From 7444309a1ca5e7f0b1f8b89cdf24e1da716e809d Mon Sep 17 00:00:00 2001
From: Albert Perez Toro
Date: Mon, 29 Jul 2024 16:14:52 +0200
Subject: [PATCH] ci: Phylum integration
---
 .github/workflows/ci.yml | 18 ++++++
 .github/workflows/phylum-daily-analysis.yaml | 65 ++++++++++++++++++++
 .phylum_project | 7 +++
 3 files changed, 90 insertions(+)
 create mode 100644 .github/workflows/phylum-daily-analysis.yaml
 create mode 100644 .phylum_project
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 31f798e3afa..a7ab209aa0e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,6 +19,24 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+
+  phylum-analyze:
+    if: ${{ github.event.pull_request }}
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
+    permissions:
+      id-token: write
+      pull-requests: write
+      contents: read
+      deployments: write
+    secrets:
+      phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
+    with:
+      phylum_pr_number: ${{ github.event.number }}
+      phylum_pr_name: ${{ github.head_ref }}
+      phylum_group_name: Protocol
+      phylum_project_id: 851c8804-e9f6-423c-be8e-c529d22f4abd
+      github_repository: ${{ github.repository }}
+      add_report_comment_to_pull_request: true
   check-code-format:
     name: Check code format
     runs-on: ubuntu-latest
diff --git a/.github/workflows/phylum-daily-analysis.yaml b/.github/workflows/phylum-daily-analysis.yaml
new file mode 100644
index 00000000000..e98cd6664d3
--- /dev/null
+++ b/.github/workflows/phylum-daily-analysis.yaml
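Review bot: The reusable workflow is consumed at a mutable ref, `uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main`, so anyone who can push to that repository's `main` can change what runs in this job with `id-token: write`, `deployments: write` and `PHYLUM_API_KEY` in hand; pin it to a full commit SHA (tag noted in a trailing comment) and bump deliberately. `id-token: write` and `deployments: write` look broader than a dependency scan that posts a PR comment needs — unless the reusable workflow demonstrably uses them, drop them and keep only `pull-requests: write` / `contents: read`. On pull requests opened from forks `secrets.PHYLUM_API_KEY` is presumably unavailable and `pull-requests: write` is not granted, yet `if: ${{ github.event.pull_request }}` still schedules the job there; consider gating on `github.event.pull_request.head.repo.full_name == github.repository` so those runs do not fail or spam the check.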
@@ -0,0 +1,65 @@
+name: Daily Analysis Phylum
+
+on:
+  schedule:
+    # Runs at 13:00 UTC every day
+    - cron: '0 13 * * *'
+
+env:
+  PHYLUM_PROJECT_ID: 851c8804-e9f6-423c-be8e-c529d22f4abd
+  PHYLUM_GROUP_NAME: Protocol
+  PHYLUM_NAME: radixdlt-scrypto
+jobs:
+  analyze_branch_phylum:
+    name: Analyze dependencies with Phylum
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        branch: [main, develop, release/babylon, release/anemone, release/bottlenose]
+        include:
+          - branch: main
+          - branch: develop
+          - branch: release/babylon
+          - branch: release/anemone
+          - branch: release/bottlenose
+      fail-fast: false
+    steps:
+      - uses: RDXWorks-actions/checkout@main
+        with:
+          ref: ${{ matrix.branch }}
+          fetch-depth: 0
+      - uses: RDXWorks-actions/setup-python@main
+        with:
+          python-version: 3.10.6
+      - name: Install Phylum
+        run: |
+          curl https://sh.phylum.io/ | sh -s -- --yes
+          # Add the Python user base binary directory to PATH
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+      - name: Run Phylum Analysis
+        env:
+          PHYLUM_API_KEY: ${{ secrets.PHYLUM_API_KEY }}
+        run: |
+          phylum analyze --quiet --label ${{ matrix.branch }}_branch_daily_schedule > /dev/null 2>&1 || exit_code=$?
+          if [ $exit_code -eq 100 ]; then
+            echo "Phylum Analysis returned exit code 100, but continuing.";
+            echo "phylum_analyze_status=failure" >> $GITHUB_ENV
+            exit 0;
+          else
+            echo "phylum_analyze_status=success" >> $GITHUB_ENV
+            exit $?;
+          fi
+      - name: Analysis Status Failure notification
+        if: always()
+        uses: RDXWorks-actions/notify-slack-action@master
+        with:
+          status: ${{ env.phylum_analyze_status }}
+          notify_when: 'failure'
+          notification_title: ':clock3: Phylum Scheduled Daily Analysis:'
+          message_format: 'Automatic phylum analysis has found vulnerabilities on ${{ env.PHYLUM_NAME }} in ${{ matrix.branch }} branch:boom:'
+          footer: "Linked Repository <{repo_url}|{repo}> | "
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_PHYLUM_PROTOCOL_TEAM_WEBHOOK }}
\ No newline at end of file
diff --git a/.phylum_project b/.phylum_project
new file mode 100644
index 00000000000..f229a4f1149
--- /dev/null
+++ b/.phylum_project
@@ -0,0 +1,7 @@
+id: 851c8804-e9f6-423c-be8e-c529d22f4abd
+name: radixdlt-scrypto
+created_at: 2024-07-05T10:48:15.419011+02:00
+group_name: Protocol
+depfiles:
+  - path: ./radix-clis/Cargo.lock
+    type: cargo
\ No newline at end of file
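Review bot: The exit handling in the "Run Phylum Analysis" step masks every failure except 100: `exit_code` is only assigned when `phylum analyze` fails, so on a clean run `[ $exit_code -eq 100 ]` expands to `[ -eq 100 ]` (a test error), and in the `else` branch `exit $?` reports the status of the preceding `echo`, so an expired API key, a missing lockfile or a broken install all exit 0 and record `phylum_analyze_status=success` while `> /dev/null 2>&1` throws away the diagnostics. Initialise `exit_code=0`, quote it, fail the step on any non-zero status other than 100, and stop discarding stderr (rewrite below). Because `status: ${{ env.phylum_analyze_status }}` is empty whenever the step died before writing it, the `if: always()` Slack step still stays silent for exactly those cases; `status: ${{ env.phylum_analyze_status || job.status }}` closes that gap. Separately, `curl https://sh.phylum.io/ | sh -s -- --yes` executes whatever the vendor serves at run time with no version pin or checksum, and `RDXWorks-actions/checkout@main`, `setup-python@main` and `notify-slack-action@master` are mutable refs — pin the installer to a released version and the actions to full commit SHAs. The `include:` list merely restates the five `branch:` entries without adding keys, so it can be deleted.
```yaml
      - name: Run Phylum Analysis
        env:
          PHYLUM_API_KEY: ${{ secrets.PHYLUM_API_KEY }}
        run: |
          set -u
          exit_code=0
          # Keep stderr visible so auth/installation errors show up in the job log.
          phylum analyze --quiet --label "${{ matrix.branch }}_branch_daily_schedule" || exit_code=$?
          if [ "$exit_code" -eq 100 ]; then
            echo "Phylum Analysis returned exit code 100, but continuing."
            echo "phylum_analyze_status=failure" >> "$GITHUB_ENV"
          elif [ "$exit_code" -ne 0 ]; then
            echo "phylum analyze failed with exit code $exit_code" >&2
            exit "$exit_code"
          else
            echo "phylum_analyze_status=success" >> "$GITHUB_ENV"
          fi
      # … unchanged: Slack notification step …
```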
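Review bot: `depfiles` registers only `./radix-clis/Cargo.lock`, so both the PR gate and the daily scan police that one lockfile; if the workspace root or other crates in this repository carry their own `Cargo.lock` (not visible in this diff) they are silently out of scope. Either list every lockfile that should be policy-checked under `depfiles`, or add a comment such as `# Only the CLI lockfile is scanned; library crates are covered transitively` so the narrower scope is recognisably deliberate.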