artifactory oidc #17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Runs on every commit to main. This is the main CI job; it runs in MacOS and Ubuntu environments which: | |
# * Build | |
# * Run tests | |
# | |
# In the Ubuntu environment only, to avoid double uploads from MacOS, it also: | |
# * Uploads Test reports to BuildKite | |
# * Uploads Coverage reports to CodeCov | |
# * Publishes (deploys) to Block's SaaS Artifactory instance as version commit-$shortSHA-SNAPSHOT | |
# | |
# If triggered from workflow_dispatch, you may select a branch or tag to | |
# deploy as an internal "release" (or SNAPSHOT, depending upon the version in the POM) | |
# to Block's SaaS Artifactory instance by not specifying a version. | |
name: CI | |
on: | |
workflow_dispatch: | |
inputs: | |
version: | |
description: 'Version to publish. For example "1.0.0-SNAPSHOT". If not supplied, will default to version specified in the POM. Must end in "-SNAPSHOT".' | |
required: false | |
default: "0.0.0-SNAPSHOT" | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
jobs: | |
# On MacOS we only build, test, and verify | |
build-test-macos: | |
runs-on: macOS-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: true | |
# https://cashapp.github.io/hermit/usage/ci/ | |
- name: Init Hermit | |
uses: cashapp/activate-hermit@v1 | |
with: | |
cache: true | |
- name: Build, Test, and Verify | |
run: | | |
# Maven "test" lifecycle will build and test only on MacOS | |
mvn test | |
# On Ubuntu we build, test, verify, and deploy: Code Coverage, Test Vectors, and SNAPSHOT artifacts to TBD Artifactory | |
build-test-deploy-snapshot-ubuntu: | |
permissions: | |
id-token: write | |
contents: read | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: true | |
# https://cashapp.github.io/hermit/usage/ci/ | |
- name: Init Hermit | |
uses: cashapp/activate-hermit@v1 | |
with: | |
cache: true | |
- name: Resolve Snapshot Version | |
id: resolve_version | |
run: | | |
# Version resolution: use provided | |
if [ -n "${{ github.event.inputs.version }}" ]; then | |
resolvedVersion=${{ github.event.inputs.version }} | |
# Otherwise, construct a version for deployment in form X.Y.Z-commit-$shortSHA-SNAPSHOT | |
else | |
longSHA=$(git rev-parse --verify HEAD) | |
shortSHA=$(echo "${longSHA:0:7}") | |
resolvedVersion="commit-$shortSHA-SNAPSHOT" | |
echo "Requesting deployment as version: $resolvedVersion" | |
fi | |
# Postcondition check; only allow this to proceed if we have a version ending in "-SNAPSHOT" | |
if [[ ! "$resolvedVersion" =~ -SNAPSHOT$ ]]; then | |
echo "Error: The version does not end with \"-SNAPSHOT\": $resolvedVersion" | |
exit 1 | |
fi | |
echo "Resolved SNAPSHOT Version: $resolvedVersion" | |
echo "resolved_version=$resolvedVersion" >> $GITHUB_OUTPUT | |
- name: Build, Test, and Deploy to Block SaaS Artifactory | |
run: | | |
set -exuo pipefail | |
# Set newly resolved version in POM config | |
mvn \ | |
versions:set \ | |
--batch-mode \ | |
-DnewVersion=${{ steps.resolve_version.outputs.resolved_version }} | |
GITHUB_ID_TOKEN="$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)" | |
export ARTIFACTORY_PASSWORD="$(curl -fH "Content-Type: application/json" "https://blockxyz.jfrog.io/access/api/v1/oidc/token" -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${GITHUB_ID_TOKEN}\", \"provider_name\": \"github-oidc\"}" | jq -r .access_token)" | |
# Maven deploy lifecycle will build, run tests, verify, sign, and deploy | |
mvn deploy --batch-mode --settings .maven_settings.xml -P sign-artifacts | |
env: | |
SIGN_KEY_PASS: ${{ secrets.GPG_SECRET_PASSPHRASE }} | |
SIGN_KEY: ${{ secrets.GPG_SECRET_KEY }} | |
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} | |
- name: Upload coverage reports to Codecov | |
uses: codecov/codecov-action@v4 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
verbose: true | |
flags: ${{ runner.os }} | |
- name: Upload JUnit tests report | |
uses: actions/upload-artifact@v3 | |
with: | |
name: tests-report-junit | |
path: | | |
**/target/surefire-reports/*.xml | |
# Ensure both MacOS and Ubuntu build/test jobs succeeded | |
confirm-successful-build-and-tests: | |
# Wait on both jobs to succeed | |
needs: [build-test-macos, build-test-deploy-snapshot-ubuntu] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Log Success | |
run: | | |
echo "Builds for MacOS and Ubuntu succeeded." |