feat(authz): ensure logging parity between authz v2 and v1 #10680
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Checks" | |
| env: | |
| IS_RELEASE_BRANCH: ${{ startsWith(github.head_ref, 'release-please-') }} | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| push: | |
| branches: | |
| - main | |
| merge_group: | |
| branches: | |
| - main | |
| types: | |
| - checks_requested | |
| workflow_call: | |
| permissions: {} | |
| jobs: | |
| go: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| checks: write | |
| contents: read | |
| pull-requests: read | |
| strategy: | |
| matrix: | |
| directory: | |
| - examples | |
| - sdk | |
| - service | |
| - lib/ocrypto | |
| - lib/fixtures | |
| - lib/flattening | |
| - lib/identifier | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version-file: ${{ matrix.directory }}/go.mod | |
| check-latest: false | |
| cache-dependency-path: | | |
| examples/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| service/go.sum | |
| - if: env.IS_RELEASE_BRANCH == 'true' | |
| name: prevent depending on unreleased upstream changes | |
| run: ./.github/scripts/work-init.sh | |
| - if: github.head_ref == format('release-please--branches--main--components--{0}', matrix.directory) | |
| name: prevent tagging with replace directives | |
| run: go mod edit --json | jq -e '.Replace | not' | |
| working-directory: ${{ matrix.directory }} | |
| - run: go mod download | |
| working-directory: ${{ matrix.directory }} | |
| - run: go mod verify | |
| working-directory: ${{ matrix.directory }} | |
| - run: go work use . | |
| if: env.IS_RELEASE_BRANCH == 'true' | |
| working-directory: ${{ matrix.directory }} | |
| - name: govluncheck | |
| uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 | |
| with: | |
| go-version-input: "1.24.4" | |
| work-dir: ${{ matrix.directory }} | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 | |
| with: | |
| version: v2.1 | |
| working-directory: ${{ matrix.directory }} | |
| skip-cache: true | |
| - if: matrix.directory == 'service' | |
| run: .github/scripts/init-temp-keys.sh | |
| - run: go test ./... -short | |
| working-directory: ${{ matrix.directory }} | |
| - if: matrix.directory == 'service' | |
| run: go test ./service/integration -race -failfast | |
| - name: check go fmt and go mod tidy | |
| run: |- | |
| go mod tidy | |
| go fmt ./... | |
| git restore go.sum | |
| working-directory: ${{ matrix.directory }} | |
| - run: git diff | |
| - run: git diff-files --ignore-submodules | |
| - name: Check that files have been formatted before PR submission; see above for error details | |
| run: git diff-files --quiet --ignore-submodules | |
| if: env.IS_RELEASE_BRANCH == 'false' | |
| integration: | |
| permissions: | |
| contents: read | |
| name: integration tests | |
| runs-on: ubuntu-22.04 | |
| env: | |
| TLS_ENABLED: "true" | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version-file: "service/go.mod" | |
| check-latest: false | |
| cache-dependency-path: | | |
| service/go.sum | |
| examples/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| - if: env.IS_RELEASE_BRANCH == 'true' | |
| run: ./.github/scripts/work-init.sh | |
| - run: go mod download | |
| - run: go mod verify | |
| - name: Install mkcert | |
| run: | | |
| sudo apt-get install -y libnss3-tools | |
| curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64" | |
| chmod +x mkcert-v*-linux-amd64 | |
| sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert | |
| - run: | | |
| .github/scripts/init-temp-keys.sh | |
| mkcert -install | |
| mkcert -cert-file ./keys/platform.crt -key-file ./keys/platform-key.pem localhost | |
| cp opentdf-dev.yaml opentdf.yaml | |
| yq eval '.server.tls.enabled = true' -i opentdf.yaml | |
| - name: Added Trusted Certs | |
| run: | | |
| sudo chmod -R 777 ./keys | |
| sudo apt-get install -y ca-certificates | |
| sudo cp ./keys/localhost.crt /usr/local/share/ca-certificates | |
| sudo update-ca-certificates | |
