ci: use phylum AWS secret part I (#1009)
duje-begonja-rdx authored Nov 22, 2024
1 parent 3cb8041 commit dcc0220
Showing 4 changed files with 43 additions and 13 deletions.
14 changes: 11 additions & 3 deletions .github/workflows/ci.yaml
Expand Up @@ -100,11 +100,11 @@ jobs:

- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-dapps-monorepo-secrets-read-access'
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'dashboard'
step_name: 'build'
secret_prefix: 'GH'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/dapps-monorepo/dashboard/sonar-token-uQM7l6'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD'
parse_json: true

- name: SonarCloud Scan
Expand Down Expand Up @@ -288,13 +288,21 @@ jobs:
- push-dashboard
- push-storybook
steps:
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'dashboard'
step_name: 'snyk-monitor'
secret_prefix: 'SNY'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'dashboard'
dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials'
snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
snyk_org_id: ${{ env.SNY_ORG_ID }}
image: docker.io/radixdlt/dapps-dashboard:${{ needs.setup-tags.outputs.tag-with-network }}
target_ref: ${{ github.ref_name }}

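Review bot: The fetch-secrets step added ahead of snyk-container-monitor in the snyk-monitor hunk retrieves snyk-credentials-rXRpuX a second time, since the monitor step already receives the same ARN in `snyk_secret_name`; its only visible purpose is to make `${{ env.SNY_ORG_ID }}` resolvable. Assuming fetch-secrets with `parse_json: true` exports every field of the parsed JSON to GITHUB_ENV, the whole Snyk credential, not just the org id, becomes visible to every later step in the job, so it is worth confirming that the action masks those values, or that the monitor action can take the org id from the secret it already fetches, in which case the extra step can be dropped. The same pattern is added in console-ci.yaml and sandbox-ci.yaml. Separately, both hunks replace the repo-scoped gh-dapps-monorepo-secrets-read-access role with gh-common-secrets-read-access, which widens what any job in this repository holding id-token: write can read; a short comment above the step would help the next reviewer, e.g. `# shared role: the sonar and snyk tokens live under github-actions/common`. The job these steps belong to starts above the hunk.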
14 changes: 11 additions & 3 deletions .github/workflows/console-ci.yaml
Expand Up @@ -252,13 +252,21 @@ jobs:
- setup-tags
- push-console
steps:
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'console'
step_name: 'snyk-monitor'
secret_prefix: 'SNY'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'console'
dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials'
snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
snyk_org_id: ${{ env.SNY_ORG_ID }}
image: docker.io/radixdlt/dapps-console:${{ needs.setup-tags.outputs.tag-with-network }}
target_ref: ${{ github.ref_name }}

Expand All @@ -277,11 +285,11 @@ jobs:
node-version: 20.3.0
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-dapps-monorepo-secrets-read-access'
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'console'
step_name: 'sonar'
secret_prefix: 'GH'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/dapps-monorepo/console/sonar-token-xXTI1Y'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD'
parse_json: true
- name: SonarCloud Scan
uses: RDXWorks-actions/sonarcloud-github-action@master
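Review bot: Both reusable actions in the snyk-monitor hunk (`fetch-secrets@main` and `snyk-container-monitor@main`) are referenced by a mutable branch, and the new fetch-secrets step is the one that exercises the job's OIDC token to assume gh-common-secrets-read-access and handles the returned secret values; any push to that branch silently changes the code running in that position. Pinning to a full commit SHA with the moving ref in a trailing comment is the usual mitigation, e.g. `- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@<commit-sha>  # main`. The same `@main` references are added in ci.yaml, phylum-daily-analysis.yaml and sandbox-ci.yaml. The sonar hunk further down only swaps the role and secret ARN and raises nothing on its own; the job definition these steps belong to starts above the hunk.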
16 changes: 12 additions & 4 deletions .github/workflows/phylum-daily-analysis.yaml
Expand Up @@ -7,14 +7,14 @@ on:


env:
PHYLUM_PROJECT_ID: 70969afc-325a-413c-8001-2092940e0d7d
DEFAULT_BRANCH: main
PHYLUM_GROUP_NAME: dApp-engineering
PHYLUM_NAME: dapps-monorepo
jobs:
phylum_analyze:
name: Analyze dependencies with Phylum
permissions:
id-token: write
contents: read
pull-requests: write
runs-on: ubuntu-latest
Expand All @@ -26,14 +26,22 @@ jobs:
- uses: RDXWorks-actions/setup-python@main
with:
python-version: 3.10.6
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'dapps'
step_name: 'phylum'
secret_prefix: 'GH'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/phylum-credentials-4koyXP'
parse_json: true
- name: Install Phylum
run: |
curl https://sh.phylum.io/ | sh -s -- --yes
# Add the Python user base binary directory to PATH
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run Phylum Analysis
env:
PHYLUM_API_KEY: ${{ secrets.PHYLUM_API_KEY }}
PHYLUM_API_KEY: ${{ env.GH_PHYLUM_API_KEY }}
run: |
phylum analyze --quiet --label ${DEFAULT_BRANCH}_branch_daily_schedule > /dev/null 2>&1 || exit_code=$?
if [ $exit_code -eq 100 ]; then
Expand All @@ -52,6 +60,6 @@ jobs:
notify_when: 'failure'
notification_title: ':clock3: Phylum Scheduled Daily Analysis:'
message_format: 'Automatic phylum analysis has found vulnerabilities on ${{ env.PHYLUM_NAME }} :boom:'
footer: "Linked Repository <{repo_url}|{repo}> | <https://app.phylum.io/projects/${{ env.PHYLUM_PROJECT_ID }}?label=${{ env.DEFAULT_BRANCH }}_branch_daily_schedule&group=${{ env.PHYLUM_GROUP_NAME }}|View Report> "
footer: "Linked Repository <{repo_url}|{repo}> | <https://app.phylum.io/projects/${{ env.GH_DAPPS_MONOREPO_PHYLUM_PROJECT_ID }}?label=${{ env.DEFAULT_BRANCH }}_branch_daily_schedule&group=${{ env.PHYLUM_GROUP_NAME }}|View Report> "
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_DAPP_ENGINEERING_WEBHOOK }}
SLACK_WEBHOOK_URL: ${{ env.GH_DAPP_ENGINEERING_PHYLUM_SLACK_CHANNEL_WEBHOOK }}
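Review bot: The fetch-secrets step is inserted before `Install Phylum`, whose `curl https://sh.phylum.io/ | sh -s -- --yes` executes an unpinned remote installer; if fetch-secrets exports the parsed phylum-credentials JSON to GITHUB_ENV, as the later `${{ env.GH_PHYLUM_API_KEY }}` and `${{ env.GH_DAPP_ENGINEERING_PHYLUM_SLACK_CHANNEL_WEBHOOK }}` references suggest, the API key, project id and Slack webhook are already in the environment when that script runs. Moving the fetch-secrets step to just after `Install Phylum` keeps those values out of the installer's environment at no cost, since only `Run Phylum Analysis` and the notification step consume them. Values written to GITHUB_ENV are not masked in logs unless the action registers them with `::add-mask::`, which is worth confirming for the webhook URL in particular. Note too that the new `id-token: write` applies to the whole job, so every step including the installer can request an OIDC token; the `env:` block at the top of the file and the notification step both belong to definitions that extend beyond the hunks shown.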
12 changes: 9 additions & 3 deletions .github/workflows/sandbox-ci.yaml
Expand Up @@ -286,15 +286,21 @@ jobs:
contents: read
deployments: write
steps:
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'sandbox'
step_name: 'snyk-monitor'
secret_prefix: 'SNY'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'sandbox'
step_name: 'snyk-container-monitor'
dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials'
snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
snyk_org_id: ${{ secrets.SNY_ORG_ID }}
image: docker.io/radixdlt/dapps-sandbox:${{ needs.setup-build-args.outputs.tag_with_network }}
target_ref: ${{ github.ref_name }}

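Review bot: `snyk_org_id: ${{ secrets.SNY_ORG_ID }}` reads a repository secret, whereas ci.yaml and console-ci.yaml make the same change as `${{ env.SNY_ORG_ID }}`; with the new fetch-secrets step using `secret_prefix: 'SNY'` and `parse_json: true`, the value presumably arrives as an environment variable rather than a repository secret. Unless a repository secret literally named SNY_ORG_ID exists (the one being replaced here was SNYK_ORG_ID), the expression expands to an empty string with no error and the monitor runs with no organisation set. The line should read `snyk_org_id: ${{ env.SNY_ORG_ID }}`. The job these steps belong to starts above the hunk.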
