From 37ebf7b7eb432d5d171637917c7ee6b1e9ec5f02 Mon Sep 17 00:00:00 2001 From: Fortune-Ndlovu Date: Thu, 24 Apr 2025 17:48:28 +0100 Subject: [PATCH 1/6] chore(ci): simplify Snyk workflow using matrix for chart scans Signed-off-by: Fortune-Ndlovu --- .github/workflows/snyk.yaml | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 57f135f2..425c98a3 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -8,6 +8,17 @@ jobs: scan-iac: name: Scan Rendered Templates runs-on: ubuntu-latest + + strategy: + matrix: + chart: + - name: backstage + path: ./charts/backstage + output: ./output/backstage + - name: orchestrator-infra + path: ./charts/orchestrator-infra + output: ./output/orchestrator-infra + steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 
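Review bot: The new `strategy.matrix` keeps GitHub's default `fail-fast: true`, so if one chart's leg fails (for example `helm dependency build` for backstage in the render step) the other chart's leg is cancelled before its scan reports anything. For a security scan each chart should be rendered and scanned independently of the other, so add `fail-fast: false` directly under `strategy:`, i.e. `strategy:` / `  fail-fast: false` / `  matrix:`. Since the scan step itself is `continue-on-error: true` (in the second hunk of this patch), the cancellation would in practice come from the render step, which makes the cross-leg cancellation easy to miss.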
@@ -23,28 +34,16 @@ jobs: run: | helm repo add bitnami https://charts.bitnami.com/bitnami helm repo add backstage https://backstage.github.io/charts - helm repo update - helm dependency build ./charts/backstage - helm dependency build ./charts/orchestrator-infra - helm template ./charts/backstage --output-dir ./output/backstage - helm template ./charts/orchestrator-infra --output-dir ./output/orchestrator-infra - - - name: Run SNYK IaC Scan for Developer Hub - continue-on-error: true - uses: snyk/actions/iac@b98d498629f1c368650224d6d212bf7dfa89e4bf # 0.4.0 - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }} - with: - args: --report --org=$SNYK_ORG_ID --target-name="redhat-developer/rhdh-chart/backstage" - file: ./output/backstage + helm repo update + helm dependency build ${{ matrix.chart.path }} + helm template ${{ matrix.chart.path }} --output-dir ${{ matrix.chart.output }} - - name: Run Snyk IaC Scan for Orchestrator Infra + - name: Run Snyk IaC Scan continue-on-error: true uses: snyk/actions/iac@b98d498629f1c368650224d6d212bf7dfa89e4bf # 0.4.0 env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }} with: - args: --report --org=$SNYK_ORG_ID --target-name="redhat-developer/rhdh-chart/orchestrator-infra" - file: ./output/orchestrator-infra + args: --report --org=$SNYK_ORG_ID --target-name="redhat-developer/rhdh-chart/${{ matrix.chart.name }}" + file: ${{ matrix.chart.output }} From 595b51f844aa0066d5f75d84c23b6024d3813112 Mon Sep 17 00:00:00 2001 From: Fortune-Ndlovu Date: Thu, 24 Apr 2025 17:59:32 +0100 Subject: [PATCH 2/6] chore(ci): enable workflow_dispatch and PR triggers for Snyk matrix scan testing Signed-off-by: Fortune-Ndlovu --- .github/workflows/snyk.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 425c98a3..36f88df6 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml 
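Review bot: The render step now splices `${{ matrix.chart.path }}` and `${{ matrix.chart.output }}` straight into the `run:` script; the values are static literals from this workflow file, so there is no injection exposure today, but the usual practice for anything expanded into a shell block is to route it through `env:` and reference a quoted variable, so the script stays safe if the matrix is ever built from inputs or a repository file. The same direct interpolation is carried into patch 4's `@@ -34,20 +27,20 @@` hunk (`./charts/${{ matrix.chart }}`), so the change applies there too. The `- name: Render Templates` line that the `env:` block would hang off sits just above this hunk; the `helm repo add` lines are unchanged.

```yaml
        env:
          CHART_PATH: ${{ matrix.chart.path }}
          CHART_OUTPUT: ${{ matrix.chart.output }}
        run: |
          # … unchanged: helm repo add bitnami / backstage, helm repo update …
          helm dependency build "$CHART_PATH"
          helm template "$CHART_PATH" --output-dir "$CHART_OUTPUT"
```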
@@ -1,8 +1,12 @@ name: SNYK on: - schedule: - - cron: "0 0 * * 0" + workflow_dispatch: + pull_request: + branches: + - main + # schedule: + # - cron: "0 0 * * 0" # Re-enable after validation jobs: scan-iac: From 5d5582ffc966e1e8ed4f6eaa3735c8d5ed620ab8 Mon Sep 17 00:00:00 2001 From: Fortune-Ndlovu Date: Thu, 24 Apr 2025 18:07:29 +0100 Subject: [PATCH 3/6] chore(ci): dynamically name Snyk IaC scan step using chart name Signed-off-by: Fortune-Ndlovu --- .github/workflows/snyk.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index 36f88df6..eb017d36 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -42,7 +42,7 @@ jobs: helm dependency build ${{ matrix.chart.path }} helm template ${{ matrix.chart.path }} --output-dir ${{ matrix.chart.output }} - - name: Run Snyk IaC Scan + - name: Run Snyk IaC Scan for ${{ matrix.chart.name }} continue-on-error: true uses: snyk/actions/iac@b98d498629f1c368650224d6d212bf7dfa89e4bf # 0.4.0 env: From 98151defe51f5de71b5b4a2d5e6b709216e310b1 Mon Sep 17 00:00:00 2001 From: Fortune-Ndlovu Date: Fri, 25 Apr 2025 00:20:58 +0100 Subject: [PATCH 4/6] fixup: Removed path and output from the matrix, now inferred directly from chart name. AND Kept workflow_dispatch so WE can trigger this manually from GitHub. Signed-off-by: Fortune-Ndlovu --- .github/workflows/snyk.yaml | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index eb017d36..f20f76a0 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -1,12 +1,9 @@ name: SNYK on: - workflow_dispatch: - pull_request: - branches: - - main - # schedule: - # - cron: "0 0 * * 0" # Re-enable after validation + workflow_dispatch: # allow manual runs from UI + schedule: + - cron: "0 0 * * 0" # weekly scan (every Sunday at 00:00 UTC) jobs: scan-iac: 
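Review bot: The added `pull_request` trigger runs the scan for PRs against `main`, but for a pull request opened from a fork `secrets.SNYK_TOKEN` and `secrets.SNYK_ORG_ID` are not populated, so the Snyk step (outside this hunk) would most likely fail on authentication and its `continue-on-error: true` would turn that into a green run with no scan. If PR-triggered scanning is kept beyond the validation window, either gate the job on same-repository PRs or let the scan step fail visibly so an unauthenticated run is noticed. The commented-out `# schedule:` also leaves the weekly scan disabled for as long as this commit stands on its own. Patch 4 in this series later removes `pull_request` and restores `schedule`, so this only matters if the PR trigger is reintroduced.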
@@ -16,12 +13,8 @@ jobs: strategy: matrix: chart: - - name: backstage - path: ./charts/backstage - output: ./output/backstage - - name: orchestrator-infra - path: ./charts/orchestrator-infra - output: ./output/orchestrator-infra + - backstage + - orchestrator-infra steps: - name: Checkout @@ -34,20 +27,20 @@ jobs: with: version: v3.17.0 - - name: Render Templates + - name: Render Templates for ${{ matrix.chart }} run: | helm repo add bitnami https://charts.bitnami.com/bitnami helm repo add backstage https://backstage.github.io/charts helm repo update - helm dependency build ${{ matrix.chart.path }} - helm template ${{ matrix.chart.path }} --output-dir ${{ matrix.chart.output }} + helm dependency build ./charts/${{ matrix.chart }} + helm template ./charts/${{ matrix.chart }} --output-dir ./output/${{ matrix.chart }} - - name: Run Snyk IaC Scan for ${{ matrix.chart.name }} + - name: Run Snyk IaC Scan for ${{ matrix.chart }} continue-on-error: true uses: snyk/actions/iac@b98d498629f1c368650224d6d212bf7dfa89e4bf # 0.4.0 env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }} with: - args: --report --org=$SNYK_ORG_ID --target-name="redhat-developer/rhdh-chart/${{ matrix.chart.name }}" - file: ${{ matrix.chart.output }} + args: --report --org=$SNYK_ORG_ID --target-name="redhat-developer/rhdh-chart/${{ matrix.chart }}" + file: ./output/${{ matrix.chart }} From 97cf8d27ef09deec98559d1667d8fbcdf5c12f0e Mon Sep 17 00:00:00 2001 From: Fortune-Ndlovu Date: Fri, 25 Apr 2025 00:31:04 +0100 Subject: [PATCH 5/6] test Signed-off-by: Fortune-Ndlovu --- .github/workflows/snyk.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index f20f76a0..a4d86b84 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml 
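Review bot: In the `@@ -34,20 +27,20 @@` hunk, `helm template ./charts/${{ matrix.chart }}` is run with no `-f`/`--set`, so each chart is rendered with its default values only and the Snyk IaC scan never sees resources that are gated behind non-default values (as far as this file shows). That limitation is worth stating next to the step so the scan's coverage is not overestimated, e.g. `# Renders with chart defaults only; resources enabled by values overrides are not covered by this scan`, and if a representative values file exists per chart the matrix could carry it alongside the chart name. The simplified matrix (`- backstage` / `- orchestrator-infra`) derives both the chart path and the output directory by concatenation, which keeps `file:` and `--output-dir` in step; the job header itself is outside this hunk.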
@@ -34,6 +34,14 @@ jobs: helm repo update helm dependency build ./charts/${{ matrix.chart }} helm template ./charts/${{ matrix.chart }} --output-dir ./output/${{ matrix.chart }} + + - name: Debug rendered files + run: | + echo "Files rendered for ${{ matrix.chart }}:" + find ./output/${{ matrix.chart }} -type f + echo "---" + echo "First 20 lines of a rendered YAML file:" + head -n 20 $(find ./output/${{ matrix.chart }} -type f -name '*.yaml' | head -n 1 || echo "/dev/null") - name: Run Snyk IaC Scan for ${{ matrix.chart }} continue-on-error: true From c917a5410aa2d59e7ae25657cdef158b7b128a66 Mon Sep 17 00:00:00 2001 From: Fortune-Ndlovu Date: Fri, 25 Apr 2025 00:58:16 +0100 Subject: [PATCH 6/6] chore(ci): remove debug step from Snyk matrix workflow Signed-off-by: Fortune-Ndlovu --- .github/workflows/snyk.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml index a4d86b84..f20f76a0 100644 --- a/.github/workflows/snyk.yaml +++ b/.github/workflows/snyk.yaml @@ -34,14 +34,6 @@ jobs: helm repo update helm dependency build ./charts/${{ matrix.chart }} helm template ./charts/${{ matrix.chart }} --output-dir ./output/${{ matrix.chart }} - - - name: Debug rendered files - run: | - echo "Files rendered for ${{ matrix.chart }}:" - find ./output/${{ matrix.chart }} -type f - echo "---" - echo "First 20 lines of a rendered YAML file:" - head -n 20 $(find ./output/${{ matrix.chart }} -type f -name '*.yaml' | head -n 1 || echo "/dev/null") - name: Run Snyk IaC Scan for ${{ matrix.chart }} continue-on-error: true