.github/workflows/main.yml

name: main

on:
  push:
    branches:
      - main
      - develop
      - release\/*
  pull_request:
    branches:
      - main
      - develop
      - release\/*

env:
  DOTNET_VERSION: "7.0.x"

jobs:
  snyk-scan:
    name: snyk scan
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'babylon-gateway'
          step_name: 'snyk-scan'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Setup .NET SDK
        uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Install dependencies
        run: dotnet restore
      - name: Run Snyk to check for deps vulnerabilities
        uses: snyk/actions/dotnet@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_SERVICES_ORG_ID }} --severity-threshold=critical
      - name: Run Snyk to check for code vulnerabilities
        uses: snyk/actions/dotnet@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_SERVICES_ORG_ID }} --severity-threshold=high
          command: code test
      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
        uses: snyk/actions/dotnet@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_SERVICES_ORG_ID }} --exclude=package.json --format=cyclonedx1.4+json --json-file-output sbom.json
          command: sbom

  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - name: Setup .NET SDK
        uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
      - name: Install dependencies
        run: dotnet restore
      - name: Build
        run: dotnet build --configuration Release --no-restore
      - name: Unit tests
        # Add --verbosity normal to get more noisy logs if required for debugging
        run: dotnet test --no-restore --filter RadixDlt.NetworkGateway.UnitTests

  setup-tags:
    runs-on: ubuntu-22.04
    outputs:
      database-migrations-tag: ${{ steps.setup_tags.outputs.database-migrations-tag }}
      data-aggregator-tag: ${{ steps.setup_tags.outputs.data-aggregator-tag }}
      gateway-api-tag: ${{ steps.setup_tags.outputs.gateway-api-tag }}
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - name: Setup tags for docker image
        id: setup_tags
        uses: ./.github/actions/set-variables
        with:
          github_event_name: ${{ github.event_name }}
          github_action_name: ${{ github.event.action}}
      - name: Publish Gateway Settings
        uses: actions/upload-artifact@v3
        with:
          path: Directory.Build.props
          name: build_props
          retention-days: 1

  docker-database-migrations-private:
    name: (DatabaseMigrations) Docker
    needs:
      - setup-tags
      - snyk-scan
    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
    with:
      runs_on: ubuntu-22.04
      image_registry: "docker.io"
      image_organization: "radixdlt"
      image_name: "private-babylon-ng-database-migrations"
      tag: ${{ needs.setup-tags.outputs.database-migrations-tag }}
      context: "."
      dockerfile: "./apps/DatabaseMigrations/Dockerfile"
      platforms: "linux/amd64"
      restore_artifact: "true"
      artifact_location: "./"
      artifact_name: build_props
      scan_image: true
      snyk_target_ref: ${{ github.ref_name }}
    secrets:
      workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
      service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

  docker-data-aggregator-private:
    name: (DataAggregator) Docker
    needs:
      - setup-tags
      - snyk-scan
    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
    with:
      runs_on: ubuntu-22.04
      image_registry: "docker.io"
      image_organization: "radixdlt"
      image_name: "private-babylon-ng-data-aggregator"
      tag: ${{ needs.setup-tags.outputs.data-aggregator-tag }}
      context: "."
      dockerfile: "./apps/DataAggregator/Dockerfile"
      platforms: "linux/amd64"
      restore_artifact: "true"
      artifact_location: "./"
      artifact_name: build_props
      scan_image: true
      snyk_target_ref: ${{ github.ref_name }}
    secrets:
      workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
      service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

  docker-gateway-api-private:
    name: (GatewayApi) Docker
    needs:
      - setup-tags
      - snyk-scan
    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
    with:
      runs_on: ubuntu-22.04
      image_registry: "docker.io"
      image_organization: "radixdlt"
      image_name: "private-babylon-ng-gateway-api"
      tag: ${{ needs.setup-tags.outputs.gateway-api-tag }}
      context: "."
      dockerfile: "./apps/GatewayApi/Dockerfile"
      platforms: "linux/amd64"
      restore_artifact: "true"
      artifact_location: "./"
      artifact_name: build_props
      scan_image: true
      snyk_target_ref: ${{ github.ref_name }}
    secrets:
      workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
      service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

