Skip to content

apiserver: fix validating OIDC JWT claims #52

apiserver: fix validating OIDC JWT claims

apiserver: fix validating OIDC JWT claims #52

Workflow file for this run

name: API Server CI/CD
on:
workflow_dispatch:
inputs:
deploy:
description: "Deploy? Set to true"
required: true
push:
paths:
- .github/workflows/apiserver.yml
- apiserver/**
jobs:
build:
runs-on: ubuntu-24.04
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
- name: Install eclint
run: npm install -g eclint
- name: Check EditorConfig compliance
run: eclint check $(git ls-files) apiserver
- name: Check that we're using system Ruby
run: test "$(which ruby)" = /usr/bin/ruby
- uses: actions/cache@v4
with:
path: apiserver/vendor/bundle
key: ${{ runner.os }}-24.04-${{ runner.arch }}-gems-${{ hashFiles('apiserver/Gemfile.lock') }}
- name: Install matching Bundler version
run: sudo gem install bundler -v $(grep -A1 "BUNDLED WITH" Gemfile.lock | tail -n1) --no-document
working-directory: apiserver
- name: Install gem bundle
run: bundle install
working-directory: apiserver
env:
BUNDLE_DEPLOYMENT: "true"
BUNDLE_PATH: vendor/bundle
BUNDLE_JOBS: 4
BUNDLE_RETRY: 3
BUNDLE_CLEAN: "true"
- name: Create tarball
run: >
tar
-c
--use-compress-program 'zstd -T0'
--sort name
--owner root:0
--group root:0
--mtime '2024-01-01 00:00Z'
--preserve-permissions
--pax-option exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime
-f apiserver-"$GITHUB_RUN_NUMBER"-$(lsb_release --id --short | tr '[:upper:]' '[:lower:]')-$(lsb_release --release --short)-$(dpkg --print-architecture).tar.zst
-C apiserver
.
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: apiserver
path: "*.tar.zst"
compression-level: 0
deploy:
runs-on: ubuntu-24.04
needs: build
if: github.ref == 'refs/heads/main' || github.event.inputs.deploy == 'true'
environment: deploy
permissions:
contents: write
id-token: write
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: apiserver
- name: Create tag
run: git tag -f apiserver-"$GITHUB_RUN_NUMBER"
- name: Push tag
run: git push origin apiserver-"$GITHUB_RUN_NUMBER"
- name: Create release
run: >
gh release create
apiserver-"$GITHUB_RUN_NUMBER"
apiserver-*.tar.zst
--title "apiserver v$GITHUB_RUN_NUMBER"
--notes-from-tag
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/github-script@v7
id: get-id-token
with:
script: |
const fs = require('fs');
const token = await core.getIDToken('backend.fullstaqruby.org');
fs.writeFileSync(
process.env.GITHUB_OUTPUT,
`id_token<<EOF\n${token}\nEOF\n`,
{ flag: 'a' }
);
- name: Deploy
run: >
curl -fL --no-progress-meter -X POST -H "Authorization: Bearer $TOKEN"
https://apt.fullstaqruby.org/admin/upgrade_apiserver
env:
TOKEN: ${{ steps.get-id-token.outputs.id_token }}