.github/workflows/build.yml

name: Build

on:
  push:
    branches:
      - develop
      - main
      - release/**
  pull_request:

jobs:
  phylum-analyze:
    if: ${{ github.event.pull_request }}
    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
    permissions:
      id-token: write
      pull-requests: write
      contents: read
      deployments: write
    secrets:
      phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
    with:
      phylum_pr_number: ${{ github.event.number }}
      phylum_pr_name: ${{ github.head_ref }}
      phylum_group_name: dApp-engineering
      phylum_project_id: ad50ad22-146e-4339-80ea-d895b4bce133
      github_repository: ${{ github.repository }}
      add_report_comment_to_pull_request: true

  snyk-scan-deps-licences:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
          app_name: 'radix-dapp-toolkit'
          step_name: 'snyk-scan-deps-licenses'
          secret_prefix: 'SNYK'
          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
          parse_json: true
      - name: Run Snyk to check for deps vulnerabilities
        uses: RDXWorks-actions/snyk-actions/node@master
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical

  snyk-scan-code:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
          app_name: 'radix-dapp-toolkit'
          step_name: 'snyk-scan-code'
          secret_prefix: 'SNYK'
          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
          parse_json: true
      - name: Run Snyk to check for code vulnerabilities
        uses: RDXWorks-actions/snyk-actions/node@master
        continue-on-error: true
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
          command: code test

  snyk-sbom:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    needs:
      - snyk-scan-deps-licences
      - snyk-scan-code
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
          app_name: 'radix-dapp-toolkit'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
          parse_json: true
      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
        uses: RDXWorks-actions/snyk-actions/node@master
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
          command: sbom

  build:
    runs-on: ubuntu-latest
    needs:
      - snyk-scan-deps-licences
      - snyk-scan-code
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: RDXWorks-actions/checkout@main

      - name: Use Node.js
        uses: RDXWorks-actions/setup-node@main
        with:
          node-version: '20.x'

      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radix-dapp-toolkit-secrets-read-access'
          app_name: 'dapp-toolkit'
          step_name: 'npm'
          secret_prefix: 'GH'
          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radix-dapp-toolkit/npm-token-A52rl3'
          parse_json: true

      - name: Authenticate with private NPM package
        run: echo "//registry.npmjs.org/:_authToken=${{ env.GH_NPMJS_TOKEN }}" > ~/.npmrc

      - name: Install dependencies
        run: npm ci

      - name: Build
        run: npm run build

      - name: Run tests
        run: npm run test

      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
          app_name: 'dapp-toolkit'
          step_name: 'build'
          secret_prefix: 'GH'
          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD'
          parse_json: true
      
      - name: SonarCloud Scan
        uses: RDXWorks-actions/sonarcloud-github-action@master
        with:
          projectBaseDir: ./packages/dapp-toolkit
        env:
          SONAR_TOKEN: ${{ env.GH_SONAR_TOKEN }}