diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e5d53ed6b..c5bb4f875 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -100,11 +100,11 @@ jobs:
       - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
         with:
-          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-dapps-monorepo-secrets-read-access'
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'dashboard'
           step_name: 'build'
           secret_prefix: 'GH'
-          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/dapps-monorepo/dashboard/sonar-token-uQM7l6'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD'
           parse_json: true
       - name: SonarCloud Scan
@@ -288,13 +288,21 @@ jobs:
       - push-dashboard
       - push-storybook
     steps:
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
+          app_name: 'dashboard'
+          step_name: 'snyk-monitor'
+          secret_prefix: 'SNY'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
+          parse_json: true
       - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
         with:
           role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'dashboard'
           dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials'
           snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
-          snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
+          snyk_org_id: ${{ env.SNY_ORG_ID }}
           image: docker.io/radixdlt/dapps-dashboard:${{ needs.setup-tags.outputs.tag-with-network }}
           target_ref: ${{ github.ref_name }}
diff --git a/.github/workflows/console-ci.yaml b/.github/workflows/console-ci.yaml
index e55ce0f44..1d32e3c11 100644
--- a/.github/workflows/console-ci.yaml
+++ b/.github/workflows/console-ci.yaml
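Review bot: `snyk_org_id: ${{ env.SNY_ORG_ID }}` only resolves if the new fetch-secrets step exports a job-level env var of exactly that name from the parsed `snyk-credentials-rXRpuX` JSON (prefix `SNY` plus a key presumably named `ORG_ID`); nothing in the hunk shows that key, so if the action exports a different name the monitor step silently receives an empty org id. The same substitution in console-ci.yaml (`@@ -252`) has the same dependency, while sandbox-ci.yaml (`@@ -286`) instead writes `snyk_org_id: ${{ secrets.SNY_ORG_ID }}`, a repository secret that nothing else in this commit defines; that looks like a slip for the `env.` form used in the other two files, and one of them should change so all three agree. Note also that the added step pulls the same `snyk-credentials-rXRpuX` secret the monitor step already reads via `snyk_secret_name`, so the org id now sits in the job environment for every later step; unlike `secrets.*`, values written to the job env are not masked in logs unless the exporting action masks them, which is worth confirming before relying on it.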
@@ -252,13 +252,21 @@ jobs:
       - setup-tags
       - push-console
     steps:
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
+          app_name: 'console'
+          step_name: 'snyk-monitor'
+          secret_prefix: 'SNY'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
+          parse_json: true
       - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
         with:
           role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'console'
           dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials'
           snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
-          snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
+          snyk_org_id: ${{ env.SNY_ORG_ID }}
           image: docker.io/radixdlt/dapps-console:${{ needs.setup-tags.outputs.tag-with-network }}
           target_ref: ${{ github.ref_name }}
@@ -277,11 +285,11 @@ jobs:
           node-version: 20.3.0
       - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
         with:
-          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-dapps-monorepo-secrets-read-access'
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'console'
           step_name: 'sonar'
           secret_prefix: 'GH'
-          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/dapps-monorepo/console/sonar-token-xXTI1Y'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/sonar-token-CgrUGD'
           parse_json: true
       - name: SonarCloud Scan
         uses: RDXWorks-actions/sonarcloud-github-action@master
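Review bot: In the `@@ -277` hunk the move from the repo-scoped `gh-dapps-monorepo-secrets-read-access` role and the per-app `console/sonar-token-xXTI1Y` secret to the shared `gh-common-secrets-read-access` role and `common/sonar-token-CgrUGD` widens what this job is able to read, and nothing in the workflow records why; the ci.yaml hunk at `@@ -100` makes the identical change for the dashboard build. A one-line comment above the fetch-secrets step would stop the next reader from treating it as an accident, e.g. `# Sonar token is shared across the dApps; read via the common secrets role, which is broader than the old per-repo role`. Since any step in this job can now assume that role, it is worth confirming the role's policy is limited to the secrets CI actually needs rather than everything under the `common/` prefix.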
diff --git a/.github/workflows/phylum-daily-analysis.yaml b/.github/workflows/phylum-daily-analysis.yaml
index 9c1c30d2d..1698c2346 100644
--- a/.github/workflows/phylum-daily-analysis.yaml
+++ b/.github/workflows/phylum-daily-analysis.yaml
@@ -7,7 +7,6 @@ on:
 env:
-  PHYLUM_PROJECT_ID: 70969afc-325a-413c-8001-2092940e0d7d
   DEFAULT_BRANCH: main
   PHYLUM_GROUP_NAME: dApp-engineering
   PHYLUM_NAME: dapps-monorepo
@@ -15,6 +14,7 @@ jobs:
   phylum_analyze:
     name: Analyze dependencies with Phylum
     permissions:
+      id-token: write
       contents: read
       pull-requests: write
     runs-on: ubuntu-latest
@@ -26,6 +26,14 @@ jobs:
       - uses: RDXWorks-actions/setup-python@main
         with:
           python-version: 3.10.6
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
+          app_name: 'dapps'
+          step_name: 'phylum'
+          secret_prefix: 'GH'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/phylum-credentials-4koyXP'
+          parse_json: true
       - name: Install Phylum
         run: |
           curl https://sh.phylum.io/ | sh -s -- --yes
@@ -33,7 +41,7 @@ jobs:
           echo "$HOME/.local/bin" >> $GITHUB_PATH
       - name: Run Phylum Analysis
         env:
-          PHYLUM_API_KEY: ${{ secrets.PHYLUM_API_KEY }}
+          PHYLUM_API_KEY: ${{ env.GH_PHYLUM_API_KEY }}
         run: |
           phylum analyze --quiet --label ${DEFAULT_BRANCH}_branch_daily_schedule > /dev/null 2>&1 || exit_code=$?
           if [ $exit_code -eq 100 ]; then
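Review bot: In the `@@ -26` hunk the new fetch-secrets step is placed before `Install Phylum`, which pipes `curl https://sh.phylum.io/` straight into `sh`; since the fetched values are consumed later as `env.GH_PHYLUM_API_KEY` (and, presumably, the Slack webhook read in the last hunk), they are already in the job environment when that remotely fetched installer runs. Moving the eight added lines to just before `Run Phylum Analysis`, after the install step, keeps the API key out of the environment of code the repository does not control, at no cost to the analysis. `app_name: 'dapps'` also differs from the per-app names used in the other workflows (`'dashboard'`, `'console'`, `'sandbox'`); if the value only labels the role session it is harmless, but a short comment saying so would help. The `id-token: write` added in the `@@ -15` hunk is what the role assumption needs and looks correct.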
@@ -52,6 +60,6 @@ jobs:
           notify_when: 'failure'
           notification_title: ':clock3: Phylum Scheduled Daily Analysis:'
           message_format: 'Automatic phylum analysis has found vulnerabilities on ${{ env.PHYLUM_NAME }} :boom:'
-          footer: "Linked Repository <{repo_url}|{repo}> | "
+          footer: "Linked Repository <{repo_url}|{repo}> | "
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_DAPP_ENGINEERING_WEBHOOK }}
\ No newline at end of file
+          SLACK_WEBHOOK_URL: ${{ env.GH_DAPP_ENGINEERING_PHYLUM_SLACK_CHANNEL_WEBHOOK }}
\ No newline at end of file
diff --git a/.github/workflows/sandbox-ci.yaml b/.github/workflows/sandbox-ci.yaml
index 46b386853..123582e54 100644
--- a/.github/workflows/sandbox-ci.yaml
+++ b/.github/workflows/sandbox-ci.yaml
@@ -286,15 +286,21 @@ jobs:
       contents: read
       deployments: write
     steps:
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
+          app_name: 'sandbox'
+          step_name: 'snyk-monitor'
+          secret_prefix: 'SNY'
+          secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
+          parse_json: true
       - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
         with:
           role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
           app_name: 'sandbox'
-          step_name: 'snyk-container-monitor'
           dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials'
           snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
-          parse_json: true
-          snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
+          snyk_org_id: ${{ secrets.SNY_ORG_ID }}
           image: docker.io/radixdlt/dapps-sandbox:${{ needs.setup-build-args.outputs.tag_with_network }}
           target_ref: ${{ github.ref_name }}
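Review bot: In the `@@ -52` hunk the rewritten last line still carries `\ No newline at end of file`; ending the file with a newline avoids this line showing up in every future diff and is what yamllint expects. `SLACK_WEBHOOK_URL` now comes from `env.GH_DAPP_ENGINEERING_PHYLUM_SLACK_CHANNEL_WEBHOOK`, which implies the webhook is a key inside the `phylum-credentials-4koyXP` JSON exported by the earlier fetch-secrets step; unlike `secrets.*`, a value placed in the job env is not masked in logs unless the exporting action masks it, so that is worth confirming before a webhook URL is routed this way. The `footer` line shows no visible difference in the old and new text, so that change is presumably whitespace only.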