Build

Merge pull request #298 from radixdlt/develop #1194

Workflow file for this run

	name: Build

	on:
	push:
	branches:
	- develop
	- main
	- release/**
	pull_request:

	jobs:
	phylum-analyze:
	if: ${{ github.event.pull_request }}
	uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
	permissions:
	id-token: write
	pull-requests: write
	contents: read
	deployments: write
	secrets:
	phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
	with:
	phylum_pr_number: ${{ github.event.number }}
	phylum_pr_name: ${{ github.head_ref }}
	phylum_group_name: dApp-engineering
	phylum_project_id: ad50ad22-146e-4339-80ea-d895b4bce133
	github_repository: ${{ github.repository }}
	add_report_comment_to_pull_request: true

	snyk-scan-deps-licences:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'radix-dapp-toolkit'
	step_name: 'snyk-scan-deps-licenses'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Run Snyk to check for deps vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical

	snyk-scan-code:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'radix-dapp-toolkit'
	step_name: 'snyk-scan-code'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Run Snyk to check for code vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	continue-on-error: true
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
	command: code test

	snyk-sbom:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	needs:
	- snyk-scan-deps-licences
	- snyk-scan-code
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'radix-dapp-toolkit'
	step_name: 'snyk-sbom'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Generate SBOM # check SBOM can be generated but nothing is done with it
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
	command: sbom

	build:
	runs-on: ubuntu-latest
	needs:
	- snyk-scan-deps-licences
	- snyk-scan-code
	permissions:
	id-token: write
	contents: read
	steps:
	- uses: RDXWorks-actions/checkout@main

	- name: Use Node.js
	uses: RDXWorks-actions/setup-node@main
	with:
	node-version: '20.x'

	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radix-dapp-toolkit-secrets-read-access'
	app_name: 'dapp-toolkit'
	step_name: 'npm'
	secret_prefix: 'GH'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radix-dapp-toolkit/npm-token-A52rl3'
	parse_json: true

	- name: Authenticate with private NPM package
	run: echo "//registry.npmjs.org/:_authToken=${{ env.GH_NPMJS_TOKEN }}" > ~/.npmrc

	- name: Install dependencies
	run: npm ci

	- name: Build
	run: npm run build

	- name: Run tests
	run: npm run test

	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'dapp-toolkit'
	step_name: 'build'
	secret_prefix: 'GH'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD'
	parse_json: true

	- name: SonarCloud Scan
	uses: RDXWorks-actions/sonarcloud-github-action@master
	with:
	projectBaseDir: ./packages/dapp-toolkit
	env:
	SONAR_TOKEN: ${{ env.GH_SONAR_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #298 from radixdlt/develop #1194

Workflow file

Merge pull request #298 from radixdlt/develop #1194

Jobs

Run details

Workflow file for this run