[PRMP-1482] Implement user restrictions list page #4181
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Z-AUTOMATED: PR Validator" | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| types: [opened, edited, synchronize] | |
| jobs: | |
| changes: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: read | |
| outputs: | |
| frontend: ${{ steps.filter.outputs.frontend }} | |
| backend: ${{ steps.filter.outputs.backend }} | |
| steps: | |
| - uses: dorny/paths-filter@v4 | |
| id: filter | |
| with: | |
| filters: | | |
| frontend: | |
| - 'app/src/**' | |
| backend: | |
| - '*.py' | |
| - 'lambdas/*.py' | |
| - 'lambdas/**/*.py' | |
| checklist_validator: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Set up Python 3.11 | |
| uses: actions/setup-python@v6 | |
| with: | |
| python-version: 3.11 | |
| - name: Run checklist validator | |
| run: | | |
| python3 scripts/github/checklist_validator/main.py | |
| env: | |
| PR_BODY: ${{ github.event.pull_request.body }} | |
| sbom_scan: | |
| name: SBOM Repo Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read # Required for anchore/sbom-action | |
| contents: write # Required for anchore/sbom-action | |
| id-token: write # Required for requesting the JWT | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
| - uses: anchore/sbom-action@v0 | |
| with: | |
| path: "." | |
| format: cyclonedx-json | |
| output-file: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json | |
| - uses: anchore/scan-action@v7 | |
| id: sbom-scan | |
| with: | |
| sbom: sbom-repo-${{ github.event.repository.name }}-${{ github.sha }}.cdx.json | |
| fail-build: true | |
| severity-cutoff: low | |
| only-fixed: true | |
| output-format: sarif | |
| - name: Upload Anchore scan SARIF report | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() | |
| with: | |
| sarif_file: ${{ steps.sbom-scan.outputs.sarif }} | |
| - name: Add/Update SBOM failure comment | |
| uses: actions/github-script@v8 | |
| if: always() && failure() | |
| with: | |
| script: | | |
| // 1. Retrieve existing bot comments for the PR | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }) | |
| const botComment = comments.find(comment => { | |
| return comment.user.type === 'Bot' && comment.body.includes('Code security issues found') | |
| }) | |
| // 2. Prepare format of the comment | |
| const output = `### Code security issues found | |
| View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`; | |
| // 3. If we have a comment, update it, otherwise create a new one | |
| if (botComment) { | |
| github.rest.issues.deleteComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body: output | |
| }) | |
| } | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| - name: Delete SBOM failure comment | |
| uses: actions/github-script@v8 | |
| if: always() && success() | |
| with: | |
| script: | | |
| // 1. Retrieve existing bot comments for the PR | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }) | |
| const botComment = comments.find(comment => { | |
| return comment.user.type === 'Bot' && comment.body.includes('Code security issues found') | |
| }) | |
| // 2. If we have a comment, update it, otherwise create a new one | |
| if (botComment) { | |
| github.rest.issues.deleteComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id | |
| }) | |
| } | |
| markdown-validation: | |
| name: Markdown Validation | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run Markdown Validation Script | |
| id: validate | |
| run: | | |
| BRANCH_NAME=${{ github.event.repository.default_branch }} | |
| chmod +x scripts/markdown-validator.sh | |
| scripts/markdown-validator.sh | |
| react_lint_and_build: | |
| name: React Lint and Build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| needs: changes | |
| if: needs.changes.outputs.frontend == 'true' | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install packages | |
| id: install | |
| run: | | |
| make install | |
| - name: Run Lint | |
| id: lint | |
| working-directory: app | |
| run: | | |
| npm run lint | |
| - name: Run Build | |
| id: build | |
| working-directory: app | |
| if: always() | |
| run: | | |
| npm run build | |
| python_lint: | |
| name: Python Lint | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| needs: changes | |
| if: needs.changes.outputs.backend == 'true' | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python 3.11 | |
| uses: actions/setup-python@v6 | |
| with: | |
| python-version: 3.11 | |
| - name: Setup env | |
| run: | | |
| make env | |
| - name: Get changed files | |
| id: changed-files | |
| run: | | |
| git remote set-branches origin main && git fetch --depth 1 origin main && git branch main origin/main | |
| echo "CHANGED_FILES=$(git diff main --name-status | grep -E '^[^D].*\.py$' | awk '{print $NF}' | tr '\n' ' ')" >> $GITHUB_OUTPUT | |
| - name: Run black | |
| id: black | |
| run: | | |
| if [ -z "${{ steps.changed-files.outputs.CHANGED_FILES }}" ]; then echo "No changed Python files to format"; exit 0; fi; \ | |
| ./lambdas/venv/bin/python3 -m black --check --diff --color ${{ steps.changed-files.outputs.CHANGED_FILES }} | |
| - name: Run ruff | |
| id: ruff | |
| if: always() | |
| run: | | |
| if [ -z "${{ steps.changed-files.outputs.CHANGED_FILES }}" ]; then echo "No changed Python files to lint"; exit 0; fi; \ | |
| ./lambdas/venv/bin/ruff check ${{ steps.changed-files.outputs.CHANGED_FILES }} | |
| - name: Run isort with black | |
| id: isort | |
| if: always() | |
| run: | | |
| if [ -z "${{ steps.changed-files.outputs.CHANGED_FILES }}" ]; then echo "No changed Python files to sort imports"; exit 0; fi; \ | |
| ./lambdas/venv/bin/python3 -m isort --profile black --check-only ${{ steps.changed-files.outputs.CHANGED_FILES }} |