Skip to content

TT-11298 added possibilit to fill the state by url or form encoded body #389 #967

TT-11298 added possibilit to fill the state by url or form encoded body #389

TT-11298 added possibilit to fill the state by url or form encoded body #389 #967

Workflow file for this run

# yamllint disable rule:line-length rule:truthy
name: Release
# Generated by: gromit policy
# Distribution channels covered by this workflow
# - Ubuntu and Debian
# - RHEL and AL
# - docker hub
# - devenv ECR
# - Cloudsmith
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
on:
# Trigger release every monday at midnight for master CI images
schedule:
- cron: "0 0 * * 1"
pull_request:
push:
branches:
- master
- release-**
tags:
- 'v*'
env:
GOPRIVATE: github.com/TykTechnologies
VARIATION: inverted
DOCKER_BUILD_SUMMARY: false
DOCKER_BUILD_RECORD_UPLOAD: false
# startsWith covers pull_request_target too
BASE_REF: ${{startsWith(github.event_name, 'pull_request') && github.base_ref || github.ref_name}}
jobs:
goreleaser:
if: github.event.pull_request.draft == false
name: '${{ matrix.golang_cross }}'
runs-on: ubuntu-latest-m
permissions:
id-token: write # AWS OIDC JWT
contents: read # actions/checkout
strategy:
fail-fast: false
matrix:
golang_cross:
- 1.21-bookworm
include:
- golang_cross: 1.21-bookworm
goreleaser: 'ci/goreleaser/goreleaser.yml'
cgo: 0
rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye debian/bookworm'
outputs:
tags: ${{ steps.ci_metadata.outputs.tags }}
commit_author: ${{ steps.set_outputs.outputs.commit_author}}
steps:
- name: Checkout of tyk-identity-broker
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Set some outputs for later
id: set_outputs
shell: bash
env:
HEAD_REF: ${{github.head_ref}}
run: |
echo "commit_author=$(git show -s --format='%ae' HEAD)" >> $GITHUB_OUTPUT
echo "branch=${HEAD_REF##*/}" >> $GITHUB_OUTPUT
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
if: startsWith(github.ref, 'refs/tags')
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Cloudsmith
if: startsWith(github.ref, 'refs/tags')
uses: docker/login-action@v3
with:
registry: docker.tyk.io
username: ${{ secrets.CLOUDSMITH_USERNAME }}
password: ${{ secrets.CLOUDSMITH_API_KEY }}
- uses: actions/cache@v4
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Build
env:
NFPM_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
run: |
echo '#!/bin/sh
ci/bin/unlock-agent.sh
git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com"
git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk-identity-broker
goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign' || '' }}' | tee /tmp/build.sh
chmod +x /tmp/build.sh
docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \
-e GOPRIVATE=github.com/TykTechnologies \
-e DEBVERS='${{ matrix.debvers }}' \
-e RPMVERS='${{ matrix.rpmvers }}' \
-e CGO_ENABLED=${{ matrix.cgo }} \
-e NFPM_PASSPHRASE="$NFPM_PASSPHRASE" \
-e GPG_FINGERPRINT=12B5D62C28F57592D1575BD51ED14C59E37DAC20 \
-e PKG_SIGNING_KEY="$PKG_SIGNING_KEY" \
-e PACKAGECLOUD_TOKEN=$PACKAGECLOUD_TOKEN \
-v ${{github.workspace}}:/go/src/github.com/TykTechnologies/tyk-identity-broker \
-v /var/run/docker.sock:/var/run/docker.sock \
-v ~/.docker/config.json:/root/.docker/config.json \
-e GOCACHE=/cache/go-build \
-e GOMODCACHE=/go/pkg/mod \
-v ~/go/pkg/mod:/go/pkg/mod \
-v ~/.cache/go-build:/cache/go-build \
-v /tmp/build.sh:/tmp/build.sh \
-w /go/src/github.com/TykTechnologies/tyk-identity-broker \
tykio/golang-cross:${{ matrix.golang_cross }} /tmp/build.sh
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
role-session-name: cipush
aws-region: eu-central-1
# Don't mask to pass it across job boundaries
mask-aws-account-id: false
- uses: aws-actions/amazon-ecr-login@v2
id: ecr
if: ${{ matrix.golang_cross == '1.21-bookworm' }}
with:
mask-password: 'true'
- name: Docker metadata for CI
id: ci_metadata
if: ${{ matrix.golang_cross == '1.21-bookworm' }}
uses: docker/metadata-action@v5
with:
images: ${{ steps.ecr.outputs.registry }}/tyk-identity-broker
flavor: |
latest=false
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,format=long
type=semver,pattern={{major}},prefix=v
type=semver,pattern={{major}}.{{minor}},prefix=v
type=semver,pattern={{version}},prefix=v
- name: push image to CI
if: ${{ matrix.golang_cross == '1.21-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
platforms: linux/amd64,linux/arm64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
tags: ${{ steps.ci_metadata.outputs.tags }}
labels: ${{ steps.tag_metadata.outputs.labels }}
- name: Docker metadata for tag push
