Merge pull request #131 from radixdlt/DO-2949-snyk-policy #794
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
release: | |
types: [ published ] | |
push: | |
branches: | |
- main | |
tags: | |
- test-artifacts* | |
pull_request: | |
branches: | |
- main | |
permissions: | |
id-token: write | |
packages: write | |
contents: write | |
jobs: | |
snyk-scan: | |
runs-on: ubuntu-latest | |
container: | |
image: radixdlt/snyk-python:sha-e6b1b80 | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- name: Configure AWS credentials to fetch secrets | |
uses: RDXWorks-actions/configure-aws-credentials@main | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
aws-region: "eu-west-2" | |
role-session-name: "baylon-nodecli-${{ github.run_id }}-${{ github.run_attempt }}" | |
- name: Create .snyk file | |
run: echo "${{ vars.DOT_SNYK_FILE }}" > .snyk | |
- name: Fetch AWS secrets | |
uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main | |
with: | |
secret-ids: | | |
SNYK, ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse-json-secrets: true | |
- name: Run Snyk to check for deps vulnerabilities | |
run: | | |
cd node-runner-cli/ | |
pipenv install --python /usr/local/bin/python | |
snyk auth "${{ env.SNYK_TOKEN }}" | |
snyk test --file=Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --severity-threshold=critical | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run Snyk to check for code vulnerabilities | |
continue-on-error: true | |
run: snyk code test --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --severity-threshold=high | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Test SBOM generation | |
run: snyk sbom --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --format=cyclonedx1.4+json > sbom.json | |
snyk-monitor: | |
runs-on: ubuntu-latest | |
if: ${{ github.event_name == 'release' }} | |
needs: | |
- build-jammy | |
- build-focal | |
- snyk-scan | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
app_name: 'babylon-nodecli' | |
step_name: 'snyk-monitor' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- name: Setup python | |
uses: RDXWorks-actions/setup-python@main | |
with: | |
python-version: 3.10.13 | |
- name: Install pipenv | |
run: python -m pip install --upgrade pipenv wheel | |
- name: Install dependencies | |
run: | | |
cd ./node-runner-cli | |
pipenv install | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install Snyk cli | |
run: | | |
npm install snyk -g | |
snyk -v | |
snyk auth "${{ env.SNYK_TOKEN }}" | |
- name: Enable Snyk online monitoring - Devops | |
run: snyk monitor --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_DEVOPS_ORG_ID }}" --target-reference="${{ github.ref_name }}" | |
- name: Enable Snyk online monitoring - Network | |
run: snyk monitor --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --target-reference="${{ github.ref_name }}" | |
upload-sbom: | |
runs-on: ubuntu-latest | |
if: ${{ github.event_name == 'release' }} | |
permissions: write-all | |
needs: | |
- build-jammy | |
- snyk-scan | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
app_name: 'babylon-nodecli' | |
step_name: 'upload-sbom' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- name: Setup python | |
uses: RDXWorks-actions/setup-python@main | |
with: | |
python-version: 3.10.13 | |
- name: Install pipenv | |
run: python -m pip install --upgrade pipenv wheel | |
- name: Install dependencies | |
run: | | |
cd ./node-runner-cli | |
pipenv install | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install Snyk cli | |
run: | | |
npm install snyk -g | |
snyk -v | |
snyk auth "${{ env.SNYK_TOKEN }}" | |
- name: Generate SBOM | |
run: snyk sbom --file=./node-runner-cli/Pipfile --org="${{ env.SNYK_NETWORK_ORG_ID }}" --format=cyclonedx1.4+json > sbom.json | |
- name: Upload SBOM | |
