Changed to latest sdk (#1209) #1

Workflow file for this run

.github/workflows/webapp-deploy-dev.yml at a7b6b09

	name: WebApp Deploy DEV (no Fleek)
	on:
	workflow_dispatch:
	push:
	branches:
	- 'develop'
	- 'DOPS-*' ## temporal branch for testing only

	jobs:
	setup-env-vars:
	runs-on: ubuntu-latest
	outputs:
	environment: ${{ steps.envtest.outputs.environment }}${{ steps.envdev.outputs.environment }}

	steps:
	- name: Set environment to TEST
	if: contains(github.ref, '/DOPS-')
	id: envtest
	run: \|
	echo "environment=development" >> $GITHUB_OUTPUT ## temp, change it if have another env

	- name: Set environment to DEV
	if: endsWith(github.ref, '/develop')
	id: envdev
	run: \|
	echo "environment=development" >> $GITHUB_OUTPUT

	- name: Set environment to PROD
	if: endsWith(github.ref, '/main')
	id: envprod
	run: \|
	echo "environment=production" >> $GITHUB_OUTPUT

	build-and-deploy:
	runs-on: ubuntu-latest
	needs: [setup-env-vars]
	if: needs.setup-env-vars.outputs.environment != '' && needs.setup-env-vars.outputs.environment != 'production'
	environment: ${{ needs.setup-env-vars.outputs.environment }}
	outputs:
	BRANCH_NAME: ${{ steps.myvars.outputs.BRANCH_NAME }}
	GIT_HASH_SHORT: ${{ steps.myvars.outputs.GIT_HASH_SHORT }}
	DATE_IN_SECS: ${{ steps.myvars.outputs.DATE_IN_SECS }}
	CONTAINER_TAG: ${{ steps.myvars.outputs.CONTAINER_TAG }}
	SHORT_ENV_OUT: ${{ steps.myvars.outputs.SHORT_ENV_OUT }}

	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Set myvars
	id: myvars
	run: \|
	branchname=$(echo ${GITHUB_REF#refs/heads/} \| tr '/' '-' )
	dateinsecs=$(date +%s)
	githashshort=$(git rev-parse --short HEAD)
	echo "BRANCH_NAME=$branchname" >> $GITHUB_OUTPUT
	echo "GIT_HASH_SHORT=$githashshort" >> $GITHUB_OUTPUT
	echo "DATE_IN_SECS=$dateinsecs" >> $GITHUB_OUTPUT
	if [ "$branchname" = "develop" ]; then
	echo "CURRENT_ENVIRONMENT=development" >> $GITHUB_OUTPUT
	echo "SHORT_ENV_OUT=DEV" >> $GITHUB_OUTPUT
	elif [ "$branchname" = "main" ]; then
	echo "CURRENT_ENVIRONMENT=production" >> $GITHUB_OUTPUT
	echo "SHORT_ENV_OUT=PROD" >> $GITHUB_OUTPUT
	else
	echo "BRANCH_NAME=test" >> $GITHUB_OUTPUT
	echo "CURRENT_ENVIRONMENT=testing" >> $GITHUB_OUTPUT
	## Set DEV since we haven't set vars for TEST
	echo "SHORT_ENV_OUT=DEV" >> $GITHUB_OUTPUT
	fi
	containertag="commit-$githashshort"
	echo "CONTAINER_TAG=$containertag" >> $GITHUB_OUTPUT

	- name: Setup NodeJS, install deps from parent folder
	uses: actions/setup-node@v3
	with:
	node-version: 18
	cache: 'yarn'

	- name: Install depdendencies
	run: yarn install --pure-lockfile

	- name: Build web-app
	run: yarn build --mode ${{ needs.setup-env-vars.outputs.environment }}
	env:
	VITE_REACT_APP_DEPLOY_VERSION: ${{ github.sha }}
	VITE_REACT_APP_DEPLOY_ENVIRONMENT: ${{ needs.setup-env-vars.outputs.environment }}
	VITE_REACT_APP_ANALYTICS_KEY: ${{ secrets.VITE_REACT_APP_ANALYTICS_KEY }}
	VITE_IPFS_API_KEY: ${{ secrets.VITE_IPFS_API_KEY }}
	VITE_ETHERSCAN_API_KEY: ${{ secrets.VITE_ETHERSCAN_API_KEY }}
	VITE_POLYGONSCAN_API_KEY: ${{secrets.VITE_POLYGONSCAN_API_KEY}}
	VITE_GATEWAY_RPC_API_KEY: ${{ secrets.VITE_GATEWAY_RPC_API_KEY }}
	VITE_WALLET_CONNECT_PROJECT_ID: ${{ secrets.VITE_WALLET_CONNECT_PROJECT_ID }}
	VITE_ALCHEMY_KEY_POLYGON_MUMBAI: ${{ secrets.VITE_ALCHEMY_KEY_POLYGON_MUMBAI }}
	VITE_ALCHEMY_KEY_POLYGON_MAINNET: ${{ secrets.VITE_ALCHEMY_KEY_POLYGON_MUMBAI }}
	VITE_ALCHEMY_KEY_MAINNET: ${{ secrets.VITE_ALCHEMY_KEY_MAINNET }}
	VITE_ALCHEMY_KEY_GOERLI: ${{ secrets.VITE_ALCHEMY_KEY_GOERLI }}
	VITE_COVALENT_API_KEY: ${{secrets.VITE_COVALENT_API_KEY}}
	NODE_OPTIONS: '--max-old-space-size=6656'

