This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/.github/workflows/ci-main.yml

300 lines
9.5 KiB
YAML
Raw Normal View History

2021-08-30 18:21:15 +00:00
name: authentik-ci-main
on:
push:
branches:
- main
- next
- version-*
2021-08-30 18:21:15 +00:00
paths-ignore:
- website
pull_request:
branches:
- main
- version-*
2021-08-30 18:21:15 +00:00
env:
POSTGRES_DB: authentik
POSTGRES_USER: authentik
POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
jobs:
lint:
strategy:
fail-fast: false
matrix:
job:
- bandit
- black
- codespell
- isort
- pending-migrations
- pylint
- pyright
- ruff
2021-08-30 18:21:15 +00:00
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup authentik env
uses: ./.github/actions/setup
- name: run job
2021-12-24 22:25:38 +00:00
run: poetry run make ci-${{ matrix.job }}
2021-08-30 18:21:15 +00:00
test-migrations:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup authentik env
uses: ./.github/actions/setup
2021-08-30 18:21:15 +00:00
- name: run migrations
2021-12-24 22:25:38 +00:00
run: poetry run python -m lifecycle.migrate
2021-08-30 18:21:15 +00:00
test-migrations-from-stable:
name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
2021-08-30 18:21:15 +00:00
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
psql:
- 12-alpine
- 15-alpine
- 16-alpine
2021-08-30 18:21:15 +00:00
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: checkout stable
run: |
# Delete all poetry envs
rm -rf /home/runner/.cache/pypoetry
# Copy current, latest config to local
cp authentik/lib/default.yml local.env.yml
cp -R .github ..
cp -R scripts ..
git checkout version/$(python -c "from authentik import __version__; print(__version__)")
rm -rf .github/ scripts/
mv ../.github ../scripts .
- name: Setup authentik env (stable)
uses: ./.github/actions/setup
with:
postgresql_version: ${{ matrix.psql }}
2021-08-30 18:21:15 +00:00
- name: run migrations to stable
2021-12-24 22:25:38 +00:00
run: poetry run python -m lifecycle.migrate
2021-08-30 18:21:15 +00:00
- name: checkout current code
run: |
set -x
outposts/proxyv2 (#1365) * outposts/proxyv2: initial commit Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add rs256 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> more stuff Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add forward auth an sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> match cookie name Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> re-add support for rs256 for backwards compat Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add error handler Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> ensure unique user-agent is used Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> set cookie duration based on id_token expiry Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> build proxy v2 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add ssl Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add basic auth and custom header support Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add application cert loading Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> implement whitelist Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add redis Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> migrate embedded outpost to v2 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> remove old proxy Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> providers/proxy: make token expiration configurable Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> add metrics Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> fix tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/proxy: only allow one redirect URI Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix docker build for proxy Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * remove default port offset Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add AUTHENTIK_HOST_BROWSER Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * tests: fix e2e/integration tests not using proper tags Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * remove references of old port Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix user_attributes not being loaded correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * cleanup dependencies Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * cleanup Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-09-08 18:04:56 +00:00
git fetch
git reset --hard HEAD
git clean -d -fx .
2021-12-24 22:25:38 +00:00
git checkout $GITHUB_SHA
# Delete previous poetry env
rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
- name: Setup authentik env (ensure latest deps are installed)
uses: ./.github/actions/setup
with:
postgresql_version: ${{ matrix.psql }}
2021-08-30 18:21:15 +00:00
- name: migrate to latest
run: |
poetry run python -m lifecycle.migrate
2021-08-30 18:21:15 +00:00
test-unittest:
name: test-unittest - PostgreSQL ${{ matrix.psql }}
2021-08-30 18:21:15 +00:00
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
psql:
- 12-alpine
core: bump django from 4.1.7 to 4.2 (#5238) * core: bump django from 4.1.7 to 4.2 (#5151) * core: bump django from 4.1.7 to 4.2 Bumps [django](https://github.com/django/django) from 4.1.7 to 4.2. - [Release notes](https://github.com/django/django/releases) - [Commits](https://github.com/django/django/compare/4.1.7...4.2) --- updated-dependencies: - dependency-name: django dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * upgrade to psycopg3, use custom engine for prometheus metrics See https://github.com/korfuri/django-prometheus/issues/350 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make scripts use pscopg3 Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start changelog Signed-off-by: Jens Langhammer <jens@goauthentik.io> * initial postgres upgrade guide Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Apply suggestions from code review Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update header Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
