Skip to content

Merge pull request #131 from radixdlt/DO-2949-snyk-policy #794

Merge pull request #131 from radixdlt/DO-2949-snyk-policy

Merge pull request #131 from radixdlt/DO-2949-snyk-policy #794

Workflow file for this run

name: CI
on:
release:
types: [ published ]
push:
branches:
- main
tags:
- test-artifacts*
pull_request:
branches:
- main
permissions:
id-token: write
packages: write
contents: write
jobs:
snyk-scan:
runs-on: ubuntu-latest
container:
image: radixdlt/snyk-python:sha-e6b1b80
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- name: Configure AWS credentials to fetch secrets
uses: RDXWorks-actions/configure-aws-credentials@main
with:
role-to-assume: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
aws-region: "eu-west-2"
role-session-name: "baylon-nodecli-${{ github.run_id }}-${{ github.run_attempt }}"
- name: Create .snyk file
run: echo "${{ vars.DOT_SNYK_FILE }}" > .snyk
- name: Fetch AWS secrets
uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main
with:
secret-ids: |
SNYK, ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse-json-secrets: true
- name: Run Snyk to check for deps vulnerabilities
run: |
cd node-runner-cli/
pipenv install --python /usr/local/bin/python
snyk auth "${{ env.SNYK_TOKEN }}"
snyk test --file=Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --severity-threshold=critical
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run Snyk to check for code vulnerabilities
continue-on-error: true
run: snyk code test --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --severity-threshold=high
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Test SBOM generation
run: snyk sbom --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --format=cyclonedx1.4+json > sbom.json
snyk-monitor:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'release' }}
needs:
- build-jammy
- build-focal
- snyk-scan
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-nodecli'
step_name: 'snyk-monitor'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Setup python
uses: RDXWorks-actions/setup-python@main
with:
python-version: 3.10.13
- name: Install pipenv
run: python -m pip install --upgrade pipenv wheel
- name: Install dependencies
run: |
cd ./node-runner-cli
pipenv install
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install Snyk cli
run: |
npm install snyk -g
snyk -v
snyk auth "${{ env.SNYK_TOKEN }}"
- name: Enable Snyk online monitoring - Devops
run: snyk monitor --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_DEVOPS_ORG_ID }}" --target-reference="${{ github.ref_name }}"
- name: Enable Snyk online monitoring - Network
run: snyk monitor --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --target-reference="${{ github.ref_name }}"
upload-sbom:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'release' }}
permissions: write-all
needs:
- build-jammy
- snyk-scan
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-nodecli'
step_name: 'upload-sbom'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Setup python
uses: RDXWorks-actions/setup-python@main
with:
python-version: 3.10.13
- name: Install pipenv
run: python -m pip install --upgrade pipenv wheel
- name: Install dependencies
run: |
cd ./node-runner-cli
pipenv install
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install Snyk cli
run: |
npm install snyk -g
snyk -v
snyk auth "${{ env.SNYK_TOKEN }}"
- name: Generate SBOM
run: snyk sbom --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --format=cyclonedx1.4+json > sbom.json
- name: Upload SBOM
uses: RDXWorks-actions/action-gh-release@master
with:
files: sbom.json
tests:
name: "Unit tests"
runs-on: ubuntu-22.04
permissions:
checks: write
pull-requests: write
steps:
- name: cancel running workflows
uses: RDXWorks-actions/cancel-workflow-action@main
with:
access_token: ${{ github.token }}
- name: Checkout
uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Install build essentials
run: sudo apt-get -y install build-essential
- name: setup python
uses: RDXWorks-actions/setup-python@main
with:
python-version: 3.10.13
- name: Install pipenv
run: |
pip install pipenv==2023.7.23
cd node-runner-cli/
pipenv install
pipenv run pip install pytest pytest-cov
pipenv run pytest tests/unit --doctest-modules --junitxml=junit/test-results.xml --cov=. --cov-report=xml --cov-report=html
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Publish Test Results
uses: RDXWorks-actions/publish-unit-test-result-action@master
if: always()
with:
files: |
/home/runner/work/babylon-nodecli/babylon-nodecli/node-runner-cli/junit/test-results.xml
