Skip to content

Remove ACLED layers; COUNTRY=myanmar #5812

Remove ACLED layers; COUNTRY=myanmar

Remove ACLED layers; COUNTRY=myanmar #5812

Workflow file for this run

# for comment on PR, follow instruction for: https://github.com/marketplace/actions/sticky-pull-request-comment
name: PRISM CI - API
on:
# Run on all pull requests and on pushes to master.
pull_request:
push:
branches:
- master
jobs:
api_lint:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.12"]
# run the matrix jobs one after the other, so they can benefit from caching
max-parallel: 1
steps:
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
- name: Install Poetry
uses: snok/install-poetry@v1
with:
# Version of Poetry to use
version: 2.3.3
virtualenvs-create: true
virtualenvs-in-project: true
- name: Install dependencies
run: |
cd api
poetry install
if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
- name: Upgrade pip (CVE-2026-1703)
run: |
cd api
poetry run pip install --upgrade 'pip>=26.0'
- name: Check formatting with black and isort
run: |
cd api
poetry run black --check .
poetry run isort --check .
- name: Security audit
run: |
cd api
# NOTE: Temporarily ignoring PYSEC-2025-183; add a tracking issue/plan to remove this ignore.
poetry run pip-audit --desc --format json --ignore-vuln PYSEC-2025-183 > audit_results.json 2>/dev/null || true
python - <<'PY'
import json
import sys
from pathlib import Path
data = json.loads(Path("audit_results.json").read_text() or "{}")
vulnerable_dependencies = [
dependency
for dependency in data.get("dependencies", [])
if dependency.get("vulns")
]
if not vulnerable_dependencies:
print("✅ No vulnerabilities found")
sys.exit(0)
print(
f"❌ Found vulnerable packages: {len(vulnerable_dependencies)}"
)
for dependency in vulnerable_dependencies:
advisory_ids = sorted(
{
advisory
for vuln in dependency["vulns"]
for advisory in [vuln.get("id"), *(vuln.get("aliases") or [])]
if advisory
}
)
fixed_versions = sorted(
{
version
for vuln in dependency["vulns"]
for version in (vuln.get("fix_versions") or [])
if version
}
)
print(
f"- {dependency['name']}@{dependency['version']} | "
f"{', '.join(advisory_ids)} | "
f"fix: {', '.join(fixed_versions) or 'none listed'}"
)
sys.exit(1)
PY
# Trivy: OS + language packages inside the built images (pip-audit above is Poetry-only).
docker_image_cve_scan:
name: Docker CVE scan (${{ matrix.image_label }})
runs-on: ubuntu-latest
timeout-minutes: 90
strategy:
fail-fast: false
matrix:
include:
- image_label: api
dockerfile: Dockerfile
image_tag: prism-ci-api:trivy
- image_label: export-map-worker
dockerfile: Dockerfile.export-map-worker
image_tag: prism-ci-export-map-worker:trivy
steps:
- uses: actions/checkout@v4
- name: Build ${{ matrix.image_label }} image
run: docker build -f "api/${{ matrix.dockerfile }}" -t "${{ matrix.image_tag }}" api
- name: Trivy vulnerability scan
uses: aquasecurity/trivy-action@v0.36.0
with:
scan-type: image
image-ref: ${{ matrix.image_tag }}
trivy-config: api/trivy-ci.yaml
vuln-type: os,library
severity: CRITICAL,HIGH
exit-code: "1"
format: table
api_build:
name: build and test api
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Docker Compose
run: |
DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
mkdir -p $DOCKER_CONFIG/cli-plugins
curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-`uname -s`-`uname -m` -o $DOCKER_CONFIG/cli-plugins/docker-compose
chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
docker compose version
- name: Build containers
run: cd api && make ci-build
- name: Run tests
run: cd api && make api-test
# Ephemeral Postgres: alembic upgrade → Node schema contract + worker smoke → API tests
# (alerts CRUD, /stats fixture, admin list routes, alembic_version).
alerts_db_alembic_and_alerting:
runs-on: ubuntu-latest
services:
postgres:
image: postgres:16-alpine
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: postgres
ports:
- 5432:5432
options: >-
--health-cmd "pg_isready -U postgres"
--health-interval 5s
--health-timeout 5s
--health-retries 10
env:
PRISM_ALERTS_DATABASE_URL: postgresql://postgres:postgres@localhost:5432/postgres
# Required to import prism_app.main during pytest collection (see docker-compose.yml defaults).
KOBO_USERNAME: kobo_user
KOBO_PASSWORD: test
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- uses: snok/install-poetry@v1
with:
version: 2.3.3
virtualenvs-create: true
virtualenvs-in-project: true
- name: Install API dependencies
run: |
cd api
poetry install
- name: Upgrade pip (CVE-2026-1703)
run: |
cd api
poetry run pip install --upgrade 'pip>=26.0'
- name: Alembic upgrade head
run: cd api && poetry run alembic upgrade head
- uses: actions/setup-node@v4
with:
node-version: "20"
- name: Alerting install and DB checks
env:
PUPPETEER_SKIP_DOWNLOAD: "true"
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: "true"
run: |
cd alerting
yarn install --frozen-lockfile
yarn setup:common
yarn check-alerts-db-contract
yarn smoke-alerts-db-pool
yarn smoke-alerting-workers
- name: API alerts integration tests (same database)
env:
# Ubuntu runner Poetry venv has rasterio but not a full gdal_calc CLI like the API Docker image.
SKIP_GDAL_MASK_STATS_TEST: "1"
run: |
cd api
PYTHONPATH=. poetry run pytest \
prism_app/tests/test_api.py \
prism_app/tests/test_alerting.py \
prism_app/tests/test_alerts_db_integration.py \
-v --tb=short