Skip to content

adds the audience mapping to the router #4786

adds the audience mapping to the router

adds the audience mapping to the router #4786

Workflow file for this run

name: build
on:
push:
branches:
- main
- release-v*
pull_request:
workflow_dispatch:
# cancel older, redundant runs of same workflow on same branch
concurrency:
group: ${{ github.workflow }}-${{github.event_name}}-${{ github.head_ref || github.ref_name }}
cancel-in-progress: true
env:
GOFLAGS: "-tags=pkcs11 -trimpath"
GOX_OUTPUT: "release/{{.Arch}}/{{.OS}}/{{.Dir}}"
GOX_TEST_OUTPUT: "test/{{.Arch}}/{{.OS}}/bin/{{.Dir}}"
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: "us-east-2"
gh_ci_key: ${{ secrets.GH_CI_KEY }}
CONSUL_ENCRYPTION_KEY: ${{ secrets.CONSUL_ENCRYPTION_KEY }}
ELASTIC_ENDPOINT: ${{ secrets.ELASTIC_ENDPOINT }}
ELASTIC_USERNAME: ${{ secrets.ELASTIC_USERNAME }}
ELASTIC_PASSWORD: ${{ secrets.ELASTIC_PASSWORD }}
CONSUL_ENDPOINT: ${{ secrets.CONSUL_ENDPOINT }}
CONSUL_AGENT_CERT: ${{ secrets.CONSUL_AGENT_CERT }}
BUILD_NUMBER: ${{ format('{0}-{1}-{2}', github.run_id, github.run_number, github.run_attempt) }}
ZITI_BASE_VERSION: ${{ vars.ZITI_BASE_VERSION || null }}
jobs:
mac-os-build:
name: Build Mac OS binaries
# allow fors to opt-out of time-consuming macOS builds
if: vars.ZITI_SKIP_MACOS_BUILD != 'true'
runs-on: macos-latest
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@v5
with:
go-version-file: ./go.mod
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Build and Test
shell: bash
run: |
go install github.com/mitchellh/gox@latest
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./...
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./...
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: darwin-release-${{ github.run_id }}
path: release/
retention-days: 5
windows-build:
name: Build Windows binaries
# allow fors to opt-out of time-consuming Windows builds
if: vars.ZITI_SKIP_WINDOWS_BUILD != 'true'
runs-on: windows-2019
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@v5
with:
go-version-file: ./go.mod
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Build and Test
shell: bash
run: |
go install github.com/mitchellh/gox@latest
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./...
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: windows-release-${{ github.run_id }}
path: release/
retention-days: 5
linux-build:
name: Build Linux binaries
runs-on: ubuntu-20.04
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@v5
with:
go-version-file: ./go.mod
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Build and Test
shell: bash
run: |
sudo apt-get update
sudo apt-get -yq install gcc-arm-linux-gnueabihf g++-arm-linux-gnueabihf gcc-aarch64-linux-gnu
go install github.com/mitchellh/gox@latest
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./...
CC=arm-linux-gnueabihf-gcc \
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./...
CC=aarch64-linux-gnu-gcc \
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q go-build-flags -n)" -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./...
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: linux-release-${{ github.run_id }}
path: release/
retention-days: 5
tests:
name: Run Unit and Integration Tests
runs-on: ubuntu-20.04
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@v5
with:
go-version-file: ./go.mod
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Run Go Quickstart Test
timeout-minutes: 5
shell: bash
run: |
go test -v -tags "quickstart automated" ./ziti/cmd/edge/...;
- name: Run Unit and Integration Tests
timeout-minutes: 10
shell: bash
run: |
go test ./... --tags apitests
fablab-smoketest:
name: Fablab Smoketest
# not applicable to forks. shouldn't run on release build
if: github.repository_owner == 'openziti' && !startsWith(github.ref_name, 'release-v')
runs-on: ubuntu-20.04
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@v5
with:
go-version-file: ./go.mod
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Build and Test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ziti_ci_gpg_key: ${{ secrets.ZITI_CI_GPG_KEY }}
ziti_ci_gpg_key_id: ${{ secrets.ZITI_CI_GPG_KEY_ID }}
shell: bash
run: |
$(go env GOPATH)/bin/ziti-ci configure-git
$(go env GOPATH)/bin/ziti-ci generate-build-info common/version/info_generated.go version
go test ./...
pushd zititest && go mod tidy && go install ./... && popd
go install -tags=all,tests ./...