id: tag_metadata
uses: docker/metadata-action@v5
with:
images: |
tykio/tyk-identity-broker
docker.tyk.io/tyk-identity-broker/tyk-identity-broker
flavor: |
latest=false
prefix=v
tags: |
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{version}}
labels: "org.opencontainers.image.title=tyk-identity-broker (distroless) \norg.opencontainers.image.description=Tyk Authentication Proxy for third-party login\norg.opencontainers.image.vendor=tyk.io\norg.opencontainers.image.version=${{ github.ref_name }}\n"
- name: push image to prod
if: ${{ matrix.golang_cross == '1.21-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
platforms: linux/amd64,linux/arm64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
push: ${{ startsWith(github.ref, 'refs/tags') }}
tags: ${{ steps.tag_metadata.outputs.tags }}
labels: ${{ steps.tag_metadata.outputs.labels }}
- name: save deb
uses: actions/upload-artifact@v4
if: ${{ matrix.golang_cross == '1.21-bookworm' }}
with:
name: deb
retention-days: 1
path: |
dist/*.deb
!dist/*PAYG*.deb
!dist/*fips*.deb
- name: save rpm
uses: actions/upload-artifact@v4
if: ${{ matrix.golang_cross == '1.21-bookworm' }}
with:
name: rpm
retention-days: 1
path: |
dist/*.rpm
!dist/*PAYG*.rpm
!dist/*fips*.rpm
test-controller-distros:
if: github.event.pull_request.draft == false
needs:
- goreleaser
runs-on: ubuntu-latest
outputs:
deb: ${{ steps.params.outputs.deb }}
rpm: ${{ steps.params.outputs.rpm }}
steps:
- name: set params
id: params
shell: bash
env:
# startsWith covers pull_request_target too
BASE_REF: ${{startsWith(github.event_name, 'pull_request') && github.base_ref || github.ref_name}}
run: |
set -eo pipefail
curl -s --retry 5 --retry-delay 10 --fail-with-body "http://tui.internal.dev.tyk.technology/v2/$VARIATION/tyk-identity-broker/$BASE_REF/${{ github.event_name}}/api/Distros.gho" | tee -a "$GITHUB_OUTPUT"
if ! [[ $VARIATION =~ prod ]];then
echo "::warning file=.github/workflows/release.yml,line=24,col=1,endColumn=8::Using test variation"
fi
upgrade-deb:
services:
httpbin.org:
image: kennethreitz/httpbin
runs-on: ubuntu-latest
needs:
- test-controller-distros
strategy:
fail-fast: true
matrix:
arch:
- amd64
- arm64
distro: ${{ fromJson(needs.test-controller-distros.outputs.deb) }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
sparse-checkout: ci
- uses: actions/download-artifact@v4
with:
name: deb
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: generate dockerfile
run: |
echo 'FROM ${{ matrix.distro }}
ARG TARGETARCH
COPY tyk-identity-broker*_${TARGETARCH}.deb /tyk-identity-broker.deb
RUN apt-get update && apt-get install -y curl
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-identity-broker/script.deb.sh | bash && apt-get install -y tyk-identity-broker=1.1.0
RUN dpkg -i /tyk-identity-broker.deb
' | tee Dockerfile
- name: install on ${{ matrix.distro }}
uses: docker/build-push-action@v6
with:
context: "."
platforms: linux/${{ matrix.arch }}
build-args: |
RHELARCH=${{ startsWith(matrix.arch, 'arm64') && 'aarch64' || 'x86_64' }}
cache-from: type=gha
cache-to: type=gha,mode=max
file: Dockerfile
push: false
upgrade-rpm:
services:
httpbin.org:
image: kennethreitz/httpbin
runs-on: ubuntu-latest
needs:
- test-controller-distros
strategy:
fail-fast: true
matrix:
arch:
- amd64
- arm64
distro: ${{ fromJson(needs.test-controller-distros.outputs.rpm) }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
sparse-checkout: ci
- uses: actions/download-artifact@v4
with:
name: rpm
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: generate dockerfile
run: |
echo 'FROM ${{ matrix.distro }}
ARG RHELARCH
COPY tyk-identity-broker*.${RHELARCH}.rpm /tyk-identity-broker.rpm
RUN command -v curl || yum install -y curl
RUN command -v useradd || yum install -y shadow-utils
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-identity-broker/script.rpm.sh | bash && yum install -y tyk-identity-broker-1.1.0-1
RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-identity-broker.key && rpm --import tyk-identity-broker.key
RUN rpm --checksig /tyk-identity-broker.rpm
RUN rpm -Uvh --force /tyk-identity-broker.rpm
' | tee Dockerfile
- name: install on ${{ matrix.distro }}
uses: docker/build-push-action@v6
with:
context: "."
platforms: linux/${{ matrix.arch }}
build-args: |
RHELARCH=${{ startsWith(matrix.arch, 'arm64') && 'aarch64' || 'x86_64' }}
cache-from: type=gha
cache-to: type=gha,mode=max
file: Dockerfile
push: false
sbom:
needs: goreleaser
uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main
secrets:
DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}