-
Notifications
You must be signed in to change notification settings - Fork 12
164 lines (147 loc) · 5.71 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
name: Build
on:
push:
branches:
- develop
- main
- release/**
pull_request:
branches:
- develop
- main
- release/**
workflow_dispatch:
jobs:
phylum-analyze:
if: ${{ github.event.pull_request }}
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
permissions:
id-token: write
pull-requests: write
contents: read
deployments: write
secrets:
phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
with:
phylum_pr_number: ${{ github.event.number }}
phylum_pr_name: ${{ github.head_ref }}
phylum_group_name: dApp-engineering
phylum_project_id: ad50ad22-146e-4339-80ea-d895b4bce133
github_repository: ${{ github.repository }}
add_report_comment_to_pull_request: true
snyk-scan-deps-licences:
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'radix-dapp-toolkit'
step_name: 'snyk-scan-deps-licenses'
secret_prefix: 'SNYK'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- name: Run Snyk to check for deps vulnerabilities
uses: RDXWorks-actions/snyk-actions/node@master
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical
snyk-scan-code:
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'radix-dapp-toolkit'
step_name: 'snyk-scan-code'
secret_prefix: 'SNYK'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- name: Run Snyk to check for code vulnerabilities
uses: RDXWorks-actions/snyk-actions/node@master
continue-on-error: true
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
command: code test
build:
runs-on: ubuntu-latest
needs:
- snyk-scan-deps-licences
- snyk-scan-code
permissions:
id-token: write
contents: read
steps:
- uses: RDXWorks-actions/checkout@main
- name: Use Node.js
uses: RDXWorks-actions/setup-node@main
with:
node-version: '20.x'
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radix-dapp-toolkit-secrets-read-access'
app_name: 'dapp-toolkit'
step_name: 'npm'
secret_prefix: 'GH'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radix-dapp-toolkit/npm-token-A52rl3'
parse_json: true
- name: Authenticate with private NPM package
run: echo "//registry.npmjs.org/:_authToken=${{ env.GH_NPMJS_TOKEN }}" > ~/.npmrc
- name: Install dependencies
run: npm ci
- name: Build
run: npm run build
- name: Run tests
run: npm run test
- name: Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ env.GH_NPMJS_TOKEN }}
run: |
cd packages/dapp-toolkit
npx semantic-release | tee out
echo "RELEASE_VERSION=$(grep 'Created tag ' out | awk -F 'Created tag ' '{print $2}')" >> $GITHUB_ENV
# Snyk SBOM
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'radix-dapp-toolkit'
step_name: 'snyk-sbom'
secret_prefix: 'SNYK'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- name: Generate SBOM
uses: RDXWorks-actions/snyk-actions/node@master
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
command: sbom
- name: Upload SBOM
uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a
with:
files: sbom.json
repo-token: ${{ secrets.GITHUB_TOKEN }}
release-tag: ${{ env.RELEASE_VERSION }}
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'dapp-toolkit'
step_name: 'build'
secret_prefix: 'GH'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD'
parse_json: true
- name: SonarCloud Scan
uses: RDXWorks-actions/sonarcloud-github-action@master
with:
projectBaseDir: ./packages/dapp-toolkit
env:
SONAR_TOKEN: ${{ env.GH_SONAR_TOKEN }}