Merging to release-1.4: TT-10352 upgraded saml library and updated tib version (#341) #565
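# Generated by: gromit policy
# Generated on: Wed Jul 26 09:35:16 UTC 2023

# Distribution channels covered by this workflow
# - Ubuntu and Debian
# - RHEL and AL
# - docker hub
# - devenv ECR
# - AWS mktplace (not active atm)
# - Cloudsmith

# NOTE(review): every action below is referenced by a mutable tag (@v1..@v4)
# and the reusable SBOM workflow by a branch (@main). Pinning each `uses:` to
# a full commit SHA keeps a re-pointed tag from running with this workflow's
# signing, registry and cloud credentials.

name: Release

on:
  pull_request:
  push:
    branches:
      - master
      - release-**
    tags:
      - 'v*'

env:
  SLACK_CLI_TOKEN: ${{ secrets.BENDER_TOKEN }}
  GOPRIVATE: github.com/TykTechnologies

jobs:
  # Builds, signs and publishes the packages and images via goreleaser.
  # No job-level `permissions:` block is declared, so GITHUB_TOKEN carries the
  # repository/organisation default scopes.
  # NOTE(review): the release-asset steps presumably need `contents: write`;
  # declaring that explicitly would cap the token at what the job uses.
  goreleaser:
    name: '${{ matrix.golang_cross }}'
    runs-on: ubuntu-latest
    container: 'tykio/golang-cross:${{ matrix.golang_cross }}'
    strategy:
      fail-fast: false
      matrix:
        golang_cross: ['1.19-bullseye']
        include:
          - golang_cross: '1.19-bullseye'
            goreleaser: 'ci/goreleaser/goreleaser.yml'
            rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
            debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye'
    outputs:
      tag: ${{ steps.targets.outputs.tag }}

    steps:
      # Rewrites every https://github.com URL so private Go modules resolve
      # with the org token. The token is stored in the container's global git
      # config and stays readable by every later step of this job.
      - name: Fix private module deps
        env:
          TOKEN: '${{ secrets.ORG_GH_TOKEN }}'
        run: >
          git config --global url."https://${TOKEN}@github.com".insteadOf "https://github.com"

      - name: Checkout of tyk-identity-broker
        uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - name: "Add Git safe.directory"
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - uses: docker/setup-qemu-action@v2

      - uses: docker/setup-buildx-action@v2

      # Registry logins only happen for tag builds; branch and pull_request
      # runs reach goreleaser without registry credentials.
      - name: Login to DockerHub
        if: startsWith(github.ref, 'refs/tags')
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to Cloudsmith
        if: startsWith(github.ref, 'refs/tags')
        uses: docker/login-action@v2
        with:
          registry: docker.tyk.io
          username: ${{ secrets.CLOUDSMITH_USERNAME }}
          password: ${{ secrets.CLOUDSMITH_API_KEY }}

      # Hands the signing key and its passphrase to ci/bin/unlock-agent.sh on
      # every trigger (this step has no `if:`), then publishes the job's `tag`
      # output. `${GITHUB_REF##*/}` keeps only the last path segment of the
      # ref: `v1.2.3` for refs/tags/v1.2.3, `merge` for refs/pull/N/merge.
      # The value comes from a ref name, so downstream consumers should treat
      # it as untrusted text.
      - name: Unlock agent and set tag
        id: targets
        shell: bash
        env:
          NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
          GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20
          PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
        run: |
          ci/bin/unlock-agent.sh
          current_tag=${GITHUB_REF##*/}
          echo "tag=${current_tag}" >> "$GITHUB_OUTPUT"

      # Third-party action that receives the job's GITHUB_TOKEN.
      - name: Delete old release assets
        if: startsWith(github.ref, 'refs/tags')
        uses: mknejp/delete-release-assets@v1
        with:
          token: ${{ github.token }}
          tag: ${{ github.ref }}
          fail-if-no-assets: false
          fail-if-no-release: false
          assets: |
            *.deb
            *.rpm
            *.tar.gz
            *.txt.sig
            *.txt

      # Non-tag refs get `--snapshot` appended to the goreleaser arguments.
      # NOTE(review): `version: latest` resolves at run time, so the tool that
      # signs and publishes the packages is not pinned.
      - uses: goreleaser/goreleaser-action@v4
        with:
          version: latest
          args: release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot' || '' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CGO_ENABLED: '0'
          NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
          NFPM_PAYG_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
          GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20
          PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
          GOLANG_CROSS: ${{ matrix.golang_cross }}
          DEBVERS: ${{ matrix.debvers }}
          RPMVERS: ${{ matrix.rpmvers }}
          PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}

      # Packages are handed to the downstream jobs as short-lived artifacts;
      # PAYG builds are excluded from both uploads.
      - uses: actions/upload-artifact@v3
        with:
          name: deb
          retention-days: 1
          path: |
            dist/*.deb
            !dist/*PAYG*.deb

      - uses: actions/upload-artifact@v3
        with:
          name: rpm
          retention-days: 1
          path: |
            dist/*.rpm
            !dist/*PAYG*.rpm

  # Builds the multi-arch image from the .deb artifact and pushes it to ECR
  # using an OIDC-assumed role (no long-lived AWS keys). The job has no `if:`
  # guard, so it is scheduled for pull_request events as well as pushes.
  ci:
    needs:
      - goreleaser
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # This is required for requesting the JWT
      contents: read   # This is required for actions/checkout

    steps:
      - name: Shallow checkout of tyk-identity-broker
        uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
          role-session-name: cipush
          aws-region: eu-central-1

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - uses: actions/download-artifact@v3
        with:
          name: deb

      - name: Docker metadata
        id: metadata
        uses: docker/metadata-action@v4
        with:
          images: ${{ steps.login-ecr.outputs.registry }}/tyk-identity-broker
          flavor: |
            latest=false
            prefix=v
          tags: |
            type=semver,pattern=v{{version}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}}
            type=ref,event=branch

      - uses: docker/setup-qemu-action@v2

      - uses: docker/setup-buildx-action@v2

      # Besides the metadata tags, the image is tagged with the goreleaser
      # job's `tag` output and with the commit SHA.
      - name: CI build
        uses: docker/build-push-action@v4
        with:
          push: true
          context: "."
          file: ci/Dockerfile.std
          platforms: linux/amd64,linux/arm64
          tags: |
            ${{ steps.metadata.outputs.tags }}
            ${{ steps.login-ecr.outputs.registry }}/tyk-identity-broker:${{ needs.goreleaser.outputs.tag }}
            ${{ steps.login-ecr.outputs.registry }}/tyk-identity-broker:${{ github.sha }}

  # Calls a reusable workflow at the mutable `main` branch and passes it four
  # secrets. NOTE(review): pin the ref to a commit SHA so a change on `main`
  # cannot start receiving these secrets unreviewed.
  sbom:
    needs: ci
    uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main
    secrets:
      TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
      DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
      DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
      ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}

  # Upgrade test: install the published 1.1.0 package, then the freshly built
  # .deb on top of it. The image is built with `push: false` and discarded.
  upgrade-deb:
    if: startsWith(github.ref, 'refs/tags')
    services:
      httpbin.org:
        image: kennethreitz/httpbin
    runs-on: ubuntu-latest
    needs: goreleaser
    strategy:
      fail-fast: false
      matrix:
        arch:
          - amd64
          - arm64
        distro:
          - ubuntu:bionic
          - ubuntu:focal
          - debian:bullseye

    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - uses: actions/download-artifact@v3
        with:
          name: deb

      - uses: docker/setup-qemu-action@v2

      - uses: docker/setup-buildx-action@v2

      # The generated Dockerfile pipes the packagecloud setup script straight
      # into bash without verifying it, and `dpkg -i` performs no signature
      # check on the new package; this is tolerable only because the result is
      # a throwaway test image.
      - name: generate dockerfile
        run: |
          echo 'FROM ${{ matrix.distro }}
          ARG TARGETARCH
          COPY tyk-identity-broker*_${TARGETARCH}.deb /tyk-identity-broker.deb
          RUN apt-get update && apt-get install -y curl
          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-identity-broker/script.deb.sh | bash && apt-get install -y tyk-identity-broker=1.1.0
          RUN dpkg -i tyk-identity-broker.deb
          ' > Dockerfile

      - name: install on ${{ matrix.distro }}
        uses: docker/build-push-action@v4
        with:
          context: "."
          platforms: linux/${{ matrix.arch }}
          file: Dockerfile
          push: false

  # Same upgrade test for the x86_64 .rpm, with a signature check before the
  # upgrade.
  upgrade-rpm:
    if: startsWith(github.ref, 'refs/tags')
    services:
      httpbin.org:
        image: kennethreitz/httpbin
    needs: goreleaser
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        distro:
          - ubi8/ubi

    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1

      - uses: actions/download-artifact@v3
        with:
          name: rpm

      - uses: docker/setup-buildx-action@v2

      # The signing key is downloaded over HTTPS and imported as-is, so
      # `rpm --checksig` proves the package matches whatever key that URL
      # served. NOTE(review): comparing the imported key's fingerprint with a
      # value pinned in this repository would make the check independent of
      # the key server.
      - name: generate dockerfile
        run: |
          echo 'FROM registry.access.redhat.com/${{ matrix.distro }}
          COPY tyk-identity-broker*.x86_64.rpm /tyk-identity-broker.rpm
          RUN yum install --allowerasing -y curl
          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-identity-broker/script.rpm.sh | bash && yum install -y tyk-identity-broker-1.1.0-1
          RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-identity-broker.key && rpm --import tyk-identity-broker.key
          RUN rpm --checksig tyk-identity-broker.rpm
          RUN rpm -Uvh --force tyk-identity-broker.rpm
          ' > Dockerfile

      - name: install on ${{ matrix.distro }}
        uses: docker/build-push-action@v4
        with:
          context: "."
          file: Dockerfile
          push: false

  # Runs every ci/tests/*/test.sh and smoke-tests/*/test.sh with the release
  # tag as the only argument.
  smoke-tests:
    if: startsWith(github.ref, 'refs/tags')
    needs:
      - goreleaser
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1

      # The tag is handed to the script through the environment rather than
      # expanded by the `${{ }}` template into the script text: it is derived
      # from a git ref name, and as an environment variable it is always
      # treated as data by the shell.
      - name: Run tests
        shell: bash
        env:
          GITHUB_TAG: ${{ github.ref }}
          RELEASE_TAG: ${{ needs.goreleaser.outputs.tag }}
        run: |
          set -eaxo pipefail
          # Workflow commands need the `::` separator before the message,
          # otherwise the line is printed as plain text.
          if [ ! -d smoke-tests ]; then
              echo "::warning::No repo specific smoke tests defined"
          fi
          if [ ! -d ci/tests ]; then
              echo "::warning::No ci tests defined"
              exit 0
          fi
          for d in ci/tests/*/
          do
              echo Attempting to test "$d"
              if [ -d "$d" ] && [ -e "$d/test.sh" ]; then
                  cd "$d"
                  ./test.sh "$RELEASE_TAG"
                  cd -
              fi
          done
          for d in smoke-tests/*/
          do
              echo Attempting to test "$d"
              if [ -d "$d" ] && [ -e "$d/test.sh" ]; then
                  cd "$d"
                  ./test.sh "$RELEASE_TAG"
                  cd -
              fi
          done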