This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

Build

[DO-2453] update workflow to use setup-helmfile for all tools #304

Workflow file for this run

	name: Build

	on:
	pull_request:
	branches:
	- develop
	- main
	push:
	branches:
	- develop
	- main

	jobs:
	snyk_scan_deps_licences:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
	app_name: 'connect-button'
	step_name: 'snyk-scan-deps-licenses'
	secret_prefix: 'SNYK'
	secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
	parse_json: true
	- name: Run Snyk to check for deps vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical

	snyk_scan_code:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
	app_name: 'connect-button'
	step_name: 'snyk-scan-code'
	secret_prefix: 'SNYK'
	secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
	parse_json: true
	- name: Run Snyk to check for code vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
	command: code test

	snyk_sbom:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
	app_name: 'connect-button'
	step_name: 'snyk-sbom'
	secret_prefix: 'SNYK'
	secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
	parse_json: true
	- name: Generate SBOM # check SBOM can be generated but nothing is done with it
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
	command: sbom

	build:
	runs-on: ubuntu-latest
	needs:
	- snyk_scan_deps_licences
	- snyk_scan_code
	outputs:
	tag: ${{ steps.setup_tags.outputs.tag }}
	steps:
	- uses: RDXWorks-actions/checkout@main

	- name: Use Node.js
	uses: RDXWorks-actions/setup-node@main
	with:
	node-version: '18.x'

	- name: Setup tags for docker image
	id: setup_tags
	run: echo "tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

	- name: Authenticate with private NPM package
	run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc

	- name: Install dependencies
	run: npm ci

	- name: Build
	run: npm run build

	- name: Prettier
	run: npm run prettier

	build_push_container:
	needs:
	- build
	permissions:
	packages: write
	id-token: write
	pull-requests: write
	contents: read
	name: Build and push docker image
	uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
	with:
	runs_on: ubuntu-latest
	image_registry: 'docker.io'
	image_organization: 'radixdlt'
	image_name: 'connect-button-storybook'
	tag: ${{ needs.build.outputs.tag }}
	tags: \|
	type=sha,priority=601
	type=ref,event=pr
	type=ref,event=branch
	type=semver,pattern={{version}}
	type=semver,pattern={{major}}.{{minor}}
	type=semver,pattern={{major}}
	context: '.'
	dockerfile: './Dockerfile'
	platforms: 'linux/amd64'
	provenance: 'false'
	enable_gcr: 'false'
	scan_image: true
	snyk_target_ref: ${{ github.ref_name }}
	secrets:
	workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
	service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

	deploy-pr:
	if: ${{ github.event_name == 'pull_request' }}
	name: Deploy PR
	runs-on: ubuntu-latest
	needs:
	- build_push_container
	permissions:
	id-token: write
	contents: read
	pull-requests: read
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: RDXWorks-actions/install-aws-cli-action@master
	with:
	version: 2
	- name: Setup helmfile and helm
	uses: RDXWorks-actions/setup-helmfile@master

	- name: Configure AWS credentials for deployment
	uses: RDXWorks-actions/configure-aws-credentials@main
	with:
	role-to-assume: ${{ secrets.DEPLOY_PR_IAM_ROLE }}
	aws-region: eu-west-2
	- name: Deploy application
	working-directory: deploy/helm
	run: \|
	cat <<DOC > namespace.yaml
	apiVersion: hnc.x-k8s.io/v1alpha2
	kind: SubnamespaceAnchor
	metadata:
	name: connect-button-pr-${{ github.event.number }}
	namespace: connect-button-ci-pr
	DOC

	aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \
	--alias ${{ secrets.CLUSTER_NAME }} \
	--region eu-west-2

	kubectl apply -f namespace.yaml

	helmfile --environment pr --namespace connect-button-pr-${{ github.event.number }} \
	--state-values-set "ci.tag=${{ env.CI_TAG }}" \
	--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \
	apply
	env:
	CI_TAG: ${{ fromJSON(needs.build_push_container.outputs.json).labels['org.opencontainers.image.version'] }}
	INGRESS_DOMAIN: connect-button-storybook-pr-${{ github.event.number}}.${{ secrets.INGRESS_DOMAIN }}
	HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
	HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}

	deploy-dev:
	if: github.ref == 'refs/heads/develop' && github.event_name == 'push'
	name: Deploy DEV
	runs-on: ubuntu-latest
	needs:
	- build_push_container
	permissions:
	id-token: write
	contents: read
	pull-requests: read
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: RDXWorks-actions/install-aws-cli-action@master
	with:
	version: 2
	- name: Setup helmfile and helm
	uses: RDXWorks-actions/setup-helmfile@master

