Skip to content

Add read/write mutex for refreshing access token #18

Add read/write mutex for refreshing access token

Add read/write mutex for refreshing access token #18

on:
pull_request:
branches:
- master
types: [opened,synchronize]
paths:
- '**.go'
workflow_dispatch:
name: Vault & OpenBao Acceptance Tests
jobs:
acceptance-tests-matrix:
name: ${{ matrix.cli }}
runs-on: ubuntu-latest
continue-on-error: false
environment: development
strategy:
fail-fast: true
matrix:
cli: [vault, bao]
outputs:
artifactory_version: ${{ steps.run_artifactory_container.outputs.version }}
openbao_version: ${{ steps.get_bao_cli_version.outputs.version }}
vault_version: ${{ steps.get_vault_cli_version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Unshallow
run: git fetch --prune --unshallow
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.22
- name: Install Helm
uses: azure/setup-helm@v4.2.0
- name: Install GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
install-only: true
- name: Install Vault binary
uses: eLco/setup-vault@v1
if: ${{ matrix.cli == 'vault' }}
- name: Get Vault CLI version
id: get_vault_cli_version
if: ${{ matrix.cli == 'vault' }}
run: |
VAULT_VERSION=$(vault version | cut -d ' ' -f 2)
echo $VAULT_VERSION
echo "version=$VAULT_VERSION" >> "$GITHUB_OUTPUT"
- name: Install OpenBoa binary
if: ${{ matrix.cli == 'bao' }}
run: |
wget -nv -O ${{ runner.temp }}/bao_2.0.0_linux_amd64.deb https://github.com/openbao/openbao/releases/download/v2.0.0/bao_2.0.0_linux_amd64.deb
sudo dpkg -i ${{ runner.temp }}/bao_2.0.0_linux_amd64.deb
- name: Get OpenBao CLI version
id: get_bao_cli_version
if: ${{ matrix.cli == 'bao' }}
run: |
BAO_VERSION=$(bao version | cut -d ' ' -f 2)
echo $BAO_VERSION
echo "version=$BAO_VERSION" >> "$GITHUB_OUTPUT"
- name: Run Vault Dev server
if: ${{ matrix.cli == 'vault' }}
run: |
docker run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=root' -d --rm --name=dev-vault -p 8200:8200 hashicorp/vault
export VAULT_SERVER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.Gateway}}{{end}}' dev-vault)
echo "VAULT_ADDR=http://$VAULT_SERVER_IP:8200" >> "$GITHUB_ENV"
echo "VAULT_TOKEN=root" >> "$GITHUB_ENV"
- name: Run Bao Dev server
if: ${{ matrix.cli == 'bao' }}
run: |
docker run --cap-add=IPC_LOCK -e 'BAO_DEV_ROOT_TOKEN_ID=root' -d --rm --name=dev-bao -p 8200:8200 quay.io/openbao/openbao server -dev
export VAULT_SERVER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.Gateway}}{{end}}' dev-bao)
echo "VAULT_ADDR=http://$VAULT_SERVER_IP:8200" >> "$GITHUB_ENV"
echo "VAULT_TOKEN=root" >> "$GITHUB_ENV"
- name: Create Artifactory data directories and copy data
env:
ARTIFACTORY_LICENSE: ${{ secrets.ARTIFACTORY_LICENSE }}
run: |
mkdir -p ${{ runner.temp }}/artifactory/extra_conf
mkdir -p ${{ runner.temp }}/artifactory/var/etc
echo $ARTIFACTORY_LICENSE > ${{ runner.temp }}/artifactory/extra_conf/artifactory.lic
cp ${{ github.workspace }}/scripts/system.yaml ${{ runner.temp }}/artifactory/var/etc/system.yaml
sudo chown -R 1030:1030 ${{ runner.temp }}/artifactory/var
- name: Run Artifactory container
id: run_artifactory_container
run: |
echo "Get latest Artifactory image tag"
helm repo add artifactory https://charts.jfrog.io
helm repo update
ARTIFACTORY_VERSION=$(helm search repo | grep "artifactory " | awk '{$1=$1};1' | cut -f3 -d " ")
echo "version=$ARTIFACTORY_VERSION" >> "$GITHUB_OUTPUT"
echo "Start up Artifactory container"
docker run -i --name artifactory -d --rm \
-v ${{ runner.temp }}/artifactory/extra_conf:/artifactory_extra_conf \
-v ${{ runner.temp }}/artifactory/var:/var/opt/jfrog/artifactory \
-p 8081:8081 -p 8082:8082 \
releases-docker.jfrog.io/jfrog/artifactory-pro:${ARTIFACTORY_VERSION}
echo "Set localhost to a container IP address, since we run docker inside of docker"
export LOCALHOST=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.Gateway}}{{end}}' artifactory)
export JFROG_URL="http://${LOCALHOST}:8082"
echo "JFROG_URL=$JFROG_URL" >> "$GITHUB_ENV"
echo "Waiting for Artifactory services to start at ${JFROG_URL}"
until $(curl -sf -o /dev/null -m 5 ${JFROG_URL}/artifactory/api/system/ping/); do
printf '.'
sleep 5
done
