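---
# CI for babylon-node: dependency/licence/code scanning (Phylum, Snyk), unit and
# integration tests, Rust coverage, Sonar analysis, an SBOM smoke test, a local
# Docker build check, the Mesh API suite and a Windows cross-compile.
#
# Review notes (apply across the file):
#  - Every third-party action / reusable workflow is referenced by a mutable ref
#    (`@main`, `@master`, a branch-like `@cargo-llvm-cov`). Even if the
#    RDXWorks-actions org is a mirror the project controls, a push to that
#    branch silently changes what runs here; pin to full-length commit SHAs.
#  - Several jobs run on self-hosted runners and are triggered by `pull_request`
#    from any branch, so PR code (the PR's own Gradle wrapper and build scripts)
#    executes on those machines. That is only acceptable if the runners are
#    ephemeral and isolated — confirm.
name: Unit, integration tests and sonar

# One run per workflow+ref; a newer push cancels the run still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# yamllint disable-line rule:truthy
on:
  pull_request:
    # Runs on all PRs
  push:
    branches:
      - develop
      - main
      - release\/*

# Default the GITHUB_TOKEN to read-only for every job. Jobs that need more
# (OIDC id-token, PR comments) widen it explicitly in their own `permissions:`
# block; jobs without one (integration tests, Docker build, cross-compile)
# only check out, cache and upload artifacts, which read-only covers.
# NOTE(review): ./.github/actions/setup-env is not visible here — confirm it
# does not need a writable token.
permissions:
  contents: read

jobs:
  # Phylum supply-chain analysis, PR-only (the reusable workflow posts the
  # report as a PR comment). Repository secrets are not passed to
  # `pull_request` runs from forks, so fork PRs presumably fail or skip this —
  # confirm the expected behaviour.
  phylum-analyze:
    if: ${{ github.event.pull_request }}
    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
    permissions:
      id-token: write
      pull-requests: write
      contents: read
      # NOTE(review): no visible step needs deployments; confirm the reusable
      # workflow does, otherwise drop it.
      deployments: write
    secrets:
      phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
    with:
      phylum_pr_number: ${{ github.event.number }}
      # head_ref is chosen by the PR author. It is safe as a typed input, but
      # the called workflow must not splice it unquoted into a `run:` line.
      phylum_pr_name: ${{ github.head_ref }}
      phylum_group_name: Protocol
      phylum_project_id: 3f5b2c53-46bd-4f68-b050-5898f929002f
      github_repository: ${{ github.repository }}
      add_report_comment_to_pull_request: true

  # Snyk dependency and licence scan. Only critical findings fail the job;
  # high/medium are reported but never block.
  snyk-scan-deps-licences:
    name: Snyk deps/licences scan
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # OIDC, for the AWS role assumed by fetch-secrets
      pull-requests: read
      contents: read
      deployments: write  # NOTE(review): not used by any visible step — confirm
    steps:
      - uses: RDXWorks-actions/checkout@main
      # Presumably exports the secret's JSON keys as SNYK_* env vars
      # (SNYK_NETWORK_ORG_ID is read below) — confirm against the action.
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'babylon-node'
          step_name: 'snyk-scan-deps-licenses'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for deps vulnerabilities
        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
        with:
          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical

  # Snyk static code scan. `continue-on-error: true` makes this advisory only:
  # findings at or above `high` are reported but the workflow stays green.
  # Drop continue-on-error if this is meant to gate merges.
  snyk-scan-code:
    name: Snyk code scan
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write  # NOTE(review): not used by any visible step — confirm
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'babylon-node'
          step_name: 'snyk-scan-code'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Run Snyk to check for code vulnerabilities
        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
        continue-on-error: true
        with:
          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high
          command: code test

  # SBOM generation smoke test. The CycloneDX output is not uploaded or
  # published anywhere; the `> sbom.json` redirect only takes effect if the
  # action passes args through a shell — confirm, and consider uploading the
  # file as an artifact so releases have a traceable SBOM.
  snyk-sbom:
    name: Snyk SBOM
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
      contents: read
      deployments: write  # NOTE(review): not used by any visible step — confirm
    steps:
      - uses: RDXWorks-actions/checkout@main
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
          app_name: 'babylon-node'
          step_name: 'snyk-sbom'
          secret_prefix: 'SNYK'
          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
          parse_json: true
      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
        with:
          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
          command: sbom

  # Unit tests (Gradle + JaCoCo), Rust coverage to codecov, distZip artifact and
  # Sonar analysis. Runs on a self-hosted runner — see the header note.
  build:
    name: Unit tests and sonarqube
    runs-on: selfhosted-ubuntu-22.04-16-cores
    permissions:
      id-token: write  # OIDC, for the AWS roles assumed by the fetch-secrets steps
      contents: read
    steps:
      - uses: RDXWorks-actions/checkout@main
        with:
          # Shallow clones should be disabled for a better relevancy of analysis
          fetch-depth: 0
      - name: Setup environment
        uses: ./.github/actions/setup-env
      - name: Cache SonarCloud packages
        uses: RDXWorks-actions/cache@main
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Gradle packages
        uses: RDXWorks-actions/cache@main
        with:
          path: ~/.gradle/caches
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
          restore-keys: ${{ runner.os }}-gradle
      - name: Unit tests
        # Theoretically, the lack of `--info` in the Gradle command below should completely suppress
        # any (application's) output from the tests. However, our current Rust logging infra writes
        # to STDOUT directly (i.e. bypasses the Gradle's hijacked output) and spams the unit test
        # results - luckily, it respects the ENV var, and we can set it high enough.
        env:
          RADIXDLT_LOG_LEVEL: error
        run: ./gradlew clean check jacocoTestReport --stacktrace --refresh-dependencies
      - name: Install cargo-llvm-cov
        uses: RDXWorks-actions/install-action@cargo-llvm-cov
      # Codecov upload token, fetched via OIDC. On fork PRs the `secrets.*`
      # inputs are empty, so this step presumably fails there — confirm whether
      # the job should be gated on the event type.
      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
        with:
          role_name: ${{ secrets.COMMON_SECRETS_ROLE_ARN }}
          app_name: "babylon-node"
          step_name: "codecoverage"
          secret_prefix: "CODECOV"
          secret_name: ${{ secrets.AWS_SECRET_NAME_CODECOV }}
          parse_json: true
      - name: Generate Code Coverage
        run: cd core-rust && cargo llvm-cov --lcov --output-path lcov.info && cd ..
      - name: Upload to codecov.io
        uses: RDXWorks-actions/codecov-action@main
        with:
          fail_ci_if_error: true
          file: ./core-rust/lcov.info
          name: codecov-rust
          flags: rust
      - name: DistZip
        run: ./gradlew distZip
      - name: Publish Java distZip
        uses: RDXWorks-actions/upload-artifact@main
        with:
          path: ./core/build/distributions/core-*.zip
          name: distZip
          retention-days: 7
      # NOTE(review): this uses the repo-local fetch-secrets action while the
      # Snyk/Codecov steps use the remote one from public-iac-resuable-artifacts;
      # presumably the local one wraps the remote — confirm and use one or the other.
      - uses: ./.github/actions/fetch-secrets
        with:
          role_name: "${{ secrets.COMMON_SECRETS_ROLE_ARN }}"
          app_name: "babylon-node"
          step_name: "build"
          secret_prefix: "SONAR"
          # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
          secret_name: "github-actions/common/sonar-token"
          parse_json: true
      - name: Sonar analysis
        env:
          # Needed to get some information about the pull request, if any
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew sonarqube

  # Checks that the core-rust Docker build used for local development still works.
  local-dev-sm-docker-build:
    name: Test core-rust docker build for local development
    runs-on: ubuntu-latest
    steps:
      - uses: RDXWorks-actions/checkout@main
        with:
          # Shallow clones should be disabled for a better relevancy of analysis
          fetch-depth: 0
      - name: Setup environment
        uses: ./.github/actions/setup-env
      - name: Cache Gradle packages
        uses: RDXWorks-actions/cache@main
        with:
          path: ~/.gradle/caches
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
          restore-keys: ${{ runner.os }}-gradle
      - name: Run local core-rust docker build
        run: ./gradlew :core-rust:buildRustForDocker

  # Steady-state integration tests on a self-hosted runner — see the header note.
  steadystate-integration:
    name: Steady state integration tests
    runs-on: selfhosted-ubuntu-22.04-16-cores
    steps:
      - uses: RDXWorks-actions/checkout@main
        with:
          # Shallow clones should be disabled for a better relevancy of analysis
          fetch-depth: 0
      - name: Setup environment
        uses: ./.github/actions/setup-env
      - name: Cache Gradle packages
        uses: RDXWorks-actions/cache@main
        with:
          path: ~/.gradle/caches
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
          restore-keys: ${{ runner.os }}-gradle
      - name: Run steady-state integration tests
        env:
          # Might be set to warn for debugging purposes. Warning, log file will be huge.
          RADIXDLT_LOG_LEVEL: error
        run: ./gradlew clean runSteadyStateIntegrationTests --info --refresh-dependencies

  # Targeted integration tests on a self-hosted runner — see the header note.
  targeted-integration:
    name: Targeted integration tests
    runs-on: selfhosted-ubuntu-22.04-16-cores
    steps:
      - uses: RDXWorks-actions/checkout@main
        with:
          # Shallow clones should be disabled for a better relevancy of analysis
          fetch-depth: 0
      - name: Setup environment
        uses: ./.github/actions/setup-env
      - name: Cache Gradle packages
        uses: RDXWorks-actions/cache@main
        with:
          path: ~/.gradle/caches
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
          restore-keys: ${{ runner.os }}-gradle
      - name: Run targeted integration tests
        env:
          # Might be set to warn for debugging purposes. Warning, log file will be huge.
          RADIXDLT_LOG_LEVEL: error
        run: ./gradlew clean runTargetedIntegrationTests --info --refresh-dependencies --parallel

  # Boots a node in the background and runs the Coinbase mesh-cli data checks
  # against it. Self-hosted runner — see the header note.
  mesh-api-test-suite:
    name: Run Mesh API tests
    runs-on: selfhosted-ubuntu-22.04-16-cores
    steps:
      - uses: RDXWorks-actions/checkout@main
        with:
          # Shallow clones should be disabled for a better relevancy of analysis
          fetch-depth: 0
      - name: Setup environment
        uses: ./.github/actions/setup-env
      - name: Cache Gradle packages
        uses: RDXWorks-actions/cache@main
        with:
          path: ~/.gradle/caches
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
          restore-keys: ${{ runner.os }}-gradle
      - name: Install mesh-cli
        # NOTE(review): this executes an unpinned install script fetched from the
        # upstream `master` branch on a self-hosted runner; prefer a tagged
        # release plus checksum verification.
        # `shell: bash` runs the step with `pipefail`, so a failed download fails
        # the step here instead of `sh` exiting 0 on empty input and the failure
        # only surfacing when ./bin/rosetta-cli is missing later on.
        shell: bash
        run: curl -sSfL https://raw.githubusercontent.com/coinbase/mesh-cli/master/scripts/install.sh | sh -s
      - name: Build Node
        run: ./gradlew build
      - name: Run Node in the background
        env:
          # This is to skip keygen step. The key is fixed and public, i.e. a
          # throwaway CI identity only — it must never be used on a real network.
          RADIXDLT_NODE_KEY: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAY=
        run: ./gradlew :core:run --info &
      # Fixed delay rather than a readiness probe; if the node is slow to come up
      # the checks below fail spuriously.
      - name: Wait for 2 minutes
        run: sleep 2m
      - name: Run mesh-cli tests (TODO:MESH add other checks)
        run: ./bin/rosetta-cli check:data --configuration-file core-rust/mesh-api-server/mesh-cli-configs/default.json

  # Cross-compiles core-rust for Windows and publishes the DLL as an artifact.
  cross-xwin:
    name: Cross compile to Windows
    runs-on: ubuntu-latest
    steps:
      - uses: RDXWorks-actions/checkout@main
        with:
          fetch-depth: 1
      - name: Setup environment
        uses: ./.github/actions/setup-env
        with:
          cross-compile-to-windows: "true"
      - name: cross compile to windows
        run: pushd core-rust; cargo xwin build --release --target x86_64-pc-windows-msvc
      - name: Publish corerust.dll
        uses: RDXWorks-actions/upload-artifact@main
        with:
          path: core-rust/target/x86_64-pc-windows-msvc/release/corerust.dll
          name: corerust.dll
          retention-days: 7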