Remove ACLED layers; COUNTRY=myanmar #5812
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # for comment on PR, follow instruction for: https://github.com/marketplace/actions/sticky-pull-request-comment | |
| name: PRISM CI - API | |
| on: | |
| # Run on all pull requests and on pushes to master. | |
| pull_request: | |
| push: | |
| branches: | |
| - master | |
| jobs: | |
| api_lint: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| python-version: ["3.12"] | |
| # run the matrix jobs one after the other, so they can benefit from caching | |
| max-parallel: 1 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| # Version of Poetry to use | |
| version: 2.3.3 | |
| virtualenvs-create: true | |
| virtualenvs-in-project: true | |
| - name: Install dependencies | |
| run: | | |
| cd api | |
| poetry install | |
| if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true' | |
| - name: Upgrade pip (CVE-2026-1703) | |
| run: | | |
| cd api | |
| poetry run pip install --upgrade 'pip>=26.0' | |
| - name: Check formatting with black and isort | |
| run: | | |
| cd api | |
| poetry run black --check . | |
| poetry run isort --check . | |
| - name: Security audit | |
| run: | | |
| cd api | |
| # NOTE: Temporarily ignoring PYSEC-2025-183; add a tracking issue/plan to remove this ignore. | |
| poetry run pip-audit --desc --format json --ignore-vuln PYSEC-2025-183 > audit_results.json 2>/dev/null || true | |
| python - <<'PY' | |
| import json | |
| import sys | |
| from pathlib import Path | |
| data = json.loads(Path("audit_results.json").read_text() or "{}") | |
| vulnerable_dependencies = [ | |
| dependency | |
| for dependency in data.get("dependencies", []) | |
| if dependency.get("vulns") | |
| ] | |
| if not vulnerable_dependencies: | |
| print("✅ No vulnerabilities found") | |
| sys.exit(0) | |
| print( | |
| f"❌ Found vulnerable packages: {len(vulnerable_dependencies)}" | |
| ) | |
| for dependency in vulnerable_dependencies: | |
| advisory_ids = sorted( | |
| { | |
| advisory | |
| for vuln in dependency["vulns"] | |
| for advisory in [vuln.get("id"), *(vuln.get("aliases") or [])] | |
| if advisory | |
| } | |
| ) | |
| fixed_versions = sorted( | |
| { | |
| version | |
| for vuln in dependency["vulns"] | |
| for version in (vuln.get("fix_versions") or []) | |
| if version | |
| } | |
| ) | |
| print( | |
| f"- {dependency['name']}@{dependency['version']} | " | |
| f"{', '.join(advisory_ids)} | " | |
| f"fix: {', '.join(fixed_versions) or 'none listed'}" | |
| ) | |
| sys.exit(1) | |
| PY | |
| # Trivy: OS + language packages inside the built images (pip-audit above is Poetry-only). | |
| docker_image_cve_scan: | |
| name: Docker CVE scan (${{ matrix.image_label }}) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 90 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - image_label: api | |
| dockerfile: Dockerfile | |
| image_tag: prism-ci-api:trivy | |
| - image_label: export-map-worker | |
| dockerfile: Dockerfile.export-map-worker | |
| image_tag: prism-ci-export-map-worker:trivy | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build ${{ matrix.image_label }} image | |
| run: docker build -f "api/${{ matrix.dockerfile }}" -t "${{ matrix.image_tag }}" api | |
| - name: Trivy vulnerability scan | |
| uses: aquasecurity/trivy-action@v0.36.0 | |
| with: | |
| scan-type: image | |
| image-ref: ${{ matrix.image_tag }} | |
| trivy-config: api/trivy-ci.yaml | |
| vuln-type: os,library | |
| severity: CRITICAL,HIGH | |
| exit-code: "1" | |
| format: table | |
| api_build: | |
| name: build and test api | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Docker Compose | |
| run: | | |
| DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker} | |
| mkdir -p $DOCKER_CONFIG/cli-plugins | |
| curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-`uname -s`-`uname -m` -o $DOCKER_CONFIG/cli-plugins/docker-compose | |
| chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose | |
| docker compose version | |
| - name: Build containers | |
| run: cd api && make ci-build | |
| - name: Run tests | |
| run: cd api && make api-test | |
| # Ephemeral Postgres: alembic upgrade → Node schema contract + worker smoke → API tests | |
| # (alerts CRUD, /stats fixture, admin list routes, alembic_version). | |
| alerts_db_alembic_and_alerting: | |
| runs-on: ubuntu-latest | |
| services: | |
| postgres: | |
| image: postgres:16-alpine | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: postgres | |
| ports: | |
| - 5432:5432 | |
| options: >- | |
| --health-cmd "pg_isready -U postgres" | |
| --health-interval 5s | |
| --health-timeout 5s | |
| --health-retries 10 | |
| env: | |
| PRISM_ALERTS_DATABASE_URL: postgresql://postgres:postgres@localhost:5432/postgres | |
| # Required to import prism_app.main during pytest collection (see docker-compose.yml defaults). | |
| KOBO_USERNAME: kobo_user | |
| KOBO_PASSWORD: test | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - uses: snok/install-poetry@v1 | |
| with: | |
| version: 2.3.3 | |
| virtualenvs-create: true | |
| virtualenvs-in-project: true | |
| - name: Install API dependencies | |
| run: | | |
| cd api | |
| poetry install | |
| - name: Upgrade pip (CVE-2026-1703) | |
| run: | | |
| cd api | |
| poetry run pip install --upgrade 'pip>=26.0' | |
| - name: Alembic upgrade head | |
| run: cd api && poetry run alembic upgrade head | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| - name: Alerting install and DB checks | |
| env: | |
| PUPPETEER_SKIP_DOWNLOAD: "true" | |
| PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: "true" | |
| run: | | |
| cd alerting | |
| yarn install --frozen-lockfile | |
| yarn setup:common | |
| yarn check-alerts-db-contract | |
| yarn smoke-alerts-db-pool | |
| yarn smoke-alerting-workers | |
| - name: API alerts integration tests (same database) | |
| env: | |
| # Ubuntu runner Poetry venv has rasterio but not a full gdal_calc CLI like the API Docker image. | |
| SKIP_GDAL_MASK_STATS_TEST: "1" | |
| run: | | |
| cd api | |
| PYTHONPATH=. poetry run pytest \ | |
| prism_app/tests/test_api.py \ | |
| prism_app/tests/test_alerting.py \ | |
| prism_app/tests/test_alerts_db_integration.py \ | |
| -v --tb=short |