ci: add pen tests (#1563)

.github/workflows/pen-tests.yml

@@ -0,0 +1,36 @@
+name: Pen Tests
+
+on:
+  # Be careful when using the workflow_run trigger
+  # https://github.community/t/workflow-run-completed-event-triggered-by-failed-workflow/128001/7?u=gao-sun
+  workflow_run:
+    workflows: [ "Release" ]
+    branches:
+      - master
+    types: 
+      - completed
+
+concurrency:
+  group: main-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  zap_scan:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Docker Compose up
+        run: |
+          curl -fsSL https://raw.githubusercontent.com/logto-io/logto/HEAD/docker-compose.yml |\
+          TAG=prerelease docker compose -p logto -f - up -d
+
+      - name: Sleep for 30 seconds
+        run: sleep 30s
+
+      - name: ZAP Scan
+        uses: zaproxy/action-baseline@v0.7.0
+        with:
+          target: http://localhost:3001
+          cmd_options: '-a'
+          fail_action: true

.github/workflows/release.yml

@@ -54,22 +54,6 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
-      - name: Build and export to Docker
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          load: true
-          tags: ${{ env.IMAGE }}:test
-      
-      - name: Compose up
-        run: TAG=test docker compose up -d
-
-      - name: Sleep for 30 seconds
-        run: sleep 30s
-      
-      - name: Health check
-        run: curl http://localhost:3001/api/status -If
-
   create-github-release:
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/')