diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..11500242
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,130 @@
+name: Build
+
+on:
+ workflow_dispatch:
+ inputs:
+ ENVIRONMENT_NAME:
+ description: 'Environment Name'
+ required: true
+ default: Stokenet
+ type: choice
+ options:
+ - Mainnet
+ - Stokenet
+
+ push:
+ branches:
+ - develop
+ - release/*
+ pull_request:
+ branches:
+ - develop
+ - release/**
+ release:
+ types: [published]
+
+jobs:
+ snyk-scan-deps-licences:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ pull-requests: read
+ contents: read
+ deployments: write
+ steps:
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+ - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+ with:
+ role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+ app_name: 'radix-dapp-toolkit'
+ step_name: 'snyk-scan-deps-licenses'
+ secret_prefix: 'SNYK'
+ secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+ parse_json: true
+ - name: Run Snyk to check for deps vulnerabilities
+ uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
+ with:
+ args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical
+
+ snyk-scan-code:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ pull-requests: read
+ contents: read
+ deployments: write
+ steps:
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+ - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+ with:
+ role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+ app_name: 'radix-dapp-toolkit'
+ step_name: 'snyk-scan-code'
+ secret_prefix: 'SNYK'
+ secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+ parse_json: true
+ - name: Run Snyk to check for code vulnerabilities
+ uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
+ with:
+ args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
+ command: code test
+
+ snyk-sbom:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ pull-requests: read
+ contents: read
+ deployments: write
+ needs:
+ - snyk-scan-deps-licences
+ - snyk-scan-code
+ steps:
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+ - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+ with:
+ role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+ app_name: 'radix-dapp-toolkit'
+ step_name: 'snyk-sbom'
+ secret_prefix: 'SNYK'
+ secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+ parse_json: true
+ - name: Generate SBOM # check SBOM can be generated but nothing is done with it
+ uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
+ with:
+ args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
+ command: sbom
+
+ build:
+ runs-on: ubuntu-latest
+ needs:
+ - snyk-scan-deps-licences
+ - snyk-scan-code
+ outputs:
+ tag: ${{ steps.setup_tags.outputs.tag }}
+ steps:
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+
+ - name: Setup tags for docker image
+ id: setup_tags
+ run: echo "tag=sha-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+ - name: Use Node.js
+ uses: actions/setup-node@7c29869aec4da703a571b27bcd84d4f15af0b56e
+ with:
+ node-version: '18.x'
+
+ - name: Authenticate with private NPM package
+ run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Run tests
+ run: npm run test
+
+ - name: Build
+ run: npm run build
+
+ - name: Dump context
+ uses: crazy-max/ghaction-dump-context@v2
\ No newline at end of file
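Review bot: The `build` job declares no `permissions:` block, so it runs with the repository's default GITHUB_TOKEN grant while the three Snyk jobs scope theirs explicitly, and its `Authenticate with private NPM package` step expands `secrets.NPMJS_TOKEN` straight into a shell command and writes it to `~/.npmrc` for every later step. Giving `build` `permissions: contents: read` and passing the token through setup-node's `registry-url` input plus a `NODE_AUTH_TOKEN` env on the `npm ci` step keeps the secret out of the script text and confines it to the one step that needs it; note that on `pull_request` runs from forks the secret is presumably empty, so the step should tolerate that. The same job pins `crazy-max/ghaction-dump-context@v2` by mutable tag and the Snyk jobs use `fetch-secrets@main`, unlike the SHA-pinned checkout/setup-node/snyk steps; pinning both to a commit SHA keeps the supply-chain posture consistent, and dumping the full run context into the log looks like a debugging leftover worth removing. The `workflow_dispatch` input `ENVIRONMENT_NAME` is never referenced and `deployments: write` on the scan jobs appears unused, so both can be dropped under least privilege.
```yaml
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # … unchanged: needs, outputs, checkout and setup_tags steps …
      - name: Use Node.js
        uses: actions/setup-node@7c29869aec4da703a571b27bcd84d4f15af0b56e
        with:
          node-version: '18.x'
          registry-url: 'https://registry.npmjs.org'

      - name: Install dependencies
        run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }}
    # … unchanged: test and build steps …
```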