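# Runs the API test suite (pytest + coverage upload) on pushes and pull
# requests targeting master and the v5.* release branches.
name: 'API: Tests'

on:
  push:
    branches:
      - 'master'
      - 'v5.*'
  pull_request:
    branches:
      - 'master'
      - 'v5.*'

# One run per workflow/ref pair; a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Connection settings for the service containers started by the job below.
# The values are committed in plain text, so they must stay limited to these
# throwaway, localhost-only test services and never match a real deployment.
# POSTGRES_ADMIN_* and API_WORKING_DIR are not referenced elsewhere in this
# workflow; presumably the test suite reads them - confirm.
env:
  POSTGRES_HOST: localhost
  POSTGRES_PORT: 5432
  POSTGRES_ADMIN_USER: prowler
  POSTGRES_ADMIN_PASSWORD: S3cret
  POSTGRES_USER: prowler_user
  POSTGRES_PASSWORD: prowler
  POSTGRES_DB: postgres-db
  VALKEY_SCHEME: redis
  VALKEY_USERNAME: ""
  VALKEY_PASSWORD: ""
  VALKEY_HOST: localhost
  VALKEY_PORT: 6379
  VALKEY_DB: 0
  API_WORKING_DIR: ./api

# Deny-by-default: the workflow grants the job token nothing, and each job
# opts in to the scopes it needs.
permissions: {}

jobs:
  api-tests:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # Read-only repository access is the only scope this job is given.
    permissions:
      contents: read
    strategy:
      matrix:
        python-version:
          - '3.12'
    defaults:
      run:
        working-directory: ./api

    # Service images are pinned by digest, so a re-tagged image cannot change
    # what runs here without a visible edit to this file.
    services:
      postgres:
        image: postgres:17@sha256:5c855ad7b85e68e48a62f34662853f38b57c1c1d80f3a927ab58034fd6d31c5e
        env:
          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
          POSTGRES_USER: ${{ env.POSTGRES_USER }}
          POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
          POSTGRES_DB: ${{ env.POSTGRES_DB }}
        # Quoted so the mapping is always read as a string, whatever the
        # parser's rules for digit-and-colon scalars.
        ports:
          - '5432:5432'
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      valkey:
        image: valkey/valkey:7-alpine3.19@sha256:4054fe7fc607b9326ac7c4691ed26e9670d2ff17a9fb28c2577adecf928acbcc
        env:
          VALKEY_HOST: ${{ env.VALKEY_HOST }}
          VALKEY_PORT: ${{ env.VALKEY_PORT }}
          VALKEY_DB: ${{ env.VALKEY_DB }}
        ports:
          - '6379:6379'
        options: >-
          --health-cmd "valkey-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5

    # Third-party actions are pinned to full commit SHAs; the trailing comment
    # records the release each SHA corresponds to.
    steps:
      # Outbound traffic is blocked except for the endpoints listed here.
      # Keep the list as short as the job allows: every entry is a host that
      # code running in this job (including test code from a PR) can reach.
      - name: Harden Runner
        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5  # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            pypi.org:443
            files.pythonhosted.org:443
            cli.codecov.io:443
            keybase.io:443
            raw.githubusercontent.com:443
            ingest.codecov.io:443
            storage.googleapis.com:443
            o26192.ingest.us.sentry.io:443
            api.github.com:443

      # persist-credentials keeps the job token usable by git for the rest of
      # the job, which means the later steps (pytest included) run with it in
      # reach. The exposure is bounded by the job's `contents: read` scope, so
      # do not widen the job permissions while this stays enabled.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # zizmor: ignore[artipacked]
          persist-credentials: true  # Required by tj-actions/changed-files to fetch PR branch

      # Gates the remaining steps: they run only when API sources or this
      # workflow file changed, ignoring docs-only paths.
      - name: Check for API changes
        id: check-changes
        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96  # v47.0.6
        with:
          files: |
            api/**
            .github/workflows/api-tests.yml
          files_ignore: |
            api/docs/**
            api/README.md
            api/CHANGELOG.md
            api/AGENTS.md

      # Local action loaded from the checked-out tree, so on pull_request
      # runs its definition comes from the ref under test.
      - name: Setup Python with uv
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/setup-python-uv
        with:
          python-version: ${{ matrix.python-version }}
          working-directory: ./api

      - name: Run tests with pytest
        if: steps.check-changes.outputs.any_changed == 'true'
        run: uv run pytest --cov=./src/backend --cov-report=xml src/backend

      # The Codecov token is scoped to this step's environment only; the
      # test step above never sees it.
      - name: Upload coverage reports to Codecov
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
          flags: api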