fix: account's nft filtering #323

Workflow file for this run

.github/workflows/sandbox-ci.yaml at 50d4f26

	name: Sandbox CI/CD

	on:
	push:
	paths-ignore:
	- 'apps/console/**'
	- 'deploy/helm/console/**'
	- ".github/workflows/console-ci.yaml"
	- 'apps/dashboard/**'
	- 'packages/ui/**'
	- 'deploy/helm/dashboard/**'
	- ".github/workflows/ci.yaml"
	branches:
	- main
	pull_request:
	paths-ignore:
	- 'apps/console/**'
	- 'deploy/helm/console/**'
	- 'packages/ui/**'
	- ".github/workflows/console-ci.yaml"
	- 'apps/dashboard/**'
	- 'deploy/helm/dashboard/**'
	- ".github/workflows/ci.yaml"
	branches:
	- main
	release:
	types:
	- prereleased
	- released

	workflow_dispatch:
	inputs:
	ENVIRONMENT_NAME:
	description: 'Environment Name'
	required: true
	default: enkinet
	type: choice
	options:
	- enkinet


	env:
	prerelease_network: 'Stokenet'
	release_network: 'Mainnet'
	jenkins_job_name: 'kubernetes-deployments/job/dapps-sandbox'
	helm_dir: 'deploy/helm/sandbox'
	dev_eks_cluster: 'rdx-works-main-dev'
	prod_eks_cluster: 'rtlj-prod'

	permissions:
	id-token: write
	pull-requests: write
	contents: read
	deployments: write
	packages: write

	jobs:
	trigger:
	name: Check trigger
	if: >
	( github.event.action == 'prereleased' && contains( github.event.release.tag_name, 'sandbox') ) \|\|
	( github.event.action == 'released' && github.event.release.prerelease && contains( github.event.release.tag_name, 'sandbox') ) \|\|
	( github.event_name == 'workflow_dispatch' ) \|\|
	( github.ref == 'refs/heads/main' && github.event_name == 'push' ) \|\|
	( github.event_name == 'pull_request' )
	runs-on: ubuntu-latest
	steps:
	- name: Dump context
	uses: RDXWorks-actions/ghaction-dump-context@master
	- name: Info
	run: \|
	echo "This is triggered by ${{ github.event_name }}." >> $GITHUB_STEP_SUMMARY
	echo "Github action is ${{ github.event.action }}." >> $GITHUB_STEP_SUMMARY

	snyk-scan-deps-licences:
	runs-on: ubuntu-latest
	needs:
	- trigger
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'sandbox'
	step_name: 'snyk-scan-deps-licenses'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Run Snyk to check for deps vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical

	snyk-scan-code:
	runs-on: ubuntu-latest
	needs:
	- trigger
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'sandbox'
	step_name: 'snyk-scan-code'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Run Snyk to check for code vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	continue-on-error: true # temporary until code fix
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
	command: code test

	snyk-sbom:
	runs-on: ubuntu-latest
	permissions: write-all
	needs:
	- snyk-scan-deps-licences
	- snyk-scan-code
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'sandbox'
	step_name: 'snyk-sbom'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Generate SBOM # check SBOM can be generated but nothing is done with it
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
	command: sbom
	- name: Upload SBOM
	if: github.event_name == 'release'
	uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a
	with:
	files: sbom.json
	repo-token: ${{ secrets.GITHUB_TOKEN }}
	release-tag: ${{ github.event.release.tag_name }}

	build:
	runs-on: ubuntu-latest
	needs:
	- trigger
	- snyk-scan-deps-licences
	- snyk-scan-code
	steps:
	- uses: RDXWorks-actions/checkout@main

	- name: Use Node.js
	uses: RDXWorks-actions/setup-node@main
	with:
	node-version: '18.x'

