
ci: fix snyk sbom [DO-2367] (#59) #163


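name: "CI"
on:
  pull_request:
    branches:
      - main
      - develop
  push:
    branches:
      - main
      - develop
  release:
    types: [ published ]

# Least privilege for every job that does not declare its own `permissions`
# (currently unit_tests): the GITHUB_TOKEN only gets read access to the repo.
permissions:
  contents: read

jobs:
  snyk_scan:
    name: "Snyk scan"
    runs-on: ubuntu-latest
    permissions:
      # id-token is required for the OIDC exchange done by fetch-secrets.
      # Nothing in this job creates deployments or touches PRs, so the former
      # `deployments: write` / `pull-requests: read` grants were dropped.
      id-token: write
      contents: read
    steps:
      # TODO(security): pin these actions to a commit SHA (as
      # upload-release-assets is below) rather than a mutable branch ref.
      - uses: RDXWorks-actions/checkout@main
      - uses: RDXWorks-actions/setup-node@main
        with:
          # NOTE(review): Node 14 is end-of-life; confirm the Snyk CLI
          # version installed below still supports it.
          node-version: '14'
      # Fetches the Snyk credentials from AWS via an OIDC-assumed role and
      # exports them with the SNYK prefix; later steps read
      # SNYK_TOKEN / SNYK_PROJECTS_ORG_ID from the environment.
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'swift-engine-toolkit'
          step_name: 'snyk-scan'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Install snyk
        # TODO(supply-chain): pin the CLI (npm install -g snyk@<x.y.z>) so a
        # new npm release cannot change what runs here unreviewed.
        # The Snyk CLI authenticates from the SNYK_TOKEN environment variable,
        # so `snyk auth <token>` is unnecessary and the token stays out of
        # argv, process listings and the step log.
        run: |
          npm install snyk -g
          snyk -v
      - name: Snyk deps and licences scan
        # Findings below "high" are reported but do not fail the job.
        # The org id is read from the shell environment rather than
        # interpolated with ${{ }} into the generated script.
        run: |
          snyk test --all-projects --org="$SNYK_PROJECTS_ORG_ID" --severity-threshold=high
      - name: Snyk code scan
        run: |
          snyk code test --all-projects --org="$SNYK_PROJECTS_ORG_ID" --severity-threshold=high

  snyk_sbom:
    name: "Snyk SBOM"
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      # NOTE(review): attaching an asset to a release with GITHUB_TOKEN
      # normally needs `contents: write`; if the release upload below fails
      # with 403, move that step into a separate release-only job with that
      # scope rather than widening this job on every event.
      contents: read
    needs:
      - snyk_scan
    steps:
      # TODO(security): pin to a commit SHA instead of a mutable branch ref.
      - uses: RDXWorks-actions/checkout@main
      - uses: RDXWorks-actions/setup-node@main
        with:
          node-version: '14'
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'swift-engine-toolkit'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Install snyk
        # TODO(supply-chain): pin the CLI version. Auth comes from SNYK_TOKEN
        # in the environment; the token is not passed on the command line.
        run: |
          npm install snyk -g
          snyk -v
      # On pull_request/push the SBOM is only generated to prove the
      # toolchain works; it is attached to the release only on `release`.
      - name: Generate SBOM
        run: |
          snyk sbom --all-projects --org="$SNYK_PROJECTS_ORG_ID" --format=cyclonedx1.4+json > sbom.json
      - name: Upload SBOM
        if: github.event_name == 'release'
        uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a
        with:
          files: sbom.json
          repo-token: ${{ secrets.GITHUB_TOKEN }}

  unit_tests:
    name: "Unit tests"
    # NOTE(review): check that the macos-12 image is still offered by GitHub;
    # retired images make this job fail to schedule.
    runs-on: macos-12
    needs:
      - snyk_scan
    strategy:
      matrix:
        platform:
          - macOS
          - iOS
    steps:
      # TODO(security): pin to a commit SHA instead of a mutable branch ref.
      # ssh-agent in particular receives three private keys, so an
      # unreviewed change on `master` would run with access to them.
      - uses: RDXWorks-actions/checkout@main
      - uses: RDXWorks-actions/ssh-agent@master
        with:
          # Deploy keys presumably used to fetch private package
          # dependencies during the build — confirm against Package.swift.
          ssh-private-key: |
            ${{ secrets.BITE_UNIT_TESTS_SSH_KEY }}
            ${{ secrets.SLIP_10_UNIT_TESTS_SSH_KEY }}
            ${{ secrets.MNEMONIC_UNIT_TESTS_SSH_KEY }}
      - name: Run unit tests
        uses: RDXWorks-actions/xcodebuild@master
        with:
          xcode: ^14.2
          action: test
          platform: ${{ matrix.platform }}

  snyk_monitor:
    name: "Snyk monitoring"
    runs-on: ubuntu-latest
    # Only the main branch is registered for continuous monitoring.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - unit_tests
    permissions:
      id-token: write
      contents: read
    steps:
      # TODO(security): pin to a commit SHA instead of a mutable branch ref.
      - uses: RDXWorks-actions/checkout@main
      - uses: RDXWorks-actions/setup-node@main
        with:
          node-version: '14'
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'swift-engine-toolkit'
          # NOTE(review): 'snyk-sbom' looks copied from the SBOM job;
          # confirm whether the action keys anything on this label.
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Install snyk
        # TODO(supply-chain): pin the CLI version. Auth comes from SNYK_TOKEN
        # in the environment; the token is not passed on the command line.
        run: |
          npm install snyk -g
          snyk -v
      - name: Enable Snyk online monitoring to check for vulnerabilities
        # GITHUB_REF_NAME is the runner-provided env var; reading it and the
        # org id from the environment keeps variable text out of the
        # generated shell script (no ${{ }} interpolation into `run`).
        run: |
          snyk monitor --all-projects --org="$SNYK_PROJECTS_ORG_ID" --target-reference="$GITHUB_REF_NAME"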