	- name: Setup Docker Buildx
	uses: docker/setup-buildx-action@v2

	- name: Login to GitHub Container Registry
	uses: docker/login-action@v2
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Set swap space on Runner
	uses: pierotofy/set-swap-space@master
	with:
	swap-size-gb: 12

	## Use this step instead of `docker/build-push-action@v4` to avoid JavaScript heap out memory error
	## Using 'docker buildx build ...' allows controlling memory and memory-swap
	## https://developer.ibm.com/articles/nodejs-memory-management-in-container-environments/
	## https://docs.docker.com/engine/reference/commandline/buildx_build/#build-arg
	- name: Build container and Push to GHCR.IO ( ${{ steps.myvars.outputs.SHORT_ENV_OUT }} )
	run: \|
	mkdir -p /tmp/docker-build-push-${{ steps.myvars.outputs.DATE_IN_SECS }}/
	docker buildx build . --file ./Dockerfile.webapp.dev --push \
	--build-arg VITE_REACT_APP_DEPLOY_VERSION=${{ github.sha }} \
	--build-arg VITE_REACT_APP_DEPLOY_ENVIRONMENT=${{ needs.setup-env-vars.outputs.environment }} \
	--build-arg VITE_REACT_APP_ANALYTICS_KEY=${{ secrets.VITE_REACT_APP_ANALYTICS_KEY }} \
	--build-arg VITE_IPFS_API_KEY=${{ secrets.VITE_IPFS_API_KEY }} \
	--build-arg VITE_ETHERSCAN_API_KEY=${{ secrets.VITE_ETHERSCAN_API_KEY }} \
	--build-arg VITE_GATEWAY_RPC_API_KEY=${{ secrets.VITE_GATEWAY_RPC_API_KEY }} \
	--build-arg VITE_WALLET_CONNECT_PROJECT_ID=${{ secrets.VITE_WALLET_CONNECT_PROJECT_ID }} \
	--build-arg VITE_ALCHEMY_KEY_POLYGON_MUMBAI=${{ secrets.VITE_ALCHEMY_KEY_POLYGON_MUMBAI }} \
	--build-arg VITE_ALCHEMY_KEY_POLYGON_MAINNET=${{ secrets.VITE_ALCHEMY_KEY_POLYGON_MAINNET }} \
	--build-arg VITE_ALCHEMY_KEY_MAINNET=${{ secrets.VITE_ALCHEMY_KEY_MAINNET }} \
	--build-arg VITE_ALCHEMY_KEY_GOERLI=${{ secrets.VITE_ALCHEMY_KEY_GOERLI }} \
	--build-arg VITE_COVALENT_API_KEY=${{secrets.VITE_COVALENT_API_KEY}} \
	--build-arg NODE_OPTIONS='--max-old-space-size=6656' \
	--cache-from type=gha \
	--cache-to type=gha,mode=max \
	--iidfile /tmp/docker-build-push-${{ steps.myvars.outputs.DATE_IN_SECS }}/iidfile \
	--provenance mode=max,builder-id=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} \
	--metadata-file /tmp/docker-build-push-${{ steps.myvars.outputs.DATE_IN_SECS }}/metadata-file \
	--tag ghcr.io/${{ github.repository }}:${{ steps.myvars.outputs.BRANCH_NAME }} \
	--tag ghcr.io/${{ github.repository }}:commit-${{ steps.myvars.outputs.GIT_HASH_SHORT }} \
	--tag ghcr.io/${{ github.repository }}:webapp-${{ steps.myvars.outputs.BRANCH_NAME }}-${{ steps.myvars.outputs.DATE_IN_SECS }}

