Update ghcr.io/navikt/mock-oauth2-server Docker tag to v3

[red-hat-konflux]

This PR contains the following updates:

Package	Type	Update	Change
ghcr.io/navikt/mock-oauth2-server (source)	service-image	major	2.3.0 -> 3.0.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Updated test infrastructure dependencies to improve testing reliability and compatibility.

Walkthrough

The pull request updates the Docker image version for the bdd-tests service in the GitLab CI configuration from ghcr.io/navikt/mock-oauth2-server:2.3.0 to version 3.0.1. No other configuration, structure, or workflow steps are modified.

Changes

Cohort / File(s)	Summary
CI Configuration .gitlab-ci.yml	Updated mock-oauth2-server image version from 2.3.0 to 3.0.1 in the bdd-tests service.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete, missing most required template sections including Additional Context, Type of change, Testing steps, and Checklist items.	Complete the PR description by filling in required sections: Type of change (e.g., 'Bump-up dependent library'), Testing steps, and the Checklist items to verify pre-commit and other requirements.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: updating the mock-oauth2-server Docker image tag from v2 to v3.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch konflux/mintmaker/main/ghcr.io-navikt-mock-oauth2-server-3.x

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.gitlab-ci.yml:
- Line 79: The GitLab CI image was bumped to
ghcr.io/navikt/mock-oauth2-server:3.0.1 which contains breaking changes
(TokenExchangeGrant.kt removed, IntrospectResponse.aud type changed from String
to List<String>, and a Chainguard base image); ensure compatibility by either
pinning the image to the v2.x line used in GitHub Actions or updating all
affected components: update any consumer code handling IntrospectResponse.aud to
expect List<String>, remove/replace usages of TokenExchangeGrant.kt, and run
full integration tests of the external BDD service container
(insights-behavioral-spec) against mock-oauth2-server v3.0.1; also align the
GitHub Actions workflow (.github/workflows/bdd.yml) and .gitlab-ci.yml to use
the same mock-oauth2-server major version to avoid environment drift.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for token introspection, token exchange, and related code that might depend on mock-oauth2-server
rg -n -i "introspect|TokenExchangeGrant|token.*exchange" --type-list | head -20

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 469

---

🏁 Script executed:

#!/bin/bash
# Find BDD test files
fd -e feature -e py -e java -e kt -e scala 2>/dev/null | grep -i "bdd\|test\|feature" | head -20

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 556

---

🏁 Script executed:

#!/bin/bash
# Check the .gitlab-ci.yml file to understand the bdd-tests job
cat -n .gitlab-ci.yml | sed -n '70,90p'

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 741

---

🏁 Script executed:

#!/bin/bash
# Search for any references to mock-oauth2-server in the codebase
rg -n "mock-oauth2-server\|oauth2\|introspect" .gitlab-ci.yml -A 5 -B 5

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 62

---

🏁 Script executed:

#!/bin/bash
# Check test_auth.py for oauth2 server interaction
head -50 ccx_upgrades_data_eng/tests/test_auth.py

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 1588

---

🏁 Script executed:

#!/bin/bash
# Check test_sso_token_refresh.py
head -50 ccx_upgrades_data_eng/tests/test_sso_token_refresh.py

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 1876

---

🏁 Script executed:

#!/bin/bash
# Search for any HTTP requests to localhost:8081 or mock-oauth2-server in tests
rg -n "8081|mock-oauth2-server|localhost" ccx_upgrades_data_eng/tests/ -i

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 62

---

🏁 Script executed:

#!/bin/bash
# Search for introspect endpoint usage
rg -n "introspect\|/oauth\|token/exchange" ccx_upgrades_data_eng/ -i

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 62

---

🏁 Script executed:

#!/bin/bash
# Look for conftest.py which might set up mock-oauth2-server
find . -name "conftest.py" -o -name "pytest.ini" -o -name "setup.cfg" | head -10

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 91

---

🏁 Script executed:

#!/bin/bash
# Check if there are any references to the mock server in environment or configuration
rg -n "OAUTH|AUTH.*URL|ISSUER" ccx_upgrades_data_eng/ --type py -i | head -20

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 2161

---

🏁 Script executed:

#!/bin/bash
# Check the actual auth.py implementation to understand how OAuth2 is used
cat -n ccx_upgrades_data_eng/auth.py | head -80

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 3406

---

🏁 Script executed:

#!/bin/bash
# Search for where the mock-oauth2-server might be used - check environment files
find . -name ".env*" -o -name "conftest.py" | xargs cat 2>/dev/null

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 62

---

🏁 Script executed:

#!/bin/bash
# Double-check: search entire codebase for any reference to "8081" or localhost with oauth/auth context
rg -n "8081|localhost.*auth|auth.*localhost" . --type py --type yaml --type json

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 118

---

🏁 Script executed:

