From 0f5ff532cf1b12914f7e125882cf3027cb4d1f8b Mon Sep 17 00:00:00 2001 From: Duje Begonja Date: Tue, 26 Nov 2024 11:06:11 -0500 Subject: [PATCH] merge workflow --- .github/workflows/build.yml | 62 ++++++++++++--------- .github/workflows/connect-button-ci.yml | 2 +- .github/workflows/release.yml | 74 ------------------------- 3 files changed, 37 insertions(+), 101 deletions(-) delete mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b30b38af..ff6b28c7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,7 @@ on: branches: - '**' pull_request: + workflow_dispatch: jobs: phylum-analyze: @@ -26,6 +27,7 @@ jobs: add_report_comment_to_pull_request: true snyk-scan-deps-licences: + if: ${{ !github.event.pull_request }} runs-on: ubuntu-latest permissions: id-token: write @@ -48,6 +50,7 @@ jobs: args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical snyk-scan-code: + if: ${{ !github.event.pull_request }} runs-on: ubuntu-latest permissions: id-token: write 
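Review bot: The new `if: ${{ !github.event.pull_request }}` on `snyk-scan-deps-licences` switches the Snyk dependency and licence scan off for every `pull_request` run without saying why, and the same line is added to `snyk-scan-code` in the next hunk and to `build` in the one after. If the aim is to avoid duplicate runs because branch pushes already trigger the workflow, note that a pull request opened from a fork produces no push run in this repository, so such a change would reach review with no Snyk result and no build. I would state the intent in a comment above each condition and write the test explicitly as `if: github.event_name != 'pull_request'`, which does not depend on the truthiness of a payload object. The job bodies continue outside these hunks, so whether another required check still covers fork pull requests cannot be confirmed from here.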
@@ -71,33 +74,8 @@ jobs: args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high command: code test - snyk-sbom: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - needs: - - snyk-scan-deps-licences - - snyk-scan-code - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' - app_name: 'radix-dapp-toolkit' - step_name: 'snyk-sbom' - secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - name: Generate SBOM # check SBOM can be generated but nothing is done with it - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json - command: sbom - build: + if: ${{ !github.event.pull_request }} runs-on: ubuntu-latest needs: - snyk-scan-deps-licences 
@@ -149,3 +127,35 @@ jobs: projectBaseDir: ./packages/dapp-toolkit env: SONAR_TOKEN: ${{ env.GH_SONAR_TOKEN }} + + - name: Release + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NPM_TOKEN: ${{ env.GH_NPMJS_TOKEN }} + run: | + cd packages/dapp-toolkit + npx semantic-release | tee out + echo "RELEASE_VERSION=$(grep 'Created tag ' out | awk -F 'Created tag ' '{print $2}')" >> $GITHUB_ENV + + # Snyk SBOM + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' + app_name: 'radix-dapp-toolkit' + step_name: 'snyk-sbom' + secret_prefix: 'SNYK' + secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' + parse_json: true + + - name: Generate SBOM + uses: RDXWorks-actions/snyk-actions/node@master + with: + args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json + command: sbom + + - name: Upload SBOM + uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a + with: + files: sbom.json + repo-token: ${{ secrets.GITHUB_TOKEN }} + release-tag: ${{ env.RELEASE_VERSION }} diff --git a/.github/workflows/connect-button-ci.yml b/.github/workflows/connect-button-ci.yml index 733351fb..faa79a39 100644 --- a/.github/workflows/connect-button-ci.yml +++ b/.github/workflows/connect-button-ci.yml @@ -1,4 +1,4 @@ -name: 'Connect button CI/CD' +name: 'Connect Button Storybook CI/CD' on: pull_request: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index f343ea04..00000000 --- a/.github/workflows/release.yml +++ /dev/null 
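Review bot: The appended `Release` step carries no condition of its own, so it runs with `NPM_TOKEN` on every event that reaches `build` (the first hunk shows a `'**'` branch filter and a new `workflow_dispatch`), whereas the deleted release.yml restricted it to `main`, `develop` and `release/**`; I would restore that with `if: ${{ github.ref_name == 'main' || github.ref_name == 'develop' || startsWith(github.ref_name, 'release/') }}` rather than rely on semantic-release's branch configuration, which is not visible here. When no tag is created `RELEASE_VERSION` stays empty, yet the three SBOM steps still run and `Upload SBOM` receives an empty `release-tag`; `if: ${{ env.RELEASE_VERSION != '' }}` on each of them would skip that case. `npx semantic-release | tee out` returns `tee`'s exit status under the default `bash -e` shell, so a failed release can leave the step green unless `set -o pipefail` is the first line of the `run` block or a `defaults.run.shell` outside this hunk already supplies it. `GH_NPMJS_TOKEN` appears to live in the job environment, so the later `fetch-secrets@main` and `snyk-actions/node@master` steps execute with it in scope on mutable refs; pinning them to a commit SHA, as `upload-release-assets` already is, would close that gap. The `build` job begins outside this hunk, so its `permissions` block and checkout depth could not be checked against what semantic-release needs.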
@@ -1,74 +0,0 @@ -name: Release -on: - push: - branches: - - main - - develop - - release/** - workflow_dispatch: - -jobs: - release: - name: Release - runs-on: ubuntu-latest - permissions: write-all - steps: - - name: Checkout - uses: RDXWorks-actions/checkout@main - with: - fetch-depth: 0 - - - name: Setup Node.js - uses: RDXWorks-actions/setup-node@main - with: - node-version: '20.x' - - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radix-dapp-toolkit-secrets-read-access' - app_name: 'dapp-toolkit' - step_name: 'npm' - secret_prefix: 'GH' - secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radix-dapp-toolkit/npm-token-A52rl3' - parse_json: true - - - name: Authenticate with private NPM package - run: echo "//registry.npmjs.org/:_authToken=${{ env.GH_NPMJS_TOKEN }}" > ~/.npmrc - - - name: Install dependencies - run: npm ci - - - name: Build - run: npm run build - - - name: Release - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ env.GH_NPMJS_TOKEN }} - run: | - cd packages/dapp-toolkit - npx semantic-release | tee out - echo "RELEASE_VERSION=$(grep 'Created tag ' out | awk -F 'Created tag ' '{print $2}')" >> $GITHUB_ENV - - # Snyk SBOM - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' - app_name: 'radix-dapp-toolkit' - step_name: 'snyk-sbom' - secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - - name: Generate SBOM - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json - command: sbom - - - name: Upload SBOM - uses: 
RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a - with: - files: sbom.json - repo-token: ${{ secrets.GITHUB_TOKEN }} - release-tag: ${{ env.RELEASE_VERSION }}