apiserver: fix validating OIDC JWT claims #52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: API Server CI/CD | |
on: | |
workflow_dispatch: | |
inputs: | |
deploy: | |
description: "Deploy? Set to true" | |
required: true | |
push: | |
paths: | |
- .github/workflows/apiserver.yml | |
- apiserver/** | |
jobs: | |
build: | |
runs-on: ubuntu-24.04 | |
permissions: | |
contents: read | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: "20" | |
- name: Install eclint | |
run: npm install -g eclint | |
- name: Check EditorConfig compliance | |
run: eclint check $(git ls-files) apiserver | |
- name: Check that we're using system Ruby | |
run: test "$(which ruby)" = /usr/bin/ruby | |
- uses: actions/cache@v4 | |
with: | |
path: apiserver/vendor/bundle | |
key: ${{ runner.os }}-24.04-${{ runner.arch }}-gems-${{ hashFiles('apiserver/Gemfile.lock') }} | |
- name: Install matching Bundler version | |
run: sudo gem install bundler -v $(grep -A1 "BUNDLED WITH" Gemfile.lock | tail -n1) --no-document | |
working-directory: apiserver | |
- name: Install gem bundle | |
run: bundle install | |
working-directory: apiserver | |
env: | |
BUNDLE_DEPLOYMENT: "true" | |
BUNDLE_PATH: vendor/bundle | |
BUNDLE_JOBS: 4 | |
BUNDLE_RETRY: 3 | |
BUNDLE_CLEAN: "true" | |
- name: Create tarball | |
run: > | |
tar | |
-c | |
--use-compress-program 'zstd -T0' | |
--sort name | |
--owner root:0 | |
--group root:0 | |
--mtime '2024-01-01 00:00Z' | |
--preserve-permissions | |
--pax-option exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime | |
-f apiserver-"$GITHUB_RUN_NUMBER"-$(lsb_release --id --short | tr '[:upper:]' '[:lower:]')-$(lsb_release --release --short)-$(dpkg --print-architecture).tar.zst | |
-C apiserver | |
. | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: apiserver | |
path: "*.tar.zst" | |
compression-level: 0 | |
deploy: | |
runs-on: ubuntu-24.04 | |
needs: build | |
if: github.ref == 'refs/heads/main' || github.event.inputs.deploy == 'true' | |
environment: deploy | |
permissions: | |
contents: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: apiserver | |
- name: Create tag | |
run: git tag -f apiserver-"$GITHUB_RUN_NUMBER" | |
- name: Push tag | |
run: git push origin apiserver-"$GITHUB_RUN_NUMBER" | |
- name: Create release | |
run: > | |
gh release create | |
apiserver-"$GITHUB_RUN_NUMBER" | |
apiserver-*.tar.zst | |
--title "apiserver v$GITHUB_RUN_NUMBER" | |
--notes-from-tag | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- uses: actions/github-script@v7 | |
id: get-id-token | |
with: | |
script: | | |
const fs = require('fs'); | |
const token = await core.getIDToken('backend.fullstaqruby.org'); | |
fs.writeFileSync( | |
process.env.GITHUB_OUTPUT, | |
`id_token<<EOF\n${token}\nEOF\n`, | |
{ flag: 'a' } | |
); | |
- name: Deploy | |
run: > | |
curl -fL --no-progress-meter -X POST -H "Authorization: Bearer $TOKEN" | |
https://apt.fullstaqruby.org/admin/upgrade_apiserver | |
env: | |
TOKEN: ${{ steps.get-id-token.outputs.id_token }} |