diff --git a/.github/workflows/bridge-explorer-develop-staging.yml b/.github/workflows/bridge-explorer-develop-staging.yml
index d7829097..acc52c0b 100644
--- a/.github/workflows/bridge-explorer-develop-staging.yml
+++ b/.github/workflows/bridge-explorer-develop-staging.yml
@@ -12,48 +12,14 @@ on:
 - staging
 - develop
-env:
- GCP_PROJECT: gnosischain-staging
- GCP_REGION: europe-west1
- GKE_CLUSTER: gnosischain-staging
- NAMESPACE: gc-tools
-
 # Permission can be added at job level or workflow level
 permissions:
 id-token: write # This is required for requesting the JWT
 contents: write # This is required for actions/checkout
 jobs:
- security-audit:
- name: Dependency Security Audit
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout code
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- with:
- fetch-depth: 0
- - name: Enable Corepack
- run: |
- npm install -g corepack@0.34.6
- corepack enable
- - name: Setup Node
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
- with:
- node-version-file: '.nvmrc'
- cache: 'pnpm'
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
- - name: Run security audit
- run: pnpm audit --audit-level=high
-
 build-and-push:
 name: Build and Push to Artifact Registry
- needs: security-audit
 runs-on: ubuntu-latest
 outputs:
 environment: ${{ steps.set-env.outputs.environment }}
@@ -91,7 +57,7 @@ jobs:
 - name: Configure Docker for Artifact Registry
 run: |
- gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet
+ gcloud auth configure-docker ${{ secrets.GCP_REGION }}-docker.pkg.dev --quiet
 - name: Build and push DEVELOP to Artifact Registry
 if: inputs.environment == 'develop'
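Review bot: Removing the `security-audit` job and the `needs: security-audit` edge from `build-and-push` means the develop and staging images are now built, pushed and rolled out without the `pnpm audit --audit-level=high` gate that this commit re-homes into the release workflow. If auditing only at release time is the intent, a comment at `jobs:` would make the gap deliberate rather than accidental, for example `# Dependency audit runs in publish-ghcr-image-release.yml; staging builds are not gated on it`. Separately, the retained `contents: write` is more than `actions/checkout` needs for a checkout; unless a step outside this hunk pushes to the repository, `contents: read` would satisfy the reason given in the inline comment.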
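Review bot: `${{ secrets.GCP_REGION }}` on the new `gcloud auth configure-docker` line expands to an empty string when the secret is missing or misnamed, so a misconfigured environment yields `-docker.pkg.dev` and only fails later and less legibly; the same applies to `secrets.GCP_PROJECT`, `secrets.GKE_CLUSTER` and `secrets.NAMESPACE` in the `tags:`, `get-credentials` and `kubectl` hunks that follow. Project id, region, cluster and namespace are deployment configuration rather than credentials, and GitHub's `vars` context (`${{ vars.GCP_REGION }}`) is the mechanism for per-environment non-secret values; it keeps them readable in job output, whereas a value held in `secrets` is masked wherever it is printed. If they stay as secrets, add a fail-fast step ahead of this one so an unset value is reported by name instead of surfacing as a malformed registry host or image tag.

```yaml
      # Place before "Configure Docker for Artifact Registry"; fails the job
      # on any unset value instead of letting an empty expansion reach gcloud.
      - name: Validate deployment configuration
        env:
          GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
          GCP_REGION: ${{ secrets.GCP_REGION }}
          GKE_CLUSTER: ${{ secrets.GKE_CLUSTER }}
          NAMESPACE: ${{ secrets.NAMESPACE }}
        run: |
          for v in GCP_PROJECT GCP_REGION GKE_CLUSTER NAMESPACE; do
            if [ -z "${!v}" ]; then
              echo "::error::Required configuration value $v is not set"
              exit 1
            fi
          done
      # … unchanged: Configure Docker for Artifact Registry …
```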
@@ -100,7 +66,7 @@ jobs:
 context: .
 file: ./app/Dockerfile
 push: true
- tags: ${{ env.GCP_REGION }}-docker.pkg.dev/${{ env.GCP_PROJECT }}/bridge/bridge:develop
+ tags: ${{ secrets.GCP_REGION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/bridge/bridge:develop
 platforms: linux/amd64
 build-args: |
 "NEXT_PUBLIC_APP_NAME=GnosisBridge"
@@ -123,7 +89,7 @@ jobs:
 context: .
 file: ./app/Dockerfile
 push: true
- tags: ${{ env.GCP_REGION }}-docker.pkg.dev/${{ env.GCP_PROJECT }}/bridge/bridge:staging
+ tags: ${{ secrets.GCP_REGION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/bridge/bridge:staging
 platforms: linux/amd64
 build-args: |
 "NEXT_PUBLIC_APP_NAME=GnosisBridge"
@@ -165,35 +131,35 @@ jobs:
 - name: Configure kubectl
 run: |
- gcloud container clusters get-credentials ${{ env.GKE_CLUSTER }} \
- --region ${{ env.GCP_REGION }} \
- --project ${{ env.GCP_PROJECT }} \
+ gcloud container clusters get-credentials ${{ secrets.GKE_CLUSTER }} \
+ --region ${{ secrets.GCP_REGION }} \
+ --project ${{ secrets.GCP_PROJECT }} \
 --internal-ip
 - name: Verify deployment exists
 run: |
- if ! kubectl get deployment/${{ needs.build-and-push.outputs.deployment_name }} -n ${{ env.NAMESPACE }} &> /dev/null; then
- echo "Deployment ${{ needs.build-and-push.outputs.deployment_name }} does not exist in namespace ${{ env.NAMESPACE }}"
+ if ! kubectl get deployment/${{ needs.build-and-push.outputs.deployment_name }} -n ${{ secrets.NAMESPACE }} &> /dev/null; then
+ echo "Deployment ${{ needs.build-and-push.outputs.deployment_name }} does not exist in namespace ${{ secrets.NAMESPACE }}"
 echo "Please ensure Terraform has been applied first to create the deployment"
 exit 1
 fi
 - name: Restart deployment
 run: |
- kubectl rollout restart deployment/${{ needs.build-and-push.outputs.deployment_name }} -n ${{ env.NAMESPACE }}
+ kubectl rollout restart deployment/${{ needs.build-and-push.outputs.deployment_name }} -n ${{ secrets.NAMESPACE }}
 - name: Wait for rollout to complete
 run: |
- kubectl rollout status deployment/${{ needs.build-and-push.outputs.deployment_name }} -n ${{ env.NAMESPACE }} --timeout=5m
+ kubectl rollout status deployment/${{ needs.build-and-push.outputs.deployment_name }} -n ${{ secrets.NAMESPACE }} --timeout=5m
 - name: Get deployment status
 if: always()
 run: |
 echo "=== Deployment Status ==="
- kubectl get deployment/${{ needs.build-and-push.outputs.deployment_name }} -n ${{ env.NAMESPACE }}
+ kubectl get deployment/${{ needs.build-and-push.outputs.deployment_name }} -n ${{ secrets.NAMESPACE }}
 echo ""
 echo "=== Pod Status ==="
- kubectl get pods -n ${{ env.NAMESPACE }} -l app=${{ needs.build-and-push.outputs.deployment_name }}
+ kubectl get pods -n ${{ secrets.NAMESPACE }} -l app=${{ needs.build-and-push.outputs.deployment_name }}
 echo ""
 echo "=== Recent Events ==="
- kubectl get events -n ${{ env.NAMESPACE }} --sort-by='.lastTimestamp' | tail -20
\ No newline at end of file
+ kubectl get events -n ${{ secrets.NAMESPACE }} --sort-by='.lastTimestamp' | tail -20
\ No newline at end of file
diff --git a/.github/workflows/publish-ghcr-image-release.yml b/.github/workflows/publish-ghcr-image-release.yml
index 80a658df..3b6dd016 100644
--- a/.github/workflows/publish-ghcr-image-release.yml
+++ b/.github/workflows/publish-ghcr-image-release.yml
@@ -11,7 +11,34 @@ permissions:
 packages: write # This is required for pushing to GHCR
 jobs:
+ security-audit:
+ name: Dependency Security Audit
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ fetch-depth: 0
+
+ - name: Enable Corepack
+ run: |
+ npm install -g corepack@0.34.6
+ corepack enable
+
+ - name: Setup Node
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ with:
+ node-version-file: '.nvmrc'
+ cache: 'pnpm'
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Run security audit
+ run: pnpm audit --audit-level=high
+
 Build_and_push_image_to_GHCR:
+ needs: security-audit
 runs-on: ubuntu-latest
 steps:
 - name: Git clone the repository
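Review bot: With `NAMESPACE` now read from `secrets`, the runner masks its value in job output, so the new `echo "Deployment ... does not exist in namespace ${{ secrets.NAMESPACE }}"` line in "Verify deployment exists" prints `***`, and the namespace is likewise redacted wherever it appears in the `kubectl get` output of "Get deployment status", which is the step an operator reads when a rollout fails. The message no longer lets the reader tell a wrong namespace from a missing deployment. Either keep the namespace in a non-secret `vars` value or reword the message so it does not depend on the masked value, e.g. `echo "Deployment ${{ needs.build-and-push.outputs.deployment_name }} not found in the configured namespace; check the NAMESPACE setting for this environment"`. The enclosing deploy job begins before this hunk.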
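Review bot: The new `security-audit` job inherits the workflow-level permissions, which in this file include `packages: write` (visible as context at the top of the hunk) plus whatever is declared above it, yet the job only checks out and audits the tree; add job-level `permissions:` / `  contents: read` directly under `security-audit:` so the audit runs with a read-only token. `pnpm install --frozen-lockfile` also executes dependency lifecycle scripts before the audit has had a chance to flag anything; `pnpm audit` works from `pnpm-lock.yaml`, so the install step can likely be dropped, or at least run as `pnpm install --frozen-lockfile --ignore-scripts`. `fetch-depth: 0` fetches the full history, which the audit does not use.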