From b2b9a168bc2adc52cad4851bfee191775aa87bef Mon Sep 17 00:00:00 2001 From: Duje Begonja RDX <108268552+duje-begonja-rdx@users.noreply.github.com> Date: Tue, 26 Nov 2024 10:11:57 -0500 Subject: [PATCH] ci: add sonar step, migrate to AWS secrets --- .github/workflows/build.yml | 43 +++++-- .github/workflows/connect-button-ci.yml | 20 ++-- .github/workflows/release.yml | 24 +++- .../dapp-toolkit/.github/workflows/build.yml | 106 ------------------ .../.github/workflows/release.yml | 57 ---------- .../dapp-toolkit/sonar-project.properties | 7 ++ 6 files changed, 74 insertions(+), 183 deletions(-) delete mode 100644 packages/dapp-toolkit/.github/workflows/build.yml delete mode 100644 packages/dapp-toolkit/.github/workflows/release.yml create mode 100644 packages/dapp-toolkit/sonar-project.properties diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9303062e..b30b38af 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,11 +36,11 @@ jobs: - uses: RDXWorks-actions/checkout@main - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main with: - role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' app_name: 'radix-dapp-toolkit' step_name: 'snyk-scan-deps-licenses' secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' parse_json: true - name: Run Snyk to check for deps vulnerabilities uses: RDXWorks-actions/snyk-actions/node@master 
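Review bot: The `role_name` and `secret_name` values added here are repeated verbatim in the two following build.yml hunks, in the release.yml SBOM hunk and in the connect-button-ci.yml snyk-monitor hunk, so a role rename or secret rotation has to be edited in every copy, and the `SNY`/`SNYK` prefix mismatch in connect-button-ci.yml looks like exactly such drift. Declaring them once in a workflow-level `env:` block, e.g. `COMMON_SECRETS_ROLE: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'` and `SNYK_SECRET_ARN: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'`, and passing `role_name: ${{ env.COMMON_SECRETS_ROLE }}` keeps each workflow to a single copy. The `-rXRpuX` suffix pins the reference to this specific secret instance and changes if the secret is ever recreated; the dockerhub reference in connect-button-ci.yml is passed without a suffix (to a different action), so if fetch-secrets forwards the value to Secrets Manager unchanged the suffix-less partial ARN should resolve as well — worth confirming before dropping it.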
@@ -58,11 +58,11 @@ jobs: - uses: RDXWorks-actions/checkout@main - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main with: - role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' app_name: 'radix-dapp-toolkit' step_name: 'snyk-scan-code' secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' parse_json: true - name: Run Snyk to check for code vulnerabilities uses: RDXWorks-actions/snyk-actions/node@master @@ -85,11 +85,11 @@ jobs: - uses: RDXWorks-actions/checkout@main - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main with: - role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' app_name: 'radix-dapp-toolkit' step_name: 'snyk-sbom' secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' parse_json: true - name: Generate SBOM # check SBOM can be generated but nothing is done with it uses: RDXWorks-actions/snyk-actions/node@master @@ -102,6 +102,9 @@ jobs: needs: - snyk-scan-deps-licences - snyk-scan-code + permissions: + id-token: write + contents: read steps: - uses: RDXWorks-actions/checkout@main 
@@ -110,8 +113,17 @@ jobs: with: node-version: '20.x' + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radix-dapp-toolkit-secrets-read-access' + app_name: 'dapp-toolkit' + step_name: 'npm' + secret_prefix: 'GH' + secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radix-dapp-toolkit/npm-token-A52rl3' + parse_json: true + - name: Authenticate with private NPM package - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc + run: echo "//registry.npmjs.org/:_authToken=${{ env.GH_NPMJS_TOKEN }}" > ~/.npmrc - name: Install dependencies run: npm ci @@ -122,5 +134,18 @@ jobs: - name: Run tests run: npm run test - - name: Dump context - uses: RDXWorks-actions/ghaction-dump-context@master + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' + app_name: 'dapp-toolkit' + step_name: 'build' + secret_prefix: 'GH' + secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD' + parse_json: true + + - name: SonarCloud Scan + uses: RDXWorks-actions/sonarcloud-github-action@master + with: + projectBaseDir: ./packages/dapp-toolkit + env: + SONAR_TOKEN: ${{ env.GH_SONAR_TOKEN }} diff --git a/.github/workflows/connect-button-ci.yml b/.github/workflows/connect-button-ci.yml index 016c4741..733351fb 100644 --- a/.github/workflows/connect-button-ci.yml +++ b/.github/workflows/connect-button-ci.yml @@ -2,8 +2,9 @@ name: 'Connect button CI/CD' on: pull_request: - # branches: - # - develop + branches: + - develop + - main push: branches: - develop 
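Review bot: The `Authenticate with private NPM package` step now expands `${{ env.GH_NPMJS_TOKEN }}` into the `run:` script text, so the token is written into the generated shell script rather than read from the environment at execution time; since fetch-secrets already exports it as an environment variable, `run: echo "//registry.npmjs.org/:_authToken=$GH_NPMJS_TOKEN" > ~/.npmrc` keeps the value out of the script body and out of any step-debug output. The same inlining appears in the release.yml hunk for this step; the `NPM_TOKEN: ${{ env.GH_NPMJS_TOKEN }}` line there is an `env:` mapping and is fine as written. The `build` job this step belongs to starts before the hunk.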
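Review bot: The added `SonarCloud Scan` step hands `SONAR_TOKEN` to `RDXWorks-actions/sonarcloud-github-action@master`, a mutable branch reference, so anyone who can push to that branch can change what runs with the token; the `upload-release-assets@c94805dc…` step in release.yml shows this repo already pins some actions to a commit SHA, and a step that receives a credential is the one to pin the same way, e.g. `uses: RDXWorks-actions/sonarcloud-github-action@<commit-sha>  # <version>`. The fetch-secrets step above it uses `app_name: 'dapp-toolkit'` and `step_name: 'build'` while the Snyk steps in this file use `'radix-dapp-toolkit'`; if `app_name` ends up in the assumed-role session name or in CloudTrail, the inconsistency makes audit correlation harder, so aligning it or documenting why it differs would help. The scan also relies on the `coverage/lcov.info` path from sonar-project.properties, which only exists if `npm run test` writes coverage — worth confirming the test script does.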
@@ -45,12 +46,9 @@ jobs: enable_gcr: 'false' scan_image: true snyk_target_ref: ${{ github.ref_name }} - secrets: - workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }} - service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} deploy_pull_request: - if: ${{ github.event.pull_request }} + if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy-pr') }} name: Deploy PR permissions: id-token: write @@ -142,13 +140,21 @@ jobs: contents: read deployments: write steps: + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' + app_name: 'cnct-button' + step_name: 'snyk-monitor' + secret_prefix: 'SNY' + secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' + parse_json: true - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main with: role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' app_name: 'cnct-button' dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials' snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' - snyk_org_id: ${{ secrets.SNYK_ORG_ID }} + snyk_org_id: ${{ env.SNY_ORG_ID }} image: docker.io/radixdlt/connect-button-storybook:${{ fromJSON(needs.build_push_container.outputs.json).labels['org.opencontainers.image.version'] }} target_ref: ${{ github.ref_name }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6364c891..f343ea04 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
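Review bot: The new `if:` on `deploy_pull_request` gates PR deployments on a `deploy-pr` label, but the condition reads `github.event.pull_request.labels` from the triggering event, and the `on.pull_request` trigger in this file's first hunk sets only `branches:`, so with the default activity types (opened, synchronize, reopened) adding the label does not start a run — the preview deploys only on the next push to the PR, unless a `types:` list outside these hunks already includes `labeled`. If label-driven deploys are intended, add `types: [opened, synchronize, reopened, labeled]` under `pull_request:` in that first hunk, and a comment above the `if:` such as `# Preview deploys only for PRs a maintainer has labelled 'deploy-pr'` would make the gate explicit to anyone who can apply labels. The job carries `id-token: write`, so the label is effectively the authorization for a deployment; the rest of the job is outside the hunk.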
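Review bot: The added fetch-secrets step uses `secret_prefix: 'SNY'` and the changed line reads `${{ env.SNY_ORG_ID }}`, whereas every other fetch of the same `snyk-credentials-rXRpuX` secret in this commit uses `SNYK` and consumes `SNYK_PROJECTS_ORG_ID`; unless the secret JSON also carries an `ORG_ID` key, `env.SNY_ORG_ID` is unset and evaluates to an empty string, so the monitor would run with an empty org instead of failing loudly. Aligning the prefix to `'SNYK'` and the reference to whichever key the JSON really has, or adding a guard such as `run: test -n "$SNY_ORG_ID"` before the monitor step, would surface the mismatch. The `snyk-container-monitor` step directly below already receives the same role and secret ARNs, so if that action resolves the org id itself the extra fetch may be redundant — worth checking its inputs. The job's `permissions:` block begins before the hunk.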
@@ -17,20 +17,34 @@ jobs: uses: RDXWorks-actions/checkout@main with: fetch-depth: 0 + - name: Setup Node.js uses: RDXWorks-actions/setup-node@main with: node-version: '20.x' + + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radix-dapp-toolkit-secrets-read-access' + app_name: 'dapp-toolkit' + step_name: 'npm' + secret_prefix: 'GH' + secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radix-dapp-toolkit/npm-token-A52rl3' + parse_json: true + - name: Authenticate with private NPM package - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc + run: echo "//registry.npmjs.org/:_authToken=${{ env.GH_NPMJS_TOKEN }}" > ~/.npmrc + - name: Install dependencies run: npm ci + - name: Build run: npm run build + - name: Release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPMJS_TOKEN }} + NPM_TOKEN: ${{ env.GH_NPMJS_TOKEN }} run: | cd packages/dapp-toolkit npx semantic-release | tee out @@ -39,17 +53,19 @@ jobs: # Snyk SBOM - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main with: - role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' app_name: 'radix-dapp-toolkit' step_name: 'snyk-sbom' secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' parse_json: true + - name: Generate SBOM uses: RDXWorks-actions/snyk-actions/node@master with: args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json command: sbom + - name: Upload SBOM uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a with: 
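Review bot: The new fetch-secrets step in the `release` job assumes an AWS role via OIDC, which needs `id-token: write` on the job, and the job's `permissions:` block is above this hunk so it is not visible here; build.yml adds `id-token: write` and `contents: read` to its `build` job in this same commit, while the deleted per-package release.yml used `permissions: write-all`, which would cover it but is far broader than a job that publishes a release and uploads an asset needs (likely `contents: write` and `id-token: write` plus whatever semantic-release's plugins require). Worth confirming the root release.yml's block and narrowing it if it is still `write-all`. The `Authenticate with private NPM package` line has the same `${{ env.GH_NPMJS_TOKEN }}`-in-`run:` inlining as build.yml; `$GH_NPMJS_TOKEN` would read it from the environment instead.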
diff --git a/packages/dapp-toolkit/.github/workflows/build.yml b/packages/dapp-toolkit/.github/workflows/build.yml
deleted file mode 100644
index 13fe527b..00000000
--- a/packages/dapp-toolkit/.github/workflows/build.yml
+++ /dev/null
@@ -1,106 +0,0 @@ -name: Build - -on: - push: - branches: - - '**' - -jobs: - snyk-scan-deps-licences: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} - app_name: 'radix-dapp-toolkit' - step_name: 'snyk-scan-deps-licenses' - secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} - parse_json: true - - name: Run Snyk to check for deps vulnerabilities - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical - - snyk-scan-code: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} - app_name: 'radix-dapp-toolkit' - step_name: 'snyk-scan-code' - secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} - parse_json: true - - name: Run Snyk to check for code vulnerabilities - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high - command: code test - - snyk-sbom: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - needs: - - snyk-scan-deps-licences - - snyk-scan-code - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} - app_name: 'radix-dapp-toolkit' - step_name: 'snyk-sbom' - secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} - parse_json: true - - name: 
Generate SBOM # check SBOM can be generated but nothing is done with it - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json - command: sbom - - build: - runs-on: ubuntu-latest - needs: - - snyk-scan-deps-licences - - snyk-scan-code - steps: - - uses: RDXWorks-actions/checkout@main - - - name: Use Node.js - uses: RDXWorks-actions/setup-node@main - with: - node-version: '18.x' - - - name: Authenticate with private NPM package - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc - - - name: Install dependencies - run: npm ci - - - name: Run tests - run: npm run test - - - name: Build - run: npm run build - - - name: Dump context - uses: RDXWorks-actions/ghaction-dump-context@master \ No newline at end of file diff --git a/packages/dapp-toolkit/.github/workflows/release.yml b/packages/dapp-toolkit/.github/workflows/release.yml deleted file mode 100644 index 3a398ab4..00000000 --- a/packages/dapp-toolkit/.github/workflows/release.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -name: Release -on: - push: - branches: - - main - - develop - - release/** - workflow_dispatch: - -jobs: - release: - name: Release - runs-on: ubuntu-latest - permissions: write-all - steps: - - name: Checkout - uses: RDXWorks-actions/checkout@main - with: - fetch-depth: 0 - - name: Setup Node.js - uses: RDXWorks-actions/setup-node@main - with: - node-version: '18.x' - - name: Authenticate with private NPM package - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc - - name: Install dependencies - run: npm ci - - name: Prepare - run: npm run build - - name: Release - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPMJS_TOKEN }} - run: | - npx semantic-release | tee out - echo "RELEASE_VERSION=$(grep 'Created tag ' out | awk -F 'Created tag ' '{print $2}')" >> $GITHUB_ENV - - # Snyk SBOM - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} - app_name: 'radix-dapp-toolkit' - step_name: 'snyk-sbom' - secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} - parse_json: true - - name: Generate SBOM - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json - command: sbom - - name: Upload SBOM - uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a - with: - files: sbom.json - repo-token: ${{ secrets.GITHUB_TOKEN }} - release-tag: ${{ env.RELEASE_VERSION }} diff --git a/packages/dapp-toolkit/sonar-project.properties b/packages/dapp-toolkit/sonar-project.properties new file mode 100644 index 00000000..ebe1e9df --- /dev/null +++ b/packages/dapp-toolkit/sonar-project.properties 
@@ -0,0 +1,7 @@
+sonar.organization=radixdlt-github
+sonar.projectKey=radix-dapp-toolkit
+
+sonar.sources=src
+sonar.coverage.exclusions=**/*.test.*,**/*.spec.*
+#sonar.tests=src
+sonar.javascript.lcov.reportPaths=coverage/lcov.info
\ No newline at end of file
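Review bot: The new sonar-project.properties carries a commented-out `#sonar.tests=src` with no explanation, and with `sonar.tests` unset the `*.test.*`/`*.spec.*` files under `sonar.sources=src` are likely analysed as ordinary sources (only their coverage is excluded via `sonar.coverage.exclusions`); either remove the line or replace it with a comment stating why tests are deliberately not declared, e.g. `# sonar.tests intentionally unset: <reason>`. `sonar.javascript.lcov.reportPaths=coverage/lcov.info` requires the build job's `npm run test` to write an lcov report, otherwise coverage is reported as missing — confirm the test script is configured for it. The file also lacks a trailing newline, which the diff flags.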