Add CZITI_TEST_INSECURE_KEYS compile flag for CI integration tests #698
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - alpha | |
| pull_request: | |
| branches: | |
| - main | |
| - alpha | |
| permissions: | |
| contents: write | |
| jobs: | |
| build-tsdk: | |
| runs-on: macos-15 | |
| strategy: | |
| matrix: | |
| spec: | |
| - { name: 'build-iphoneos-arm64', toolchain: 'iOS-arm64' } | |
| - { name: 'build-iphonesimulator-x86_64', toolchain: 'iOS-Simulator-x86_64' } | |
| - { name: 'build-iphonesimulator-arm64', toolchain: 'iOS-Simulator-arm64' } | |
| - { name: 'build-macosx-arm64', toolchain: 'macOS-arm64' } | |
| - { name: 'build-macosx-x86_64', toolchain: 'macOS-x86_64' } | |
| steps: | |
| - name: Checkout Project | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - uses: maxim-lobanov/setup-xcode@v1 | |
| with: | |
| xcode-version: '26.2' | |
| - name: macOS tools | |
| if: runner.os == 'macOS' | |
| shell: bash | |
| run: brew install autoconf autoconf-archive automake libtool pkg-config | |
| - uses: lukka/run-vcpkg@v11 | |
| with: | |
| vcpkgJsonGlob: './deps/ziti-tunnel-sdk-c/vcpkg.json' | |
| - name: get vcpkg cache key | |
| id: get_vcpkg_cache_key | |
| shell: bash | |
| env: | |
| KEY_PREFIX: vcpkg_cache-${{ matrix.spec.toolchain }} | |
| run: | | |
| common_key="${KEY_PREFIX}-vcpkg_json_md5=$(md5sum ./deps/ziti-tunnel-sdk-c/vcpkg.json | awk '{ print $1 }')" | |
| echo "key=${common_key}-ImageVersion=${ImageVersion}" | tee -a $GITHUB_OUTPUT | |
| - uses: actions/cache@v5 | |
| with: | |
| key: ${{ steps.get_vcpkg_cache_key.outputs.key }} | |
| path: ./deps/ziti-tunnel-sdk-c/${{ matrix.spec.toolchain }}/vcpkg_cache | |
| - name: ${{ matrix.spec.name }} | |
| env: | |
| TOOLCHAIN: ${{ matrix.spec.toolchain && format('../../toolchains/{0}.cmake', matrix.spec.toolchain) || '' }} | |
| VCPKG_BINARY_SOURCES: "clear;files,/Users/runner/work/ziti-sdk-swift/ziti-sdk-swift/deps/ziti-tunnel-sdk-c/${{ matrix.spec.toolchain }}/vcpkg_cache,readwrite" | |
| run: | | |
| (cd deps/ziti-tunnel-sdk-c && git fetch --tags) | |
| cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DTLSUV_TLSLIB=openssl -DEXCLUDE_PROGRAMS=ON -DVCPKG_INSTALL_OPTIONS="--overlay-ports=./deps/vcpkg-overlays/json-c" -DZITI_TUNNEL_BUILD_TESTS=OFF -DCMAKE_TOOLCHAIN_FILE="${TOOLCHAIN}" -S ./deps/ziti-tunnel-sdk-c -B ./deps/ziti-tunnel-sdk-c/${{ matrix.spec.name }} | |
| cmake --build ./deps/ziti-tunnel-sdk-c/${{ matrix.spec.name }} | |
| tar -cvzf ${{ matrix.spec.name }}.tgz -C ./deps/ziti-tunnel-sdk-c ${{ matrix.spec.name }} | |
| - name: Upload Build | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.spec.name }} | |
| path: ${{ matrix.spec.name }}.tgz | |
| build-cziti: | |
| runs-on: macos-15 | |
| needs: [ build-tsdk ] | |
| steps: | |
| - name: Checkout Project | |
| uses: actions/checkout@v3 | |
| with: | |
| submodules: true | |
| - uses: maxim-lobanov/setup-xcode@v1 | |
| with: | |
| xcode-version: '26.2' | |
| - name: Download Artifacts | |
| uses: actions/download-artifact@v4 | |
| - name: Extract TSDK Builds | |
| run: | | |
| ARTIFACT="build-iphoneos-arm64"; tar -xzvf ${ARTIFACT}/${ARTIFACT}.tgz -C ./deps/ziti-tunnel-sdk-c | |
| ARTIFACT="build-iphonesimulator-x86_64"; tar -xzvf ${ARTIFACT}/${ARTIFACT}.tgz -C ./deps/ziti-tunnel-sdk-c | |
| ARTIFACT="build-iphonesimulator-arm64"; tar -xzvf ${ARTIFACT}/${ARTIFACT}.tgz -C ./deps/ziti-tunnel-sdk-c | |
| ARTIFACT="build-macosx-x86_64"; tar -xzvf ${ARTIFACT}/${ARTIFACT}.tgz -C ./deps/ziti-tunnel-sdk-c | |
| ARTIFACT="build-macosx-arm64"; tar -xzvf ${ARTIFACT}/${ARTIFACT}.tgz -C ./deps/ziti-tunnel-sdk-c | |
| - name: Build CZiti | |
| run: | | |
| set -o pipefail | |
| xcodebuild build -configuration Release -scheme CZiti-iOS -derivedDataPath ./DerivedData/CZiti \ | |
| -arch arm64 -sdk iphoneos | xcpretty | |
| xcodebuild build -configuration Release -scheme CZiti-iOS -derivedDataPath ./DerivedData/CZiti \ | |
| -arch x86_64 -arch arm64 ONLY_ACTIVE_ARCH=NO -sdk iphonesimulator | xcpretty | |
| xcodebuild build -configuration Release -scheme CZiti-macOS -derivedDataPath ./DerivedData/CZiti \ | |
| -arch x86_64 -arch arm64 ONLY_ACTIVE_ARCH=NO -sdk macosx | xcpretty | |
| - name: Run Tests | |
| run: | | |
| set -o pipefail | |
| xcodebuild test -scheme CZitiTests -derivedDataPath ./DerivedData/CZiti \ | |
| -sdk macosx -destination 'platform=macOS' ONLY_ACTIVE_ARCH=YES | xcpretty | |