- name: Create Test Environment
shell: bash
run: |
echo "ZITI_ROOT=$(go env GOPATH)/bin" >> "$GITHUB_ENV"
$(go env GOPATH)/bin/smoketest create -d smoketest-${GITHUB_RUN_NUMBER} -n smoketest-${GITHUB_RUN_NUMBER} -l environment=gh-fablab-smoketest,ziti_version=$($(go env GOPATH)/bin/ziti-ci -q get-current-version)
$(go env GOPATH)/bin/smoketest up
- name: Test Ziti Command
shell: bash
run: |
echo "ZITI_ROOT=$(go env GOPATH)/bin" >> "$GITHUB_ENV"
pushd zititest && go test -timeout 30m -v ./tests/... 2>&1 | tee test.out && popd
- name: Create fablab instance archive
# always create, even if cancelled, because the teardown job needs it to destroy the created test environment
if: always()
timeout-minutes: 30
env:
FABLAB_PASSPHRASE: ${{ secrets.FABLAB_PASSPHRASE }}
shell: bash
run: |
cp $(go env GOPATH)/bin/smoketest smoketest-${GITHUB_RUN_NUMBER}
cp ~/.fablab/config.yml smoketest-${GITHUB_RUN_NUMBER}/
tar --exclude *terraform-provider-aws* -czvf - smoketest-${GITHUB_RUN_NUMBER}/ | gpg --symmetric --cipher-algo aes256 --batch --quiet --passphrase ${FABLAB_PASSPHRASE} -o smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg
aws s3 cp ./smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg s3://ziti-smoketest-fablab-instances/
- name: Create Logs Archive
if: always()
run: |
$(go env GOPATH)/bin/smoketest get files '*' "./logs/{{ .Id }}/" ./logs
- name: Upload artifacts
uses: actions/upload-artifact@v4
if: always()
with:
name: logs-${{ github.run_id }}
path: logs/
compression-level: 7
retention-days: 5
- name: Test Report Generation
if: ${{ !cancelled() }}
shell: bash
run: |
go install github.com/jstemmer/go-junit-report/v2@latest
$(go env GOPATH)/bin/go-junit-report -in zititest/test.out -out test-report.xml
- name: Test Summary
uses: test-summary/action@v2
if: ${{ !cancelled() }}
with:
paths: |
test-report.xml
show: "fail, skip"
fablab-smoketest-teardown:
name: Teardown SmokeTest
# ensure reasonable timeout-minutes on steps in this un-cancellable job
if: always()
runs-on: ubuntu-20.04
needs: [ fablab-smoketest ]
steps:
# release cloud resources if the smoketest succeeded, failed, or was cancelled; unnecessary if skipped
- name: Teardown Test Environment
if: needs.fablab-smoketest.result != 'skipped'
timeout-minutes: 30
env:
FABLAB_PASSPHRASE: ${{ secrets.FABLAB_PASSPHRASE }}
shell: bash
run: |
if aws s3api head-object \
--bucket ziti-smoketest-fablab-instances \
--key smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg
then
aws s3 cp s3://ziti-smoketest-fablab-instances/smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg .
gpg --quiet --batch --yes --decrypt --passphrase=${FABLAB_PASSPHRASE} --output smoketest-${GITHUB_RUN_NUMBER}.tar.gz smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg
tar -xzf smoketest-${GITHUB_RUN_NUMBER}.tar.gz
./smoketest-${GITHUB_RUN_NUMBER}/smoketest import smoketest-${GITHUB_RUN_NUMBER}
./smoketest-${GITHUB_RUN_NUMBER}/smoketest dispose
aws s3 rm s3://ziti-smoketest-fablab-instances/smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg
else
echo "WARN: No instance archive found for smoketest-${GITHUB_RUN_NUMBER}.tar.gz.gpg" >&2
fi
fablab-ha-smoketest:
name: Fablab HA Smoketest
# not applicable to forks. shouldn't run on release build
if: github.repository_owner == 'openziti' && !startsWith(github.ref_name, 'release-v')
runs-on: ubuntu-20.04
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@v5
with:
go-version-file: ./go.mod
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Build and Test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ziti_ci_gpg_key: ${{ secrets.ZITI_CI_GPG_KEY }}
ziti_ci_gpg_key_id: ${{ secrets.ZITI_CI_GPG_KEY_ID }}
shell: bash
run: |
$(go env GOPATH)/bin/ziti-ci configure-git
$(go env GOPATH)/bin/ziti-ci generate-build-info common/version/info_generated.go version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION}
pushd zititest && go mod tidy && go install ./... && popd
go install -tags=all,tests ./...
- name: Create Test Environment
shell: bash
run: |
echo "ZITI_ROOT=$(go env GOPATH)/bin" >> "$GITHUB_ENV"
$(go env GOPATH)/bin/smoketest create -d smoketest-ha-${GITHUB_RUN_NUMBER} -n smoketest-ha-${GITHUB_RUN_NUMBER} -l ha=true,environment=gh-fablab-ha-smoketest,ziti_version=$($(go env GOPATH)/bin/ziti-ci -q get-current-version)
$(go env GOPATH)/bin/smoketest up
- name: Test Ziti Command
shell: bash
run: |
echo "ZITI_ROOT=$(go env GOPATH)/bin" >> "$GITHUB_ENV"
pushd zititest && go test -timeout 30m -v ./tests/... 2>&1 | tee test.out && popd
- name: Create fablab instance archive
if: always()
timeout-minutes: 30
env:
FABLAB_PASSPHRASE: ${{ secrets.FABLAB_PASSPHRASE }}
shell: bash
run: |
cp $(go env GOPATH)/bin/smoketest smoketest-ha-${GITHUB_RUN_NUMBER}
cp ~/.fablab/config.yml smoketest-ha-${GITHUB_RUN_NUMBER}/
tar --exclude *terraform-provider-aws* -czvf - smoketest-ha-${GITHUB_RUN_NUMBER}/ | gpg --symmetric --cipher-algo aes256 --batch --quiet --passphrase ${FABLAB_PASSPHRASE} -o smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg
aws s3 cp ./smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg s3://ziti-smoketest-fablab-instances/
- name: Create Logs Archive
if: always()
run: |
$(go env GOPATH)/bin/smoketest get files '*' "./logs/{{ .Id }}/" ./logs
- name: Upload artifacts
uses: actions/upload-artifact@v4
if: always()
with:
name: logs-ha-${{ github.run_id }}
path: logs/
compression-level: 7
retention-days: 5
- name: Test Report Generation
if: ${{ !cancelled() }}
shell: bash
run: |
go install github.com/jstemmer/go-junit-report/v2@latest
$(go env GOPATH)/bin/go-junit-report -in zititest/test.out -out test-report.xml
- name: Test Summary
uses: test-summary/action@v2
if: ${{ !cancelled() }}
with:
paths: |
test-report.xml
show: "fail, skip"
fablab-ha-smoketest-teardown:
name: Teardown HA SmokeTest
if: always()
runs-on: ubuntu-20.04
needs: [ fablab-ha-smoketest ]
steps:
# release cloud resources if the smoketest succeeded, failed, or was cancelled; unnecessary if skipped
- name: Teardown Test Environment
if: needs.fablab-smoketest-ha.result != 'skipped'
timeout-minutes: 30
env:
FABLAB_PASSPHRASE: ${{ secrets.FABLAB_PASSPHRASE }}
shell: bash
run: |
if aws s3api head-object \
--bucket ziti-smoketest-fablab-instances \
--key smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg
then
aws s3 cp s3://ziti-smoketest-fablab-instances/smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg .
