Skip to content

Commit 26afa1d

Browse files
committed
merge upstream changes
2 parents a2c5de0 + 2ecf64e commit 26afa1d

112 files changed

Lines changed: 6980 additions & 1475 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/analysis-scorecard.yaml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -23,25 +23,25 @@ jobs:
2323

2424
steps:
2525
- name: Checkout repository
26-
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
26+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2727
with:
2828
persist-credentials: false
2929

3030
- name: Run analysis
31-
uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
31+
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
3232
with:
3333
results_file: results.sarif
3434
results_format: sarif
3535
publish_results: true
3636

3737
- name: Upload results as artifact
38-
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
38+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
3939
with:
4040
name: OpenSSF Scorecard results
4141
path: results.sarif
4242
retention-days: 5
4343

4444
- name: Upload results to GitHub Security tab
45-
uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
45+
uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5
4646
with:
4747
sarif_file: results.sarif

.github/workflows/artifacts.yaml

Lines changed: 53 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -51,27 +51,29 @@ jobs:
5151

5252
steps:
5353
- name: Checkout repository
54-
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
54+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
55+
with:
56+
fetch-tags: true
5557

5658
- name: Set up QEMU
57-
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
59+
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
5860

5961
- name: Set up Docker Buildx
60-
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
62+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
6163

6264
- name: Set up Syft
63-
uses: anchore/sbom-action/download-syft@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
65+
uses: anchore/sbom-action/download-syft@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
6466

6567
- name: Install cosign
66-
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
68+
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
6769

6870
- name: Set image name
6971
id: image-name
7072
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
7173

7274
- name: Gather build metadata
7375
id: meta
74-
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
76+
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
7577
with:
7678
images: |
7779
${{ steps.image-name.outputs.value }}
@@ -90,6 +92,12 @@ jobs:
9092
labels: |
9193
org.opencontainers.image.documentation=https://dexidp.io/docs/
9294
95+
# Multiple exporters are not supported yet
96+
# See https://github.com/moby/buildkit/pull/2760
97+
- name: Get version from git-version script
98+
id: version
99+
run: echo "value=$(bash ./scripts/git-version)" >> "$GITHUB_OUTPUT"
100+
93101
# Multiple exporters are not supported yet
94102
# See https://github.com/moby/buildkit/pull/2760
95103
- name: Determine build output
@@ -101,33 +109,34 @@ jobs:
101109
if_false: type=oci,dest=image.tar
102110

103111
- name: Login to GitHub Container Registry
104-
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
112+
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
105113
with:
106114
registry: ghcr.io
107115
username: ${{ github.actor }}
108116
password: ${{ github.token }}
109117
if: inputs.publish
110118

111119
- name: Login to Docker Hub
112-
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
120+
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
113121
with:
114122
username: ${{ secrets.DOCKER_USERNAME }}
115123
password: ${{ secrets.DOCKER_PASSWORD }}
116124
if: inputs.publish
117125

118126
- name: Build and push image
119127
id: build
120-
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
128+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
121129
with:
122130
context: .
123131
platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
124132
tags: ${{ steps.meta.outputs.tags }}
125133
build-args: |
126134
BASE_IMAGE=${{ matrix.variant }}
127-
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
135+
VERSION=${{ steps.version.outputs.value }}
128136
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
129137
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
130-
labels: ${{ steps.meta.outputs.labels }}
138+
labels: |
139+
${{ steps.meta.outputs.labels }}
131140
# cache-from: type=gha
132141
# cache-to: type=gha,mode=max
133142
outputs: ${{ steps.build-output.outputs.value }}
@@ -154,10 +163,21 @@ jobs:
154163
# path: image.tar
155164

156165
- name: Extract OCI tarball
166+
id: extract-oci
157167
run: |
158168
mkdir -p image
159169
tar -xf image.tar -C image
160170
171+
image_name=$(jq -r '.manifests[0].annotations["io.containerd.image.name"]' image/index.json)
172+
image_tag=$(jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]' image/index.json)
173+
174+
echo "Copying $image_tag -> $image_name"
175+
skopeo copy "oci:image:$image_tag" "docker-daemon:$image_name"
176+
177+
echo "value=$image_name" >> "$GITHUB_OUTPUT"
178+
if: ${{ !inputs.publish }}
179+
180+
161181
# - name: List tags
162182
# run: skopeo --insecure-policy list-tags oci:image
163183
#
@@ -177,62 +197,73 @@ jobs:
177197

178198
# TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80
179199
# - name: Generate build provenance attestation
180-
# uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
200+
# uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
181201
# with:
182202
# subject-name: dexidp/dex
183203
# subject-digest: ${{ steps.build.outputs.digest }}
184204
# push-to-registry: true
185205

