feat: Support OIDC Provider OIDC Clients #946
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pull Request | |
| on: | |
| pull_request: | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_OWNER: ${{ github.repository_owner }} | |
| NIX_INSTALL_SHA: de490f61fcbaf9a5cabf2fa621ddb9ef93ad35d9a23a04e7d51b26e092b63691 | |
| NIX_INSTALL_VERSION: 2.34.4 | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout | |
| - name: build binaries | |
| env: | |
| CROSS: 1 | |
| VERSION: ${{ github.ref_name }} | |
| run: | | |
| make build | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout | |
| with: | |
| fetch-depth: 0 | |
| - name: install-nix | |
| run: | | |
| curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install" | |
| echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c - | |
| chmod +x nix_install.sh | |
| ./nix_install.sh | |
| source /home/runner/.nix-profile/etc/profile.d/nix.sh | |
| nix --version | |
| rm -f ./nix_install.sh | |
| - name: Run make test | |
| shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} | |
| run: | | |
| make test | |
| terraform: | |
| name: 'Terraform' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout | |
| with: | |
| fetch-depth: 0 | |
| - name: install-nix | |
| run: | | |
| curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install" | |
| echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c - | |
| chmod +x nix_install.sh | |
| ./nix_install.sh | |
| source /home/runner/.nix-profile/etc/profile.d/nix.sh | |
| nix --version | |
| rm -f ./nix_install.sh | |
| - name: lint terraform | |
| shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} | |
| run: | | |
| terraform fmt -check -recursive | |
| tflint --recursive | |
| actionlint: | |
| name: 'Lint Workflows' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout | |
| with: | |
| fetch-depth: 0 | |
| - name: install-nix | |
| run: | | |
| curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install" | |
| echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c - | |
| chmod +x nix_install.sh | |
| ./nix_install.sh | |
| source /home/runner/.nix-profile/etc/profile.d/nix.sh | |
| nix --version | |
| rm -f ./nix_install.sh | |
| - name: action lint | |
| shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} | |
| run: actionlint | |
| node-check: | |
| name: 'Node Check' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout | |
| with: | |
| fetch-depth: 0 | |
| - name: install-nix | |
| run: | | |
| curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install" | |
| echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c - | |
| chmod +x nix_install.sh | |
| ./nix_install.sh | |
| source /home/runner/.nix-profile/etc/profile.d/nix.sh | |
| nix --version | |
| rm -f ./nix_install.sh | |
| - name: check | |
| shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} | |
| run: | | |
| while read -r file; do | |
| echo "Checking $file"; | |
| node --check "$file"; | |
| done <<<"$(find . -type f \( -name "*.js" \))" | |
| eslint: | |
| name: 'ESLint' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout | |
| with: | |
| fetch-depth: 0 | |
| - name: install-nix | |
| run: | | |
| curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install" | |
| echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c - | |
| chmod +x nix_install.sh | |
| ./nix_install.sh | |
| source /home/runner/.nix-profile/etc/profile.d/nix.sh | |
| nix --version | |
| rm -f ./nix_install.sh | |
| - name: check | |
| shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} | |
| run: | | |
| npm install --save-dev eslint @eslint/js | |
| eslint . | |
| shellcheck: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout | |
| with: | |
| fetch-depth: 0 | |
| - name: install-nix | |
| run: | | |
| curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install" | |
| echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c - | |
| chmod +x nix_install.sh | |
| ./nix_install.sh | |
| source /home/runner/.nix-profile/etc/profile.d/nix.sh | |
