move snyk stuff to snyk file (#895)

Co-authored-by: burnettk <burnettk@users.noreply.github.com>
2024-01-11 06:14:25 -08:00 · 2024-01-11 06:14:25 -08:00 · b02f505bea
parent ae9b16165c
commit b02f505bea
4 changed files with 22 additions and 165 deletions
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@ -1,3 +1,5 @@
+# burnettk created an account at https://app.snyk.io/org/kevin-jfx
+# and added his SNYK_TOKEN secret under the spiff-arena repo.
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support
@ -29,7 +31,7 @@ name: Snyk Security
 on:
  workflow_dispatch: # allow running on demand
  schedule:
-    - cron: "0 14 * * 2"  # Every Tuesday at 1PM UTC (9AM/10AM eastern)
+    - cron: "0 14 * * 2" # Every Tuesday at 1PM UTC (9AM/10AM eastern)

 permissions:
  contents: read
@ -73,6 +75,10 @@ jobs:
      - name: Snyk Code test
        run: snyk code test --sarif > snyk-code.sarif || true

+      # checks library dependencies
+      - name: Snyk test
+        run: snyk test
+
        # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
      - name: Snyk Open Source monitor
        run: snyk monitor --all-projects
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -77,7 +77,7 @@ jobs:
      PRE_COMMIT_COLOR: "always"
      SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD: password
      SPIFFWORKFLOW_BACKEND_DATABASE_TYPE: ${{ matrix.database }}
-      SPIFFWORKFLOW_BACKEND_RUNNING_IN_CI: 'true'
+      SPIFFWORKFLOW_BACKEND_RUNNING_IN_CI: "true"

    steps:
      - name: Check out the repository
@ -133,7 +133,7 @@ jobs:
          mysql version: "8.0"
          mysql database: "spiffworkflow_backend_unit_testing"
          mysql root password: password
-          collation server: 'utf8mb4_0900_as_cs'
+          collation server: "utf8mb4_0900_as_cs"
        if: matrix.database == 'mysql'

      - name: Setup Postgres
@ -172,19 +172,6 @@ jobs:
          name: logs-${{matrix.python}}-${{matrix.os}}-${{matrix.database}}
          path: "./spiffworkflow-backend/log/*.log"

-  # burnettk created an account at https://app.snyk.io/org/kevin-jfx
-  # and added his SNYK_TOKEN secret under the spiff-arena repo.
-  snyk:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@master
-      - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/python@master
-        with:
-          args: spiffworkflow-backend
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
  run_pre_commit_checks:
    runs-on: ubuntu-latest
    defaults:
@ -295,7 +282,6 @@ jobs:
          name: pr_number
          path: pr/

-
  tests-frontend:
    runs-on: ubuntu-latest
    needs: [tests-backend, run_pre_commit_checks, check_docker_start_script]
--- a/spiffworkflow-backend/poetry.lock
+++ b/spiffworkflow-backend/poetry.lock
--- a/spiffworkflow-backend/pyproject.toml
+++ b/spiffworkflow-backend/pyproject.toml
@ -51,7 +51,7 @@ marshmallow-enum = "^1.5.1"
 PyJWT = "^2.6.0"
 gunicorn = "^20.1.0"
 APScheduler = "*"
-Jinja2 = "^3.1.2"
+Jinja2 = "^3.1.3"
 RestrictedPython = "^7.0"
 Flask-SQLAlchemy = "^3"