chore: update dev release #492
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - develop | |
| - release/* | |
| pull_request: | |
| branches: | |
| - develop | |
| - release/** | |
| release: | |
| types: [published] | |
| jobs: | |
| snyk-scan-deps-licences: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
| app_name: 'radix-dapp-toolkit' | |
| step_name: 'snyk-scan-deps-licenses' | |
| secret_prefix: 'SNYK' | |
| secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
| parse_json: true | |
| - name: Run Snyk to check for deps vulnerabilities | |
| uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 | |
| with: | |
| args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical | |
| snyk-scan-code: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
| app_name: 'radix-dapp-toolkit' | |
| step_name: 'snyk-scan-code' | |
| secret_prefix: 'SNYK' | |
| secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
| parse_json: true | |
| - name: Run Snyk to check for code vulnerabilities | |
| uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 | |
| with: | |
| args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high | |
| command: code test | |
| snyk-sbom: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| needs: | |
| - snyk-scan-deps-licences | |
| - snyk-scan-code | |
| steps: | |
| - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
| app_name: 'radix-dapp-toolkit' | |
| step_name: 'snyk-sbom' | |
| secret_prefix: 'SNYK' | |
| secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
| parse_json: true | |
| - name: Generate SBOM # check SBOM can be generated but nothing is done with it | |
| uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 | |
| with: | |
| args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json | |
| command: sbom | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - snyk-scan-deps-licences | |
| - snyk-scan-code | |
| outputs: | |
| tag: ${{ steps.setup_tags.outputs.tag }} | |
| steps: | |
| - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
| - name: Setup tags for docker image | |
| id: setup_tags | |
| run: echo "tag=sha-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| - name: Use Node.js | |
| uses: actions/setup-node@7c29869aec4da703a571b27bcd84d4f15af0b56e | |
| with: | |
| node-version: '18.x' | |
| - name: Authenticate with private NPM package | |
| run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run tests | |
| run: npm run test | |
| - name: Build | |
| run: npm run build | |
| - name: Dump context | |
| uses: crazy-max/ghaction-dump-context@v2 | |
| push-docker-image: | |
| name: (PRIVATE) Docker AMD | |
| needs: | |
| - build | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
| with: | |
| runs_on: ubuntu-latest | |
| image_registry: "docker.io" | |
| image_organization: "radixdlt" | |
| image_name: "private-radix-dapp-toolkit" | |
| tag: ${{ needs.build.outputs.tag }} | |
| tags: | | |
| type=semver,pattern={{version}} | |
| context: "./" | |
| dockerfile: "./Dockerfile" | |
| platforms: "linux/amd64" | |
| scan_image: true | |
| snyk_target_ref: ${{ github.ref_name }} | |
| snyk-monitor: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') | |
| needs: | |
| - push-docker-image | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
| app_name: 'radix-dapp-toolkit' | |
| step_name: 'snyk-monitor' | |
| secret_prefix: 'SNYK' | |
| secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
| parse_json: true | |
| - name: Enable Snyk online monitoring to check for vulnerabilities | |
| uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 | |
| with: | |
| args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }} | |
| command: monitor | |
| snyk-container-monitor: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') | |
| needs: | |
| - push-docker-image | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main | |
| with: | |
| role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
| app_name: 'radix-dapp-toolkit' | |
| step_name: 'snyk-container-monitor' | |
| dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }} | |
| snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
| parse_json: true | |
| snyk_org_id: ${{ secrets.SNYK_ORG_ID }} | |
| image: docker.io/radixdlt/private-radix-dapp-toolkit:${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
| target_ref: ${{ github.ref_name }} | |
| deploy-pr: | |
| if: ${{ github.event_name == 'pull_request' }} | |
| runs-on: ubuntu-latest | |
| needs: | |
| - push-docker-image | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787 | |
| with: | |
| version: 2 | |
| - name: Setup helmfile and helm | |
| uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184 | |
| with: | |
| helm-diff-plugin-version: 'v3.1.3' | |
| helmfile-version: 'v0.144.0' | |
| helm-version: 'v3.11.0' | |
