keycloak-admin-helper-plugin/.github/workflows/maven.yml at main · SwissOpenEM/keycloak-admin-helper-plugin · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Java CI with Maven

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  release:
    types: [ published ]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      checks: write  # test report
      pull-requests: write  # test report
    outputs:
      version: ${{ steps.version.outputs.version }}
      mainVersion: ${{ steps.version.outputs.mainVersion }}
      keycloakVersion: ${{ steps.version.outputs.keycloakVersion }}
    steps:
    - uses: actions/checkout@v4
    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'temurin'
        cache: maven
    - name: Set version
      id: version
      run: |
        set -ex
        keycloakVersion="$(. docker/.env ; echo "${KEYCLOAK_IMAGE##*:}")"
        gitrev="$(git rev-parse --short HEAD)"
        timestamp="$(date +%Y%m%d%H%M%S)"
        if [ "${BRANCH_REF}" = 'refs/heads/main' ]; then
          eap=""
        else
          eap="-eap"
        fi

        # Use release tag if available, otherwise parse from pom.xml
        if [ -n "${RELEASE_TAG}" ] && [ "${RELEASE_TAG}" != "" ]; then
          mainVersion="${RELEASE_TAG#v}"  # Remove 'v' prefix if present
        else
          mainVersion="$(grep -m1 -oP '(?<=<version>)[^<]+' pom.xml)"
        fi

        ver="$mainVersion-$keycloakVersion${eap}-$gitrev"
        echo "version=$ver" >>"$GITHUB_OUTPUT"
        echo "mainVersion=$mainVersion" >>"$GITHUB_OUTPUT"
        echo "keycloakVersion=$keycloakVersion" >>"$GITHUB_OUTPUT"
        echo "## The version is: $ver"
        mvn --batch-mode versions:set "-DnewVersion=$ver"
      env:
        BRANCH_REF: ${{ github.ref }}
        RELEASE_TAG: ${{ github.event.release.tag_name }}
    - name: Check for update of KeyCloak
      run: |
        newestKcVersion="$(curl  https://api.github.com/repos/keycloak/keycloak/releases/latest | jq -r .name)"
        [ -n "$newestKcVersion" ]
        if [ "$KC_IMAGEVERSION" != "$newestKcVersion" ]; then
          echo "::warning title=KeyCloak Version::The newest version of keycloak on github is ($newestKcVersion) while the locally configured version is $KC_IMAGEVERSION"
        fi
      env:
        KC_IMAGEVERSION: ${{ steps.version.outputs.keycloakVersion }}

    - name: Run the Maven package phase
      run: mvn --batch-mode --update-snapshots package
    - name: Run the Maven verify phase
      run: mvn --batch-mode verify
    - name: Publish Test Results (brief)
      uses: EnricoMi/publish-unit-test-result-action@v2
      if: (!cancelled())
      with:
        files: |
          target/surefire-reports/**/*.xml
    - name: Publish Test Results (detailed but only visible on action)
      uses: dorny/test-reporter@v2
      if: (!cancelled())       # run this step even if previous step failed
      with:
        name: Java Tests           # Name of the check run which will be created
        path: |                   # Path to test results
          target/surefire-reports/**/*.xml
        reporter: java-junit      # Format of test results
    # https://docs.github.com/en/actions/use-cases-and-examples/publishing-packages/publishing-java-packages-with-maven
    - name: Publish to mvn artifact to GitHub Packages
      run: mvn --batch-mode deploy
      if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'release'
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - uses: actions/upload-artifact@v4
      with:
        name: Build
        path: target/*.jar

  docker:
    needs: build
    runs-on: ubuntu-latest
    if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'release'
    env:
      REGISTRY: ghcr.io
      IMAGE_NAME: ${{ github.repository }}
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write

    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: Build

      - name: Get Version & copy artifact
        id: version
        run: |
          set -ex
          read v1 v2 v3 rest <<.e
          $(echo "$mainVersion" | sed 's/[.-]/ /g')
          .e
          read k1 k2 k3 rest <<.e
          $(echo "$keycloakVersion" | sed 's/[.-]/ /g')
          .e

          echo "## The version is: $version"
          git tag v"$version"   # not pushed, but needed by docker/metadata-action

          rm -fv docker/plugins/*.jar
          mkdir -p docker/plugins/
          cp -pv ./keycloak-facilities-admin-plugin-*.jar docker/plugins/

          cat docker/.env >>"$GITHUB_OUTPUT"  # sets ${{ steps.version.outputs.KEYCLOAK_IMAGE }}
          cat >>"$GITHUB_OUTPUT" <<.e
          VERSION=$version
          MAJOR=$v1
          MINOR=$v2
          PATCH=$v3
          K1=$k1
          K12=$k1.$k2
          K123=$k1.$k2.$k3
          .e
        env:
          version: ${{needs.build.outputs.version}}
          mainVersion: ${{needs.build.outputs.mainVersion}}
          keycloakVersion: ${{needs.build.outputs.keycloakVersion}}
      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      ## This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}},value=${{ steps.version.outputs.VERSION }}
            type=raw,value=${{ steps.version.outputs.MAJOR }}
            type=raw,value=${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}
            type=raw,value=${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}.${{ steps.version.outputs.PATCH }}
            type=raw,value=k${{ steps.version.outputs.K1 }}
            type=raw,value=k${{ steps.version.outputs.K12 }}
            type=raw,value=k${{ steps.version.outputs.K123 }}

      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository.
      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@v6
        with:
          context: docker/
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            KEYCLOAK_IMAGE=${{ steps.version.outputs.KEYCLOAK_IMAGE }}

      # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds).
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true