| - run: docker compose up -d --wait --wait-timeout 240 || (docker compose logs && exit 1) | |
| - run: go run ./service provision keycloak | |
| - run: go run ./service provision fixtures | |
| - uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 # v1.0.7 | |
| name: start server in background | |
| with: | |
| run: > | |
| go build -o opentdf -v service/main.go | |
| && .github/scripts/watch.sh opentdf.yaml ./opentdf start | |
| wait-on: | | |
| tcp:localhost:8080 | |
| log-output-if: true | |
| wait-for: 90s | |
| - run: go install github.com/fullstorydev/grpcurl/cmd/[email protected] | |
| - name: Setup Bats and bats libs | |
| uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1 | |
| - run: test/service-start.bats | |
| - run: test/tdf-roundtrips.bats | |
| - run: test/policy-service.bats | |
| - name: verify bultin casbin policy | |
| run: test/builtin-casbin.bats | |
| - name: create roundtrip test data and run tests | |
| run: go test ./service/rttests -v | |
| - name: enable static entitlements rego policy | |
| run: yq eval '.services.authorization.rego.path = "./test/rego/static-entitlements.rego"' -i opentdf.yaml | |
| - run: sleep 30 | |
| - name: validate static rego policy | |
| run: test/rego/static-entitlements.bats | |
| - name: enable custom entity rego policy | |
| run: yq eval '.services.authorization.rego.path = "./test/rego/custom-entity.rego"' -i opentdf.yaml | |
| - run: sleep 30 | |
| - name: validate custom entity rego policy | |
| run: test/rego/custom-entity.bats | |
| benchmark: | |
| permissions: | |
| contents: read | |
| name: benchmark tests | |
| outputs: | |
| markdown: ${{ steps.save-benchmark.outputs.BENCHMARK_MARKDOWN }} | |
| runs-on: ubuntu-22.04 | |
| env: | |
| TLS_ENABLED: "true" | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version-file: "service/go.mod" | |
| check-latest: false | |
| cache-dependency-path: | | |
| service/go.sum | |
| examples/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| - if: env.IS_RELEASE_BRANCH == 'true' | |
| run: ./.github/scripts/work-init.sh | |
| - run: go mod download | |
| - run: go mod verify | |
| - name: Install mkcert | |
| run: | | |
| sudo apt-get install -y libnss3-tools | |
| curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64" | |
| chmod +x mkcert-v*-linux-amd64 | |
| sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert | |
| - run: | | |
| .github/scripts/init-temp-keys.sh | |
| mkcert -install | |
| mkcert -cert-file ./keys/platform.crt -key-file ./keys/platform-key.pem localhost | |
| cp opentdf-dev.yaml opentdf.yaml | |
| yq eval '.server.tls.enabled = true' -i opentdf.yaml | |
| yq eval '.trace = {"enabled":true}' -i opentdf.yaml | |
| - name: Added Trusted Certs | |
| run: | | |
| sudo chmod -R 777 ./keys | |
| sudo apt-get install -y ca-certificates | |
| sudo cp ./keys/localhost.crt /usr/local/share/ca-certificates | |
| sudo update-ca-certificates | |
| - run: docker compose up -d --wait --wait-timeout 240 || (docker compose logs && exit 1) | |
| - run: go run ./service provision keycloak | |
| - run: go run ./service provision fixtures | |
| - uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 # v1.0.7 | |
| name: start server in background | |
| with: | |
| run: > | |
| go build -o opentdf -v service/main.go | |
| && .github/scripts/watch.sh opentdf.yaml ./opentdf start | |
| wait-on: | | |
| tcp:localhost:8080 | |
| log-output-if: true | |
| wait-for: 90s | |
| - name: build examples | |
| run: cd examples && go build -o examples . | |
| - name: run bulk rewrap benchmark tests | |
| run: | | |
| OUTPUT=$(./examples/examples benchmark-bulk --tdf tdf3 --count 100) | |
| echo "$OUTPUT" | |
| echo "$OUTPUT" >> "$GITHUB_STEP_SUMMARY" | |
| { | |
| echo "BENCHMARK_BULK_OUTPUT<<EOO"; | |
| echo "$OUTPUT"; | |
| echo "EOO" | |
| } >> "$GITHUB_ENV" | |
| - name: run decision benchmark tests | |
| run: | | |
| # Run the benchmark with a specific count (adjust as needed) | |
| OUTPUT=$(./examples/examples benchmark-decision --count 5000) | |
