[DO-2802] move build workflow secrets to AWS #812

Workflow file for this run

	name: Build & Test

	on:
	push:
	branches:
	- develop
	- main
	pull_request:

	jobs:
	phylum_analyze:
	if: ${{ github.event.pull_request }}
	uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
	permissions:
	id-token: write
	pull-requests: write
	contents: read
	secrets:
	phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}

	snyk_scan_deps_licences:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'connector-extension'
	step_name: 'snyk-scan-deps-licenses'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Run Snyk to check for deps vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical

	snyk_scan_code:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'connector-extension'
	step_name: 'snyk-scan-code'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Run Snyk to check for code vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	continue-on-error: true
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
	command: code test

	snyk_sbom:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	needs:
	- snyk_scan_deps_licences
	- snyk_scan_code
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'connector-extension'
	step_name: 'snyk-sbom'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Generate SBOM # check SBOM can be generated but nothing is done with it
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
	command: sbom

	build:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	steps:
	- uses: RDXWorks-actions/checkout@main
	- name: Use Node.js
	uses: RDXWorks-actions/setup-node@main
	with:
	node-version: '18.17.0'

	- name: Install dependencies
	run: npm ci

	- name: Build extension
	env:
	VITE_GITHUB_REF_NAME: ${{ github.ref_name }}
	run: npm run build

	- uses: RDXWorks-actions/upload-artifact@main
	with:
	name: connector-extension.${{ github.sha }}
	path: dist/

	- name: Build extension with dev tools
	run: npm run build
	env:
	VITE_DEV_TOOLS: true
	VITE_GITHUB_REF_NAME: ${{ github.ref_name }}

	- uses: RDXWorks-actions/upload-artifact@main
	with:
	name: connector-extension-with-dev-tools.${{ github.sha }}
	path: dist/

	- name: Running lint
	run: npm run lint

	- name: Running unit tests
	run: npm run test:ci

	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'conn-extension'
	step_name: 'sonar'
	secret_prefix: 'GH'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD'
	parse_json: true

	- name: SonarCloud Scan
	uses: RDXWorks-actions/sonarcloud-github-action@master
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SONAR_TOKEN: ${{ env.GH_SONAR_TOKEN }}

	snyk_monitor:
	runs-on: ubuntu-latest
	if: github.event_name == 'push' && (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/develop')
	needs:
	- build
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'connector-extension'
	step_name: 'snyk-monitor'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Enable Snyk online monitoring to check for vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
	command: monitor

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DO-2802] move build workflow secrets to AWS #812

Workflow file

[DO-2802] move build workflow secrets to AWS #812

Jobs

Run details

Workflow file for this run