| # Build ziti-test-runner with the insecure-keys test flag so enrollment can generate | |
| # ephemeral keys and store them in the .zid file instead of the macOS data protection | |
| # keychain (which requires provisioning-profile-backed entitlements CI doesn't have). | |
| # NEVER use this flag in a release build. | |
| - name: Build ziti-test-runner (insecure test keys) | |
| run: | | |
| set -o pipefail | |
| xcodebuild build -configuration Debug -scheme ziti-test-runner \ | |
| -derivedDataPath ./DerivedData/CZiti -sdk macosx \ | |
| -destination 'platform=macOS' ONLY_ACTIVE_ARCH=YES \ | |
| SWIFT_ACTIVE_COMPILATION_CONDITIONS='$(inherited) CZITI_TEST_INSECURE_KEYS' \ | |
| CODE_SIGNING_ALLOWED=NO | xcpretty | |
| - name: Install ziti CLI | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -euo pipefail | |
| gh release download --repo openziti/ziti \ | |
| --pattern '*darwin-arm64*.tar.gz' \ | |
| --output /tmp/ziti.tgz | |
| sudo tar -xzf /tmp/ziti.tgz -C /usr/local/bin ziti | |
| ziti version | |
| - name: Integration test (OTT enrollment against quickstart) | |
| run: | | |
| set -euo pipefail | |
| rm -rf /tmp/qs && mkdir /tmp/qs | |
| nohup ziti edge quickstart --home /tmp/qs > /tmp/qs.log 2>&1 & | |
| QS_PID=$! | |
| trap "kill $QS_PID 2>/dev/null || true; cat /tmp/qs.log | tail -60" EXIT | |
| # Wait for controller | |
| for i in $(seq 1 60); do | |
| if curl -sk https://localhost:1280/edge/client/v1/version >/dev/null 2>&1; then | |
| echo "controller ready after ${i}s"; break | |
| fi | |
| sleep 1 | |
| done | |
| # Login, create an OTT identity, and preseed a service + dial policy so the | |
| # test verifies service discovery after auth (not just auth). | |
| ziti edge login localhost:1280 -u admin -p admin -y | |
| ziti edge create identity ztr-integ -a ztr-integ -o /tmp/ztr.jwt | |
| ziti edge create service ztr-svc -a ztr-svc | |
| ziti edge create service-policy ztr-svc-dial Dial \ | |
| --identity-roles '#ztr-integ' --service-roles '#ztr-svc' | |
| TOOL=./DerivedData/CZiti/Build/Products/Debug/ziti-test-runner | |
| # Pass 1: enroll and verify context auth, keeping the .zid for pass 2. | |
| echo "=== Pass 1: enroll + run ===" | |
| "$TOOL" --timeout 60 --keep-zid /tmp/ztr.zid /tmp/ztr.jwt | |
| # Pass 2: fresh process, load the .zid and re-auth. Verifies that the persisted | |
| # key+cert are sufficient to start Ziti without any in-memory state carryover. | |
| echo "=== Pass 2: only-run from saved zid ===" | |
| "$TOOL" --timeout 60 --only-run /tmp/ztr.zid | |
| - name: Create Frameworks | |
| run: | | |
| ./make_dist.sh | |
| pushd ./dist && zip -r ../CZiti.xcframework.zip CZiti.xcframework && popd | |
| - name: Upload CZiti.xcframework | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: CZiti.xcframework | |
| path: CZiti.xcframework.zip | |
| - name: Gen Docs | |
| run: | | |
| gem install jazzy | |
| jazzy --hide-documentation-coverage -x '-arch,x86_64,-scheme,CZiti-macOS,-sdk,macosx' -m CZiti | |
| tar -cvzf ./ziti-sdk-swift-docs.tgz -C ./docs . | |
| - name: Upload Docs | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ziti-sdk-swift-docs | |
| path: ziti-sdk-swift-docs.tgz | |
| draft-release: | |
| runs-on: ubuntu-latest | |
| needs: [ build-cziti ] | |
| if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/alpha') | |
| steps: | |
| - name: Checkout Project | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download Docs | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ziti-sdk-swift-docs | |
| - name: Download CZiti.xcframework | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: CZiti.xcframework | |
| - name: Draft Release | |
| id: release_drafter | |
| uses: release-drafter/release-drafter@v5 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload Docs | |
| uses: shogo82148/actions-upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
| asset_path: ./ziti-sdk-swift-docs.tgz | |
| asset_name: ziti-sdk-swift-docs.tgz | |
| asset_content_type: application/tgz | |
| overwrite: true | |
| - name: Upload CZiti.xcframework | |
| uses: shogo82148/actions-upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.release_drafter.outputs.upload_url }} | |
| asset_path: ./CZiti.xcframework.zip | |
| asset_name: CZiti.xcframework.zip | |
| asset_content_type: application/zip | |
| overwrite: true |