| echo "--- Decision Benchmark Output ---" | |
| echo "$OUTPUT" | |
| echo "$OUTPUT" >> "$GITHUB_STEP_SUMMARY" # Add to job summary page | |
| # Save the output to an environment variable for the comment step | |
| { | |
| echo "BENCHMARK_DECISION_OUTPUT<<EODECISION"; # Unique delimiter | |
| echo "$OUTPUT"; | |
| echo "EODECISION" | |
| } >> "$GITHUB_ENV" | |
| - name: run decision v2 benchmark tests | |
| run: | | |
| # Run the benchmark with a specific count (adjust as needed) | |
| OUTPUT=$(./examples/examples benchmark-decision-v2 --count 5000) | |
| echo "--- Decision Benchmark v2 Output ---" | |
| echo "$OUTPUT" | |
| echo "$OUTPUT" >> "$GITHUB_STEP_SUMMARY" # Add to job summary page | |
| # Save the output to an environment variable for the comment step | |
| { | |
| echo "BENCHMARK_DECISION_V2_OUTPUT<<EODECISIONV2"; # Unique delimiter | |
| echo "$OUTPUT"; | |
| echo "EODECISIONV2" | |
| } >> "$GITHUB_ENV" | |
| - name: run tdf3 benchmark tests | |
| run: | | |
| OUTPUT=$(./examples/examples benchmark --count=5000 --concurrent=50) | |
| echo "$OUTPUT" | |
| echo "$OUTPUT" >> "$GITHUB_STEP_SUMMARY" | |
| { | |
| echo "BENCHMARK_TDF3_OUTPUT<<EOO"; | |
| echo "$OUTPUT"; | |
| echo "EOO" | |
| } >> "$GITHUB_ENV" | |
| - name: run nanotdf benchmark tests | |
| run: | | |
| OUTPUT=$(./examples/examples benchmark --storeCollectionHeaders=false --tdf=nanotdf --count=5000 --concurrent=50) | |
| echo "$OUTPUT" | |
| echo "$OUTPUT" >> "$GITHUB_STEP_SUMMARY" | |
| { | |
| echo "BENCHMARK_NANO_OUTPUT<<EOO"; | |
| echo "$OUTPUT" | |
| echo "EOO" | |
| } >> "$GITHUB_ENV" | |
| - name: collect the metrics from the benchmark tests | |
| run: | | |
| OUTPUT=$(./examples/examples metrics) | |
| echo "$OUTPUT" | |
| echo "$OUTPUT" >> "$GITHUB_STEP_SUMMARY" | |
| { | |
| echo "BENCHMARK_METRICS_OUTPUT<<EOO"; | |
| echo "$OUTPUT"; | |
| echo "EOO" | |
| } >> "$GITHUB_ENV" | |
| - name: save benchmark results as an output variable | |
| id: save-benchmark | |
| run: | | |
| # helper functions | |
| h2() { | |
| if [ -z "$1" ]; then | |
| echo "## ${2} Skipped or Failed" | |
| else | |
| echo "$1" | |
| fi | |
| } | |
| { | |
| echo "BENCHMARK_MARKDOWN<<EOO" | |
| h2 "${BENCHMARK_DECISION_OUTPUT}" "Decision Benchmark" | |
| h2 "${BENCHMARK_DECISION_V2_OUTPUT}" "Decision Benchmark v2" | |
| h2 "${BENCHMARK_METRICS_OUTPUT}" "Standard Benchmark Metrics" | |
| h2 "${BENCHMARK_BULK_OUTPUT}" "Bulk Benchmark" | |
| h2 "${BENCHMARK_TDF3_OUTPUT}" "TDF3 Benchmark" | |
| h2 "${BENCHMARK_NANO_OUTPUT}" "Nano Benchmark" | |
| echo EOO | |
| } >>"$GITHUB_OUTPUT" | |
| - name: save benchmark results as a step summary | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const metricsOutput = process.env.BENCHMARK_METRICS_OUTPUT || '## Standard Benchmark Skipped or Failed'; | |
| const bulkOutput = process.env.BENCHMARK_BULK_OUTPUT || '## Bulk Benchmark Skipped or Failed'; | |
| const summaryContent = `${metricsOutput}\n\n${bulkOutput}`; | |
| fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, summaryContent + '\n'); | |
| comment-benchmark: | |
| if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| name: benchmark tests | |
| needs: benchmark | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2 | |
| with: | |
| persist-credentials: false | |
| - name: save benchmark results as a comment | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| const decisionOutput = process.env.BENCHMARK_MARKDOWN; | |
| const body = `<details><summary>Benchmark results, click to expand</summary>\n\n${decisionOutput}</details>`; | |
| github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body, | |
| }); | |
| env: | |
| BENCHMARK_MARKDOWN: ${{ needs.benchmark.outputs.markdown }} | |
| image: | |
| permissions: | |
| contents: read | |
| name: image build | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2 | |
| with: | |
| persist-credentials: false | |
| - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 | |
| with: | |
