Skip to content

Commit

Permalink
Merge pull request #2 from FlockFreight/AX-29019
Browse files Browse the repository at this point in the history
AX-29019: Implement client wildcard redirectURI support
  • Loading branch information
michaelliau authored Oct 17, 2023
2 parents f7f3108 + 4bf9479 commit 7a9cecb
Show file tree
Hide file tree
Showing 170 changed files with 10,402 additions and 10,337 deletions.
4 changes: 4 additions & 0 deletions .github/ISSUE_TEMPLATE/config.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
blank_issues_enabled: false
contact_links:
- name: 📖 Documentation enhancement
url: https://github.com/dexidp/website/issues
about: Suggest an improvement to the documentation

- name: ❓ Ask a question
url: https://github.com/dexidp/dex/discussions/new?category=q-a
about: Ask and discuss questions with other Dex community members
Expand Down
4 changes: 2 additions & 2 deletions .github/SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,10 @@ to confirm receipt of the issue.
## Review Process

Once a maintainer has confirmed the relevance of the report, a draft security
advisory will be created on Github. The draft advisory will be used to discuss
advisory will be created on GitHub. The draft advisory will be used to discuss
the issue with maintainers, the reporter(s).
If the reporter(s) wishes to participate in this discussion, then provide
reporter Github username(s) to be invited to the discussion. If the reporter(s)
reporter GitHub username(s) to be invited to the discussion. If the reporter(s)
does not wish to participate directly in the discussion, then the reporter(s)
can request to be updated regularly via email.

Expand Down
47 changes: 47 additions & 0 deletions .github/workflows/analysis-scorecard.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: OpenSSF Scorecard

on:
branch_protection_rule:
push:
branches: [ main ]
schedule:
- cron: '30 0 * * 5'

permissions:
contents: read

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest

permissions:
actions: read
contents: read
id-token: write
security-events: write

steps:
- name: Checkout repository
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: Upload results as artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: OpenSSF Scorecard results
path: results.sarif
retention-days: 5

- name: Upload results to GitHub Security tab
uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
with:
sarif_file: results.sarif
172 changes: 131 additions & 41 deletions .github/workflows/artifacts.yaml
Original file line number Diff line number Diff line change
@@ -1,97 +1,187 @@
name: Artifacts

on:
push:
branches:
- master
tags:
- v[0-9]+.[0-9]+.[0-9]+
pull_request:
workflow_call:
inputs:
publish:
description: Publish artifacts to the artifact store
default: false
required: false
type: boolean
secrets:
DOCKER_USERNAME:
required: true
DOCKER_PASSWORD:
required: true
outputs:
container-image-name:
description: Container image name
value: ${{ jobs.container-image.outputs.name }}
container-image-digest:
description: Container image digest
value: ${{ jobs.container-image.outputs.digest }}
container-image-ref:
description: Container image ref
value: ${{ jobs.container-image.outputs.ref }}

permissions:
contents: read

jobs:
container-images:
name: Container images
container-image:
name: Container image
runs-on: ubuntu-latest

strategy:
matrix:
variant:
- alpine
- distroless

permissions:
contents: read
packages: write
id-token: write
security-events: write

outputs:
name: ${{ steps.image-name.outputs.value }}
digest: ${{ steps.build.outputs.digest }}
ref: ${{ steps.image-ref.outputs.value }}

steps:
- name: Checkout
uses: actions/checkout@v3
- name: Checkout repository
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

- name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0

- name: Gather metadata
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

- name: Set up Syft
uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3

- name: Set image name
id: image-name
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"

- name: Gather build metadata
id: meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
with:
images: |
ghcr.io/dexidp/dex
${{ steps.image-name.outputs.value }}
dexidp/dex
flavor: |
latest = false
tags: |
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
type=ref,event=pr,enable=${{ matrix.variant == 'alpine' }}
type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }}
type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && matrix.variant == 'alpine' }}
type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }}
type=ref,event=branch,suffix=-${{ matrix.variant }}
type=ref,event=pr,suffix=-${{ matrix.variant }}
type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }}
type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }},suffix=-${{ matrix.variant }}
type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }}
labels: |
org.opencontainers.image.documentation=https://dexidp.io/docs/
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
# Multiple exporters are not supported yet
# See https://github.com/moby/buildkit/pull/2760
- name: Determine build output
uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1
id: build-output
with:
platforms: all

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
cond: ${{ inputs.publish }}
if_true: type=image,push=true
if_false: type=oci,dest=image.tar

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
username: ${{ github.actor }}
password: ${{ github.token }}
if: github.event_name == 'push'
if: inputs.publish

- name: Login to Docker Hub
uses: docker/login-action@v2
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name == 'push'
if: inputs.publish

- name: Build and push
uses: docker/build-push-action@v3
- name: Build and push image
id: build
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
with:
context: .
platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
# cache-from: type=gha
# cache-to: type=gha,mode=max
push: ${{ github.event_name == 'push' }}
tags: ${{ steps.meta.outputs.tags }}
build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
labels: ${{ steps.meta.outputs.labels }}
# cache-from: type=gha
# cache-to: type=gha,mode=max
outputs: ${{ steps.build-output.outputs.value }}
# push: ${{ inputs.publish }}

- name: Set image ref
id: image-ref
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"

- name: Fetch image
run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar
if: inputs.publish

# Uncomment the following lines for debugging:
# - name: Upload image as artifact
# uses: actions/upload-artifact@v3
# with:
# name: "[${{ github.job }}] OCI tarball"
# path: image.tar

- name: Extract OCI tarball
run: |
mkdir -p image
tar -xf image.tar -C image
# - name: List tags
# run: skopeo --insecure-policy list-tags oci:image
#
# # See https://github.com/anchore/syft/issues/1545
# - name: Extract image from multi-arch image
# run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar
#
# - name: Generate SBOM
# run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar
#
# - name: Upload SBOM as artifact
# uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
# with:
# name: "[${{ github.job }}] SBOM"
# path: sbom-spdx.json
# retention-days: 5

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.7.1
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
with:
input: image
format: sarif
output: trivy-results.sarif

- name: Upload Trivy scan results as artifact
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
image-ref: "ghcr.io/dexidp/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}"
format: "sarif"
output: "trivy-results.sarif"
if: github.event_name == 'push'
name: "[${{ github.job }}] Trivy scan results"
path: trivy-results.sarif
retention-days: 5

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
with:
sarif_file: "trivy-results.sarif"
if: github.event_name == 'push'
sarif_file: trivy-results.sarif
2 changes: 1 addition & 1 deletion .github/workflows/checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:

steps:
- name: Check minimum labels
uses: mheap/github-action-required-labels@v2
uses: mheap/github-action-required-labels@v5
with:
mode: minimum
count: 1
Expand Down
Loading

0 comments on commit 7a9cecb

Please sign in to comment.