feat(policy): policy unsafe namespace RPCs wired up to database #3674
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Checks" | |
| env: | |
| IS_RELEASE_BRANCH: ${{ startsWith(github.head_ref, 'release-please-') }} | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| merge_group: | |
| branches: | |
| - main | |
| types: | |
| - checks_requested | |
| jobs: | |
| pr: | |
| name: Validate PR title | |
| if: contains(fromJSON('["pull_request", "pull_request_target"]'), github.event_name) | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| pull-requests: read | |
| steps: | |
| - uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| # Types include: | |
| # - fix: fixes | |
| # - feat: features and enhancements | |
| # - chore: non-feature or enhancement (i.e. docs, ci, linting, automated, etc) | |
| types: | | |
| fix | |
| feat | |
| chore | |
| refactor | |
| revert | |
| # Scopes include: | |
| # - main: used for automated releases | |
| # - core: related to any core need such as the core service or monorepo | |
| # - ci: anything related to ci | |
| # - docs: anything related solely to documentation | |
| # - sdk: related to sdk changes in the /sdk directory | |
| # - policy: related to policy service changes (i.e. /service/policy) | |
| # - kas: related to key access service changes (i.e. /service/kas) | |
| # - authz: related to the authorization service changes (i.e. /service/authorization) | |
| scopes: | | |
| main | |
| core | |
| ci | |
| docs | |
| sdk | |
| policy | |
| kas | |
| authz | |
| examples | |
| go: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| checks: write | |
| contents: read | |
| pull-requests: read | |
| strategy: | |
| matrix: | |
| directory: | |
| - examples | |
| - sdk | |
| - service | |
| - lib/ocrypto | |
| - lib/fixtures | |
| - lib/flattening | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 | |
| with: | |
| go-version: "1.22.3" | |
| check-latest: false | |
| cache-dependency-path: | | |
| examples/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| service/go.sum | |
| - if: env.IS_RELEASE_BRANCH == 'true' | |
| name: prevent depending on unreleased upstream changes | |
| run: ./.github/scripts/work-init.sh | |
| - if: github.head_ref == format('release-please--branches--main--components--{0}', matrix.directory) | |
| name: prevent tagging with replace directives | |
| run: go mod edit --json | jq -e '.Replace | not' | |
| working-directory: ${{ matrix.directory }} | |
| - run: go mod download | |
| working-directory: ${{ matrix.directory }} | |
| - run: go mod verify | |
| working-directory: ${{ matrix.directory }} | |
| - run: go work use . | |
| if: env.IS_RELEASE_BRANCH == 'true' | |
| working-directory: ${{ matrix.directory }} | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 | |
| with: | |
| version: v1.58 | |
| working-directory: ${{ matrix.directory }} | |
| skip-cache: true | |
| args: --out-format=colored-line-number | |
| - name: Install softHSM | |
| if: matrix.directory == 'service' | |
| run: |- | |
| sudo apt-get install -y softhsm opensc openssl | |
| sudo chmod +x /etc/softhsm | |
| sudo chmod +r /etc/softhsm/softhsm2.conf | |
| mkdir -p $(pwd)/.tmp/tokens | |
| echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf | |
| echo "log.level = DEBUG" >> softhsm2.conf | |
| echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV" | |
| - if: matrix.directory == 'service' | |
| run: .github/scripts/init-temp-keys.sh --hsm | |
| - run: go test ./... -short | |
| working-directory: ${{ matrix.directory }} | |
| - if: matrix.directory == 'service' | |
| run: go test ./service/integration -race -failfast | |
| - name: check go fmt and go mod tidy | |
| run: |- | |
| go mod tidy | |
| go fmt ./... | |
| git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum" | |
| working-directory: ${{ matrix.directory }} | |
| - run: git diff | |
| - run: git diff-files --ignore-submodules | |
| - name: Check that files have been formatted before PR submission; see above for error details | |
| run: git diff-files --quiet --ignore-submodules | |
| if: env.IS_RELEASE_BRANCH == 'false' | |
| integration: | |
| name: integration tests | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| crypto: | |
| - standard | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 | |
| with: | |
| go-version: "1.22.3" | |
| check-latest: false | |
| cache-dependency-path: | | |
| service/go.sum | |
| examples/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| - if: env.IS_RELEASE_BRANCH == 'true' | |
