.github/workflows/build.yml

name: Build

on:
  workflow_dispatch:
    inputs:
      ENVIRONMENT_NAME:
        description: 'Environment Name'
        required: true
        default: Stokenet
        type: choice
        options:
          - Mainnet
          - Stokenet

  push:
    branches:
      - develop
      - release/*
  pull_request:
    branches:
      - develop
      - release/**
  release:
    types: [published]

jobs:
  snyk-scan-deps-licences:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'radix-dapp-toolkit'
          step_name: 'snyk-scan-deps-licenses'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for deps vulnerabilities
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical

  snyk-scan-code:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'radix-dapp-toolkit'
          step_name: 'snyk-scan-code'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for code vulnerabilities
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
          command: code test

  snyk-sbom:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    needs:
      - snyk-scan-deps-licences
      - snyk-scan-code
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'radix-dapp-toolkit'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
          command: sbom

  build:
    runs-on: ubuntu-latest
    needs:
      - snyk-scan-deps-licences
      - snyk-scan-code
    outputs:
      tag: ${{ steps.setup_tags.outputs.tag }}
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c

      - name: Setup tags for docker image
        id: setup_tags
        run: echo "tag=sha-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

      - name: Use Node.js
        uses: actions/setup-node@7c29869aec4da703a571b27bcd84d4f15af0b56e
        with:
          node-version: '18.x'

      - name: Authenticate with private NPM package
        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm run test

      - name: Build
        run: npm run build

      - name: Dump context
        uses: crazy-max/ghaction-dump-context@v2