[ABW-3918] Security Factors redesign (#1413) #6080
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: | |
types: | |
- ready_for_review | |
- synchronize | |
- opened | |
push: | |
branches: | |
- main | |
concurrency: | |
group: ${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
snyk_scan: | |
if: > | |
( github.event.action == 'opened' && github.event.pull_request.draft == false ) || | |
( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || | |
( github.event.action == 'ready_for_review' ) || | |
( github.event_name == 'push' && github.ref == 'refs/heads/main' ) | |
permissions: | |
id-token: write | |
contents: read | |
name: "Snyk scan" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: RDXWorks-actions/setup-node@main | |
with: | |
node-version: '14' | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.GH_COMMON_SECRETS_READ_ACCESS }} | |
app_name: 'babylon-wallet-ios' | |
step_name: 'snyk-scan' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- name: Install snyk | |
run: | | |
npm install snyk -g | |
snyk -v | |
snyk auth ${{ env.SNYK_TOKEN }} | |
- name: Snyk deps and licences scan | |
run: | | |
timeout 300 snyk test --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=high || [ "$?" = "124" ] | |
- name: Snyk code scan | |
continue-on-error: true | |
run: | | |
timeout 300 snyk code test --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=high || [ "$?" = "124" ] | |
snyk_sbom: | |
if: > | |
( github.event.action == 'opened' && github.event.pull_request.draft == false ) || | |
( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || | |
( github.event.action == 'ready_for_review' ) || | |
( github.event_name == 'push' && github.ref == 'refs/heads/main' ) | |
permissions: | |
id-token: write | |
contents: read | |
name: "Snyk SBOM" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: RDXWorks-actions/setup-node@main | |
with: | |
node-version: '14' | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.GH_COMMON_SECRETS_READ_ACCESS }} | |
app_name: 'babylon-wallet-ios' | |
step_name: 'snyk_sbom' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }} | |
app_name: 'babylon-wallet-ios' | |
step_name: 'snyk_sbom' | |
secret_prefix: 'WALLET' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET }} | |
parse_json: true | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }} | |
app_name: 'babylon-wallet-ios' | |
step_name: 'unit_test' | |
secret_prefix: 'SWIFT_ENGINE_TOOLKIT_SSH_KEY' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET_SWIFT_SSH }} | |
parse_json: true | |
- uses: RDXWorks-actions/ssh-agent@master | |
with: | |
ssh-private-key: | | |
${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} | |
- name: Install snyk | |
run: | | |
npm install snyk -g | |
snyk -v | |
snyk auth ${{ env.SNYK_TOKEN }} | |
- name: Generate SBOM # check SBOM can be generated but nothing is done with it | |
run: | | |
snyk sbom --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json | |
linting: | |
name: "Linting" | |
if: > | |
( github.event.action == 'opened' && github.event.pull_request.draft == false ) || | |
( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || | |
( github.event.action == 'ready_for_review' ) || | |
( github.event_name == 'push' && github.ref == 'refs/heads/main' ) | |
runs-on: macos-15-xlarge | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- name: "Run Lint" | |
run: | | |
brew update | |
brew upgrade swiftformat | |
swiftformat . --lint | |
unit_test: | |
if: > | |
( github.event.action == 'opened' && github.event.pull_request.draft == false ) || | |
( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || | |
( github.event.action == 'ready_for_review' ) || | |
( github.event_name == 'push' && github.ref == 'refs/heads/main' ) | |
permissions: | |
id-token: write | |
contents: read | |
checks: write | |
name: "Unit test" | |
runs-on: macos-15-xlarge | |
timeout-minutes: 20 | |
