chore: secureli 81 add pypi testing (#88)

This adds a dockerfile for local testing of the pypi package install and
a pipeline job for the same. It also breaks out the "integration"
testing into its own pipeline file. That's mostly just logistics to keep
the pipeline files focused and readable.

.github/workflows/integration-testing.yml

@@ -0,0 +1,55 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+
+name: Integration Testing
+
+on:
+  push:
+    branches:
+      - main
+      - feature/**
+
+jobs:
+  test-homebrew-osx:
+    runs-on: macos-latest
+    steps:
+    - name: Test with Homebrew
+      run: /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+    - name: Install GH
+      run: brew install gh
+    - name: Prep for python 3.11.3 install # Removes python 3.11.3 to avoid conflict with homebrew python
+      run: |
+        rm -rf '/usr/local/bin/2to3'
+        rm -rf '/usr/local/bin/2to3-3.11'
+        rm -rf '/usr/local/bin/idle3'
+        rm -rf '/usr/local/bin/idle3.11'
+        rm -rf '/usr/local/bin/pydoc3'
+        rm -rf '/usr/local/bin/pydoc3.11'
+        rm -rf '/usr/local/bin/python3'
+        rm -rf '/usr/local/bin/python3-config'
+        rm -rf '/usr/local/bin/python3.11'
+        rm -rf '/usr/local/bin/python3.11-config'
+    - name: Set up Secureli
+      run: |
+        brew tap slalombuild/secureli
+        HOMEBREW_NO_AUTO_UPDATE=1 HOMEBREW_NO_INSTALL_CLEANUP=1 HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK=1 brew install secureli
+      # env:
+      #   HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.TAP_TOKEN }}
+    - name: Checkout test repo
+      uses: actions/checkout@v3
+      with:
+        repository: pypa/pip
+        path: pip
+    - name: Init Secureli
+      run: cd pip && secureli init --yes && secureli scan
+  test-pypi-osx:
+    runs-on: macos-latest
+    steps:
+      - name: Test with Pypi
+        run: |
+          pip3 --version #what do we have on the macos image
+          pip3 install secureli
+          git clone https://github.com/pypa/pip pip
+          cd pip
+          secureli init --yes
+          secureli scan  --mode all-files --yes

.github/workflows/secureliCI.yml

@@ -98,35 +98,3 @@ jobs:
       env:
         GH_TOKEN: ${{ secrets.ADMIN_TOKEN_SASCHA }}
       run: ./scripts/secureli-deployment.sh
-  test-osx:
-    runs-on: macos-latest
-    steps:
-    - name: Set up Homebrew
-      run: /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
-    - name: Install GH
-      run: brew install gh
-    - name: Prep for python 3.11.3 install # Removes python 3.11.3 to avoid conflict with homebrew python
-      run: |
-        rm -rf '/usr/local/bin/2to3'
-        rm -rf '/usr/local/bin/2to3-3.11'
-        rm -rf '/usr/local/bin/idle3'
-        rm -rf '/usr/local/bin/idle3.11'
-        rm -rf '/usr/local/bin/pydoc3'
-        rm -rf '/usr/local/bin/pydoc3.11'
-        rm -rf '/usr/local/bin/python3'
-        rm -rf '/usr/local/bin/python3-config'
-        rm -rf '/usr/local/bin/python3.11'
-        rm -rf '/usr/local/bin/python3.11-config'
-    - name: Set up Secureli
-      run: |
-        brew tap slalombuild/secureli
-        HOMEBREW_NO_AUTO_UPDATE=1 HOMEBREW_NO_INSTALL_CLEANUP=1 HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK=1 brew install secureli
-      # env:
-      #   HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.TAP_TOKEN }}
-    - name: Checkout test repo
-      uses: actions/checkout@v3
-      with:
-        repository: pypa/pip
-        path: pip
-    - name: Init Secureli
-      run: cd pip && secureli init --yes && secureli scan

CONTRIBUTING.md

@@ -218,9 +218,13 @@ The project assumes you have a functioning docker install. These have been teste
 
 Current Dockerfiles
 
-- secureli_Dockerfile - builds secureli and runs the same tests and verifications as the cicd pipeline
-- homebrew_Dockerfile: Designed to verify secureli functionality
+- Dockerfile_secureli - builds secureli and runs the same tests and verifications as the cicd pipeline
+- Dockerfile_homebrew: Designed to verify secureli functionality
   - installs Homebrew(linuxbrew) on a Debian images
   - taps our private secureli homebrew tap
   - installs Secureli
   - Checks out the public pip repo, inits secureli into the repo and runs a scan
+- Dockerfile_pypi
+  - installs pip
+  - installs Secureli
+  - Checks out the public pip repo, inits secureli into the repo and runs a scan

Dockerfile_pypi

@@ -0,0 +1,19 @@
+FROM debian
+WORKDIR app
+
+# Install deps
+RUN apt-get update && apt-get autoclean && \
+    apt-get install -y -q software-properties-common gnupg
+
+RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 23F3D4EA75716059
+RUN apt-add-repository https://cli.github.com/packages
+RUN apt-get update
+
+RUN  apt-get install -y -q --allow-unauthenticated gh python3-pip
+
+RUN pip3 --version && pip3 install secureli
+
+RUN git clone https://github.com/pypa/pip pip
+WORKDIR pip
+RUN secureli init --yes
+RUN secureli scan  --mode all-files --yes

pyproject.toml

@@ -13,6 +13,7 @@ secureli = "secureli.main:app"
 coverage = ["test", { cmd = "coverage report" }]
 docker-build-app = "docker build -t secureli . -f Dockerfile_secureli --progress=plain --no-cache"
 docker-build-homebrew = "docker build --build-arg mytoken=$HOMEBREW_GITHUB_API_TOKEN -t homebrew . -f Dockerfile_homebrew --no-cache --progress=plain"
+docker-build-pypi = "docker build -t pypi . -f Dockerfile_pypi --no-cache --progress=plain"
 init = ["install", { cmd = "secureli init -y" }]
 install = "poetry install"
 lint = "black --check ."