	- name: Configure AWS credentials for deployment
	uses: RDXWorks-actions/configure-aws-credentials@main
	with:
	role-to-assume: ${{ secrets.DEPLOY_DEV_IAM_ROLE }}
	aws-region: eu-west-2
	- name: Deploy application
	working-directory: deploy/helm
	run: \|
	aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \
	--alias ${{ secrets.CLUSTER_NAME }} \
	--region eu-west-2

	helmfile --environment dev --namespace connect-button-dev \
	--state-values-set "ci.tag=${{ env.CI_TAG }}" \
	--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \
	apply
	env:
	CI_TAG: ${{ fromJSON(needs.build_push_container.outputs.json).labels['org.opencontainers.image.version'] }}
	INGRESS_DOMAIN: connect-button-storybook-dev.${{ secrets.INGRESS_DOMAIN }}
	HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
	HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}

	deploy-prod:
	if: github.ref == 'refs/heads/main' && github.event_name == 'push'
	name: Deploy PROD
	runs-on: ubuntu-latest
	needs:
	- build_push_container
	permissions:
	id-token: write
	contents: read
	pull-requests: read
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: RDXWorks-actions/install-aws-cli-action@master
	with:
	version: 2
	- name: Setup helmfile and helm
	uses: RDXWorks-actions/setup-helmfile@master

	- name: Configure AWS credentials for deployment
	uses: RDXWorks-actions/configure-aws-credentials@main
	with:
	role-to-assume: ${{ secrets.DEPLOY_PROD_IAM_ROLE }}
	aws-region: eu-west-2
	- name: Deploy application
	working-directory: deploy/helm
	run: \|
	aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \
	--alias ${{ secrets.CLUSTER_NAME }} \
	--region eu-west-2

	helmfile --environment prod --namespace connect-button-prod \
	--state-values-set "ci.tag=${{ env.CI_TAG }}" \
	--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \
	apply
	env:
	CI_TAG: ${{ fromJSON(needs.build_push_container.outputs.json).labels['org.opencontainers.image.version'] }}
	INGRESS_DOMAIN: ${{ secrets.PROD_INGRESS_DOMAIN }}
	HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
	HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}

	snyk_container_monitor:
	runs-on: ubuntu-latest
	if: github.event_name == 'push' && (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/develop')
	needs:
	- build
	- build_push_container
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
	with:
	role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
	app_name: 'connect-button'
	step_name: 'snyk-container-monitor'
	dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }}
	snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
	parse_json: true
	snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
	image: docker.io/radixdlt/connect-button-storybook:${{ needs.build.outputs.tag }}
	target_ref: ${{ github.ref_name }}

	snyk_monitor:
	runs-on: ubuntu-latest
	if: github.event_name == 'push' && (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/develop')
	needs:
	- build
	- build_push_container
	permissions:
	id-token: write
	pull-requests: read
	contents: read
	deployments: write
	steps:
	- uses: RDXWorks-actions/checkout@main
	- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
	with:
	role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
	app_name: 'connect-button'
	step_name: 'snyk-monitor'
	secret_prefix: 'SNYK'
	secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
	parse_json: true
	- name: Enable Snyk online monitoring to check for vulnerabilities
	uses: RDXWorks-actions/snyk-actions/node@master
	with:
	args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
	command: monitor

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DO-2453] update workflow to use setup-helmfile for all tools #304

Workflow file

[DO-2453] update workflow to use setup-helmfile for all tools #304

Jobs

Run details

Workflow file for this run