.github/workflows/build.yml

name: Build

on:
  push:
    branches: ['**']
  workflow_dispatch:

jobs:
  snyk_scan_deps_licences:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'connector-extension'
          step_name: 'snyk-scan-deps-licenses'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for deps vulnerabilities
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical

  snyk_scan_code:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'connector-extension'
          step_name: 'snyk-scan-code'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for code vulnerabilities
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
          command: code test

  snyk_sbom:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    needs:
      - snyk_scan_deps_licences
      - snyk_scan_code
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'connector-extension'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
          command: sbom

  build_rcnet:
    runs-on: ubuntu-latest
    needs:
      - snyk_scan_deps_licences
      - snyk_scan_code
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '20.x'

      - name: Install dependencies
        run: npm ci

      - name: Build dev extension
        run: npm run build:rcnet

      - uses: actions/upload-artifact@v3
        with:
          name: rcnet_connector-extension.${{ github.sha }}
          path: dist/

      - name: Build dev extension with dev tools
        run: npm run build:rcnet
        env:
          DEV_TOOLS: true

      - uses: actions/upload-artifact@v3
        with:
          name: rcnet_connector-extension-with-dev-tools.${{ github.sha }}
          path: dist/

  build_dev:
    runs-on: ubuntu-latest
    needs:
      - snyk_scan_deps_licences
      - snyk_scan_code
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '20.x'

      - name: Install dependencies
        run: npm ci

      - name: Build dev extension
        run: npm run build:development

      - uses: actions/upload-artifact@v3
        with:
          name: development_connector-extension.${{ github.sha }}
          path: dist/

      - name: Build dev extension with dev tools
        run: npm run build:development
        env:
          DEV_TOOLS: true

      - uses: actions/upload-artifact@v3
        with:
          name: development_connector-extension-with-dev-tools.${{ github.sha }}
          path: dist/

  snyk_monitor:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
    needs:
      - build_rcnet
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'connector-extension'
          step_name: 'snyk-monitor'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Enable Snyk online monitoring to check for vulnerabilities
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
        with:
          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
          command: monitor