	- name: Install dependencies
	run: npm ci

	- name: Build
	run: npx turbo run build:prod --filter=sandbox

	- name: Dump context
	uses: RDXWorks-actions/ghaction-dump-context@master

	setup-build-args:
	runs-on: ubuntu-latest
	needs:
	- trigger
	name: Setup build argument values for docker
	outputs:
	network: ${{ steps.network_name_step.outputs.network_name }}
	is_public: ${{ steps.network_name_step.outputs.is_public }}
	tag_with_network: ${{ steps.tag-with-network.outputs.tag-with-network }}
	steps:
	- uses: RDXWorks-actions/checkout@main
	- name: Dump context
	uses: RDXWorks-actions/ghaction-dump-context@master
	- name: Define network name
	id: network_name_step
	run: \|
	if [ "${{ github.event.action }}" = "released" ]; then
	echo "is_public=true" >> $GITHUB_OUTPUT
	echo "network_name=${{ env.release_network }}" >> $GITHUB_OUTPUT
	elif [ "${{ github.event.action }}" = "prereleased" ]; then
	echo "is_public=true" >> $GITHUB_OUTPUT
	echo "network_name=${{ env.prerelease_network }}" >> $GITHUB_OUTPUT
	else
	echo "is_public=false" >> $GITHUB_OUTPUT
	echo "network_name=${{ env.prerelease_network }}" >> $GITHUB_OUTPUT
	fi
	- id: tag-with-network
	run: \|
	echo "tag-with-network=${{ github.sha }}-${{ steps.network_name_step.outputs.network_name }}" >> $GITHUB_OUTPUT
	- name: Output tag value to job summary
	run: \|
	echo "network-name=${{ steps.network_name_step.outputs.network_name }}" >> $GITHUB_STEP_SUMMARY
	echo "docker-tag=${{ github.sha }}-${{ steps.network_name_step.outputs.network_name }}" >> $GITHUB_STEP_SUMMARY

	push-sandbox:
	name: (PRIVATE) Docker AMD
	needs:
	- build
	- setup-build-args
	uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
	with:
	runs_on: ubuntu-latest
	image_registry: 'docker.io'
	image_organization: 'radixdlt'
	target: 'sandbox'
	image_name: 'dapps-sandbox'
	tag: ${{ needs.setup-build-args.outputs.tag_with_network }}
	tags: \|
	type=semver,pattern={{version}}
	context: './'
	dockerfile: './Dockerfile'
	platforms: 'linux/amd64'
	scan_image: true
	snyk_target_ref: ${{ github.ref_name }}
	build-args: \|
	NETWORK_NAME=${{needs.setup-build-args.outputs.network}}
	IS_PUBLIC=${{needs.setup-build-args.outputs.is_public}}

	snyk-monitor:
	runs-on: ubuntu-latest
	if: github.event_name == 'push' && (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/develop')
	needs:
	- push-sandbox
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'sandbox'
	step_name: 'snyk-monitor'
	secret_prefix: 'SNYK'
	secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	- name: Enable Snyk online monitoring to check for vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
	command: monitor

	snyk-container-monitor:
	runs-on: ubuntu-latest
	if: github.event_name == 'push' && (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/develop')
	needs:
	- build
	- setup-build-args
	- push-sandbox
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
	with:
	role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
	app_name: 'sandbox'
	step_name: 'snyk-container-monitor'
	dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials'
	snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
	parse_json: true
	snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
	image: docker.io/radixdlt/dapps-sandbox:${{ needs.setup-build-args.outputs.tag_with_network }}
	target_ref: ${{ github.ref_name }}

	deploy_pull_request:
	if: ${{ github.event.pull_request }}
	runs-on: ubuntu-latest
	needs:
	- push-sandbox
	- setup-build-args
	- build
	steps:
	- name: Trigger ansible job to deploy PR
	uses: RDXWorks-actions/jenkins-job-trigger-action@master
	with:
	jenkins_url: ${{ secrets.JENKINS_URL }}
	jenkins_user: radixbot
	jenkins_token: ${{ secrets.GH_JENKINS_API_TOKEN }}
	job_name: ${{ env.jenkins_job_name }}
	job_params: \|
	{
	"git_repo" : "${{ github.repository }}",
	"git_branch" : "${{ github.head_ref }}",
	"helmfile_environment": "pr",
	"hierarchical_namespace": "dapps-sandbox-ci-pr",
	"namespace" : "dapps-sandbox-pr-${{ github.event.number }}",
	"create_subnamespace" : "true",
	"aws_region" : "eu-west-2",
	"aws_iam_role": "arn:aws:iam::${{ secrets.AWS_DEV_ACCOUNT_ID }}:role/jenkins-dapps-sandbox-pr-deployer",
	"aws_eks_cluster" : "${{ env.dev_eks_cluster }}",
	"helm_folder" : "${{ env.helm_dir }}",
	"helmfile_extra_vars" : "ci.tag=${{ needs.setup-build-args.outputs.tag_with_network }},ci.prNumber=${{ github.event.number }}"
	}
	job_timeout: "3600"
	fetch_logs: "false"
	- name: Write URL to GH summary
	run: \|
	echo "PR URL is: https://sandbox-pr-${{ github.event.number }}.rdx-works-main.extratools.works" >> $GITHUB_STEP_SUMMARY