| run: ./.github/scripts/work-init.sh | |
| - run: go mod download | |
| - run: go mod verify | |
| - name: Install softHSM | |
| if: matrix.crypto == 'hsm' | |
| run: |- | |
| sudo apt-get install -y softhsm opensc openssl | |
| sudo chmod +x /etc/softhsm | |
| sudo chmod +r /etc/softhsm/softhsm2.conf | |
| mkdir -p $(pwd)/.tmp/tokens | |
| echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf | |
| echo "log.level = DEBUG" >> softhsm2.conf | |
| echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV" | |
| - run: | | |
| .github/scripts/init-temp-keys.sh --hsm | |
| cp opentdf-with-hsm.yaml opentdf.yaml | |
| if: matrix.crypto == 'hsm' | |
| - run: | | |
| .github/scripts/init-temp-keys.sh | |
| cp opentdf-dev.yaml opentdf.yaml | |
| if: matrix.crypto == 'standard' | |
| - name: Added Trusted Certs | |
| run: | | |
| sudo chmod -R 777 ./keys | |
| sudo apt-get install -y ca-certificates | |
| sudo cp ./keys/localhost.crt /usr/local/share/ca-certificates | |
| sudo update-ca-certificates | |
| - run: docker compose up -d --wait --wait-timeout 240 | |
| - run: go run ./service provision keycloak | |
| - run: go run ./service provision fixtures | |
| - uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 | |
| name: start server in background | |
| with: | |
| run: > | |
| go build -o opentdf ${{ matrix.crypto == 'hsm' && '--tags=opentdf.hsm' || '' }} -v service/main.go | |
| && .github/scripts/watch.sh opentdf.yaml ./opentdf start | |
| wait-on: | | |
| tcp:localhost:8080 | |
| log-output-if: true | |
| wait-for: 90s | |
| - run: go install github.com/fullstorydev/grpcurl/cmd/[email protected] | |
| - name: Setup Bats and bats libs | |
| uses: bats-core/[email protected] | |
| - run: test/service-start.bats | |
| - run: test/tdf-roundtrips.bats | |
| - name: create roundtrip test data and run tests | |
| run: go test ./service/rttests -v | |
| image: | |
| name: image build | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: docker/[email protected] | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: false | |
| buflint: | |
| name: Protocol Buffer Lint and Gencode Up-to-date check | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - uses: bufbuild/buf-setup-action@dde0b9351db90fbf78e345f41a57de8514bf1091 | |
| - uses: bufbuild/buf-lint-action@044d13acb1f155179c606aaa2e53aea304d22058 | |
| with: | |
| input: service | |
| - uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 | |
| with: | |
| input: service | |
| against: "https://github.com/opentdf/platform.git#branch=main,subdir=service" | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 | |
| with: | |
| go-version: "1.22.3" | |
| check-latest: false | |
| cache-dependency-path: | | |
| service/go.sum | |
| protocol/go/go.sum | |
| sdk/go.sum | |
| examples/go.sum | |
| - run: cd service && go get github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc | |
| - run: cd service && go install github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc | |
| - run: make proto-generate | |
| - name: Restore go.mod after installing protoc-gen-doc | |
| run: git restore {service,protocol/go}/go.{mod,sum} | |
| - name: validate go mod tidy | |
| run: |- | |
| cd protocol/go | |
| go mod tidy | |
| git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum" | |
| - run: git diff | |
| - run: git diff-files --ignore-submodules | |
| - name: Check that make proto-generate has run before PR submission; see above for error details | |
| run: git diff-files --quiet --ignore-submodules | |
| ci: | |
| needs: | |
| - buflint | |
| - go | |
| - image | |
| - integration | |
| - license | |
| - pr | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - if: contains(needs.*.result, 'failure') | |
| run: echo "Failed due to ${{ contains(needs.*.result, 'failure') }}" && exit 1 | |
| license: | |
| name: license check | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 | |
| with: | |
| go-version: "1.22.4" | |
| check-latest: false | |
| cache: false | |
| - name: install go-licenses | |
| run: go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e | |
| - name: check service licenses | |
| run: > | |
| go-licenses check --disallowed_types=forbidden --include_tests | |
| ./service | |
| - name: check sdk licenses | |
| run: > | |
| go-licenses check --disallowed_types=forbidden --include_tests | |
| ./sdk | |
| - name: check examples licenses | |
| run: > | |
| go-licenses check --disallowed_types=forbidden --include_tests | |
| ./examples |