Add read/write mutex for refreshing access token #18
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
pull_request: | |
branches: | |
- master | |
types: [opened,synchronize] | |
paths: | |
- '**.go' | |
workflow_dispatch: | |
name: Vault & OpenBao Acceptance Tests | |
jobs: | |
acceptance-tests-matrix: | |
name: ${{ matrix.cli }} | |
runs-on: ubuntu-latest | |
continue-on-error: false | |
environment: development | |
strategy: | |
fail-fast: true | |
matrix: | |
cli: [vault, bao] | |
outputs: | |
artifactory_version: ${{ steps.run_artifactory_container.outputs.version }} | |
openbao_version: ${{ steps.get_bao_cli_version.outputs.version }} | |
vault_version: ${{ steps.get_vault_cli_version.outputs.version }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Unshallow | |
run: git fetch --prune --unshallow | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.22 | |
- name: Install Helm | |
uses: azure/setup-helm@v4.2.0 | |
- name: Install GoReleaser | |
uses: goreleaser/goreleaser-action@v6 | |
with: | |
install-only: true | |
- name: Install Vault binary | |
uses: eLco/setup-vault@v1 | |
if: ${{ matrix.cli == 'vault' }} | |
- name: Get Vault CLI version | |
id: get_vault_cli_version | |
if: ${{ matrix.cli == 'vault' }} | |
run: | | |
VAULT_VERSION=$(vault version | cut -d ' ' -f 2) | |
echo $VAULT_VERSION | |
echo "version=$VAULT_VERSION" >> "$GITHUB_OUTPUT" | |
- name: Install OpenBoa binary | |
if: ${{ matrix.cli == 'bao' }} | |
run: | | |
wget -nv -O ${{ runner.temp }}/bao_2.0.0_linux_amd64.deb https://github.com/openbao/openbao/releases/download/v2.0.0/bao_2.0.0_linux_amd64.deb | |
sudo dpkg -i ${{ runner.temp }}/bao_2.0.0_linux_amd64.deb | |
- name: Get OpenBao CLI version | |
id: get_bao_cli_version | |
if: ${{ matrix.cli == 'bao' }} | |
run: | | |
BAO_VERSION=$(bao version | cut -d ' ' -f 2) | |
echo $BAO_VERSION | |
echo "version=$BAO_VERSION" >> "$GITHUB_OUTPUT" | |
- name: Run Vault Dev server | |
if: ${{ matrix.cli == 'vault' }} | |
run: | | |
docker run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=root' -d --rm --name=dev-vault -p 8200:8200 hashicorp/vault | |
export VAULT_SERVER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.Gateway}}{{end}}' dev-vault) | |
echo "VAULT_ADDR=http://$VAULT_SERVER_IP:8200" >> "$GITHUB_ENV" | |
echo "VAULT_TOKEN=root" >> "$GITHUB_ENV" | |
- name: Run Bao Dev server | |
if: ${{ matrix.cli == 'bao' }} | |
run: | | |
docker run --cap-add=IPC_LOCK -e 'BAO_DEV_ROOT_TOKEN_ID=root' -d --rm --name=dev-bao -p 8200:8200 quay.io/openbao/openbao server -dev | |
export VAULT_SERVER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.Gateway}}{{end}}' dev-bao) | |
echo "VAULT_ADDR=http://$VAULT_SERVER_IP:8200" >> "$GITHUB_ENV" | |
echo "VAULT_TOKEN=root" >> "$GITHUB_ENV" | |
- name: Create Artifactory data directories and copy data | |
env: | |
ARTIFACTORY_LICENSE: ${{ secrets.ARTIFACTORY_LICENSE }} | |
run: | | |
mkdir -p ${{ runner.temp }}/artifactory/extra_conf | |
mkdir -p ${{ runner.temp }}/artifactory/var/etc | |
echo $ARTIFACTORY_LICENSE > ${{ runner.temp }}/artifactory/extra_conf/artifactory.lic | |
cp ${{ github.workspace }}/scripts/system.yaml ${{ runner.temp }}/artifactory/var/etc/system.yaml | |
sudo chown -R 1030:1030 ${{ runner.temp }}/artifactory/var | |
- name: Run Artifactory container | |
id: run_artifactory_container | |
run: | | |
echo "Get latest Artifactory image tag" | |
helm repo add artifactory https://charts.jfrog.io | |
helm repo update | |
ARTIFACTORY_VERSION=$(helm search repo | grep "artifactory " | awk '{$1=$1};1' | cut -f3 -d " ") | |
echo "version=$ARTIFACTORY_VERSION" >> "$GITHUB_OUTPUT" | |
echo "Start up Artifactory container" | |
docker run -i --name artifactory -d --rm \ | |
-v ${{ runner.temp }}/artifactory/extra_conf:/artifactory_extra_conf \ | |
-v ${{ runner.temp }}/artifactory/var:/var/opt/jfrog/artifactory \ | |
-p 8081:8081 -p 8082:8082 \ | |
releases-docker.jfrog.io/jfrog/artifactory-pro:${ARTIFACTORY_VERSION} | |
echo "Set localhost to a container IP address, since we run docker inside of docker" | |
export LOCALHOST=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.Gateway}}{{end}}' artifactory) | |
export JFROG_URL="http://${LOCALHOST}:8082" | |
echo "JFROG_URL=$JFROG_URL" >> "$GITHUB_ENV" | |
echo "Waiting for Artifactory services to start at ${JFROG_URL}" | |
until $(curl -sf -o /dev/null -m 5 ${JFROG_URL}/artifactory/api/system/ping/); do | |
printf '.' | |
sleep 5 | |
done | |
echo "Waiting for Artifactory UI to start" | |