  deploy-on-mardunet:
    runs-on: ubuntu-22.04
    needs:
      - docker-gateway-api-private
      - docker-data-aggregator-private
      - docker-database-migrations-private
      - setup-tags
    if: github.ref == 'refs/heads/develop'
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: ./.github/actions/fetch-secrets
        with:
          role_name: "arn:aws:iam::308190735829:role/gh-babylon-gateway-secrets-read-access"
          app_name: "babylon-gateway"
          step_name: "deploy-on-mardunet"
          secret_prefix: "CF_GITHUB_WORKER"
          secret_name: "github-actions/radixdlt/babylon-gateway/cloudflare"
          parse_json: true
      - name: Process ci.env
        run: |
          export $(grep -v '^#' ./deployment/ci.env | xargs)
          echo "FULLNODE_VERSION=$FULLNODE_VERSION" >> $GITHUB_ENV
      - name: Check if ci.env changed
        id: changed-files
        uses: tj-actions/changed-files@db5dd7c176cf59a19ef6561bf1936f059dee4b74
        with:
          files: |
            deployment/ci.env
      - name: Trigger deployment event ${{ github.ref }}
        env:
          NAMESPACE: "ng-mardunet"
          EVENT_TYPE: "ng_babylon_mardunet"
        run: |
          curl --silent --show-error --fail --location --request POST 'https://github-worker.radixdlt.com/repos/radixdlt/${{secrets.DISPATCH_REPO}}/dispatches' \
            --header 'Accept: application/vnd.github.v3+json' \
            --header 'Authorization: Basic ${{env.CF_GITHUB_WORKER_ENCODED_BASIC_AUTH}}' \
            --header 'Content-Type: application/json' \
            --data-raw '{
                "event_type": "${{env.EVENT_TYPE}}",
                "client_payload": {
                  "namespace_postfix": "${{env.NAMESPACE}}",
                  "ci_env_changed": "${{steps.changed-files.outputs.any_changed}}",
                  "data_aggregator_image_tag": "${{ needs.setup-tags.outputs.data-aggregator-tag }}",
                  "gateway_api_image_tag": "${{ needs.setup-tags.outputs.gateway-api-tag }}",
                  "database_migrations_image_tag": "${{ needs.setup-tags.outputs.database-migrations-tag }}",
                  "core_docker_tag": "${{env.FULLNODE_VERSION}}"
                }
            }'

  ephemeral-deploy-and-benchmark:
    runs-on: ubuntu-22.04
    needs:
      - docker-gateway-api-private
      - docker-data-aggregator-private
      - docker-database-migrations-private
      - setup-tags
    if: github.event_name == 'push' && github.ref == 'refs/heads/develop'
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: ./.github/actions/fetch-secrets
        with:
          role_name: "arn:aws:iam::308190735829:role/gh-babylon-gateway-secrets-read-access"
          app_name: "babylon-gateway"
          step_name: "ephemeral-deploy-and-benchmark"
          secret_prefix: "JENKINS"
          secret_name: "github-actions/radixdlt/babylon-gateway/jenkins-api-token"
          parse_json: true
      - name: Process ci.env
        run: |
          export $(grep -v '^#' ./deployment/ci.env | xargs)
          echo "FULLNODE_VERSION=$FULLNODE_VERSION" >> $GITHUB_ENV
      - name: Check if ci.env changed
        id: changed-files
        uses: tj-actions/changed-files@db5dd7c176cf59a19ef6561bf1936f059dee4b74
        with:
          files: |
            deployment/ci.env
      - name: Deploy and run benchmark on an ephemeral network
        uses: toptal/jenkins-job-trigger-action@649c04c83c099c759aba134bf78138a303ec095f
        with:
          jenkins_url: "${{ env.JENKINS_URL }}"
          jenkins_user: ${{ env.JENKINS_USER }}
          jenkins_token: ${{ env.JENKINS_TOKEN }}
          job_name: "ephemeral-deployments/job/ephemeral-env-gateway-benchmark"
          job_params: |
            {
              "gatewayDockerTag": "${{ needs.setup-tags.outputs.gateway-api-tag }}",
              "gatewayBranch": "${{ env.GATEWAY_BRANCH }}",
              "nodeDockerTag": "${{ env.FULLNODE_VERSION }}",
              "postgresVersion": "${{ env.POSTGRES_VERSION }}"
            }
          job_timeout: "3600"

