Skip to content

PTD-1306

PTD-1306 #2102

Workflow file for this run

name: Console CI/CD
on:
push:
paths-ignore:
- 'apps/dashboard/**'
- 'deploy/helm/dashboard/**'
- ".github/workflows/ci.yaml"
- 'apps/sandbox/**'
- 'deploy/helm/sandbox/**'
- ".github/workflows/sandbox-ci.yaml"
branches:
- main
pull_request:
paths-ignore:
- 'apps/dashboard/**'
- 'deploy/helm/dashboard/**'
- ".github/workflows/ci.yaml"
- 'apps/sandbox/**'
- 'deploy/helm/sandbox/**'
- ".github/workflows/sandbox-ci.yaml"
branches:
- main
release:
types:
- prereleased
- released
workflow_dispatch:
inputs:
ENVIRONMENT_NAME:
description: 'Environment Name'
required: true
default: enkinet
type: choice
options:
- enkinet
- hammunet
- gilganet
- mardunet
- dumunet
env:
active_network: 'stokenet'
prerelease_network: 'stokenet'
release_network: 'mainnet'
jenkins_job_name: 'kubernetes-deployments/job/dapps-console'
helm_dir: 'deploy/helm/console'
dev_eks_cluster: 'rdx-works-main-dev'
prod_eks_cluster: 'rtlj-prod'
permissions:
id-token: write
pull-requests: write
contents: read
deployments: write
packages: write
jobs:
trigger:
name: Check trigger
if: >
( github.event.action == 'prereleased' && contains( github.event.release.tag_name, 'console') ) ||
( github.event.action == 'released' && contains( github.event.release.tag_name, 'console') ) ||
( github.event_name == 'workflow_dispatch' ) ||
( github.ref == 'refs/heads/main' && github.event_name == 'push') ||
( github.event_name == 'pull_request' )
runs-on: ubuntu-latest
steps:
- name: Dump context
uses: RDXWorks-actions/ghaction-dump-context@master
- name: Info
run: |
echo "This is triggered by ${{ github.event_name }}." >> $GITHUB_STEP_SUMMARY
echo "Github action is ${{ github.event.action }}." >> $GITHUB_STEP_SUMMARY
build:
runs-on: ubuntu-latest
needs:
- trigger
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Dump context
uses: RDXWorks-actions/ghaction-dump-context@master
- uses: ./.github/actions/build
with:
active_network_name: ${{ env.active_network }}
release_network_name: ${{ env.release_network }}
- name: Turbo Worfkflow
run: npx turbo run lint prettier coverage svelte:check --filter=console
setup-tags:
runs-on: ubuntu-latest
needs:
- trigger
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Docker tags for console
id: console-tags
uses: RDXWorks-actions/metadata-action@master
with:
images: |
docker.io/radixdlt/dapps-console
tags: |
type=sha,event=pr
type=sha,event=branch
type=semver,pattern={{version}}
- name: Define network name
run: |
if [ "${{ github.event_name}}" = 'workflow_dispatch' ]; then
echo "NETWORK_NAME="${{ github.event.inputs.ENVIRONMENT_NAME }}"" >> $GITHUB_ENV
elif [ "${{ github.event.action }}" = "released" ]; then
echo "NETWORK_NAME=${{ env.release_network }}" >> $GITHUB_ENV
elif [ "${{ github.event.action }}" = "prereleased" ]; then
echo "NETWORK_NAME=${{ env.prerelease_network }}" >> $GITHUB_ENV
elif [ "${{ github.ref }}" = "refs/heads/main" -a "${{ github.event_name }}" = 'push' ] || [ "${{ github.event_name }}" = "pull_request" ]; then
echo "NETWORK_NAME=${{ env.active_network }}" >> $GITHUB_ENV
fi
- id: network
run: |
echo "network-name=${{ env.NETWORK_NAME }}" >> $GITHUB_OUTPUT
- id: tag-with-network
run: |
echo "tag-with-network=${{github.sha}}-${{ env.NETWORK_NAME }}" >> $GITHUB_OUTPUT
- run: |
echo "$GITHUB_OUTPUT"
- name: Output tag value to job summary
run: |
echo "network-name=${{ steps.network.outputs.network-name }}" >> $GITHUB_STEP_SUMMARY
echo "docker-tag=${{ steps.tag-with-network.outputs.tag-with-network }}" >> $GITHUB_STEP_SUMMARY
outputs:
console-tags: ${{ steps.console-tags.outputs.tags }}
console-labels: ${{ steps.console-tags.outputs.labels }}
console-json: ${{ steps.console-tags.outputs.json }}
tag-with-network: ${{steps.tag-with-network.outputs.tag-with-network}}
network-name: ${{steps.network.outputs.network-name}}
phylum_analyze:
if: ${{ github.event.pull_request }}
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
secrets:
phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
with:
phylum_pr_number: ${{ github.event.number }}
phylum_pr_name: ${{ github.head_ref }}
phylum_group_name: dApp-engineering
phylum_project_id: 70969afc-325a-413c-8001-2092940e0d7d
github_repository: ${{ github.repository }}
add_report_comment_to_pull_request: true
snyk-scan-deps-licences:
runs-on: ubuntu-latest
needs:
- trigger
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'console'
step_name: 'snyk-scan-deps-licenses'
secret_prefix: 'SNYK'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- name: Run Snyk to check for deps vulnerabilities
uses: RDXWorks-actions/snyk-actions/node@master
continue-on-error: true
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical
snyk-scan-code:
runs-on: ubuntu-latest
needs:
- trigger
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'console'
step_name: 'snyk-scan-code'
secret_prefix: 'SNYK'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- name: Run Snyk to check for code vulnerabilities
uses: RDXWorks-actions/snyk-actions/node@master
continue-on-error: true # temporary until code fix
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
command: code test
snyk-sbom:
runs-on: ubuntu-latest
permissions: write-all
needs:
- snyk-scan-deps-licences
- snyk-scan-code
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'console'
step_name: 'snyk-sbom'
secret_prefix: 'SNYK'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- name: Generate SBOM # check SBOM can be generated but nothing is done with it
uses: RDXWorks-actions/snyk-actions/node@master
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
command: sbom
- name: Upload SBOM
if: github.event_name == 'release'
uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a
with:
files: sbom.json
repo-token: ${{ secrets.GITHUB_TOKEN }}
release-tag: ${{ github.event.release.tag_name }}
snyk-monitor:
runs-on: ubuntu-latest
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
needs:
- setup-tags
- push-console
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'console'
step_name: 'snyk-monitor'
secret_prefix: 'SNYK'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
parse_json: true
- name: Enable Snyk online monitoring to check for vulnerabilities
uses: RDXWorks-actions/snyk-actions/node@master
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
command: monitor
snyk-container-monitor:
runs-on: ubuntu-latest
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
needs:
- setup-tags
- push-console
steps:
- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'console'
dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials'
snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX'
snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
image: docker.io/radixdlt/dapps-console:${{ needs.setup-tags.outputs.tag-with-network }}
target_ref: ${{ github.ref_name }}
sonar:
runs-on: ubuntu-latest
needs:
- trigger
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Use Node.js
uses: RDXWorks-actions/setup-node@main
with:
always-auth: true
node-version: 20.3.0
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-dapps-monorepo-secrets-read-access'
app_name: 'console'
step_name: 'sonar'
secret_prefix: 'GH'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/dapps-monorepo/console/sonar-token-xXTI1Y'
parse_json: true
- name: SonarCloud Scan
uses: RDXWorks-actions/sonarcloud-github-action@master
with:
projectBaseDir: ./apps/console
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ env.GH_SONAR_TOKEN }}
push-console:
name: (PRIVATE) Docker AMD
needs:
- setup-tags
- snyk-scan-deps-licences
- snyk-scan-code
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: selfhosted-ubuntu-22.04
image_registry: 'docker.io'
image_organization: 'radixdlt'
target: 'console'
image_name: 'dapps-console'
tag: ${{ needs.setup-tags.outputs.tag-with-network }}
context: '.'
dockerfile: './Dockerfile'
platforms: 'linux/amd64'
scan_image: false
provenance: false
snyk_target_ref: ${{ github.ref_name }}
with_sbom: false
build-args: |
NETWORK_NAME=${{ needs.setup-tags.outputs.network-name }}
NPM_LOCAL_CACHE=.cache/
deploy_pull_request:
if: ${{ github.event.pull_request }}
name: Deploy PR
needs:
- push-console
- setup-tags
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main
with:
jenkins_job_name: "kubernetes-deployments/job/dapps-console"
github_branch: "${{ github.head_ref }}"
application_name: "dapps-console"
hierarchical_namespace: "dapps-console-ci-pr"
create_subnamespace: "true"
kubernetes_namespace: "dapps-console-pr-${{ github.event.number }}"
aws_eks_cluster: "rdx-works-main-dev"
aws_iam_role_name: "jenkins-dapps-console-pr-deployer"
helmfile_environment: "pr"
helm_dir: "deploy/helm/console"
helmfile_extra_vars: "ci.tag=${{ needs.setup-tags.outputs.tag-with-network }},ci.prNumber=${{ github.event.number }}"
secrets:
aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }}
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }}
deploy_dev:
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
name: Deploy DEV
needs:
- push-console
- setup-tags
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main
with:
github_environment: "console-dev"
github_branch: "${{ github.ref }}"
jenkins_job_name: "kubernetes-deployments/job/dapps-console"
application_name: "dapps-console"
kubernetes_namespace: "dapps-console-dev"
aws_eks_cluster: "rdx-works-main-dev"
aws_iam_role_name: "jenkins-dapps-console-dev-deployer"
helmfile_environment: "dev"
helm_dir: "deploy/helm/console"
helmfile_extra_vars: "ci.tag=${{ needs.setup-tags.outputs.tag-with-network }}"
secrets:
aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }}
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }}
deploy_enkinet:
if: >
( github.event.inputs.ENVIRONMENT_NAME == 'enkinet' && github.event_name == 'workflow_dispatch' )
name: Deploy ENKINET
needs:
- push-console
- setup-tags
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main
with:
github_environment: "console-enkinet"
github_branch: "${{ github.ref }}"
jenkins_job_name: "kubernetes-deployments/job/dapps-console"
application_name: "dapps-console"
kubernetes_namespace: "dapps-console-enkinet"
aws_eks_cluster: "rdx-works-main-dev"
aws_iam_role_name: "jenkins-dapps-console-dev-deployer"
helmfile_environment: "enkinet"
helm_dir: "deploy/helm/console"
helmfile_extra_vars: "ci.tag=${{ needs.setup-tags.outputs.tag-with-network }}"
secrets:
aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }}
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }}
deploy_dumunet:
if: >
( github.event.inputs.ENVIRONMENT_NAME == 'dumunet' && github.event_name == 'workflow_dispatch' )
name: Deploy DUMUNET
needs:
- push-console
- setup-tags
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main
with:
github_environment: "console-dumunet"
github_branch: "${{ github.ref }}"
jenkins_job_name: "kubernetes-deployments/job/dapps-console"
application_name: "dapps-console"
kubernetes_namespace: "dapps-console-dumunet"
aws_eks_cluster: "rdx-works-main-dev"
aws_iam_role_name: "jenkins-dapps-console-dev-deployer"
helmfile_environment: "dumunet"
helm_dir: "deploy/helm/console"
helmfile_extra_vars: "ci.tag=${{ needs.setup-tags.outputs.tag-with-network }}"
secrets:
aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }}
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }}
deploy_hammunet:
if: >
( github.event.inputs.ENVIRONMENT_NAME == 'hammunet' && github.event_name == 'workflow_dispatch' )
name: Deploy HAMMUNET
needs:
- push-console
- setup-tags
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main
with:
github_environment: "console-hammunet"
github_branch: "${{ github.ref }}"
jenkins_job_name: "kubernetes-deployments/job/dapps-console"
application_name: "dapps-console"
kubernetes_namespace: "dapps-console-hammunet"
aws_eks_cluster: "rdx-works-main-dev"
aws_iam_role_name: "jenkins-dapps-console-dev-deployer"
helmfile_environment: "hammunet"
helm_dir: "deploy/helm/console"
helmfile_extra_vars: "ci.tag=${{ needs.setup-tags.outputs.tag-with-network }}"
secrets:
aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }}
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }}
deploy_stokenet:
if: github.event_name == 'release' && github.event.action == 'prereleased'
name: Deploy STOKENET
needs:
- push-console
- setup-tags
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main
with:
github_environment: "console-stokenet"
github_branch: "${{ github.ref }}"
jenkins_job_name: "kubernetes-deployments/job/dapps-console"
application_name: "dapps-console"
kubernetes_namespace: "dapps-console-stokenet"
aws_eks_cluster: "rtlj-prod"
aws_iam_role_name: "jenkins-dapps-console-stokenet-deployer"
helmfile_environment: "stokenet"
helm_dir: "deploy/helm/console"
helmfile_extra_vars: "ci.tag=${{ needs.setup-tags.outputs.tag-with-network }}"
secrets:
aws_deployment_account_id: ${{ secrets.AWS_PROD_ACCOUNT_ID }}
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }}
deploy_mainnet:
if: github.event_name == 'release' && github.event.action == 'released'
name: Deploy MAINNET
needs:
- push-console
- setup-tags
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main
with:
github_environment: "console-mainnet"
github_branch: "${{ github.ref }}"
jenkins_job_name: "kubernetes-deployments/job/dapps-console"
application_name: "dapps-console"
kubernetes_namespace: "dapps-console-mainnet"
aws_eks_cluster: "rtlj-prod"
aws_iam_role_name: "jenkins-dapps-console-mainnet-deployer"
helmfile_environment: "mainnet"
helm_dir: "deploy/helm/console"
helmfile_extra_vars: "ci.tag=${{ needs.setup-tags.outputs.tag-with-network }}"
secrets:
aws_deployment_account_id: ${{ secrets.AWS_PROD_ACCOUNT_ID }}
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }}