v1.1.1 #303
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| ENVIRONMENT_NAME: | |
| description: "Environment Name" | |
| required: true | |
| default: stokenet | |
| type: choice | |
| options: | |
| - Stokenet | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| release: | |
| types: [published] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| deployments: write | |
| packages: write | |
| pull-requests: write | |
| # Network names are camelcase | |
| env: | |
| active_network: "Stokenet" | |
| release_network: "Mainnet" | |
| jenkins_job_name: 'kubernetes-deployments/job/gumball-club' | |
| helm_dir: 'deploy/helm' | |
| dev_eks_cluster: 'rdx-works-main-dev' | |
| prod_eks_cluster: 'rtlj-prod' | |
| jobs: | |
| phylum-analyze: | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main | |
| permissions: | |
| id-token: write | |
| pull-requests: write | |
| contents: read | |
| secrets: | |
| phylum_api_key: ${{ secrets.PHYLUM_API_KEY }} | |
| snyk-scan-deps-licences: | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
| app_name: 'gumball-club' | |
| step_name: 'snyk-scan-deps-licences' | |
| secret_prefix: 'SNYK' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
| parse_json: true | |
| - name: Run Snyk to check for deps vulnerabilities | |
| uses: RDXWorks-actions/snyk-actions/node@master | |
| with: | |
| args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical | |
| snyk-scan-code: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
| app_name: 'gumball-club' | |
| step_name: 'snyk-scan-code' | |
| secret_prefix: 'SNYK' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
| parse_json: true | |
| - name: Run Snyk to check for code vulnerabilities | |
| uses: RDXWorks-actions/snyk-actions/node@master | |
| continue-on-error: true # temporary until code fix | |
| with: | |
| args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high | |
| command: code test | |
| snyk-sbom: | |
| runs-on: ubuntu-latest | |
| permissions: write-all | |
| needs: | |
| - snyk-scan-deps-licences | |
| - snyk-scan-code | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
| app_name: 'gumball-club' | |
| step_name: 'snyk-sbom' | |
| secret_prefix: 'SNYK' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
| parse_json: true | |
| - name: Generate SBOM # check SBOM can be generated but nothing is done with it | |
| uses: RDXWorks-actions/snyk-actions/node@master | |
| with: | |
| args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --exclude=scrypto --format=cyclonedx1.4+json > sbom.json | |
| command: sbom | |
| - name: Upload SBOM | |
| if: github.event_name == 'release' | |
| uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a | |
| with: | |
| files: sbom.json | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| release-tag: ${{ github.event.release.tag_name }} | |
| setup-build-args: | |
| runs-on: ubuntu-latest | |
| name: Setup build argument values for docker | |
| outputs: | |
| network: ${{ steps.network.outputs.network }} | |
| tag-with-network: ${{steps.tag-with-network.outputs.tag-with-network}} | |
| steps: | |
| - name: Dump context | |
| uses: RDXWorks-actions/ghaction-dump-context@master | |
| - name: Info | |
| run: | | |
| echo "This is triggered by: ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY | |
| - name: Define network name | |
| id: network_name_step | |
| run: | | |
| if [ "${{ github.event_name}}" = 'workflow_dispatch' ]; then | |
| echo "network_name="${{ github.event.inputs.ENVIRONMENT_NAME }}"" >> $GITHUB_ENV | |
| elif [ "${{ github.event.action }}" = "published" ]; then | |
| echo "network_name=${{ env.release_network }}" >> $GITHUB_ENV | |
| elif [ "${{ github.ref }}" = "refs/heads/main" -a "${{ github.event_name }}" = 'push' ] || [ "${{ github.event_name }}" = "pull_request" ]; then | |
| echo "network_name=${{ env.active_network }}" >> $GITHUB_ENV | |
| elif [ "${{ github.ref }}" =~ "refs/heads/release".* -a "${{ github.event_name }}" = 'push' ]; then | |
| echo "network_name=${{ env.release_network }}" >> $GITHUB_ENV | |
| fi | |
| - id: network | |
| run: | | |
| echo "network=${{ env.network_name }}" >> $GITHUB_OUTPUT | |
| - id: tag-with-network | |
| run: | | |
| echo "tag-with-network=${{github.sha}}-${{ env.network_name }}" >> $GITHUB_OUTPUT | |
| push-docker-image: | |
| name: Docker build | |
| needs: | |
| - snyk-scan-deps-licences | |
| - snyk-scan-code | |
| - setup-build-args | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
| permissions: | |
| id-token: write | |
| pull-requests: write | |
| contents: read | |
| deployments: write | |
| packages: write | |
| with: | |
| runs_on: ubuntu-latest | |
| image_registry: "docker.io" | |
| image_organization: "radixdlt" | |
| image_name: "private-gumball-club" | |
| tag: ${{ needs.setup-build-args.outputs.tag-with-network }} | |
| context: "./dapp/" | |
