chore(CORE-606): bump keycloak limits #11585
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2024-2026 Defense Unicorns | |
| # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial | |
| name: Filter | |
| # This workflow is triggered on pull requests | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - "release/**" | |
| # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). | |
| # labeled is added to support renovate-ready labelling on PRs | |
| types: [milestoned, labeled, opened, reopened, synchronize] | |
| paths-ignore: | |
| - "**.md" | |
| - "**.jpg" | |
| - "**.png" | |
| - "**.gif" | |
| - "**.svg" | |
| - docs/** | |
| - .vscode/** | |
| - .gitignore | |
| - renovate.json | |
| - .release-please-config.json | |
| - .codespellrc | |
| - release-please-config.json | |
| - CODEOWNERS | |
| - LICENSE | |
| - scripts/renovate/** | |
| - scripts/root-ca-retriever/** | |
| # Permissions for the GITHUB_TOKEN used by the workflow. | |
| permissions: | |
| id-token: write # Needed for OIDC-related operations. | |
| contents: read # Allows reading the content of the repository. | |
| pull-requests: write # Allows writing pull request metadata. | |
| packages: read # Allows reading the published GHCR packages | |
| # Default settings for all run commands in the workflow jobs. | |
| defaults: | |
| run: | |
| shell: bash -e -o pipefail {0} # Ensures that scripts fail on error and pipefail is set. | |
| # Abort prior jobs in the same workflow / PR | |
| concurrency: | |
| group: test-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| lint-check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: lint-check | |
| uses: ./.github/actions/lint-check | |
| autogenerated-check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: autogenerated-check | |
| uses: ./.github/actions/autogenerated-check | |
| unit-tests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: unit-tests | |
| uses: ./.github/actions/unit-tests | |
| # This job checks if there are changes in specific paths source packages. | |
| check-paths: | |
| needs: [lint-check, autogenerated-check, unit-tests] | |
| runs-on: ubuntu-latest | |
| name: Select Jobs | |
| outputs: | |
| combined: ${{ steps.combine-path-filters.outputs.combined }} | |
| distros: ${{ steps.path-filter-iac.outputs.changes }} | |
| run_full_tests: ${{ steps.test-routing.outputs.run_full_tests }} | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: Check renovate readiness | |
| if: startsWith(github.event.pull_request.head.ref, 'renovate/') # Only call for Renovate PRs | |
| uses: ./.github/actions/renovate-readiness | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| # Add a custom filter for all packages that excludes any changes to IaC testing related config | |
| # Noting that adding `predicate-quantifier` produces a false warning message about an unexpected input, despite still being evaluated by the action | |
| - name: Check src paths - all | |
| id: path-filter-all | |
| uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 | |
| with: | |
| predicate-quantifier: "every" | |
| filters: | | |
| all: | |
| - "**" | |
| - "!.github/workflows/test-aks.yaml" | |
| - "!.github/workflows/test-eks.yaml" | |
| - "!.github/workflows/test-rke2.yaml" | |
| - "!.github/bundles/**" | |
| - "!.github/test-infra/**" | |
| - "!tasks/iac.yaml" | |
| # Uses a custom action to filter paths for source packages. | |
| - name: Check src paths - packages | |
| id: path-filter | |
| uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 | |
| with: | |
| filters: .github/filters.yaml | |
| - name: Merge Path Filter Outputs for Packages | |
| id: combine-path-filters | |
| run: | | |
| allPackageChanges='${{ steps.path-filter-all.outputs.changes }}' | |
| packageChanges='${{ steps.path-filter.outputs.changes }}' | |
| COMBINED=$(echo $allPackageChanges $packageChanges | jq -s 'add') | |
| echo combined=$COMBINED >> $GITHUB_OUTPUT | |
| echo The following packages will be triggered: $COMBINED | |
| - name: Compute test routing | |
| id: test-routing | |
| uses: ./.github/actions/test-routing | |
| with: | |
| event_name: ${{ github.event_name }} | |
| base_ref: ${{ github.base_ref }} | |
| head_ref: ${{ github.head_ref }} | |
| check-multiarch: | |
| runs-on: ubuntu-latest | |
| name: Check multi-arch images | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: Environment setup | |
| uses: ./.github/actions/setup | |
| with: | |
| ghToken: ${{ secrets.GITHUB_TOKEN }} | |
| registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} | |
| registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} | |
| chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} | |
| - name: Check multi-arch images | |
| uses: ./.github/actions/check-multiarch | |
| # @lulaStart 11948466-9230-4498-be44-dbac784d86d1 | |
| # This job triggers a separate workflow for each changed source package, if any. | |
| run-package-test: | |
| needs: check-paths | |
| if: ${{ needs.check-paths.outputs.run_full_tests == 'true' && needs.check-paths.outputs.combined != '' && needs.check-paths.outputs.combined != '[]' }} | |
| name: Schedule | |
| strategy: | |
| matrix: | |
| package: ${{ fromJson(needs.check-paths.outputs.combined) }} | |
| flavor: [upstream, registry1, unicorn] | |
| test_type: [install] | |
| # Upgrade tests are included for all flavors, but ONLY for `all` package tests | |
| include: | |
| - package: all | |
| flavor: registry1 | |
| test_type: upgrade | |
| - package: all | |
| flavor: upstream | |
| test_type: upgrade | |
| - package: all | |
| flavor: unicorn | |
| test_type: upgrade | |
| # Portal is not available in registry1; skip single-layer tests for that flavor | |
| exclude: | |
| - package: portal | |
| flavor: registry1 | |
| uses: ./.github/workflows/test.yaml | |
| with: | |
| package: ${{ matrix.package }} | |
| flavor: ${{ matrix.flavor }} | |
| test_type: ${{ matrix.test_type }} | |
| secrets: inherit # Inherits all secrets from the parent workflow. | |
| # @lulaEnd 11948466-9230-4498-be44-dbac784d86d1 | |
| # Shim required checks for backport PRs to release branches (i.e., non-release-please PRs) | |
| run-package-test-shim: | |
| needs: check-paths | |
| if: ${{ needs.check-paths.outputs.run_full_tests != 'true' && startsWith(github.base_ref, 'release/') }} | |
| name: Schedule | |
| strategy: | |
| matrix: | |
| package: [all] | |
| flavor: [upstream, registry1, unicorn] | |
| test_type: [install, upgrade] | |
| uses: ./.github/workflows/test-shim.yaml | |
| with: | |
| package: ${{ matrix.package }} | |
| flavor: ${{ matrix.flavor }} | |
| test_type: ${{ matrix.test_type }} | |
| secrets: inherit |