.github/workflows/build.yml

name: Build & Test

on:
  push:
    branches: ['**']
  workflow_dispatch:

jobs:
  snyk_scan_deps_licences:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'connector-extension'
          step_name: 'snyk-scan-deps-licenses'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for deps vulnerabilities
        uses: RDXWorks-actions/snyk-actions/node@master
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical

  snyk_scan_code:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'connector-extension'
          step_name: 'snyk-scan-code'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for code vulnerabilities
        uses: RDXWorks-actions/snyk-actions/node@master
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
          command: code test

  snyk_sbom:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    needs:
      - snyk_scan_deps_licences
      - snyk_scan_code
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'connector-extension'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
        uses: RDXWorks-actions/snyk-actions/node@master
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
          command: sbom

  build:
    runs-on: ubuntu-latest
    steps:
      - uses: RDXWorks-actions/checkout@main
      - name: Use Node.js
        uses: RDXWorks-actions/setup-node@main
        with:
          node-version: '18.17.0'

      - name: Install dependencies
        run: npm ci

      - name: Build extension
        env: 
          VITE_GITHUB_REF_NAME: ${{ github.ref_name }} 
        run: npm run build

      - uses: RDXWorks-actions/upload-artifact@main
        with:
          name: connector-extension.${{ github.sha }}
          path: dist/

      - name: Build extension with dev tools
        run: npm run build
        env:
          VITE_DEV_TOOLS: true
          VITE_GITHUB_REF_NAME: ${{ github.ref_name }} 

      - uses: RDXWorks-actions/upload-artifact@main
        with:
          name: connector-extension-with-dev-tools.${{ github.sha }}
          path: dist/

      - name: Running lint
        run: npm run lint

      - name: Running unit tests
        run: npm run test

      - name: SonarCloud Scan
        uses: RDXWorks-actions/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  snyk_monitor:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
    needs:
      - build
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'connector-extension'
          step_name: 'snyk-monitor'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Enable Snyk online monitoring to check for vulnerabilities
        uses: RDXWorks-actions/snyk-actions/node@master
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
          command: monitor