.github/workflows/ci.yml

name: CI
on:
  pull_request:
    branches: ["main"]
  push:
    branches: ["main"]
concurrency:
  group: ci-${{ github.workflow }}-${{ github.actor }}-${{ github.sha }}
  cancel-in-progress: true

jobs:
  static-analysis:
    name: Prospector Static Analysis
    runs-on: ubuntu-22.04
    env:
      DJANGO_SETTINGS_MODULE: onadata.settings.github_actions_test
    strategy:
      fail-fast: false
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup python
        uses: actions/setup-python@v5
        with:
          python-version: "3.10"
          architecture: "x64"
          cache: "pip"
          cache-dependency-path: |
            requirements/base.pip
            requirements/dev.pip
            requirements/azure.pip

      - name: Update apt sources
        run: sudo apt-get update

      - name: Install APT requirements
        run: sudo apt-get install -y --no-install-recommends libjpeg-dev zlib1g-dev software-properties-common ghostscript libxslt1-dev binutils libproj-dev gdal-bin memcached libmemcached-dev libxml2-dev libxslt-dev

      - name: Install Pip requirements
        run: |
          pip install -U pip
          pip install wheel
          pip install -r requirements/base.pip
          pip install -r requirements/dev.pip
          pip install -r requirements/azure.pip

      - name: Install linting tools
        run: pip install prospector==1.7.7 pylint==2.14.5

      - name: Run Prospector
        run: prospector -X -s veryhigh onadata
  unit-tests:
    strategy:
      fail-fast: false
      matrix:
        test_path:
          - [" Django Unit Tests (Libraries, Main, RestServices, SMS Support, Viewer, Messaging)", "python manage.py test onadata/libs onadata/apps/main onadata/apps/restservice onadata/apps/sms_support onadata/apps/viewer onadata/apps/messaging --noinput --timing --settings=onadata.settings.github_actions_test --verbosity=2 --parallel=4"]
          - ["Django Unit Tests API", "python manage.py test onadata/apps/api --noinput --timing --settings=onadata.settings.github_actions_test --verbosity=2 --parallel=4"]
          - ["Django Unit Tests Logger", "python manage.py test onadata/apps/logger --noinput --timing --settings=onadata.settings.github_actions_test --verbosity=2 --parallel=4"]
    name: "${{ matrix.test_path[0] }}"
    runs-on: ubuntu-22.04
    needs: static-analysis
    env:
      DJANGO_SETTINGS_MODULE: onadata.settings.github_actions_test
    services:
      postgres:
        image: postgis/postgis:13-3.0
        env:
          POSTGRES_PASSWORD: onadata
          POSTGRES_DB: onadata
          POSTGRES_USER: onadata
        ports:
          - 5432:5432
        # Set health checks to wait until postgres has started
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: "adopt"
          java-version: "8"

      - name: Setup python
        uses: actions/setup-python@v5
        with:
          python-version: "3.10"
          architecture: "x64"
          cache: "pip"
          cache-dependency-path: |
            requirements/base.pip
            requirements/dev.pip
            requirements/azure.pip

      - name: Update apt sources
        run: sudo apt-get update

      - name: Install APT requirements
        run: sudo apt-get install -y --no-install-recommends libjpeg-dev zlib1g-dev software-properties-common ghostscript libxslt1-dev binutils libproj-dev gdal-bin memcached libmemcached-dev libxml2-dev libxslt-dev

      - name: Install Pip requirements
        run: |
          pip install -U pip
          pip install -r requirements/base.pip
          pip install -r requirements/dev.pip
          pip install -r requirements/azure.pip

      - name: Run tests
        run: |
          ${{ matrix.test_path[1] }}
  security-check:
    name: Trivy Security Checks
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Update apt sources
        run: sudo apt-get update

      - name: Get the branch name
        id: get-branch-name
        if: github.event_name == 'push'
        run: echo "version=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV

      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./docker/onadata-uwsgi/Dockerfile.ubuntu
          platforms: linux/amd64
          push: false
          tags: |
            onaio/onadata:${{ github.head_ref || github.base_ref || env.version }}
          cache-from: type=registry,ref=onaio/onadata:${{ github.head_ref || github.base_ref || env.version }}
          cache-to: type=inline

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: github.event_name == 'pull_request'
        with:
          image-ref: onaio/onadata:${{ github.head_ref || github.base_ref || env.version }}
          format: sarif
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"
          output: "trivy_results.sarif"

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: github.event_name == 'push'
        with:
          image-ref: onaio/onadata:${{ github.head_ref || github.base_ref || env.version }}
          format: sarif
          ignore-unfixed: true
          output: "trivy_results.sarif"

      - name: Upload vulnerability scan results
        uses: github/codeql-action/upload-sarif@v3
        if: github.event_name == 'push' || github.event_name == 'pull_request'
        with:
          sarif_file: "trivy_results.sarif"

      - name: Run Trivy vulnerability for Slack summary
        uses: aquasecurity/trivy-action@master
        if: github.event_name == 'push'
        with:
          image-ref: onaio/onadata:${{ github.head_ref || github.base_ref || env.version }}
          format: json
          ignore-unfixed: true
          output: "trivy_results.json"

      - name: Create summary of trivy issues
        if: github.event_name == 'push'
        run: |
          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy_results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
          if [ -z $summary ]
          then
            summary="0 Issues"
          fi
          echo "SUMMARY=$summary" >> $GITHUB_ENV

      - name: Send Slack Notification
        uses: slackapi/slack-github-action@v1.23.0
        if: github.event_name == 'push'
        with:
          payload: |
            {
              "text": "Trivy scan results for ${{ github.head_ref || github.base_ref || env.version }}",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "[Ona Data] Trivy scan results for ${{ github.head_ref || github.base_ref || env.version }}: ${{ env.SUMMARY }}"
                  }
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "View scan results: https://github.com/${{ github.repository }}/security/code-scanning?query=branch:${{ github.head_ref || github.base_ref || env.version }}+is:open++"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK