[Snyk] Security upgrade jinja2 from 3.1.2 to 3.1.5 #951

Workflow file for this run

	name: Deploy

	on:
	push:
	tags: ["[0-9].[0-9]+.[0-9]+"]
	branches:
	- master
	paths:
	- ".github/workflows/deploy.yml"
	- "nikas/**"
	- "share/**"
	- "Dockerfile"
	- "Dockerfile.dev"
	- "gulpfile.js"
	- "Makefile"
	- "MANIFEST.in"
	- "package-lock.json"
	- "package.json"
	- "requirements.txt"
	- "setup.cfg"
	- "setup.py"
	- "tox.ini"
	- "uwsgi.ini"
	- "version.env"
	pull_request:
	branches:
	- master
	paths:
	- ".github/workflows/deploy.yml"
	- "nikas/**"
	- "share/**"
	- "Dockerfile"
	- "Dockerfile.dev"
	- "gulpfile.js"
	- "Makefile"
	- "MANIFEST.in"
	- "package-lock.json"
	- "package.json"
	- "requirements.txt"
	- "setup.cfg"
	- "setup.py"
	- "tox.ini"
	- "uwsgi.ini"
	- "version.env"

	env:
	IMAGE_NAME: nikasproject/server
	GITHUB_IMAGE_NAME: docker.pkg.github.com/nikas-project/server/server
	TARGET_NODE: "14"
	TARGET_PYTHON: "3.8"

	jobs:
	Initialize:
	name: 🚩 Initialize
	runs-on: ubuntu-latest
	outputs:
	docker_file: ${{ steps.set-docker.outputs.file }}

	steps:
	- name: Cancel previous workflow
	uses: styfle/[email protected]
	with:
	access_token: ${{ github.token }}

	- name: Dump GitHub context
	env:
	GITHUB_CONTEXT: ${{ toJson(github) }}
	run: \|
	echo "$GITHUB_CONTEXT"
	echo ${{ github.event.pull_request.title }}

	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	ref: ${{ github.ref }}

	- name: Set Dockerfile
	id: set-docker
	run: \|
	if [[ "${{ github.ref }}" == "refs/heads/master" ]]; then
	echo "::set-output name=file::Dockerfile"
	else
	echo "::set-output name=file::Dockerfile.dev"
	fi

	Python:
	name: 🐍 Python
	needs: Initialize
	runs-on: ${{ matrix.os }}
	strategy:
	matrix:
	os: [ubuntu-latest]
	python-version: ["3.7", "3.8", "3.9", "3.10"]
	node-version: ["12", "14"]
	fail-fast: false

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Python ${{ matrix.python-version }} on ${{ matrix.os }}
	uses: actions/setup-python@v4
	with:
	python-version: ${{ matrix.python-version }}
	cache: "pip"
	cache-dependency-path: "setup.py"

	- name: Setup NodeJS ${{ matrix.node-version }} on ${{ matrix.os }}
	uses: actions/setup-node@v3
	with:
	node-version: ${{ matrix.node-version }}
	cache: "npm"
	cache-dependency-path: package.json

	- name: Install dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y libxml2-utils libsqlite0 libxml2-utils sqlite openssl ca-certificates tini
	python -m pip install --upgrade pip
	pip install setuptools flake8 pytest pytest-cov wheel twine nose-py3 gunicorn cffi flask
	touch .env.pypi

	- name: Lint with flake8
	run: \|
	# stop the build if there are Python syntax errors or undefined names
	flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
	# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
	flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics

	- name: Compile JS stuff
	run: \|
	npm install
	make init sass js

	- name: Setup development
	run: \|
	pip install -e .
	nikas --version

	- name: Run test suite
	run: \|
	make test
	env:
	PYTHONHASHSEED: random

	- name: Deploy to test server
	run: \|
	python setup.py sdist bdist_wheel
	TWINE_PASSWORD=${{ secrets.PYPI_TEST_TOKEN }} TWINE_USERNAME=__token__ python -m twine upload --repository-url https://test.pypi.org/legacy/ --skip-existing --verbose dist/*

