Add OWASP project schema

.github/labeler.yml

@@ -64,3 +64,16 @@ nginx:
   - changed-files:
       - any-glob-to-any-file:
           - 'nginx/**'
+
+schema:
+  - all:
+      - changed-files:
+          - any-glob-to-any-file:
+              - 'schema/**'
+          - all-globs-to-all-files:
+              - '!schema/tests/**'
+
+schema-tests:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'schema/tests/**'

.github/workflows/pr-labeler.yaml → .github/workflows/label-pull-requests.yaml

@@ -1,4 +1,4 @@
-name: 'Pull Request Labeler'
+name: Label Pull Requests
 
 on:
   - pull_request_target

.github/workflows/ci-cd.yaml → .github/workflows/run-ci-cd.yaml

@@ -1,4 +1,4 @@
-name: CI/CD
+name: Run CI/CD
 
 on:
   merge_group:
@@ -7,11 +7,13 @@ on:
       - main
     paths-ignore:
       - backend/data/nest.json.gz
+      - schema/*
   push:
     branches:
       - main
     paths-ignore:
       - backend/data/nest.json.gz
+      - schema/*
   release:
     types:
       - published

.github/workflows/sync.yaml → .github/workflows/sync-nest-data.yaml

@@ -1,4 +1,4 @@
-name: Sync data
+name: Sync Nest data
 
 on:
   schedule:

.github/workflows/test-schema.yaml

@@ -0,0 +1,112 @@
+name: Test OWASP Schema
+
+on:
+  merge_group:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - schema/**
+  push:
+    branches:
+      - main
+    paths:
+      - schema/**
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.ref }}
+
+env:
+  DOCKERHUB_USERNAME: arkid15r
+  FORCE_COLOR: 1
+
+jobs:
+  pre-commit:
+    name: Run pre-commit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Install Poetry
+        run: pipx install poetry
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          cache: poetry
+          cache-dependency-path: schema/poetry.lock
+          python-version: '3.13'
+
+      - name: Run pre-commit
+        uses: pre-commit/[email protected]
+
+      - name: Check for uncommitted changes
+        run: |
+          git diff --exit-code || (echo 'Unstaged changes detected. \
+          Run `make check` and use `git add` to address it.' && exit 1)
+
+  code-ql:
+    name: CodeQL
+    permissions:
+      security-events: write
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language:
+          - python
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:${{ matrix.language }}'
+
+  spellcheck:
+    name: Run spell check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Run cspell
+        run: |
+          make spellcheck
+
+  run-schema-tests:
+    name: Run schema tests
+    needs:
+      - pre-commit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build schema test image
+        uses: docker/build-push-action@v6
+        with:
+          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-schema:cache
+          context: schema
+          file: schema/Dockerfile.test
+          load: true
+          platforms: linux/amd64
+          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-schema:latest
+
+      - name: Run schema tests
+        run: |
+          docker run ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-schema:latest poetry run pytest

.github/workflows/nest-test-image-updater.yaml → .github/workflows/update-nest-test-images.yaml

@@ -11,7 +11,7 @@ env:
 
 jobs:
   update-nest-test-images:
-    name: Update Nest test image
+    name: Update Nest test images
     if: ${{ github.repository == 'OWASP/Nest' }}
     runs-on: ubuntu-latest
     steps:
@@ -26,7 +26,7 @@ jobs:
           username: ${{ env.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Build backend test image
+      - name: Update backend test image
         uses: docker/build-push-action@v6
         with:
           cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-backend:cache
@@ -37,7 +37,7 @@ jobs:
           push: true
           tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-backend:latest
 
-      - name: Build frontend test image
+      - name: Update frontend test image
         uses: docker/build-push-action@v6
         with:
           cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-frontend:cache
@@ -47,3 +47,14 @@ jobs:
           platforms: linux/amd64
           push: true
           tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-frontend:latest
+
+      - name: Update schema test image
+        uses: docker/build-push-action@v6
+        with:
+          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-schema:cache
+          cache-to: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-schema:cache,mode=max
+          context: schema
+          file: schema/Dockerfile.test
+          platforms: linux/amd64
+          push: true
+          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-schema:latest

.gitignore

@@ -19,7 +19,6 @@ venv/
 *.log
 backend/.venv
 backend/staticfiles
-backend/venv
 frontend/.npm
 frontend/coverage
 frontend/dist
@@ -28,5 +27,6 @@ frontend/npm-debug.log*
 frontend/pnpm-debug.log*
 frontend/yarn-debug.log*
 frontend/yarn-error.log*
+schema/.venv
 logs
 TODO

Makefile

@@ -1,6 +1,7 @@
 include backend/Makefile
 include cspell/Makefile
 include frontend/Makefile
+include schema/Makefile
 
 build:
 	@docker compose build

schema/Dockerfile.test

@@ -0,0 +1,23 @@
+FROM python:3.13-slim
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN groupadd owasp && \
+    useradd --create-home --home-dir /home/owasp -g owasp owasp && \
+    apt-get update && apt-get upgrade -y && \
+    apt-get install -y gcc libpq-dev && \
+    apt-get clean -y && rm -rf /var/lib/apt/lists/* && \
+    python -m pip install --no-cache-dir poetry
+
+ENV FORCE_COLOR=1
+ENV PYTHONUNBUFFERED=1
+
+WORKDIR /home/owasp
+
+USER owasp
+
+COPY poetry.lock pyproject.toml ./
+RUN poetry install --no-root
+
+COPY project.json project.json
+COPY tests tests

schema/Makefile

@@ -0,0 +1,3 @@
+test-schema:
+	@docker build -f schema/Dockerfile.test schema -t nest-test-schema
+	@docker run nest-test-schema poetry run pytest