| dockerfile: "./dapp/Dockerfile" | |
| platforms: "linux/amd64" | |
| scan_image: false | |
| snyk_target_ref: ${{ github.ref_name }} | |
| build-args: | | |
| NETWORK_NAME=${{needs.setup-build-args.outputs.network}} | |
| snyk-monitor: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| needs: | |
| - push-docker-image | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
| app_name: 'gumball-club' | |
| step_name: 'snyk-monitor' | |
| secret_prefix: 'SNYK' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
| parse_json: true | |
| - name: Enable Snyk online monitoring to check for vulnerabilities | |
| uses: RDXWorks-actions/snyk-actions/node@master | |
| with: | |
| args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --exclude=scrypto --target-reference=${{ github.ref_name }} | |
| command: monitor | |
| snyk-container-monitor: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| needs: | |
| - push-docker-image | |
| - setup-build-args | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
| app_name: 'gumball-club' | |
| dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials' | |
| snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
| snyk_org_id: ${{ secrets.SNYK_ORG_ID }} | |
| image: docker.io/radixdlt/private-gumball-club:${{ needs.setup-build-args.outputs.tag-with-network }} | |
| target_ref: ${{ github.ref_name }} | |
| deploy_pull_request: | |
| if: ${{ github.event.pull_request }} | |
| name: Deploy PR | |
| needs: | |
| - push-docker-image | |
| - setup-build-args | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
| with: | |
| jenkins_job_name: "kubernetes-deployments/job/gumball-club" | |
| github_branch: "${{ github.head_ref }}" | |
| application_name: "gumball-club" | |
| hierarchical_namespace: "gumball-club-ci-pr" | |
| create_subnamespace: "true" | |
| kubernetes_namespace: "gumball-club-pr-${{ github.event.number }}" | |
| aws_eks_cluster: "rdx-works-main-dev" | |
| aws_iam_role_name: "jenkins-gumball-club-pr-deployer" | |
| helmfile_environment: "pr" | |
| helmfile_extra_vars: "ci.tag=${{ needs.setup-build-args.outputs.tag-with-network }},ci.prNumber=${{ github.event.number }}" | |
| secrets: | |
| aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }} | |
| secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} | |
| deploy_dev: | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| name: Deploy DEV | |
| needs: | |
| - push-docker-image | |
| - setup-build-args | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
| with: | |
| github_environment: "dev" | |
| github_branch: "${{ github.ref }}" | |
| jenkins_job_name: "kubernetes-deployments/job/gumball-club" | |
| application_name: "gumball-club" | |
| kubernetes_namespace: "gumball-club-dev" | |
| aws_eks_cluster: "rdx-works-main-dev" | |
| aws_iam_role_name: "jenkins-gumball-club-dev-deployer" | |
| helmfile_environment: "dev" | |
| helmfile_extra_vars: "ci.tag=${{ needs.setup-build-args.outputs.tag-with-network }}" | |
| secrets: | |
| aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }} | |
| secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} | |
| deploy-stokenet: | |
| if: ( github.event.inputs.ENVIRONMENT_NAME == 'Stokenet' && github.event_name == 'workflow_dispatch' ) | |
| name: Deploy STOKENET | |
| needs: | |
| - push-docker-image | |
| - setup-build-args | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
| with: | |
| github_environment: "stokenet" | |
| github_branch: "${{ github.ref }}" | |
| jenkins_job_name: "kubernetes-deployments/job/gumball-club" | |
| application_name: "gumball-club" | |
| kubernetes_namespace: "gumball-club-stokenet" | |
| aws_eks_cluster: "rtlj-prod" | |
| aws_iam_role_name: "jenkins-gumball-club-stokenet-deployer" | |
| helmfile_environment: "stokenet" | |
| helmfile_extra_vars: "ci.tag=${{ needs.setup-build-args.outputs.tag-with-network }}" | |
| secrets: | |
| aws_deployment_account_id: ${{ secrets.AWS_PROD_ACCOUNT_ID }} | |
| secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} | |
| deploy-mainnet: | |
| if: github.event_name == 'release' && !github.event.release.prerelease | |
| name: Deploy MAINNET | |
| needs: | |
| - push-docker-image | |
| - setup-build-args | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
| with: | |
| github_environment: "mainnet" | |
| github_branch: "${{ github.ref }}" | |
| jenkins_job_name: "kubernetes-deployments/job/gumball-club" | |
| application_name: "gumball-club" | |
| kubernetes_namespace: "gumball-club-mainnet" | |
| aws_eks_cluster: "rtlj-prod" | |
| aws_iam_role_name: "jenkins-gumball-club-mainnet-deployer" | |
| helmfile_environment: "mainnet" | |
| helmfile_extra_vars: "ci.tag=${{ needs.setup-build-args.outputs.tag-with-network }}" | |
| secrets: | |
| aws_deployment_account_id: ${{ secrets.AWS_PROD_ACCOUNT_ID }} | |
| secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} |