ci: restore snyk sbom (#1060)

radixdlt · Mar 26, 2024 · 6c40d84 · 6c40d84
1 parent 9b5ff6f
commit 6c40d84
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 86 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -52,58 +52,58 @@ jobs:
         run: |
           timeout 300 snyk code test --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=high || [ "$?" = "124" ]
 
-#  snyk_sbom:
-#    if: >
-#      ( github.event.action == 'opened' && github.event.pull_request.draft == false ) ||
-#      ( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) ||
-#      ( github.event.action == 'ready_for_review' ) ||
-#      ( github.event_name == 'push' && github.ref == 'refs/heads/main' )
-#    permissions:
-#      id-token: write
-#      contents: read
-#    name: "Snyk SBOM"
-#    runs-on: ubuntu-latest
-#    steps:
-#      - uses: RDXWorks-actions/checkout@main
-#      - uses: RDXWorks-actions/setup-node@main
-#        with:
-#          node-version: '14'
-#      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-#        with:
-#          role_name: ${{ secrets.GH_COMMON_SECRETS_READ_ACCESS }}
-#          app_name: 'babylon-wallet-ios'
-#          step_name: 'snyk_sbom'
-#          secret_prefix: 'SNYK'
-#          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-#          parse_json: true
-#      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-#        with:
-#          role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }}
-#          app_name: 'babylon-wallet-ios'
-#          step_name: 'snyk_sbom'
-#          secret_prefix: 'WALLET'
-#          secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET }}
-#          parse_json: true
-#      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-#        with:
-#          role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }}
-#          app_name: 'babylon-wallet-ios'
-#          step_name: 'unit_test'
-#          secret_prefix: 'SWIFT_ENGINE_TOOLKIT_SSH_KEY'
-#          secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET_SWIFT_SSH }}
-#          parse_json: true
-#      - uses: RDXWorks-actions/ssh-agent@master
-#        with:
-#          ssh-private-key: |
-#            ${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }}
-#      - name: Install snyk
-#        run: |
-#          npm install snyk -g
-#          snyk -v
-#          snyk auth ${{ env.SNYK_TOKEN }}
-#      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
-#        run: |
-#          snyk sbom --debug --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
+  snyk_sbom:
+    if: >
+      ( github.event.action == 'opened' && github.event.pull_request.draft == false ) ||
+      ( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) ||
+      ( github.event.action == 'ready_for_review' ) ||
+      ( github.event_name == 'push' && github.ref == 'refs/heads/main' )
+    permissions:
+      id-token: write
+      contents: read
+    name: "Snyk SBOM"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: RDXWorks-actions/checkout@main
+      - uses: RDXWorks-actions/setup-node@main
+        with:
+          node-version: '14'
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: ${{ secrets.GH_COMMON_SECRETS_READ_ACCESS }}
+          app_name: 'babylon-wallet-ios'
+          step_name: 'snyk_sbom'
+          secret_prefix: 'SNYK'
+          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+          parse_json: true
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }}
+          app_name: 'babylon-wallet-ios'
+          step_name: 'snyk_sbom'
+          secret_prefix: 'WALLET'
+          secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET }}
+          parse_json: true
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }}
+          app_name: 'babylon-wallet-ios'
+          step_name: 'unit_test'
+          secret_prefix: 'SWIFT_ENGINE_TOOLKIT_SSH_KEY'
+          secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET_SWIFT_SSH }}
+          parse_json: true
+      - uses: RDXWorks-actions/ssh-agent@master
+        with:
+          ssh-private-key: |
+            ${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }}
+      - name: Install snyk
+        run: |
+          npm install snyk -g
+          snyk -v
+          snyk auth ${{ env.SNYK_TOKEN }}
+      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
+        run: |
+          snyk sbom --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
 
   linting:
     name: "Linting"
@@ -210,7 +210,7 @@ jobs:
     needs:
       - unit_test
       - snyk_scan
-      #- snyk_sbom
+      - snyk_sbom
     steps:
       - uses: RDXWorks-actions/checkout@main
       - uses: RDXWorks-actions/setup-node@main

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,33 +1,33 @@
-#name: Release
-#
-#on:
-#  release:
-#    types:
-#      - "published"
-#
-#jobs:
-#
-#  publish_sbom:
-#    runs-on: ubuntu-latest
-#    steps:
-#      - uses: RDXWorks-actions/checkout@main
-#      - uses: RDXWorks-actions/setup-node@main
-#        with:
-#          node-version: '14'
-#      - uses: RDXWorks-actions/ssh-agent@master
-#        with:
-#          ssh-private-key: |
-#            ${{ secrets.SWIFT_ENGINE_TOOLKIT_SSH_KEY }}
-#      - name: Install snyk
-#        run: |
-#          npm install snyk -g
-#          snyk -v
-#          snyk auth ${{ secrets.SNYK_TOKEN }}
-#      - name: Generate SBOM
-#        run: |
-#          snyk sbom --all-projects --org=${{ secrets.SNYK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
-#      - name: Upload SBOM
-#        uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a
-#        with:
-#          files: sbom.json
-#          repo-token: ${{ secrets.GITHUB_TOKEN }}
+name: Release
+
+on:
+  release:
+    types:
+      - "published"
+
+jobs:
+
+  publish_sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: RDXWorks-actions/checkout@main
+      - uses: RDXWorks-actions/setup-node@main
+        with:
+          node-version: '14'
+      - uses: RDXWorks-actions/ssh-agent@master
+        with:
+          ssh-private-key: |
+            ${{ secrets.SWIFT_ENGINE_TOOLKIT_SSH_KEY }}
+      - name: Install snyk
+        run: |
+          npm install snyk -g
+          snyk -v
+          snyk auth ${{ secrets.SNYK_TOKEN }}
+      - name: Generate SBOM
+        run: |
+          snyk sbom --all-projects --org=${{ secrets.SNYK_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
+      - name: Upload SBOM
+        uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a
+        with:
+          files: sbom.json
+          repo-token: ${{ secrets.GITHUB_TOKEN }}