echo "Waiting for Artifactory UI to start"
until $(curl -sf -o /dev/null -m 5 ${JFROG_URL}/ui/login/); do
printf '.'
sleep 5
done
export COOKIES=$(curl -s -c - "${JFROG_URL}/ui/api/v1/ui/auth/login?_spring_security_remember_me=false" \
--header "accept: application/json, text/plain, */*" \
--header "content-type: application/json;charset=UTF-8" \
--header "x-requested-with: XMLHttpRequest" \
-d '{"user":"admin","password":"'"${{ secrets.ARTIFACTORY_PASSWORD }}"'","type":"login"}' | grep FALSE)
export REFRESHTOKEN=$(echo $COOKIES | grep REFRESHTOKEN | awk '{print $7}')
export ACCESSTOKEN=$(echo $COOKIES | grep ACCESSTOKEN | awk '{print $14}')
export JFROG_ACCESS_TOKEN=$(curl -s -g --request GET "${JFROG_URL}/ui/api/v1/system/security/token?services[]=all" \
--header "accept: application/json, text/plain, */*" \
--header "x-requested-with: XMLHttpRequest" \
--header "cookie: ACCESSTOKEN=${ACCESSTOKEN}; REFRESHTOKEN=${REFRESHTOKEN}")
echo "::add-mask::$JFROG_ACCESS_TOKEN"
echo "JFROG_ACCESS_TOKEN=$JFROG_ACCESS_TOKEN" >> "$GITHUB_ENV"
- name: Execute all tests
run: make alltests
- name: Clean up Docker container
if: always() && ${{ steps.run_artifactory_container.outcome == 'success' }}
run: docker stop artifactory
- name: Send workflow status to Slack
uses: slackapi/slack-github-action@v1.26.0
if: always()
with:
payload: |
{
"text": "${{ github.workflow }} https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/${{ github.job }} GitHub Action result: ${{ job.status == 'success' && ':white_check_mark:' || ':x:' }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "${{ github.workflow }} <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/${{ github.job }}| GitHub Action result>: ${{ job.status == 'success' && ':white_check_mark:' || ':x:' }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_PR_WEBHOOK }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
update-changelog:
runs-on: ubuntu-latest
needs: acceptance-tests-matrix
if: github.event_name == 'pull_request' && needs.acceptance-tests-matrix.result == 'success'
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.ref }}
- name: Update CHANGELOG and push commit
env:
ARTIFACTORY_VERSION: ${{ needs.acceptance-tests-matrix.outputs.artifactory_version }}
OPENBAO_VERSION: ${{ needs.acceptance-tests-matrix.outputs.openbao_version }}
VAULT_VERSION: ${{ needs.acceptance-tests-matrix.outputs.vault_version }}
run: |
echo "Adding Artifactory version to CHANGELOG.md"
sed -i -E "0,/(##\s.+\..+\..+\s\(.+\)).*/ s/(##\s.+\..+\..+\s\(.+\)).*/\1. Tested on Artifactory $ARTIFACTORY_VERSION with Vault $VAULT_VERSION and OpenBao $OPENBAO_VERSION/" CHANGELOG.md
head -10 CHANGELOG.md
git add CHANGELOG.md
export REGEX="Changes to be committed*"
export GIT_STATUS=$(git status)
if [[ ${GIT_STATUS} =~ ${REGEX} ]]; then
echo "Commiting changes"
git config --global user.name 'JFrog CI'
git config --global user.email 'jfrog-solutions-ci+1@jfrog.com'
git config --get user.name
git config --get user.email
git commit --author="JFrog CI <jfrog-solutions-ci+1@jfrog.com>" -m "JFrog Pipelines - Add Artifactory version to CHANGELOG.md"
git push
else
echo "There is nothing to commit: Artifactory version hadn't changed."
fi
- name: Send workflow status to Slack
uses: slackapi/slack-github-action@v1.26.0
if: success()
with:
payload: |
{
"text": "Vault Artifactory Secrets Plugin. A new PR was submitted by ${{ github.event.pull_request.user.login }} - ${{ github.event.pull_request.html_url }}, branch ${{ github.event.pull_request.base.ref }}. Changes tested successfully. <@U01H1SLSPA8> or <@UNDRUL1EU> please, review and merge.",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<http://github.com/${{ github.repository }}|Vault Artifactory Secrets Plugin>. A new PR was submitted by *${{ github.event.pull_request.user.login }}* - <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}>, branch *${{ github.event.pull_request.base.ref }}*. Changes tested successfully. <@U01H1SLSPA8> or <@UNDRUL1EU> please, review and merge."
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_PR_WEBHOOK }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK