From 65fd773fc6a29245363baedbe5286e95f26419e5 Mon Sep 17 00:00:00 2001 From: Dan Date: Thu, 16 Nov 2023 17:14:46 +0200 Subject: [PATCH 01/10] Adding the files and actions required for the docker images --- .github/workflows/deploy.yml | 24 +++++++++++++++++++++++- docker/Dockerfile | 3 +++ 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 docker/Dockerfile diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 06e24432..89882ede 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -7,6 +7,8 @@ on: jobs: deployment: + permissions: + packages: write environment: deploy runs-on: ubuntu-latest @@ -30,4 +32,24 @@ jobs: run: mvn --batch-mode deploy -DskipTests env: MAVEN_USERNAME: ${{ secrets.BUILD_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.BUILD_PASSWORD }} \ No newline at end of file + MAVEN_PASSWORD: ${{ secrets.BUILD_PASSWORD }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push the oidcng-server + uses: docker/build-push-action@v4 + with: + context: . + file: docker/Dockerfile + platforms: linux/amd64 + push: true + tags: | + ghcr.io/openconext/openconext-oidcng/oidcng-server:${{ github.ref_name }} diff --git a/docker/Dockerfile b/docker/Dockerfile new file mode 100644 index 00000000..c9a98d44 --- /dev/null +++ b/docker/Dockerfile @@ -0,0 +1,3 @@ +FROM eclipse-temurin:17-jdk-alpine +COPY target/*.jar app.jar +ENTRYPOINT ["java","-jar","/app.jar"] From 348a03566f336c1a854522cca5f25f6f1b569223 Mon Sep 17 00:00:00 2001 From: Dan Date: Fri, 17 Nov 2023 17:00:11 +0200 Subject: [PATCH 02/10] Using java 11 --- docker/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index c9a98d44..6db5b001 100644 
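Review bot: The new job-level `permissions:` block lists only `packages: write`, and once any scope is listed GitHub reduces every unlisted scope of `GITHUB_TOKEN` to none, so the `actions/checkout` step in this job (outside the hunk) now runs with a token that has no `contents` access. On a public repository the clone may still succeed anonymously, but that depends on repository visibility rather than on what the job declares; spell out the minimum the job needs, `permissions:` / `contents: read` / `packages: write`. A short comment above the block saying why `packages: write` is required (the ghcr.io push later in this job) would also help the next reader.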
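Review bot: The new `docker/Dockerfile` has no `USER` instruction, so the `ENTRYPOINT ["java","-jar","/app.jar"]` process runs as root inside the container; add an unprivileged account before the entrypoint, `RUN addgroup -S app && adduser -S -G app app` / `USER app`, and if the application is meant to bind a port below 1024 (the docker profile added later in this series sets `port: 80`) adjust that port or grant the capability explicitly rather than keeping root. A `-jre` base image would also be enough here, since the build happens in the workflow and the container only needs to run the jar. `COPY target/*.jar app.jar` assumes exactly one jar matches; with more than one match COPY fails because the destination is not a directory — presumably only the repackaged jar exists after `mvn deploy`, worth confirming.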
--- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,3 +1,3 @@ -FROM eclipse-temurin:17-jdk-alpine +FROM eclipse-temurin:11-jdk-alpine COPY target/*.jar app.jar ENTRYPOINT ["java","-jar","/app.jar"] From 7cacf6bcbb0f4b93697694f243b7392c9e2cebe3 Mon Sep 17 00:00:00 2001 From: Dan Date: Mon, 27 Nov 2023 17:45:50 +0200 Subject: [PATCH 03/10] Adding the posibility to build snapshot releases --- .github/workflows/deploy.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 89882ede..46e1ed40 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -14,6 +14,7 @@ jobs: steps: - uses: actions/checkout@v2 + - name: Set up JDK 11 uses: actions/setup-java@v1 with: @@ -21,6 +22,7 @@ jobs: server-id: openconext-releases server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD + - name: Set up cache uses: actions/cache@v1 with: 
@@ -28,6 +30,23 @@ jobs: key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} restore-keys: | ${{ runner.os }}-maven- + + - name: Determine the version + run: echo ::set-output name=version::$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) + id: versioncheck + + - name: Exit when workflow_dispatch is triggered, and the version does not contain SNAPSHOT in it's name + run: | + echo "Only SNAPSHOT releases can be triggered with the workflow_dispatch" + exit 1 + if: github.event_name == 'workflow_dispatch' && ( !endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) + + - name: Exit when a production build is triggered, and the github tag is not the same as the version in pom.xml + run: | + echo "Project version ${{ steps.versioncheck.outputs.version }} does not match git tag ${{ github.ref_name }}" + exit 1 + if: github.event_name != 'workflow_dispatch' && steps.versioncheck.outputs.version != github.ref_name + - name: Deploy with Maven run: mvn --batch-mode deploy -DskipTests env: @@ -52,4 +71,4 @@ jobs: platforms: linux/amd64 push: true tags: | - ghcr.io/openconext/openconext-oidcng/oidcng-server:${{ github.ref_name }} + ghcr.io/openconext/openconext-oidcng/oidcng-server:${{ steps.versioncheck.outputs.version }} From 31c57d311a8e70b4c254d5ae514b3386f32f4baf Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 1 Feb 2024 16:45:44 +0100 Subject: [PATCH 04/10] GHA Docker: Add labels and tags --- .github/workflows/deploy.yml | 38 ++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 46e1ed40..53a223da 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
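Review bot: The `Determine the version` step publishes its result with `echo ::set-output`, a workflow command GitHub has deprecated in favour of the `GITHUB_OUTPUT` file; the step should become `run: echo "version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)" >> "$GITHUB_OUTPUT"`. The second guard step also expands `${{ steps.versioncheck.outputs.version }}` and `${{ github.ref_name }}` directly into the `run:` script text; both values come from outside the workflow file (pom.xml and the pushed tag name), so hand them to the shell through an `env:` block (`VERSION: ${{ steps.versioncheck.outputs.version }}`, `TAG: ${{ github.ref_name }}`) and write `echo "Project version $VERSION does not match git tag $TAG"` instead. The name of the first guard step reads `it's` where `its` is meant.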
@@ -47,6 +47,28 @@ jobs: exit 1 if: github.event_name != 'workflow_dispatch' && steps.versioncheck.outputs.version != github.ref_name + - name: Set up JDK 11 for snapshots + uses: actions/setup-java@v3 + with: + java-version: "11" + distribution: "temurin" + cache: "maven" + server-id: openconext-snapshots + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD + if: ( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) + + - name: Set up JDK 11 for releases + uses: actions/setup-java@v3 + with: + java-version: "11" + distribution: "temurin" + cache: "maven" + server-id: openconext-releases + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD + if: ${{!( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) }} + - name: Deploy with Maven run: mvn --batch-mode deploy -DskipTests env: @@ -63,6 +85,18 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/openconext/openconext-oidcng/oidcng + flavor: | + latest=false + tags: | + type=ref,event=tag + type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }} + type=sha + - name: Build and push the oidcng-server uses: docker/build-push-action@v4 with: @@ -70,5 +104,5 @@ jobs: file: docker/Dockerfile platforms: linux/amd64 push: true - tags: | - ghcr.io/openconext/openconext-oidcng/oidcng-server:${{ steps.versioncheck.outputs.version }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} From e4a1bd2ea9b2d440908fa123966741e43314519c Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 21 Feb 2024 14:13:58 +0100 Subject: [PATCH 05/10] Remove obsolete metadata signing certificate --- .../metadata-signing-certificate.pem | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 src/main/resources/metadata-signing-certificate.pem 
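Review bot: Both new conditional `setup-java@v3` steps set `cache: "maven"`, while the unconditional `Set up cache` step earlier in the job (`actions/cache` on `~/.m2/repository`, visible as context in the previous patch) already caches the same directory, so the repository is saved and restored twice per run; keep one mechanism. The two `if:` conditions are written in different forms, `( endsWith(...))` bare and `${{!( endsWith(...)) }}` wrapped; one style, `if: endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')` and `if: ${{ !endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT') }}`, reads more clearly (the wrapper is only needed for the leading `!`). The first, unconditional `Set up JDK 11` step still configures `server-id: openconext-releases`, so the settings.xml used by `mvn deploy` presumably depends on which setup-java step ran last; a comment above these two steps stating that they intentionally replace the earlier server configuration would make that explicit.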
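Review bot: The `images:` value of the new metadata step is `ghcr.io/openconext/openconext-oidcng/oidcng`, whereas the tag removed in the last hunk pushed to `.../oidcng-server` and the build step is still named `Build and push the oidcng-server`; if renaming the image repository is intended, state it in the commit message or a comment, because anything pulling the old name silently stops receiving updates. The `type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }}` entry also receives `-SNAPSHOT` versions from workflow_dispatch runs, which the semver type will presumably tag as a pre-release string; if that is wanted, a one-line comment above `tags:` describing the intended tag set per trigger would help.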
diff --git a/src/main/resources/metadata-signing-certificate.pem b/src/main/resources/metadata-signing-certificate.pem
deleted file mode 100644
index 830c373b..00000000
--- a/src/main/resources/metadata-signing-certificate.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDXzCCAkegAwIBAgIJAO/SRRMh1qu5MA0GCSqGSIb3DQEBBQUAMEYxDzANBgNV
-BAMMBkVuZ2luZTERMA8GA1UECwwIU2VydmljZXMxEzARBgNVBAoMCk9wZW5Db25l
-eHQxCzAJBgNVBAYTAk5MMB4XDTE0MTAyMzA4MDIwMloXDTI0MTAyMjA4MDIwMlow
-RjEPMA0GA1UEAwwGRW5naW5lMREwDwYDVQQLDAhTZXJ2aWNlczETMBEGA1UECgwK
-T3BlbkNvbmV4dDELMAkGA1UEBhMCTkwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQC8k23xFL7q2I13NgI0qpv7idgfQv1VyEoANY1+ot1Mkt30dDjGeUPd
-5A+KqDZpH+NA/oOrgG9dXSyrx4vAhTqomJ1RlMnoohTj3fAQC5+eMP5mlmzzzvme
-8dY4wOOq1ynGtpVDqqmBz1gzhzin0++0XOuRideo3/H6jZX0QSOwVe/KH7RJjW08
-+ECHLVZYPhFdLVTkQhGl0sox1HaV2O+CQhokrJzSjquf/WOAmv3vNWVZbvf2n9IC
-PSvY5A0Q4aXLScvx8qxJ3FrY9xCd07sGdGV2BTog+LEgBDvrnM/E9Wy7HQE8c/dI
-Q9WguV1kk1ApVYeSOrs9XnURW4zFP/sRAgMBAAGjUDBOMB0GA1UdDgQWBBSgDb9J
-Mhj9nS9IgLn5Z63cpI/CLjAfBgNVHSMEGDAWgBSgDb9JMhj9nS9IgLn5Z63cpI/C
-LjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBZO+zUTIJnIBmGG0s/
-8AQhkeJixx9ow413uZSMhPYFMkj+Zxoxl9g1y63BVzchxXKjVqOkV2gMGCw1n5vD
-zsPTZRbzuXkbTk9fWp9+CYOc+hcOT29xGWNwORF+p7yGK4BRQx2VemQE9IoAo6h7
-Mcz83k3KXzAyOWvfpI9HNM3K/my7+cO3TY3ua/gzkS70pqANJZHZXcKmnbzsimIL
-7N1ro9pk2M9XChHqrFwVXBESwpc3Ff3AsARGQsMO4SjywuwJ2Wr7HeWp1YHFucpY
-ekNuE9UMfZE1Zd0f/TAcv8nr7c4rdt1vRwk8lPXZ8LaAtnfbAi6sC9gIfB6hHmFu
-kEyC
------END CERTIFICATE-----
From 9044dfb3ab2f1dc81b762bb24331bda599305964 Mon Sep 17 00:00:00 2001
From: Bart Geesink Date: Wed, 21 Feb 2024 14:14:09 +0100 Subject: [PATCH 06/10] Add configuration used for the OpenConext Docker Compose environment --- src/main/resources/application-docker.yml | 59 ++++++++++++++++ .../engine.dev.openconext.local.default.pem | 22 ++++++ .../openid-configuration-docker.json | 70 +++++++++++++++++++ 3 files changed, 151 insertions(+) create mode 100644 src/main/resources/application-docker.yml create mode 100644 src/main/resources/engine.dev.openconext.local.default.pem create mode 100644 src/main/resources/openid-configuration-docker.json diff --git a/src/main/resources/application-docker.yml b/src/main/resources/application-docker.yml new file mode 100644 index 00000000..99cf92dd --- /dev/null +++ b/src/main/resources/application-docker.yml 
@@ -0,0 +1,59 @@
+server:
+ port: 80
+
+mongodb_db: oidcng
+oidc_saml_mapping_path: classpath:/oidc/saml_mapping.json
+openid_configuration_path: classpath:/openid-configuration-docker.json
+secret_key_set_path: classpath:/secret_keyset.json
+associated_data: 4CEFFA8B-90DD-4737-8B04-6DA51C5B29AE
+access_token_one_way_hash_salt: secret
+private_key_path: file:///config/saml.key
+certificate_path: file:///config/saml.crt
+default_acr_value: http://dev.openconext.local/assurance/loa1
+secure_cookie: false
+oidc_token_endpoint: https://dev.openconext.local/oidc/token
+environment: SURFconext DEV
+
+features:
+ # Do we enforce that the RS - if eduID pseudonymisation is required - belongs to the SURF IdP linked to the eduID user account?
+ # We link RS's and SURF IdP's using the coin:institution-guid
+ enforce-eduid-resource-server-linked-account: true
+ # Do we show consent if configured for a RP in manage
+ consent-enabled: true
+
+sp:
+ entity_id: https://connect.dev.openconext.local
+ acs_location: https://connect.dev.openconext.local/login/saml2/sso/oidcng
+
+idp:
+ entity_id: https://dev.openconext.local/authentication/idp/metadata
+ sso_location: https://dev.openconext.local/authentication/idp/single-sign-on
+ saml_assertion_signing_key: classpath:/engine.dev.openconext.local.default.pem
+
+spring:
+ data:
+ mongodb:
+ uri: mongodb://oidcngrw:secret@mongo:27017/oidcng?ssl=false
+ thymeleaf:
+ cache: false
+ main:
+ banner-mode: off
+
+manage:
+ user: manage
+ password: secret
+
+token-api:
+ # Is the token API enabled for Profile and eduID? If not access to the token API endpoints is forbidden
+ enabled: true
+ users:
+ - user: eduid
+ password: secret
+ - user: profile
+ password: secret
+
+eduid:
+ user: oidcng
+ password: secret
+ uri: https://eduid.dev.openconext.local/myconext/api/attribute-manipulation
+ enabled: true
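Review bot: This profile file sits in `src/main/resources`, so its contents — the MongoDB URI `mongodb://oidcngrw:secret@mongo:27017/oidcng?ssl=false`, the `manage`, `token-api` and `eduid` passwords, `access_token_one_way_hash_salt: secret`, `associated_data` and `secure_cookie: false` — are packaged into the jar and ship in every image, even though they only take effect when this profile is activated. The file should open with a comment that makes the scope unmistakable, e.g. `# Profile for the OpenConext docker-compose development/integration environment only.` / `# Every credential and salt below is a placeholder; never activate this profile elsewhere.`, and the keyset referenced by `secret_key_set_path: classpath:/secret_keyset.json` deserves the same caveat since it protects issued tokens. `banner-mode: off` is read by a YAML 1.1 parser as the boolean `false` rather than the string `off`; Spring Boot appears to tolerate that, but `banner-mode: "off"` states the enum value that is meant.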
diff --git a/src/main/resources/engine.dev.openconext.local.default.pem b/src/main/resources/engine.dev.openconext.local.default.pem
new file mode 100644
index 00000000..7046e760
--- /dev/null
+++ b/src/main/resources/engine.dev.openconext.local.default.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIJAPdqJ9JQKN6vMA0GCSqGSIb3DQEBBQUAMEYxDzANBgNV
+BAMTBkVuZ2luZTERMA8GA1UECxMIU2VydmljZXMxEzARBgNVBAoTCk9wZW5Db25l
+eHQxCzAJBgNVBAYTAk5MMB4XDTE1MDQwMjE0MDE1NFoXDTI1MDQwMTE0MDE1NFow
+RjEPMA0GA1UEAxMGRW5naW5lMREwDwYDVQQLEwhTZXJ2aWNlczETMBEGA1UEChMK
+T3BlbkNvbmV4dDELMAkGA1UEBhMCTkwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCeVodghQwFR0pItxGaJ3LXHA+ZLy1w/TMaGDcJaszAZRWRkL/6djwb
+abR7TB45QN6dfKOFGzobQxG1Oksky3gz4Pki1BSzi/DwsjWCw+Yi40cYpYeg/XM0
+tvHKVorlsx/7Thm5WuC7rwytujr/lV7f6lavf/ApnLHnOORU2h0ZWctJiestapMa
+C5mc40msruWWp04axmrYICmTmGhEy7w0qO4/HLKjXtWbJh71GWtJeLzG5Hj04X44
+wI+D9PUJs9U3SYh9SCFZwq0v+oYeqajiX0JPzB+8aVOPmOOM5WqoT8OCddOM/Tls
+L/0PcxByGHsgJuWbWMI1PKlK3omR764PAgMBAAGjgagwgaUwHQYDVR0OBBYEFLow
+msUCD2CrHU0lich1DMkNppmLMHYGA1UdIwRvMG2AFLowmsUCD2CrHU0lich1DMkN
+ppmLoUqkSDBGMQ8wDQYDVQQDEwZFbmdpbmUxETAPBgNVBAsTCFNlcnZpY2VzMRMw
+EQYDVQQKEwpPcGVuQ29uZXh0MQswCQYDVQQGEwJOTIIJAPdqJ9JQKN6vMAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAIF9tGG1C9HOSTQJA5qL13y5Ad8G
+57bJjBfTjp/dw308zwagsdTeFQIgsP4tdQqPMwYmBImcTx6vUNdiwlIol7TBCPGu
+qQAHD0lgTkChCzWezobIPxjitlkTUZGHqn4Kpq+mFelX9x4BElmxdLj0RQV3c3Bh
+oW0VvJvBkqVKWkZ0HcUTQMlMrQEOq6D32jGh0LPCQN7Ke6ir0Ix5knb7oegND49f
+bLSxpdo5vSuxQd+Zn6nI1/VLWtWpdeHMKhiw2+/ArR9YM3cY8UwFQOj9Y6wI6gPC
+Gh/q1qv2HnngmnPrNzZik8XucGcf1Wm2zE4UIVYKW31T52mqRVDKRk8F3Eo=
+-----END CERTIFICATE-----
diff --git a/src/main/resources/openid-configuration-docker.json b/src/main/resources/openid-configuration-docker.json
new file mode 100644
index 00000000..d80cb741
--- /dev/null
+++ b/src/main/resources/openid-configuration-docker.json
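Review bot: The validity period encoded near the start of the new `engine.dev.openconext.local.default.pem` (the UTCTime pair in `MB4XDTE1MDQwMjE0MDE1NFoXDTI1MDQwMTE0MDE1NFow`) appears to run from 2015-04-02 to 2025-04-01, i.e. it is of the same vintage as the 2014–2024 certificate the previous patch removes for being obsolete. Because `idp.saml_assertion_signing_key` in the docker profile points at this file, the development environment will presumably stop accepting assertions once that date passes unless validation ignores expiry. A PEM file has nowhere to put a comment, so record the expiry and where a replacement comes from in the README or beside the profile key that references it.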
@@ -0,0 +1,70 @@
+{
+ "issuer": "https://connect.dev.openconext.local",
+ "authorization_endpoint": "https://connect.dev.openconext.local/oidc/authorize",
+ "token_endpoint": "https://connect.dev.openconext.local/oidc/token",
+ "userinfo_endpoint": "https://connect.dev.openconext.local/oidc/userinfo",
+ "introspect_endpoint": "https://connect.dev.openconext.local/oidc/introspect",
+ "jwks_uri": "https://connect.dev.openconext.local/oidc/certs",
+ "response_types_supported": [
+ "code",
+ "token",
+ "id_token",
+ "code token",
+ "code id_token",
+ "token id_token",
+ "code token id_token"
+ ],
+ "response_modes_supported": ["fragment", "query", "form_post"],
+ "grant_types_supported": [
+ "authorization_code",
+ "implicit",
+ "refresh_token",
+ "client_credentials"
+ ],
+ "subject_types_supported": ["public", "pairwise"],
+ "id_token_signing_alg_values_supported": ["RS256"],
+ "scopes_supported": [
+ "openid",
+ "groups",
+ "profile",
+ "email",
+ "address",
+ "phone"
+ ],
+ "token_endpoint_auth_methods_supported": [
+ "client_secret_basic",
+ "client_secret_post",
+ "client_secret_jwt",
+ "private_key_jwt"
+ ],
+ "claims_supported": [
+ "aud",
+ "nbf",
+ "iss",
+ "exp",
+ "iat",
+ "jti",
+ "nonce",
+ "at_hash",
+ "c_hash",
+ "s_hash",
+ "sub",
+ "edumember_is_member_of",
+ "eduperson_affiliation",
+ "eduperson_entitlement",
+ "eduperson_principal_name",
+ "eduperson_scoped_affiliation",
+ "email",
+ "family_name",
+ "given_name",
+ "name",
+ "nickname",
+ "preferred_username",
+ "schac_home_organization",
+ "schac_home_organization_type",
+ "schac_personal_unique_code",
+ "uids"
+ ],
+ "claims_parameter_supported": true,
+ "code_challenge_methods_supported": ["plain", "S256"]
+}
From 4e10f4c19b423bbb143d2d4277a1991b028ad415 Mon Sep 17 00:00:00 2001
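Review bot: The discovery document uses the key `introspect_endpoint`, whereas RFC 8414 registers the name `introspection_endpoint`; if this file is served to clients unchanged (the docker profile's `openid_configuration_path` points at it), standards-based clients will not find the endpoint under that key, so confirm it matches what the production `openid-configuration.json` publishes before relying on it. The document also advertises `implicit` in `grant_types_supported`, the `token`/`id_token` response types and the `plain` PKCE method, all of which the OAuth 2.0 Security BCP recommends against; mirroring production in a development profile is reasonable, but that choice belongs in the README next to this file so the list is not copied as a recommended baseline.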
From: Bart Geesink Date: Wed, 21 Feb 2024 14:18:06 +0100 Subject: [PATCH 07/10] GHA: Version updates for the docker build action --- .github/workflows/deploy.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 53a223da..ae0a76a8 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -4,6 +4,8 @@ on: push: tags: - "*" + workflow_dispatch: + jobs: deployment: @@ -13,18 +15,19 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Set up JDK 11 - uses: actions/setup-java@v1 + uses: actions/setup-java@v4 with: java-version: 11 + distribution: "temurin" server-id: openconext-releases server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD - name: Set up cache - uses: actions/cache@v1 + uses: actions/cache@v4 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} @@ -48,7 +51,7 @@ jobs: if: github.event_name != 'workflow_dispatch' && steps.versioncheck.outputs.version != github.ref_name - name: Set up JDK 11 for snapshots - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: "11" distribution: "temurin" @@ -59,7 +62,7 @@ jobs: if: ( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) - name: Set up JDK 11 for releases - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: "11" distribution: "temurin" @@ -76,10 +79,10 @@ jobs: MAVEN_PASSWORD: ${{ secrets.BUILD_PASSWORD }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} 
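Review bot: Every action touched by this patch is still referenced by a floating major tag (`docker/setup-buildx-action@v3` and `docker/login-action@v3` here, `actions/checkout@v4`, `actions/setup-java@v4` and `actions/cache@v4` in the earlier hunks), and `login-action` receives `secrets.GITHUB_TOKEN` in a job that holds `packages: write`. Pinning third-party actions to a full commit SHA with the version in a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha>  # v3`, keeps a tag moved upstream from silently changing the code that handles that token; Dependabot's `github-actions` ecosystem can keep such pins current. Since this patch is already a version-update pass, it is the natural place to switch to SHA pins.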
@@ -98,7 +101,7 @@ jobs: type=sha - name: Build and push the oidcng-server - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: . file: docker/Dockerfile From dc51e4eec5bbb0e9ca9abce268a60944c52734fb Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 21 Feb 2024 14:19:37 +0100 Subject: [PATCH 08/10] Change to SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7a3c16e4..1cfdf7ba 100644 --- a/pom.xml +++ b/pom.xml @@ -21,7 +21,7 @@ org.openconext oidcng - 6.1.12 + 6.1.13-SNAPSHOT oidcng From a90911206915b476b529a4f74abf2bcfb681c782 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 11 Mar 2024 14:15:55 +0100 Subject: [PATCH 09/10] Rename docker config to devconf config as this config is only used for the developement and integration testing --- .../{application-docker.yml => application-devconf.yml} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename src/main/resources/{application-docker.yml => application-devconf.yml} (87%) diff --git a/src/main/resources/application-docker.yml b/src/main/resources/application-devconf.yml similarity index 87% rename from src/main/resources/application-docker.yml rename to src/main/resources/application-devconf.yml index 99cf92dd..bcd1f1ed 100644 --- a/src/main/resources/application-docker.yml +++ b/src/main/resources/application-devconf.yml @@ -11,7 +11,7 @@ private_key_path: file:///config/saml.key certificate_path: file:///config/saml.crt default_acr_value: http://dev.openconext.local/assurance/loa1 secure_cookie: false -oidc_token_endpoint: https://dev.openconext.local/oidc/token +oidc_token_endpoint: https://connect.dev.openconext.local/oidc/token environment: SURFconext DEV features: 
@@ -26,8 +26,8 @@ sp: acs_location: https://connect.dev.openconext.local/login/saml2/sso/oidcng idp: - entity_id: https://dev.openconext.local/authentication/idp/metadata - sso_location: https://dev.openconext.local/authentication/idp/single-sign-on + entity_id: https://engine.dev.openconext.local/authentication/idp/metadata + sso_location: https://engine.dev.openconext.local/authentication/idp/single-sign-on saml_assertion_signing_key: classpath:/engine.dev.openconext.local.default.pem spring: From 202e3063c0e55b3be2fa91024e702a16505f5207 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 12 Mar 2024 10:51:12 +0100 Subject: [PATCH 10/10] Docker: Add :latest tag to production builds and :snapshot for snapshots --- .github/workflows/deploy.yml | 169 ++++++++++++++++++----------------- 1 file changed, 85 insertions(+), 84 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index ae0a76a8..90975dbb 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -5,7 +5,6 @@ on: tags: - "*" workflow_dispatch: - jobs: deployment: 
@@ -15,97 +14,99 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v4 - - name: Set up JDK 11 - uses: actions/setup-java@v4 - with: - java-version: 11 - distribution: "temurin" - server-id: openconext-releases - server-username: MAVEN_USERNAME - server-password: MAVEN_PASSWORD + - name: Set up JDK 11 + uses: actions/setup-java@v4 + with: + java-version: 11 + distribution: "temurin" + server-id: openconext-releases + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD - - name: Set up cache - uses: actions/cache@v4 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- + - name: Set up cache + uses: actions/cache@v4 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} + restore-keys: | + ${{ runner.os }}-maven- - - name: Determine the version - run: echo ::set-output name=version::$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) - id: versioncheck + - name: Determine the version + run: echo ::set-output name=version::$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) + id: versioncheck - - name: Exit when workflow_dispatch is triggered, and the version does not contain SNAPSHOT in it's name - run: | - echo "Only SNAPSHOT releases can be triggered with the workflow_dispatch" - exit 1 - if: github.event_name == 'workflow_dispatch' && ( !endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) + - name: Exit when workflow_dispatch is triggered, and the version does not contain SNAPSHOT in it's name + run: | + echo "Only SNAPSHOT releases can be triggered with the workflow_dispatch" + exit 1 + if: github.event_name == 'workflow_dispatch' && ( !endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) - - name: Exit when a production build is triggered, and the github tag is not the same as the version in 
pom.xml - run: | - echo "Project version ${{ steps.versioncheck.outputs.version }} does not match git tag ${{ github.ref_name }}" - exit 1 - if: github.event_name != 'workflow_dispatch' && steps.versioncheck.outputs.version != github.ref_name + - name: Exit when a production build is triggered, and the github tag is not the same as the version in pom.xml + run: | + echo "Project version ${{ steps.versioncheck.outputs.version }} does not match git tag ${{ github.ref_name }}" + exit 1 + if: github.event_name != 'workflow_dispatch' && steps.versioncheck.outputs.version != github.ref_name - - name: Set up JDK 11 for snapshots - uses: actions/setup-java@v4 - with: - java-version: "11" - distribution: "temurin" - cache: "maven" - server-id: openconext-snapshots - server-username: MAVEN_USERNAME - server-password: MAVEN_PASSWORD - if: ( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) + - name: Set up JDK 11 for snapshots + uses: actions/setup-java@v4 + with: + java-version: "11" + distribution: "temurin" + cache: "maven" + server-id: openconext-snapshots + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD + if: ( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) - - name: Set up JDK 11 for releases - uses: actions/setup-java@v4 - with: - java-version: "11" - distribution: "temurin" - cache: "maven" - server-id: openconext-releases - server-username: MAVEN_USERNAME - server-password: MAVEN_PASSWORD - if: ${{!( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) }} - - - name: Deploy with Maven - run: mvn --batch-mode deploy -DskipTests - env: - MAVEN_USERNAME: ${{ secrets.BUILD_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.BUILD_PASSWORD }} + - name: Set up JDK 11 for releases + uses: actions/setup-java@v4 + with: + java-version: "11" + distribution: "temurin" + cache: "maven" + server-id: openconext-releases + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD + if: ${{!( endsWith(steps.versioncheck.outputs.version, 
'-SNAPSHOT')) }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Deploy with Maven + run: mvn --batch-mode deploy -DskipTests + env: + MAVEN_USERNAME: ${{ secrets.BUILD_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.BUILD_PASSWORD }} - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: ghcr.io/openconext/openconext-oidcng/oidcng - flavor: | - latest=false - tags: | - type=ref,event=tag - type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }} - type=sha + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push the oidcng-server - uses: docker/build-push-action@v5 - with: - context: . - file: docker/Dockerfile - platforms: linux/amd64 - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/openconext/openconext-oidcng/oidcng + flavor: | + latest=false + tags: | + type=ref,event=tag + type=raw,event=tag,value=latest + type=raw,event=workflow_dispatch,value=snapshot + type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }} + type=sha + + - name: Build and push the oidcng-server + uses: docker/build-push-action@v5 + with: + context: . + file: docker/Dockerfile + platforms: linux/amd64 + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }}
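Review bot: The two new tag entries `type=raw,event=tag,value=latest` and `type=raw,event=workflow_dispatch,value=snapshot` attach an `event=` attribute to the `raw` type, but in `docker/metadata-action` the `event` attribute belongs to `type=ref`; `raw` is documented with `value`, `enable` and `priority` only, so I would expect these lines to be rejected as unknown attributes or, at best, applied unconditionally, which would put `:latest` on snapshot builds — the opposite of what the commit title intends (verify against the pinned v5). The documented form is `type=raw,value=latest,enable=${{ github.event_name != 'workflow_dispatch' }}` and `type=raw,value=snapshot,enable=${{ github.event_name == 'workflow_dispatch' }}`. Because the hunk re-indents every step in the job, this functional change is easy to overlook; a one-line comment above `tags:` stating the tagging policy per trigger would help reviewers and future edits.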