uses: RDXWorks-actions/action-gh-release@master | |
with: | |
files: sbom.json | |
tests: | |
name: "Unit tests" | |
runs-on: ubuntu-22.04 | |
permissions: | |
checks: write | |
pull-requests: write | |
steps: | |
- name: cancel running workflows | |
uses: RDXWorks-actions/cancel-workflow-action@main | |
with: | |
access_token: ${{ github.token }} | |
- name: Checkout | |
uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: Install build essentials | |
run: sudo apt-get -y install build-essential | |
- name: setup python | |
uses: RDXWorks-actions/setup-python@main | |
with: | |
python-version: 3.10.13 | |
- name: Install pipenv | |
run: | | |
pip install pipenv==2023.7.23 | |
cd node-runner-cli/ | |
pipenv install | |
pipenv run pip install pytest pytest-cov | |
pipenv run pytest tests/unit --doctest-modules --junitxml=junit/test-results.xml --cov=. --cov-report=xml --cov-report=html | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish Test Results | |
uses: RDXWorks-actions/publish-unit-test-result-action@master | |
if: always() | |
with: | |
files: | | |
/home/runner/work/babylon-nodecli/babylon-nodecli/node-runner-cli/junit/test-results.xml | |
test-results/**/*.xml | |
test-results/**/*.trx | |
test-results/**/*.json | |
junit/**/*.xml | |
junit/*.xml | |
node-runner-cli/junit/**/*.xml | |
junit/*.xml | |
**/junit/test-results.xml | |
- if: ${{ github.event_name == 'pull_request' }} | |
name: Get Cover | |
uses: RDXWorks-actions/coverage@main | |
with: | |
coverageFile: node-runner-cli/coverage.xml | |
token: ${{ secrets.GITHUB_TOKEN }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
e2e-tests: | |
name: "E2E tests" | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: cancel running workflows | |
uses: RDXWorks-actions/cancel-workflow-action@main | |
with: | |
access_token: ${{ github.token }} | |
- name: Checkout | |
uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: setup python | |
uses: RDXWorks-actions/setup-python@main | |
with: | |
python-version: 3.10.13 | |
- name: Install pipenv | |
run: | | |
pip install pipenv==2023.7.23 | |
cd node-runner-cli/ | |
pipenv install | |
pipenv run pip install pytest | |
pipenv run pytest tests/e2e | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
build-jammy: | |
needs: | |
- tests | |
- e2e-tests | |
name: "Build jammy" | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: Build the binary for ubuntu jammy | |
run: | | |
cd node-runner-cli | |
make output-ubuntu-jammy | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: "Upload generated cli file" | |
uses: RDXWorks-actions/upload-artifact@main | |
with: | |
name: ubuntu 22.04 | |
path: "${{ github.workspace }}/node-runner-cli/out/ubuntu/jammy/babylonnode" | |
build-focal: | |
needs: | |
- tests | |
name: "Build focal" | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: Build the binary for ubuntu focal | |
run: | | |
cd node-runner-cli | |
make output-ubuntu-focal | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: "Upload generated cli file" | |
uses: RDXWorks-actions/upload-artifact@main | |
with: | |
name: ubuntu 20.04 | |
path: "${{ github.workspace }}/node-runner-cli/out/ubuntu/focal/babylonnode" | |
upload-release-jammy: | |
runs-on: ubuntu-22.04 | |
if: ${{ github.event_name == 'release' }} | |
needs: | |
- build-jammy | |
- snyk-scan | |
steps: | |
- name: Download packaged cli | |
uses: RDXWorks-actions/download-artifact@main | |
with: | |
name: ubuntu 22.04 | |
- name: Rename release asset | |
run: | | |
mv ./babylonnode babylonnode-ubuntu-22.04 | |
- if: ${{ github.event_name == 'release' }} | |
name: Upload radixcli ubuntu binary | |
uses: RDXWorks-actions/action-gh-release@master | |
with: | |
files: | | |
babylonnode-ubuntu-22.04 | |
upload-release-focal: | |
runs-on: ubuntu-20.04 | |
if: ${{ github.event_name == 'release' }} | |
needs: | |