	- name: Upload sourcemap to Kibana sourcemap endpoint (APM)
	env:
	COMMIT_SHA: ${{ github.sha }}
	run: \|
	for f in $(find ./dist/assets/ -name *.js.map) ; do
	curl -X POST "https://kibana-sourcemaps.aragon.org/api/apm/sourcemaps" \
	-H 'Content-Type: multipart/form-data' \
	-H 'kbn-xsrf: true' \
	-H 'Authorization: ApiKey ${{ secrets.APM_API_KEY }}' \
	-F service_name="aragon-app" \
	-F service_version="$COMMIT_SHA" \
	-F bundle_filepath="http://localhost/assets/$(basename $f)" \
	-F sourcemap=@$f
	done

	scan-vulns-repo:
	name: Scan Vulnerabilities in Repo
	runs-on: ubuntu-latest
	needs: [build-and-deploy]

	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	## The 'fs' scan mode requires *.lock files in order to scan for vulns
	## and to collect license info of packages you should run npm install before.
	- name: Setup NodeJS before scanning with Trivy
	uses: actions/setup-node@v3
	with:
	node-version: 18
	cache: 'yarn'

	- name: Install depdendencies
	run: yarn install --pure-lockfile

	- name: Scan in Repo (html)
	uses: aquasecurity/trivy-action@master
	if: success() \|\| failure()
	with:
	scan-type: fs
	scanners: vuln,secret,config
	scan-ref: .
	format: template
	template: '@/contrib/html.tpl'
	output: trivy-results-repo-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.html
	skip-dirs: node_modules/browser-resolve/node_modules/resolve/
	#skip-dirs: node_modules/browser-resolve/node_modules/resolve/test/resolver/biz/node_modules/garply/package.json
	env:
	TRIVY_USERNAME: ${{ github.repository_owner }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

	- name: Scan in Repo (sarif)
	uses: aquasecurity/trivy-action@master
	if: success() \|\| failure()
	with:
	scan-type: fs
	scanners: vuln,secret,config
	scan-ref: .
	format: sarif
	output: trivy-results-repo-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.sarif
	skip-dirs: node_modules/browser-resolve/node_modules/resolve/
	#skip-dirs: node_modules/browser-resolve/node_modules/resolve/test/resolver/biz/node_modules/garply/package.json
	env:
	TRIVY_USERNAME: ${{ github.repository_owner }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

	- name: Publish Repo Scan Results as Artifact
	uses: actions/upload-artifact@v3
	if: success() \|\| failure()
	with:
	name: trivy-results-repo-${{ needs.build-and-deploy.outputs.DATE_IN_SECS }}.zip
	path: trivy-results-repo-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.*

	- name: Load Repo Scan Results (sarif) to Github
	uses: github/codeql-action/upload-sarif@v2
	if: always()
	#if: false ## false = bypass
	with:
	sarif_file: trivy-results-repo-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.sarif
	category: sca-vulns-repo

	scan-vulns-docker:
	name: Scan Vulnerabilities in Docker
	runs-on: ubuntu-latest
	needs: [build-and-deploy]

	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Vuln scan in Docker (table)
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: image
	scanners: vuln,secret,config
	image-ref: ghcr.io/${{ github.repository }}:${{ needs.build-and-deploy.outputs.CONTAINER_TAG }}
	format: table
	env:
	TRIVY_USERNAME: ${{ github.repository_owner }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

	- name: Vuln scan in Docker (html)
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: image
	scanners: vuln,secret,config
	image-ref: ghcr.io/${{ github.repository }}:${{ needs.build-and-deploy.outputs.CONTAINER_TAG }}
	format: template
	template: '@/contrib/html.tpl'
	output: trivy-results-docker-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.html
	env:
	TRIVY_USERNAME: ${{ github.repository_owner }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

	- name: Vuln scan in Docker (sarif)
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: image
	scanners: vuln,secret,config
	image-ref: ghcr.io/${{ github.repository }}:${{ needs.build-and-deploy.outputs.CONTAINER_TAG }}
	format: sarif
	output: trivy-results-docker-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.sarif
	env:
	TRIVY_USERNAME: ${{ github.repository_owner }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

	- name: Publish Docker Scan Results as Artifact
	uses: actions/upload-artifact@v3
	if: success() \|\| failure()
	with:
	name: trivy-results-docker-${{ needs.build-and-deploy.outputs.DATE_IN_SECS }}.zip
	path: trivy-results-docker-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.*

	## If have error is because "Advanced Security" must be enabled for this repository to use code scanning.
	## If this repo is private and CodeQL features can not be enabled and used, so the next step will not work.
	## Info: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
	- name: Load Docker Scan Results (sarif) to Github
	uses: github/codeql-action/upload-sarif@v2
	if: always()
	#if: false ## false = bypass
	with:
	sarif_file: trivy-results-docker-${{ needs.build-and-deploy.outputs.GIT_HASH_SHORT }}.sarif
	category: sca-vulns-docker

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Changed to latest sdk (#1209) #1

Workflow file

Changed to latest sdk (#1209) #1

Jobs

Run details

Workflow file for this run