action-python-security-auditing/.github/workflows/integration-tests.yml at main · developmentseed/action-python-security-auditing · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
name: Integration Tests

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

concurrency:
  group: integration-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:

  # ── Run each test scenario against the local composite action ──
  integration-test:
    name: "Test ${{ matrix.id }}"
    runs-on: ubuntu-latest
    continue-on-error: true
    strategy:
      fail-fast: false
      matrix:
        include:
          - id: "01"
            working_directory: integration-tests/cases/01-requirements-flat
            package_manager: requirements
            requirements_file: requirements.txt
            bandit_scan_dirs: "."
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: "bandit,pip-audit"
            setup: ""

          - id: "02"
            working_directory: integration-tests/cases/02-requirements-src-bandit
            package_manager: requirements
            requirements_file: requirements.txt
            bandit_scan_dirs: src/
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: "bandit,pip-audit"
            setup: ""

          - id: "03"
            working_directory: integration-tests/cases/03-requirements-multi-both
            package_manager: requirements
            requirements_file: requirements.txt
            bandit_scan_dirs: "src/,scripts/"
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: "bandit,pip-audit"
            setup: ""

          - id: "04"
            working_directory: integration-tests/cases/04-uv-flat
            package_manager: uv
            requirements_file: ""
            bandit_scan_dirs: "."
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: "bandit,pip-audit"
            setup: uv

          - id: "05"
            working_directory: integration-tests/cases/05-uv-src-vuln
            package_manager: uv
            requirements_file: ""
            bandit_scan_dirs: src/
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: "bandit,pip-audit"
            setup: uv

          - id: "06"
            working_directory: integration-tests/cases/06-uv-multi-bandit
            package_manager: uv
            requirements_file: ""
            bandit_scan_dirs: "src/,scripts/"
            bandit_severity_threshold: medium
            pip_audit_block_on: none
            tools: "bandit,pip-audit"
            setup: uv

          - id: "07"
            working_directory: integration-tests/cases/07-poetry-flat
            package_manager: poetry
            requirements_file: ""
            bandit_scan_dirs: "."
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: "bandit,pip-audit"
            setup: poetry

          - id: "08"
            working_directory: integration-tests/cases/08-poetry-src-both
            package_manager: poetry
            requirements_file: ""
            bandit_scan_dirs: src/
            bandit_severity_threshold: medium
            pip_audit_block_on: all
            tools: "bandit,pip-audit"
            setup: poetry

          - id: "09"
            working_directory: integration-tests/cases/09-pipenv-flat
            package_manager: pipenv
            requirements_file: ""
            bandit_scan_dirs: "."
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: "bandit,pip-audit"
            setup: pipenv

          - id: "10"
            working_directory: integration-tests/cases/10-pipenv-multi-bandit
            package_manager: pipenv
            requirements_file: ""
            bandit_scan_dirs: "src/,scripts/"
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: "bandit,pip-audit"
            setup: pipenv

          # Test 11: working_directory is repo root; paths are prefixed with integration-tests/cases/
          - id: "11"
            working_directory: "."
            package_manager: requirements
            requirements_file: integration-tests/cases/11-requirements-root/requirements.txt
            bandit_scan_dirs: integration-tests/cases/11-requirements-root
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: "bandit,pip-audit"
            setup: ""

          # Tests 12 & 14: bandit-only — no lockfile setup needed
          - id: "12"
            working_directory: integration-tests/cases/12-uv-flat-bandit-only
            package_manager: uv
            requirements_file: ""
            bandit_scan_dirs: "."
            bandit_severity_threshold: high
            pip_audit_block_on: fixable
            tools: bandit
            setup: ""

          - id: "14"
            working_directory: integration-tests/cases/14-uv-low-threshold
            package_manager: uv
            requirements_file: ""
            bandit_scan_dirs: "."
            bandit_severity_threshold: low
            pip_audit_block_on: fixable
            tools: bandit
            setup: ""

    permissions:
      contents: read

    steps:
      - name: Checkout action repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # --- Package-manager-specific lockfile setup ---

