artifactory oidc

.github/workflows/ci.yml → .github/workflows/build.yml

@@ -1,4 +1,4 @@
-# Runs on every commit to main. This is the main CI job; it runs in MacOS and Ubuntu environments which:
+# Runs on every commit. This is the main CI job; it runs in MacOS and Ubuntu environments which:
 # * Build
 # * Run tests
 #
@@ -9,7 +9,7 @@
 # If triggered from workflow_dispatch, you may select a branch or tag to
 # deploy as an internal "release" (or SNAPSHOT, depending upon the version in the POM)
 # to Block's SaaS Artifactory instance by not specifying a version.
-name: CI
+name: Build, Test & Deploy Snapshot
 
 on:
   workflow_dispatch:
@@ -47,6 +47,9 @@ jobs:
 
   # On Ubuntu we build, test, verify, and deploy: Code Coverage, Test Vectors, and SNAPSHOT artifacts to Block Artifactory
   build-test-deploy-snapshot-ubuntu:
+    permissions:
+      id-token: write
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -84,24 +87,23 @@ jobs:
 
       - name: Build, Test, and Deploy to Block SaaS Artifactory
         run: |
+          set -exuo pipefail
+
           # Set newly resolved version in POM config
           mvn \
             versions:set \
             --batch-mode \
             -DnewVersion=${{ steps.resolve_version.outputs.resolved_version }}
 
-          # Only attempt to publish artifact if we have credentials
-          if [ -n "${{ secrets.ARTIFACTORY_PASSWORD }}" ]; then
-            # Maven deploy lifecycle will build, run tests, verify, sign, and deploy
-            mvn deploy --batch-mode --settings .maven_settings.xml -P sign-artifacts
-          else
-            # Otherwise, Maven verify lifecycle will build, run tests, and verify
-            mvn verify --batch-mode
-          fi
+          set +x
+          GITHUB_ID_TOKEN="$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)"
+          export ARTIFACTORY_PASSWORD="$(curl -fsH "Content-Type: application/json" "https://blockxyz.jfrog.io/access/api/v1/oidc/token" -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${GITHUB_ID_TOKEN}\", \"provider_name\": \"github\"}" | jq -r .access_token)"
+          export ARTIFACTORY_USERNAME="github/${GITHUB_ACTOR}"
+          set -x
 
+          # Maven deploy lifecycle will build, run tests, verify, sign, and deploy
+          mvn deploy --batch-mode --settings .maven_settings.xml -P sign-artifacts
         env:
-          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
-          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
           SIGN_KEY_PASS: ${{ secrets.GPG_SECRET_PASSPHRASE }}
           SIGN_KEY: ${{ secrets.GPG_SECRET_KEY }}
 

.maven_settings.xml

@@ -1,5 +1,15 @@
 <settings>
   <servers>
+    <server>
+      <id>block-oss-releases</id>
+      <username>${env.ARTIFACTORY_USERNAME}</username>
+      <password>${env.ARTIFACTORY_PASSWORD}</password>
+    </server>
+    <server>
+      <id>block-oss-snapshots</id>
+      <username>${env.ARTIFACTORY_USERNAME}</username>
+      <password>${env.ARTIFACTORY_PASSWORD}</password>
+    </server>
     <server>
       <id>block-oss-releases</id>
       <username>${env.ARTIFACTORY_USERNAME}</username>