mckinsey · l0uden · Aug 2, 2024 · Jul 1, 2024 · Jul 2, 2024 · Jul 2, 2024
@@ -0,0 +1,29 @@
+name: Checks for GitHub workflows
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches:
+      - main
+
+env:
+  PYTHONUNBUFFERED: 1
+  FORCE_COLOR: 1
+  PYTHON_VERSION: "3.11"
+
+jobs:
+  checks-workflows:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Checks for GitHub workflows
+        run: |
+          python tools/scan_yaml_for_risky_text.py.py .github/workflows
@@ -94,3 +94,16 @@ jobs:
           cd ../vizro-ai
           hatch run ${{ matrix.hatch-env }}:pip install ../vizro-core/dist/vizro*.tar.gz
           hatch run ${{ matrix.hatch-env }}:test-integration
+
+      - name: Send custom JSON data to Slack
+        id: slack
+        uses: slackapi/[email protected]
+        if: failure()
+        with:
+          payload: |
+            {
+              "text": "Vizro-ai ${{ matrix.hatch-env }} integration tests build result: ${{ job.status }}\nBranch: ${{ github.head_ref }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
@@ -0,0 +1,52 @@
+name: Vizro QA tests trigger
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches:
+      - main
+
+env:
+  PYTHONUNBUFFERED: 1
+  FORCE_COLOR: 1
+
+jobs:
+  vizro-qa-test-trigger-fork:
+    if: ${{ github.event.pull_request.head.repo.fork }}
+    name: Vizro QA ${{ matrix.label }} trigger
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - label: integration tests
+          - label: notebooks tests
+    steps:
+      - name: Passed fork step
+        run: echo "Success!"
+
+  vizro-qa-tests-trigger:
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
+    name: Vizro QA ${{ matrix.label }} trigger
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - label: integration tests
+            file: "VIZRO_QA_INTEGRATION_TESTS_WORKFLOW"
+          - label: notebooks test
+            file: "VIZRO_QA_NOTEBOOKS_TESTS_WORKFLOW"
+    steps:
+      - uses: actions/checkout@v4
+      - name: Tests trigger
+        run: |
+          export INPUT_OWNER=${{ secrets.VIZRO_QA_ORG }}
+          export INPUT_REPO=${{ secrets.VIZRO_QA_REPO }}
+          if [ "${{ matrix.file }}" == "VIZRO_QA_INTEGRATION_TESTS_WORKFLOW" ]; then
+            export INPUT_WORKFLOW_FILE_NAME=${{ secrets.VIZRO_QA_INTEGRATION_TESTS_WORKFLOW }}
+          elif [ "${{ matrix.file }}" == "VIZRO_QA_NOTEBOOKS_TESTS_WORKFLOW" ]; then
+            export INPUT_WORKFLOW_FILE_NAME=${{ secrets.VIZRO_QA_NOTEBOOKS_TESTS_WORKFLOW }}
+          fi
+          export INPUT_GITHUB_TOKEN=${{ secrets.VIZRO_SVC_PAT }}
+          export INPUT_REF=${{ github.head_ref }}
+          tools/trigger-workflow-and-wait.sh
diff --git a/tools/scan_yaml_for_risky_text.py.py b/tools/scan_yaml_for_risky_text.py.py
@@ -0,0 +1,19 @@
+"""Check for security issues in workflows files."""
+
+import sys
+from pathlib import Path
+
+# according to this article: https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
+# we should avoid using `pull_request_target` for security reasons
+risky_text = "pull_request_target"
+
+
+def find_risky_files(path: str):
+    """Searching for risky text in yml files for given path."""
+    return {str(file) for file in Path(path).rglob("*.yml") if f"{risky_text}" in file.read_text()}
+
+
+if __name__ == "__main__":
+    risky_files = find_risky_files(sys.argv[1])
+    if risky_files:
+        sys.exit(f"{risky_text} found in files {risky_files}.")