ci(test): replace the service principal with federated managed identity to access AKV #482
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# Github workflow for Notation Azure Key Vault plugin | |
name: test | |
on: | |
push: | |
branches: | |
- main | |
- release-* | |
pull_request: | |
branches: | |
- main | |
- release-* | |
permissions: | |
id-token: write # Require write permission to Fetch an OIDC token. | |
contents: read | |
jobs: | |
lint: | |
name: Lint Code Base | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: read | |
statuses: write | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Lint Code Base | |
uses: super-linter/super-linter@v7 | |
env: | |
VALIDATE_ALL_CODEBASE: false | |
DEFAULT_BRANCH: main | |
DEFAULT_WORKSPACE: ./Notation.Plugin.AzureKeyVault | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
FILTER_REGEX_EXCLUDE: '.*Tests/.*|.*.yml|.*/scripts/generate-certs.sh|.*.py' | |
VALIDATE_CHECKOV: false | |
VALIDATE_MARKDOWN: false | |
VALIDATE_JSCPD: false | |
VALIDATE_SHELL_SHFMT: false | |
test: | |
name: Unit Testing and Build | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
permissions: | |
contents: read | |
steps: | |
- name: Setup .NET | |
uses: actions/setup-dotnet@v4 | |
with: | |
dotnet-version: '8.0.x' | |
- name: Check out code into the project directory | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Run unit tests | |
run: make test | |
- name: Upload coverage reports to Codecov | |
uses: codecov/codecov-action@v4 | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
- name: Build Linux Binary | |
run: | | |
# the binary will be used in E2E test | |
python3 ./scripts/build.py v0.0.1 linux-x64 --enable-aot | |
- name: Upload Linux artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: linux-amd64-binary | |
path: ./bin/artifacts/notation-azure-kv_0.0.1_linux_amd64.tar.gz | |
retention-days: 1 | |
- name: Build macOS Binary | |
run: | | |
# the binary will be used in E2E test | |
python3 ./scripts/build.py v0.0.1 osx-x64 | |
- name: Upload macOS artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: darwin-amd64-binary | |
path: ./bin/artifacts/notation-azure-kv_0.0.1_darwin_amd64.tar.gz | |
retention-days: 1 | |
e2e-mariner-container: | |
name: E2E testing for Mariner container | |
runs-on: ubuntu-latest | |
environment: E2E | |
needs: test | |
steps: | |
- name: Check out code into the project directory | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: linux-amd64-binary | |
path: ./bin/artifacts | |
- name: Prepare container registry | |
run: | | |
docker run --name registry --rm -d -p 5000:5000 registry:2 | |
docker pull hello-world:latest | |
docker tag hello-world:latest localhost:5000/hello-world:v1 | |
docker push localhost:5000/hello-world:v1 | |
- name: Build notation-akv:v1 image | |
run: docker build -t notation-akv:v1 -f ./test/e2e/containerized/Dockerfile.mariner . | |
- name: Install OIDC Client from Core Package | |
run: npm install @actions/[email protected] @actions/http-client | |
- name: Write Id Token | |
uses: actions/github-script@v6 | |
id: idtoken | |
with: | |
script: | | |
try { | |
const core = require('@actions/core') | |
let id_token = await core.getIDToken('api://AzureADTokenExchange') | |
fs.writeFileSync("./federated_token", id_token); | |
console.log(`Federated Token written to ./federated_token`); | |
} catch (error) { | |
core.setFailed(`Action failed with error: ${error.message}`); | |
} | |
- name: Run e2e | |
run: bash ./test/e2e/containerized/test.sh | |
env: | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_FEDERATED_TOKEN_FILE: ./federated_token | |
e2e-linux: | |
name: E2E testing on Linux | |
runs-on: ubuntu-latest | |
environment: E2E | |
needs: test | |
steps: | |
- name: Check out code into the project directory | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: linux-amd64-binary | |