test-results/**/*.xml
test-results/**/*.trx
test-results/**/*.json
junit/**/*.xml
junit/*.xml
node-runner-cli/junit/**/*.xml
junit/*.xml
**/junit/test-results.xml
- if: ${{ github.event_name == 'pull_request' }}
name: Get Cover
uses: RDXWorks-actions/coverage@main
with:
coverageFile: node-runner-cli/coverage.xml
token: ${{ secrets.GITHUB_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
e2e-tests:
name: "E2E tests"
runs-on: ubuntu-22.04
steps:
- name: cancel running workflows
uses: RDXWorks-actions/cancel-workflow-action@main
with:
access_token: ${{ github.token }}
- name: Checkout
uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: setup python
uses: RDXWorks-actions/setup-python@main
with:
python-version: 3.10.13
- name: Install pipenv
run: |
pip install pipenv==2023.7.23
cd node-runner-cli/
pipenv install
pipenv run pip install pytest
pipenv run pytest tests/e2e
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
build-jammy:
needs:
- tests
- e2e-tests
name: "Build jammy"
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Build the binary for ubuntu jammy
run: |
cd node-runner-cli
make output-ubuntu-jammy
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Upload generated cli file"
uses: RDXWorks-actions/upload-artifact@main
with:
name: ubuntu 22.04
path: "${{ github.workspace }}/node-runner-cli/out/ubuntu/jammy/babylonnode"
build-focal:
needs:
- tests
name: "Build focal"
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Build the binary for ubuntu focal
run: |
cd node-runner-cli
make output-ubuntu-focal
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Upload generated cli file"
uses: RDXWorks-actions/upload-artifact@main
with:
name: ubuntu 20.04
path: "${{ github.workspace }}/node-runner-cli/out/ubuntu/focal/babylonnode"
upload-release-jammy:
runs-on: ubuntu-22.04
if: ${{ github.event_name == 'release' }}
needs:
- build-jammy
- snyk-scan
steps:
- name: Download packaged cli
uses: RDXWorks-actions/download-artifact@main
with:
name: ubuntu 22.04
- name: Rename release asset
run: |
mv ./babylonnode babylonnode-ubuntu-22.04
- if: ${{ github.event_name == 'release' }}
name: Upload radixcli ubuntu binary
uses: RDXWorks-actions/action-gh-release@master
with:
files: |
babylonnode-ubuntu-22.04
upload-release-focal:
runs-on: ubuntu-20.04
if: ${{ github.event_name == 'release' }}
needs:
- build-focal
- snyk-scan
steps:
- name: Download packaged cli
uses: RDXWorks-actions/download-artifact@main
with:
name: ubuntu 20.04
- name: Rename release asset
run: |
mv ./babylonnode babylonnode-ubuntu-20.04
- if: ${{ github.event_name == 'release' }}
name: Upload radixcli ubuntu binary
uses: RDXWorks-actions/action-gh-release@master
with:
files: |
babylonnode-ubuntu-20.04
test-config-command:
runs-on: ubuntu-22.04
needs:
- build-jammy
- snyk-scan
steps:
- name: Checkout
uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Download packaged cli
uses: RDXWorks-actions/download-artifact@main
with:
name: ubuntu 22.04
- name: Get dependencies
run: |
chmod +x ./babylonnode
sudo apt-get update
./babylonnode docker dependencies
- name: core-gateway-all-local
run: |
ls -a
chmod +x ./babylonnode
mkdir -p "$HOME/node-config"
export PROMPT_FEEDS="node-runner-cli/test-prompts/core-gateway-all-local.yml"
./babylonnode docker config -m DETAILED \
-d "$HOME/node-config" \
-k "$KEYSTORE_PASSWORD" -nk -a
env:
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: corenode-01
run: |
ls -a
chmod +x ./babylonnode
export PROMPT_FEEDS="node-runner-cli/test-prompts/corenode-01.yml"
./babylonnode docker config -m DETAILED \
-d "$HOME/node-config" \
-k $KEYSTORE_PASSWORD -nk -a
env:
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: corenode-02
run: |
ls -a
export PROMPT_FEEDS="node-runner-cli/test-prompts/corenode-02.yml"
./babylonnode docker config -m DETAILED \
-d "$HOME/node-config" \
-k "$KEYSTORE_PASSWORD" -nk -a
env:
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: gateway-remote-core-local-postgress
run: |
ls -a
export PROMPT_FEEDS="node-runner-cli/test-prompts/gateway-remote-core-local-postgress.yml"
./babylonnode docker config -m DETAILED \
-d "$HOME/node-config" \
-k "$KEYSTORE_PASSWORD" -nk -a
env:
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
- name: gateway-remote-core-remote-postgress
run: |
ls -a
export PROMPT_FEEDS="node-runner-cli/test-prompts/gateway-remote-core-remote-postgress.yml"
./babylonnode docker config -m DETAILED \
-d "$HOME/node-config" \
-k "$KEYSTORE_PASSWORD" -nk -a
env:
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
test-userflow-docker-core-gateway-same-host:
