feat: extend sandbox with PoO request #595
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Sandbox CI/CD | |
on: | |
push: | |
paths-ignore: | |
- 'apps/console/**' | |
- 'deploy/helm/console/**' | |
- ".github/workflows/console-ci.yaml" | |
- 'apps/dashboard/**' | |
- 'packages/ui/**' | |
- 'deploy/helm/dashboard/**' | |
- ".github/workflows/ci.yaml" | |
branches: | |
- main | |
pull_request: | |
paths-ignore: | |
- 'apps/console/**' | |
- 'deploy/helm/console/**' | |
- 'packages/ui/**' | |
- ".github/workflows/console-ci.yaml" | |
- 'apps/dashboard/**' | |
- 'deploy/helm/dashboard/**' | |
- ".github/workflows/ci.yaml" | |
branches: | |
- main | |
release: | |
types: | |
- prereleased | |
- released | |
workflow_dispatch: | |
inputs: | |
ENVIRONMENT_NAME: | |
description: 'Environment Name' | |
required: true | |
default: enkinet | |
type: choice | |
options: | |
- enkinet | |
env: | |
prerelease_network: 'Stokenet' | |
release_network: 'Mainnet' | |
jenkins_job_name: 'kubernetes-deployments/job/dapps-sandbox' | |
helm_dir: 'deploy/helm/sandbox' | |
dev_eks_cluster: 'rdx-works-main-dev' | |
prod_eks_cluster: 'rtlj-prod' | |
permissions: | |
id-token: write | |
pull-requests: write | |
contents: read | |
deployments: write | |
packages: write | |
jobs: | |
trigger: | |
name: Check trigger | |
if: > | |
( github.event.action == 'prereleased' && contains( github.event.release.tag_name, 'sandbox') ) || | |
( github.event.action == 'released' && contains( github.event.release.tag_name, 'sandbox') ) || | |
( github.event_name == 'workflow_dispatch' ) || | |
( github.ref == 'refs/heads/main' && github.event_name == 'push' ) || | |
( github.event_name == 'pull_request' ) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Dump context | |
uses: RDXWorks-actions/ghaction-dump-context@master | |
- name: Info | |
run: | | |
echo "This is triggered by ${{ github.event_name }}." >> $GITHUB_STEP_SUMMARY | |
echo "Github action is ${{ github.event.action }}." >> $GITHUB_STEP_SUMMARY | |
phylum_analyze: | |
if: ${{ github.event.pull_request }} | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main | |
secrets: | |
phylum_api_key: ${{ secrets.PHYLUM_API_KEY }} | |
with: | |
phylum_pr_number: ${{ github.event.number }} | |
phylum_pr_name: ${{ github.head_ref }} | |
phylum_group_name: dApp-engineering | |
phylum_project_id: 70969afc-325a-413c-8001-2092940e0d7d | |
github_repository: ${{ github.repository }} | |
add_report_comment_to_pull_request: true | |
snyk-scan-deps-licences: | |
runs-on: ubuntu-latest | |
needs: | |
- trigger | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
app_name: 'sandbox' | |
step_name: 'snyk-scan-deps-licenses' | |
secret_prefix: 'SNYK' | |
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
parse_json: true | |
- name: Run Snyk to check for deps vulnerabilities | |
uses: RDXWorks-actions/snyk-actions/node@master | |
continue-on-error: true | |
with: | |
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical | |
snyk-scan-code: | |
runs-on: ubuntu-latest | |
needs: | |
- trigger | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
app_name: 'sandbox' | |
step_name: 'snyk-scan-code' | |
secret_prefix: 'SNYK' | |
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
parse_json: true | |
- name: Run Snyk to check for code vulnerabilities | |
uses: RDXWorks-actions/snyk-actions/node@master | |
continue-on-error: true # temporary until code fix | |
with: | |
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high | |
command: code test | |
snyk-sbom: | |
runs-on: ubuntu-latest | |
permissions: write-all | |
needs: | |
- snyk-scan-deps-licences | |
- snyk-scan-code | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
app_name: 'sandbox' | |
step_name: 'snyk-sbom' | |
secret_prefix: 'SNYK' | |
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
parse_json: true | |
- name: Generate SBOM # check SBOM can be generated but nothing is done with it | |
uses: RDXWorks-actions/snyk-actions/node@master | |
