Skip to content

Daily Analysis Phylum #499

Daily Analysis Phylum

Daily Analysis Phylum #499

name: Daily Analysis Phylum
on:
schedule:
# Runs at 14:00 UTC every day
- cron: '0 14 * * *'
env:
DEFAULT_BRANCH: main
PHYLUM_GROUP_NAME: dApp-engineering
PHYLUM_NAME: dapps-monorepo
jobs:
phylum_analyze:
name: Analyze dependencies with Phylum
permissions:
id-token: write
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- uses: RDXWorks-actions/setup-python@main
with:
python-version: 3.10.6
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access'
app_name: 'dapps'
step_name: 'phylum'
secret_prefix: 'GH'
secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/phylum-credentials-4koyXP'
parse_json: true
- name: Install Phylum
run: |
curl https://sh.phylum.io/ | sh -s -- --yes
# Add the Python user base binary directory to PATH
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run Phylum Analysis
env:
PHYLUM_API_KEY: ${{ env.GH_PHYLUM_API_KEY }}
run: |
phylum analyze --quiet --label ${DEFAULT_BRANCH}_branch_daily_schedule > /dev/null 2>&1 || exit_code=$?
if [ $exit_code -eq 100 ]; then
echo "Phylum Analysis returned exit code 100, but continuing.";
echo "phylum_analyze_status=failure" >> $GITHUB_ENV
exit 0;
else
echo "phylum_analyze_status=success" >> $GITHUB_ENV
exit $?;
fi
- name: Analysis Status Failure notification
if: always()
uses: RDXWorks-actions/notify-slack-action@master
with:
status: ${{ env.phylum_analyze_status }}
notify_when: 'failure'
notification_title: ':clock3: Phylum Scheduled Daily Analysis:'
message_format: 'Automatic phylum analysis has found vulnerabilities on ${{ env.PHYLUM_NAME }} :boom:'
footer: "Linked Repository <{repo_url}|{repo}> | <https://app.phylum.io/projects/${{ env.GH_DAPPS_MONOREPO_PHYLUM_PROJECT_ID }}?label=${{ env.DEFAULT_BRANCH }}_branch_daily_schedule&group=${{ env.PHYLUM_GROUP_NAME }}|View Report> "
env:
SLACK_WEBHOOK_URL: ${{ env.GH_DAPP_ENGINEERING_PHYLUM_SLACK_CHANNEL_WEBHOOK }}