186206
- name: Generate build provenance attestation
187-
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
207+
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
188208
with:
189209
subject-name: ghcr.io/${{ github.repository }}
190210
subject-digest: ${{ steps.build.outputs.digest }}
191211
push-to-registry: true
192212
if: inputs.publish
193213

214+
- name: Prepare image fs for scanning
215+
run: |
216+
image_ref=${{ steps.extract-oci.outputs.value != '' && steps.extract-oci.outputs.value || steps.image-ref.outputs.value }}
217+
docker export $(docker create --rm $image_ref) -o docker-image.tar
218+
219+
mkdir -p docker-image
220+
tar -xf docker-image.tar -C docker-image
221+
194222
## Use cache for the trivy-db to avoid the TOOMANYREQUESTS error https://github.com/aquasecurity/trivy-action/pull/397
195223
## To avoid the trivy-db becoming outdated, we save the cache for one day
196224
- name: Get data
197225
id: date
198226
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
199227

200228
- name: Restore trivy cache
201-
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
229+
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
202230
with:
203231
path: cache/db
204232
key: trivy-cache-${{ steps.date.outputs.date }}
205233
restore-keys: trivy-cache-
206234

207235
- name: Run Trivy vulnerability scanner
208-
uses: aquasecurity/trivy-action@f9424c10c36e288d5fa79bd3dfd1aeb2d6eae808 # 0.33.0
236+
uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
209237
with:
210-
input: image
238+
input: docker-image
211239
format: sarif
212240
output: trivy-results.sarif
213-
scan-type: "fs"
241+
scan-type: "rootfs"
214242
scan-ref: "."
215243
cache-dir: "./cache"
216244
# Disable skipping trivy cache for now
217-
# env:
218-
# TRIVY_SKIP_DB_UPDATE: true
219-
# TRIVY_SKIP_JAVA_DB_UPDATE: true
245+
env:
246+
TRIVY_SKIP_DB_UPDATE: true
247+
TRIVY_SKIP_JAVA_DB_UPDATE: true
220248

221249
## Trivy-db uses `0600` permissions.
222250
## But `action/cache` use `runner` user by default
223251
## So we need to change the permissions before caching the database.
224252
- name: change permissions for trivy.db
225253
run: sudo chmod 0644 ./cache/db/trivy.db
226254

255+
- name: Check Trivy sarif
256+
run: cat trivy-results.sarif
257+
227258
- name: Upload Trivy scan results as artifact
228-
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
259+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
229260
with:
230261
name: "[${{ github.job }}] Trivy scan results"
231262
path: trivy-results.sarif
232263
retention-days: 5
233264
overwrite: true
234265

235266
- name: Upload Trivy scan results to GitHub Security tab
236-
uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
267+
uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5
237268
with:
238269
sarif_file: trivy-results.sarif

.github/workflows/ci.yaml

Lines changed: 30 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -64,12 +64,30 @@ jobs:
6464
- 35357
6565
options: --health-cmd "curl --fail http://localhost:5000/v3" --health-interval 10s --health-timeout 5s --health-retries 5
6666

67+
vault:
68+
image: hashicorp/vault:1.21
69+
ports:
70+
- 8200
71+
env:
72+
VAULT_DEV_ROOT_TOKEN_ID: root-token
73+
VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
74+
options: --health-cmd "vault status -address=http://localhost:8200 || exit 1" --health-interval 10s --health-timeout 5s --health-retries 5
75+
76+
openbao:
77+
image: quay.io/openbao/openbao:2.5
78+
ports:
79+
- 8210
80+
env:
81+
BAO_DEV_ROOT_TOKEN_ID: root-token
82+
BAO_DEV_LISTEN_ADDRESS: "0.0.0.0:8210"
83+
options: --health-cmd "bao status -address=http://localhost:8210 || exit 1" --health-interval 10s --health-timeout 5s --health-retries 5
84+
6785
steps:
6886
- name: Checkout repository
69-
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
87+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
7088

7189
- name: Set up Go
72-
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
90+
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
7391
with:
7492
go-version: "1.25"
7593

@@ -86,7 +104,7 @@ jobs:
86104
run: docker compose -f docker-compose.test.yaml up -d
87105

88106
- name: Create kind cluster
89-
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
107+
uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
90108
with:
91109
version: "v0.17.0"
92110
node_image: "kindest/node:v1.25.3@sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5"
@@ -129,6 +147,11 @@ jobs:
129147
DEX_KEYSTONE_ADMIN_USER: demo
130148
DEX_KEYSTONE_ADMIN_PASS: DEMO_PASS
131149

