3c2b39158b
Add end-to-end tests for workload identity federation. Depends on https://code.forgejo.org/forgejo/runner/pulls/1232 Depends on https://codeberg.org/forgejo/forgejo/pulls/10481 Signed-off-by: Mario Minardi <mminardi@shaw.ca>
45 lines
2 KiB
YAML
45 lines
2 KiB
YAML
on: [push]
|
|
jobs:
|
|
generation-allowed:
|
|
enable-openid-connect: true
|
|
runs-on: docker
|
|
steps:
|
|
- run: curl -L -o jq https://github.com/jqlang/jq/releases/latest/download/jq-linux-amd64 && chmod a+x ./jq
|
|
- name: validate token generation works
|
|
run: |
|
|
DECODED_JWT_BODY=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | ./jq -r ".value" | ./jq -R 'split(".") | .[1] | @base64d | fromjson')
|
|
if [[ -z "$DECODED_JWT_BODY" ]]; then
|
|
echo "Error: DECODED_JWT_BODY should be set"
|
|
exit 1
|
|
fi
|
|
|
|
WORKFLOW=$(echo $DECODED_JWT_BODY | ./jq '.workflow')
|
|
AUD=$(echo $DECODED_JWT_BODY | ./jq '.aud')
|
|
EVENT_NAME=$(echo $DECODED_JWT_BODY | ./jq '.event_name')
|
|
if [[ "$WORKFLOW" != '"test.yml"' ]]; then
|
|
echo "Error: WORKFLOW should be test.yml but is $WORKFLOW"
|
|
exit 1
|
|
fi
|
|
if [[ "$AUD" != '"exampleAudience"' ]]; then
|
|
echo "Error: AUD should be exampleAudience but is $AUD"
|
|
exit 1
|
|
fi
|
|
if [[ "$EVENT_NAME" != '"push"' ]]; then
|
|
echo "Error: EVENT_NAME should be push but is $EVENT_NAME"
|
|
exit 1
|
|
fi
|
|
|
|
generation-not-allowed:
|
|
enable-openid-connect: false
|
|
runs-on: docker
|
|
steps:
|
|
- name: check variables are unset
|
|
run: |
|
|
if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]]; then
|
|
echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
|
|
exit 1
|
|
fi
|
|
if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]]; then
|
|
echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
|
|
exit 1
|
|
fi
|