.github/workflows/mapi.yml

name: 'Mayhem for API'
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:
  schedule:
    - cron: '0 3 * * *' # run at 2 AM UTC

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    # Create environment to run API
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: 3.8

    - name: Install dependencies
      run: pip install -r requirements.txt
      
    - name: Run unit tests
      run: py.test --cov=./ --cov-report=xml

    - name: Upload unit test coverage to Codecov
      uses: codecov/codecov-action@v4
      env:
        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      with:
        files: coverage.xml
        flags: unit-tests
        fail_ci_if_error: true

    # Run API in test mode. We configured test mode to output stacktraces in
    # the error responses to improve the output of Mayhem for API.
    - name: Run API
      env:
        FASTAPI_ENV: test
      run: coverage run -m uvicorn src.main:app &

    # Run Mayhem for API
    - name: Run Mayhem for API to check for vulnerabilities
      uses: ForAllSecure/mapi-action@v2
      continue-on-error: true
      with:
        mayhem-url: https://app.mayhem.security
        mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
        api-url: http://localhost:8000
        api-spec: http://localhost:8000/openapi.json
        sarif-report: mapi.sarif
        html-report: mapi.html
        target: forallsecure-demo/mapi-action-examples/fastapi

    # Kill python if it's still running, ignoring any errors
    - name: Shut down API
      run: pgrep coverage | xargs kill || true; sleep 5

    # codecov action requires a coverage.xml file
    - name: Generate coverage.xml
      run: coverage xml

    - name: Upload Mayhem coverage to Codecov
      uses: codecov/codecov-action@v4
      env:
        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      with:
        files: coverage.xml
        flags: vulnerability-tests
        name: mayhem
        fail_ci_if_error: true

    # Archive HTML report
    - name: Archive Mayhem for API report
      uses: actions/upload-artifact@v4
      with:
        name: mapi-report
        path: mapi.html

    # Upload SARIF file (only available on public repos or github enterprise)
    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: mapi.sarif