| install-kubectl: no | |
| - name: Install kubectl | |
| uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2 | |
| with: | |
| version: 'v1.25.6' | |
| - name: Configure AWS credentials for deployment | |
| uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3 | |
| with: | |
| role-to-assume: ${{ secrets.DEPLOY_PR_IAM_ROLE }} | |
| aws-region: eu-west-2 | |
| - name: Deploy application | |
| working-directory: deploy/helm | |
| run: | | |
| cat <<DOC > namespace.yaml | |
| apiVersion: hnc.x-k8s.io/v1alpha2 | |
| kind: SubnamespaceAnchor | |
| metadata: | |
| name: radix-dapp-toolkit-pr-${{ github.event.number }} | |
| namespace: radix-dapp-toolkit-ci-pr | |
| DOC | |
| aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \ | |
| --alias ${{ secrets.CLUSTER_NAME }} \ | |
| --region eu-west-2 | |
| kubectl apply -f namespace.yaml | |
| helmfile --environment pr --namespace radix-dapp-toolkit-pr-${{ github.event.number }} \ | |
| --state-values-set "ci.tag=${{ env.CI_TAG }}" \ | |
| --state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \ | |
| apply | |
| env: | |
| CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
| INGRESS_DOMAIN: radix-dapp-toolkit-pr-${{ github.event.number}}.${{ secrets.INGRESS_DOMAIN }} | |
| HELM_GH_USER: ${{ secrets.HELM_GH_USER }} | |
| HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }} | |
| deploy-dev: | |
| if: github.ref == 'refs/heads/develop' | |
| runs-on: ubuntu-latest | |
| needs: | |
| - push-docker-image | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787 | |
| with: | |
| version: 2 | |
| - name: Setup helmfile and helm | |
| uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184 | |
| with: | |
| helm-diff-plugin-version: 'v3.1.3' | |
| helmfile-version: 'v0.144.0' | |
| helm-version: 'v3.11.0' | |
| install-kubectl: no | |
| - name: Install kubectl | |
| uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2 | |
| with: | |
| version: 'v1.25.6' | |
| - name: Configure AWS credentials for deployment | |
| uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3 | |
| with: | |
| role-to-assume: ${{ secrets.DEPLOY_DEV_IAM_ROLE }} | |
| aws-region: eu-west-2 | |
| - name: Deploy application | |
| working-directory: deploy/helm | |
| run: | | |
| aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \ | |
| --alias ${{ secrets.CLUSTER_NAME }} \ | |
| --region eu-west-2 | |
| helmfile --environment dev --namespace radix-dapp-toolkit-dev \ | |
| --state-values-set "ci.tag=${{ env.CI_TAG }}" \ | |
| --state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \ | |
| apply | |
| env: | |
| CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
| INGRESS_DOMAIN: radix-dapp-toolkit-dev.${{ secrets.INGRESS_DOMAIN }} | |
| HELM_GH_USER: ${{ secrets.HELM_GH_USER }} | |
| HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }} | |
| deploy-release: | |
| if: startsWith(github.ref_name,'release/') | |
| runs-on: ubuntu-latest | |
| needs: | |
| - push-docker-image | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
| - uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787 | |
| with: | |
| version: 2 | |
| - name: Setup helmfile and helm | |
| uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184 | |
| with: | |
| helm-diff-plugin-version: 'v3.1.3' | |
| helmfile-version: 'v0.144.0' | |
| helm-version: 'v3.11.0' | |
| install-kubectl: no | |
| - name: Install kubectl | |
| uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2 | |
| with: | |
| version: 'v1.25.6' | |
| - name: Configure AWS credentials for deployment | |
| uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3 | |
| with: | |
| role-to-assume: ${{ secrets.DEPLOY_RELEASES_IAM_ROLE }} | |
| aws-region: eu-west-2 | |
| - name: Deploy application | |
| working-directory: deploy/helm | |
| run: | | |
| aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \ | |
| --alias ${{ secrets.CLUSTER_NAME }} \ | |
| --region eu-west-2 | |
| BRANCH_NAME=${{ github.ref_name }} | |
| NORMALIZED_BRANCH_NAME=${BRANCH_NAME/\//-} | |
| cat <<DOC > subns-manifest.yaml | |
| apiVersion: hnc.x-k8s.io/v1alpha2 | |
| kind: SubnamespaceAnchor | |
| metadata: | |
| name: radix-dapp-toolkit-$NORMALIZED_BRANCH_NAME | |
| namespace: radix-dapp-toolkit-ci-releases | |
| DOC | |
| kubectl apply -f subns-manifest.yaml | |
| helmfile --environment dev --namespace radix-dapp-toolkit-$NORMALIZED_BRANCH_NAME \ | |
| --state-values-set "ci.tag=${{ env.CI_TAG }}" \ | |
| --state-values-set "ci.ingressDomain=radix-dapp-toolkit-${NORMALIZED_BRANCH_NAME}.${{ env.INGRESS_DOMAIN }}" \ | |
| apply | |
| env: | |
| CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
| INGRESS_DOMAIN: ${{ secrets.INGRESS_DOMAIN }} | |
| HELM_GH_USER: ${{ secrets.HELM_GH_USER }} | |
| HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }} |