	deploy_dev:
	if: github.ref == 'refs/heads/main' && github.event_name == 'push'
	runs-on: ubuntu-latest
	needs:
	- push-sandbox
	- setup-build-args
	- build
	steps:
	- name: Trigger ansible job to deploy dev
	uses: RDXWorks-actions/jenkins-job-trigger-action@master
	with:
	jenkins_url: ${{ secrets.JENKINS_URL }}
	jenkins_user: radixbot
	jenkins_token: ${{ secrets.GH_JENKINS_API_TOKEN }}
	job_name: ${{ env.jenkins_job_name }}
	job_params: \|
	{
	"git_repo" : "${{ github.repository }}",
	"git_branch" : "${{ github.ref }}",
	"helmfile_environment": "dev",
	"namespace" : "dapps-sandbox-dev",
	"aws_region" : "eu-west-2",
	"aws_iam_role": "arn:aws:iam::${{ secrets.AWS_DEV_ACCOUNT_ID }}:role/jenkins-dapps-sandbox-dev-deployer",
	"aws_eks_cluster" : "${{ env.dev_eks_cluster }}",
	"helm_folder" : "${{ env.helm_dir }}",
	"helmfile_extra_vars" : "ci.tag=${{ needs.setup-build-args.outputs.tag_with_network }}"
	}
	job_timeout: "3600"
	fetch_logs: "false"

	deploy_stokenet:
	if: github.event_name == 'release' && github.event.action == 'prereleased'
	runs-on: ubuntu-latest
	environment: sandbox-stokenet
	needs:
	- push-sandbox
	- setup-build-args
	- build
	steps:
	- name: Trigger ansible job to deploy stokenet
	uses: RDXWorks-actions/jenkins-job-trigger-action@master
	with:
	jenkins_url: ${{ secrets.JENKINS_URL }}
	jenkins_user: radixbot
	jenkins_token: ${{ secrets.GH_JENKINS_API_TOKEN }}
	job_name: ${{ env.jenkins_job_name }}
	job_params: \|
	{
	"git_repo" : "${{ github.repository }}",
	"git_branch" : "${{ github.ref }}",
	"helmfile_environment": "stokenet",
	"namespace" : "dapps-sandbox-stokenet",
	"aws_region" : "eu-west-2",
	"aws_iam_role": "arn:aws:iam::${{ secrets.AWS_PROD_ACCOUNT_ID }}:role/jenkins-dapps-sandbox-stokenet-deployer",
	"aws_eks_cluster" : "${{ env.prod_eks_cluster }}",
	"helm_folder" : "${{ env.helm_dir }}",
	"helmfile_extra_vars" : "ci.tag=${{ needs.setup-build-args.outputs.tag_with_network }}"
	}
	job_timeout: "3600"
	fetch_logs: "false"

	deploy_mainnet:
	if: github.event_name == 'release' && github.event.action == 'released'
	runs-on: ubuntu-latest
	environment: sandbox-mainnet
	needs:
	- push-sandbox
	- setup-build-args
	- build
	steps:
	- name: Trigger ansible job to deploy mainnet
	uses: RDXWorks-actions/jenkins-job-trigger-action@master
	with:
	jenkins_url: ${{ secrets.JENKINS_URL }}
	jenkins_user: radixbot
	jenkins_token: ${{ secrets.GH_JENKINS_API_TOKEN }}
	job_name: ${{ env.jenkins_job_name }}
	job_params: \|
	{
	"git_repo" : "${{ github.repository }}",
	"git_branch" : "${{ github.ref }}",
	"helmfile_environment": "mainnet",
	"namespace" : "dapps-sandbox-mainnet",
	"aws_region" : "eu-west-2",
	"aws_iam_role": "arn:aws:iam::${{ secrets.AWS_PROD_ACCOUNT_ID }}:role/jenkins-dapps-sandbox-mainnet-deployer",
	"aws_eks_cluster" : "${{ env.prod_eks_cluster }}",
	"helm_folder" : "${{ env.helm_dir }}",
	"helmfile_extra_vars" : "ci.tag=${{ needs.setup-build-args.outputs.tag_with_network }}"
	}
	job_timeout: "3600"
	fetch_logs: "false"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: account's nft filtering #323

Workflow file

fix: account's nft filtering #323

Jobs

Run details

Workflow file for this run