Add oauth2 Client Credentials Flow #1499

Add oauth2 Client Credentials Flow

Add oauth2 Client Credentials Flow #1499

Workflow file for this run

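---
# CI pipeline for the three FTS agents: per-agent tests across every
# authentication mode, jar build, container image build, Trivy scan, e2e run,
# publication to GHCR and (on a v* tag) a GitHub release.
#
# Supply-chain notes:
#   * every third-party action is pinned to a full commit SHA; the trailing
#     comment records the tag it was resolved from — keep both in sync when
#     bumping;
#   * GITHUB_TOKEN is read-only by default (see `permissions` below); jobs
#     request only the extra scopes they actually use.
name: Build

on:
  push:
    tags: [ "v*.*.*" ]
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  merge_group:

# Least privilege for GITHUB_TOKEN. A job-level `permissions` block replaces
# this one entirely, so those jobs re-declare `contents: read` themselves.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-24.04
    env:
      MAVEN_ARGS: -B -T1C -Dfts.retryTimeout=false
      # Visible to the whole Maven build, plugins and tests included. It is
      # read-only because of the workflow-level `permissions`.
      GITHUB_TOKEN: ${{ github.token }}
    strategy:
      max-parallel: 6
      matrix:
        agent:
          - clinical-domain-agent
          - trust-center-agent
          - research-domain-agent
        # Each value is activated as Spring profile `auth:<mode>` in Run Tests.
        auth:
          - none
          - basic
          - cert
          - oauth2
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          # No step in this job pushes with git; keep the token out of .git/config.
          persist-credentials: false
      - name: Set up JDK 21
        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4
        with:
          distribution: 'temurin'
          java-version: '21'
          cache: 'maven'
      - name: Run Tests
        run: mvn ${MAVEN_ARGS} verify --also-make --projects ${{ matrix.agent }} -Dspring.profiles.active=auth:${{ matrix.auth }}
      - name: Generate Code Coverage Report
        run: mvn ${MAVEN_ARGS} jacoco:report-aggregate@report
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5
        with:
          # NOTE(review): repository secrets are not exposed to pull requests
          # from forks, so the token is empty there and `fail_ci_if_error`
          # turns that into a failed job — confirm this is intended (push-image
          # below explicitly accounts for fork PRs).
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true

  build-jar:
    needs: [ test ]
    runs-on: ubuntu-24.04
    env:
      MAVEN_ARGS: -B -T1C -Dfts.retryTimeout=false
      GITHUB_TOKEN: ${{ github.token }}
      # Tag name (e.g. v1.2.3) on tag builds, empty otherwise; see Build Agent.
      COMMIT_TAG: ${{ github.ref_type == 'tag' && github.ref_name || '' }}
    strategy:
      matrix:
        agent:
          - clinical-domain-agent
          - trust-center-agent
          - research-domain-agent
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - name: Set up JDK 21
        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4
        with:
          distribution: 'temurin'
          java-version: '21'
          cache: 'maven'
      - name: Build Agent
        # On a tag build the Maven revision is the tag without its leading "v";
        # otherwise `${COMMIT_TAG:+...}` expands to nothing and the POM default
        # applies.
        run: mvn ${MAVEN_ARGS} -DskipTests package ${COMMIT_TAG:+-Drevision=${COMMIT_TAG#v}}
      - name: Upload Jar
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
        with:
          name: ${{ matrix.agent }}
          path: ${{ matrix.agent }}/target/${{ matrix.agent }}.jar
          if-no-files-found: error

  build-image:
    needs: [ build-jar ]
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        agent:
          - clinical-domain-agent
          - trust-center-agent
          - research-domain-agent
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      # The jar is restored to the exact path build-jar produced it, inside the
      # directory that is used as the Docker build context below.
      - name: Download Agent Jar
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: ${{ matrix.agent }}
          path: ${{ matrix.agent }}/target
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
      # The image is not pushed here; it is exported to a tar so scan-image and
      # e2e-tests can load the identical bits.
      - name: Build and Save Container Image
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
        with:
          context: ${{ matrix.agent }}
          tags: ghcr.io/${{ github.repository_owner }}/fts/${{ matrix.agent }}:local
          outputs: type=docker,dest=/tmp/${{ matrix.agent }}.tar
      - name: Upload Container Image
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
        with:
          name: ${{ matrix.agent }}-image
          path: /tmp/${{ matrix.agent }}.tar
          if-no-files-found: error

  scan-image:
    needs: [ build-image ]
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      security-events: write  # upload-sarif writes to the Security tab
      actions: read           # only needed by upload-sarif on private repositories
    strategy:
      matrix:
        agent:
          - clinical-domain-agent
          - trust-center-agent
          - research-domain-agent
    steps:
      - name: Download Container Image
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: ${{ matrix.agent }}-image
          path: /tmp
      - name: Load Container Image
        run: docker load --input /tmp/${{ matrix.agent }}.tar
      # NOTE(review): no `exit-code` is set, so CRITICAL/HIGH findings are
      # reported but never fail this job; push-image only `needs` this job, so
      # a finding does not block publication. Add `exit-code: '1'` if the scan
      # is meant to gate the push.
      - name: Run Trivy Vulnerability Scanner
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
        with:
          image-ref: ghcr.io/${{ github.repository_owner }}/fts/${{ matrix.agent }}:local
          format: sarif
          output: trivy-results.sarif
          severity: 'CRITICAL,HIGH'
          timeout: '15m0s'
        # Two sources per database so a single registry outage or rate limit
        # does not fail the scan.
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1
      - name: Upload Trivy Scan Results to GitHub Security Tab
        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3
        with:
          sarif_file: trivy-results.sarif

  e2e-tests:
    needs: [ build-image ]
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: .github/test
    env:
      # Also keys the test-data cache below, so changing it invalidates the cache.
      TEST_SET_SIZE: 100
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - name: Download Agent Images
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          pattern: '*-image'
          merge-multiple: true
          path: /tmp
      - name: Load Agent Images
        run: |
          echo -n "clinical-domain-agent trust-center-agent research-domain-agent" \
            | xargs -d' ' -I{} docker load --input /tmp/{}.tar
      - name: Pull Container Images
        run: make pull
      - name: Configure PATH
        run: echo "${GITHUB_WORKSPACE}/.github/scripts" >> ${GITHUB_PATH}
      - name: Install Blazectl
        run: install-blazectl.sh
      - name: Start Test Environment
        run: make start
      - name: Cache Test Data
        id: cache-test-data
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
        with:
          path: .github/test/test-data
          key: test-data-${{ env.TEST_SET_SIZE }}
      - name: Download Test Data
        if: steps.cache-test-data.outputs.cache-hit != 'true'
        run: make download
      - name: Upload Test Data
        run: make upload
      - name: Check Consent
        run: make check-consent
      - name: Run e2e for all Consented Patients
        run: |
          make transfer-all wait
          make check-status check-resources
      - name: Clean RD HDS and gPAS DB
        run: make clean-rd-hds-and-gpas-db
      - name: Run e2e for Selected Patients
        run: |
          make transfer-list wait
          make check-status check-resources
      # Diagnostics only on failure/cancellation so green runs stay readable.
      - name: Collect Agent Logs
        if: failure() || cancelled()
        run: docker compose logs cd-agent tc-agent rd-agent
      - name: Collect MOSAIC Logs
        if: failure() || cancelled()
        run: docker compose logs gics gpas
      - name: Collect HDS Logs
        if: failure() || cancelled()
        run: docker compose logs cd-hds rd-hds
      - name: Collect DB Logs
        if: failure() || cancelled()
        run: docker compose logs gics-db gpas-db keystore

  push-image:
    # Skip pull requests from forks: they run with a read-only token, so a
    # push to GHCR could not succeed anyway.
    if: github.event_name != 'pull_request' || (github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name)
    needs:
      - scan-image
      - e2e-tests
    runs-on: ubuntu-24.04
    permissions:
      contents: read   # checkout
      packages: write  # push to GHCR
    strategy:
      matrix:
        agent:
          - clinical-domain-agent
          - trust-center-agent
          - research-domain-agent
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      # The jar is needed because the image is rebuilt from the agent directory
      # below (same context as build-image).
      - name: Download Agent Jar
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: ${{ matrix.agent }}
          path: ${{ matrix.agent }}/target
      # NOTE(review): the image pushed below is a fresh multi-arch build, not
      # the scanned `:local` tar, so Trivy covered a sibling build of the same
      # jar rather than the published digest. The tar loaded here does not
      # appear to feed the buildx build (setup-buildx uses a container
      # builder) — confirm whether these two steps are still needed.
      - name: Download Container Image
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: ${{ matrix.agent }}-image
          path: /tmp
      - name: Load Container Image
        run: docker load --input /tmp/${{ matrix.agent }}.tar
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
      - name: Login to GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate Container Image Metadata
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
        with:
          images: |
            ghcr.io/${{ github.repository_owner }}/fts/${{ matrix.agent }}
          # `latest` only moves on the default branch; tags get both the full
          # version and a floating major.minor tag.
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest,enable={{is_default_branch}}
      - name: Build and Push Container Image
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
        with:
          context: ${{ matrix.agent }}
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  create-release:
    needs: push-image
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: .github/release
    permissions:
      contents: write  # create the release and upload its assets
      actions: write   # `gh workflow run Pages`
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - name: Create Release Archives
        env:
          COMMIT_TAG: ${{ github.ref_type == 'tag' && github.ref_name || 'latest' }}
        run: make cd-agent tc-agent rd-agent
      # `path` is relative to the workspace, not to `working-directory`.
      - name: Upload Archives
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
        with:
          path: |
            .github/release/cd-agent.tar.gz
            .github/release/tc-agent.tar.gz
            .github/release/rd-agent.tar.gz
          if-no-files-found: error
      - name: Recognize Prerelease
        # In SemVer 2.0 a prerelease version always contains a hyphen
        # (e.g. v1.2.0-rc1). The result is only consumed by the Release step,
        # which runs for tags only, so branch names are irrelevant here.
        # Uses its own variable name instead of shadowing the reserved GITHUB_REF.
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [[ "${REF_NAME}" == *-* ]]; then
            echo "is_prerelease=true" >>"${GITHUB_ENV}"
          else
            echo "is_prerelease=false" >>"${GITHUB_ENV}"
          fi
      - name: Release
        if: github.ref_type == 'tag'
        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2
        with:
          files: |
            .github/release/cd-agent.tar.gz
            .github/release/tc-agent.tar.gz
            .github/release/rd-agent.tar.gz
          draft: false
          prerelease: ${{ env.is_prerelease }}
          generate_release_notes: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Trigger Pages Build
        if: github.ref_type == 'tag'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh workflow run Pages --ref main --repo ${{ github.repository }}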