ci: use default CodeQL #282
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Conformance Checks | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
schedule: | |
- cron: '55 11 * * 1' | |
workflow_dispatch: | |
jobs: | |
build: | |
if: ${{ github.repository == 'panva/node-oidc-provider' || github.event_name == 'workflow_dispatch' }} | |
uses: panva/.github/.github/workflows/build-conformance-suite.yml@main | |
run: | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
env: | |
SUITE_BASE_URL: https://localhost.emobix.co.uk:8443 | |
SETUP: ${{ toJSON(matrix.setup) }} | |
strategy: | |
fail-fast: false | |
matrix: | |
setup: | |
# OP Basic | |
- plan: oidcc-basic-certification-test-plan | |
# OP Hybrid | |
- plan: oidcc-hybrid-certification-test-plan | |
# OP Implicit | |
- plan: oidcc-implicit-certification-test-plan | |
# OP Dynamic | |
- plan: oidcc-dynamic-certification-test-plan | |
response_type: code | |
- plan: oidcc-dynamic-certification-test-plan | |
response_type: id_token | |
- plan: oidcc-dynamic-certification-test-plan | |
response_type: id_token token | |
- plan: oidcc-dynamic-certification-test-plan | |
response_type: code id_token | |
- plan: oidcc-dynamic-certification-test-plan | |
response_type: code token | |
- plan: oidcc-dynamic-certification-test-plan | |
response_type: code id_token token | |
# RP-Initiated OP | |
- plan: oidcc-rp-initiated-logout-certification-test-plan | |
# Back-Channel OP | |
- plan: oidcc-backchannel-rp-initiated-logout-certification-test-plan | |
# FAPI 2.0 Security Profile ID2 | |
- plan: fapi2-security-profile-id2-test-plan | |
client_auth_type: private_key_jwt | |
sender_constrain: dpop | |
openid: openid_connect | |
- plan: fapi2-security-profile-id2-test-plan | |
client_auth_type: private_key_jwt | |
sender_constrain: dpop | |
openid: plain_oauth | |
- plan: fapi2-security-profile-id2-test-plan | |
client_auth_type: private_key_jwt | |
sender_constrain: mtls | |
openid: openid_connect | |
- plan: fapi2-security-profile-id2-test-plan | |
client_auth_type: private_key_jwt | |
sender_constrain: mtls | |
openid: plain_oauth | |
- plan: fapi2-security-profile-id2-test-plan | |
client_auth_type: mtls | |
sender_constrain: dpop | |
openid: openid_connect | |
- plan: fapi2-security-profile-id2-test-plan | |
client_auth_type: mtls | |
sender_constrain: dpop | |
openid: plain_oauth | |
- plan: fapi2-security-profile-id2-test-plan | |
client_auth_type: mtls | |
sender_constrain: mtls | |
openid: openid_connect | |
- plan: fapi2-security-profile-id2-test-plan | |
client_auth_type: mtls | |
sender_constrain: mtls | |
openid: plain_oauth | |
# FAPI 2.0 Message Signing ID1 | |
- plan: fapi2-message-signing-id1-test-plan | |
client_auth_type: private_key_jwt | |
sender_constrain: dpop | |
openid: openid_connect | |
- plan: fapi2-message-signing-id1-test-plan | |
client_auth_type: private_key_jwt | |
sender_constrain: dpop | |
openid: plain_oauth | |
- plan: fapi2-message-signing-id1-test-plan | |
client_auth_type: private_key_jwt | |
sender_constrain: mtls | |
openid: openid_connect | |
- plan: fapi2-message-signing-id1-test-plan | |
client_auth_type: private_key_jwt | |
sender_constrain: mtls | |
openid: plain_oauth | |
- plan: fapi2-message-signing-id1-test-plan | |
client_auth_type: mtls | |
sender_constrain: dpop | |
openid: openid_connect | |
- plan: fapi2-message-signing-id1-test-plan | |
client_auth_type: mtls | |
sender_constrain: dpop | |
openid: plain_oauth | |
- plan: fapi2-message-signing-id1-test-plan | |
client_auth_type: mtls | |
sender_constrain: mtls | |
openid: openid_connect | |
- plan: fapi2-message-signing-id1-test-plan | |
client_auth_type: mtls | |
sender_constrain: mtls | |
openid: plain_oauth | |
# FAPI 1.0 Advanced (Final) | |
- plan: fapi1-advanced-final-test-plan | |
fapi_auth_request_method: by_value | |
client_auth_type: private_key_jwt | |
