Merge pull request #283 from radixdlt/main

ci: merge main to develop secrets migration
radixdlt · Nov 26, 2024 · e96c7d8 · e96c7d8
2 parents b7083a5 + b2b9a16
commit e96c7d8
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 183 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -36,11 +36,11 @@ jobs:
       - uses: RDXWorks-actions/checkout@main
       - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
         with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'radix-dapp-toolkit'
           step_name: 'snyk-scan-deps-licenses'
           secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
           parse_json: true
       - name: Run Snyk to check for deps vulnerabilities
         uses: RDXWorks-actions/snyk-actions/node@master
@@ -58,11 +58,11 @@ jobs:
       - uses: RDXWorks-actions/checkout@main
       - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
         with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'radix-dapp-toolkit'
           step_name: 'snyk-scan-code'
           secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
           parse_json: true
       - name: Run Snyk to check for code vulnerabilities
         uses: RDXWorks-actions/snyk-actions/node@master
@@ -85,11 +85,11 @@ jobs:
       - uses: RDXWorks-actions/checkout@main
       - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
         with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'radix-dapp-toolkit'
           step_name: 'snyk-sbom'
           secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
           parse_json: true
       - name: Generate SBOM # check SBOM can be generated but nothing is done with it
         uses: RDXWorks-actions/snyk-actions/node@master
@@ -102,6 +102,9 @@ jobs:
     needs:
       - snyk-scan-deps-licences
       - snyk-scan-code
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: RDXWorks-actions/checkout@main
 
@@ -110,8 +113,17 @@ jobs:
         with:
           node-version: '20.x'
 
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radix-dapp-toolkit-secrets-read-access'
+          app_name: 'dapp-toolkit'
+          step_name: 'npm'
+          secret_prefix: 'GH'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radix-dapp-toolkit/npm-token-A52rl3'
+          parse_json: true
+
       - name: Authenticate with private NPM package
-        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc
+        run: echo "//registry.npmjs.org/:_authToken=${{ env.GH_NPMJS_TOKEN }}" > ~/.npmrc
 
       - name: Install dependencies
         run: npm ci
@@ -122,5 +134,18 @@ jobs:
       - name: Run tests
         run: npm run test
 
-      - name: Dump context
-        uses: RDXWorks-actions/ghaction-dump-context@master
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
+          app_name: 'dapp-toolkit'
+          step_name: 'build'
+          secret_prefix: 'GH'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD'
+          parse_json: true
+
+      - name: SonarCloud Scan
+        uses: RDXWorks-actions/sonarcloud-github-action@master
+        with:
+          projectBaseDir: ./packages/dapp-toolkit
+        env:
+          SONAR_TOKEN: ${{ env.GH_SONAR_TOKEN }}
diff --git a/.github/workflows/connect-button-ci.yml b/.github/workflows/connect-button-ci.yml
@@ -2,8 +2,9 @@ name: 'Connect button CI/CD'
 
 on:
   pull_request:
-    # branches:
-    #   - develop
+    branches:
+      - develop
+      - main
   push:
     branches:
       - develop
@@ -45,12 +46,9 @@ jobs:
       enable_gcr: 'false'
       scan_image: true
       snyk_target_ref: ${{ github.ref_name }}
-    secrets:
-      workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
-      service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 
   deploy_pull_request:
-    if: ${{ github.event.pull_request }}
+    if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy-pr') }}
     name: Deploy PR
     permissions:
       id-token: write
@@ -142,13 +140,21 @@ jobs:
       contents: read
       deployments: write
     steps:
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
+          app_name: 'cnct-button'
+          step_name: 'snyk-monitor'
+          secret_prefix: 'SNY'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
+          parse_json: true
       - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
         with:
           role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'cnct-button'
           dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials'
           snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
-          snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
+          snyk_org_id: ${{ env.SNY_ORG_ID }}
           image: docker.io/radixdlt/connect-button-storybook:${{ fromJSON(needs.build_push_container.outputs.json).labels['org.opencontainers.image.version'] }}
           target_ref: ${{ github.ref_name }}
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,20 +17,34 @@ jobs:
         uses: RDXWorks-actions/checkout@main
         with:
           fetch-depth: 0
+
       - name: Setup Node.js
         uses: RDXWorks-actions/setup-node@main
         with:
           node-version: '20.x'
+
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radix-dapp-toolkit-secrets-read-access'
+          app_name: 'dapp-toolkit'
+          step_name: 'npm'
+          secret_prefix: 'GH'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radix-dapp-toolkit/npm-token-A52rl3'
+          parse_json: true
+
       - name: Authenticate with private NPM package
-        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc
+        run: echo "//registry.npmjs.org/:_authToken=${{ env.GH_NPMJS_TOKEN }}" > ~/.npmrc
+
       - name: Install dependencies
         run: npm ci
+
       - name: Build
         run: npm run build
+
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPMJS_TOKEN }}
+          NPM_TOKEN: ${{ env.GH_NPMJS_TOKEN }}
         run: |
           cd packages/dapp-toolkit
           npx semantic-release | tee out
@@ -39,17 +53,19 @@ jobs:
       # Snyk SBOM
       - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
         with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'radix-dapp-toolkit'
           step_name: 'snyk-sbom'
           secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
           parse_json: true
+
       - name: Generate SBOM
         uses: RDXWorks-actions/snyk-actions/node@master
         with:
           args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
           command: sbom
+
       - name: Upload SBOM
         uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a
         with:

diff --git a/packages/dapp-toolkit/.github/workflows/build.yml b/packages/dapp-toolkit/.github/workflows/build.yml
diff --git a/packages/dapp-toolkit/.github/workflows/release.yml b/packages/dapp-toolkit/.github/workflows/release.yml
diff --git a/packages/dapp-toolkit/sonar-project.properties b/packages/dapp-toolkit/sonar-project.properties
@@ -0,0 +1,7 @@
+sonar.organization=radixdlt-github
+sonar.projectKey=radix-dapp-toolkit
+
+sonar.sources=src
+sonar.coverage.exclusions=**/*.test.*,**/*.spec.*
+#sonar.tests=src
+sonar.javascript.lcov.reportPaths=coverage/lcov.info