-
Notifications
You must be signed in to change notification settings - Fork 3
130 lines (117 loc) · 5.31 KB
/
Copy pathoidc-conformance.yml
File metadata and controls
130 lines (117 loc) · 5.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: OIDC OP Conformance Monitoring
# Ongoing drift monitoring for the OpenID Connect OP after certification. It runs
# the OpenID Foundation conformance suite against the real deployment on every
# OIDC-affecting change so a regression that breaks conformance fails CI early.
# Conformance is driven entirely through standard OP endpoints; there is no
# suite-specific branch in the OP.
#
# This workflow is NOT the source of certification evidence. The certification
# evidence of record is produced and retained by the OIDF hosted portal
# (https://www.certification.openid.net). The per-module logs uploaded here are
# drift diagnostics only.
#
# The Go normative regression tests are not duplicated here; the main CI/CD
# pipeline (ci-cd.yml) already runs the full backend test suite, including
# internal/protocols/oidc, internal/crypto, and internal/mockidp, on every push.
#
# The suite run requires deployment secrets (the confidential client secret and
# the conformance end-user password). When those are absent the job verifies the
# harness can build and parse its config, then exits without claiming any result.
# No conformance pass is ever synthesised.
on:
push:
branches: [ master ]
paths:
- 'ProtocolLens/backend/internal/protocols/oidc/**'
- 'ProtocolLens/backend/internal/mockidp/**'
- 'ProtocolLens/backend/internal/crypto/**'
- 'ProtocolLens/backend/internal/core/**'
- 'ProtocolLens/scripts/conformance/**'
- 'ProtocolLens/scripts/conformance-run.sh'
- 'ProtocolLens/docker/docker-compose.conformance.yml'
- 'ProtocolLens/.github/workflows/oidc-conformance.yml'
pull_request:
branches: [ master ]
paths:
- 'ProtocolLens/backend/internal/protocols/oidc/**'
- 'ProtocolLens/backend/internal/mockidp/**'
- 'ProtocolLens/backend/internal/crypto/**'
- 'ProtocolLens/backend/internal/core/**'
- 'ProtocolLens/scripts/conformance/**'
- 'ProtocolLens/scripts/conformance-run.sh'
workflow_dispatch:
schedule:
- cron: '0 5 * * 1'
permissions:
contents: read
jobs:
op-conformance:
name: OIDF OP conformance suite
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Determine whether conformance secrets are configured
id: gate
env:
OIDC_CLIENT_SECRET: ${{ secrets.OIDC_CONFORMANCE_CLIENT_SECRET }}
OIDC_PASSWORD: ${{ secrets.OIDC_CONFORMANCE_PASSWORD }}
run: |
if [ -n "${OIDC_CLIENT_SECRET}" ] && [ -n "${OIDC_PASSWORD}" ]; then
echo "ready=true" >> "$GITHUB_OUTPUT"
else
echo "ready=false" >> "$GITHUB_OUTPUT"
echo "Conformance secrets not configured; running harness self-check only."
fi
- name: Add suite hostname to /etc/hosts
run: echo "127.0.0.1 localhost.emobix.co.uk" | sudo tee -a /etc/hosts
- name: Harness self-check (no result claimed)
working-directory: ProtocolLens
run: |
python3 -c "import json; json.load(open('docs/compliance/oidc-op-musts.json'))"
python3 -c "import json; json.load(open('scripts/conformance/expected_failures.json'))"
python3 -m py_compile scripts/conformance/runner.py scripts/conformance/divergence.py
test -f docker/docker-compose.conformance.yml
- name: Start conformance suite
if: steps.gate.outputs.ready == 'true'
working-directory: ProtocolLens
run: docker compose -f docker/docker-compose.conformance.yml up -d --wait
- name: Run OP test plans
if: steps.gate.outputs.ready == 'true'
working-directory: ProtocolLens
env:
OIDC_TARGET_BASE_URL: ${{ secrets.OIDC_CONFORMANCE_TARGET_BASE_URL }}
OIDC_CLIENT_ID: ${{ secrets.OIDC_CONFORMANCE_CLIENT_ID }}
OIDC_CLIENT_SECRET: ${{ secrets.OIDC_CONFORMANCE_CLIENT_SECRET }}
OIDC_CLIENT2_ID: ${{ secrets.OIDC_CONFORMANCE_CLIENT2_ID }}
OIDC_CLIENT2_SECRET: ${{ secrets.OIDC_CONFORMANCE_CLIENT2_SECRET }}
OIDC_USERNAME: ${{ secrets.OIDC_CONFORMANCE_USERNAME }}
OIDC_PASSWORD: ${{ secrets.OIDC_CONFORMANCE_PASSWORD }}
CONFORMANCE_RESULTS_DIR: .artifacts/conformance
run: bash scripts/conformance-run.sh
- name: Reflexive audit (adjudicator versus suite)
if: steps.gate.outputs.ready == 'true'
working-directory: ProtocolLens
run: |
python3 scripts/conformance/divergence.py \
--musts docs/compliance/oidc-op-musts.json \
--results-dir .artifacts/conformance \
--report .artifacts/conformance/DIVERGENCES.md
- name: Stop conformance suite
if: always() && steps.gate.outputs.ready == 'true'
working-directory: ProtocolLens
run: docker compose -f docker/docker-compose.conformance.yml down -v
- name: Upload conformance logs (drift diagnostics, not certification evidence)
if: always() && steps.gate.outputs.ready == 'true'
uses: actions/upload-artifact@v4
with:
name: oidc-op-conformance-monitoring-logs
path: ProtocolLens/.artifacts/conformance/**
retention-days: 30
if-no-files-found: warn