	- name: Deploy to main server
	if: github.ref_type == 'tag' && matrix.python-version == env.TARGET_PYTHON && matrix.node-version == env.TARGET_NODE
	run: \|
	TWINE_PASSWORD=${{ secrets.PYPI_TOKEN }} TWINE_USERNAME=__token__ python -m twine upload --skip-existing --verbose dist/*

	- name: Report Failure
	uses: ravsamhq/notify-slack-action@v2
	if: github.ref_type == 'tag'
	with:
	status: ${{ job.status }}
	notify_when: "failure,warnings"
	token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}
	notification_title: "Deployment ( Python ) has a problem"
	message_format: "{emoji} {workflow} pipeline {status_message} in <{repo_url}\|{repo}>"
	footer: "Linked Repo <{repo_url}\|{repo}> \| <{workflow_url}\|View Workflow>"
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

	Docker:
	name: 🐳 Docker
	needs:
	- Python
	- Initialize
	runs-on: ubuntu-latest
	env:
	DOCKERFILE: ${{ needs.Initialize.outputs.docker_file }}
	DOCKER_BUILDKIT: 1
	permissions:
	contents: read
	packages: write
	id-token: write
	security-events: write

	steps:
	- name: Sleep for 90 seconds
	if: github.ref_type == 'tag'
	run: sleep 90s

	- name: Checkout
	uses: actions/checkout@v4

	- name: Get version
	run: echo "NIKAS_VERSION=$(cat version.env)" >> $GITHUB_ENV

	- name: Get Current Date
	id: date
	run: echo "::set-output name=date::$(date +'%Y-%m-%d')"

	- name: Build image
	run: >
	docker build
	-t ${{ env.IMAGE_NAME }}:${{ env.NIKAS_VERSION }}
	-t ${{ env.IMAGE_NAME }}:${{ github.sha }}
	-t ${{ env.GITHUB_IMAGE_NAME }}:${{ env.NIKAS_VERSION }}
	--build-arg DATE_CREATED=${{ steps.date.outputs.date }}
	--build-arg VERSION=${{ env.NIKAS_VERSION }}
	-f ${{ env.DOCKERFILE }}
	.

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
	exit-code: "0"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	format: "template"
	template: "@/contrib/sarif.tpl"
	output: "trivy-results.sarif"

	- name: Upload Trivy scan results to GitHub Security tab
	if: github.ref_type == 'tag'
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: "trivy-results.sarif"

	- name: Push to Dockerhub
	if: github.ref_type == 'tag'
	run: \|
	docker login -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.DOCKERHUB_TOKEN }}"
	docker push ${{ env.IMAGE_NAME }}:${{ env.NIKAS_VERSION }}

	- name: Push to Github
	if: github.ref_type == 'tag'
	run: \|
	docker login -u "${{ secrets.DOCKERHUB_USERNAME }}" -p "${{ secrets.GITHUB_TOKEN }}" docker.pkg.github.com
	docker push ${{ env.GITHUB_IMAGE_NAME }}:${{ env.NIKAS_VERSION }}

	- name: Report Failure
	uses: ravsamhq/notify-slack-action@v2
	if: github.ref_type == 'tag'
	with:
	status: ${{ job.status }}
	notify_when: "failure,warnings"
	token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}
	notification_title: "Deployment ( Docker ) has a problem"
	message_format: "{emoji} {workflow} pipeline {status_message} in <{repo_url}\|{repo}>"
	footer: "Linked Repo <{repo_url}\|{repo}> \| <{workflow_url}\|View Workflow>"
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

	- name: Report Success
	uses: ravsamhq/notify-slack-action@v2
	if: github.ref_type == 'tag'
	with:
	status: ${{ job.status }}
	notify_when: "success"
	token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}
	notification_title: "New version deployed"
	message_format: "{emoji} {workflow} pipeline {status_message} in <{repo_url}\|{repo}>"
	footer: "Linked Repo <{repo_url}\|{repo}> \| <{workflow_url}\|View Workflow>"
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade jinja2 from 3.1.2 to 3.1.5 #951

Workflow file

[Snyk] Security upgrade jinja2 from 3.1.2 to 3.1.5 #951

Jobs

Run details

Workflow file for this run