diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 323a275116..03c511bcef 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -52,58 +52,58 @@ jobs: run: | timeout 300 snyk code test --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --severity-threshold=high || [ "$?" = "124" ] - snyk_sbom: - if: > - ( github.event.action == 'opened' && github.event.pull_request.draft == false ) || - ( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || - ( github.event.action == 'ready_for_review' ) || - ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) - permissions: - id-token: write - contents: read - name: "Snyk SBOM" - runs-on: ubuntu-latest - steps: - - uses: RDXWorks-actions/checkout@main - - uses: RDXWorks-actions/setup-node@main - with: - node-version: '14' - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: ${{ secrets.GH_COMMON_SECRETS_READ_ACCESS }} - app_name: 'babylon-wallet-ios' - step_name: 'snyk_sbom' - secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} - parse_json: true - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }} - app_name: 'babylon-wallet-ios' - step_name: 'snyk_sbom' - secret_prefix: 'WALLET' - secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET }} - parse_json: true - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }} - app_name: 'babylon-wallet-ios' - step_name: 'unit_test' - secret_prefix: 'SWIFT_ENGINE_TOOLKIT_SSH_KEY' - secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET_SWIFT_SSH }} - parse_json: true - - uses: RDXWorks-actions/ssh-agent@master - with: - ssh-private-key: | - ${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} - - name: Install snyk - run: | - npm install snyk -g - snyk -v - snyk auth ${{ env.SNYK_TOKEN }} - - name: Generate SBOM # check SBOM can be generated but nothing is done with it - run: | - snyk sbom --debug --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json 
--json-file-output sbom.json +# snyk_sbom: +# if: > +# ( github.event.action == 'opened' && github.event.pull_request.draft == false ) || +# ( github.event.pull_request.draft == false && github.event.action == 'synchronize' ) || +# ( github.event.action == 'ready_for_review' ) || +# ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) +# permissions: +# id-token: write +# contents: read +# name: "Snyk SBOM" +# runs-on: ubuntu-latest +# steps: +# - uses: RDXWorks-actions/checkout@main +# - uses: RDXWorks-actions/setup-node@main +# with: +# node-version: '14' +# - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main +# with: +# role_name: ${{ secrets.GH_COMMON_SECRETS_READ_ACCESS }} +# app_name: 'babylon-wallet-ios' +# step_name: 'snyk_sbom' +# secret_prefix: 'SNYK' +# secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} +# parse_json: true +# - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main +# with: +# role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }} +# app_name: 'babylon-wallet-ios' +# step_name: 'snyk_sbom' +# secret_prefix: 'WALLET' +# secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET }} +# parse_json: true +# - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main +# with: +# role_name: ${{ secrets.GH_WALLET_SECRET_ACCESS }} +# app_name: 'babylon-wallet-ios' +# step_name: 'unit_test' +# secret_prefix: 'SWIFT_ENGINE_TOOLKIT_SSH_KEY' +# secret_name: ${{ secrets.AWS_SECRET_NAME_WALLET_SWIFT_SSH }} +# parse_json: true +# - uses: RDXWorks-actions/ssh-agent@master +# with: +# ssh-private-key: | +# ${{ env.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} +# - name: Install snyk +# run: | +# npm install snyk -g +# snyk -v +# snyk auth ${{ env.SNYK_TOKEN }} +# - name: Generate SBOM # check SBOM can be generated but nothing is done with it +# run: | +# snyk sbom --debug --all-projects --org=${{ env.SNYK_COREAPPS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json linting: name: "Linting" 
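Review bot: The `snyk_sbom` job is switched off by commenting it out line by line, and nothing in the file records why SBOM generation was dropped or what must happen before it returns. Either delete the job and rely on git history, or put a one-line header above the block such as `# snyk_sbom disabled: <reason>; re-enable tracked in <ISSUE-LINK>`, so the dead configuration does not quietly drift from the live jobs. The same applies to the `#- snyk_sbom` entry under `needs:` in the next hunk. The dependent job, whose name is outside that hunk, no longer waits on the SBOM check, and the commit description should say that CI now verifies less before it runs.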
@@ -210,7 +210,7 @@ jobs: needs: - unit_test - snyk_scan - - snyk_sbom + #- snyk_sbom steps: - uses: RDXWorks-actions/checkout@main - uses: RDXWorks-actions/setup-node@main diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 14e555d1b1..05a4a1dfd8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,33 +1,33 @@ -name: Release - -on: - release: - types: - - "published" - -jobs: - - publish_sbom: - runs-on: ubuntu-latest - steps: - - uses: RDXWorks-actions/checkout@main - - uses: RDXWorks-actions/setup-node@main - with: - node-version: '14' - - uses: RDXWorks-actions/ssh-agent@master - with: - ssh-private-key: | - ${{ secrets.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} - - name: Install snyk - run: | - npm install snyk -g - snyk -v - snyk auth ${{ secrets.SNYK_TOKEN }} - - name: Generate SBOM - run: | - snyk sbom --all-projects --org=${{ secrets.SNYK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json - - name: Upload SBOM - uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a - with: - files: sbom.json - repo-token: ${{ secrets.GITHUB_TOKEN }} +#name: Release +# +#on: +# release: +# types: +# - "published" +# +#jobs: +# +# publish_sbom: +# runs-on: ubuntu-latest +# steps: +# - uses: RDXWorks-actions/checkout@main +# - uses: RDXWorks-actions/setup-node@main +# with: +# node-version: '14' +# - uses: RDXWorks-actions/ssh-agent@master +# with: +# ssh-private-key: | +# ${{ secrets.SWIFT_ENGINE_TOOLKIT_SSH_KEY }} +# - name: Install snyk +# run: | +# npm install snyk -g +# snyk -v +# snyk auth ${{ secrets.SNYK_TOKEN }} +# - name: Generate SBOM +# run: | +# snyk sbom --all-projects --org=${{ secrets.SNYK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json +# - name: Upload SBOM +# uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a +# with: +# files: sbom.json +# repo-token: ${{ secrets.GITHUB_TOKEN }}
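Review bot: Commenting out every line of `.github/workflows/release.yml` leaves a workflow file with no `on:` or `jobs:` key, which GitHub will probably report as an invalid workflow rather than ignore. Deleting the file, or disabling the workflow in the repository's Actions settings, states the intent without that side effect. With `publish_sbom` gone, published releases stop carrying an `sbom.json` asset, so anyone who uses it for dependency tracking loses it without notice; that belongs in the commit message. If the block is restored later, note that it references `checkout`, `setup-node` and `ssh-agent` by branch (`@main`, `@master`) while `upload-release-assets` is pinned to a commit SHA. A job that loads an SSH key and a Snyk token should pin all of them the same way.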