150+
DEX_VAULT_ADDR: http://localhost:${{ job.services.vault.ports[8200] }}
151+
DEX_VAULT_TOKEN: root-token
152+
DEX_OPENBAO_ADDR: http://localhost:${{ job.services.openbao.ports[8210] }}
153+
DEX_OPENBAO_TOKEN: root-token
154+
132155
DEX_KUBERNETES_CONFIG_PATH: ~/.kube/config
133156

134157
lint:
@@ -137,10 +160,10 @@ jobs:
137160

138161
steps:
139162
- name: Checkout repository
140-
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
163+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
141164

142165
- name: Set up Go
143-
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
166+
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
144167
with:
145168
go-version: "1.25"
146169

@@ -172,7 +195,7 @@ jobs:
172195

173196
steps:
174197
- name: Checkout repository
175-
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
198+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
176199

177200
- name: Dependency Review
178-
uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
201+
uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3

.github/workflows/trivydb-cache.yaml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,12 +7,15 @@ on:
77
- cron: '0 0 * * *' # Run daily at midnight UTC
88
workflow_dispatch: # Allow manual triggering
99

10+
permissions:
11+
contents: read
12+
1013
jobs:
1114
update-trivy-db:
1215
runs-on: ubuntu-latest
1316
steps:
1417
- name: Setup oras
15-
uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
18+
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
1619

1720
- name: Get current date
1821
id: date
@@ -33,7 +36,7 @@ jobs:
3336
rm javadb.tar.gz
3437
3538
- name: Cache DBs
36-
uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
39+
uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
3740
with:
3841
path: ${{ github.workspace }}/.cache/trivy
3942
key: cache-trivy-${{ steps.date.outputs.date }}

ADOPTERS.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,11 +15,12 @@ This is a list of production adopters of Dex (in alphabetical order).
1515

1616
- [Argo CD](https://argoproj.github.io/cd) integrates Dex to provide convenient Single Sign On capabilities to its web UI and CLI
1717
- [Chef](https://chef.io) uses Dex for authenticating users in [Chef Automate](https://automate.chef.io/). The code is Open Source, available at [`github.com/chef/automate`](https://github.com/chef/automate).
18-
- [Elastisys](https://elastisys.com) uses Dex for authentication in their [Compliant Kubernetes](https://compliantkubernetes.io) distribution, including SSO to the custom dashboard, Grafana, Kibana, and Harbor.
18+
- [Elastisys](https://elastisys.com) uses Dex for authentication in [Welkin, The Application Platform for Software Critical to Society](https://elastisys.io/welkin/), including SSO to Grafana, OpenSearch, and Harbor.
1919
- [Kasten](https://www.kasten.io) is using Dex for authenticating access to the dashboard of [K10](https://www.kasten.io/product/), a Kubernetes-native platform for backup, disaster recovery and mobility of Kubernetes applications. K10 is widely used by a variety of customers including large enterprises, financial services, design firms, and IT companies.
2020
- [Kubeflow](https://www.kubeflow.org/) [uses](https://github.com/kubeflow/manifests#dex) Dex as one of its components in the Kubeflow Platform for external OIDC authentication.
2121
- [Kyma](https://kyma-project.io) is using Dex to authenticate access to Kubernetes API server (even for managed Kubernetes like Google Kubernetes Engine or Azure Kubernetes Service) and for protecting web UI of [Kyma Console](https://github.com/kyma-project/console) and other UIs integrated in Kyma ([Grafana](https://github.com/grafana/grafana), [Loki](https://github.com/grafana/loki), and [Jaeger](https://github.com/jaegertracing/jaeger)). Kyma is an open-source project ([`github.com/kyma-project`](https://github.com/kyma-project/kyma)) designed natively on Kubernetes, that allows you to extend and customize your applications in a quick and modern way, using serverless computing or microservice architecture.
2222
- [LitmusChaos](https://litmuschaos.io/) uses Dex to [implement](https://docs.litmuschaos.io/docs/user-guides/chaoscenter-oauth-dex-installation#deploy-dex-oidc-provider) OAuth2 login support in ChaosCenter, its centralized chaos management tool.
2323
- [LLMariner](https://llmariner.ai/) uses Dex for [user management](https://llmariner.ai/docs/features/user_management/).
2424
- [Pydio](https://pydio.com/) Pydio Cells is an open source sync & share platform written in Go. Cells is using Dex as an OIDC service for authentication and authorizations. Check out [Pydio Cells repository](https://github.com/pydio/cells) for more information and/or to contribute.
2525
- [sigstore](https://sigstore.dev) uses Dex for authentication in their public Fulcio instance, which is a certificate authority for code signing certificates bound to OIDC-based identities.
26+
- [Terrakube](https://docs.terrakube.io/) relies on Dex for [user authentication](https://docs.terrakube.io/getting-started/deployment/user-authentication-dex). Its Helm chart uses Dex as a dependency.

0 commit comments

Comments
 (0)