
chore: create dependabot.yml for github actions updates [DO-1997] (#51) #136


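---
# CI workflow: Snyk dependency/code scans, SBOM generation, Xcode unit tests,
# and (on pushes to main only) Snyk online monitoring.
name: "CI"

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it as a key.
on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
      - develop
  push:
    branches:
      - main
      - develop
  release:
    types: [published]

jobs:
  snyk_scan:
    name: "Snyk scan"
    runs-on: ubuntu-latest
    # id-token: write is required for the OIDC exchange done by fetch-secrets;
    # contents: read is required by checkout.
    # NOTE(review): nothing in this job visibly uses pull-requests or
    # deployments — confirm fetch-secrets needs them, otherwise drop them
    # (least privilege).
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      # NOTE(review): setup-node@v2 is a mutable tag (checkout above is
      # SHA-pinned) and is a deprecated major; pin to a commit SHA and
      # confirm Node 14 is still the required toolchain.
      - uses: actions/setup-node@v2
        with:
          node-version: '14'
      # NOTE(review): `@main` is a moving ref for an action that is handed an
      # AWS role name and reads secrets — pin to a commit SHA.
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'swift-engine-toolkit'
          step_name: 'snyk-scan'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      # Values in the `env` context are also real environment variables for
      # the step, so the scripts read them via the shell instead of
      # interpolating `${{ }}` into the script text (the form GitHub
      # recommends against, because template expansion happens before the
      # shell parses the script).
      - name: Install snyk
        run: |
          npm install snyk -g
          snyk -v
          snyk auth "$SNYK_TOKEN"
      - name: Snyk deps and licences scan
        run: |
          snyk test --all-projects --org="$SNYK_PROJECTS_ORG_ID" --severity-threshold=high
      - name: Snyk code scan
        run: |
          snyk code test --all-projects --org="$SNYK_PROJECTS_ORG_ID" --severity-threshold=high

  snyk_sbom:
    name: "Snyk SBOM"
    runs-on: ubuntu-latest
    # Same permission set as snyk_scan; see the note there about
    # pull-requests/deployments.
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    needs:
      - snyk_scan
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      # NOTE(review): mutable tag, deprecated major — pin to a commit SHA.
      - uses: actions/setup-node@v2
        with:
          node-version: '14'
      # NOTE(review): `@main` is a moving ref — pin to a commit SHA.
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'swift-engine-toolkit'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      # Token read from the environment, not interpolated into the script.
      - name: Install snyk
        run: |
          npm install snyk -g
          snyk -v
          snyk auth "$SNYK_TOKEN"
      # The SBOM is written to sbom.json; it is only published by the next
      # step, and only on release events.
      - name: Generate SBOM
        run: |
          snyk sbom --all-projects --org="$SNYK_PROJECTS_ORG_ID" --format=cyclonedx1.4+json --json-file-output sbom.json
      # NOTE(review): uploading a release asset writes to the repository's
      # releases, which normally needs `contents: write`; with `contents: read`
      # above this step is expected to be rejected on release events — confirm
      # against a real release run before relying on it.
      - name: Upload SBOM
        if: github.event_name == 'release'
        uses: AButler/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a # v2.0.2
        with:
          files: sbom.json
          repo-token: ${{ secrets.GITHUB_TOKEN }}

  unit_tests:
    name: "Unit tests"
    runs-on: macos-12
    # No step in this job uses GITHUB_TOKEN beyond checkout, so the token is
    # restricted to read-only instead of inheriting the repository default.
    permissions:
      contents: read
    needs:
      - snyk_scan
    strategy:
      matrix:
        platform:
          - macOS
          - iOS
    steps:
      # NOTE(review): version tags below are mutable (the Snyk jobs pin
      # checkout by SHA) — pin these to commit SHAs for consistency.
      - uses: actions/checkout@v3.1.0
      # One deploy key per private dependency; the action accepts several
      # keys in a single block scalar.
      - uses: webfactory/ssh-agent@v0.6.0
        with:
          ssh-private-key: |
            ${{ secrets.BITE_UNIT_TESTS_SSH_KEY }}
            ${{ secrets.SLIP_10_UNIT_TESTS_SSH_KEY }}
            ${{ secrets.MNEMONIC_UNIT_TESTS_SSH_KEY }}
      - name: Run unit tests
        uses: mxcl/xcodebuild@v1
        with:
          xcode: ^14.2
          action: test
          platform: ${{ matrix.platform }}

  snyk_monitor:
    name: "Snyk monitoring"
    runs-on: ubuntu-latest
    # Only pushes to main are registered with Snyk monitoring.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - unit_tests
    # Same permission set as snyk_scan; see the note there about
    # pull-requests/deployments.
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write
    steps:
      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      # NOTE(review): mutable tag, deprecated major — pin to a commit SHA.
      - uses: actions/setup-node@v2
        with:
          node-version: '14'
      # NOTE(review): `@main` is a moving ref — pin to a commit SHA.
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'swift-engine-toolkit'
          # NOTE(review): this is the SBOM job's step_name, presumably
          # copied over — confirm whether fetch-secrets keys anything on it
          # and whether 'snyk-monitor' was intended.
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      # Token read from the environment, not interpolated into the script.
      - name: Install snyk
        run: |
          npm install snyk -g
          snyk -v
          snyk auth "$SNYK_TOKEN"
      - name: Enable Snyk online monitoring to check for vulnerabilities
        env:
          # Passed through the environment rather than expanded into the
          # script text; the job's `if` above already restricts this to main.
          TARGET_REF: ${{ github.ref_name }}
        run: |
          snyk monitor --all-projects --org="$SNYK_PROJECTS_ORG_ID" --target-reference="$TARGET_REF"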