fapi_response_mode: plain_response | |
- plan: fapi1-advanced-final-test-plan | |
fapi_auth_request_method: pushed | |
client_auth_type: private_key_jwt | |
fapi_response_mode: plain_response | |
- plan: fapi1-advanced-final-test-plan | |
fapi_auth_request_method: by_value | |
client_auth_type: private_key_jwt | |
fapi_response_mode: jarm | |
- plan: fapi1-advanced-final-test-plan | |
fapi_auth_request_method: pushed | |
client_auth_type: private_key_jwt | |
fapi_response_mode: jarm | |
- plan: fapi1-advanced-final-test-plan | |
fapi_auth_request_method: by_value | |
client_auth_type: mtls | |
fapi_response_mode: plain_response | |
- plan: fapi1-advanced-final-test-plan | |
fapi_auth_request_method: pushed | |
client_auth_type: mtls | |
fapi_response_mode: plain_response | |
- plan: fapi1-advanced-final-test-plan | |
fapi_auth_request_method: by_value | |
client_auth_type: mtls | |
fapi_response_mode: jarm | |
- plan: fapi1-advanced-final-test-plan | |
fapi_auth_request_method: pushed | |
client_auth_type: mtls | |
fapi_response_mode: jarm | |
# FAPI RW-CIBA-ID1 | |
- plan: fapi-ciba-id1-test-plan | |
client_auth_type: private_key_jwt | |
ciba_mode: poll | |
- plan: fapi-ciba-id1-test-plan | |
client_auth_type: private_key_jwt | |
ciba_mode: ping | |
- plan: fapi-ciba-id1-test-plan | |
client_auth_type: mtls | |
ciba_mode: poll | |
- plan: fapi-ciba-id1-test-plan | |
client_auth_type: mtls | |
ciba_mode: ping | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: lts/* | |
cache: 'npm' | |
- run: npm clean-install | |
- name: Run oidc-provider (OIDC) | |
run: | | |
set -o pipefail | |
node certification/oidc/docker |& tee server.log & | |
if: ${{ startsWith(matrix.setup.plan, 'oidcc') }} | |
env: | |
PORT: 3000 | |
DEBUG: oidc-provider:* | |
ISSUER: https://172.17.0.1:3000 | |
NODE_TLS_REJECT_UNAUTHORIZED: 0 | |
- name: Run oidc-provider (FAPI) | |
run: | | |
set -o pipefail | |
node certification/fapi |& tee server.log & | |
if: ${{ startsWith(matrix.setup.plan, 'fapi') }} | |
env: | |
ISSUER: https://172.17.0.1:3000 | |
PORT: 3000 | |
DEBUG: oidc-provider:* | |
NODE_OPTIONS: --tls-cipher-list="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384" | |
NODE_TLS_REJECT_UNAUTHORIZED: 0 | |
- name: Set Conformance Suite Version | |
run: | | |
export VERSION=($(curl --silent "https://gitlab.com/api/v4/projects/4175605/releases" | jq -r '.[0].tag_name')) | |
echo "VERSION=$VERSION" >> $GITHUB_ENV | |
- name: Load Cached Conformance Suite Build | |
uses: actions/cache@v4 | |
id: cache | |
with: | |
path: ./conformance-suite | |
key: ${{ needs.build.outputs.cache-key }} | |
fail-on-cache-miss: true | |
- name: Run Conformance Suite | |
working-directory: ./conformance-suite | |
run: | | |
docker compose -f docker-compose-dev.yml up -d | |
while ! curl -skfail https://localhost.emobix.co.uk:8443/api/runner/available >/dev/null; do sleep 2; done | |
- name: Adjust configuration files for CI | |
run: | | |
sed -i -e 's/op.panva.cz/172.17.0.1:3000/g' certification/oidc/plan.json | |
sed -i -e 's/mtls.fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json | |
sed -i -e 's/fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json | |
- name: Run the plan | |
run: npx mocha --timeout 0 --retries 1 certification/runner | |
env: | |
NODE_TLS_REJECT_UNAUTHORIZED: 0 | |
- name: Add server log to artifact | |
if: ${{ failure() }} | |
run: | | |
zip -ur ${{ env.EXPORT_FILE }} server.log | |
- name: Upload test artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
path: export-*.zip | |
name: certification html results idx(${{ strategy.job-index }}) | |
if-no-files-found: ignore | |
if: ${{ always() }} | |
- name: Stop Conformance Suite | |
working-directory: ./conformance-suite | |
run: | | |
killall -SIGINT node | |
docker compose -f docker-compose-dev.yml down | |
sudo rm -rf mongo |