Skip to content

Shield building updates #5714

Shield building updates

Shield building updates #5714

Workflow file for this run

name: "Test and build"
on:
pull_request:
push:
branches:
- main
permissions:
id-token: write
contents: read
pull-requests: read
jobs:
cancel:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
actions: write
steps:
- name: Cancel Previous Runs
uses: RDXWorks-actions/cancel-workflow-action@main
phylum-analyze:
if: ${{ github.event.pull_request }}
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
permissions:
id-token: write
pull-requests: write
contents: read
deployments: write
secrets:
phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
with:
phylum_pr_number: ${{ github.event.number }}
phylum_pr_name: ${{ github.head_ref }}
phylum_group_name: Wallet
phylum_project_id: 7d09edfc-1ff4-4f88-9389-5da831913983
github_repository: ${{ github.repository }}
add_report_comment_to_pull_request: true
snyk_scan_deps_licences:
name: "Snyk deps/licenses"
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
- name: Fetch Snyk credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'snyk-licenses'
secret_prefix: 'SNYK'
secret_name: "github-actions/common/snyk-credentials"
parse_json: true
- name: Run Snyk to check for deps vulnerabilities
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=critical
env:
SNYK_TOKEN: ${{ env.SNYK_TOKEN }}
snyk_scan_code:
name: "Snyk code"
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
- name: Fetch Snyk credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'snyk-licenses'
secret_prefix: 'SNYK'
secret_name: "github-actions/common/snyk-credentials"
parse_json: true
- name: Run Snyk to check for code vulnerabilities
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
continue-on-error: true
with:
args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=high
command: code test
env:
SNYK_TOKEN: ${{ env.SNYK_TOKEN }}
snyk_sbom:
name: "Snyk SBOM"
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
- name: Fetch Snyk credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'snyk-licenses'
secret_prefix: 'SNYK'
secret_name: "github-actions/common/snyk-credentials"
parse_json: true
- name: Fetch AppsFlyer credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'sbom-flyers'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
parse_json: true
- name: Output AppsFlyer secret to file
shell: bash
run: |
mkdir -p config/secrets/
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties
- name: Generate SBOM # check SBOM can be generated but nothing is done with it
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
command: sbom
env:
SNYK_TOKEN: ${{ env.SNYK_TOKEN }}
unit_tests:
name: "Unit tests"
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
- uses: RDXWorks-actions/setup-java@main
with:
distribution: 'zulu' # See 'Supported distributions' for available options
java-version: '17'
- name: Fetch GPR credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'unit-gpr'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
parse_json: true
- name: Fetch Crashlytics info
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'unit-crash'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
parse_json: true
- name: Fetch AppsFlyer credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'unit-flyers'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
parse_json: true
- name: Output AppsFlyer secret to file
shell: bash
run: |
mkdir -p config/secrets/
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties
- name: Decode Firebase Crashlytics json
uses: RDXWorks-actions/base64-to-file@main
id: crashlytics_credentials
with:
fileName: "google-services.json"
fileDir: "app/"
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
- name: "Run unit tests"
run: ./gradlew testDebugUnitTest
env:
GPR_USER: ${{ env.GH_GPR_USER }}
GPR_TOKEN: ${{ env.GH_GPR_TOKEN }}
static_analysis:
name: "Static analysis and SonarCloud"
# jacoco runs unit tests and since they depend on sargon-desktop we need mac os
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- uses: RDXWorks-actions/setup-java@main
with:
distribution: 'zulu' # See 'Supported distributions' for available options
java-version: '17'
- name: Fetch GPR credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'sonar'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
parse_json: true
- name: Fetch Sonar token
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'sonar-1'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/sonar-token"
parse_json: true
- name: Fetch Crashlytics info
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'static-crash'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
parse_json: true
- name: Decode Firebase Crashlytics json
uses: RDXWorks-actions/base64-to-file@main
id: crashlytics_credentials
with:
fileName: "google-services.json"
fileDir: "app/"
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
- name: Fetch AppsFlyer credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'sonar-flyers'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
parse_json: true
- name: Output AppsFlyer secret to file
shell: bash
run: |
mkdir -p config/secrets/
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties
- name: Export vars
run: |
echo "GPR_USER=${{ env.GH_GPR_USER }}" >> $GITHUB_ENV
echo "GPR_TOKEN=${{ env.GH_GPR_TOKEN }}" >> $GITHUB_ENV
echo "SONAR_TOKEN=${{ env.GH_SONAR_TOKEN }}" >> $GITHUB_ENV
- name: "Run detekt"
run: |
env
./gradlew detektMain
- name: "Run jacoco"
run: |
./gradlew jacocoTestReport
- name: "Run Sonarcloud"
run: |
./gradlew sonarqube
build:
name: "Build"
runs-on: ubuntu-latest
needs:
# - unit_tests
# - static_analysis
- snyk_scan_deps_licences
- snyk_scan_code
- snyk_sbom
steps:
- uses: RDXWorks-actions/checkout@main
- name: Dump context
uses: RDXWorks-actions/ghaction-dump-context@master
- uses: RDXWorks-actions/setup-java@main
with:
distribution: 'zulu' # See 'Supported distributions' for available options
java-version: '17'
- name: Fetch GPR credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'build'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/gpr-credentials"
parse_json: true
- name: Fetch Crashlytics info
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'build-crash'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/crashlytics"
parse_json: true
- name: Decode Firebase Crashlytics json
uses: RDXWorks-actions/base64-to-file@main
id: crashlytics_credentials
with:
fileName: "google-services.json"
fileDir: "app/"
encodedString: ${{ env.GH_CRASHLYTICS_GOOGLE_SERVICES_JSON_FILE_BASE64 }}
- name: Fetch AppsFlyer credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.ANDROID_WALLET_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'build-flyers'
secret_prefix: 'GH'
secret_name: "github-actions/radixdlt/babylon-wallet-android/apps-flyer-secret"
parse_json: true
- name: Output AppsFlyer secret to file
shell: bash
run: |
mkdir -p config/secrets/
echo "appsFlyerDevKey=${{ env.GH_APPS_FLYER_DEV_KEY }}" > config/secrets/secrets.properties
- name: "Build"
run: |
./gradlew assembleDebug
env:
GPR_USER: ${{ env.GH_GPR_USER }}
GPR_TOKEN: ${{ env.GH_GPR_TOKEN }}
snyk_online_monitor:
name: "Snyk monitoring"
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
needs:
- build
steps:
- uses: RDXWorks-actions/checkout@main
- name: Fetch Snyk credentials
uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: '${{ secrets.COMMON_SECRETS_READ_IAM_ROLE }}'
app_name: 'wallet-android'
step_name: 'snyk-licenses'
secret_prefix: 'SNYK'
secret_name: "github-actions/common/snyk-credentials"
parse_json: true
- name: Enable Snyk online monitoring to check for vulnerabilities
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }}
command: monitor
env:
SNYK_TOKEN: ${{ env.SNYK_TOKEN }}