Update single-token.yml #26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - dev | |
| - multi-oidc | |
| - single-token | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write # for creating OIDC tokens for signing. | |
| packages: write #package for uploading attestation. | |
| contents: read | |
| jobs: | |
| build-publish-maven: | |
| runs-on: ubuntu-latest | |
| env: | |
| DOCKER_REPO: 'optum-main-docker-virtual' | |
| IMAGE_NAME: 'my-very-cool-image-from-edge:${{ github.run_number }}' | |
| JF_URL: https://${{ vars.JF_URL }}/ | |
| DOCKER_CLI_EXPERIMENTAL: enabled | |
| JFROG_PLATFORM_REPO: 'optum-main-smart-virtual' | |
| JFROG_PLATFORM_REPO_DEPLOY : 'optum-main-maven-virtual' | |
| #JFROG_PLATFORM_REPO: 'maven-edge-local' | |
| JF_PROJECT: optum-main | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v4 | |
| - name: Get id token | |
| run: | | |
| ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ | |
| "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=optum-main-aud" | jq .value | tr -d '"') | |
| echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_ENV | |
| - name: Exchange token with access | |
| env: | |
| ID_TOKEN: ${{env.ID_TOKEN}} | |
| JFROG_PLATFORM_URL: psazuse.jfrog.io | |
| run: | | |
| ACCESS_TOKEN=$(curl -XPOST -H "Content-Type: application/json" "https://psazuse.jfrog.io/access/api/v1/oidc/token" -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"optum-main-oidc\", \"project_key\": \"\"}" | jq .access_token | tr -d '"') | |
| echo "ACCESS_TOKEN=${ACCESS_TOKEN}" >> $GITHUB_ENV | |
| echo "ACCESS_TOKEN=${ACCESS_TOKEN}" | |
| # - name: Setup JFrog CLI | |
| - name: Configure JFrog CLI | |
| id: setup-cli | |
| uses: jfrog/setup-jfrog-cli@v4 | |
| env: | |
| JF_URL: https://psazeuwedge.jfrog.io | |
| #JF_ACCESS_TOKEN: ${ACCESS_TOKEN} | |
| - run: | | |
| jf config add setup-jfrog-cli-server-on-edge --url https://psazeuwedge.jfrog.io --access-token ${ACCESS_TOKEN} --interactive=false | |
| # with: | |
| #oidc-provider-name: github-oidc-edge-group | |
| #oidc-audience: jfrog-github-edge-group-aud | |
| #oidc-provider-name: optum-main-oidc | |
| #oidc-audience: optum-main-aud | |
| - name: Check Edge Auth | |
| run: | | |
| jf rt ping | |
| jf config show | |
| - name: Configure Maven | |
| # run: jf mvnc --repo-deploy-releases $JFROG_PLATFORM_REPO --repo-deploy-snapshots $JFROG_PLATFORM_REPO --repo-resolve-releases $JFROG_PLATFORM_REPO --repo-resolve-snapshots $JFROG_PLATFORM_REPO | |
| #run: jf mvnc --repo-resolve-releases optum-main-maven-smart-repo --repo-resolve-snapshots optum-main-maven-smart-repo | |
| run: jf mvnc --server-id-resolve setup-jfrog-cli-server-on-edge --repo-resolve-releases $JFROG_PLATFORM_REPO --repo-resolve-snapshots $JFROG_PLATFORM_REPO | |
| - name: Build and Upload JAR to Artifactory | |
| env: | |
| JF_URL: https://psazeuwedge.jfrog.io/ | |
| JF_PROJECT: "" | |
| run: | | |
| jf config use setup-jfrog-cli-server-on-edge | |
| jf config show | |
| jf mvn clean compile package | |
| - name: Setup JFrog CLI JPD | |
| id: setup-cli-JPD | |
| uses: jfrog/setup-jfrog-cli@v4 | |
| env: | |
| JF_URL: https://psazuse.jfrog.io/ | |
| JF_PROJECT: optum-main | |
| with: | |
| oidc-provider-name: optum-main-oidc | |
| oidc-audience: optum-main-aud | |
| - name: Build and Upload JAR to Artifactory | |
| env: | |
| JF_URL: https://psazuse.jfrog.io/ | |
| JF_PROJECT: mgm-project | |
| run: | | |
| jf config use setup-jfrog-cli-server | |
| ACCESS_TOKEN=${{ steps.setup-cli-JPD.outputs.oidc-token }} | |
| echo ${ACCESS_TOKEN} | |
| jf mvnc --server-id-resolve setup-jfrog-cli-server --repo-deploy-releases $JFROG_PLATFORM_REPO_DEPLOY --repo-deploy-snapshots $JFROG_PLATFORM_REPO_DEPLOY --repo-resolve-releases $JFROG_PLATFORM_REPO_DEPLOY --repo-resolve-snapshots $JFROG_PLATFORM_REPO_DEPLOY | |
| jf mvn deploy | |
| - name: Authenticate Docker | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ vars.JF_URL }} | |
| username: ${{ steps.setup-cli-JPD.outputs.oidc-user }} | |
| password: ${{ steps.setup-cli-JPD.outputs.oidc-token }} | |
| - name: docker build through | |
| run: | | |
| jf docker --version | |
| jf docker build --tag ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} --metadata-file metadata.json --push . | |
| - name: publish build info | |
| run: | | |
| jf config show | |
| jf rt build-collect-env | |
| jf rt build-add-dependencies . | |
| jf rt build-add-git | |
| jf rt build-publish | |
| jf rt bp $CI_JOB_NAME $CI_JOB_ID | |
| #jf build-scan $CI_JOB_NAME $CI_JOB_ID | |