feat: add security headers #24962
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR checks | |
on: [push, pull_request] | |
env: | |
SECRET_KEY: insecure_test_key | |
jobs: | |
run-image: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build image | |
run: DOCKER_BUILDKIT=1 docker build --tag ubuntu-com . | |
- name: Run image | |
run: | | |
docker run --env SECRET_KEY=insecure_secret_key --network host ubuntu-com & | |
sleep 1 | |
curl --head --fail --retry-delay 1 --retry 30 --retry-connrefused http://localhost | |
run-dotrun: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install dotrun | |
run: sudo pip3 install dotrun requests==2.31.0 # requests version is pinned to avoid breaking changes, can be removed once issue is resolved: https://github.com/docker/docker-py/issues/3256 | |
- name: Install dependencies | |
run: | | |
sudo chmod -R 777 . | |
dotrun install | |
- name: Build assets | |
run: dotrun build | |
- name: Run dotrun | |
run: | | |
dotrun & | |
curl --head --fail --retry-delay 1 --retry 30 --retry-connrefused http://localhost:8001 | |
lint-scss: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install dependencies | |
run: yarn install --immutable | |
- name: Lint scss | |
run: yarn lint-scss | |
check-prettier: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install dependencies | |
run: yarn install --immutable | |
- name: Check Prettier | |
run: yarn check-prettier | |
lint-python: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install dotrun | |
run: sudo pip3 install dotrun | |
- name: Install dependencies | |
run: | | |
sudo chmod -R 777 . | |
dotrun install | |
- name: Build assets | |
run: dotrun build | |
- name: Lint python | |
run: dotrun lint-python | |
lint-jinja: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install node dependencies | |
run: yarn install --immutable | |
- name: Install python dependencies | |
run: | | |
python3 -m pip install --upgrade pip | |
sudo pip3 install djlint | |
- name: Get changed HTML files in the templates folder | |
id: changed-files | |
uses: tj-actions/changed-files@v43 | |
with: | |
files: templates/**/*.html | |
- name: Lint jinja | |
if: steps.changed-files.outputs.any_changed == 'true' | |
env: | |
CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} | |
run: | | |
echo "The following files have changed: $CHANGED_FILES" | |
djlint $CHANGED_FILES --lint --profile="jinja" | |
validate-deploy: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install konf | |
run: | | |
sudo snap install konf | |
sudo chown root:root / | |
- name: Install Kubeval | |
run: | | |
wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz | |
tar xf kubeval-linux-amd64.tar.gz | |
sudo cp kubeval /usr/local/bin | |
- name: Validate all sites | |
run: | | |
konf staging deploy/site.yaml | kubeval -f - | |
konf production deploy/site.yaml | kubeval -f - | |
test-python: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # fetch all history for codecov | |
- name: Install requirements | |
run: | | |
sudo apt-get update && sudo apt-get install --yes python3-setuptools | |
sudo pip3 install -r requirements.txt | |
- name: Install dotrun | |
run: sudo pip3 install dotrun requests==2.31.0 # requests version is pinned to avoid breaking changes, can be removed once issue is resolved: https://github.com/docker/docker-py/issues/3256 | |
- name: Install node dependencies | |
run: | | |
sudo chmod -R 777 . | |
dotrun install | |
- name: Install dependencies | |
run: dotrun exec pip3 install coverage | |
- name: Build resources | |
run: dotrun build | |
- name: Run tests with coverage | |
run: dotrun --env SEARCH_API_KEY=fake-key exec coverage run --source=. --module unittest discover tests | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
with: | |
flags: python | |
test-js: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # fetch all history for codecov | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: 20 | |
- name: Install dependencies | |
run: yarn install --immutable | |
- name: Test JS | |
run: | | |
yarn test-js --coverage | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
with: | |
flags: javascript | |
lint-js: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install dependencies | |
run: yarn install --immutable | |
- name: Lint JS | |
run: | | |
yarn lint-js | |
lint-ts: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install dependencies | |
run: yarn install --immutable | |
- name: Lint TS | |
run: | | |
yarn lint-ts | |
Inclusive-naming-check: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: woke | |
uses: canonical-web-and-design/inclusive-naming@main | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
reporter: github-pr-check | |
fail-on-error: false |