gpg --quiet --batch --yes --decrypt --passphrase=${FABLAB_PASSPHRASE} --output smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg
tar -xzf smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz
./smoketest-ha-${GITHUB_RUN_NUMBER}/smoketest import smoketest-ha-${GITHUB_RUN_NUMBER}
./smoketest-ha-${GITHUB_RUN_NUMBER}/smoketest dispose
aws s3 rm s3://ziti-smoketest-fablab-instances/smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg
else
echo "WARN: No instance archive found for smoketest-ha-${GITHUB_RUN_NUMBER}.tar.gz.gpg" >&2
fi
publish:
name: Publish Binaries
# - !cancelled() allows evaluating further conditional expressions even if needed jobs were skipped; this unblocks
# the job allowing it to run even if needed jobs failed, unless explicitly required in the "if" expression
if: ${{
!cancelled()
&& (needs.mac-os-build.result == 'success' || needs.mac-os-build.result == 'skipped')
&& (needs.windows-build.result == 'success' || needs.windows-build.result == 'skipped')
&& (needs.fablab-smoketest.result == 'success' || needs.fablab-smoketest.result == 'skipped')
&& (needs.tests.result == 'success')
}}
runs-on: ubuntu-20.04
# ensure required job outcomes are specified in "if" expression
needs: [ tests, linux-build, mac-os-build, windows-build, fablab-smoketest, fablab-ha-smoketest ]
outputs:
ZITI_VERSION: ${{ steps.get_version.outputs.ZITI_VERSION }}
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@v5
with:
go-version-file: ./go.mod
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: '3.7'
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Download linux release artifact
uses: actions/download-artifact@v4
with:
name: linux-release-${{ github.run_id }}
path: release/
- name: Download darwin release artifact
if: needs.mac-os-build.result == 'success'
uses: actions/download-artifact@v4
with:
name: darwin-release-${{ github.run_id }}
path: release/
- name: Download windows release artifact
if: needs.windows-build.result == 'success'
uses: actions/download-artifact@v4
with:
name: windows-release-${{ github.run_id }}
path: release/
- name: List downloaded release artifacts
shell: bash
run: |
ls -lAhR release/
- name: Restore execute filemode on macOS and Linux release artifacts before publishing
shell: bash
run: |
find ./release \
-type f \
-print0 \
-path "./release/*/darwin/ziti" \
-o \
-path "./release/*/linux/ziti" \
| xargs -0 chmod -c +x
# only ziti-ci computed version for release branches and {version}-{run_id} for non-release branches
- name: Get next version for downstream release candidates
id: get_version
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REF: ${{ github.ref }}
GITHUB_RUN_ID: ${{ github.run_id }}
shell: bash
run: |
function validateSemver() {
if ! [[ "${1}" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "ERROR: ${1} is not a release semver" >&2
return 1
fi
}
echo "DEBUG: GITHUB_REPOSITORY=${GITHUB_REPOSITORY} GITHUB_REF=${GITHUB_REF} GITHUB_RUN_ID=${GITHUB_RUN_ID}"
(set -x; git remote -v show;)
# compute next release candidate version on non-release branches
ZITI_VERSION="$($(go env GOPATH)/bin/ziti-ci -q get-next-version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION})"
validateSemver "${ZITI_VERSION}"
# drop the leading 'v', if any, and append run id
ZITI_VERSION=${ZITI_VERSION#v}-${GITHUB_RUN_ID}
echo ZITI_VERSION="${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT
call-publish-docker-images:
# - !cancelled() allows evaluating further conditional expressions even if
# needed jobs were skipped
if: ${{
!cancelled()
&& needs.publish.result == 'success'
&& github.ref_name == 'main'
}}
name: Publish Release Candidate Docker Images
needs: publish
uses: ./.github/workflows/publish-docker-images.yml
secrets: inherit
with:
ziti-tag: main
# call on default branch "main" to publish linux packages to "testing" package repos in Artifactory
call-publish-linux-packages:
# - !cancelled() allows evaluating further conditional expressions even if
# needed jobs were skipped
if: ${{
!cancelled()
&& needs.publish.result == 'success'
&& github.ref_name == 'main'
}}
name: Publish Release Candidate Linux Packages
needs: publish
uses: ./.github/workflows/publish-linux-packages.yml
secrets: inherit
with:
ziti-version: ${{ needs.publish.outputs.ZITI_VERSION }}