Skip to content

feat: add security headers #24962

feat: add security headers

feat: add security headers #24962

Workflow file for this run

name: PR checks
on: [push, pull_request]
env:
SECRET_KEY: insecure_test_key
jobs:
run-image:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
- name: Build image
run: DOCKER_BUILDKIT=1 docker build --tag ubuntu-com .
- name: Run image
run: |
docker run --env SECRET_KEY=insecure_secret_key --network host ubuntu-com &
sleep 1
curl --head --fail --retry-delay 1 --retry 30 --retry-connrefused http://localhost
run-dotrun:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dotrun
run: sudo pip3 install dotrun requests==2.31.0 # requests version is pinned to avoid breaking changes, can be removed once issue is resolved: https://github.com/docker/docker-py/issues/3256
- name: Install dependencies
run: |
sudo chmod -R 777 .
dotrun install
- name: Build assets
run: dotrun build
- name: Run dotrun
run: |
dotrun &
curl --head --fail --retry-delay 1 --retry 30 --retry-connrefused http://localhost:8001
lint-scss:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies
run: yarn install --immutable
- name: Lint scss
run: yarn lint-scss
check-prettier:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies
run: yarn install --immutable
- name: Check Prettier
run: yarn check-prettier
lint-python:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dotrun
run: sudo pip3 install dotrun
- name: Install dependencies
run: |
sudo chmod -R 777 .
dotrun install
- name: Build assets
run: dotrun build
- name: Lint python
run: dotrun lint-python
lint-jinja:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Install node dependencies
run: yarn install --immutable
- name: Install python dependencies
run: |
python3 -m pip install --upgrade pip
sudo pip3 install djlint
- name: Get changed HTML files in the templates folder
id: changed-files
uses: tj-actions/changed-files@v43
with:
files: templates/**/*.html
- name: Lint jinja
if: steps.changed-files.outputs.any_changed == 'true'
env:
CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
run: |
echo "The following files have changed: $CHANGED_FILES"
djlint $CHANGED_FILES --lint --profile="jinja"
validate-deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install konf
run: |
sudo snap install konf
sudo chown root:root /
- name: Install Kubeval
run: |
wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
tar xf kubeval-linux-amd64.tar.gz
sudo cp kubeval /usr/local/bin
- name: Validate all sites
run: |
konf staging deploy/site.yaml | kubeval -f -
konf production deploy/site.yaml | kubeval -f -
test-python:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # fetch all history for codecov
- name: Install requirements
run: |
sudo apt-get update && sudo apt-get install --yes python3-setuptools
sudo pip3 install -r requirements.txt
- name: Install dotrun
run: sudo pip3 install dotrun requests==2.31.0 # requests version is pinned to avoid breaking changes, can be removed once issue is resolved: https://github.com/docker/docker-py/issues/3256
- name: Install node dependencies
run: |
sudo chmod -R 777 .
dotrun install
- name: Install dependencies
run: dotrun exec pip3 install coverage
- name: Build resources
run: dotrun build
- name: Run tests with coverage
run: dotrun --env SEARCH_API_KEY=fake-key exec coverage run --source=. --module unittest discover tests
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
flags: python
test-js:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # fetch all history for codecov
- uses: actions/setup-node@v4
with:
node-version: 20
- name: Install dependencies
run: yarn install --immutable
- name: Test JS
run: |
yarn test-js --coverage
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
flags: javascript
lint-js:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies
run: yarn install --immutable
- name: Lint JS
run: |
yarn lint-js
lint-ts:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies
run: yarn install --immutable
- name: Lint TS
run: |
yarn lint-ts
Inclusive-naming-check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: woke
uses: canonical-web-and-design/inclusive-naming@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
reporter: github-pr-check
fail-on-error: false