runs-on: gh-ephemeral-nodecli-docker-runner
needs:
- build-jammy
- snyk-scan
steps:
- name: Checkout
uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Download packaged cli
uses: RDXWorks-actions/download-artifact@main
with:
name: ubuntu 22.04
- name: Get dependencies
run: |
chmod +x ./babylonnode
sudo apt-get update
sudo apt-get install -y postgresql-client jq docker-compose
./babylonnode docker dependencies
- name: "Execute User Flow: Install Core, Gateway and Monitoring on the same host"
run: |
chmod +x ./node-runner-cli/tests/userflows/install-docker-all-same-host.sh
./node-runner-cli/tests/userflows/install-docker-all-same-host.sh
env:
NGINX_ADMIN_PASSWORD: ${{secrets.NGINX_ADMIN_PASSWORD}}
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}}
NGINX_GATEWAY_PASSWORD: ${{secrets.NGINX_GATEWAY_PASSWORD}}
POSTGRES_PASSWORD: ${{secrets.POSTGRES_PASSWORD}}
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
SEED_NODE: ${{ vars.SEED_NODE }}
NETWORK_ID: ${{ vars.NETWORK_ID }}
NETWORK_NAME: ${{ vars.NETWORK_NAME }}
test-userflow-systemd-simple:
runs-on: gh-ephemeral-nodecli-systemd-runner
needs:
- build-jammy
- snyk-scan
steps:
- name: Checkout
uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Download packaged cli
uses: RDXWorks-actions/download-artifact@main
with:
name: ubuntu 22.04
- name: Get dependencies
run: |
sudo apt-get update
sudo apt-get install -y jq
chmod +x ./babylonnode
# Expect dependencies to be installed before. Since the command is interactive
# ./babylonnode systemd dependencies
- name: "Execute User Flow: Install Core, Gateway and Monitoring on the same host"
run: |
export DOCKER_COMPOSE_LOCATION="/usr/local/bin/docker-compose"
chmod +x ./node-runner-cli/tests/userflows/install-systemd-simple.sh
./node-runner-cli/tests/userflows/install-systemd-simple.sh
env:
NGINX_ADMIN_PASSWORD: ${{secrets.NGINX_ADMIN_PASSWORD}}
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}}
NGINX_GATEWAY_PASSWORD: ${{secrets.NGINX_GATEWAY_PASSWORD}}
POSTGRES_PASSWORD: ${{secrets.POSTGRES_PASSWORD}}
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
SEED_NODE: ${{ vars.SEED_NODE }}
NETWORK_ID: ${{ vars.NETWORK_ID }}
NETWORK_NAME: ${{ vars.NETWORK_NAME }}
test-core-only-node:
runs-on: ubuntu-22.04
permissions:
id-token: write
pull-requests: read
contents: read
needs:
- build-jammy
- snyk-scan
steps:
- name: Checkout
uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Download packaged cli
uses: RDXWorks-actions/download-artifact@main
with:
name: ubuntu 22.04
- name: Run configure command
run: |
set -x
pwd
chmod +x ./babylonnode
mv ./babylonnode $HOME/babylonnode && cd $HOME
sudo apt-get update -y
sudo apt-get install containerd runc jq -y
./babylonnode docker dependencies
- name: Setup config
run: |
set -x
pwd && ls -la
CHECKOUT_PATH=$(pwd)
cd $HOME
ls -la work/babylon-nodecli/
mkdir -p "$HOME/babylon-node-config"
export DISABLE_VERSION_CHECK=true
export DOCKER_COMPOSE_LOCATION="/usr/local/bin/docker-compose"
export PROMPT_FEEDS="$CHECKOUT_PATH/node-runner-cli/test-prompts/core-gateway-all-local.yml"
./babylonnode docker config -m DETAILED \
-d "$HOME/babylon-node-config" \
-k "$KEYSTORE_PASSWORD" -nk -a
env:
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run CLI setup
run: |
set -x
export DISABLE_VERSION_CHECK=true
export DOCKER_COMPOSE_LOCATION="/usr/local/bin/docker-compose"
pwd && ls -la
cd $HOME
./babylonnode docker install -f "$HOME/babylon-node-config/config.yaml" -a
sleep 60
./babylonnode auth set-admin-password -m DOCKER -p "$NGINX_ADMIN_PASSWORD"
./babylonnode auth set-metrics-password -m DOCKER -p "$NGINX_METRICS_PASSWORD"
./babylonnode auth set-superadmin-password -m DOCKER -p "$NGINX_SUPERADMIN_PASSWORD"
NGINX_ADMIN_PASSWORD="$NGINX_ADMIN_PASSWORD" ./babylonnode api system health
NGINX_ADMIN_PASSWORD="$NGINX_ADMIN_PASSWORD" ./babylonnode api system version
env:
NGINX_ADMIN_PASSWORD: ${{secrets.NGINX_ADMIN_PASSWORD}}
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}}
NGINX_SUPERADMIN_PASSWORD: ${{secrets.NGINX_SUPERADMIN_PASSWORD}}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run Monitoring setup
run: |
set -x
pwd && ls -la
export DOCKER_COMPOSE_LOCATION="/usr/local/bin/docker-compose"
cd $HOME
./babylonnode monitoring config \
-m MONITOR_CORE \
-cm "$NGINX_METRICS_PASSWORD" \
-gm "$NGINX_METRICS_PASSWORD" \
-am "$NGINX_METRICS_PASSWORD"
ls -la
docker compose ps
./babylonnode monitoring install -a
env:
NGINX_ADMIN_PASSWORD: ${{secrets.NGINX_ADMIN_PASSWORD}}
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}}
NGINX_SUPERADMIN_PASSWORD: ${{secrets.NGINX_SUPERADMIN_PASSWORD}}