335 changes: 224 additions & 111 deletions .github/workflows/ci-cd-tests.yml


24 changes: 12 additions & 12 deletions .github/workflows/ci-contract-tests.yml
Expand Up @@ -25,9 +25,9 @@ permissions:
jobs:
contract-tests:
name: Contract & Version Consistency
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v7.0.0

- name: Install yq
run: |
Expand All @@ -45,11 +45,11 @@ jobs:

terraform-validate:
name: Terraform Validate (offline)
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v7.0.0

- uses: hashicorp/setup-terraform@v4.0.0
- uses: hashicorp/setup-terraform@v4.0.1

- name: Terraform fmt check
run: terraform fmt -check -recursive terraform/
Expand All @@ -59,9 +59,9 @@ jobs:

k8s-manifest-validate:
name: K8s Manifest Schema Validation
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v7.0.0

- name: Install kubeconform
run: |
Expand All @@ -83,9 +83,9 @@ jobs:

tflint:
name: TFLint
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v7.0.0

- uses: terraform-linters/setup-tflint@v4

Expand All @@ -106,12 +106,12 @@ jobs:

full-bats-suite:
name: Full BATS Test Suite
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v7.0.0

- name: Set up Go
uses: actions/setup-go@v6.4.0
uses: actions/setup-go@v6.5.0
with:
go-version: '1.25'
cache-dependency-path: console/go.sum
26 changes: 13 additions & 13 deletions .github/workflows/console-ci.yml
Expand Up @@ -58,13 +58,13 @@ jobs:
# Lint and format check job
lint:
name: Lint and Format Check
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Set up Go
uses: actions/setup-go@v6.4.0
uses: actions/setup-go@v6.5.0
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: console/go.sum
Expand Down Expand Up @@ -97,13 +97,13 @@ jobs:
# Unit test job
test:
name: Unit Tests
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Set up Go
uses: actions/setup-go@v6.4.0
uses: actions/setup-go@v6.5.0
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: console/go.sum
Expand Down Expand Up @@ -135,9 +135,9 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [ubuntu-24.04, macos-14, macos-15]
os: [ubuntu-26.04, macos-14, macos-15]
include:
- os: ubuntu-24.04
- os: ubuntu-26.04
goos: linux
goarch: amd64
artifact_name: linux-amd64
Expand All @@ -152,10 +152,10 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Set up Go
uses: actions/setup-go@v6.4.0
uses: actions/setup-go@v6.5.0
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: console/go.sum
Expand Down Expand Up @@ -211,13 +211,13 @@ jobs:
# Security scanning job - ZERO-TOLERANCE policy
security:
name: Security Scan (Zero-Tolerance)
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Set up Go
uses: actions/setup-go@v6.4.0
uses: actions/setup-go@v6.5.0
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: console/go.sum
14 changes: 7 additions & 7 deletions .github/workflows/manual-releases.yml
Expand Up @@ -62,7 +62,7 @@ jobs:
# Job 1: Determine release type and validate inputs
# This job processes the workflow inputs and determines the appropriate version bump
determine-release-type:
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
outputs:
release-type: ${{ steps.determine-type.outputs.release-type }} # Type of release (major/minor/patch)
bump-version: ${{ steps.determine-type.outputs.bump-version }} # Version bump type for semver
Expand All @@ -88,13 +88,13 @@ jobs:
# since the last tagged release
check-changes:
needs: determine-release-type # Wait for release type determination
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
outputs:
has-changes: ${{ steps.check-changes.outputs.has-changes }} # Boolean indicating if changes exist
last-tag: ${{ steps.check-changes.outputs.last-tag }} # Last release tag for reference
steps:
# Step 1: Checkout repository with full history for change detection
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v7.0.0
with:
fetch-depth: 0 # Fetch complete git history for change detection
token: ${{ secrets.GITHUB_TOKEN }}
Expand Down Expand Up @@ -129,20 +129,20 @@ jobs:
create-release:
needs: [determine-release-type, check-changes] # Wait for previous jobs
if: needs.check-changes.outputs.has-changes == 'true' # Only run if changes exist
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
outputs:
new-version: ${{ steps.new-version.outputs.new-version }} # Calculated new version
release-url: ${{ steps.create-release.outputs.html_url }} # GitHub release URL
steps:
# Step 1: Checkout repository with full history for release creation
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v7.0.0
with:
fetch-depth: 0 # Fetch complete git history for release notes
token: ${{ secrets.GITHUB_TOKEN }}

# Step 2: Set up Python environment for semantic versioning
- name: Setup Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v6.3.0
with:
python-version: ${{ env.PYTHON_VERSION }}

Expand Down Expand Up @@ -325,7 +325,7 @@ jobs:
# and generates detailed summaries for both successful and failed releases
notify-completion:
needs: [determine-release-type, check-changes, create-release] # Wait for all previous jobs
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
if: always() # Run regardless of previous job outcomes
steps:
# Step 1: Generate comprehensive workflow summary
10 changes: 5 additions & 5 deletions .github/workflows/monthly-version-check.yml
Expand Up @@ -61,8 +61,8 @@ on:
env:
VERSION_CHECK_ENABLED: "true" # Enable version checking functionality
LOG_LEVEL: INFO # Logging level for detailed output
TF_VERSION: "1.15.0" # Terraform version for infrastructure checks
KUBECTL_VERSION: "v1.36.0" # kubectl version for Kubernetes checks
TF_VERSION: "1.15.7" # Terraform version for infrastructure checks
KUBECTL_VERSION: "v1.36.2" # kubectl version for Kubernetes checks

# Authentication Note:
# This repository now prefers GitHub OIDC → AWS IAM role.
Expand All @@ -87,13 +87,13 @@ jobs:
steps:
# Step 1: Checkout repository with full history for version analysis
- name: Checkout Repository
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0
with:
fetch-depth: 0 # Fetch complete git history for comprehensive analysis

# Step 2: Set up Terraform for infrastructure version checking
- name: Setup Terraform
uses: hashicorp/setup-terraform@v4.0.0
uses: hashicorp/setup-terraform@v4.0.1
with:
terraform_version: ${{ env.TF_VERSION }}

Expand Down Expand Up @@ -519,7 +519,7 @@ jobs:
# This job runs after the version-check job and provides feedback about the process
notification:
name: Send Notifications
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
needs: version-check # Wait for version-check job to complete
if: always() # Run regardless of version-check outcome

47 changes: 24 additions & 23 deletions .github/workflows/security-comprehensive.yml
Expand Up @@ -52,10 +52,10 @@ permissions:

env:
# Tool versions for reproducibility (synced with versions.yaml)
TRIVY_VERSION: '0.70.0'
CHECKOV_VERSION: '3.2.526'
TRIVY_VERSION: '0.72.0'
CHECKOV_VERSION: '3.3.6'
KICS_VERSION: 'v2.1.20'
GOSEC_VERSION: 'v2.26.1'
GOSEC_VERSION: 'v2.27.1'
PYTHON_VERSION: '3.14'
GO_VERSION: '1.25'

Expand All @@ -65,12 +65,12 @@ jobs:
# =====================================================================
trivy-scan:
name: Trivy Security Scan (Zero-Tolerance)
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'trivy' || github.event_name != 'workflow_dispatch' }}

steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Run Trivy filesystem scan (STRICT)
uses: aquasecurity/trivy-action@master
Expand Down Expand Up @@ -139,15 +139,15 @@ jobs:
# =====================================================================
checkov-scan:
name: Checkov IaC Scan (Zero-Tolerance)
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'checkov' || github.event_name != 'workflow_dispatch' }}

steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Set up Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v6.3.0
with:
python-version: ${{ env.PYTHON_VERSION }}

Expand Down Expand Up @@ -246,12 +246,12 @@ jobs:
# =====================================================================
kics-scan:
name: KICS IaC Scan (Zero-Tolerance)
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'kics' || github.event_name != 'workflow_dispatch' }}

steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Run KICS scan
uses: Checkmarx/kics-github-action@v2.1.20
Expand Down Expand Up @@ -295,34 +295,35 @@ jobs:
# =====================================================================
bandit-scan:
name: Bandit Python Scan (Zero-Tolerance)
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'bandit' || github.event_name != 'workflow_dispatch' }}

steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Set up Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@v6.3.0
with:
python-version: ${{ env.PYTHON_VERSION }}

- name: Install Bandit
run: pip install bandit[toml] sarif-om jschema-to-python

- name: Run Bandit on warp project
- name: Run Bandit on Python projects (warp + openemr_dr)
run: |
echo "🔍 Running Bandit Python Security Scanner..."
bandit -r warp/ \
bandit -r warp/ scripts/openemr_dr/ \
-c scripts/openemr_dr/pyproject.toml \
-f sarif \
-o bandit-results.sarif \
--severity-level low \
--confidence-level low \
-x '**/tests/**,**/test_*.py,**/*_test.py' \
2>&1 | tee bandit-results.txt || true

# Also run with text output
bandit -r warp/ \
bandit -r warp/ scripts/openemr_dr/ \
-c scripts/openemr_dr/pyproject.toml \
-f txt \
--severity-level low \
--confidence-level low \
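Review bot: The added `-c scripts/openemr_dr/pyproject.toml` on both bandit invocations applies one sub-project's Bandit configuration to `warp/` as well, so any `skips`, `exclude_dirs` or severity settings in that file's `[tool.bandit]` table (not visible here) now govern the warp scan too and can quietly narrow a scan labelled zero-tolerance. Either invoke Bandit once per tree with that tree's own config, or keep a single repository-level Bandit config and point `-c` at it, so the scope of each scan is explicit. The context line `2>&1 | tee bandit-results.txt || true` means this SARIF pass never fails the step on findings; presumably enforcement happens later in the `run:` block, which continues outside the hunk, so it is worth confirming which invocation actually gates. In the trivy-scan hunk above, `aquasecurity/trivy-action@master` is still a floating branch reference while every other action this commit touches is pinned to a release tag; pinning it (ideally all actions) to a full commit SHA would close that remaining mutable-reference gap in the supply chain.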
Expand Down Expand Up @@ -364,15 +365,15 @@ jobs:
# =====================================================================
gosec-scan:
name: gosec Go Security Scan (Zero-Tolerance)
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'gosec' || github.event_name != 'workflow_dispatch' }}

steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Set up Go
uses: actions/setup-go@v6.4.0
uses: actions/setup-go@v6.5.0
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: console/go.sum
Expand Down Expand Up @@ -422,12 +423,12 @@ jobs:
# =====================================================================
shellcheck-scan:
name: ShellCheck Shell Scan (Zero-Tolerance)
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'shellcheck' || github.event_name != 'workflow_dispatch' }}

steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0

- name: Install ShellCheck
run: |
Expand Down Expand Up @@ -473,7 +474,7 @@ jobs:
# =====================================================================
security-summary:
name: Security Summary & Enforcement
runs-on: ubuntu-24.04
runs-on: ubuntu-26.04
needs: [trivy-scan, checkov-scan, kics-scan, bandit-scan, gosec-scan, shellcheck-scan]
if: always()
