 4 ++-- homework/M1-3-Ansible/playbook.yaml | 2 +- homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml | 2 +- homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml | 2 +- .../M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml | 2 +- homework/M1-3-Ansible/u34-ansible-hw.yaml | 2 +- requirements.txt | 5 ++--- 7 files changed, 9 insertions(+), 10 deletions(-) diff --git a/app/requirements.txt b/app/requirements.txt index 6d0d371b6..bbfeb58d9 100644 --- a/app/requirements.txt +++ b/app/requirements.txt 
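Review bot: The `if` added to `build-test`, `always() && (needs.trivy-security.result == 'success' || needs.sonarcloud-security.result == 'success')`, lets the build (and therefore `deploy`) run when the Trivy/gitleaks job failed as long as SonarCloud passed, or vice versa — weaker than the plain `needs:` list, which already skips the job if any dependency fails, and contrary to the commit title's "only if prev task ok". Delete that `if` line, or if the intent is to tolerate a skipped-but-not-failed scanner, combine both results with `&&`. The `deploy` job's `if: ${{ always() && (needs.build-test.result == 'success') }}` is equivalent to the default behaviour and can be dropped as well; `always()` there only adds the risk that a later edit to the condition silently runs deploy after a failure.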
@@ -3,6 +3,6 @@ click==8.1.7 ; python_version >= "3.10" and python_version < "4.0" colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and platform_system == "Windows" flask==3.0.0 ; python_version >= "3.10" and python_version < "4.0" itsdangerous==2.1.2 ; python_version >= "3.10" and python_version < "4.0" -jinja2==3.1.2 ; python_version >= "3.10" and python_version < "4.0" +jinja2==3.1.4 ; python_version >= "3.10" and python_version < "4.0" markupsafe==2.1.3 ; python_version >= "3.10" and python_version < "4.0" -werkzeug==3.0.3 ; python_version >= "3.10" and python_version < "4.0" +werkzeug==3.0.6 ; python_version >= "3.10" and python_version < "4.0" diff --git a/homework/M1-3-Ansible/playbook.yaml b/homework/M1-3-Ansible/playbook.yaml index 8fa15c807..977eb6eff 100644 --- a/homework/M1-3-Ansible/playbook.yaml +++ b/homework/M1-3-Ansible/playbook.yaml @@ -7,7 +7,7 @@ file: path: "{{ folder_path }}" state: directory - mode: 0755 + mode: 0655 - name: Get latest git version git: repo: git@github.com:Metodil/devops-programme diff --git a/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml index 5f4c09d9e..aef2e8e30 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml @@ -27,7 +27,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0755 + mode: 0655 - name: Get latest git version git: diff --git a/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml index e812cd8b7..c9dc27a5b 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml @@ -45,7 +45,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0755 + mode: 0655 - name: Get latest git version git: 
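Review bot: `mode: 0655` in the playbook.yaml hunk (`@@ -7,7 +7,7`) removes the owner's execute bit from a directory, so the owning user can no longer traverse into `{{ folder_path }}` and the following `git` task that clones into it is likely to fail for any non-root user; a directory needs `x` for every class that should enter it, so `0755` (or `0750`) is the right shape. Independently, the value is an unquoted leading-zero number: a YAML 1.1 loader reads `0655` as the octal integer 429, and the Ansible documentation recommends quoting file modes (`mode: "0755"`) so the module receives a string and does its own conversion. Both points apply equally to the identical hunks in u34-ansible-hw-with-ansible-vault.yaml, u34-ansible-hw-with-hashi-vault.yaml, u34-ansible-hw-with-role-hashi-vault.yaml and u34-ansible-hw.yaml in this commit.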
diff --git a/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml index 4b86657e3..51d3e2078 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml @@ -34,7 +34,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0755 + mode: 0655 - name: Get latest git version git: repo: git@github.com:{{ git_repo }} diff --git a/homework/M1-3-Ansible/u34-ansible-hw.yaml b/homework/M1-3-Ansible/u34-ansible-hw.yaml index e9ed2a663..6bc974848 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw.yaml @@ -25,7 +25,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0755 + mode: 0655 - name: Get latest git version git: diff --git a/requirements.txt b/requirements.txt index d5327549c..bbfeb58d9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,7 +3,6 @@ click==8.1.7 ; python_version >= "3.10" and python_version < "4.0" colorama==0.4.6 ; python_version >= "3.10" and python_version < "4.0" and platform_system == "Windows" flask==3.0.0 ; python_version >= "3.10" and python_version < "4.0" itsdangerous==2.1.2 ; python_version >= "3.10" and python_version < "4.0" -jinja2==3.1.2 ; python_version >= "3.10" and python_version < "4.0" +jinja2==3.1.4 ; python_version >= "3.10" and python_version < "4.0" markupsafe==2.1.3 ; python_version >= "3.10" and python_version < "4.0" -werkzeug==3.0.3 ; python_version >= "3.10" and python_version < "4.0" - +werkzeug==3.0.6 ; python_version >= "3.10" and python_version < "4.0" From 5b931f06745636baa7de809f4bf676c45caace30 Mon Sep 17 00:00:00 2001 
From: metodil Date: Wed, 13 Nov 2024 15:04:54 +0200 Subject: [PATCH 54/66] fix some err from sonar cloud --- .github/workflows/ci-pipeline.yml | 6 ++++-- homework/M1-3-Ansible/playbook.yaml | 2 +- .../M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml | 2 +- homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml | 2 +- .../M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml | 2 +- 5 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 4d0bf6ae4..56550ddf5 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -119,7 +119,8 @@ jobs: build-test: name: Build Dockerfile, test container with trivy if ok push to registry runs-on: ubuntu-latest - if: ${{ always() && (needs.trivy-security.result == 'success' || needs.sonarcloud-security.result == 'success') }} + if: ${{ !cancelled() && !failure() }} +# if: ${{ always() && (needs.trivy-security.result == 'success' || needs.sonarcloud-security.result == 'success') }} needs: [ trivy-security, sonarcloud-security ] steps: - name: Checkout code @@ -141,7 +142,8 @@ jobs: deploy: runs-on: ubuntu-latest - if: ${{ always() && (needs.build-test.result == 'success') }} + if: ${{ !cancelled() && !failure() }} +# if: ${{ always() && (needs.build-test.result == 'success') }} needs: [ build-test ] steps: - name: Import Secrets from Hashi vault diff --git a/homework/M1-3-Ansible/playbook.yaml b/homework/M1-3-Ansible/playbook.yaml index 977eb6eff..b7c973e6f 100644 --- a/homework/M1-3-Ansible/playbook.yaml +++ b/homework/M1-3-Ansible/playbook.yaml @@ -7,7 +7,7 @@ file: path: "{{ folder_path }}" state: directory - mode: 0655 + mode: 0777 - name: Get latest git version git: repo: git@github.com:Metodil/devops-programme diff --git a/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml index aef2e8e30..d9d03af7e 100644 
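Review bot: `if: ${{ !cancelled() && !failure() }}` on build-test (`@@ -119,7 +119,8`) and deploy (`@@ -141,7 +142,8`) is looser than the explicit `result == 'success'` checks it replaces: a needed job that was skipped rather than failed satisfies it, so deploy could run after build-test was skipped and attempt to push an image that was never built or scanned in that run. If the goal was only to keep the job from running on cancellation, the default `needs` semantics (equivalent to `success()`) already do that; otherwise keep the explicit result comparison. The old condition is also left behind as a commented-out line at column 0 in both jobs instead of being removed, which adds noise to the job definitions.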
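Review bot: `mode: 0777` in the playbook.yaml hunk (`@@ -7,7 +7,7`) makes the application directory world-writable, so any local account on the target host can add or replace files in `{{ folder_path }}` — including the checkout the next `git` task places there — before the image is built from it. The commit message attributes the change to a SonarCloud finding, but a world-writable mode is exactly what loose-permission rules flag; `0755` restores traversal for everyone without granting write. The value should also be quoted (`mode: "0755"`) so Ansible receives a string rather than a YAML 1.1 octal integer. The same change is repeated in the three u34-ansible-hw-with-*-vault.yaml hunks of this commit and in u34-ansible-hw.yaml in the next one.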
--- a/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml @@ -27,7 +27,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0655 + mode: 0777 - name: Get latest git version git: diff --git a/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml index c9dc27a5b..1326b0c88 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml @@ -45,7 +45,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0655 + mode: 0777 - name: Get latest git version git: diff --git a/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml index 51d3e2078..6469606ed 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml @@ -34,7 +34,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0655 + mode: 0777 - name: Get latest git version git: repo: git@github.com:{{ git_repo }} From 6114cdd2877b12b8d3fdc1be28b15c44e8577dae Mon Sep 17 00:00:00 2001 From: metodil Date: Wed, 13 Nov 2024 19:30:20 +0200 Subject: [PATCH 55/66] fix ci-pipeline build-test --- .github/workflows/ci-pipeline.yml | 6 +++--- homework/M1-3-Ansible/u34-ansible-hw.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 56550ddf5..a341e5af1 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -136,9 +136,9 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results.sarif' +# if: always() +# with: +# sarif_file: 'trivy-results.sarif' deploy: runs-on: ubuntu-latest 
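Review bot: After this hunk (`@@ -136,9 +136,9`) the `Upload Trivy scan results` step still carries `uses: github/codeql-action/upload-sarif@v3`, but its `with:`/`sarif_file:` input is commented out, so the step no longer points at `trivy-results.sarif` and will upload whatever the action's default path holds, which is not the Trivy output. If the upload is not wanted, comment out the whole step; otherwise keep `with:` and `sarif_file: 'trivy-results.sarif'`. Dropping `if: always()` also means the SARIF never reaches the Security tab on runs where the scan step itself fails, which are the runs with findings to review.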
diff --git a/homework/M1-3-Ansible/u34-ansible-hw.yaml b/homework/M1-3-Ansible/u34-ansible-hw.yaml index 6bc974848..7f0a1200a 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw.yaml @@ -25,7 +25,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0655 + mode: 0777 - name: Get latest git version git: From 57bce0781f63623bbdc703ee250e4ca077ebb0b9 Mon Sep 17 00:00:00 2001 From: metodil Date: Thu, 14 Nov 2024 11:18:29 +0200 Subject: [PATCH 56/66] fix perm in ansible playbook and ajust ci-pipline.yml build test result --- .github/workflows/ci-pipeline.yml | 9 +++++++-- homework/M1-3-Ansible/playbook.yaml | 2 +- .../M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml | 2 +- .../M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml | 2 +- .../u34-ansible-hw-with-role-hashi-vault.yaml | 2 +- homework/M1-3-Ansible/u34-ansible-hw.yaml | 2 +- 6 files changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index a341e5af1..4f58eb185 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -117,7 +117,8 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} build-test: - name: Build Dockerfile, test container with trivy if ok push to registry + name: Build image and test + description: Build Dockerfile, test container with trivy if ok push to registry runs-on: ubuntu-latest if: ${{ !cancelled() && !failure() }} # if: ${{ always() && (needs.trivy-security.result == 'success' || needs.sonarcloud-security.result == 'success') }} 
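Review bot: `description:` is not a key GitHub Actions accepts in a job definition (`@@ -117,7 +117,8`), so the workflow is rejected at parse time before any job starts; job-level keys are limited to things like `name`, `needs`, `if`, `runs-on`, `strategy` and `steps`. Keep the longer text as a YAML comment above the job (`# Build the Dockerfile and scan the container with Trivy; the push happens in deploy`) or fold it into `name:`. The same key is added to the deploy job in the next hunk.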
@@ -133,14 +134,18 @@ jobs: with: image-ref: '${{ env.IMAGE_TAG }}:${{ github.sha }}' format: 'sarif' - output: 'trivy-results.sarif' + output: 'trivy-results-container.sarif' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results-container.sarif' # if: always() # with: # sarif_file: 'trivy-results.sarif' deploy: + name: Get credentials and push to Dockerhub + description: Get credentials from Hashi vault and push docker image to Dockerhub runs-on: ubuntu-latest if: ${{ !cancelled() && !failure() }} # if: ${{ always() && (needs.build-test.result == 'success') }} diff --git a/homework/M1-3-Ansible/playbook.yaml b/homework/M1-3-Ansible/playbook.yaml index b7c973e6f..0d6942561 100644 --- a/homework/M1-3-Ansible/playbook.yaml +++ b/homework/M1-3-Ansible/playbook.yaml @@ -7,7 +7,7 @@ file: path: "{{ folder_path }}" state: directory - mode: 0777 + mode: 0770 - name: Get latest git version git: repo: git@github.com:Metodil/devops-programme diff --git a/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml index d9d03af7e..e55a7c81c 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-ansible-vault.yaml @@ -27,7 +27,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0777 + mode: 0770 - name: Get latest git version git: diff --git a/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml index 1326b0c88..f41ec8834 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-hashi-vault.yaml @@ -45,7 +45,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0777 + mode: 0770 - name: Get latest git version git: 
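Review bot: The restored `with: sarif_file: 'trivy-results-container.sarif'` (`@@ -133,14 +134,18`) fixes the upload target, but the step still lacks the `if: always()` that was commented out two commits earlier, so the container SARIF is uploaded only when the preceding Trivy step exits 0; if that step is configured to fail on findings, nothing reaches the Security tab on precisely the runs that have something to review. Re-add `if: always()` on the upload step and delete the three stale `#` lines beneath it rather than keeping a second commented copy of the input. The `mode: 0770` hunks in the five playbooks are a sound correction of the earlier 0777, though the value is still an unquoted YAML 1.1 octal and should be written `mode: "0770"`.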
diff --git a/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml b/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml index 6469606ed..789dba4d8 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw-with-role-hashi-vault.yaml @@ -34,7 +34,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0777 + mode: 0770 - name: Get latest git version git: repo: git@github.com:{{ git_repo }} diff --git a/homework/M1-3-Ansible/u34-ansible-hw.yaml b/homework/M1-3-Ansible/u34-ansible-hw.yaml index 7f0a1200a..a85619e3b 100644 --- a/homework/M1-3-Ansible/u34-ansible-hw.yaml +++ b/homework/M1-3-Ansible/u34-ansible-hw.yaml @@ -25,7 +25,7 @@ file: path: "{{ app_folder }}" state: directory - mode: 0777 + mode: 0770 - name: Get latest git version git: From 576c6aa0a967eacc1252a048259636ab3ea6141e Mon Sep 17 00:00:00 2001 From: metodil Date: Thu, 14 Nov 2024 11:41:45 +0200 Subject: [PATCH 57/66] comment description in buld and deploy --- .github/workflows/ci-pipeline.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 4f58eb185..209c16e2c 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -118,7 +118,7 @@ jobs: build-test: name: Build image and test - description: Build Dockerfile, test container with trivy if ok push to registry +# description: Build Dockerfile, test container with trivy if ok push to registry runs-on: ubuntu-latest if: ${{ !cancelled() && !failure() }} # if: ${{ always() && (needs.trivy-security.result == 'success' || needs.sonarcloud-security.result == 'success') }} 
@@ -145,7 +145,7 @@ jobs: deploy: name: Get credentials and push to Dockerhub - description: Get credentials from Hashi vault and push docker image to Dockerhub +# description: Get credentials from Hashi vault and push docker image to Dockerhub runs-on: ubuntu-latest if: ${{ !cancelled() && !failure() }} # if: ${{ always() && (needs.build-test.result == 'success') }} From 3425b69507e842d39b9f5f7f5acbfc7ec521835b Mon Sep 17 00:00:00 2001 From: metodil Date: Sun, 17 Nov 2024 18:27:52 +0200 Subject: [PATCH 58/66] move gitleaks test in oun job --- .github/workflows/ci-pipeline.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index 209c16e2c..a8d490a0c 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -23,6 +23,7 @@ jobs: - uses: actions/checkout@v4 - uses: editorconfig-checker/action-editorconfig-checker@main - run: editorconfig-checker + markdown-link-check: runs-on: ubuntu-latest steps: @@ -64,7 +65,7 @@ jobs: cd app python -m unittest app_test.py - trivy-security: + gitleaks-security: runs-on: ubuntu-latest needs: lint-unit-tests steps: @@ -74,6 +75,11 @@ jobs: - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + trivy-security: + runs-on: ubuntu-latest + needs: lint-unit-tests + steps: + - uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@0.28.0 with: @@ -82,11 +88,11 @@ jobs: format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL' - - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' +# it is link in my github account # snyk-security: # runs-on: ubuntu-latest # needs: lint-unit-tests 
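Review bot: The added `# it is link in my github account` comment (`@@ -82,11 +88,11`) does not say what is linked or why the block below it is disabled; since it sits above the commented-out snyk-security job, something like `# Snyk SCA runs through the GitHub integration on this repository, so no workflow job is defined here` would tell the next reader why. Splitting gitleaks into its own job (`@@ -64,7 +65,7` / `@@ -74,6 +75,11`) is sensible; note that gitleaks-action only sees the history the job's checkout fetched, so if that checkout (outside these hunks) uses the default shallow clone, only the current commit is scanned and `fetch-depth: 0` is needed for the whole-repository check the README describes.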
@@ -121,8 +127,7 @@ jobs: # description: Build Dockerfile, test container with trivy if ok push to registry runs-on: ubuntu-latest if: ${{ !cancelled() && !failure() }} -# if: ${{ always() && (needs.trivy-security.result == 'success' || needs.sonarcloud-security.result == 'success') }} - needs: [ trivy-security, sonarcloud-security ] + needs: [ gitleaks-security, trivy-security, sonarcloud-security ] steps: - name: Checkout code uses: actions/checkout@v4 @@ -141,14 +146,13 @@ jobs: sarif_file: 'trivy-results-container.sarif' # if: always() # with: -# sarif_file: 'trivy-results.sarif' +# sarif_file: 'trivy-results-container.sarif' deploy: name: Get credentials and push to Dockerhub # description: Get credentials from Hashi vault and push docker image to Dockerhub runs-on: ubuntu-latest if: ${{ !cancelled() && !failure() }} -# if: ${{ always() && (needs.build-test.result == 'success') }} needs: [ build-test ] steps: - name: Import Secrets from Hashi vault From 9717075d502dd746d4feb068526cb4dfdde61ca7 Mon Sep 17 00:00:00 2001 From: metodil Date: Sun, 17 Nov 2024 18:39:54 +0200 Subject: [PATCH 59/66] ajust ci-pipeline.yaml in trivy test --- .github/workflows/ci-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index a8d490a0c..88e38a55c 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -81,7 +81,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.20.0 with: scan-type: 'fs' ignore-unfixed: true From df46c4cbd77480a583d0e59c7d04a00cb655f2c7 Mon Sep 17 00:00:00 2001 
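Review bot: `uses: aquasecurity/trivy-action@0.20.0` (`@@ -81,7 +81,7`) downgrades the repo-mode scanner from 0.28.0 with no reason given in the commit message; if a newer release broke this job, the reason belongs in a comment next to the pin (`# pinned to 0.20.0: <reason>`), otherwise the change trades a newer scanner for an older one. For supply-chain hygiene, third-party actions are better pinned to a full commit SHA with the version in a trailing comment, since tags such as `0.20.0` and `v2` are mutable references that can be moved after the fact.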
From: metodil Date: Sun, 17 Nov 2024 19:43:10 +0200 Subject: [PATCH 60/66] update README.md and add CONTRIBUTING.md --- CONTRIBUTING.md | 27 +++++++++++++++++++++ README.md | 63 ++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..96a3d89d5 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,27 @@ +## How to contribute Devops-programe + +#### **Did you find a bug?** + +* **Open up a GitHub issue if the bug is a security vulnerability** + +#### **Did you write a patch that fixes a bug?** + +* Open a new GitHub pull request with the patch. + +* Ensure the PR description clearly describes the problem and solution. Include the relevant issue number if applicable. + +#### **Did you fix whitespace, format code, or make a purely cosmetic patch?** + +Changes that are cosmetic in nature and do not add anything substantial to the stability, functionality, or testability of App will generally not be accepted + +#### **Do you intend to add a new feature or change an existing one?** + +* Suggest your change in the [my email](mailto:metodil@hotmail.com). + +#### **Do you have questions about the source code?** + +* Ask any question about how to use on [my email](mailto:metodil@hotmail.com). + +Thanks! + +Metodi Lichkov diff --git a/README.md b/README.md index d19dfd95a..8a7ffb00a 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,62 @@ -# devops-programme \ No newline at end of file +# devops-programme + + +## M1-4-2-CI-Practice - GitHub Actions Practice + +### Prerequisites + +- Organize your git repo to follow the guidelines provides in the presentation +✅  Ok + +### Task description + +Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. not `main`) and performs the following checks on our simple Flask app repository. +✅  workflow is creted in .github/workflow/ci-pipeline.yaml + +- Check `.editorconfig` +✅  Ok - test in workflow *editorconfig* +- Code Lint and style - use `pylint` and `black` to check for style/formatting/syntax errors +✅  Ok - test in workflow *lint-black* and part in *lint-unit-tests* +- Check makrdown files [markdownlint-cli](https://www.npmjs.com/package/cli-markdown) +✅  Ok - test in workflow *markdown-link-check* +- Code Unittest - there's a simple unit test next to our app called `app_test.py`. Make sure our unittest passes (`python -m unittest` executed in the app directory) +✅  Ok - test in workflow last part of *lint-unit-tests* +- Check for hardcoded secrets (`gitleaks`) - not just our app but the whole repository. +✅  Ok - test in workflow *gitleaks-security* +✅  Extra Trivy check repo(fs) - test in workflow *Trivy-security +- SAST - SonarCloud; Review code smells and security issues +✅  Ok - test in workflow *sonarcloud-security* +- SCA - Snyk; review security issues +✅  Ok - integrated in my github account +- Build a Docker image. Use Git commit SHA as an Image tag. +- Scan the built image with `Trivy` +✅  Ok - job in workflow *build-test* using SHA in tag and test with Trivy +- Push the built image to your Docker HUB account +✅  Ok - job in workflow *deploy* get credential from Hashi vault and push to my dockerhub account +- (optional) Add CONTRIBUTORS guide. 
Follow [this](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/setting-guidelines-for-repository-contributors) document from GitHUb. +✅  Ok - guide is added in root: CONTRIBUTING.md + +## Extra effort + +- Create a pre-commit hook that safeguards for the following + - hardcoded secrets (`gitleaks`) + - yamllint + - check-merge-conflict + - check-added-large-files +✅  Ok - my pre-commit using: +> - id: check-yaml +> - id: end-of-file-fixer +> - id: trailing-whitespace +> - id: check-added-large-files +> - id: check-json +> - id: check-merge-conflict +> - id: gitleaks + +- Setup docker-compose with build and run a container +✅  Ok - created in M1-4-2-CI-Practice/compose.yaml +- Try out GitHub Actions schedule trigger event - +✅  Ok - add to workflow +``` + schedule: + - cron: '0 0 * * 1,4' # on Monday (1) and Thursday (4) +``` From 754dd52efde674e167346bd53815cc99bc64a514 Mon Sep 17 00:00:00 2001 From: metodil Date: Sun, 17 Nov 2024 19:58:07 +0200 Subject: [PATCH 61/66] ajust README.md and CONTRIBUTING.md - new lines ... --- CONTRIBUTING.md | 4 ---- README.md | 17 ++++++++++++++++- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 96a3d89d5..f7a1d44ed 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -10,10 +10,6 @@ * Ensure the PR description clearly describes the problem and solution. Include the relevant issue number if applicable. -#### **Did you fix whitespace, format code, or make a purely cosmetic patch?** - -Changes that are cosmetic in nature and do not add anything substantial to the stability, functionality, or testability of App will generally not be accepted - #### **Do you intend to add a new feature or change an existing one?** * Suggest your change in the [my email](mailto:metodil@hotmail.com). diff --git a/README.md b/README.md index 8a7ffb00a..ec2a7dd98 100644 --- a/README.md +++ b/README.md 
@@ -6,34 +6,46 @@ ### Prerequisites - Organize your git repo to follow the guidelines provides in the presentation +*** ✅  Ok ### Task description Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. not `main`) and performs the following checks on our simple Flask app repository. -✅  workflow is creted in .github/workflow/ci-pipeline.yaml +*** +✅  workflow is created in .github/workflow/ci-pipeline.yaml - Check `.editorconfig` +*** ✅  Ok - test in workflow *editorconfig* - Code Lint and style - use `pylint` and `black` to check for style/formatting/syntax errors +*** ✅  Ok - test in workflow *lint-black* and part in *lint-unit-tests* - Check makrdown files [markdownlint-cli](https://www.npmjs.com/package/cli-markdown) +*** ✅  Ok - test in workflow *markdown-link-check* - Code Unittest - there's a simple unit test next to our app called `app_test.py`. Make sure our unittest passes (`python -m unittest` executed in the app directory) +*** ✅  Ok - test in workflow last part of *lint-unit-tests* - Check for hardcoded secrets (`gitleaks`) - not just our app but the whole repository. +*** ✅  Ok - test in workflow *gitleaks-security* ✅  Extra Trivy check repo(fs) - test in workflow *Trivy-security - SAST - SonarCloud; Review code smells and security issues +*** ✅  Ok - test in workflow *sonarcloud-security* - SCA - Snyk; review security issues +*** ✅  Ok - integrated in my github account - Build a Docker image. Use Git commit SHA as an Image tag. - Scan the built image with `Trivy` +*** ✅  Ok - job in workflow *build-test* using SHA in tag and test with Trivy - Push the built image to your Docker HUB account +*** ✅  Ok - job in workflow *deploy* get credential from Hashi vault and push to my dockerhub account - (optional) Add CONTRIBUTORS guide. Follow [this](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/setting-guidelines-for-repository-contributors) document from GitHUb. 
+*** ✅  Ok - guide is added in root: CONTRIBUTING.md ## Extra effort @@ -43,6 +55,7 @@ Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. n - yamllint - check-merge-conflict - check-added-large-files +*** ✅  Ok - my pre-commit using: > - id: check-yaml > - id: end-of-file-fixer @@ -53,8 +66,10 @@ Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. n > - id: gitleaks - Setup docker-compose with build and run a container +*** ✅  Ok - created in M1-4-2-CI-Practice/compose.yaml - Try out GitHub Actions schedule trigger event - +*** ✅  Ok - add to workflow ``` schedule: From a01304b1a25bebb0bf27a9548ad41164f37fb750 Mon Sep 17 00:00:00 2001 From: metodil Date: Sun, 17 Nov 2024 20:09:44 +0200 Subject: [PATCH 62/66] more ajust in README.md --- README.md | 46 +++++++++++++++------------------------------- 1 file changed, 15 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index ec2a7dd98..5b13d4f4c 100644 --- a/README.md +++ b/README.md @@ -5,47 +5,33 @@ ### Prerequisites -- Organize your git repo to follow the guidelines provides in the presentation -*** -✅  Ok +- Organize your git repo to follow the guidelines provides in the presentation ✅  Ok ### Task description Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. not `main`) and performs the following checks on our simple Flask app repository. -*** +
✅  workflow is created in .github/workflow/ci-pipeline.yaml -- Check `.editorconfig` -*** -✅  Ok - test in workflow *editorconfig* -- Code Lint and style - use `pylint` and `black` to check for style/formatting/syntax errors -*** -✅  Ok - test in workflow *lint-black* and part in *lint-unit-tests* -- Check makrdown files [markdownlint-cli](https://www.npmjs.com/package/cli-markdown) -*** -✅  Ok - test in workflow *markdown-link-check* -- Code Unittest - there's a simple unit test next to our app called `app_test.py`. Make sure our unittest passes (`python -m unittest` executed in the app directory) -*** -✅  Ok - test in workflow last part of *lint-unit-tests* +- Check `.editorconfig` ✅  Ok - test in workflow *editorconfig* +- Code Lint and style - use `pylint` and `black` to check for style/formatting/syntax errors ✅  Ok - test in workflow *lint-black* and part in *lint-unit-tests* +- Check makrdown files [markdownlint-cli](https://www.npmjs.com/package/cli-markdown) ✅  Ok - test in workflow *markdown-link-check* +- Code Unittest - there's a simple unit test next to our app called `app_test.py`. Make sure our unittest passes (`python -m unittest` executed in the app directory) ✅  Ok - test in workflow last part of *lint-unit-tests* - Check for hardcoded secrets (`gitleaks`) - not just our app but the whole repository. -*** +
✅  Ok - test in workflow *gitleaks-security* ✅  Extra Trivy check repo(fs) - test in workflow *Trivy-security -- SAST - SonarCloud; Review code smells and security issues -*** -✅  Ok - test in workflow *sonarcloud-security* -- SCA - Snyk; review security issues -*** -✅  Ok - integrated in my github account +- SAST - SonarCloud; Review code smells and security issues ✅  Ok - test in workflow *sonarcloud-security* +- SCA - Snyk; review security issues ✅  Ok - integrated in my github account - Build a Docker image. Use Git commit SHA as an Image tag. - Scan the built image with `Trivy` -*** +
✅  Ok - job in workflow *build-test* using SHA in tag and test with Trivy - Push the built image to your Docker HUB account -*** +
✅  Ok - job in workflow *deploy* get credential from Hashi vault and push to my dockerhub account - (optional) Add CONTRIBUTORS guide. Follow [this](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/setting-guidelines-for-repository-contributors) document from GitHUb. -*** +
✅  Ok - guide is added in root: CONTRIBUTING.md ## Extra effort @@ -55,7 +41,7 @@ Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. n - yamllint - check-merge-conflict - check-added-large-files -*** +
✅  Ok - my pre-commit using: > - id: check-yaml > - id: end-of-file-fixer @@ -65,11 +51,9 @@ Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. n > - id: check-merge-conflict > - id: gitleaks -- Setup docker-compose with build and run a container -*** -✅  Ok - created in M1-4-2-CI-Practice/compose.yaml +- Setup docker-compose with build and run a container ✅  Ok - created in M1-4-2-CI-Practice/compose.yaml - Try out GitHub Actions schedule trigger event - -*** +
✅  Ok - add to workflow ``` schedule: From f7c449517dca990d1628bc48be8dde90fc972137 Mon Sep 17 00:00:00 2001 From: metodil Date: Sun, 17 Nov 2024 20:40:03 +0200 Subject: [PATCH 63/66] final ajustments in README.md --- README.md | 44 +++++++++++++++++++------------------------- 1 file changed, 19 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 5b13d4f4c..ad7a39da7 100644 --- a/README.md +++ b/README.md @@ -9,30 +9,25 @@ ### Task description -Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. not `main`) and performs the following checks on our simple Flask app repository. -
-✅  workflow is created in .github/workflow/ci-pipeline.yaml - -- Check `.editorconfig` ✅  Ok - test in workflow *editorconfig* -- Code Lint and style - use `pylint` and `black` to check for style/formatting/syntax errors ✅  Ok - test in workflow *lint-black* and part in *lint-unit-tests* -- Check makrdown files [markdownlint-cli](https://www.npmjs.com/package/cli-markdown) ✅  Ok - test in workflow *markdown-link-check* -- Code Unittest - there's a simple unit test next to our app called `app_test.py`. Make sure our unittest passes (`python -m unittest` executed in the app directory) ✅  Ok - test in workflow last part of *lint-unit-tests* +Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. not `main`) and performs the following checks on our simple Flask app repository.
✅  workflow is created in **.github/workflow/ci-pipeline.yaml** + +- Check `.editorconfig` ✅  Ok - test in workflow **editorconfig** +- Code Lint and style - use `pylint` and `black` to check for style/formatting/syntax errors + ✅  Ok - test in workflow **lint-black** and part in **lint-unit-tests** +- Check makrdown files [markdownlint-cli](https://www.npmjs.com/package/cli-markdown) ✅  Ok - test in workflow **markdown-link-check** +- Code Unittest - there's a simple unit test next to our app called `app_test.py`. Make sure our unittest passes (`python -m unittest` executed in the app directory) ✅  Ok - test in workflow last part of **lint-unit-tests** - Check for hardcoded secrets (`gitleaks`) - not just our app but the whole repository. -
-✅  Ok - test in workflow *gitleaks-security* -✅  Extra Trivy check repo(fs) - test in workflow *Trivy-security -- SAST - SonarCloud; Review code smells and security issues ✅  Ok - test in workflow *sonarcloud-security* -- SCA - Snyk; review security issues ✅  Ok - integrated in my github account + ✅  Ok - test in workflow **gitleaks-security** + ✅  Extra Trivy check repo(fs) - test in workflow **Trivy-security** +- SAST - SonarCloud; Review code smells and security issues ✅  Ok - test in workflow **sonarcloud-security** +- SCA - Snyk; review security issues ✅  Ok - **integrated** in my github account - Build a Docker image. Use Git commit SHA as an Image tag. -- Scan the built image with `Trivy` -
-✅  Ok - job in workflow *build-test* using SHA in tag and test with Trivy -- Push the built image to your Docker HUB account -
-✅  Ok - job in workflow *deploy* get credential from Hashi vault and push to my dockerhub account +- Scan the built image with `Trivy`. + ✅  Ok - job in workflow **build-test** using SHA in tag and test with Trivy +- Push the built image to your Docker HUB account. + ✅  Ok - job in workflow **deploy** get credential from Hashi vault and push to my dockerhub account - (optional) Add CONTRIBUTORS guide. Follow [this](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/setting-guidelines-for-repository-contributors) document from GitHUb. -
-✅  Ok - guide is added in root: CONTRIBUTING.md + ✅  Ok - guide is **added** in root: **CONTRIBUTING.md** ## Extra effort @@ -41,7 +36,7 @@ Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. n - yamllint - check-merge-conflict - check-added-large-files -
+*** ✅  Ok - my pre-commit using: > - id: check-yaml > - id: end-of-file-fixer @@ -51,9 +46,8 @@ Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. n > - id: check-merge-conflict > - id: gitleaks -- Setup docker-compose with build and run a container ✅  Ok - created in M1-4-2-CI-Practice/compose.yaml -- Try out GitHub Actions schedule trigger event - -
+- Setup docker-compose with build and run a container ✅  Ok - created in **M1-4-2-CI-Practice/compose.yaml**
+- Try out GitHub Actions schedule trigger event - . ✅  Ok - add to workflow ``` schedule:
From 1e63cde5686969bebc70eb64b4911937707e29fd Mon Sep 17 00:00:00 2001
From: metodil
Date: Tue, 19 Nov 2024 09:46:28 +0200
Subject: [PATCH 64/66] add in README.md info for Ansible homework
---
README.md | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/README.md b/README.md
index ad7a39da7..7d8beb18e 100644
--- a/README.md
+++ b/README.md
@@ -53,3 +53,27 @@ Create a GitHub Actions pipeline that runs on commit to a feature branch (i.e. n
 schedule:
 - cron: '0 0 * * 1,4' # on Monday (1) and Thursday (4)
 ```
+
+***
+
+## M1-3-1 Configuration Management
+
+### Ansible Task
+
+Create an Ansible playbook that build, push and then run the Docker image for the Python
+application. Let your playbook has the following variables:
+
+* `image_name` - contains the name of your image without the tag, i.e. `vutoff/python-app`
+* `image_tag` - contains the tag you tagged your image with, i.e. `v0.2`
+* `listen_port` - contains the listening port you're binding your app to.
+
+Make sure that you set environment variable `PORT` when you define your container
+in the Ansible playbook that takes its value from `listen_port` variable.
+
+✅  playbook is created in homework/**M1-3-Ansible/u34-ansible-hw.yaml**,
+using **branch:** **ansible-practice-and-homework**
+
+extra playbooks in **M1-3-Ansible** :
+- u34-ansible-hw-with-ansible-vault.yaml : Secrets management with **Ansible secrets**
+- u34-ansible-hw-with-hashi-vault.yaml : Secrets management with **Hashi vault**
+- u34-ansible-hw-with-role-hashi-vault.yaml : Using **roles** in Ansible
From 4a3a64c93bec3ca6f7dde6e68d363d6998c69f0d Mon Sep 17 00:00:00 2001
From: metodil
Date: Thu, 21 Nov 2024 11:15:05 +0200
Subject: [PATCH 65/66] set trivy ver to 0.20.0
---
.github/workflows/ci-pipeline.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml
index 88e38a55c..9cb9f38bd 100644
--- a/.github/workflows/ci-pipeline.yml
+++ b/.github/workflows/ci-pipeline.yml
@@ -135,7 +135,7 @@ jobs:
 run: |
 docker build -t ${{ env.IMAGE_TAG }}:${{ github.sha }} .
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.28.0
+ uses: aquasecurity/trivy-action@0.20.0
 with:
 image-ref: '${{ env.IMAGE_TAG }}:${{ github.sha }}'
 format: 'sarif'
From 9bd147e36e401ebe6b192ed11df3a10884573f69 Mon Sep 17 00:00:00 2001
From: metodil
Date: Thu, 21 Nov 2024 11:28:54 +0200
Subject: [PATCH 66/66] set trivy ver to 0.29.0
---
.github/workflows/ci-pipeline.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml
index 9cb9f38bd..81f6ce73e 100644
--- a/.github/workflows/ci-pipeline.yml
+++ b/.github/workflows/ci-pipeline.yml
@@ -135,7 +135,7 @@ jobs:
 run: |
 docker build -t ${{ env.IMAGE_TAG }}:${{ github.sha }} .
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.20.0
+ uses: aquasecurity/trivy-action@0.29.0
 with:
 image-ref: '${{ env.IMAGE_TAG }}:${{ github.sha }}'
 format: 'sarif'