Mention SAML in confidential app description #619
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom Build | |
| on: | |
| push: | |
| branches: | |
| - '*' | |
| - '!gh-pages' | |
| tags: | |
| - '*' | |
| # We need to set id-token to write. | |
| # But we cannot simply write | |
| # permissions: | |
| # id-token: write | |
| # because those unspecified permissions are 'none', instead of taking their default values, as documented in | |
| # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions | |
| # So we repeat the defaults here. | |
| permissions: | |
| # The following are the default values we have to repeat here. | |
| actions: "write" | |
| attestations: "write" | |
| checks: "write" | |
| contents: "write" | |
| deployments: "write" | |
| discussions: "write" | |
| issues: "write" | |
| packages: "write" | |
| pages: "write" | |
| pull-requests: "write" | |
| repository-projects: "write" | |
| security-events: "write" | |
| statuses: "write" | |
| # The above are the default values we have to repeat here. | |
| # We need to set id-token: write so that we can fetch the ID token. | |
| # See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings | |
| # The ID token is used in Workload Identity Federation. | |
| id-token: "write" | |
| jobs: | |
| authgear-image-custom: | |
| runs-on: ubuntu-24.04 | |
| if: ${{ github.repository == 'authgear/authgear-server' }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # https://aran.dev/posts/github-actions-go-private-modules/ | |
| - name: Set up SSH key | |
| env: | |
| SSH_AUTH_SOCK: /tmp/ssh_agent.sock | |
| AUTHGEAR_PRIVATE_DEPLOY_KEY: ${{ secrets.AUTHGEAR_PRIVATE_DEPLOY_KEY }} | |
| run: | | |
| mkdir -p ~/.ssh | |
| eval $(ssh-agent -a $SSH_AUTH_SOCK) | |
| printf "$AUTHGEAR_PRIVATE_DEPLOY_KEY" | base64 --decode | ssh-add - | |
| echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV" | |
| echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV" | |
| - run: make -C custombuild build-image TARGET=authgearx IMAGE_NAME=authgear-server-custom | |
| - name: Clean up SSH key | |
| if: ${{ always() }} | |
| run: | | |
| ssh-add -D | |
| ssh-agent -k | |
| echo "SSH_AUTH_SOCK=" >> "$GITHUB_ENV" | |
| echo "SSH_AGENT_PID=" >> "$GITHUB_ENV" | |
| - uses: oursky/google-github-actions-auth@v2 | |
| with: | |
| project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_HK }} | |
| workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_HK }} | |
| - uses: oursky/google-github-actions-setup-gcloud@v2 | |
| - name: Configure docker | |
| env: | |
| REPO: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_HK }} | |
| run: | | |
| gcloud auth configure-docker "$REPO" | |
| - name: Push to HK | |
| env: | |
| REPO_PREFIX: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_HK }} | |
| run: | | |
| make -C custombuild tag-image IMAGE_NAME=authgear-server-custom REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-server" | |
| make -C custombuild push-image REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-server" || docker logout "$REPO" | |
| - uses: oursky/google-github-actions-auth@v2 | |
| with: | |
| project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_US }} | |
| workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_US }} | |
| - uses: oursky/google-github-actions-setup-gcloud@v2 | |
| - name: Configure docker | |
| env: | |
| REPO: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_US }} | |
| run: | | |
| gcloud auth configure-docker "$REPO" | |
| - name: Push to US | |
| env: | |
| REPO_PREFIX: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_US }} | |
| run: | | |
| make -C custombuild tag-image IMAGE_NAME=authgear-server-custom REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-server" | |
| make -C custombuild push-image REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-server" || docker logout "$REPO" | |
| portal-image-custom: | |
| runs-on: ubuntu-24.04 | |
| if: ${{ github.repository == 'authgear/authgear-server' }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # https://aran.dev/posts/github-actions-go-private-modules/ | |
| - name: Set up SSH key | |
| env: | |
| SSH_AUTH_SOCK: /tmp/ssh_agent.sock | |
| AUTHGEAR_PRIVATE_DEPLOY_KEY: ${{ secrets.AUTHGEAR_PRIVATE_DEPLOY_KEY }} | |
| run: | | |
| mkdir -p ~/.ssh | |
| eval $(ssh-agent -a $SSH_AUTH_SOCK) | |
| printf "$AUTHGEAR_PRIVATE_DEPLOY_KEY" | base64 --decode | ssh-add - | |
| echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV" | |
| echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV" | |
| - run: make -C custombuild build-image TARGET=portalx IMAGE_NAME=authgear-portal-custom | |
| - name: Clean up SSH key | |
| if: ${{ always() }} | |
| run: | | |
| ssh-add -D | |
| ssh-agent -k | |
| echo "SSH_AUTH_SOCK=" >> "$GITHUB_ENV" | |
| echo "SSH_AGENT_PID=" >> "$GITHUB_ENV" | |
| - uses: oursky/google-github-actions-auth@v2 | |
| with: | |
| project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_HK }} | |
| workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_HK }} | |
| - uses: oursky/google-github-actions-setup-gcloud@v2 | |
| - name: Configure docker | |
| env: | |
| REPO: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_HK }} | |
| run: | | |
| gcloud auth configure-docker "$REPO" | |
| - name: Push to HK | |
| env: | |
| REPO_PREFIX: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_HK }} | |
| run: | | |
| make -C custombuild tag-image IMAGE_NAME=authgear-portal-custom REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-portal" | |
| make -C custombuild push-image REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-portal" || docker logout "$REPO" | |
| - uses: oursky/google-github-actions-auth@v2 | |
| with: | |
| project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_US }} | |
| workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_US }} | |
| - uses: oursky/google-github-actions-setup-gcloud@v2 | |
| - name: Configure docker | |
| env: | |
| REPO: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_US }} | |
| run: | | |
| gcloud auth configure-docker "$REPO" | |
| - name: Push to US | |
| env: | |
| REPO_PREFIX: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_US }} | |
| run: | | |
| make -C custombuild tag-image IMAGE_NAME=authgear-portal-custom REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-portal" | |
| make -C custombuild push-image REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-portal" || docker logout "$REPO" |