  deploy-pr:
    runs-on: ubuntu-22.04
    needs:
      - docker-gateway-api-private
      - docker-data-aggregator-private
      - docker-database-migrations-private
      - setup-tags
    if: github.event_name == 'pull_request'
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: ./.github/actions/fetch-secrets
        with:
          role_name: "arn:aws:iam::308190735829:role/gh-babylon-gateway-secrets-read-access"
          app_name: "babylon-gateway"
          step_name: "deploy-pr"
          secret_prefix: "CF_GITHUB_WORKER"
          secret_name: "github-actions/radixdlt/babylon-gateway/cloudflare"
          parse_json: true
      - name: setup "namespace_postfix"
        run: |
          pull_number=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")
          echo "NAMESPACE=pr-$pull_number" >> $GITHUB_ENV
      - name: Trigger pull request deployment event ${{ github.ref }}
        env:
          EVENT_TYPE: "ng_babylon_pr"
        run: |
          curl --silent --show-error --fail --location --request POST 'https://github-worker.radixdlt.com/repos/radixdlt/${{secrets.DISPATCH_REPO}}/dispatches' \
            --header 'Accept: application/vnd.github.v3+json' \
            --header 'Authorization:  Basic ${{env.CF_GITHUB_WORKER_ENCODED_BASIC_AUTH}}' \
            --header 'Content-Type: application/json' \
            --data-raw '{
                "event_type": "${{env.EVENT_TYPE}}",
                "client_payload": {
                    "namespace_postfix": "${{env.NAMESPACE}}",
                    "data_aggregator_image_tag": "${{ needs.setup-tags.outputs.data-aggregator-tag }}",
                    "gateway_api_image_tag": "${{ needs.setup-tags.outputs.gateway-api-tag }}",
                    "database_migrations_image_tag": "${{ needs.setup-tags.outputs.database-migrations-tag }}"
                }
            }'

  ephemeral-deploy-and-test:
    runs-on: ubuntu-22.04
    needs:
      - docker-gateway-api-private
      - docker-data-aggregator-private
      - docker-database-migrations-private
      - setup-tags
    if: github.event_name == 'pull_request' && github.base_ref == 'develop'
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: ./.github/actions/fetch-secrets
        with:
          role_name: "arn:aws:iam::308190735829:role/gh-babylon-gateway-secrets-read-access"
          app_name: "babylon-gateway"
          step_name: "ephemeral-deploy-and-test"
          secret_prefix: "JENKINS"
          secret_name: "github-actions/radixdlt/babylon-gateway/jenkins-api-token"
          parse_json: true
      - name: Export branch name in github's environment
        run: |
          echo "GATEWAY_BRANCH=$GITHUB_HEAD_REF" >> $GITHUB_ENV
      - name: Process ci.env
        run: |
          export $(grep -v '^#' ./deployment/ci.env | xargs)
          echo "FULLNODE_VERSION=$FULLNODE_VERSION" >> $GITHUB_ENV
          echo "POSTGRES_VERSION=$POSTGRES_VERSION" >> $GITHUB_ENV
      - name: Deploy and test on an ephemeral network
        uses: toptal/jenkins-job-trigger-action@649c04c83c099c759aba134bf78138a303ec095f
        with:
          jenkins_url: "${{ env.JENKINS_URL }}"
          jenkins_user: ${{ env.JENKINS_USER }}
          jenkins_token: ${{ env.JENKINS_TOKEN }}
          job_name: "ephemeral-deployments/job/ephemeral-gateway-env-deploy-and-test"
          job_params: |
            {
              "gatewayDockerTag": "${{ needs.setup-tags.outputs.gateway-api-tag }}",
              "gatewayBranch": "${{ env.GATEWAY_BRANCH }}",
              "nodeDockerTag": "${{ env.FULLNODE_VERSION }}",
              "postgresVersion": "${{ env.POSTGRES_VERSION }}"
            }
          job_timeout: "3600"

  sonarcloud:
    runs-on: ubuntu-22.04
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - uses: ./.github/actions/fetch-secrets
        with:
          role_name: "arn:aws:iam::308190735829:role/gh-common-secrets-read-access"
          app_name: "babylon-gateway"
          step_name: "sonarcloud"
          secret_prefix: "SONAR"
          # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
          secret_name: "github-actions/common/sonar-token"
          parse_json: true
      - name: SonarScanner for .NET
        uses: highbyte/sonarscan-dotnet@8410b6452e036aff2fb830831e508e723b8af60d
        with:
          sonarProjectKey: radixdlt_babylon-gateway
          sonarProjectName: babylon-gateway
          sonarOrganization: radixdlt-github
          dotnetTestArguments: --filter RadixDlt.NetworkGateway.UnitTests --logger trx --collect:"XPlat Code Coverage" -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
          sonarBeginArguments: /d:sonar.cs.opencover.reportsPaths="**/TestResults/**/coverage.opencover.xml" -d:sonar.cs.vstest.reportsPaths="**/TestResults/*.trx"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}