- build-focal | |
- snyk-scan | |
steps: | |
- name: Download packaged cli | |
uses: RDXWorks-actions/download-artifact@main | |
with: | |
name: ubuntu 20.04 | |
- name: Rename release asset | |
run: | | |
mv ./babylonnode babylonnode-ubuntu-20.04 | |
- if: ${{ github.event_name == 'release' }} | |
name: Upload radixcli ubuntu binary | |
uses: RDXWorks-actions/action-gh-release@master | |
with: | |
files: | | |
babylonnode-ubuntu-20.04 | |
test-config-command: | |
runs-on: ubuntu-22.04 | |
needs: | |
- build-jammy | |
- snyk-scan | |
steps: | |
- name: Checkout | |
uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: Download packaged cli | |
uses: RDXWorks-actions/download-artifact@main | |
with: | |
name: ubuntu 22.04 | |
- name: Get dependencies | |
run: | | |
chmod +x ./babylonnode | |
sudo apt-get update | |
./babylonnode docker dependencies | |
- name: core-gateway-all-local | |
run: | | |
ls -a | |
chmod +x ./babylonnode | |
mkdir -p "$HOME/node-config" | |
export PROMPT_FEEDS="node-runner-cli/test-prompts/core-gateway-all-local.yml" | |
./babylonnode docker config -m DETAILED \ | |
-d "$HOME/node-config" \ | |
-k "$KEYSTORE_PASSWORD" -nk -a | |
env: | |
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: corenode-01 | |
run: | | |
ls -a | |
chmod +x ./babylonnode | |
export PROMPT_FEEDS="node-runner-cli/test-prompts/corenode-01.yml" | |
./babylonnode docker config -m DETAILED \ | |
-d "$HOME/node-config" \ | |
-k $KEYSTORE_PASSWORD -nk -a | |
env: | |
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: corenode-02 | |
run: | | |
ls -a | |
export PROMPT_FEEDS="node-runner-cli/test-prompts/corenode-02.yml" | |
./babylonnode docker config -m DETAILED \ | |
-d "$HOME/node-config" \ | |
-k "$KEYSTORE_PASSWORD" -nk -a | |
env: | |
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: gateway-remote-core-local-postgress | |
run: | | |
ls -a | |
export PROMPT_FEEDS="node-runner-cli/test-prompts/gateway-remote-core-local-postgress.yml" | |
./babylonnode docker config -m DETAILED \ | |
-d "$HOME/node-config" \ | |
-k "$KEYSTORE_PASSWORD" -nk -a | |
env: | |
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}} | |
- name: gateway-remote-core-remote-postgress | |
run: | | |
ls -a | |
export PROMPT_FEEDS="node-runner-cli/test-prompts/gateway-remote-core-remote-postgress.yml" | |
./babylonnode docker config -m DETAILED \ | |
-d "$HOME/node-config" \ | |
-k "$KEYSTORE_PASSWORD" -nk -a | |
env: | |
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}} | |
test-userflow-docker-core-gateway-same-host: | |
runs-on: gh-ephemeral-nodecli-docker-runner | |
needs: | |
- build-jammy | |
- snyk-scan | |
steps: | |
- name: Checkout | |
uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: Download packaged cli | |
uses: RDXWorks-actions/download-artifact@main | |
with: | |
name: ubuntu 22.04 | |
- name: Get dependencies | |
run: | | |
chmod +x ./babylonnode | |
sudo apt-get update | |
sudo apt-get install -y postgresql-client jq docker-compose | |
./babylonnode docker dependencies | |
- name: "Execute User Flow: Install Core, Gateway and Monitoring on the same host" | |
run: | | |
chmod +x ./node-runner-cli/tests/userflows/install-docker-all-same-host.sh | |
./node-runner-cli/tests/userflows/install-docker-all-same-host.sh | |
env: | |
NGINX_ADMIN_PASSWORD: ${{secrets.NGINX_ADMIN_PASSWORD}} | |
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}} | |
NGINX_GATEWAY_PASSWORD: ${{secrets.NGINX_GATEWAY_PASSWORD}} | |
POSTGRES_PASSWORD: ${{secrets.POSTGRES_PASSWORD}} | |
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}} | |
SEED_NODE: ${{ vars.SEED_NODE }} | |
NETWORK_ID: ${{ vars.NETWORK_ID }} | |
NETWORK_NAME: ${{ vars.NETWORK_NAME }} | |
test-userflow-systemd-simple: | |
runs-on: gh-ephemeral-nodecli-systemd-runner | |
needs: | |
- build-jammy | |
- snyk-scan | |
