Skip to content

ci: add phylum analysis job #731

ci: add phylum analysis job

ci: add phylum analysis job #731

Workflow file for this run

name: Build & Test
on:
push:
branches: ['**']
workflow_dispatch:
jobs:
phylum_analyze:

Check failure on line 9 in .github/workflows/build.yml

View workflow run for this annotation

GitHub Actions / Build & Test

Invalid workflow file

The workflow is not valid. .github/workflows/build.yml (Line: 9, Col: 3): Error calling workflow 'radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main'. The nested job 'phylum_analyze' is requesting 'pull-requests: write, id-token: write', but is only allowed 'pull-requests: none, id-token: none'.
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
secrets:
phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
snyk_scan_deps_licences:
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'connector-extension'
step_name: 'snyk-scan-deps-licenses'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Run Snyk to check for deps vulnerabilities
uses: RDXWorks-actions/snyk-actions/node@master
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical
snyk_scan_code:
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'connector-extension'
step_name: 'snyk-scan-code'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Run Snyk to check for code vulnerabilities
uses: RDXWorks-actions/snyk-actions/node@master
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
command: code test
snyk_sbom:
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
needs:
- snyk_scan_deps_licences
- snyk_scan_code
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'connector-extension'
step_name: 'snyk-sbom'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Generate SBOM # check SBOM can be generated but nothing is done with it
uses: RDXWorks-actions/snyk-actions/node@master
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
command: sbom
build:
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
- name: Use Node.js
uses: RDXWorks-actions/setup-node@main
with:
node-version: '18.17.0'
- name: Install dependencies
run: npm ci
- name: Build extension
env:
VITE_GITHUB_REF_NAME: ${{ github.ref_name }}
run: npm run build
- uses: RDXWorks-actions/upload-artifact@main
with:
name: connector-extension.${{ github.sha }}
path: dist/
- name: Build extension with dev tools
run: npm run build
env:
VITE_DEV_TOOLS: true
VITE_GITHUB_REF_NAME: ${{ github.ref_name }}
- uses: RDXWorks-actions/upload-artifact@main
with:
name: connector-extension-with-dev-tools.${{ github.sha }}
path: dist/
- name: Running lint
run: npm run lint
- name: Running unit tests
run: npm run test
- name: SonarCloud Scan
uses: RDXWorks-actions/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
snyk_monitor:
runs-on: ubuntu-latest
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
needs:
- build
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'connector-extension'
step_name: 'snyk-monitor'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Enable Snyk online monitoring to check for vulnerabilities
uses: RDXWorks-actions/snyk-actions/node@master
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
command: monitor