needs: | |
- linting | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- name: Configure AWS credentials to fetch secrets | |
uses: RDXWorks-actions/configure-aws-credentials@main | |
with: | |
role-to-assume: ${{ secrets.GH_WALLET_SECRET_ACCESS }} | |
aws-region: "eu-west-2" | |
role-session-name: 'babylon-wallet-ios-${{ github.run_id }}-${{ github.run_attempt }}' | |
- name: Fetch AWS secrets | |
uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main | |
with: | |
secret-ids: | | |
WALLET, ${{ secrets.AWS_SECRET_NAME_WALLET }} | |
parse-json-secrets: true | |
- name: Fetch AWS secrets | |
uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main | |
with: | |
secret-ids: | | |
SWIFT_ENGINE_TOOLKIT_SSH_KEY, ${{ secrets.AWS_SECRET_NAME_WALLET_SWIFT_SSH }} | |
parse-json-secrets: true | |
- name: Fetch AWS secrets | |
uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main | |
with: | |
secret-ids: | | |
FASTLANE_MATCH_REPO_SSH_KEY, ${{ secrets.AWS_SECRET_NAME_WALLET_FASTLANE_SSH }} | |
parse-json-secrets: true | |
- uses: RDXWorks-actions/ssh-agent@master | |
with: | |
ssh-private-key: | | |
${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} | |
${{ env.FASTLANE_MATCH_REPO_SSH_KEY }} | |
- uses: RDXWorks-actions/setup-xcode@master | |
with: | |
xcode-version: "16.0.0" | |
- name: "Set up ruby" | |
uses: RDXWorks-actions/setup-ruby@master | |
with: | |
ruby-version: 3.1.2 | |
bundler-cache: true | |
- name: "Install additional deps" | |
run: | | |
echo "${{ env.WALLET_FASTLANE_SECRETS_BASE64 }}" | base64 --decode > fastlane/.env.secret | |
brew install xcbeautify | |
- name: "Unit tests" | |
run: | | |
defaults write com.apple.dt.Xcode IDESkipMacroFingerprintValidation -bool YES | |
bundle exec fastlane tests | |
- name: Upload results | |
uses: RDXWorks-actions/[email protected] | |
with: | |
path: build/test_output/results.xcresult | |
show-passed-tests: false | |
show-code-coverage: true | |
if: success() || failure() | |
snyk_online_monitor: | |
permissions: | |
id-token: write | |
contents: read | |
name: "Snyk monitoring" | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
needs: | |
- unit_test | |
- snyk_scan | |
- snyk_sbom | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: RDXWorks-actions/setup-node@main | |
with: | |
node-version: '14' | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.GH_COMMON_SECRETS_READ_ACCESS }} | |
app_name: 'babylon-wallet-ios' | |
step_name: 'snyk_online_monitor' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }} | |
app_name: 'babylon-wallet-ios' | |
step_name: 'snyk_online_monitor' | |
secret_prefix: 'WALLET' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET }} | |
parse_json: true | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }} | |
app_name: 'babylon-wallet-ios' | |
step_name: 'unit_test' | |
secret_prefix: 'SWIFT_ENGINE_TOOLKIT_SSH_KEY' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET_SWIFT_SSH }} | |
parse_json: true | |
- uses: RDXWorks-actions/ssh-agent@master | |
with: | |
ssh-private-key: | | |
${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} | |
- name: Install snyk | |
run: | | |
npm install snyk -g | |
snyk -v | |
snyk auth ${{ env.SNYK_TOKEN }} | |
- name: Enable Snyk online monitoring to check for vulnerabilities | |
run: | | |
snyk monitor --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} | |
# snapshot_tests: | |
# name: "Snapshot tests" | |
# runs-on: macos-12 | |
# needs: | |
# - assertFormated | |
# steps: | |
# - uses: RDXWorks-actions/checkout@main | |
# - name: "Run snapshot tests" | |
# run: echo "Runing snapshot tests" # JUST A PLACEHOLDER, NEEDS TO BE REPLACED | |
# ui_tests: | |
# name: "UI tests" | |
# runs-on: macos-12 | |
# needs: | |
# - assertFormated | |
# steps: | |
# - uses: RDXWorks-actions/checkout@main | |
# - name: "Run UI tests" | |
# run: echo "Runing UI tests" # JUST A PLACEHOLDER, NEEDS TO BE REPLACED |