EREGCSC-2363-B Fix escape vulnerability in text extraction user messa… #1271
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- main | |
permissions: | |
id-token: write | |
contents: read | |
actions: read | |
concurrency: ${{ github.workflow }}-${{ github.ref }} | |
jobs: | |
deploy: | |
strategy: | |
max-parallel: 1 | |
matrix: | |
environment: ["dev", "val", "prod"] | |
environment: | |
name: ${{ matrix.environment }} | |
url: ${{ steps.deploy-regulations-site-server.outputs.url }} | |
runs-on: ubuntu-22.04 | |
services: | |
postgres: | |
image: postgres | |
env: | |
POSTGRES_HOST: localhost | |
POSTGRES_DB: eregs | |
POSTGRES_USER: eregs | |
POSTGRES_PASSWORD: sgere | |
ports: | |
- 5432:5432 | |
# needed because the postgres container does not provide a healthcheck | |
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
# should build first and save the artifact | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: 18.14 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install -r ./solution/static-assets/requirements.txt | |
- name: build static assets | |
env: | |
STATIC_ROOT: ../static-assets/regulations | |
# This isn't at all accurate, but it doesn't matter; Django just needs it to run collectstatic | |
STATIC_URL: http://localhost:8888/ | |
VITE_ENV: ${{ matrix.environment }} | |
run: | | |
pushd solution | |
cd backend | |
python manage.py collectstatic --noinput | |
cd .. | |
popd | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: Configure AWS credentials for GitHub Actions | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }} | |
aws-region: us-east-1 | |
- name: deploy static assets | |
run: | | |
pushd solution/static-assets | |
npm install serverless@">=3.38.0 <4" -g | |
npm install | |
serverless deploy --stage ${{ matrix.environment }} | |
popd | |
- name: deploy text extractor lambda | |
run: | | |
pushd solution/text-extractor | |
npm install serverless@">=3.38.0 <4" -g | |
serverless deploy --stage ${{ matrix.environment }} | |
popd | |
- name: deploy regulations site server | |
id: deploy-regulations-site-server | |
env: | |
RUN_ID: ${{ github.run_id }} | |
run: | | |
pushd solution/backend | |
npm install serverless@">=3.38.0 <4" -g | |
npm install | |
serverless deploy --config ./serverless-maintenance.yml --stage ${{ matrix.environment }} | tee output.log | |
serverless deploy --config ./serverless-redirect.yml --stage ${{ matrix.environment }} | tee output.log | |
serverless deploy --stage ${{ matrix.environment }} | tee output.log | |
serverless invoke --function reg_core_migrate --stage ${{ matrix.environment }} | |
serverless invoke --function create_su --stage ${{ matrix.environment }} | |
url=$(cat output.log | grep -m1 'ANY -' | cut -c 9-) | |
url=${url%/} | |
echo "url=$(echo $url)" >> $GITHUB_OUTPUT | |
popd | |
# vite needs the .env file in order to know the URL of the api. | |
- name: Make envfile | |
uses: SpicyPizza/create-envfile@v2.0 | |
with: | |
envkey_VITE_API_URL: ${{ steps.deploy-regulations-site-server.outputs.url }} | |
envkey_VITE_ENV: ${{matrix.environment}} | |
directory: solution/ui/regulations/eregs-vite | |
file_name: .env | |
- name: build-vue-assets | |
id: build-vue-assets | |
env: | |
VITE_ENV: ${{ matrix.environment }} | |
run: | | |
pushd solution | |
make regulations | |
popd | |
pushd solution/static-assets | |
serverless deploy --stage ${{ matrix.environment }} | |
popd | |
- name: deploy and run eCFR parser | |
id: deploy-run-ecfr-parser | |
run: | | |
pushd solution/parser | |
npm install serverless@">=3.38.0 <4" -g | |
serverless deploy --stage ${{ matrix.environment }} --config ./serverless-ecfr.yml | |
AWS_CLIENT_TIMEOUT=360000 serverless invoke --function ecfr_parser --stage ${{ matrix.environment }} --config ./serverless-ecfr.yml | |
popd | |
- name: deploy and run FR parser | |
id: deploy-run-fr-parser | |
run: | | |
pushd solution/parser | |
npm install serverless@">=3.38.0 <4" -g | |
serverless deploy --stage ${{ matrix.environment }} --config ./serverless-fr.yml | |
AWS_CLIENT_TIMEOUT=360000 serverless invoke --function fr_parser --stage ${{ matrix.environment }} --config ./serverless-fr.yml | |
popd | |
- name: run pytest | |
env: | |
STATIC_URL: http://localhost:8888/ | |
DB_HOST: localhost | |
DB_NAME: eregs | |
DB_USER: eregs | |
DB_PASSWORD: sgere | |
DB_PORT: 5432 | |
HTTP_AUTH_USER: ${{ secrets.HTTP_AUTH_USER }} | |
HTTP_AUTH_PASSWORD: ${{ secrets.HTTP_AUTH_PASSWORD }} | |
working-directory: ./solution/backend | |
run: | | |
pytest -vv | |
# Get test user credentials from AWS Parameter Store | |
- name: Get test user credentials | |
uses: dkershner6/aws-ssm-getparameters-action@v2 | |
with: | |
parameterPairs: "/eregulations/http/user = CYPRESS_TEST_USERNAME, | |
/eregulations/http/password = CYPRESS_TEST_PASSWORD, | |
/eregulations/http/reader_user = CYPRESS_READER_USERNAME, | |
/eregulations/http/reader_password = CYPRESS_READER_PASSWORD" | |
withDecryption: "true" # defaults to true | |
- name: end-to-end tests | |
uses: cypress-io/github-action@v6 | |
with: | |
working-directory: solution/ui/e2e | |
config: baseUrl=${{ steps.deploy-regulations-site-server.outputs.url }} | |
env: | |
CYPRESS_DEPLOYING: true | |
CYPRESS_TEST_ENV: ${{ matrix.environment }} |