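# This action is an integration test for OIDC workflow
name: OpenID Connect Test
on:
  # Runs on every branch push; tag pushes are ignored.
  push:
    branches:
      - '**'
    tags-ignore:
      - '**'
  # Triggers the workflow on labeled PRs only. pull_request_target runs with the
  # base repository's secrets, so the job below is additionally gated on the
  # 'safe to test' label, and a new commit needs the label re-applied to run.
  pull_request_target:
    types: [labeled]
# Ensures that only the latest commit is running for each PR at a time.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}
  cancel-in-progress: true
# Only the OIDC token is requested; every other GITHUB_TOKEN scope is left at `none`.
permissions:
  id-token: write
jobs:
  OIDC-Test:
    if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push'
    name: OIDC-Access integration test (${{ matrix.os }})
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu, windows, macos]
    runs-on: ${{ matrix.os }}-latest
    steps:
      # No `ref` is given, so on pull_request_target this checks out the base
      # branch; `uses: ./` further down therefore runs the action code from the
      # base branch rather than from the PR head.
      - name: Checkout Repository
        uses: actions/checkout@v4
      # Generating a unique name for the Integration Configuration that will be created in the following step
      - name: Generate unique OIDC config name
        shell: bash
        run: echo "OIDC_CONFIG_NAME=oidc-integration-test-config-$(date +%Y%m%d%H%M%S)" >> "$GITHUB_ENV"
      # `--fail` turns a non-2xx response into a step failure here, instead of
      # surfacing later as an unrelated error in the 'Setup JFrog CLI' step.
      - name: Create OpenID Connect integration
        shell: bash
        run: |
          curl --fail -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc" \
            -H 'Content-Type: application/json' \
            -H 'Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}' \
            -d '{
              "name": "${{ env.OIDC_CONFIG_NAME }}",
              "issuer_url": "https://token.actions.githubusercontent.com/",
              "provider_type": "GitHub",
              "description": "This is a test configuration created for OIDC-Access integration test"
            }'
      # The subject is the `sub` claim the identity mapping below must match.
      # Default environment variables are read instead of ${{ }} expressions so
      # that the ref name is never spliced into the script as shell source.
      - name: Set subject
        shell: bash
        run: |
          if [[ "$GITHUB_EVENT_NAME" == 'pull_request_target' ]]; then
            echo "SUB=repo:${GITHUB_REPOSITORY_OWNER}/setup-jfrog-cli:pull_request" >> "$GITHUB_ENV"
          else
            echo "SUB=repo:${GITHUB_REPOSITORY_OWNER}/setup-jfrog-cli:ref:${GITHUB_REF}" >> "$GITHUB_ENV"
          fi
      # Maps the subject above to a short-lived (60 s) token. The
      # `applied-permissions/admin` scope is broad; a narrower scope would be
      # preferable if the search in 'Test JFrog CLI' only needs read access.
      - name: Create OIDC integration Identity Mapping
        shell: bash
        run: |
          curl --fail -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ env.OIDC_CONFIG_NAME }}/identity_mappings" \
            -H 'Content-Type: application/json' \
            -H 'Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}' \
            -d '{
              "name": "oidc-test-identity-mapping",
              "priority": "1",
              "claims": {
                "sub": "${{ env.SUB }}",
                "iss": "https://token.actions.githubusercontent.com"
              },
              "token_spec": {
                "scope": "applied-permissions/admin",
                "expires_in": 60
              }
            }'
      # Exercises the action from this checkout against the configuration created above.
      - name: Setup JFrog CLI
        uses: ./
        env:
          JF_URL: ${{ secrets.JFROG_PLATFORM_URL }}
        with:
          oidc-provider-name: ${{ env.OIDC_CONFIG_NAME }}
      - name: Test JFrog CLI
        run: |
          jf rt s "some-repo/"
      # Removing the OIDC integration will remove the Identity Mapping as well.
      # Runs even when an earlier step failed so the test configuration is not
      # left behind on the platform; `--fail` makes a failed cleanup visible.
      - name: Delete OIDC integration
        shell: bash
        if: always()
        run: |
          curl --fail -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ env.OIDC_CONFIG_NAME }}" \
            -H 'Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}'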