
Merge pull request #535 from radixdlt/do-not-use-faucet-as-example #1316


Workflow file for this run

# CI/CD pipeline: scanning, build and tests, image builds, and deployment triggers.
name: main
# Runs for pushes to, and pull requests targeting, the long-lived branches.
on:
  push:
    branches:
      - main
      - develop
      - release\/*
  pull_request:
    branches:
      - main
      - develop
      - release\/*
# NOTE(review): there is no workflow-level `permissions:` key, so every job
# without its own `permissions:` block runs with the repository's default
# GITHUB_TOKEN permissions. Confirm that default is read-only.
env:
  # .NET SDK version handed to actions/setup-dotnet in the jobs below.
  DOTNET_VERSION: "7.0.x"
jobs:
# Snyk dependency scan, Snyk code scan and an SBOM generation check.
# The amd64 image jobs list this job under `needs`, so they start only after
# it has succeeded.
snyk-scan:
  name: snyk scan
  runs-on: ubuntu-latest
  permissions:
    # Allows the job to request an OIDC token; presumably fetch-secrets uses it
    # to assume the AWS role named below - confirm in that action.
    id-token: write
    pull-requests: read
    contents: read
    # NOTE(review): no step in this job visibly creates a deployment; check
    # whether `deployments: write` can be dropped.
    deployments: write
  steps:
    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
    # NOTE(review): referenced by the mutable `@main` ref while the third-party
    # actions in this file are pinned to commit SHAs. This step handles secrets,
    # so pinning it to a full commit SHA would make the run reproducible.
    # Presumably it exports the secret's fields as SNYK_* environment variables
    # (SNYK_SERVICES_ORG_ID is read further down) - confirm.
    - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
      with:
        role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
        app_name: 'babylon-gateway'
        step_name: 'snyk-scan'
        secret_prefix: 'SNYK'
        secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
        parse_json: true
    - name: Setup .NET SDK
      uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a
      with:
        dotnet-version: ${{ env.DOTNET_VERSION }}
    - name: Install dependencies
      run: dotnet restore
    # Dependency scan: only findings of severity `critical` fail the step.
    - name: Run Snyk to check for deps vulnerabilities
      uses: snyk/actions/dotnet@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
      with:
        args: --all-projects --org=${{ env.SNYK_SERVICES_ORG_ID }} --severity-threshold=critical
    # Static code scan: the threshold is `high`, one level stricter than above.
    - name: Run Snyk to check for code vulnerabilities
      uses: snyk/actions/dotnet@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
      with:
        args: --all-projects --org=${{ env.SNYK_SERVICES_ORG_ID }} --severity-threshold=high
        command: code test
    # sbom.json is written but no later step in this job uploads or publishes it.
    - name: Generate SBOM # check SBOM can be generated but nothing is done with it
      uses: snyk/actions/dotnet@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
      with:
        args: --all-projects --org=${{ env.SNYK_SERVICES_ORG_ID }} --exclude=package.json --format=cyclonedx1.4+json --json-file-output sbom.json
        command: sbom
# Restores, builds (Release) and runs the unit tests.
# NOTE(review): no `permissions:` block here, so the job gets the repository's
# default GITHUB_TOKEN permissions. The visible steps only check out and build,
# so `contents: read` looks sufficient - confirm that restore needs nothing more.
build:
  runs-on: ubuntu-22.04
  steps:
    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
    - name: Setup .NET SDK
      uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a
      with:
        dotnet-version: ${{ env.DOTNET_VERSION }}
    - name: Install dependencies
      run: dotnet restore
    - name: Build
      run: dotnet build --configuration Release --no-restore
    - name: Unit tests
      # Add --verbosity normal to get more noisy logs if required for debugging
      run: dotnet test --no-restore --filter RadixDlt.NetworkGateway.UnitTests
# Computes the three image tags used by the image and deployment jobs, and
# publishes Directory.Build.props as the `build_props` artifact that the image
# jobs restore.
# NOTE(review): no `permissions:` block, so the job runs with the repository's
# default GITHUB_TOKEN permissions.
setup-tags:
  runs-on: ubuntu-22.04
  outputs:
    database-migrations-tag: ${{ steps.setup_tags.outputs.database-migrations-tag }}
    data-aggregator-tag: ${{ steps.setup_tags.outputs.data-aggregator-tag }}
    gateway-api-tag: ${{ steps.setup_tags.outputs.gateway-api-tag }}
  steps:
    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
    # Local action from the checked-out ref, so on pull_request runs its code
    # comes from the PR. How the tags are derived is not visible here; if they
    # include branch names, treat the outputs as untrusted text downstream.
    - name: Setup tags for docker image
      id: setup_tags
      uses: ./.github/actions/set-variables
      with:
        github_event_name: ${{ github.event_name }}
        github_action_name: ${{ github.event.action}}
    # NOTE(review): pinned by tag (`@v3`) while the other marketplace actions in
    # this file are pinned by commit SHA; pin this one the same way.
    - name: Publish Gateway Settings
      uses: actions/upload-artifact@v3
      with:
        path: Directory.Build.props
        name: build_props
        retention-days: 1
# amd64 build of the database-migrations image through the shared docker-build
# reusable workflow. It waits for snyk-scan and requests an image scan.
docker-database-migrations-private:
  name: AMD Migration
  needs:
    - setup-tags
    - snyk-scan
  # NOTE(review): the reusable workflow is taken from the mutable `@main` ref;
  # a full commit SHA would fix exactly what builds and pushes the image.
  uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
  with:
    runs_on: ubuntu-22.04
    image_registry: "docker.io"
    image_organization: "radixdlt"
    image_name: "private-babylon-ng-database-migrations"
    tag: ${{ needs.setup-tags.outputs.database-migrations-tag }}-amd64
    context: "."
    dockerfile: "./apps/DatabaseMigrations/Dockerfile"
    platforms: "linux/amd64"
    restore_artifact: "true"
    artifact_location: "./"
    artifact_name: build_props
    # Presumably disables build provenance attestation for the pushed image;
    # the meaning is defined by docker-build.yml - confirm there.
    provenance: "false"
    scan_image: true
    snyk_target_ref: ${{ github.ref_name }}
# arm64 build of the database-migrations image.
# NOTE(review): unlike the amd64 sibling, this job does not wait for snyk-scan
# and does not set `scan_image`, yet its output is merged into the multi-arch
# tag by join-migrations-images. Confirm that the gap is intended.
docker-database-migrations-private-arm:
  name: ARM Migration
  needs:
    - setup-tags
  # NOTE(review): mutable `@main` ref; consider pinning to a full commit SHA.
  uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
  with:
    # Looks like a self-hosted runner label - confirm. The workflow also runs on
    # pull_request, so the runner should be ephemeral or otherwise isolated
    # between jobs.
    runs_on: babylon-gateway-arm
    image_registry: "docker.io"
    image_organization: "radixdlt"
    image_name: "private-babylon-ng-database-migrations"
    tag: ${{ needs.setup-tags.outputs.database-migrations-tag }}-arm64
    context: "."
    dockerfile: "./apps/DatabaseMigrations/Dockerfile"
    platforms: "linux/arm64"
    restore_artifact: "true"
    artifact_location: "./"
    artifact_name: build_props
    # Presumably disables build provenance attestation - confirm in docker-build.yml.
    provenance: "false"
    disable_qemu: true
# amd64 build of the data-aggregator image through the shared docker-build
# reusable workflow. It waits for snyk-scan and requests an image scan.
docker-data-aggregator-private:
  name: AMD Aggregator
  needs:
    - setup-tags
    - snyk-scan
  # NOTE(review): the reusable workflow is taken from the mutable `@main` ref;
  # a full commit SHA would fix exactly what builds and pushes the image.
  uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
  with:
    runs_on: ubuntu-22.04
    image_registry: "docker.io"
    image_organization: "radixdlt"
    image_name: "private-babylon-ng-data-aggregator"
    tag: ${{ needs.setup-tags.outputs.data-aggregator-tag }}-amd64
    context: "."
    dockerfile: "./apps/DataAggregator/Dockerfile"
    platforms: "linux/amd64"
    restore_artifact: "true"
    artifact_location: "./"
    artifact_name: build_props
    # Presumably disables build provenance attestation for the pushed image;
    # the meaning is defined by docker-build.yml - confirm there.
    provenance: "false"
    scan_image: true
    snyk_target_ref: ${{ github.ref_name }}
# arm64 build of the data-aggregator image.
# NOTE(review): unlike the amd64 sibling, this job does not wait for snyk-scan
# and does not set `scan_image`, yet its output is merged into the multi-arch
# tag by join-aggregator-images. Confirm that the gap is intended.
docker-data-aggregator-private-arm:
  name: ARM Aggregator
  needs:
    - setup-tags
  # NOTE(review): mutable `@main` ref; consider pinning to a full commit SHA.
  uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
  with:
    # Looks like a self-hosted runner label - confirm. The workflow also runs on
    # pull_request, so the runner should be ephemeral or otherwise isolated
    # between jobs.
    runs_on: babylon-gateway-arm
    image_registry: "docker.io"
    image_organization: "radixdlt"
    image_name: "private-babylon-ng-data-aggregator"
    tag: ${{ needs.setup-tags.outputs.data-aggregator-tag }}-arm64
    context: "."
    dockerfile: "./apps/DataAggregator/Dockerfile"
    platforms: "linux/arm64"
    restore_artifact: "true"
    artifact_location: "./"
    artifact_name: build_props
    # Presumably disables build provenance attestation - confirm in docker-build.yml.
    provenance: "false"
    disable_qemu: true
# amd64 build of the gateway-api image through the shared docker-build
# reusable workflow. It waits for snyk-scan and requests an image scan.
docker-gateway-api-private:
  name: AMD Gateway
  needs:
    - setup-tags
    - snyk-scan
  # NOTE(review): the reusable workflow is taken from the mutable `@main` ref;
  # a full commit SHA would fix exactly what builds and pushes the image.
  uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
  with:
    runs_on: ubuntu-22.04
    image_registry: "docker.io"
    image_organization: "radixdlt"
    image_name: "private-babylon-ng-gateway-api"
    tag: ${{ needs.setup-tags.outputs.gateway-api-tag }}-amd64
    context: "."
    dockerfile: "./apps/GatewayApi/Dockerfile"
    platforms: "linux/amd64"
    restore_artifact: "true"
    artifact_location: "./"
    artifact_name: build_props
    # Presumably disables build provenance attestation for the pushed image;
    # the meaning is defined by docker-build.yml - confirm there.
    provenance: "false"
    scan_image: true
    snyk_target_ref: ${{ github.ref_name }}
# arm64 build of the gateway-api image.
# NOTE(review): unlike the amd64 sibling, this job does not wait for snyk-scan
# and does not set `scan_image`, yet its output is merged into the multi-arch
# tag by join-gateway-images. Confirm that the gap is intended.
docker-gateway-api-private-arm:
  name: ARM Gateway
  needs:
    - setup-tags
  # NOTE(review): mutable `@main` ref; consider pinning to a full commit SHA.
  uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
  with:
    # Looks like a self-hosted runner label - confirm. The workflow also runs on
    # pull_request, so the runner should be ephemeral or otherwise isolated
    # between jobs.
    runs_on: babylon-gateway-arm
    image_registry: "docker.io"
    image_organization: "radixdlt"
    image_name: "private-babylon-ng-gateway-api"
    tag: ${{ needs.setup-tags.outputs.gateway-api-tag }}-arm64
    context: "."
    dockerfile: "./apps/GatewayApi/Dockerfile"
    platforms: "linux/arm64"
    restore_artifact: "true"
    artifact_location: "./"
    artifact_name: build_props
    # Presumably disables build provenance attestation - confirm in docker-build.yml.
    provenance: "false"
    disable_qemu: true
# Combines the -amd64 and -arm64 gateway-api tags under the un-suffixed tag
# by calling the shared merge-docker-images reusable workflow.
join-gateway-images:
  name: Gateway
  needs:
    - setup-tags
    - docker-gateway-api-private
    - docker-gateway-api-private-arm
  # NOTE(review): a role secret is handed to a workflow resolved from the
  # mutable `@main` ref; pinning to a full commit SHA fixes which code gets it.
  uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
  with:
    image_name: private-babylon-ng-gateway-api
    image_tag: ${{ needs.setup-tags.outputs.gateway-api-tag }}
    tag_suffix_1: amd64
    tag_suffix_2: arm64
    # A secret's name/path, not its value; presumably read by the called
    # workflow using the role below - confirm.
    aws_dockerhub_secret: github-actions/common/dockerhub-credentials
  secrets:
    role-to-assume: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }}
# Combines the -amd64 and -arm64 data-aggregator tags under the un-suffixed
# tag by calling the shared merge-docker-images reusable workflow.
join-aggregator-images:
  name: Aggregator
  needs:
    - setup-tags
    - docker-data-aggregator-private
    - docker-data-aggregator-private-arm
  # NOTE(review): a role secret is handed to a workflow resolved from the
  # mutable `@main` ref; pinning to a full commit SHA fixes which code gets it.
  uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
  with:
    image_name: private-babylon-ng-data-aggregator
    image_tag: ${{ needs.setup-tags.outputs.data-aggregator-tag }}
    tag_suffix_1: amd64
    tag_suffix_2: arm64
    # A secret's name/path, not its value; presumably read by the called
    # workflow using the role below - confirm.
    aws_dockerhub_secret: github-actions/common/dockerhub-credentials
  secrets:
    role-to-assume: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }}
# Combines the -amd64 and -arm64 database-migrations tags under the
# un-suffixed tag by calling the shared merge-docker-images reusable workflow.
join-migrations-images:
  name: Migration
  needs:
    - setup-tags
    - docker-database-migrations-private
    - docker-database-migrations-private-arm
  # NOTE(review): a role secret is handed to a workflow resolved from the
  # mutable `@main` ref; pinning to a full commit SHA fixes which code gets it.
  uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
  with:
    image_name: private-babylon-ng-database-migrations
    image_tag: ${{ needs.setup-tags.outputs.database-migrations-tag }}
    tag_suffix_1: amd64
    tag_suffix_2: arm64
    # A secret's name/path, not its value; presumably read by the called
    # workflow using the role below - confirm.
    aws_dockerhub_secret: github-actions/common/dockerhub-credentials
  secrets:
    role-to-assume: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }}
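# Sends a repository-dispatch request through the github-worker endpoint so
# that the freshly built images are deployed to the ng-mardunet namespace.
# Runs only when the ref is the develop branch.
# NOTE(review): the payload carries the un-suffixed image tags, which in this
# file are produced by the join-* jobs; this job waits only for the amd64
# builds. Confirm the deployment cannot start before the merged tag exists.
deploy-on-mardunet:
  runs-on: ubuntu-22.04
  needs:
    - docker-gateway-api-private
    - docker-data-aggregator-private
    - docker-database-migrations-private
    - setup-tags
  if: github.ref == 'refs/heads/develop'
  permissions:
    # OIDC token for the secrets fetch; read-only access to the repository.
    id-token: write
    contents: read
  steps:
    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
    # Presumably exports the secret's fields as CF_GITHUB_WORKER_* environment
    # variables (the trigger step reads CF_GITHUB_WORKER_ENCODED_BASIC_AUTH).
    - uses: ./.github/actions/fetch-secrets
      with:
        role_name: ${{ secrets.GH_BABYLON_GATEWAY_SECRETS_READ_ACCESS_ROLE }}
        app_name: "babylon-gateway"
        step_name: "deploy-on-mardunet"
        secret_prefix: "CF_GITHUB_WORKER"
        secret_name: "github-actions/radixdlt/babylon-gateway/cloudflare"
        parse_json: true
    # Loads every non-comment line of ci.env into this step's shell, then
    # persists only FULLNODE_VERSION for the later steps.
    - name: Process ci.env
      run: |
        export $(grep -v '^#' ./deployment/ci.env | xargs)
        echo "FULLNODE_VERSION=$FULLNODE_VERSION" >> $GITHUB_ENV
    - name: Check if ci.env changed
      id: changed-files
      uses: tj-actions/changed-files@db5dd7c176cf59a19ef6561bf1936f059dee4b74
      with:
        files: |
          deployment/ci.env
    # Expression values are handed to the script as environment variables
    # rather than pasted into its text: a quote character in a tag or version
    # can then neither end the shell string nor alter the JSON, and the
    # credential never becomes part of the generated script.
    - name: Trigger deployment event ${{ github.ref }}
      env:
        NAMESPACE: "ng-mardunet"
        EVENT_TYPE: "ng_babylon_mardunet"
        DISPATCH_REPO: ${{ secrets.DISPATCH_REPO }}
        CI_ENV_CHANGED: ${{ steps.changed-files.outputs.any_changed }}
        DATA_AGGREGATOR_TAG: ${{ needs.setup-tags.outputs.data-aggregator-tag }}
        GATEWAY_API_TAG: ${{ needs.setup-tags.outputs.gateway-api-tag }}
        DATABASE_MIGRATIONS_TAG: ${{ needs.setup-tags.outputs.database-migrations-tag }}
      run: |
        # jq does the JSON string escaping; every field stays a string, as before.
        payload=$(jq --null-input --compact-output \
          --arg event_type "$EVENT_TYPE" \
          --arg namespace_postfix "$NAMESPACE" \
          --arg ci_env_changed "$CI_ENV_CHANGED" \
          --arg data_aggregator_image_tag "$DATA_AGGREGATOR_TAG" \
          --arg gateway_api_image_tag "$GATEWAY_API_TAG" \
          --arg database_migrations_image_tag "$DATABASE_MIGRATIONS_TAG" \
          --arg core_docker_tag "$FULLNODE_VERSION" \
          '{
            event_type: $event_type,
            client_payload: {
              namespace_postfix: $namespace_postfix,
              ci_env_changed: $ci_env_changed,
              data_aggregator_image_tag: $data_aggregator_image_tag,
              gateway_api_image_tag: $gateway_api_image_tag,
              database_migrations_image_tag: $database_migrations_image_tag,
              core_docker_tag: $core_docker_tag
            }
          }')
        # CF_GITHUB_WORKER_ENCODED_BASIC_AUTH and FULLNODE_VERSION come from the
        # job environment populated by the earlier steps.
        curl --silent --show-error --fail --location --request POST \
          "https://github-worker.radixdlt.com/repos/radixdlt/${DISPATCH_REPO}/dispatches" \
          --header 'Accept: application/vnd.github.v3+json' \
          --header "Authorization: Basic ${CF_GITHUB_WORKER_ENCODED_BASIC_AUTH}" \
          --header 'Content-Type: application/json' \
          --data-raw "$payload"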
# Starts the Jenkins benchmark job on an ephemeral network for pushes to develop.
# NOTE(review): job_params reads env.GATEWAY_BRANCH and env.POSTGRES_VERSION,
# but no step in this job writes either to $GITHUB_ENV (ephemeral-deploy-and-test
# does). Unless fetch-secrets provides them, both parameters expand to empty
# strings - confirm against the Jenkins job.
ephemeral-deploy-and-benchmark:
  runs-on: ubuntu-22.04
  needs:
    - docker-gateway-api-private
    - docker-data-aggregator-private
    - docker-database-migrations-private
    - setup-tags
  if: github.event_name == 'push' && github.ref == 'refs/heads/develop'
  permissions:
    # OIDC token for the secrets fetch; read-only access to the repository.
    id-token: write
    contents: read
  steps:
    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
    # Presumably exports the secret's fields as JENKINS_* environment variables
    # (JENKINS_URL, JENKINS_USER and JENKINS_TOKEN are read below) - confirm.
    - uses: ./.github/actions/fetch-secrets
      with:
        role_name: ${{ secrets.GH_BABYLON_GATEWAY_SECRETS_READ_ACCESS_ROLE }}
        app_name: "babylon-gateway"
        step_name: "ephemeral-deploy-and-benchmark"
        secret_prefix: "JENKINS"
        secret_name: "github-actions/radixdlt/babylon-gateway/jenkins-api-token"
        parse_json: true
    # Loads every non-comment line of ci.env into this step's shell, then
    # persists only FULLNODE_VERSION for the later steps.
    - name: Process ci.env
      run: |
        export $(grep -v '^#' ./deployment/ci.env | xargs)
        echo "FULLNODE_VERSION=$FULLNODE_VERSION" >> $GITHUB_ENV
    # NOTE(review): this step's output is not referenced anywhere in this job.
    - name: Check if ci.env changed
      id: changed-files
      uses: tj-actions/changed-files@db5dd7c176cf59a19ef6561bf1936f059dee4b74
      with:
        files: |
          deployment/ci.env
    # The JSON below is assembled by expression substitution, with no escaping
    # of the substituted values.
    - name: Deploy and run benchmark on an ephemeral network
      uses: toptal/jenkins-job-trigger-action@649c04c83c099c759aba134bf78138a303ec095f
      with:
        jenkins_url: "${{ env.JENKINS_URL }}"
        jenkins_user: ${{ env.JENKINS_USER }}
        jenkins_token: ${{ env.JENKINS_TOKEN }}
        job_name: "ephemeral-deployments/job/ephemeral-env-gateway-benchmark"
        job_params: |
          {
            "gatewayDockerTag": "${{ needs.setup-tags.outputs.gateway-api-tag }}",
            "gatewayBranch": "${{ env.GATEWAY_BRANCH }}",
            "nodeDockerTag": "${{ env.FULLNODE_VERSION }}",
            "postgresVersion": "${{ env.POSTGRES_VERSION }}"
          }
        job_timeout: "3600"
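# Sends a repository-dispatch request through the github-worker endpoint so
# that a per-pull-request environment (namespace pr-<number>) is deployed with
# the images built for this run. Runs only for pull_request events.
# NOTE(review): the payload carries the un-suffixed image tags, which in this
# file are produced by the join-* jobs; this job waits only for the amd64
# builds. Confirm the deployment cannot start before the merged tag exists.
deploy-pr:
  runs-on: ubuntu-22.04
  needs:
    - docker-gateway-api-private
    - docker-data-aggregator-private
    - docker-database-migrations-private
    - setup-tags
  if: github.event_name == 'pull_request'
  permissions:
    # OIDC token for the secrets fetch; read-only access to the repository.
    id-token: write
    contents: read
  steps:
    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
    # Local action taken from the checked-out ref, i.e. from the pull request.
    # Presumably exports the secret's fields as CF_GITHUB_WORKER_* environment
    # variables (the trigger step reads CF_GITHUB_WORKER_ENCODED_BASIC_AUTH).
    - uses: ./.github/actions/fetch-secrets
      with:
        role_name: ${{ secrets.GH_BABYLON_GATEWAY_SECRETS_READ_ACCESS_ROLE }}
        app_name: "babylon-gateway"
        step_name: "deploy-pr"
        secret_prefix: "CF_GITHUB_WORKER"
        secret_name: "github-actions/radixdlt/babylon-gateway/cloudflare"
        parse_json: true
    # The PR number is read from the event payload file and saved as NAMESPACE.
    - name: setup "namespace_postfix"
      run: |
        pull_number=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")
        echo "NAMESPACE=pr-$pull_number" >> $GITHUB_ENV
    # Expression values are handed to the script as environment variables
    # rather than pasted into its text: on pull_request runs the tags may
    # derive from PR-controlled data, and a quote character in one can then
    # neither end the shell string nor alter the JSON. The credential also
    # stays out of the generated script.
    - name: Trigger pull request deployment event ${{ github.ref }}
      env:
        EVENT_TYPE: "ng_babylon_pr"
        DISPATCH_REPO: ${{ secrets.DISPATCH_REPO }}
        DATA_AGGREGATOR_TAG: ${{ needs.setup-tags.outputs.data-aggregator-tag }}
        GATEWAY_API_TAG: ${{ needs.setup-tags.outputs.gateway-api-tag }}
        DATABASE_MIGRATIONS_TAG: ${{ needs.setup-tags.outputs.database-migrations-tag }}
      run: |
        # jq does the JSON string escaping; every field stays a string, as before.
        payload=$(jq --null-input --compact-output \
          --arg event_type "$EVENT_TYPE" \
          --arg namespace_postfix "$NAMESPACE" \
          --arg data_aggregator_image_tag "$DATA_AGGREGATOR_TAG" \
          --arg gateway_api_image_tag "$GATEWAY_API_TAG" \
          --arg database_migrations_image_tag "$DATABASE_MIGRATIONS_TAG" \
          '{
            event_type: $event_type,
            client_payload: {
              namespace_postfix: $namespace_postfix,
              data_aggregator_image_tag: $data_aggregator_image_tag,
              gateway_api_image_tag: $gateway_api_image_tag,
              database_migrations_image_tag: $database_migrations_image_tag
            }
          }')
        # NAMESPACE and CF_GITHUB_WORKER_ENCODED_BASIC_AUTH come from the job
        # environment populated by the earlier steps.
        curl --silent --show-error --fail --location --request POST \
          "https://github-worker.radixdlt.com/repos/radixdlt/${DISPATCH_REPO}/dispatches" \
          --header 'Accept: application/vnd.github.v3+json' \
          --header "Authorization: Basic ${CF_GITHUB_WORKER_ENCODED_BASIC_AUTH}" \
          --header 'Content-Type: application/json' \
          --data-raw "$payload"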
# Starts the Jenkins deploy-and-test job on an ephemeral network for pull
# requests that target develop.
# NOTE(review): the checkout, the local fetch-secrets action and ci.env all come
# from the pull request's ref, and this job holds `id-token: write` plus the
# Jenkins credentials. Review who can open PRs that reach this job.
ephemeral-deploy-and-test:
  runs-on: ubuntu-22.04
  needs:
    - docker-gateway-api-private
    - docker-data-aggregator-private
    - docker-database-migrations-private
    - setup-tags
  if: github.event_name == 'pull_request' && github.base_ref == 'develop'
  permissions:
    # OIDC token for the secrets fetch; read-only access to the repository.
    id-token: write
    contents: read
  steps:
    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
    # Presumably exports the secret's fields as JENKINS_* environment variables
    # (JENKINS_URL, JENKINS_USER and JENKINS_TOKEN are read below) - confirm.
    - uses: ./.github/actions/fetch-secrets
      with:
        role_name: ${{ secrets.GH_BABYLON_GATEWAY_SECRETS_READ_ACCESS_ROLE }}
        app_name: "babylon-gateway"
        step_name: "ephemeral-deploy-and-test"
        secret_prefix: "JENKINS"
        secret_name: "github-actions/radixdlt/babylon-gateway/jenkins-api-token"
        parse_json: true
    # The head branch name is chosen by the PR author. It is read here as a
    # shell variable, not pasted into the script as an expression.
    - name: Export branch name in github's environment
      run: |
        echo "GATEWAY_BRANCH=$GITHUB_HEAD_REF" >> $GITHUB_ENV
    # Loads every non-comment line of ci.env into this step's shell, then
    # persists FULLNODE_VERSION and POSTGRES_VERSION for the later steps.
    - name: Process ci.env
      run: |
        export $(grep -v '^#' ./deployment/ci.env | xargs)
        echo "FULLNODE_VERSION=$FULLNODE_VERSION" >> $GITHUB_ENV
        echo "POSTGRES_VERSION=$POSTGRES_VERSION" >> $GITHUB_ENV
    # NOTE(review): the JSON below is assembled by expression substitution with
    # no escaping, and gatewayBranch, nodeDockerTag and postgresVersion are
    # PR-controlled here. A double quote in any of them changes the JSON
    # structure; the Jenkins job should validate these parameters, or the JSON
    # should be built with a JSON encoder in an earlier step.
    - name: Deploy and test on an ephemeral network
      uses: toptal/jenkins-job-trigger-action@649c04c83c099c759aba134bf78138a303ec095f
      with:
        jenkins_url: "${{ env.JENKINS_URL }}"
        jenkins_user: ${{ env.JENKINS_USER }}
        jenkins_token: ${{ env.JENKINS_TOKEN }}
        job_name: "ephemeral-deployments/job/ephemeral-gateway-env-deploy-and-test"
        job_params: |
          {
            "gatewayDockerTag": "${{ needs.setup-tags.outputs.gateway-api-tag }}",
            "gatewayBranch": "${{ env.GATEWAY_BRANCH }}",
            "nodeDockerTag": "${{ env.FULLNODE_VERSION }}",
            "postgresVersion": "${{ env.POSTGRES_VERSION }}"
          }
        job_timeout: "3600"
# SonarCloud analysis with unit-test results and OpenCover coverage. It has no
# `needs` or `if`, so it runs on every trigger of this workflow.
sonarcloud:
  runs-on: ubuntu-22.04
  permissions:
    # OIDC token for the secrets fetch; read-only access to the repository.
    id-token: write
    contents: read
  steps:
    - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      with:
        fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
    # Local action from the checked-out ref (the PR's code on pull_request
    # runs). Presumably exports the secret as SONAR_* variables; SONAR_TOKEN is
    # read below.
    - uses: ./.github/actions/fetch-secrets
      with:
        role_name: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }}
        app_name: "babylon-gateway"
        step_name: "sonarcloud"
        secret_prefix: "SONAR"
        # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
        secret_name: "github-actions/common/sonar-token"
        parse_json: true
    # The scanner step builds and tests the checked-out code while
    # GITHUB_TOKEN and SONAR_TOKEN are both in its environment.
    - name: SonarScanner for .NET
      uses: highbyte/sonarscan-dotnet@8410b6452e036aff2fb830831e508e723b8af60d
      with:
        sonarProjectKey: radixdlt_babylon-gateway
        sonarProjectName: babylon-gateway
        sonarOrganization: radixdlt-github
        dotnetTestArguments: --filter RadixDlt.NetworkGateway.UnitTests --logger trx --collect:"XPlat Code Coverage" -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
        sonarBeginArguments: /d:sonar.cs.opencover.reportsPaths="**/TestResults/**/coverage.opencover.xml" -d:sonar.cs.vstest.reportsPaths="**/TestResults/*.trx"
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        SONAR_TOKEN: ${{ env.SONAR_TOKEN }}