Add pip-audit workflow

William Chrisp · JoshArmi · commit 91406774e00d · 2023-04-24T09:09:40.000+08:00
diff --git a/.github/workflows/aws_cicd.yaml b/.github/workflows/aws_cicd.yaml
@@ -1,13 +1,10 @@
 name: aws-cicd
 on:
-  push:
-    branches:
-      - main
   workflow_dispatch:
-  pull_request:
+  workflow_call:
 concurrency:
   group: "AWS"
-  # cancel-in-progress: true
+  cancel-in-progress: true
 jobs:
   deploy:
     name: AWS
diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml
@@ -0,0 +1,26 @@
+name: cicd
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+  workflow_dispatch:
+  
+jobs:
+  pip-audit:
+    uses: ./.github/workflows/pip-audit.yaml
+
+  aws:
+    uses: ./.github/workflows/aws_cicd.yaml
+    needs: [pip-audit]
+
+  gcp:
+    uses: ./.github/workflows/gcp_cicd.yaml
+    secrets: inherit
+    needs: [pip-audit]
+
+  # slsa:
+  #   uses: ./.github/workflows/provenance.yaml
+  #   needs: [aws, gcp]
diff --git a/.github/workflows/gcp_cicd.yaml b/.github/workflows/gcp_cicd.yaml
@@ -1,10 +1,7 @@
 name: gcp-cicd
 on:
-  push:
-    branches:
-      - main
   workflow_dispatch:
-  pull_request:
+  workflow_call:
 concurrency:
   group: "GCP"
   cancel-in-progress: true
diff --git a/.github/workflows/pip-audit.yaml b/.github/workflows/pip-audit.yaml
@@ -0,0 +1,21 @@
+name: pip-audit
+on:
+  workflow_call:
+
+jobs:
+  pip-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.9"
+      - name: Install pipenv
+        run: pip install pipenv
+      - name: Build requirement files
+        run: |
+          pipenv requirements | tee requirements.txt
+          pipenv requirements --dev | tee dev-requirements.txt
+      - uses: pypa/gh-action-pip-audit@v1.0.6
+        with:
+          inputs: requirements.txt dev-requirements.txt
diff --git a/.gitignore b/.gitignore
@@ -257,6 +257,7 @@ Thumbs.db
 
 # CDKTF Specifics
 requirements.txt
+dev-requirements.txt
 controller_core/
 api_key_rotation/
 !api_key_rotation/main.py
diff --git a/infrastructure/aws/README.md b/infrastructure/aws/README.md
@@ -51,7 +51,7 @@ API key is created by the terraform whilst core AWS infrastructure is being depl
 While writing this, Grafana API Keys are valid for maximum 30 days only. 
 Hopefully, Amazon will address this limitation in the future - but in the meantime, this simple pattern can be used to automatically rotate an API key every 29 days and store it for use in AWS Secrets Manager.
 
-![Grafana](images/manage_grafana_api_key.png)
+![Grafana](/images/manage_grafana_api_key.png)
 
 The solution is made up of two components:
 
diff --git a/infrastructure/gcp/README.md b/infrastructure/gcp/README.md
@@ -3,7 +3,7 @@
 
 ## Architecture
 
-![Flight Controller Architecture](images/gcp_flight_controller.png)
+![Flight Controller Architecture](/images/gcp_flight_controller.png)
 
 ## Development
 
@@ -73,20 +73,20 @@ Create a GCP Service Account for a Project
 
 1. Navigate to the `APIs & Services Credentials` page.
 2. Click on `Create credentials` and choose `Service account key`.
-![Create Credentials](images/credentials.png)
+![Create Credentials](/images/credentials.png)
 
-3. On the Create service account key page, choose key type `JSON`. Then in the Service Account dropdown, choose the `New service account` option:
-![New Service Account](images/service_account_key.png)
+1. On the Create service account key page, choose key type `JSON`. Then in the Service Account dropdown, choose the `New service account` option:
+![New Service Account](/images/service_account_key.png)
 
-4. Some new fields will appear. Fill in a name for the service account in the `Service account name` field and then choose the `BigQuery Data Viewer` and `BigQuery Job User` roles from the Role dropdown:
-![Attach roles](images/service_account_role.png)
+1. Some new fields will appear. Fill in a name for the service account in the `Service account name` field and then choose the `BigQuery Data Viewer` and `BigQuery Job User` roles from the Role dropdown:
+![Attach roles](/images/service_account_role.png)
 
-5. Click the `Create` button. A JSON key file will be created and downloaded to your computer. Store this file in a secure place as it allows access to your BigQuery data.
+1. Click the `Create` button. A JSON key file will be created and downloaded to your computer. Store this file in a secure place as it allows access to your BigQuery data.
 
-6. Upload it to Grafana on the datasource Configuration page. You can either upload the file or paste in the contents of the file.
-![Grafana authentication](images/grafana_authentication.png)
+2. Upload it to Grafana on the datasource Configuration page. You can either upload the file or paste in the contents of the file.
+![Grafana authentication](/images/grafana_authentication.png)
 
-7. The file contents will be encrypted and saved in the Grafana database. Don't forget to save after uploading the file!
+1. The file contents will be encrypted and saved in the Grafana database. Don't forget to save after uploading the file!
 
 #### Creating Dashboards
 
