Merge pull request #39 from radixdlt/pr-snyk

Run snyk for both PRs and releases
radixdlt · Feb 8, 2024 · b8e5bb0 · b8e5bb0
2 parents 11eb2fb + dd8ba30
commit b8e5bb0
Showing 1 changed file with 28 additions and 2 deletions.
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
@@ -81,16 +81,19 @@ jobs:
       role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
 
   snyk-monitor-devops:
+    if: always()
     runs-on: ubuntu-latest
     needs:
       - build-push-container-docker
+      - build-push-container-private
     permissions:
       id-token: write
       pull-requests: read
       contents: read
       deployments: write
     steps:
-      - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
+      - if: github.event_name == 'pull_request'
+        uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
         with:
           role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
           app_name: 'babylon-nginx'
@@ -99,18 +102,31 @@ jobs:
           snyk_org_id: ${{ secrets.SNYK_DEVOPS_ORG_ID }}
           image: docker.io/radixdlt/private-babylon-nginx:${{ needs.build-push-container-private.outputs.default_tag }}
           target_ref: ${{ github.ref_name }}
+      - if: github.event_name == 'release'
+        uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
+        with:
+          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+          app_name: 'babylon-nginx'
+          dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }}
+          snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+          snyk_org_id: ${{ secrets.SNYK_DEVOPS_ORG_ID }}
+          image: docker.io/radixdlt/private-babylon-nginx:${{ needs.build-push-container-docker.outputs.default_tag }}
+          target_ref: ${{ github.ref_name }}
 
   snyk-monitor-network:
+    if: always()
     runs-on: ubuntu-latest
     needs:
       - build-push-container-docker
+      - build-push-container-private
     permissions:
       id-token: write
       pull-requests: read
       contents: read
       deployments: write
     steps:
-      - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
+      - if: github.event_name == 'pull_request'
+        uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
         with:
           role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
           app_name: 'babylon-nginx'
@@ -119,3 +135,13 @@ jobs:
           snyk_org_id: ${{ secrets.SNYK_NETWORK_ORG_ID }}
           image: docker.io/radixdlt/private-babylon-nginx:${{ needs.build-push-container-private.outputs.default_tag }}
           target_ref: ${{ github.ref_name }}
+      - if: github.event_name == 'release'
+        uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
+        with:
+          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+          app_name: 'babylon-nginx'
+          dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }}
+          snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+          snyk_org_id: ${{ secrets.SNYK_NETWORK_ORG_ID }}
+          image: docker.io/radixdlt/private-babylon-nginx:${{ needs.build-push-container-docker.outputs.default_tag }}
+          target_ref: ${{ github.ref_name }}