2023-08-01 17:30:28 +00:00
- 15-alpine
- 16-alpine
2021-08-30 18:21:15 +00:00
steps:
- uses: actions/checkout@v4
- name: Setup authentik env
uses: ./.github/actions/setup
with:
postgresql_version: ${{ matrix.psql }}
2021-08-30 18:21:15 +00:00
- name: run unittest
run: |
2021-12-24 22:25:38 +00:00
poetry run make test
poetry run coverage xml
- if: ${{ always() }}
uses: codecov/codecov-action@v3
with:
flags: unit
2021-08-30 18:21:15 +00:00
test-integration:
runs-on: ubuntu-latest
timeout-minutes: 30
2021-08-30 18:21:15 +00:00
steps:
- uses: actions/checkout@v4
- name: Setup authentik env
uses: ./.github/actions/setup
- name: Create k8s Kind Cluster
uses: helm/kind-action@v1.8.0
2021-08-30 18:21:15 +00:00
- name: run integration
run: |
poetry run coverage run manage.py test tests/integration
2021-12-24 22:25:38 +00:00
poetry run coverage xml
- if: ${{ always() }}
uses: codecov/codecov-action@v3
with:
flags: integration
2023-01-04 18:45:31 +00:00
test-e2e:
name: test-e2e (${{ matrix.job.name }})
2021-08-30 18:21:15 +00:00
runs-on: ubuntu-latest
timeout-minutes: 30
2023-01-04 18:45:31 +00:00
strategy:
fail-fast: false
matrix:
job:
- name: proxy
glob: tests/e2e/test_provider_proxy*
- name: oauth
glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
2023-01-04 18:45:31 +00:00
- name: oauth-oidc
glob: tests/e2e/test_provider_oidc*
2023-01-04 18:45:31 +00:00
- name: saml
glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
- name: ldap
glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
- name: radius
glob: tests/e2e/test_provider_radius*
2023-01-04 18:45:31 +00:00
- name: flows
glob: tests/e2e/test_flows*
2021-08-30 18:21:15 +00:00
steps:
- uses: actions/checkout@v4
- name: Setup authentik env
uses: ./.github/actions/setup
- name: Setup e2e env (chrome, etc)
2021-08-30 18:21:15 +00:00
run: |
2021-10-13 17:06:19 +00:00
docker-compose -f tests/e2e/docker-compose.yml up -d
- id: cache-web
uses: actions/cache@v3
with:
path: web/dist
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
2021-08-30 18:21:15 +00:00
- name: prepare web ui
if: steps.cache-web.outputs.cache-hit != 'true'
working-directory: web
2021-08-30 18:21:15 +00:00
run: |
npm ci
make -C .. gen-client-ts
2021-08-30 18:21:15 +00:00
npm run build
- name: run e2e
run: |
2023-01-04 18:45:31 +00:00
poetry run coverage run manage.py test ${{ matrix.job.glob }}
2021-12-24 22:25:38 +00:00
poetry run coverage xml
- if: ${{ always() }}
uses: codecov/codecov-action@v3
with:
flags: e2e
ci-core-mark:
2021-08-30 18:21:15 +00:00
needs:
- lint
2021-08-30 18:21:15 +00:00
- test-migrations
- test-migrations-from-stable
- test-unittest
- test-integration
2023-01-04 18:45:31 +00:00
- test-e2e
2021-08-30 18:21:15 +00:00
runs-on: ubuntu-latest
steps:
- run: echo mark
build:
needs: ci-core-mark
runs-on: ubuntu-latest
permissions:
# Needed to upload contianer images to ghcr.io
packages: write
timeout-minutes: 120
2021-08-30 18:21:15 +00:00
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3.0.0
2021-08-30 18:21:15 +00:00
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
2021-08-30 18:21:15 +00:00
- name: prepare variables
uses: ./.github/actions/docker-push-variables
2021-08-30 18:21:15 +00:00
id: ev
env:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- name: Login to Container Registry
uses: docker/login-action@v3
if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
2021-08-30 18:21:15 +00:00
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: generate ts client
run: make gen-client-ts
- name: Build Docker Image
uses: docker/build-push-action@v5
2021-08-30 18:21:15 +00:00
with:
context: .
secrets: |
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
2021-08-30 18:21:15 +00:00
tags: |
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.sha }}
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
2021-08-30 18:21:15 +00:00
build-args: |
GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
VERSION=${{ steps.ev.outputs.version }}
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Comment on PR
if: github.event_name == 'pull_request'
continue-on-error: true
uses: ./.github/actions/comment-pr-instructions
with:
tag: gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
build-arm64:
needs: ci-core-mark
runs-on: ubuntu-latest
permissions:
# Needed to upload contianer images to ghcr.io
packages: write
timeout-minutes: 120
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: prepare variables
uses: ./.github/actions/docker-push-variables
id: ev
env:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- name: Login to Container Registry
uses: docker/login-action@v3
if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: generate ts client
run: make gen-client-ts
- name: Build Docker Image
uses: docker/build-push-action@v5
with:
context: .
secrets: |
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
tags: |
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-arm64
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.sha }}-arm64
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}-arm64
build-args: |
GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
VERSION=${{ steps.ev.outputs.version }}
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
platforms: linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max