until $(curl -sf -o /dev/null -m 5 ${JFROG_URL}/ui/login/); do | |
printf '.' | |
sleep 5 | |
done | |
export COOKIES=$(curl -s -c - "${JFROG_URL}/ui/api/v1/ui/auth/login?_spring_security_remember_me=false" \ | |
--header "accept: application/json, text/plain, */*" \ | |
--header "content-type: application/json;charset=UTF-8" \ | |
--header "x-requested-with: XMLHttpRequest" \ | |
-d '{"user":"admin","password":"'"${{ secrets.ARTIFACTORY_PASSWORD }}"'","type":"login"}' | grep FALSE) | |
export REFRESHTOKEN=$(echo $COOKIES | grep REFRESHTOKEN | awk '{print $7}') | |
export ACCESSTOKEN=$(echo $COOKIES | grep ACCESSTOKEN | awk '{print $14}') | |
export JFROG_ACCESS_TOKEN=$(curl -s -g --request GET "${JFROG_URL}/ui/api/v1/system/security/token?services[]=all" \ | |
--header "accept: application/json, text/plain, */*" \ | |
--header "x-requested-with: XMLHttpRequest" \ | |
--header "cookie: ACCESSTOKEN=${ACCESSTOKEN}; REFRESHTOKEN=${REFRESHTOKEN}") | |
echo "::add-mask::$JFROG_ACCESS_TOKEN" | |
echo "JFROG_ACCESS_TOKEN=$JFROG_ACCESS_TOKEN" >> "$GITHUB_ENV" | |
- name: Execute all tests | |
run: make alltests | |
- name: Clean up Docker container | |
if: always() && ${{ steps.run_artifactory_container.outcome == 'success' }} | |
run: docker stop artifactory | |
- name: Send workflow status to Slack | |
uses: slackapi/slack-github-action@v1.26.0 | |
if: always() | |
with: | |
payload: | | |
{ | |
"text": "${{ github.workflow }} https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/${{ github.job }} GitHub Action result: ${{ job.status == 'success' && ':white_check_mark:' || ':x:' }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}", | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "${{ github.workflow }} <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/${{ github.job }}| GitHub Action result>: ${{ job.status == 'success' && ':white_check_mark:' || ':x:' }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}" | |
} | |
} | |
] | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_PR_WEBHOOK }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
update-changelog: | |
runs-on: ubuntu-latest | |
needs: acceptance-tests-matrix | |
if: github.event_name == 'pull_request' && needs.acceptance-tests-matrix.result == 'success' | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: Update CHANGELOG and push commit | |
env: | |
ARTIFACTORY_VERSION: ${{ needs.acceptance-tests-matrix.outputs.artifactory_version }} | |
OPENBAO_VERSION: ${{ needs.acceptance-tests-matrix.outputs.openbao_version }} | |
VAULT_VERSION: ${{ needs.acceptance-tests-matrix.outputs.vault_version }} | |
run: | | |
echo "Adding Artifactory version to CHANGELOG.md" | |
sed -i -E "0,/(##\s.+\..+\..+\s\(.+\)).*/ s/(##\s.+\..+\..+\s\(.+\)).*/\1. Tested on Artifactory $ARTIFACTORY_VERSION with Vault $VAULT_VERSION and OpenBao $OPENBAO_VERSION/" CHANGELOG.md | |
head -10 CHANGELOG.md | |
git add CHANGELOG.md | |
export REGEX="Changes to be committed*" | |
export GIT_STATUS=$(git status) | |
if [[ ${GIT_STATUS} =~ ${REGEX} ]]; then | |
echo "Commiting changes" | |
git config --global user.name 'JFrog CI' | |
git config --global user.email 'jfrog-solutions-ci+1@jfrog.com' | |
git config --get user.name | |
git config --get user.email | |
git commit --author="JFrog CI <jfrog-solutions-ci+1@jfrog.com>" -m "JFrog Pipelines - Add Artifactory version to CHANGELOG.md" | |
git push | |
else | |
echo "There is nothing to commit: Artifactory version hadn't changed." | |
fi | |
- name: Send workflow status to Slack | |
uses: slackapi/slack-github-action@v1.26.0 | |
if: success() | |
with: | |
payload: | | |
{ | |
"text": "Vault Artifactory Secrets Plugin. A new PR was submitted by ${{ github.event.pull_request.user.login }} - ${{ github.event.pull_request.html_url }}, branch ${{ github.event.pull_request.base.ref }}. Changes tested successfully. <@U01H1SLSPA8> or <@UNDRUL1EU> please, review and merge.", | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "<http://github.com/${{ github.repository }}|Vault Artifactory Secrets Plugin>. A new PR was submitted by *${{ github.event.pull_request.user.login }}* - <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}>, branch *${{ github.event.pull_request.base.ref }}*. Changes tested successfully. <@U01H1SLSPA8> or <@UNDRUL1EU> please, review and merge." | |
} | |
} | |
] | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_PR_WEBHOOK }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |