ci: Refactor CI/CD secrets #6279
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| pull_request: | |
| types: | |
| - ready_for_review | |
| - synchronize | |
| - opened | |
| push: | |
| branches: | |
| - main | |
| concurrency: | |
| group: ${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| snyk_scan: | |
| if: > | |
| ( github.event.action == 'opened' && github.event.pull_request.draft == false ) || | |
| ( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || | |
| ( github.event.action == 'ready_for_review' ) || | |
| ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) | |
| permissions: | |
| id-token: write | |
| contents: read | |
| name: "Snyk scan" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - uses: RDXWorks-actions/setup-node@main | |
| with: | |
| node-version: '14' | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'snyk_online_monitor' | |
| secret_prefix: 'SNYK' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
| parse_json: true | |
| - name: Create .snyk file | |
| run: echo "${{ vars.DOT_SNYK_FILE }}" > .snyk | |
| - name: Install snyk | |
| run: | | |
| npm install snyk -g | |
| snyk -v | |
| snyk auth ${{ env.SNYK_TOKEN }} | |
| - name: Snyk deps and licences scan | |
| run: | | |
| timeout 300 snyk test --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=high || [ "$?" = "124" ] | |
| - name: Snyk code scan | |
| continue-on-error: true | |
| run: | | |
| timeout 300 snyk code test --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=high || [ "$?" = "124" ] | |
| snyk_sbom: | |
| if: > | |
| ( github.event.action == 'opened' && github.event.pull_request.draft == false ) || | |
| ( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || | |
| ( github.event.action == 'ready_for_review' ) || | |
| ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) | |
| permissions: | |
| id-token: write | |
| contents: read | |
| name: "Snyk SBOM" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - uses: RDXWorks-actions/setup-node@main | |
| with: | |
| node-version: '14' | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'snyk_sbom' | |
| secret_prefix: 'SNYK' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
| parse_json: true | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-babylon-wallet-ios-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'snyk_sbom' | |
| secret_prefix: WALLET | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-ios/secret-vTE3y0' | |
| parse_json: true | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-babylon-wallet-ios-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'unit_test' | |
| secret_prefix: 'SWIFT_ENGINE_TOOLKIT_SSH_KEY' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-ios/swift-ssh-dLcxg6' | |
| parse_json: true | |
| - uses: RDXWorks-actions/ssh-agent@master | |
| with: | |
| ssh-private-key: | | |
| ${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} | |
| - name: Install snyk | |
| run: | | |
| npm install snyk -g | |
| snyk -v | |
| snyk auth ${{ env.SNYK_TOKEN }} | |
| - name: Generate SBOM # check SBOM can be generated but nothing is done with it | |
| run: | | |
| snyk sbom --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json | |
| linting: | |
| name: "Linting" | |
| if: > | |
| ( github.event.action == 'opened' && github.event.pull_request.draft == false ) || | |
| ( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || | |
| ( github.event.action == 'ready_for_review' ) || | |
| ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) | |
| runs-on: macos-15-xlarge | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - name: "Run Lint" | |
| run: | | |
| brew update | |
| brew upgrade swiftformat | |
| swiftformat . --lint | |
| unit_test: | |
| if: > | |
| ( github.event.action == 'opened' && github.event.pull_request.draft == false ) || | |
| ( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || | |
| ( github.event.action == 'ready_for_review' ) || | |
| ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) | |
| permissions: | |
| id-token: write | |
| contents: read | |
| checks: write | |
| name: "Unit test" | |
| runs-on: macos-15-xlarge | |
| timeout-minutes: 20 | |
| needs: | |
| - linting | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-babylon-wallet-ios-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'babylon-wallet-ios-wallet-secrets' | |
| secret_prefix: WALLET | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-ios/secret-vTE3y0' | |
| parse_json: true | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-babylon-wallet-ios-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'babylon-wallet-ios-fastlane-repo-ssh' | |
| secret_prefix: FASTLANE_MATCH_REPO_SSH_KEY | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-ios/fastlane-ssh-OKSWFa' | |
| parse_json: true | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-babylon-wallet-ios-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'babylon-wallet-ios-swift-engine-toolkit-ssh' | |
| secret_prefix: SWIFT_ENGINE_TOOLKIT_SSH_KEY | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-ios/swift-ssh-dLcxg6' | |
| parse_json: true | |
| - uses: RDXWorks-actions/ssh-agent@master | |
| with: | |
| ssh-private-key: | | |
| ${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} | |
| ${{ env.FASTLANE_MATCH_REPO_SSH_KEY }} | |
| - uses: RDXWorks-actions/setup-xcode@master | |
| with: | |
| xcode-version: "16.0.0" | |
| - name: "Set up ruby" | |
| uses: RDXWorks-actions/setup-ruby@master | |
| with: | |
| ruby-version: 3.1.2 | |
| bundler-cache: true | |
| - name: "Install additional deps" | |
| run: | | |
| echo "${{ env.WALLET_FASTLANE_SECRETS_BASE64 }}" | base64 --decode > fastlane/.env.secret | |
| brew install xcbeautify | |
| - name: "Unit tests" | |
| run: | | |
| defaults write com.apple.dt.Xcode IDESkipMacroFingerprintValidation -bool YES | |
| bundle exec fastlane tests | |
| - name: Upload results | |
| uses: RDXWorks-actions/xcresulttool-xcode16@v1.8.0 | |
| with: | |
| path: build/test_output/results.xcresult | |
| show-passed-tests: false | |
| show-code-coverage: true | |
| if: success() || failure() | |
| snyk_online_monitor: | |
| permissions: | |
| id-token: write | |
| contents: read | |
| name: "Snyk monitoring" | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| needs: | |
| - unit_test | |
| - snyk_scan | |
| - snyk_sbom | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - uses: RDXWorks-actions/setup-node@main | |
| with: | |
| node-version: '14' | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'snyk_online_monitor' | |
| secret_prefix: 'SNYK' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
| parse_json: true | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-babylon-wallet-ios-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'snyk_online_monitor' | |
| secret_prefix: WALLET | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-ios/secret-vTE3y0' | |
| parse_json: true | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-babylon-wallet-ios-secrets-read-access' | |
| app_name: 'babylon-wallet-ios' | |
| step_name: 'unit_test' | |
| secret_prefix: 'SWIFT_ENGINE_TOOLKIT_SSH_KEY' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/babylon-wallet-ios/swift-ssh-dLcxg6' | |
| parse_json: true | |
| - uses: RDXWorks-actions/ssh-agent@master | |
| with: | |
| ssh-private-key: | | |
| ${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} | |
| - name: Install snyk | |
| run: | | |
| npm install snyk -g | |
| snyk -v | |
| snyk auth ${{ env.SNYK_TOKEN }} | |
| - name: Enable Snyk online monitoring to check for vulnerabilities | |
| run: | | |
| snyk monitor --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} | |
| # snapshot_tests: | |
| # name: "Snapshot tests" | |
| # runs-on: macos-12 | |
| # needs: | |
| # - assertFormated | |
| # steps: | |
| # - uses: RDXWorks-actions/checkout@main | |
| # - name: "Run snapshot tests" | |
| # run: echo "Runing snapshot tests" # JUST A PLACEHOLDER, NEEDS TO BE REPLACED | |
| # ui_tests: | |
| # name: "UI tests" | |
| # runs-on: macos-12 | |
| # needs: | |
| # - assertFormated | |
| # steps: | |
| # - uses: RDXWorks-actions/checkout@main | |
| # - name: "Run UI tests" | |
| # run: echo "Runing UI tests" # JUST A PLACEHOLDER, NEEDS TO BE REPLACED |