[ABW-3847] Integrate sargon logic for security problems in Android wallet #5515
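---
# CI for the Android wallet: Snyk dependency/licence, code and SBOM scans,
# unit tests, static analysis + SonarCloud, a debug build and, on pushes to
# main, Snyk online monitoring.
#
# All third-party credentials (Snyk, GPR, Crashlytics, AppsFlyer, Sonar) are
# fetched at run time by the fetch-secrets action, which assumes an IAM role
# via OIDC (hence `id-token: write`) and exposes the values through the `env`
# context with the given `secret_prefix`. The only values read from repository
# secrets are the role names.
#
# NOTE(review): every action is referenced by a floating branch (`@main`,
# `@master`), so the code executed by each step can change without a change
# to this file. Pinning to a commit SHA is the usual mitigation; left as-is
# here because the pinned revisions are not known from this file.
name: "Test and build"

# `on` is parsed as the boolean true by generic YAML 1.1 loaders; GitHub's
# loader handles it, so keep the key as written.
on:
  pull_request:
  push:
    branches:
      - main

# Workflow-wide token scope: read-only repository/PR access plus an OIDC
# token for the fetch-secrets role assumption. Jobs below may narrow this.
permissions:
  id-token: write
  contents: read
  pull-requests: read

jobs:
  cancel:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      actions: write  # needed to cancel earlier in-flight runs of this workflow
    steps:
      - name: Cancel Previous Runs
        uses: RDXWorks-actions/cancel-workflow-action@main

  snyk_scan_deps_licences:
    name: "Snyk deps/licenses"
    runs-on: ubuntu-latest
    steps:
      - uses: RDXWorks-actions/checkout@main
      - name: Fetch Snyk credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'snyk-licenses'
          secret_prefix: 'SNYK'
          secret_name: "github-actions/common/snyk-credentials"
          parse_json: true
      # Only critical findings fail this job; lower severities are reported
      # but do not block.
      - name: Run Snyk to check for deps vulnerabilities
        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
        with:
          args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=critical
        env:
          SNYK_TOKEN: ${{ env.SNYK_TOKEN }}

  snyk_scan_code:
    name: "Snyk code"
    runs-on: ubuntu-latest
    steps:
      - uses: RDXWorks-actions/checkout@main
      - name: Fetch Snyk credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'snyk-licenses'
          secret_prefix: 'SNYK'
          secret_name: "github-actions/common/snyk-credentials"
          parse_json: true
      # `continue-on-error: true` makes Snyk Code findings advisory: the step
      # is marked failed in the UI but the job, and therefore the `build`
      # job that depends on it, still succeeds.
      - name: Run Snyk to check for code vulnerabilities
        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
        continue-on-error: true
        with:
          args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=high
          command: code test
        env:
          SNYK_TOKEN: ${{ env.SNYK_TOKEN }}

  snyk_sbom:
    name: "Snyk SBOM"
    runs-on: ubuntu-latest
    steps:
      - uses: RDXWorks-actions/checkout@main
      - name: Fetch Snyk credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'snyk-licenses'
          secret_prefix: 'SNYK'
          secret_name: "github-actions/common/snyk-credentials"
          parse_json: true
      # The AppsFlyer key is required for the Gradle project to configure, so
      # it is fetched even though this job only generates an SBOM.
      - name: Fetch AppsFlyer credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'sbom-flyers'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
          parse_json: true
      - name: Output AppsFlyer secret to file
        shell: bash
        # Read the key from the step environment rather than expanding
        # `${{ env.* }}` into the script text: the secret value then never
        # becomes part of the shell source, so it cannot be interpreted as
        # shell syntax and does not appear in the rendered script.
        run: |
          mkdir -p config/secrets/
          echo "appsFlyerDevKey=$GH_APPS_FLYER_DEV_KEY" > config/secrets/secrets.properties
      # check SBOM can be generated but nothing is done with it
      # NOTE(review): the `> sbom.json` redirect inside `args` only takes
      # effect if the action passes its arguments through a shell — confirm;
      # either way the file is not uploaded as an artifact.
      - name: Generate SBOM
        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
        with:
          args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
          command: sbom
        env:
          SNYK_TOKEN: ${{ env.SNYK_TOKEN }}

  unit_tests:
    name: "Unit tests"
    runs-on: ubuntu-latest
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: RDXWorks-actions/setup-java@main
        with:
          distribution: 'zulu'  # See 'Supported distributions' for available options
          java-version: '17'
      - name: Fetch GPR credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'unit-gpr'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
          parse_json: true
      - name: Fetch Crashlytics info
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'unit-crash'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
          parse_json: true
      - name: Fetch AppsFlyer credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'unit-flyers'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
          parse_json: true
      - name: Output AppsFlyer secret to file
        shell: bash
        # Same pattern as in snyk_sbom: the secret is read from the step
        # environment, not expanded into the script text.
        run: |
          mkdir -p config/secrets/
          echo "appsFlyerDevKey=$GH_APPS_FLYER_DEV_KEY" > config/secrets/secrets.properties
      - name: Decode Firebase Crashlytics json
        uses: RDXWorks-actions/base64-to-file@main
        id: crashlytics_credentials
        with:
          fileName: "google-services.json"
          fileDir: "app/"
          encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
      - name: "Run unit tests"
        run: ./gradlew testDebugUnitTest
        env:
          GPR_USER: ${{ env.GH_GPR_USER }}
          GPR_TOKEN: ${{ env.GH_GPR_TOKEN }}

  static_analysis:
    name: "Static analysis and SonarCloud"
    # NOTE(review): the original comment stated that jacoco runs the unit
    # tests, which depend on sargon-desktop and therefore need macOS, yet the
    # job runs on ubuntu-latest — confirm which of the two is intended.
    runs-on: ubuntu-latest
    # A failure of this job does not fail the workflow: detekt, jacoco and
    # Sonar results are advisory.
    continue-on-error: true
    steps:
      - uses: RDXWorks-actions/checkout@main
        with:
          fetch-depth: 0  # full history so Sonar can attribute blame/new code
      - uses: RDXWorks-actions/setup-java@main
        with:
          distribution: 'zulu'  # See 'Supported distributions' for available options
          java-version: '17'
      - name: Fetch GPR credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'sonar'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
          parse_json: true
      - name: Fetch Sonar token
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'sonar-1'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/sonar-token"
          parse_json: true
      - name: Fetch Crashlytics info
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'static-crash'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
          parse_json: true
      - name: Decode Firebase Crashlytics json
        uses: RDXWorks-actions/base64-to-file@main
        id: crashlytics_credentials
        with:
          fileName: "google-services.json"
          fileDir: "app/"
          encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
      - name: Fetch AppsFlyer credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'sonar-flyers'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
          parse_json: true
      - name: Output AppsFlyer secret to file
        shell: bash
        # Same pattern as in snyk_sbom: the secret is read from the step
        # environment, not expanded into the script text.
        run: |
          mkdir -p config/secrets/
          echo "appsFlyerDevKey=$GH_APPS_FLYER_DEV_KEY" > config/secrets/secrets.properties
      # Re-export the fetched credentials under the names the Gradle plugins
      # read, for all following steps of this job. The values are taken from
      # the step environment so they are never spliced into the script text.
      - name: Export vars
        run: |
          echo "GPR_USER=$GH_GPR_USER" >> "$GITHUB_ENV"
          echo "GPR_TOKEN=$GH_GPR_TOKEN" >> "$GITHUB_ENV"
          echo "SONAR_TOKEN=$GH_SONAR_TOKEN" >> "$GITHUB_ENV"
      # The bare `env` dump that preceded this command was removed: it printed
      # the entire step environment, including GPR_TOKEN and SONAR_TOKEN
      # exported above, into the job log.
      - name: "Run detekt"
        run: |
          ./gradlew detektMain
      - name: "Run jacoco"
        run: |
          ./gradlew jacocoTestReport
      - name: "Run Sonarcloud"
        run: |
          ./gradlew sonarqube

  build:
    name: "Build"
    runs-on: ubuntu-latest
    # unit_tests and static_analysis are not gates: the build runs (and the
    # workflow can go green) even if they fail. Uncomment to make them block.
    needs:
      # - unit_tests
      # - static_analysis
      - snyk_scan_deps_licences
      - snyk_scan_code
      - snyk_sbom
    steps:
      - uses: RDXWorks-actions/checkout@main
      # Debugging aid; presumably prints the workflow contexts to the job log.
      - name: Dump context
        uses: RDXWorks-actions/ghaction-dump-context@master
      - uses: RDXWorks-actions/setup-java@main
        with:
          distribution: 'zulu'  # See 'Supported distributions' for available options
          java-version: '17'
      - name: Fetch GPR credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'build'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
          parse_json: true
      - name: Fetch Crashlytics info
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'build-crash'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
          parse_json: true
      - name: Decode Firebase Crashlytics json
        uses: RDXWorks-actions/base64-to-file@main
        id: crashlytics_credentials
        with:
          fileName: "google-services.json"
          fileDir: "app/"
          encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
      - name: Fetch AppsFlyer credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'build-flyers'
          secret_prefix: 'GH'
          secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
          parse_json: true
      - name: Output AppsFlyer secret to file
        shell: bash
        # Same pattern as in snyk_sbom: the secret is read from the step
        # environment, not expanded into the script text.
        run: |
          mkdir -p config/secrets/
          echo "appsFlyerDevKey=$GH_APPS_FLYER_DEV_KEY" > config/secrets/secrets.properties
      - name: "Build"
        run: |
          ./gradlew assembleDebug
        env:
          GPR_USER: ${{ env.GH_GPR_USER }}
          GPR_TOKEN: ${{ env.GH_GPR_TOKEN }}

  snyk_online_monitor:
    name: "Snyk monitoring"
    runs-on: ubuntu-latest
    # Only the main branch is registered for continuous monitoring.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - build
    steps:
      - uses: RDXWorks-actions/checkout@main
      - name: Fetch Snyk credentials
        uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
          app_name: 'wallet-android'
          step_name: 'snyk-licenses'
          secret_prefix: 'SNYK'
          secret_name: "github-actions/common/snyk-credentials"
          parse_json: true
      - name: Enable Snyk online monitoring to check for vulnerabilities
        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
        with:
          args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }}
          command: monitor
        env:
          SNYK_TOKEN: ${{ env.SNYK_TOKEN }}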