#!/bin/bash
# Check if there are any integration tests or BDD tests in a different location
find . -name "*.feature" -o -name "*integration*test*" -o -name "*bdd*" 2>/dev/null

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 107

---

🏁 Script executed:

#!/bin/bash
# Check what the actual .gitlab-ci.yml bdd-tests job does
cat -n .gitlab-ci.yml | sed -n '60,90p'

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 1070

---

🏁 Script executed:

#!/bin/bash
# Check the GitHub Actions BDD workflow
cat .github/workflows/bdd.yml

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 1216

---

🏁 Script executed:

#!/bin/bash
# Check what BDD_PATH points to and look for test files there
grep -n "BDD_PATH" .gitlab-ci.yml | head -5

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 221

---

🏁 Script executed:

#!/bin/bash
# Search for Makefile to understand what "make data-engineering-service-tests" does
find . -name "Makefile" -o -name "makefile" | xargs grep -l "data-engineering-service-tests" 2>/dev/null

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 64

---

🏁 Script executed:

#!/bin/bash
# Check if there's a previous version of .gitlab-ci.yml in git history
git log --oneline .gitlab-ci.yml 2>/dev/null | head -5

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 145

---

🏁 Script executed:

#!/bin/bash
# Show the diff for the mock-oauth2-server change in .gitlab-ci.yml
git show HEAD:.gitlab-ci.yml 2>/dev/null | grep -n "mock-oauth2-server" || echo "Could not get previous version"

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 169

---

🌐 Web query:

mock-oauth2-server v3.0.1 breaking changes release notes

💡 Result:

mock-oauth2-server v3.0.1 (released Nov 3, 2025): breaking changes

None called out in the v3.0.1 release notes. The release notes list only “What’s Changed” (image-tagging tweak) and dependency upgrades (ktor, kotest, Kotlin serialization plugin, logback, okhttp mockwebserver, JUnit, etc.), but no “⚠️ Breaking Changes” section for v3.0.1. [1], [2]

Closest relevant breaking changes (in v3.0.0, released Sep 18, 2025)

If you’re upgrading to 3.0.x from 2.x, the breaking changes are documented under v3.0.0, including:

• Removal of TokenExchangeGrant.kt in favor of Nimbus SDK com.nimbusds.oauth2.sdk.tokenexchange.TokenExchangeGrant (impacts TokenRequest.tokenExchangeGrantOrNull())
• IntrospectResponse.aud changed from String to List<String>
• Docker image base changed to Chainguard jre:latest-dev (healthcheck support) [1]

---

🌐 Web query:

mock-oauth2-server GitHub releases v3.0.0 v3.0.1 breaking changes

💡 Result:

v3.0.0 — breaking changes (released Sep 18, 2025)

• Token exchange grant refactor: TokenExchangeGrant.kt was removed and replaced with Nimbus SDK’s com.nimbusds.oauth2.sdk.tokenexchange.TokenExchangeGrant, affecting TokenRequest.tokenExchangeGrantOrNull(). [1]
• Introspection response change: IntrospectResponse.aud changed from String to List<String>. [1]
• Docker image base image change: Docker image moved to Chainguard jre:latest-dev (noted as a breaking change in the release notes). [1]

v3.0.1 — breaking changes? (released Nov 3, 2025)

• None listed in the GitHub release notes; it contains build/image-tagging changes and dependency upgrades only. [2]

Sources: [1] [2]

---

Major version update — verify compatibility with external BDD service.

This upgrade from v2.3.0 to v3.0.1 introduces breaking changes in mock-oauth2-server v3.0.0: TokenExchangeGrant.kt removal, IntrospectResponse.aud changed from String to List<String>, and a Docker base image update to Chainguard jre:latest-dev.

Note: GitHub Actions workflows still use v2.2.1 (see .github/workflows/bdd.yml), while GitLab CI now uses v3.0.1. The external BDD service container (insights-behavioral-spec) should be tested to ensure it handles these changes correctly.

🤖 Prompt for AI Agents

In @.gitlab-ci.yml at line 79, The GitLab CI image was bumped to
ghcr.io/navikt/mock-oauth2-server:3.0.1 which contains breaking changes
(TokenExchangeGrant.kt removed, IntrospectResponse.aud type changed from String
to List<String>, and a Chainguard base image); ensure compatibility by either
pinning the image to the v2.x line used in GitHub Actions or updating all
affected components: update any consumer code handling IntrospectResponse.aud to
expect List<String>, remove/replace usages of TokenExchangeGrant.kt, and run
full integration tests of the external BDD service container
(insights-behavioral-spec) against mock-oauth2-server v3.0.1; also align the
GitHub Actions workflow (.github/workflows/bdd.yml) and .gitlab-ci.yml to use
the same mock-oauth2-server major version to avoid environment drift.