radixdlt · duje-begonja-rdx · Dec 5, 2025 · Mar 14, 2025 · Oct 15, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,139 +16,8 @@ on:
   workflow_dispatch:
 
 jobs:
-  snyk-scan-deps-licences:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access'
-          app_name: 'signaling-server'
-          step_name: 'snyk-scan-deps-licenses'
-          secret_prefix: 'SNYK'
-          secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX'
-          parse_json: true
-      - name: Run Snyk to check for deps vulnerabilities
-        uses: RDXWorks-actions/snyk-actions/node@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical
-
-  snyk-scan-code:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access'
-          app_name: 'signaling-server'
-          step_name: 'snyk-scan-code'
-          secret_prefix: 'SNYK'
-          secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX'
-          parse_json: true
-      - name: Run Snyk to check for code vulnerabilities
-        uses: RDXWorks-actions/snyk-actions/node@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
-          command: code test
-
-  snyk-sbom:
-    runs-on: ubuntu-latest
-    permissions: write-all
-    needs:
-      - snyk-scan-deps-licences
-      - snyk-scan-code
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access'
-          app_name: 'signaling-server'
-          step_name: 'snyk-sbom'
-          secret_prefix: 'SNYK'
-          secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX'
-          parse_json: true
-      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
-        uses: RDXWorks-actions/snyk-actions/node@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
-          command: sbom
-      - name: Upload SBOM
-        if: github.event_name == 'release'
-        uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a
-        with:
-          files: sbom.json
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-
-  snyk-monitor:
-    runs-on: ubuntu-latest
-    if: >
-      ( github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') ) ||
-      ( ${{ github.event_name == 'release' && github.event.release.prerelease == false }} )
-    needs:
-      - build
-      - push
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access'
-          app_name: 'signaling-server'
-          step_name: 'snyk-monitor'
-          secret_prefix: 'SNYK'
-          secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX'
-          parse_json: true
-      - name: Enable Snyk online monitoring to check for vulnerabilities
-        uses: RDXWorks-actions/snyk-actions/node@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
-          command: monitor
-
-  snyk-container-monitor:
-    runs-on: ubuntu-latest
-    if: >
-     ( github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') ) ||
-     ( ${{ github.event_name == 'release' && github.event.release.prerelease == false }} )
-    needs:
-      - build
-      - push
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
-        with:
-          role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access'
-          app_name: 'signaling-server'
-          step_name: 'snyk-container-monitor'
-          dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/dockerhub-credentials'
-          snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX'
-          parse_json: true
-          snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
-          image: docker.io/radixdlt/signaling-server:${{ needs.build.outputs.tag }}
-          target_ref: ${{ github.ref_name }}
-
   build:
     runs-on: ubuntu-latest
-    needs:
-      - snyk-scan-deps-licences
-      - snyk-scan-code
     outputs:
       tag: ${{ steps.setup_tags.outputs.tag}}
     steps:
@@ -223,9 +92,8 @@ jobs:
       dockerfile: "./Dockerfile"
       context: ./
       platforms: "linux/amd64"
-      scan_image: true
+      scan_image: false
       continue_on_scan_image_finding: true
-      snyk_target_ref: ${{ github.ref_name }}
     secrets:
       workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
       service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

diff --git a/deploy/helm/helmfile.yaml b/deploy/helm/helmfile.yaml
@@ -39,6 +39,10 @@ releases:
        auth:
          enabled: true
          password: redis
+       image:
+         registry: public.ecr.aws
+         repository: u2o0d2a1/bitnami-redis
+         tag: 7.2.4-debian-12-r16
        master:
          resources:
            limits: