feat(core): KID in NanoTDF Policy Key Access #4416

Workflow file for this run

.github/workflows/checks.yaml at 0c348c8

	name: "Checks"

	env:
	IS_RELEASE_BRANCH: ${{ startsWith(github.head_ref, 'release-please-') }}

	on:
	pull_request:
	push:
	branches:
	- main
	merge_group:
	branches:
	- main
	types:
	- checks_requested

	jobs:
	pr:
	name: Validate PR title
	if: contains(fromJSON('["pull_request", "pull_request_target"]'), github.event_name)
	runs-on: ubuntu-22.04
	permissions:
	pull-requests: read
	steps:
	- uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	# Types include:
	# - fix: fixes
	# - feat: features and enhancements
	# - chore: non-feature or enhancement (i.e. docs, ci, linting, automated, etc)
	types: \|
	fix
	feat
	chore
	refactor
	revert
	# Scopes include:
	# - main: used for automated releases
	# - core: related to any core need such as the core service or monorepo
	# - ci: anything related to ci
	# - docs: anything related solely to documentation
	# - sdk: related to sdk changes in the /sdk directory
	# - policy: related to policy service changes (i.e. /service/policy)
	# - kas: related to key access service changes (i.e. /service/kas)
	# - authz: related to the authorization service changes (i.e. /service/authorization)
	scopes: \|
	main
	core
	ci
	docs
	sdk
	policy
	kas
	authz
	examples

	go:
	runs-on: ubuntu-22.04
	permissions:
	checks: write
	contents: read
	pull-requests: read
	strategy:
	matrix:
	directory:
	- examples
	- sdk
	- service
	- lib/ocrypto
	- lib/fixtures
	- lib/flattening
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
	with:
	fetch-depth: 0
	- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
	with:
	go-version: "1.22.5"
	check-latest: false
	cache-dependency-path: \|
	examples/go.sum
	protocol/go/go.sum
	sdk/go.sum
	service/go.sum
	- if: env.IS_RELEASE_BRANCH == 'true'
	name: prevent depending on unreleased upstream changes
	run: ./.github/scripts/work-init.sh
	- if: github.head_ref == format('release-please--branches--main--components--{0}', matrix.directory)
	name: prevent tagging with replace directives
	run: go mod edit --json \| jq -e '.Replace \| not'
	working-directory: ${{ matrix.directory }}
	- run: go mod download
	working-directory: ${{ matrix.directory }}
	- run: go mod verify
	working-directory: ${{ matrix.directory }}
	- run: go work use .
	if: env.IS_RELEASE_BRANCH == 'true'
	working-directory: ${{ matrix.directory }}
	- name: golangci-lint
	uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64
	with:
	version: v1.59
	working-directory: ${{ matrix.directory }}
	skip-cache: true
	args: --out-format=colored-line-number
	- name: Install softHSM
	if: matrix.directory == 'service'
	run: \|-
	sudo apt-get install -y softhsm opensc openssl
	sudo chmod +x /etc/softhsm
	sudo chmod +r /etc/softhsm/softhsm2.conf
	mkdir -p $(pwd)/.tmp/tokens
	echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf
	echo "log.level = DEBUG" >> softhsm2.conf
	echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV"
	- if: matrix.directory == 'service'
	run: .github/scripts/init-temp-keys.sh --hsm
	- run: go test ./... -short
	working-directory: ${{ matrix.directory }}
	- if: matrix.directory == 'service'
	run: go test ./service/integration -race -failfast
	- name: check go fmt and go mod tidy
	run: \|-
	go mod tidy
	go fmt ./...
	git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum"
	working-directory: ${{ matrix.directory }}
	- run: git diff
	- run: git diff-files --ignore-submodules
	- name: Check that files have been formatted before PR submission; see above for error details
	run: git diff-files --quiet --ignore-submodules
	if: env.IS_RELEASE_BRANCH == 'false'

