chore: externalize enrollment and validation (#13182) #1481
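# Publish packages: builds, GPG-signs and uploads release assets (Linux OS
# packages, Python zipapps, Cedarling WASM/Python/Go/KrakenD/UniFFI builds)
# to the GitHub release of the pushed tag, or of `target_tag` on manual runs.
#
# Tag handling, repeated per job because jobs share no shell state: the
# `nightly` tag publishes as version 0.0.0 (0.0.0-nightly for OS packages);
# any other tag has its leading `v` stripped and, for OS packages, `-stable`
# appended.
#
# Every `run:` script reads the tag from the shell environment (TARGET_TAG,
# GITHUB_REF) instead of interpolating `${{ ... }}` expressions into the
# script text, so a crafted tag or dispatch input is never parsed as shell.
# Release uploads authenticate `gh` through the GH_TOKEN step variable rather
# than `gh auth login`, which would persist the PAT in the runner's config.
#
# harden-runner is in `audit` mode on every job: egress is only logged, not
# blocked. Switch to `block` with an allow-list once the build hosts are known.
name: Publish packages
on:
  push:
    tags:
      - 'v**'
      - 'nightly'
  workflow_dispatch:
    inputs:
      target_tag:
        description: 'The release tag to upload assets to (e.g., v1.0.1 or nightly). Required.'
        required: true
        type: string
      # One opt-in switch per job; all default to off so a manual run only
      # rebuilds what was asked for.
      run_binary_packages:
        description: 'Run "publish_binary_packages" job?'
        required: true
        type: boolean
        default: false
      run_python_packages:
        description: 'Run "build_and_upload_python_packages" job?'
        required: true
        type: boolean
        default: false
      run_cedarling_wasm:
        description: 'Run "build_cedarling_wasm" job?'
        required: true
        type: boolean
        default: false
      run_demo_packages:
        description: 'Run "build_demo_packages" job? (Needs wasm)'
        required: true
        type: boolean
        default: false
      run_cedarling_python:
        description: 'Run "build_cedarling_python" job?'
        required: true
        type: boolean
        default: false
      run_cedarling_go:
        description: 'Run "build_cedarling_go" job?'
        required: true
        type: boolean
        default: false
      run_cedarling_krakend:
        description: 'Run "build_cedarling_krakend" job? (Needs go)'
        required: true
        type: boolean
        default: false
      run_cedarling_uniffi:
        description: 'Run "build_cedarling_uniffi" job?'
        required: true
        type: boolean
        default: false
# Least privilege for GITHUB_TOKEN. Uploads use the MOAUTO_WORKFLOW_TOKEN PAT;
# jobs that sign with OIDC (cosign, npm provenance) request id-token: write.
permissions:
  contents: read
env:
  # Manual-dispatch input exported once for every job. Empty on tag pushes,
  # where the tag is taken from GITHUB_REF instead.
  TARGET_TAG: ${{ inputs.target_tag }}
jobs:
  # Native OS packages (.deb/.rpm) built by the scripts under
  # automation/packaging, signed (cosign for deb, rpm --addsign for rpm, plus
  # a detached GPG signature for both) and attached to the release.
  publish_binary_packages:
    if: |
      github.repository == 'JanssenProject/jans' &&
      (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_binary_packages))
    runs-on: ${{ matrix.os }}
    permissions:
      # OIDC token for keyless `cosign sign-blob`.
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        name: [ubuntu24, ubuntu22, ubuntu20, el8, suse15]
        include:
          - name: ubuntu24
            os: ubuntu-22.04
            asset_suffix: '~ubuntu24.04_amd64.deb'
            build_files: deb/noble
            asset_prefix: '_'
            asset_path: jans
            sign_cmd: cosign sign-blob --yes --output-certificate cert.pem --output-signature sig
            python_version: '3.11'
          - name: ubuntu22
            os: ubuntu-22.04
            asset_suffix: '~ubuntu22.04_amd64.deb'
            build_files: deb/jammy
            asset_prefix: '_'
            asset_path: jans
            sign_cmd: cosign sign-blob --yes --output-certificate cert.pem --output-signature sig
            python_version: '3.8'
          - name: ubuntu20
            os: ubuntu-22.04
            asset_suffix: '~ubuntu20.04_amd64.deb'
            build_files: deb/focal
            asset_prefix: '_'
            asset_path: jans
            sign_cmd: cosign sign-blob --yes --output-certificate cert.pem --output-signature sig
            python_version: '3.8'
          - name: el8
            os: ubuntu-22.04
            asset_suffix: '.el8.x86_64.rpm'
            build_files: rpm/el8
            asset_prefix: '-'
            asset_path: jans/rpmbuild/RPMS/x86_64
            sign_cmd: rpm --addsign
            python_version: '3.8'
          - name: suse15
            os: ubuntu-22.04
            asset_suffix: '.suse15.x86_64.rpm'
            build_files: rpm/suse15
            asset_prefix: '-'
            asset_path: jans/rpmbuild/RPMS/x86_64
            sign_cmd: rpm --addsign
            python_version: '3.8'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          path: temp-jans
      - name: Getting build dependencies
        id: get_dependencies
        run: |
          mkdir -p jans/jans-src/opt/
          cp -rp temp-jans/automation/packaging/${{ matrix.build_files }}/* jans/
          cp temp-jans/jans-linux-setup/jans_setup/install.py jans/install.py
          sudo add-apt-repository -y ppa:deadsnakes/ppa
          sudo apt-get update
          sudo apt-get install -y python${{ matrix.python_version }}
          sudo apt install -y build-essential devscripts debhelper rpm python3-dev python3-requests python3-ruamel.yaml python3-pymysql python3-prompt-toolkit python${{ matrix.python_version }}-distutils libpq-dev python${{ matrix.python_version }}-dev apache2 rsyslog python3-urllib3 python3-certifi postgresql postgresql-contrib
          sudo apt install -y dpkg-sig python3-crypto python3-distutils || sudo apt install -y python3-distutils-extra python3-cryptography
          sudo cp -r /usr/lib/python3/dist-packages /usr/lib/python${{ matrix.python_version }}/
          sudo python${{ matrix.python_version }} -m pip install psycopg2-binary psycopg2 || echo "failed to install psycopg2"
      - name: Import GPG key
        id: import_gpg
        # Best effort: a missing key only makes the later detached signatures fail.
        continue-on-error: true
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
        with:
          gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      - name: List keys
        id: list_keys
        run: gpg -K
      - name: Get tag and version
        id: previoustag
        # Outputs: tag (release to upload to) and version (package version string).
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            TAG_NAME="${TARGET_TAG}"
          else
            TAG_NAME=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          echo "tag=${TAG_NAME}" >> "${GITHUB_OUTPUT}"
          if [[ "${TAG_NAME}" == "nightly" ]]; then
            echo "version=0.0.0-nightly" >> "${GITHUB_OUTPUT}"
          else
            echo "version=$(echo "${TAG_NAME}" | sed 's/^v//')-stable" >> "${GITHUB_OUTPUT}"
          fi
          echo "PACKAGE_PREFIX=jans" >> "${GITHUB_ENV}"
      - name: Print Version and tag
        env:
          VERSION: ${{ steps.previoustag.outputs.version }}
          TAG: ${{ steps.previoustag.outputs.tag }}
        run: |
          echo "Version: ${VERSION}"
          echo "Tag: ${TAG}"
      - name: Running install and build
        id: run_build
        env:
          VERSION: ${{ steps.previoustag.outputs.version }}
        run: |
          cd jans/
          sudo python${{ matrix.python_version }} install.py -download-exit -yes --keep-downloads --keep-setup -force-download
          cp -r /opt/dist jans-src/opt/
          cp -r /opt/jans jans-src/opt/
          touch jans-src/opt/jans/jans-setup/package
          rm -rf install.py install jans-cli-tui
          rm -rf jans-src/opt/jans/jans-setup/logs/setup.log
          rm -rf jans-src/opt/jans/jans-setup/logs/setup_error.log
          sed -i "s/%VERSION%/${VERSION}/g" run-build.sh
          cat run-build.sh
          sudo ./run-build.sh
      - name: Install Cosign
        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
      - name: Sign package
        id: sign_package
        env:
          # Path of the built package; the same expression the upload steps use as `file:`.
          ASSET: ${{ github.workspace }}/${{ matrix.asset_path }}/jans${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}
        run: |
          echo '%_gpg_name moauto (automation) <54212639+mo-auto@users.noreply.github.com>' >> ~/.rpmmacros
          ${{ matrix.sign_cmd }} "${ASSET}"
          gpg --armor --detach-sign "${ASSET}"
      - name: Upload binaries to release
        id: upload_binaries
        uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
        with:
          repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
          file: ${{ github.workspace }}/${{ matrix.asset_path }}/jans${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}
          asset_name: ${{ env.PACKAGE_PREFIX }}${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}
          tag: ${{ steps.previoustag.outputs.tag }}
          overwrite: true
      - name: Upload sig to release
        id: upload_sigs
        uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
        with:
          repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
          file: ${{ github.workspace }}/${{ matrix.asset_path }}/jans${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}.asc
          asset_name: ${{ env.PACKAGE_PREFIX }}${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}.asc
          tag: ${{ steps.previoustag.outputs.tag }}
          overwrite: true
  # Shiv zipapps of jans-linux-setup and jans-cli-tui for Ubuntu, SUSE
  # (built inside an openSUSE Leap container) and macOS.
  build_and_upload_python_packages:
    if: |
      github.repository == 'JanssenProject/jans' &&
      (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_python_packages))
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: ubuntu
            os: ubuntu-22.04
            python_version: '3.8'
          - name: suse
            os: ubuntu-22.04
            python_version: '3.8'
            use_docker: true
            docker_image: opensuse/leap:15.4
          - name: macos
            os: macos-latest
            python_version: '3.8'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Set up Python
        if: matrix.name != 'suse'
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ matrix.python_version }}
      - name: Build with Docker (SUSE)
        if: matrix.use_docker
        uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
        with:
          image: ${{ matrix.docker_image }}
          options: -v ${{ github.workspace }}:/workspace
          # NOTE(review): python3-dev below comes from a personal OBS repo
          # (home:smarty12) and is installed with --nodeps; prefer an official
          # package or at least verify the downloaded RPM before installing.
          run: |
            zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.1/standard/openSUSE:Leap:15.1.repo
            zypper --gpg-auto-import-keys refresh
            zypper --non-interactive install -y gcc-c++ make gcc automake autoconf libtool python3-pip python3-setuptools python3-wheel openssl
            zypper addrepo https://download.opensuse.org/repositories/home:smarty12:Python/RaspberryPi_Leap_15.2/home:smarty12:Python.repo
            zypper --gpg-auto-import-keys refresh
            zypper download python3-dev
            rpm -i --nodeps /var/cache/zypp/packages/home_smarty12_Python/noarch/python3-dev-0.4.0-lp152.1.4.noarch.rpm
            zypper --non-interactive install -y python3 python3-devel
            pip install shiv
            cd /workspace/jans-linux-setup
            make zipapp
            mv jans-linux-setup.pyz jans-linux-suse-X86-64-setup.pyz
            cd ../jans-cli-tui
            make zipapp
            mv jans-cli-tui.pyz jans-cli-tui-linux-suse-X86-64.pyz
      - name: Build with Ubuntu
        if: matrix.name == 'ubuntu'
        run: |
          sudo apt-get update
          sudo apt-get install -y python3 build-essential ca-certificates dbus systemd iproute2 gpg python3-pip python3-dev libpq-dev gcc
          python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
          pip3 install shiv wheel setuptools
          sudo chown -R runner:docker /home/runner/work/jans/jans
          cd jans-linux-setup
          make zipapp || echo "Creating linux setup failed for ubuntu"
          mv jans-linux-setup.pyz jans-linux-ubuntu-X86-64-setup.pyz || echo "Failed"
          cd ../jans-cli-tui
          make zipapp
          mv jans-cli-tui.pyz jans-cli-tui-linux-ubuntu-X86-64.pyz
      - name: Build with macOS
        if: matrix.name == 'macos'
        run: |
          python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
          pip3 install shiv wheel setuptools
          cd jans-linux-setup
          make zipapp || echo "Creating linux setup failed for macOS"
          mv jans-linux-setup.pyz jans-linux-macos-setup.pyz || echo "Failed"
          cd ../jans-cli-tui
          make zipapp
          mv jans-cli-tui.pyz jans-cli-tui-macos.pyz
      - name: Get tag and version
        id: previoustag
        # Outputs: tag (release to upload to) and version (informational here).
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            TAG_NAME="${TARGET_TAG}"
          else
            TAG_NAME=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          echo "tag=${TAG_NAME}" >> "${GITHUB_OUTPUT}"
          if [[ "${TAG_NAME}" == "nightly" ]]; then
            echo "version=0.0.0-nightly" >> "${GITHUB_OUTPUT}"
          else
            echo "version=$(echo "${TAG_NAME}" | sed 's/^v//')-stable" >> "${GITHUB_OUTPUT}"
          fi
          echo "SETUP_PREFIX=jans-linux" >> "${GITHUB_ENV}"
          echo "TUI_PREFIX=jans-cli-tui-linux" >> "${GITHUB_ENV}"
      - name: Upload setup binaries to release
        continue-on-error: true
        uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
        with:
          repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
          file: ${{ github.workspace }}/jans-linux-setup/jans-linux-${{ matrix.name }}-${{ matrix.name == 'macos' && 'setup' || 'X86-64-setup' }}.pyz
          asset_name: ${{ env.SETUP_PREFIX }}-${{ matrix.name }}-${{ matrix.name == 'macos' && 'setup' || 'X86-64-setup' }}.pyz
          tag: ${{ steps.previoustag.outputs.tag }}
          overwrite: true
      - name: Upload CLI binaries to release
        continue-on-error: true
        uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
        with:
          repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
          file: ${{ github.workspace }}/jans-cli-tui/jans-cli-tui-${{ matrix.name == 'macos' && 'macos' || format('linux-{0}-X86-64', matrix.name) }}.pyz
          asset_name: ${{ env.TUI_PREFIX }}-${{ matrix.name == 'macos' && 'macos' || format('{0}-X86-64', matrix.name) }}.pyz
          tag: ${{ steps.previoustag.outputs.tag }}
          overwrite: true
  # Cedarling WASM: publishes the web and nodejs targets to npm under
  # @janssenproject and attaches a signed tarball of the web package to the
  # release (consumed by build_demo_packages).
  build_cedarling_wasm:
    if: |
      github.repository == 'JanssenProject/jans' &&
      (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_cedarling_wasm))
    runs-on: ubuntu-22.04
    permissions:
      # OIDC token for `npm publish --provenance`.
      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Import GPG key
        id: import_gpg
        continue-on-error: true
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
        with:
          gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'
      - name: Install latest stable Rust
        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable
        with:
          toolchain: stable
      - name: Build WASM build
        id: sign-cedarling
        working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_wasm
        # Nightly builds get the last published nightly patch version + 1 so
        # npm accepts the new publish; release tags publish as-is.
        # NOTE(review): `cargo install wasm-pack` is unpinned; pin `--version`
        # so the build toolchain is reproducible.
        run: |
          rustup default stable
          rustup target add wasm32-unknown-unknown
          cargo install wasm-pack
          echo "--- rustc version ---"
          rustc --version
          echo "--- cargo version ---"
          cargo --version
          echo "--- wasm-pack version ---"
          wasm-pack --version
          echo "---------------------"
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            TAG_NAME="${TARGET_TAG}"
          else
            TAG_NAME=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          TAG=$(echo "${TAG_NAME}" | sed 's/^v//')
          NPM_TAG=latest
          VERSION_TO_PUBLISH="${TAG}"
          if [ "${TAG}" == "nightly" ]; then
            NPM_TAG=nightly
            LAST_NIGHTLY_NPM_VERSION=$(npm dist-tag ls @janssenproject/cedarling_wasm | grep nightly | awk '{print $2}' | sort -V | tail -n 1) || echo "Failed to get last nightly version"
            VERSION_TO_PUBLISH=$(echo $LAST_NIGHTLY_NPM_VERSION | awk -F. '{print $1"."$2"."$3+1}')
          fi
          # Update Cargo.toml with the version to publish
          sed -i "s/^version = \".*\"/version = \"${VERSION_TO_PUBLISH}\"/" Cargo.toml
          echo "Set version to ${VERSION_TO_PUBLISH} in Cargo.toml"
          wasm-pack build --release --target web --scope janssenproject
          cd pkg
          npm login --registry https://registry.npmjs.org --scope=janssenproject --access=public --always-auth
          npm publish --provenance --access=public --tag "${NPM_TAG}" || {
            echo "npm publish failed (may already be published), continuing..."
            cat $(ls -t /home/runner/.npm/_logs/*-debug-0.log | head -n 1) || true
          }
          cd ..
          # Build for Node.js target with modified version
          NODEJS_VERSION="${VERSION_TO_PUBLISH}-nodejs"
          sed -i "s/^version = \".*\"/version = \"${NODEJS_VERSION}\"/" Cargo.toml
          echo "Set Node.js version to ${NODEJS_VERSION} in Cargo.toml"
          wasm-pack build --release --target nodejs --scope janssenproject --out-dir pkg-nodejs
          cd pkg-nodejs
          npm publish --provenance --access=public --tag "${NPM_TAG}-nodejs" || {
            echo "npm publish (nodejs) failed (may already be published), continuing..."
            cat $(ls -t /home/runner/.npm/_logs/*-debug-0.log | head -n 1) || true
          }
      - name: Archive and sign pkg contents
        id: archive_pkg
        working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_wasm
        env:
          GH_TOKEN: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            VERSION="${TARGET_TAG}"
          else
            VERSION=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          TAG=$(echo "${VERSION}" | sed 's/^v//')
          if [ "${TAG}" == "nightly" ]; then
            TAG="0.0.0"
          fi
          rm -rf pkg/.gitignore || echo "Failed to remove gitignore"
          tar -czvf cedarling_wasm_"${TAG}"_pkg.tar.gz -C pkg .
          gpg --armor --detach-sign cedarling_wasm_"${TAG}"_pkg.tar.gz || echo "Failed to sign"
          gh release upload "${VERSION}" *.tar.gz *.asc --clobber || {
            echo "gh release upload failed (assets may already exist), continuing..."
          }
  # Demo source archives plus the janssen-tarp browser extension (Chrome zip,
  # Firefox xpi signed via AMO). Depends on the WASM tarball uploaded above.
  build_demo_packages:
    if: |
      github.repository == 'JanssenProject/jans' &&
      (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_demo_packages))
    needs: build_cedarling_wasm
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Build with Ubuntu
        continue-on-error: true
        env:
          GH_TOKEN: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
        # Nightly extension builds get a random 0.0.NNNN version because the
        # stores reject re-uploads of an already-used version number.
        run: |
          sudo apt-get update
          sudo apt-get install -y zip jq
          cd demos
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            VER="${TARGET_TAG}"
          else
            VER=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          for i in $(ls -d */); do zip -r demo-${i%/}-"$VER"-source.zip "$i"; done
          sudo rm demo-janssen-tarp-"$VER"-source.zip || echo "No such file or directory"
          cd janssen-tarp/browser-extension
          TAG=$(echo "${VER}" | sed 's/^v//')
          VERSION_TO_SET="${TAG}"
          if [ "${TAG}" == "nightly" ]; then
            TAG="0.0.0"
            RANDOM_NUMBER=$((RANDOM % 9000 + 1000))
            VERSION_TO_SET="0.0.${RANDOM_NUMBER}"
          fi
          # Update version in all manifest and package files
          echo "Setting extension version to ${VERSION_TO_SET}"
          jq --arg version "${VERSION_TO_SET}" '.version = $version' src/static/firefox/manifest.json > temp.json && mv temp.json src/static/firefox/manifest.json
          jq --arg version "${VERSION_TO_SET}" '.version = $version' src/static/chrome/manifest.json > temp.json && mv temp.json src/static/chrome/manifest.json
          jq --arg version "${VERSION_TO_SET}" '.version = $version' package.json > temp.json && mv temp.json package.json
          wget https://github.com/${{ github.repository }}/releases/download/"${VER}"/cedarling_wasm_"${TAG}"_pkg.tar.gz -O cedarling_wasm.tar.gz
          mkdir -p wasm
          tar -xvf cedarling_wasm.tar.gz -C wasm
          rm cedarling_wasm.tar.gz
          ls wasm
          npm install --global web-ext
          npm install
          npm run build
          cd ./dist/firefox
          web-ext sign --channel=unlisted --api-key="${{ secrets.MOZILLA_API_KEY }}" --api-secret="${{ secrets.MOZILLA_API_SECRET }}" || echo "Sign your extension for self-distribution to mozilla failed"
          cd ../..
          npm run pack
          mv ./release/janssen-tarp-chrome-*.zip ../demo-janssen-tarp-chrome-"$VER".zip
          mv ./dist/firefox/web-ext-artifacts/*.xpi ../demo-janssen-tarp-firefox-"$VER".xpi || touch ../demo-janssen-tarp-firefox-"$VER".xpi
          cd ..
          gh release upload "$VER" *.zip --clobber
          gh release upload "$VER" *.xpi --clobber || echo "Sign your extension for self-distribution to mozilla failed"
  # Cedarling Python wheels (cp310/cp311, manylinux) built with maturin,
  # GPG-signed and attached to the release.
  build_cedarling_python:
    if: |
      github.repository == 'JanssenProject/jans' &&
      (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_cedarling_python))
    runs-on: ubuntu-22.04
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Import GPG key
        id: import_gpg
        continue-on-error: true
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
        with:
          gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      - uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
        with:
          working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_python
          command: build
          args: --release -i python3.10 python3.11
      - name: Sign and upload Cedarling Python wheels
        id: sign-cedarling
        env:
          GH_TOKEN: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
        # The wheel file names must match the crate version; the manylinux tag
        # below is the one maturin produces on this runner.
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            VERSION="${TARGET_TAG}"
          else
            VERSION=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          TAG=$(echo "${VERSION}" | sed 's/^v//')
          if [ "${TAG}" == "nightly" ]; then
            TAG="0.0.0"
          fi
          cd ${{ github.workspace }}/jans-cedarling/target/wheels
          gpg --armor --detach-sign cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl || echo "Failed to sign"
          gpg --armor --detach-sign cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl || echo "Failed to sign"
          gh release upload "${VERSION}" *.whl *.asc
  # Cedarling Go shared libraries for linux x86-64/arm64, macOS and Windows.
  # The linux artifacts are consumed by build_cedarling_krakend.
  build_cedarling_go:
    if: |
      github.repository == 'JanssenProject/jans' &&
      (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_cedarling_go))
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        name: [ubuntu22, ubuntu22-arm, mac, windows]
        include:
          - name: ubuntu22
            os: ubuntu-22.04
          - name: ubuntu22-arm
            os: ubuntu-22.04-arm
          - name: mac
            os: macos-15
          - name: windows
            os: windows-2025
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Import GPG key
        id: import_gpg
        continue-on-error: true
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
        with:
          gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      - name: Install Golang dependencies
        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
        with:
          go-version: '1.24'
      - name: Install latest stable Rust
        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable
        with:
          toolchain: stable
      - name: Build rust artifacts
        working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_go
        # bash on every OS (including Windows) so the case statement below works.
        shell: bash
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            VERSION="${TARGET_TAG}"
          else
            VERSION=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          TAG=$(echo "${VERSION}" | sed 's/^v//')
          if [ "${TAG}" == "nightly" ]; then
            TAG="0.0.0"
          fi
          cargo build -r -p cedarling_go
          case "${{ matrix.name }}" in
            ubuntu22)
              cp ../../target/release/libcedarling_go.so libcedarling_go-${TAG}_x86-64.so
              ;;
            ubuntu22-arm)
              cp ../../target/release/libcedarling_go.so libcedarling_go-${TAG}_arm64.so
              ;;
            mac)
              cp ../../target/release/libcedarling_go.dylib libcedarling_go-${TAG}.dylib
              ;;
            windows)
              cp ../../target/release/cedarling_go.dll cedarling_go-${TAG}.dll
              cp ../../target/release/cedarling_go.dll.lib cedarling_go-${TAG}.lib
              ;;
          esac
      - name: Sign and upload Cedarling Go libraries
        working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_go
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            VERSION="${TARGET_TAG}"
          else
            VERSION=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          TAG=$(echo "${VERSION}" | sed 's/^v//')
          if [ "${TAG}" == "nightly" ]; then
            TAG="0.0.0"
          fi
          FILE_LIB=""
          case "${{ matrix.name }}" in
            ubuntu22)
              FILE="libcedarling_go-${TAG}_x86-64.so"
              ;;
            ubuntu22-arm)
              FILE="libcedarling_go-${TAG}_arm64.so"
              ;;
            mac)
              FILE="libcedarling_go-${TAG}.dylib"
              ;;
            windows)
              FILE="cedarling_go-${TAG}.dll"
              FILE_LIB="cedarling_go-${TAG}.lib"
              ;;
          esac
          gpg --armor --detach-sign "$FILE" || echo "Failed to sign $FILE"
          if [ -n "$FILE_LIB" ]; then
            gpg --armor --detach-sign "$FILE_LIB" || echo "Failed to sign $FILE_LIB"
          fi
          gh release upload "${VERSION}" "$FILE" "$FILE.asc" --clobber
          if [ -n "$FILE_LIB" ]; then
            gh release upload "${VERSION}" "$FILE_LIB" "$FILE_LIB.asc" --clobber
          fi
  # KrakenD plugin (amd64 + arm64) built against the Go libraries from the
  # previous job, for both the musl and glibc ("linux-generic") builder images.
  build_cedarling_krakend:
    if: |
      github.repository == 'JanssenProject/jans' &&
      (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_cedarling_krakend))
    needs: build_cedarling_go
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        krakend-builder-image: ['builder:2.9.0', 'builder:2.9.0-linux-generic']
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Import GPG key
        id: import_gpg
        continue-on-error: true
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
        with:
          gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      - name: Set environment variables
        env:
          KRAKEND_BUILDER_IMAGE: ${{ matrix.krakend-builder-image }}
        # Exports TAG, VERSION, KRAKEND_BUILDER_IMAGE_CLEAN (image tag with ':'
        # replaced by '-' for use in file names), CC and ADD_GIT for the build
        # steps below, which read them as shell variables.
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            VERSION="${TARGET_TAG}"
          else
            VERSION=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          TAG=$(echo "${VERSION}" | sed 's/^v//')
          if [ "${TAG}" == "nightly" ]; then
            TAG="0.0.0"
          fi
          echo "TAG=${TAG}" >> "${GITHUB_ENV}"
          echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
          KRAKEND_BUILDER_IMAGE_CLEAN=${KRAKEND_BUILDER_IMAGE/:/-}
          echo "KRAKEND_BUILDER_IMAGE_CLEAN=${KRAKEND_BUILDER_IMAGE_CLEAN}" >> "${GITHUB_ENV}"
          echo "CC=aarch64-linux-musl-gcc" >> "${GITHUB_ENV}"
          echo "ADD_GIT=apk add --no-cache git" >> "${GITHUB_ENV}"
          if [ "${KRAKEND_BUILDER_IMAGE}" == "builder:2.9.0-linux-generic" ]; then
            echo "CC=aarch64-linux-gnu-gcc" >> "${GITHUB_ENV}"
            echo "ADD_GIT=ls" >> "${GITHUB_ENV}"  # no-op
          fi
      - name: Build plugin for AMD64
        working-directory: ${{ github.workspace }}/jans-cedarling/cedarling-krakend
        run: |
          wget https://github.com/JanssenProject/jans/releases/download/"${VERSION}"/libcedarling_go-"${TAG}"_x86-64.so -O libcedarling_go.so
          docker run --rm -v "$PWD:/app" -w /app krakend/"${{ matrix.krakend-builder-image }}" sh -c "${ADD_GIT} && go build -buildmode=plugin -o cedarling-krakend-amd64-${KRAKEND_BUILDER_IMAGE_CLEAN}-${TAG}.so ."
          rm libcedarling_go.so
      - name: Build plugin for ARM64
        working-directory: ${{ github.workspace }}/jans-cedarling/cedarling-krakend
        run: |
          wget https://github.com/JanssenProject/jans/releases/download/"${VERSION}"/libcedarling_go-"${TAG}"_arm64.so -O libcedarling_go.so
          docker run --rm -v "$PWD:/app" -w /app -e "CGO_ENABLED=1" -e "CC=${CC}" -e "GOARCH=arm64" -e "GOHOSTARCH=amd64" krakend/"${{ matrix.krakend-builder-image }}" sh -c "${ADD_GIT} && go build -ldflags='-extldflags=-fuse-ld=bfd -extld=${CC}' -buildmode=plugin -o cedarling-krakend-arm64-${KRAKEND_BUILDER_IMAGE_CLEAN}-${TAG}.so ."
          rm libcedarling_go.so
      - name: Sign and upload Cedarling Krakend plugins
        working-directory: ${{ github.workspace }}/jans-cedarling/cedarling-krakend
        env:
          GH_TOKEN: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
        run: |
          gpg --armor --detach-sign cedarling-krakend-amd64-"${KRAKEND_BUILDER_IMAGE_CLEAN}"-"${TAG}".so || echo "Failed to sign"
          gpg --armor --detach-sign cedarling-krakend-arm64-"${KRAKEND_BUILDER_IMAGE_CLEAN}"-"${TAG}".so || echo "Failed to sign"
          gh release upload "${VERSION}" *.so *.asc
  # Cedarling UniFFI: the linux shared library and the generated Kotlin
  # binding, each GPG-signed and attached to the release.
  build_cedarling_uniffi:
    if: |
      github.repository == 'JanssenProject/jans' &&
      (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.run_cedarling_uniffi))
    runs-on: ubuntu-22.04
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Import GPG key
        id: import_gpg
        continue-on-error: true
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
        with:
          gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      - name: Install latest stable Rust
        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable
        with:
          toolchain: stable
      - name: Build and release cedarling uniffi build in linux
        working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_uniffi
        env:
          GH_TOKEN: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
        run: |
          rustup default stable
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            VERSION="${TARGET_TAG}"
          else
            VERSION=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          TAG=$(echo "${VERSION}" | sed 's/^v//')
          if [ "${TAG}" == "nightly" ]; then
            TAG="0.0.0"
          fi
          cargo build -r -p cedarling_uniffi
          cp ../../target/release/libcedarling_uniffi.so libcedarling_uniffi-${TAG}.so
          FILE="libcedarling_uniffi-${TAG}.so"
          gpg --armor --detach-sign "$FILE" || echo "Failed to sign"
          gh release upload "${VERSION}" "$FILE" "$FILE.asc"
      - name: Build kotlin binding in linux
        working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_uniffi
        env:
          GH_TOKEN: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            VERSION="${TARGET_TAG}"
          else
            VERSION=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)
          fi
          TAG=$(echo "${VERSION}" | sed 's/^v//')
          if [ "${TAG}" == "nightly" ]; then
            TAG="0.0.0"
          fi
          cargo build -r -p cedarling_uniffi
          cargo run --bin uniffi-bindgen generate --library ${{ github.workspace }}/jans-cedarling/target/release/libcedarling_uniffi.so --language kotlin --out-dir ./
          zip -r cedarling_uniffi-kotlin-${TAG}.zip uniffi
          FILE="cedarling_uniffi-kotlin-${TAG}.zip"
          gpg --armor --detach-sign "$FILE" || echo "Failed to sign"
          gh release upload "${VERSION}" "$FILE" "$FILE.asc"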