Improve OpenID Connect integration #21
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action is an integration test for OIDC workflow | |
| name: OpenID Connect Test | |
| on: | |
| push: | |
| branches: | |
| - '**' | |
| tags-ignore: | |
| - '**' | |
| # Triggers the workflow on labeled PRs only. | |
| pull_request_target: | |
| types: [ labeled ] | |
| # Ensures that only the latest commit is running for each PR at a time. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| id-token: write | |
| jobs: | |
| OIDC-Test: | |
| if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push' | |
| name: OIDC-Access integration test (${{ matrix.os }}) | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ ubuntu, windows, macos ] | |
| runs-on: ${{ matrix.os }}-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| # Generating a unique name for the Integration Configuration that will be created in the following step | |
| - name: Generate unique OIDC config name | |
| shell: bash | |
| run: echo "OIDC_CONFIG_NAME=oidc-integration-test-config-$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV | |
| - name: Create OpenID Connect integration | |
| shell: bash | |
| run: | | |
| curl -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc" -H "Content-Type: application/json" -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" -d '{ | |
| "name": "${{ env.OIDC_CONFIG_NAME }}", | |
| "issuer_url": "https://token.actions.githubusercontent.com/", | |
| "provider_type": "GitHub", | |
| "description": "This is a test configuration created for OIDC-Access integration test" }' | |
| - name: Set subject | |
| shell: bash | |
| run: | | |
| if [[ $GITHUB_EVENT_NAME == 'pull_request_target' ]]; then | |
| echo "SUB=repo:${{ github.repository_owner }}/setup-jfrog-cli:pull_request" >> "$GITHUB_ENV" | |
| else | |
| echo "SUB=repo:${{ github.repository_owner }}/setup-jfrog-cli:ref:${{ github.ref }}" >> "$GITHUB_ENV" | |
| fi | |
| - name: Create OIDC integration Identity Mapping | |
| shell: bash | |
| run: | | |
| curl -X POST ${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ env.OIDC_CONFIG_NAME }}/identity_mappings \ | |
| -H 'Content-Type: application/json' \ | |
| -H 'Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}' \ | |
| -d '{ | |
| "name": "oidc-test-identity-mapping", | |
| "priority": "1", | |
| "claims": { | |
| "sub": "${{ env.SUB }}", | |
| "iss": "https://token.actions.githubusercontent.com" | |
| }, | |
| "token_spec": { | |
| "scope": "applied-permissions/admin", | |
| "expires_in": 60 | |
| } | |
| }' | |
| - name: Setup JFrog CLI | |
| uses: ./ | |
| env: | |
| JF_URL: ${{ secrets.JFROG_PLATFORM_URL }} | |
| with: | |
| oidc-provider-name: ${{ env.OIDC_CONFIG_NAME }} | |
| - name: Test JFrog CLI | |
| run: | | |
| jf rt s "some-repo/" | |
| # Removing the OIDC integration will remove the Identity Mapping as well | |
| - name: Delete OIDC integration | |
| shell: bash | |
| if: always() | |
| run: | | |
| curl -X DELETE ${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ env.OIDC_CONFIG_NAME }} -H 'Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}' |