openid-client/.github/workflows/conformance.yml at main · panva/openid-client · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: Conformance Checks

permissions: {}

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '20 11 * * 1'
  workflow_dispatch:
    inputs:
      conformance_suite_version:
        description: 'Conformance Suite version override, e.g. release-v5.1.39 (takes precedence over vars.CONFORMANCE_SUITE_VERSION)'
        required: false
        type: string

jobs:
  build:
    uses: panva/.github/.github/workflows/build-conformance-suite.yml@main
    with:
      version: ${{ inputs.conformance_suite_version || vars.CONFORMANCE_SUITE_VERSION || '' }}

  run:
    runs-on: ubuntu-latest
    needs:
      - build
    strategy:
      fail-fast: false
      matrix:
        setup:
          # Core 1.0 response_type=code
          - plan: oidcc-client-basic-certification-test-plan
          - plan: oidcc-client-basic-certification-test-plan
            variant:
              client_registration: dynamic_client

          # Core 1.0 response_type=code id_token
          - plan: oidcc-client-hybrid-certification-test-plan
          - plan: oidcc-client-hybrid-certification-test-plan
            variant:
              client_registration: dynamic_client

          # Core 1.0 response_type=id_token
          - plan: oidcc-client-implicit-certification-test-plan
          - plan: oidcc-client-implicit-certification-test-plan
            variant:
              client_registration: dynamic_client

          # Comprehensive Core 1.0 client test
          - plan: oidcc-client-test-plan
          - plan: oidcc-client-test-plan
            variant:
              response_type: code id_token
          - plan: oidcc-client-test-plan
            variant:
              response_type: id_token

          # Financial-grade API Security Profile 1.0 - Part 2: Advanced
          - plan: fapi1-advanced-final-client-test-plan
            variant:
              client_auth_type: 'private_key_jwt'
          - plan: fapi1-advanced-final-client-test-plan
            variant:
              client_auth_type: 'mtls'
          - plan: fapi1-advanced-final-client-test-plan
            variant:
              fapi_response_mode: 'plain_response'
              fapi_auth_request_method: 'by_value'

          # FAPI 2.0 Security Profile Final
          - plan: fapi2-security-profile-final-client-test-plan
            variant:
              client_auth_type: 'private_key_jwt'
              sender_constrain: 'dpop'
          - plan: fapi2-security-profile-final-client-test-plan
            variant:
              client_auth_type: 'private_key_jwt'
              sender_constrain: 'mtls'
          - plan: fapi2-security-profile-final-client-test-plan
            variant:
              client_auth_type: 'mtls'
              sender_constrain: 'dpop'
          - plan: fapi2-security-profile-final-client-test-plan
            variant:
              client_auth_type: 'mtls'
              sender_constrain: 'mtls'

          # FAPI 2.0 Message Signing Final
          - plan: fapi2-message-signing-final-client-test-plan
          - plan: fapi2-message-signing-final-client-test-plan
            variant:
              fapi_client_type: 'plain_oauth'

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Load Cached Conformance Suite Build
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        id: cache
        with:
          path: ./conformance-suite
          key: ${{ needs.build.outputs.cache-key }}
          fail-on-cache-miss: true
      - name: Run Conformance Suite
        working-directory: ./conformance-suite
        env:
          COMPOSE_BAKE: true
        run: |
          docker compose -f docker-compose-dev.yml up -d
          while ! curl -skfail https://localhost.emobix.co.uk:8443/api/runner/available >/dev/null; do sleep 2; done
      - name: Setup node
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: lts/*
          cache: 'npm'
      - run: npm clean-install
      - name: npm run conformance
        run: |
          set -o pipefail
          npm run conformance | tee capture.txt
        env:
          NODE_TLS_REJECT_UNAUTHORIZED: 0
          SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
          PLAN_NAME: ${{ matrix.setup.plan }}
          VARIANT: ${{ toJSON(matrix.setup.variant) }}
      - run: node ./conformance/.parse-logs.mjs capture.txt
      - name: Stop Conformance Suite
        working-directory: ./conformance-suite
        env:
          COMPOSE_BAKE: true
        run: |
          docker compose -f docker-compose-dev.yml down
          sudo rm -rf mongo
      - name: Upload test artifacts
        id: artifact-upload-step
        uses: actions/upload-artifact@v7.0.0
        with:
          path: |
            *.zip
            *.txt
          name: conformance results idx(${{ strategy.job-index }})
          if-no-files-found: error
        if: ${{ always() }}
      - if: ${{ success() }}
        run: |
          echo "### [:tada:](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/${{ steps.artifact-upload-step.outputs.artifact-id }})" >> $GITHUB_STEP_SUMMARY
      - if: ${{ failure() }}
        run: |
          echo "### [:exclamation:](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/${{ steps.artifact-upload-step.outputs.artifact-id }})" >> $GITHUB_STEP_SUMMARY