	integration:
	name: integration tests
	runs-on: ubuntu-22.04
	strategy:
	matrix:
	crypto:
	- standard
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
	- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
	with:
	go-version: "1.22.5"
	check-latest: false
	cache-dependency-path: \|
	service/go.sum
	examples/go.sum
	protocol/go/go.sum
	sdk/go.sum
	- if: env.IS_RELEASE_BRANCH == 'true'
	run: ./.github/scripts/work-init.sh
	- run: go mod download
	- run: go mod verify
	- name: Install softHSM
	if: matrix.crypto == 'hsm'
	run: \|-
	sudo apt-get install -y softhsm opensc openssl
	sudo chmod +x /etc/softhsm
	sudo chmod +r /etc/softhsm/softhsm2.conf
	mkdir -p $(pwd)/.tmp/tokens
	echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf
	echo "log.level = DEBUG" >> softhsm2.conf
	echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV"
	- run: \|
	.github/scripts/init-temp-keys.sh --hsm
	cp opentdf-with-hsm.yaml opentdf.yaml
	if: matrix.crypto == 'hsm'
	- run: \|
	.github/scripts/init-temp-keys.sh
	cp opentdf-dev.yaml opentdf.yaml
	if: matrix.crypto == 'standard'
	- name: Added Trusted Certs
	run: \|
	sudo chmod -R 777 ./keys
	sudo apt-get install -y ca-certificates
	sudo cp ./keys/localhost.crt /usr/local/share/ca-certificates
	sudo update-ca-certificates
	- run: docker compose up -d --wait --wait-timeout 240
	- run: go run ./service provision keycloak
	- run: go run ./service provision fixtures
	- uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635
	name: start server in background
	with:
	run: >
	go build -o opentdf ${{ matrix.crypto == 'hsm' && '--tags=opentdf.hsm' \|\| '' }} -v service/main.go
	&& .github/scripts/watch.sh opentdf.yaml ./opentdf start
	wait-on: \|
	tcp:localhost:8080
	log-output-if: true
	wait-for: 90s
	- run: go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.8.9
	- name: Setup Bats and bats libs
	uses: bats-core/bats-action@2.0.0
	- run: test/service-start.bats
	- run: test/tdf-roundtrips.bats
	- run: test/policy-service.bats
	- name: create roundtrip test data and run tests
	run: go test ./service/rttests -v
	- name: enable static entitlements rego policy
	run: yq eval '.services.authorization.rego.path = "./test/rego/static-entitlements.rego"' -i opentdf.yaml
	- run: sleep 30
	- name: validate static rego policy
	run: test/rego/static-entitlements.bats
	- name: enable custom entity rego policy
	run: yq eval '.services.authorization.rego.path = "./test/rego/custom-entity.rego"' -i opentdf.yaml
	- run: sleep 30
	- name: validate custom entity rego policy
	run: test/rego/custom-entity.bats

	image:
	name: image build
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
	- uses: docker/setup-buildx-action@v3
	- uses: docker/build-push-action@v6.3.0
	with:
	context: .
	file: ./Dockerfile
	push: false

	buflint:
	name: Protocol Buffer Lint and Gencode Up-to-date check
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
	- uses: bufbuild/buf-setup-action@35c243d7f2a909b1d4e40399b348a7fdab27d78d
	- uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325
	with:
	input: service
	- uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba
	with:
	input: service
	against: "https://github.com/opentdf/platform.git#branch=main,subdir=service"
	- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
	with:
	go-version: "1.22.5"
	check-latest: false
	cache-dependency-path: \|
	service/go.sum
	protocol/go/go.sum
	sdk/go.sum
	examples/go.sum
	- run: cd service && go get github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc
	- run: cd service && go install github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc
	- run: make proto-generate
	- name: Restore go.mod after installing protoc-gen-doc
	run: git restore {service,protocol/go}/go.{mod,sum}
	- name: validate go mod tidy
	run: \|-
	cd protocol/go
	go mod tidy
	git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum"
	- run: git diff
	- run: git diff-files --ignore-submodules
	- name: Check that make proto-generate has run before PR submission; see above for error details
	run: git diff-files --quiet --ignore-submodules

	ci:
	needs:
	- buflint
	- go
	- image
	- integration
	- license
	- pr
	runs-on: ubuntu-latest
	if: always()
	steps:
	- if: contains(needs.*.result, 'failure')
	run: echo "Failed due to ${{ contains(needs.*.result, 'failure') }}" && exit 1

	license:
	name: license check
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
	- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
	with:
	go-version: "1.22.5"
	check-latest: false
	cache: false
	- name: install go-licenses
	run: go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
	- name: check service licenses
	run: >
	go-licenses check --disallowed_types=forbidden --include_tests
	./service
	- name: check sdk licenses
	run: >
	go-licenses check --disallowed_types=forbidden --include_tests
	./sdk
	- name: check examples licenses
	run: >
	go-licenses check --disallowed_types=forbidden --include_tests
	./examples

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(core): KID in NanoTDF Policy Key Access #4416

Workflow file

feat(core): KID in NanoTDF Policy Key Access #4416

Jobs

Run details

Workflow file for this run