| cache-binary: false | |
| - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: false | |
| platform-xtest: | |
| permissions: | |
| contents: read | |
| packages: read | |
| uses: opentdf/tests/.github/workflows/xtest.yml@main | |
| with: | |
| focus-sdk: go | |
| # use commit instead of ref so we can "go get" specific sdk version | |
| platform-ref: ${{ github.event.pull_request.head.sha || github.sha }} lts | |
| # test latest otdfctl CLI 'main' against platform PR branch | |
| otdfctl-test: | |
| permissions: | |
| contents: read | |
| name: otdfctl e2e tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: opentdf/platform/test/start-up-with-containers@main | |
| with: | |
| platform-ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| - uses: opentdf/otdfctl/e2e@main | |
| with: | |
| otdfctl-ref: "main" | |
| buflint: | |
| permissions: | |
| contents: read | |
| name: Protocol Buffer Lint and Gencode Up-to-date check | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2 | |
| with: | |
| persist-credentials: false | |
| - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0 | |
| with: | |
| github_token: ${{ github.token }} | |
| - uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1.1.1 | |
| with: | |
| input: service | |
| - uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba # v1.1.4 | |
| with: | |
| input: service | |
| against: "https://github.com/opentdf/platform.git#branch=main,subdir=service" | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version-file: "service/go.mod" | |
| check-latest: false | |
| cache-dependency-path: | | |
| service/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| examples/go.sum | |
| - run: cd service && go get github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc | |
| - run: cd service && go install github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc | |
| - run: cd service && go install github.com/sudorandom/protoc-gen-connect-openapi@latest | |
| - run: make proto-generate | |
| - name: generate connect wrappers | |
| run: make connect-wrapper-generate | |
| # Ensure all generated files are staged before checking for diffs | |
| - run: git add docs/openapi/* docs/grpc/* || true | |
| - name: Restore go.mod after installing protoc-gen-doc | |
| run: git restore {service,protocol/go}/go.{mod,sum} | |
| - name: validate go mod tidy | |
| run: |- | |
| cd protocol/go | |
| go mod tidy | |
| git restore go.sum | |
| - run: git diff | |
| - run: git diff-files --ignore-submodules | |
| - name: Check that make proto-generate and connect-wrapper-generate have run before PR submission; see above for error details | |
| run: git diff-files --quiet --ignore-submodules | |
| ci: | |
| permissions: {} | |
| needs: | |
| - buflint | |
| - go | |
| - image | |
| - integration | |
| - benchmark | |
| - license | |
| - platform-xtest | |
| - otdfctl-test | |
| runs-on: ubuntu-22.04 | |
| if: ${{ !cancelled() }} | |
| steps: | |
| - if: contains(needs.*.result, 'failure') | |
| name: Check for failed jobs | |
| run: echo "One or more jobs failed. Please look at the failed jobs for details." && exit 1 | |
| license: | |
| permissions: | |
| contents: read | |
| name: license check | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version-file: "service/go.mod" | |
| check-latest: false | |
| cache: false | |
| - name: check service licenses | |
| run: > | |
| "$(go env GOROOT)"/bin/go run github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e | |
| check --disallowed_types=forbidden --include_tests | |
| ./service | |
| - name: check sdk licenses | |
| run: > | |
| "$(go env GOROOT)"/bin/go run github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e | |
| check --disallowed_types=forbidden --include_tests | |
| ./sdk | |
| - name: check examples licenses | |
| run: > | |
| "$(go env GOROOT)"/bin/go run github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e | |
| check --disallowed_types=forbidden --include_tests | |
| ./examples |