      - name: Set up uv
        if: matrix.setup == 'uv'
        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0

      - name: Generate uv.lock
        if: matrix.setup == 'uv'
        working-directory: ${{ matrix.working_directory }}
        run: uv lock

      - name: Set up Poetry
        if: matrix.setup == 'poetry'
        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1

      - name: Generate poetry.lock
        if: matrix.setup == 'poetry'
        working-directory: ${{ matrix.working_directory }}
        run: poetry lock

      - name: Set up Python (for pipenv)
        if: matrix.setup == 'pipenv'
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.12'

      - name: Install pipenv
        if: matrix.setup == 'pipenv'
        run: pip install pipenv

      - name: Generate Pipfile.lock
        if: matrix.setup == 'pipenv'
        working-directory: ${{ matrix.working_directory }}
        run: pipenv install

      # --- Run the composite action at the current commit ---

      - name: Run security audit
        id: audit
        uses: ./
        continue-on-error: true
        with:
          working_directory: ${{ matrix.working_directory }}
          package_manager: ${{ matrix.package_manager }}
          tools: ${{ matrix.tools }}
          requirements_file: ${{ matrix.requirements_file }}
          bandit_scan_dirs: ${{ matrix.bandit_scan_dirs }}
          bandit_severity_threshold: ${{ matrix.bandit_severity_threshold }}
          pip_audit_block_on: ${{ matrix.pip_audit_block_on }}
          comment_on: never
          artifact_name: security-audit-${{ matrix.id }}

      # --- Record outcome so the validate job can reconstruct NEEDS_JSON ---

      - name: Record step outcome
        if: always()
        env:
          AUDIT_OUTCOME: ${{ steps.audit.outcome }}
        run: |
          mkdir -p outcome
          echo "$AUDIT_OUTCOME" > outcome/outcome.txt

      - name: Upload outcome
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: test-outcome-${{ matrix.id }}
          path: outcome/outcome.txt

  # ── Validate all results against expected_results.yml ──────────
  validate:
    name: Validate results
    if: always()
    needs: [integration-test]
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write # Post or update the integration-test validation report on PRs

    steps:
      - name: Checkout action repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Download security-audit artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: security-audit-*
          path: artifacts

      - name: Download outcome artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: test-outcome-*
          path: artifacts

      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: pip install pyyaml

      # Build NEEDS_JSON from outcome files — validate_results.py expects
      # {"test-01": {"result": "success"}, ...} (same shape as toJSON(needs))
      - name: Build NEEDS_JSON from outcome artifacts
        run: |
          python3 - <<'EOF' >> "$GITHUB_ENV"
          import json
          from pathlib import Path
          needs = {}
          for f in sorted(Path("artifacts").glob("test-outcome-*/outcome.txt")):
              num = f.parent.name.replace("test-outcome-", "")
              needs["test-" + num] = {"result": f.read_text().strip()}
          print("NEEDS_JSON=" + json.dumps(needs))
          EOF

      - name: Validate test outcomes
        env:
          NEEDS_JSON: ${{ env.NEEDS_JSON }}
        run: python integration-tests/validate_results.py

      - name: Post or update PR comment
        if: always() && github.event_name == 'pull_request'
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_REPOSITORY: ${{ github.repository }}
        run: |
          if [ ! -f validation-report.md ]; then
            echo "No report generated" >&2
            exit 0
          fi

          MARKER="<!-- integration-test-validation-report -->"

          # Find existing comment with our marker
          COMMENT_ID=$(
            gh api \
              "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
              --paginate -q \
              ".[] | select(.body | contains(\"${MARKER}\")) | .id" \
            | head -n 1
          )

          if [ -n "$COMMENT_ID" ]; then
            gh api \
              "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}" \
              --method PATCH \
              -F "body=@validation-report.md"
            echo "Updated existing comment ${COMMENT_ID}"
          else
            gh pr comment "${PR_NUMBER}" --body-file validation-report.md
            echo "Created new comment"
          fi