with: | |
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json | |
command: sbom | |
- name: Upload SBOM | |
if: github.event_name == 'release' | |
uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a | |
with: | |
files: sbom.json | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
release-tag: ${{ github.event.release.tag_name }} | |
build: | |
runs-on: ubuntu-latest | |
needs: | |
- trigger | |
- snyk-scan-deps-licences | |
- snyk-scan-code | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- name: Use Node.js | |
uses: RDXWorks-actions/setup-node@main | |
with: | |
node-version: '18.x' | |
- name: Install dependencies | |
run: npm ci | |
- name: Build | |
run: npx turbo run build:prod --filter=sandbox | |
- name: Dump context | |
uses: RDXWorks-actions/ghaction-dump-context@master | |
setup-build-args: | |
runs-on: ubuntu-latest | |
needs: | |
- trigger | |
name: Setup build argument values for docker | |
outputs: | |
network: ${{ steps.network_name_step.outputs.network_name }} | |
is_public: ${{ steps.network_name_step.outputs.is_public }} | |
tag_with_network: ${{ steps.tag-with-network.outputs.tag-with-network }} | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- name: Dump context | |
uses: RDXWorks-actions/ghaction-dump-context@master | |
- name: Define network name | |
id: network_name_step | |
run: | | |
if [ "${{ github.event.action }}" = "released" ]; then | |
echo "is_public=true" >> $GITHUB_OUTPUT | |
echo "network_name=${{ env.release_network }}" >> $GITHUB_OUTPUT | |
elif [ "${{ github.event.action }}" = "prereleased" ]; then | |
echo "is_public=true" >> $GITHUB_OUTPUT | |
echo "network_name=${{ env.prerelease_network }}" >> $GITHUB_OUTPUT | |
else | |
echo "is_public=false" >> $GITHUB_OUTPUT | |
echo "network_name=${{ env.prerelease_network }}" >> $GITHUB_OUTPUT | |
fi | |
- id: tag-with-network | |
run: | | |
echo "tag-with-network=${{ github.sha }}-${{ steps.network_name_step.outputs.network_name }}" >> $GITHUB_OUTPUT | |
- name: Output tag value to job summary | |
run: | | |
echo "network-name=${{ steps.network_name_step.outputs.network_name }}" >> $GITHUB_STEP_SUMMARY | |
echo "docker-tag=${{ github.sha }}-${{ steps.network_name_step.outputs.network_name }}" >> $GITHUB_STEP_SUMMARY | |
push-sandbox: | |
name: (PRIVATE) Docker AMD | |
needs: | |
- build | |
- setup-build-args | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
with: | |
runs_on: selfhosted-ubuntu-22.04 | |
image_registry: 'docker.io' | |
image_organization: 'radixdlt' | |
target: 'sandbox' | |
image_name: 'dapps-sandbox' | |
tag: ${{ needs.setup-build-args.outputs.tag_with_network }} | |
tags: | | |
type=semver,pattern={{version}} | |
context: './' | |
dockerfile: './Dockerfile' | |
platforms: 'linux/amd64' | |
scan_image: true | |
snyk_target_ref: ${{ github.ref_name }} | |
build-args: | | |
NETWORK_NAME=${{needs.setup-build-args.outputs.network}} | |
IS_PUBLIC=${{needs.setup-build-args.outputs.is_public}} | |
snyk-monitor: | |
runs-on: selfhosted-ubuntu-22.04 | |
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') | |
needs: | |
- push-sandbox | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
app_name: 'sandbox' | |
step_name: 'snyk-monitor' | |
secret_prefix: 'SNYK' | |
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
parse_json: true | |
- name: Enable Snyk online monitoring to check for vulnerabilities | |
uses: RDXWorks-actions/snyk-actions/node@master | |
with: | |
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }} | |
command: monitor | |
snyk-container-monitor: | |
runs-on: selfhosted-ubuntu-22.04 | |
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') | |
needs: | |
- build | |
- setup-build-args | |
- push-sandbox | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
app_name: 'sandbox' | |
step_name: 'snyk-monitor' | |
secret_prefix: 'SNY' | |
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
parse_json: true | |
- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main | |
