From d71514fd7a2c6808494d8c30e181cab1b2a8d3f0 Mon Sep 17 00:00:00 2001
From: finn
Date: Thu, 14 Nov 2024 14:49:53 -0800
Subject: [PATCH] authenticate to artifactory with OIDC

---
 .github/workflows/{ci.yml => build.yml} | 26 +++++++++++++------------
 .maven_settings.xml | 10 ++++++++++
 2 files changed, 24 insertions(+), 12 deletions(-)
 rename .github/workflows/{ci.yml => build.yml} (78%)

diff --git a/.github/workflows/ci.yml b/.github/workflows/build.yml
similarity index 78%
rename from .github/workflows/ci.yml
rename to .github/workflows/build.yml
index 55e0c7f..ac72ac0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-# Runs on every commit to main. This is the main CI job; it runs in MacOS and Ubuntu environments which:
+# Runs on every commit. This is the main CI job; it runs in MacOS and Ubuntu environments which:
 # * Build
 # * Run tests
 #
@@ -9,7 +9,7 @@
 # If triggered from workflow_dispatch, you may select a branch or tag to
 # deploy as an internal "release" (or SNAPSHOT, depending upon the version in the POM)
 # to Block's SaaS Artifactory instance by not specifying a version.
-name: CI
+name: Build, Test & Deploy Snapshot
 on:
 workflow_dispatch:
@@ -47,6 +47,9 @@ jobs:
 # On Ubuntu we build, test, verify, and deploy: Code Coverage, Test Vectors, and SNAPSHOT artifacts to Block Artifactory
 build-test-deploy-snapshot-ubuntu:
+ permissions:
+ id-token: write
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
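Review bot: The new job-level `permissions` block is undocumented; a short comment above it would tell the next reader why a build job needs an OIDC scope: `# id-token: write lets the deploy step mint a GitHub OIDC token to exchange for Artifactory credentials; contents: read is all checkout needs`. Listing any scope at job level drops every unlisted scope to none, which is the intended least-privilege result here but can surprise whoever later adds a step that needs, say, `pull-requests` or `packages`. Whether an ID token is actually issued depends on the triggering event (the `on:` block is outside this hunk); if pull requests from forks reach this job, the token request in the deploy step will fail, and the build-only fallback that used to cover the no-credentials case is removed in the later hunk of this file.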
@@ -84,24 +87,23 @@ jobs: - name: Build, Test, and Deploy to Block SaaS Artifactory run: | + set -exuo pipefail + # Set newly resolved version in POM config mvn \ versions:set \ --batch-mode \ -DnewVersion=${{ steps.resolve_version.outputs.resolved_version }} - # Only attempt to publish artifact if we have credentials - if [ -n "${{ secrets.ARTIFACTORY_PASSWORD }}" ]; then - # Maven deploy lifecycle will build, run tests, verify, sign, and deploy - mvn deploy --batch-mode --settings .maven_settings.xml -P sign-artifacts - else - # Otherwise, Maven verify lifecycle will build, run tests, and verify - mvn verify --batch-mode - fi + set +x + GITHUB_ID_TOKEN="$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)" + export ARTIFACTORY_PASSWORD="$(curl -fsH "Content-Type: application/json" "https://blockxyz.jfrog.io/access/api/v1/oidc/token" -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${GITHUB_ID_TOKEN}\", \"provider_name\": \"github\"}" | jq -r .access_token)" + export ARTIFACTORY_USERNAME="github/${GITHUB_ACTOR}" + set -x + # Maven deploy lifecycle will build, run tests, verify, sign, and deploy + mvn deploy --batch-mode --settings .maven_settings.xml -P sign-artifacts env: - ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }} - ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} SIGN_KEY_PASS: ${{ secrets.GPG_SECRET_PASSPHRASE }} SIGN_KEY: ${{ secrets.GPG_SECRET_KEY }} diff --git a/.maven_settings.xml b/.maven_settings.xml index 3abc493..b15e703 100644 --- a/.maven_settings.xml +++ b/.maven_settings.xml 
@@ -1,5 +1,15 @@ + + block-oss-releases + ${env.ARTIFACTORY_USERNAME} + ${env.ARTIFACTORY_PASSWORD} + + + block-oss-snapshots + ${env.ARTIFACTORY_USERNAME} + ${env.ARTIFACTORY_PASSWORD} + block-oss-releases ${env.ARTIFACTORY_USERNAME}