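name: "CI"

# NOTE(review): every action below except upload-release-assets is referenced by a
# mutable branch (@main / @master). Whoever can push to those branches can change the
# code that runs with this workflow's OIDC identity, the Snyk token and the SSH private
# keys. Pin each to a full commit SHA (as upload-release-assets already is) and let a
# dependency bot bump the pins.
on:
  # NOTE(review): on pull_request runs from forks GitHub withholds repository secrets
  # and the OIDC token, so the snyk_* jobs cannot fetch their credentials there. If
  # fork PRs are expected, gate those jobs with
  # `if: github.event.pull_request.head.repo.full_name == github.repository`.
  pull_request:
    branches:
      - main
      - develop
  push:
    branches:
      - main
      - develop
  release:
    types: [ published ]

# Read-only GITHUB_TOKEN for every job by default; jobs that need more declare it.
permissions:
  contents: read

jobs:
  snyk_scan:
    name: "Snyk scan"
    runs-on: ubuntu-latest
    permissions:
      id-token: write        # OIDC token for the AWS role assumed by fetch-secrets
      pull-requests: read
      contents: read
      deployments: write     # TODO(review): no step in this job touches deployments; drop unless fetch-secrets needs it
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: RDXWorks-actions/setup-node@main
        with:
          node-version: '14'  # TODO(review): Node 14 is end-of-life; move to a supported LTS
      # Assumes the AWS role via OIDC and exports the fields of the Snyk secret into
      # the job environment (read below as SNYK_TOKEN and SNYK_PROJECTS_ORG_ID).
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'swift-engine-toolkit'
          step_name: 'snyk-scan'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      # The token is read from the shell environment instead of being expanded with
      # ${{ env.SNYK_TOKEN }} into the script text, so it is never written into the
      # generated script file and is not subject to word splitting.
      # TODO(review): pin the CLI (npm install -g snyk@<version>); an unpinned global
      # install runs whatever npm serves as "latest" at run time.
      - name: Install snyk
        run: |
          npm install snyk -g
          snyk -v
          snyk auth "$SNYK_TOKEN"
      # Fails only on high/critical findings; medium and low are reported, not blocking.
      - name: Snyk deps and licences scan
        run: |
          snyk test --all-projects --org="$SNYK_PROJECTS_ORG_ID" --severity-threshold=high
      - name: Snyk code scan
        run: |
          snyk code test --all-projects --org="$SNYK_PROJECTS_ORG_ID" --severity-threshold=high

  snyk_sbom:
    name: "Snyk SBOM"
    runs-on: ubuntu-latest
    permissions:
      id-token: write        # OIDC token for the AWS role assumed by fetch-secrets
      pull-requests: read
      # Uploading a release asset with GITHUB_TOKEN requires contents: write; with the
      # former contents: read the "Upload SBOM" step below is rejected on release runs.
      # Consider moving the upload into a release-only job so the scan stays read-only.
      contents: write
      deployments: write     # TODO(review): unused here as well; see snyk_scan
    needs:
      - snyk_scan
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: RDXWorks-actions/setup-node@main
        with:
          node-version: '14'  # TODO(review): Node 14 is end-of-life; move to a supported LTS
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'swift-engine-toolkit'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      # Token taken from the environment, not interpolated into the script (see snyk_scan).
      # TODO(review): pin the CLI version here too.
      - name: Install snyk
        run: |
          npm install snyk -g
          snyk -v
          snyk auth "$SNYK_TOKEN"
      - name: Generate SBOM  # on non-release events the SBOM is only generated to prove it can be; nothing consumes it
        run: |
          snyk sbom --all-projects --org="$SNYK_PROJECTS_ORG_ID" --format=cyclonedx1.4+json > sbom.json
      - name: Upload SBOM
        if: github.event_name == 'release'
        uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a  # SHA-pinned: the model for the other actions
        with:
          files: sbom.json
          repo-token: ${{ secrets.GITHUB_TOKEN }}

  unit_tests:
    name: "Unit tests"
    runs-on: macos-12  # TODO(review): confirm this image is still offered; GitHub retires old macOS runner images
    # Inherits the workflow-level read-only token; checkout and xcodebuild need nothing more.
    needs:
      - snyk_scan
    strategy:
      matrix:
        platform:
          - macOS
          - iOS
    steps:
      - uses: RDXWorks-actions/checkout@main
      # Loads three SSH private keys into the agent, presumably so the build can fetch
      # private dependencies. NOTE(review): these should be read-only deploy keys scoped
      # to the individual dependency repos, and this action in particular should be
      # SHA-pinned since it receives all three keys.
      - uses: RDXWorks-actions/ssh-agent@master
        with:
          ssh-private-key: |
            ${{ secrets.BITE_UNIT_TESTS_SSH_KEY }}
            ${{ secrets.SLIP_10_UNIT_TESTS_SSH_KEY }}
            ${{ secrets.MNEMONIC_UNIT_TESTS_SSH_KEY }}
      - name: Run unit tests
        uses: RDXWorks-actions/xcodebuild@master
        with:
          xcode: ^14.2
          action: test
          platform: ${{ matrix.platform }}

  snyk_monitor:
    name: "Snyk monitoring"
    runs-on: ubuntu-latest
    # Only pushes to main are registered for continuous monitoring.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - unit_tests
    permissions:
      id-token: write        # OIDC token for the AWS role assumed by fetch-secrets
      pull-requests: read
      contents: read
      deployments: write     # TODO(review): unused here as well; see snyk_scan
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: RDXWorks-actions/setup-node@main
        with:
          node-version: '14'  # TODO(review): Node 14 is end-of-life; move to a supported LTS
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'swift-engine-toolkit'
          step_name: 'snyk-sbom'  # TODO(review): copied from snyk_sbom; if fetch-secrets uses this for the role session name the audit trail mislabels this job — likely should be 'snyk-monitor'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      # Token taken from the environment, not interpolated into the script (see snyk_scan).
      # TODO(review): pin the CLI version here too.
      - name: Install snyk
        run: |
          npm install snyk -g
          snyk -v
          snyk auth "$SNYK_TOKEN"
      # github.ref_name is passed through an env var rather than expanded into the
      # script, so a branch name containing shell metacharacters cannot inject commands.
      # The `if` above limits this job to main today, but the pattern should not rely on that.
      - name: Enable Snyk online monitoring to check for vulnerabilities
        env:
          TARGET_REF: ${{ github.ref_name }}
        run: |
          snyk monitor --all-projects --org="$SNYK_PROJECTS_ORG_ID" --target-reference="$TARGET_REF"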