fix: reject invalid JWKS in client configuration / dependency cleanup and bump #1518
---
# Workflow identity and triggers for the Ory Hydra CI pipeline.
name: CI Tasks for Ory Hydra

# yamllint disable-line rule:truthy -- `on` is the GitHub Actions trigger key.
on:
  push:
    branches:
      - master
    tags:
      - "*"
  # Bare value: run on the default pull_request activity types.
  pull_request:

# Cancel in-progress runs in current workflow.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
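# NOTE(review): no workflow-level `permissions:` is declared, so each job
# receives the repository's default GITHUB_TOKEN scope; a top-level
# `permissions: { contents: read }` with per-job grants would narrow it.
# Confirm which ory/ci actions need write scopes before adding it.
# NOTE(review): third-party actions are referenced by mutable refs
# (`@master`, `@vN`). Pinning to a full commit SHA is the usual
# supply-chain hardening; the SHAs are not recorded in this file.
jobs:
  oidc-conformity:
    name: Run OIDC conformity tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: ory/ci/checkout@master
        with:
          # We must fetch at least the immediate parents so that if this is
          # a pull request then we can checkout the head.
          fetch-depth: 2
      # setup-go is pinned to the same major (v4) in every job so the
      # toolchain does not drift between the conformity, unit and e2e runs.
      - uses: actions/setup-go@v4
        with:
          go-version: "1.20"
      - name: Start service
        run: ./test/conformance/start.sh
      - name: Run tests
        run: ./test/conformance/test.sh -v -short -parallel 16

  sdk-generate:
    name: Generate SDKs
    runs-on: ubuntu-latest
    outputs:
      # Consumed by the test jobs to restore the generated client.
      sdk-cache-key: ${{ steps.sdk-generate.outputs.sdk-cache-key }}
    steps:
      - uses: ory/ci/sdk/generate@master
        id: sdk-generate
        with:
          token: ${{ secrets.ORY_BOT_PAT }}

  test:
    name: Run tests and lints
    runs-on: ubuntu-latest
    needs:
      - sdk-generate
    services:
      postgres:
        image: postgres:11.8
        env:
          POSTGRES_DB: postgres
          POSTGRES_PASSWORD: test
          POSTGRES_USER: test
        ports:
          # Port mappings are quoted so no YAML parser can read them as numbers.
          - "5432:5432"
      mysql:
        image: mysql:8.0.26
        env:
          MYSQL_ROOT_PASSWORD: test
        ports:
          - "3306:3306"
    env:
      # Throwaway credentials for the ephemeral CI service containers above.
      TEST_DATABASE_POSTGRESQL: "postgres://test:test@localhost:5432/postgres?sslmode=disable"
      TEST_DATABASE_MYSQL: "mysql://root:test@(localhost:3306)/mysql?multiStatements=true&parseTime=true"
      TEST_DATABASE_COCKROACHDB: "cockroach://root@localhost:26257/defaultdb?sslmode=disable"
    steps:
      - name: Start CockroachDB
        run: |
          docker create --name cockroach -p 26257:26257 \
            cockroachdb/cockroach:v22.1.10 start-single-node --insecure
          docker start cockroach
      - uses: ory/ci/checkout@master
        with:
          fetch-depth: 2
      # NOTE(review): actions/cache@v2 targets a runner Node version that
      # GitHub has deprecated; bump it alongside setup-go once the target
      # major is confirmed.
      - uses: actions/cache@v2
        with:
          path: |
            internal/httpclient
          key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
      - uses: actions/setup-go@v4
        with:
          go-version: "1.20"
      - run: go list -json > go.list
      - name: Run nancy
        uses: sonatype-nexus-community/nancy-github-action@v1.0.2
        with:
          nancyVersion: v1.0.42
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v3
        env:
          GOGC: "100"
        with:
          args: --timeout 10m0s
          version: v1.53.2
          skip-pkg-cache: true
      - name: Run go-acc (tests)
        run: |
          make .bin/go-acc
          .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,json1
      - name: Submit to Codecov
        # Download to a file first: `bash <(curl -s ...)` runs an empty script
        # and reports success when the download fails, and `-s` hides the
        # error. Executing an unverified remote script with CODECOV_TOKEN in
        # the environment is also a supply-chain exposure; prefer the
        # maintained uploader with checksum verification when migrating.
        run: |
          set -euo pipefail
          curl -fsSL https://codecov.io/bash -o codecov.sh
          bash codecov.sh
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  test-hsm:
    name: Run HSM tests
    needs:
      - sdk-generate
    runs-on: ubuntu-latest
    env:
      # SoftHSM test token. The PIN is a throwaway value for the ephemeral
      # CI token, not a production secret. Values are quoted because Actions
      # passes every env value as a string anyway.
      HSM_ENABLED: "true"
      HSM_LIBRARY: /usr/lib/softhsm/libsofthsm2.so
      HSM_TOKEN_LABEL: hydra
      HSM_PIN: "1234"
    steps:
      - uses: ory/ci/checkout@master
      - uses: actions/cache@v2
        with:
          path: |
            internal/httpclient
          key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
      - uses: actions/setup-go@v4
        with:
          go-version: "1.20"
      - name: Setup HSM libs and packages
        run: |
          sudo apt install -y softhsm opensc
          sudo rm -rf /var/lib/softhsm/tokens
          sudo mkdir -p /var/lib/softhsm/tokens
          sudo chmod -R a+rwx /var/lib/softhsm
          sudo chmod a+rx /etc/softhsm
          sudo chmod a+r /etc/softhsm/*
      - name: HSM tests
        # Initialise the token from the job-level HSM_* variables so the
        # values the tests read and the ones used to create the token
        # cannot drift apart.
        run: |
          pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
          go test -p 1 -failfast -short -timeout=20m -tags=sqlite,hsm ./...

  test-e2e:
    name: Run end-to-end tests
    runs-on: ubuntu-latest
    needs:
      - sdk-generate
    strategy:
      matrix:
        database: ["memory", "postgres", "mysql", "cockroach"]
        args: ["", "--jwt"]
    services:
      postgres:
        image: postgres:11.8
        env:
          POSTGRES_DB: postgres
          POSTGRES_PASSWORD: test
          POSTGRES_USER: test
        ports:
          - "5432:5432"
      mysql:
        image: mysql:8.0.26
        env:
          MYSQL_ROOT_PASSWORD: test
        ports:
          - "3306:3306"
    env:
      # Throwaway credentials for the ephemeral CI service containers above.
      TEST_DATABASE_POSTGRESQL: "postgres://test:test@localhost:5432/postgres?sslmode=disable"
      TEST_DATABASE_MYSQL: "mysql://root:test@(localhost:3306)/mysql?multiStatements=true&parseTime=true"
      TEST_DATABASE_COCKROACHDB: "cockroach://root@localhost:26257/defaultdb?sslmode=disable"
    steps:
      - name: Start CockroachDB
        run: |
          docker create --name cockroach -p 26257:26257 \
            cockroachdb/cockroach:v22.1.10 start-single-node --insecure
          docker start cockroach
      - uses: ory/ci/checkout@master
      - uses: actions/setup-go@v4
        with:
          go-version: "1.20"
      - uses: actions/cache@v2
        with:
          path: ./test/e2e/hydra
          key: ${{ runner.os }}-hydra
      - uses: actions/cache@v2
        with:
          path: |
            internal/httpclient
          key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
      # Matrix values are fixed literals declared above, not user input.
      - run: ./test/e2e/circle-ci.bash ${{ matrix.database }} ${{ matrix.args }}

  docs-cli:
    runs-on: ubuntu-latest
    name: Build CLI docs
    needs:
      - test
    steps:
      - uses: ory/ci/docs/cli-next@master
        with:
          token: ${{ secrets.ORY_BOT_PAT }}
          output-dir: docs/hydra/cli

  changelog:
    name: Generate changelog
    runs-on: ubuntu-latest
    if: ${{ github.ref_type == 'tag' || github.ref_name == 'master' }}
    needs:
      - test
      - test-hsm
      - test-e2e
    steps:
      - uses: ory/ci/changelog@master
        with:
          token: ${{ secrets.ORY_BOT_PAT }}

  sdk-release:
    name: Release SDKs
    runs-on: ubuntu-latest
    if: ${{ github.ref_type == 'tag' }}
    needs:
      - test
      - test-hsm
      - sdk-generate
      - release
    steps:
      - uses: ory/ci/sdk/release@master
        with:
          swag-spec-location: spec/api.json
          token: ${{ secrets.ORY_BOT_PAT }}

  release:
    name: Generate release
    runs-on: ubuntu-latest
    if: ${{ github.ref_type == 'tag' }}
    # Gated on every test job so a tag is never released from a red build.
    needs:
      - oidc-conformity
      - test
      - test-hsm
      - test-e2e
      - changelog
    steps:
      - uses: ory/ci/releaser@master
        with:
          token: ${{ secrets.ORY_BOT_PAT }}
          goreleaser_key: ${{ secrets.GORELEASER_KEY }}
          cosign_pwd: ${{ secrets.COSIGN_PWD }}
          docker_username: ${{ secrets.DOCKERHUB_USERNAME }}
          docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}

  render-version-schema:
    name: Render version schema
    runs-on: ubuntu-latest
    if: ${{ github.ref_type == 'tag' }}
    needs:
      - release
    steps:
      - uses: ory/ci/releaser/render-version-schema@master
        with:
          schema-path: .schema/config.schema.json
          token: ${{ secrets.ORY_BOT_PAT }}

  newsletter-draft:
    name: Draft newsletter
    runs-on: ubuntu-latest
    if: ${{ github.ref_type == 'tag' }}
    needs:
      - release
    steps:
      - uses: ory/ci/newsletter@master
        with:
          mailchimp_list_id: f605a41b53
          # NOTE(review): the `mailchmip_` spelling is kept because it must
          # match the input name the action declares; verify against the
          # action before renaming.
          mailchmip_segment_id: "6479481"
          mailchimp_api_key: ${{ secrets.MAILCHIMP_API_KEY }}
          draft: "true"
          ssh_key: ${{ secrets.ORY_BOT_SSH_KEY }}

  slack-approval-notification:
    name: Pending approval Slack notification
    runs-on: ubuntu-latest
    if: ${{ github.ref_type == 'tag' }}
    needs:
      - newsletter-draft
    steps:
      - uses: ory/ci/newsletter/slack-notify@master
        with:
          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

  newsletter-send:
    name: Send newsletter
    runs-on: ubuntu-latest
    needs:
      - newsletter-draft
    if: ${{ github.ref_type == 'tag' }}
    # The `production` environment is where the manual approval gate lives.
    environment: production
    steps:
      - uses: ory/ci/newsletter@master
        with:
          mailchimp_list_id: f605a41b53
          # NOTE(review): spelling kept to match the action's declared input;
          # verify before renaming.
          mailchmip_segment_id: "6479481"
          mailchimp_api_key: ${{ secrets.MAILCHIMP_API_KEY }}
          draft: "false"
          ssh_key: ${{ secrets.ORY_BOT_SSH_KEY }}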