path: ./bin/artifacts | |
- name: Run download server locally | |
run: | | |
nohup python3 -m http.server --directory ./bin/artifacts/ & | |
# prepare the environment variables for E2E | |
artifactName=notation-azure-kv_0.0.1_linux_amd64.tar.gz | |
checksum=$(shasum -a 256 "./bin/artifacts/$artifactName" | awk '{print $1}') | |
echo "pluginChecksum=$checksum" >> "$GITHUB_ENV" | |
echo "pluginDownloadURL=http://localhost:8000/$artifactName" >> "$GITHUB_ENV" | |
- name: Prepare container registry | |
run: | | |
docker run --name registry --rm -d -p 5000:5000 registry:2 | |
docker pull hello-world:latest | |
docker tag hello-world:latest localhost:5000/hello-world:v1 | |
docker push localhost:5000/hello-world:v1 | |
- name: Azure login | |
uses: azure/login@v2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: E2E testing | |
uses: ./test/e2e | |
with: | |
pluginDownloadURL: ${{ env.pluginDownloadURL }} | |
pluginChecksum: ${{ env.pluginChecksum }} | |
e2e-windows: | |
name: E2E testing on Windows | |
runs-on: windows-latest | |
environment: E2E | |
needs: test | |
steps: | |
- name: Check out code into the project directory | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Setup .NET | |
uses: actions/setup-dotnet@v4 | |
with: | |
dotnet-version: '8.0.x' | |
- name: Build Windows Binary | |
run: python3 ./scripts/build.py v0.0.1 win-x64 --enable-aot | |
- name: Run download server locally | |
run: | | |
# wsl bash | |
bash -c 'nohup python3 -m http.server --directory ./bin/artifacts/ &' | |
# Prepare the environment variables for E2E | |
$artifactName = "notation-azure-kv_0.0.1_windows_amd64.zip" | |
$checksum = (Get-FileHash ".\bin\artifacts\$artifactName" -Algorithm SHA256).Hash | |
"pluginChecksum=$checksum" | Out-File -Append -FilePath $Env:GITHUB_ENV | |
"pluginDownloadURL=http://localhost:8000/$artifactName" | Out-File -Append -FilePath $Env:GITHUB_ENV | |
shell: pwsh | |
- name: Prepare container registry | |
run: | | |
docker run --name registry --rm -d -p 5000:5000 junjiegaomsft/registry:v2.8.2-ltsc2022 | |
docker pull hello-world:latest | |
docker tag hello-world:latest localhost:5000/hello-world:v1 | |
docker push localhost:5000/hello-world:v1 | |
shell: pwsh | |
- name: Azure login | |
uses: azure/login@v2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: E2E testing | |
uses: ./test/e2e | |
with: | |
pluginDownloadURL: ${{ env.pluginDownloadURL }} | |
pluginChecksum: ${{ env.pluginChecksum }} | |
e2e-macos: | |
name: E2E testing on macOS | |
runs-on: macos-13 | |
environment: E2E | |
needs: test | |
steps: | |
- name: Check out code into the project directory | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: darwin-amd64-binary | |
path: ./bin/artifacts | |
- name: Run download server locally | |
run: | | |
nohup python3 -m http.server --directory ./bin/artifacts/ & | |
# prepare the environment variables for E2E | |
artifactName=notation-azure-kv_0.0.1_darwin_amd64.tar.gz | |
checksum=$(shasum -a 256 "./bin/artifacts/$artifactName" | awk '{print $1}') | |
echo "pluginChecksum=$checksum" >> "$GITHUB_ENV" | |
echo "pluginDownloadURL=http://localhost:8000/$artifactName" >> "$GITHUB_ENV" | |
- name: Prepare container registry | |
run: | | |
# start zot registry | |
wget -O zot https://github.com/project-zot/zot/releases/download/v2.0.0-rc7/zot-darwin-amd64-minimal | |
chmod +x zot | |
nohup ./zot serve ./test/e2e/zot/config.json & | |
# install oras | |
wget -O oras.tar.gz https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_darwin_amd64.tar.gz | |
tar -zxf oras.tar.gz | |
./oras push localhost:5000/hello-world:v1 --artifact-type application/octet-stream ./LICENSE | |
- name: Azure login | |
uses: azure/login@v2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: E2E testing | |
uses: ./test/e2e | |
with: | |
pluginDownloadURL: ${{ env.pluginDownloadURL }} | |
pluginChecksum: ${{ env.pluginChecksum }} |