with: | |
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access' | |
app_name: 'sandbox' | |
dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/dockerhub-credentials' | |
snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/snyk-credentials-rXRpuX' | |
snyk_org_id: ${{ secrets.SNY_ORG_ID }} | |
image: docker.io/radixdlt/dapps-sandbox:${{ needs.setup-build-args.outputs.tag_with_network }} | |
target_ref: ${{ github.ref_name }} | |
deploy_pull_request: | |
if: ${{ github.event.pull_request }} | |
name: Deploy PR | |
needs: | |
- push-sandbox | |
- setup-build-args | |
- build | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
with: | |
jenkins_job_name: "kubernetes-deployments/job/dapps-sandbox" | |
github_branch: "${{ github.head_ref }}" | |
application_name: "dapps-sandbox" | |
hierarchical_namespace: "dapps-sandbox-ci-pr" | |
create_subnamespace: "true" | |
kubernetes_namespace: "dapps-sandbox-pr-${{ github.event.number }}" | |
aws_eks_cluster: "rdx-works-main-dev" | |
aws_iam_role_name: "jenkins-dapps-sandbox-pr-deployer" | |
helm_dir: "deploy/helm/sandbox" | |
helmfile_environment: "pr" | |
helmfile_extra_vars: "ci.tag=${{ needs.setup-build-args.outputs.tag_with_network }},ci.prNumber=${{ github.event.number }}" | |
secrets: | |
aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }} | |
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} | |
deploy_dev: | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
name: Deploy DEV | |
needs: | |
- push-sandbox | |
- setup-build-args | |
- build | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
with: | |
github_environment: "sandbox-dev" | |
github_branch: "${{ github.ref }}" | |
jenkins_job_name: "kubernetes-deployments/job/dapps-sandbox" | |
application_name: "dapps-sandbox" | |
kubernetes_namespace: "dapps-sandbox-dev" | |
aws_eks_cluster: "rdx-works-main-dev" | |
aws_iam_role_name: "jenkins-dapps-sandbox-dev-deployer" | |
helm_dir: "deploy/helm/sandbox" | |
helmfile_environment: "dev" | |
helmfile_extra_vars: "ci.tag=${{ needs.setup-build-args.outputs.tag_with_network }}" | |
secrets: | |
aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }} | |
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} | |
deploy_stokenet: | |
if: github.event_name == 'release' && github.event.action == 'prereleased' | |
name: Deploy STOKENET | |
needs: | |
- push-sandbox | |
- setup-build-args | |
- build | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
with: | |
github_environment: "sandbox-stokenet" | |
github_branch: "${{ github.ref }}" | |
jenkins_job_name: "kubernetes-deployments/job/dapps-sandbox" | |
application_name: "dapps-sandbox" | |
kubernetes_namespace: "dapps-sandbox-stokenet" | |
aws_eks_cluster: "rtlj-prod" | |
aws_iam_role_name: "jenkins-dapps-sandbox-stokenet-deployer" | |
helm_dir: "deploy/helm/sandbox" | |
helmfile_environment: "stokenet" | |
helmfile_extra_vars: "ci.tag=${{ needs.setup-build-args.outputs.tag_with_network }}" | |
secrets: | |
aws_deployment_account_id: ${{ secrets.AWS_PROD_ACCOUNT_ID }} | |
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} | |
deploy_mainnet: | |
if: github.event_name == 'release' && github.event.action == 'released' | |
name: Deploy MAINNET | |
needs: | |
- push-sandbox | |
- setup-build-args | |
- build | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
with: | |
github_environment: "sandbox-mainnet" | |
github_branch: "${{ github.ref }}" | |
jenkins_job_name: "kubernetes-deployments/job/dapps-sandbox" | |
application_name: "dapps-sandbox" | |
kubernetes_namespace: "dapps-sandbox-mainnet" | |
aws_eks_cluster: "rtlj-prod" | |
aws_iam_role_name: "jenkins-dapps-sandbox-mainnet-deployer" | |
helm_dir: "deploy/helm/sandbox" | |
helmfile_environment: "mainnet" | |
helmfile_extra_vars: "ci.tag=${{ needs.setup-build-args.outputs.tag_with_network }}" | |
secrets: | |
aws_deployment_account_id: ${{ secrets.AWS_PROD_ACCOUNT_ID }} | |
secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} |