diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7e0d3c87dd..41afe8561d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,23 @@ on:
 - main
 - release\/*
 jobs:
+ phylum-analyze:
+ if: ${{ github.event.pull_request }}
+ uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
+ permissions:
+ id-token: write
+ pull-requests: write
+ contents: read
+ deployments: write
+ secrets:
+ phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
+ with:
+ phylum_pr_number: ${{ github.event.number }}
+ phylum_pr_name: ${{ github.head_ref }}
+ phylum_group_name: Protocol
+ phylum_project_id: 3f5b2c53-46bd-4f68-b050-5898f929002f
+ github_repository: ${{ github.repository }}
+ add_report_comment_to_pull_request: true
 snyk-scan-deps-licences:
 name: Snyk deps/licences scan
 runs-on: ubuntu-latest
diff --git a/.github/workflows/phylum-daily-analysis.yaml b/.github/workflows/phylum-daily-analysis.yaml
new file mode 100644
index 0000000000..6bc1aa2dc6
--- /dev/null
+++ b/.github/workflows/phylum-daily-analysis.yaml
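Review bot: The reusable workflow on the `uses:` line of the new `phylum-analyze` job is referenced by the mutable branch ref `@main` while the job hands it `id-token: write`, `pull-requests: write`, `deployments: write` and the `PHYLUM_API_KEY` secret, so anyone who can push to that branch of `radixdlt/public-iac-resuable-artifacts` controls code running with those permissions; pin it to a full commit SHA (`uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@<commit-sha>`, with `<commit-sha>` a placeholder) and let Dependabot track updates. The same applies to the `@main` and `@master` action refs in the new phylum-daily-analysis.yaml hunk. `deployments: write` and `id-token: write` look broader than a pull-request dependency scan needs — presumably the reusable workflow declares them as required; worth confirming against its own `permissions:` block and trimming otherwise. The `jobs:` mapping this job is added to continues beyond the hunk.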
@@ -0,0 +1,65 @@
+name: Daily Analysis Phylum
+
+on:
+ schedule:
+ # Runs at 14:00 UTC every day
+ - cron: '0 13 * * *'
+
+env:
+ PHYLUM_PROJECT_ID: 3f5b2c53-46bd-4f68-b050-5898f929002f
+ PHYLUM_GROUP_NAME: Protocol
+ PHYLUM_NAME: babylon-node
+jobs:
+ analyze_branch_phylum:
+ name: Analyze dependencies with Phylum
+ permissions:
+ contents: read
+ pull-requests: write
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ branch: [main, develop, release/babylon, release/anemone, release/bottlenose]
+ include:
+ - branch: main
+ - branch: develop
+ - branch: release/babylon
+ - branch: release/anemone
+ - branch: release/bottlenose
+ fail-fast: false
+ steps:
+ - uses: RDXWorks-actions/checkout@main
+ with:
+ ref: ${{ matrix.branch }}
+ fetch-depth: 0
+ - uses: RDXWorks-actions/setup-python@main
+ with:
+ python-version: 3.10.6
+ - name: Install Phylum
+ run: |
+ curl https://sh.phylum.io/ | sh -s -- --yes
+ # Add the Python user base binary directory to PATH
+ echo "$HOME/.local/bin" >> $GITHUB_PATH
+ - name: Run Phylum Analysis
+ env:
+ PHYLUM_API_KEY: ${{ secrets.PHYLUM_API_KEY }}
+ run: |
+ phylum analyze --quiet --label ${{ matrix.branch }}_branch_daily_schedule > /dev/null 2>&1 || exit_code=$?
+ if [ $exit_code -eq 100 ]; then
+ echo "Phylum Analysis returned exit code 100, but continuing.";
+ echo "phylum_analyze_status=failure" >> $GITHUB_ENV
+ exit 0;
+ else
+ echo "phylum_analyze_status=success" >> $GITHUB_ENV
+ exit $?;
+ fi
+ - name: Analysis Status Failure notification
+ if: always()
+ uses: RDXWorks-actions/notify-slack-action@master
+ with:
+ status: ${{ env.phylum_analyze_status }}
+ notify_when: 'failure'
+ notification_title: ':clock3: Phylum Scheduled Daily Analysis:'
+ message_format: 'Automatic phylum analysis has found vulnerabilities on ${{ env.PHYLUM_NAME }} in ${{ matrix.branch }} branch:boom:'
+ footer: "Linked Repository <{repo_url}|{repo}> | "
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_PHYLUM_PROTOCOL_TEAM_WEBHOOK }}
\ No newline at end of file
diff --git a/.phylum_project b/.phylum_project
new file mode 100644
index 0000000000..a783aedb9e
--- /dev/null
+++ b/.phylum_project
@@ -0,0 +1,9 @@
+id: 3f5b2c53-46bd-4f68-b050-5898f929002f
+name: babylon-node
+created_at: 2024-07-05T10:48:15.419011+02:00
+group_name: Protocol
+depfiles:
+ - path: ./core/gradle.lockfile
+ type: gradle
+ - path: ./core-rust/Cargo.lock
+ type: cargo
\ No newline at end of file
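Review bot: In the `Run Phylum Analysis` step, `exit_code` is only assigned when `phylum analyze` fails and the `else` branch's `exit $?` reports the status of the preceding `echo`, so a run that fails with any code other than 100 (auth, network, CLI error) records `phylum_analyze_status=success` and exits 0, while a successful run reaches `[ $exit_code -eq 100 ]` with an unset variable and only lands in the success branch through a `[: unary operator expected` error. Initialise and quote the variable and propagate non-100 failures, as in the rewrite below. Separately, the comment `# Runs at 14:00 UTC every day` disagrees with `cron: '0 13 * * *'`, which GitHub evaluates as 13:00 UTC, and the `include:` list under `matrix:` repeats the `branch:` values without adding any key, so it can be dropped. The installer line `curl https://sh.phylum.io/ | sh -s -- --yes` fetches an unpinned script without `--fail`, so an HTTP error body would be piped into `sh`; a pinned CLI release with a checksum would make the daily job reproducible.
```yaml
        run: |
          exit_code=0
          phylum analyze --quiet --label ${{ matrix.branch }}_branch_daily_schedule > /dev/null 2>&1 || exit_code=$?
          if [ "$exit_code" -eq 100 ]; then
            echo "Phylum Analysis returned exit code 100, but continuing."
            echo "phylum_analyze_status=failure" >> "$GITHUB_ENV"
          elif [ "$exit_code" -ne 0 ]; then
            echo "phylum_analyze_status=failure" >> "$GITHUB_ENV"
            exit "$exit_code"
          else
            echo "phylum_analyze_status=success" >> "$GITHUB_ENV"
          fi
      # … unchanged: Slack notification step …
```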