steps: | |
- name: Checkout | |
uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: Download packaged cli | |
uses: RDXWorks-actions/download-artifact@main | |
with: | |
name: ubuntu 22.04 | |
- name: Get dependencies | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y jq | |
chmod +x ./babylonnode | |
# Expect dependencies to be installed before. Since the command is interactive | |
# ./babylonnode systemd dependencies | |
- name: "Execute User Flow: Install Core, Gateway and Monitoring on the same host" | |
run: | | |
export DOCKER_COMPOSE_LOCATION="/usr/local/bin/docker-compose" | |
chmod +x ./node-runner-cli/tests/userflows/install-systemd-simple.sh | |
./node-runner-cli/tests/userflows/install-systemd-simple.sh | |
env: | |
NGINX_ADMIN_PASSWORD: ${{secrets.NGINX_ADMIN_PASSWORD}} | |
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}} | |
NGINX_GATEWAY_PASSWORD: ${{secrets.NGINX_GATEWAY_PASSWORD}} | |
POSTGRES_PASSWORD: ${{secrets.POSTGRES_PASSWORD}} | |
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}} | |
SEED_NODE: ${{ vars.SEED_NODE }} | |
NETWORK_ID: ${{ vars.NETWORK_ID }} | |
NETWORK_NAME: ${{ vars.NETWORK_NAME }} | |
test-core-only-node: | |
runs-on: ubuntu-22.04 | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
needs: | |
- build-jammy | |
- snyk-scan | |
steps: | |
- name: Checkout | |
uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: Download packaged cli | |
uses: RDXWorks-actions/download-artifact@main | |
with: | |
name: ubuntu 22.04 | |
- name: Run configure command | |
run: | | |
set -x | |
pwd | |
chmod +x ./babylonnode | |
mv ./babylonnode $HOME/babylonnode && cd $HOME | |
sudo apt-get update -y | |
sudo apt-get install containerd runc jq -y | |
./babylonnode docker dependencies | |
- name: Setup config | |
run: | | |
set -x | |
pwd && ls -la | |
CHECKOUT_PATH=$(pwd) | |
cd $HOME | |
ls -la work/babylon-nodecli/ | |
mkdir -p "$HOME/babylon-node-config" | |
export DISABLE_VERSION_CHECK=true | |
export DOCKER_COMPOSE_LOCATION="/usr/local/bin/docker-compose" | |
export PROMPT_FEEDS="$CHECKOUT_PATH/node-runner-cli/test-prompts/core-gateway-all-local.yml" | |
./babylonnode docker config -m DETAILED \ | |
-d "$HOME/babylon-node-config" \ | |
-k "$KEYSTORE_PASSWORD" -nk -a | |
env: | |
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run CLI setup | |
run: | | |
set -x | |
export DISABLE_VERSION_CHECK=true | |
export DOCKER_COMPOSE_LOCATION="/usr/local/bin/docker-compose" | |
pwd && ls -la | |
cd $HOME | |
./babylonnode docker install -f "$HOME/babylon-node-config/config.yaml" -a | |
sleep 60 | |
./babylonnode auth set-admin-password -m DOCKER -p "$NGINX_ADMIN_PASSWORD" | |
./babylonnode auth set-metrics-password -m DOCKER -p "$NGINX_METRICS_PASSWORD" | |
./babylonnode auth set-superadmin-password -m DOCKER -p "$NGINX_SUPERADMIN_PASSWORD" | |
NGINX_ADMIN_PASSWORD="$NGINX_ADMIN_PASSWORD" ./babylonnode api system health | |
NGINX_ADMIN_PASSWORD="$NGINX_ADMIN_PASSWORD" ./babylonnode api system version | |
env: | |
NGINX_ADMIN_PASSWORD: ${{secrets.NGINX_ADMIN_PASSWORD}} | |
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}} | |
NGINX_SUPERADMIN_PASSWORD: ${{secrets.NGINX_SUPERADMIN_PASSWORD}} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run Monitoring setup | |
run: | | |
set -x | |
pwd && ls -la | |
export DOCKER_COMPOSE_LOCATION="/usr/local/bin/docker-compose" | |
cd $HOME | |
./babylonnode monitoring config \ | |
-m MONITOR_CORE \ | |
-cm "$NGINX_METRICS_PASSWORD" \ | |
-gm "$NGINX_METRICS_PASSWORD" \ | |
-am "$NGINX_METRICS_PASSWORD" | |
ls -la | |
docker compose ps | |
./babylonnode monitoring install -a | |
env: | |
NGINX_ADMIN_PASSWORD: ${{secrets.NGINX_ADMIN_PASSWORD}} | |
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}} | |
NGINX_SUPERADMIN_PASSWORD: ${{secrets.NGINX_SUPERADMIN_PASSWORD}} |