| nix --version | |
| rm -f ./nix_install.sh | |
| - name: shell check | |
| shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} | |
| run: | | |
| while read -r file; do | |
| echo "checking $file..." | |
| shellcheck -x "$file" | |
| done <<<"$(grep -Rl -e '^#!' | grep -v '.terraform'| grep -v '.git')" | |
| validate-commit-message: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout | |
| with: | |
| fetch-depth: 0 | |
| - name: install-nix | |
| run: | | |
| curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install" | |
| echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c - | |
| chmod +x nix_install.sh | |
| ./nix_install.sh | |
| source /home/runner/.nix-profile/etc/profile.d/nix.sh | |
| nix --version | |
| rm -f ./nix_install.sh | |
| - name: Check commit message | |
| shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} | |
| run: | | |
| set -e | |
| # Check commit messages | |
| # This steps enforces https://www.conventionalcommits.org/en/v1.0.0/ | |
| # This format enables automatic generation of changelogs and versioning | |
| filter() { | |
| COMMIT="$1" | |
| output="$(echo "$COMMIT" | grep -v -e '^fix: ' -e '^feature: ' -e '^feat: ' -e '^refactor!: ' -e '^feature!: ' -e '^feat!: ' -e '^chore(main): ' -e '^Merge branch ')" | |
| echo "$output" | |
| } | |
| prefix_check() { | |
| message="$1" | |
| if [ "" != "$(filter "$message")" ]; then | |
| cat <<EOF | |
| ...Commit message does not start with the required prefix. | |
| Please use one of the following prefixes: "fix:", "feature:", "feat:", "refactor!:", "feature!:", or "feat!:". | |
| This enables release-please to automatically format release notes based on the commit message. | |
| $message | |
| EOF | |
| exit 1 | |
| else | |
| echo "...Commit message starts with the required prefix." | |
| fi | |
| } | |
| empty_check() { | |
| message="$1" | |
| if [ "" == "$message" ]; then | |
| echo "...Empty commit message." | |
| exit 1 | |
| else | |
| echo "...Commit message isnt empty." | |
| fi | |
| } | |
| length_check() { | |
| message="$1" | |
| length="$(wc -m <<<"$message")" | |
| if [ $length -gt 100 ]; then | |
| echo "...Commit message subject line should be less than 100 characters, found $length." | |
| exit 1 | |
| else | |
| echo "...Commit message subject line is less than 100 characters." | |
| fi | |
| } | |
| spell_check() { | |
| message="$1" | |
| WORDS="$(aspell list --dont-validate-words <<<"$message")" | |
| if [ "" != "$WORDS" ]; then | |
| echo "...Commit message contains spelling errors on: ^$WORDS\$" | |
| echo "...Also try updating the PR title." | |
| echo "...If this is a mistake, add your word to the aspell_custom.txt file, it is case insensitive." | |
| exit 1 | |
| else | |
| echo "...Commit message doesnt contain spelling errors." | |
| fi | |
| } | |
| # Fetch the commit messages | |
| COMMIT_MESSAGES="$(gh pr view ${{github.event.number}} --json commits | jq -r '.commits[].messageHeadline')" | |
| echo "Commit messages found: " | |
| echo "$COMMIT_MESSAGES" | |
| while read -r message; do | |
| echo "checking message ^$message\$" | |
| empty_check "$message" | |
| prefix_check "$message" | |
| length_check "$message" | |
| spell_check "$message" | |
| echo "message ^$message\$ passed all checks" | |
| done <<<"$COMMIT_MESSAGES" | |
| gitleaks: | |
| name: 'Scan for Secrets' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout | |
| with: | |
| fetch-depth: 0 | |
| - name: install-nix | |
| run: | | |
| curl -L -o nix_install.sh "https://releases.nixos.org/nix/nix-${NIX_INSTALL_VERSION}/install" | |
| echo "${NIX_INSTALL_SHA} nix_install.sh" | sha256sum -c - | |
| chmod +x nix_install.sh | |
| ./nix_install.sh | |
| source /home/runner/.nix-profile/etc/profile.d/nix.sh | |
| nix --version | |
| rm -f ./nix_install.sh | |
| - name: Check for secrets | |
| shell: /home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} | |
| run: | | |
| gitleaks detect --no-banner -v --no-git | |
| gitleaks detect --no-banner -v | |
| continue-on-error: true |