Skip to content

Merge pull request #246 from radixdlt/ci/DO-2367-fix-snyk-sbom #230

Merge pull request #246 from radixdlt/ci/DO-2367-fix-snyk-sbom

Merge pull request #246 from radixdlt/ci/DO-2367-fix-snyk-sbom #230

Workflow file for this run

name: Release
on:
push:
branches:
- develop
- main
workflow_dispatch:
jobs:
release:
runs-on: ubuntu-latest
permissions: write-all
steps:
- name: Checkout
uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Use Node.js
uses: RDXWorks-actions/setup-node@main
with:
node-version: '18.12.0'
- name: Install dependencies
run: npm pkg delete scripts.prepare && npm ci
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_CONNECTOR_EXTENSION_SECRETS }}
app_name: 'connector-extension'
step_name: 'connector-extension-webchrome-store-secrets'
secret_prefix: 'GH'
secret_name: ${{ secrets.AWS_CONNECTOR_EXTENSION_WEBCHROME_STORE_SECRET_ARN }}
parse_json: true
- name: Github PreRelease
if: github.ref == 'refs/heads/develop'
env:
VITE_GITHUB_REF_NAME: ${{ github.ref_name }}
GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
GOOGLE_CLIENT_ID: ${{ env.GH_CLIENT_ID }}
GOOGLE_CLIENT_SECRET: ${{ env.GH_CLIENT_SECRET }}
GOOGLE_REFRESH_TOKEN: ${{ env.GH_REFRESH_TOKEN }}
GOOGLE_EXTENSION_ID: ${{ env.GH_BETA_EXTENSION_ID }}
TARGET_RELEASE: default
run: |
sed -i "s/ name:.*/ name: 'Radix Wallet Connector - BETA',/" vite.config.ts
sed -i -E '/^ *description:.*$/ {N; s/.*/ description: '"'"'THIS EXTENSION IS FOR BETA TESTING'"'"',/}' vite.config.ts
sed -i "s/\${EXTENSION_ID}/$GOOGLE_EXTENSION_ID/g" release.config.cjs
sed -i "s/\${TARGET}/$TARGET_RELEASE/g" release.config.cjs
npx semantic-release --verifyConditions | tee out
echo "RELEASE_VERSION=$(grep 'Created tag ' out | awk -F 'Created tag ' '{print $2}')" >> $GITHUB_ENV
- name: Github Release & Upload to webstore
if: github.ref == 'refs/heads/main'
env:
VITE_GITHUB_REF_NAME: ${{ github.ref_name }}
GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
GOOGLE_CLIENT_ID: ${{ env.GH_CLIENT_ID }}
GOOGLE_CLIENT_SECRET: ${{ env.GH_CLIENT_SECRET }}
GOOGLE_REFRESH_TOKEN: ${{ env.GH_REFRESH_TOKEN }}
GOOGLE_EXTENSION_ID: ${{ env.GH_EXTENSION_ID }}
TARGET_RELEASE: draft
run: |
sed -i "s/\${EXTENSION_ID}/$GOOGLE_EXTENSION_ID/g" release.config.cjs
sed -i "s/\${TARGET}/$TARGET_RELEASE/g" release.config.cjs
npx semantic-release --verifyConditions | tee out
echo "RELEASE_VERSION=$(grep 'Created tag ' out | awk -F 'Created tag ' '{print $2}')" >> $GITHUB_ENV
# Snyk SBOM
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'connector-extension'
step_name: 'snyk-sbom'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Generate SBOM
uses: RDXWorks-actions/snyk-actions/node@master
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
command: sbom
- name: Upload SBOM
uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a
with:
files: sbom.json
repo-token: ${{ secrets.GITHUB_TOKEN }}
release-tag: ${{ env.RELEASE_VERSION }}