6262 PREMIUM_KEY : ${{ secrets.PREMIUM_KEY_ENTERPRISE }}
6363 PREMIUM_ENABLED : " true"
6464 SYSTEM_ENABLEANALYTICS : " false"
65- # The compose stacks default KEYCLOAK_HOST to kubernetes.docker.internal,
66- # which only resolves on Docker Desktop. Override to localhost so the
67- # Keycloak-issued redirect URLs are reachable from the GHA runner.
68- KEYCLOAK_HOST : localhost
6965 steps :
7066 - name : Harden Runner
7167 uses : step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
8985 - name : Install Playwright (chromium only)
9086 run : task frontend:test:e2e:install -- chromium
9187
88+ - name : Resolve kubernetes.docker.internal to localhost
89+ # The compose stacks set KC_HOSTNAME=kubernetes.docker.internal so
90+ # Keycloak issues redirect URIs against that host. Docker Desktop
91+ # auto-resolves it; GHA runners don't. Map it to 127.0.0.1 so the
92+ # browser-driven OAuth flow lands back on Stirling-PDF correctly.
93+ run : |
94+ echo "127.0.0.1 kubernetes.docker.internal" | sudo tee -a /etc/hosts
95+
9296 # Helper function used by all phases — boots `:stirling-pdf:bootRun`
9397 # with the React frontend baked in (-PbuildWithFrontend=true) so the
9498 # SPA serves on :8080 and OAuth/SAML callbacks land on the same host
@@ -141,7 +145,10 @@ jobs:
141145 SECURITY_LOGINMETHOD : " all"
142146 SECURITY_OAUTH2_ENABLED : " true"
143147 SECURITY_OAUTH2_AUTOCREATEUSER : " true"
144- SECURITY_OAUTH2_CLIENT_KEYCLOAK_ISSUER : " http://localhost:9080/realms/stirling-oauth"
148+ # Keycloak issues redirect URIs against KC_HOSTNAME, which the
149+ # compose default sets to kubernetes.docker.internal. Match here
150+ # (resolves to localhost via /etc/hosts mapping above).
151+ SECURITY_OAUTH2_CLIENT_KEYCLOAK_ISSUER : " http://kubernetes.docker.internal:9080/realms/stirling-oauth"
145152 SECURITY_OAUTH2_CLIENT_KEYCLOAK_CLIENTID : " stirling-pdf-client"
146153 SECURITY_OAUTH2_CLIENT_KEYCLOAK_CLIENTSECRET : " test-client-secret-change-in-production"
147154 SECURITY_OAUTH2_CLIENT_KEYCLOAK_USEASUSERNAME : " email"
@@ -169,7 +176,7 @@ jobs:
169176 working-directory : testing/compose
170177 run : |
171178 for i in $(seq 1 60); do
172- curl -fsS http://localhost :9080/realms/stirling-saml >/dev/null 2>&1 && exit 0
179+ curl -fsS http://kubernetes.docker.internal :9080/realms/stirling-saml >/dev/null 2>&1 && exit 0
173180 sleep 5
174181 done
175182 docker compose -f docker-compose-keycloak-saml.yml logs --tail=200 keycloak-saml
@@ -182,11 +189,11 @@ jobs:
182189 SECURITY_SAML2_AUTOCREATEUSER : " true"
183190 SECURITY_SAML2_PROVIDER : " keycloak"
184191 SECURITY_SAML2_REGISTRATIONID : " keycloak"
185- SECURITY_SAML2_IDP_ISSUER : " http://localhost :9080/realms/stirling-saml"
186- SECURITY_SAML2_IDP_ENTITYID : " http://localhost :9080/realms/stirling-saml"
187- SECURITY_SAML2_IDP_METADATAURI : " http://localhost :9080/realms/stirling-saml/protocol/saml/descriptor"
188- SECURITY_SAML2_IDPSINGLELOGINURL : " http://localhost :9080/realms/stirling-saml/protocol/saml"
189- SECURITY_SAML2_IDPSINGLELOGOUTURL : " http://localhost :9080/realms/stirling-saml/protocol/saml"
192+ SECURITY_SAML2_IDP_ISSUER : " http://kubernetes.docker.internal :9080/realms/stirling-saml"
193+ SECURITY_SAML2_IDP_ENTITYID : " http://kubernetes.docker.internal :9080/realms/stirling-saml"
194+ SECURITY_SAML2_IDP_METADATAURI : " http://kubernetes.docker.internal :9080/realms/stirling-saml/protocol/saml/descriptor"
195+ SECURITY_SAML2_IDPSINGLELOGINURL : " http://kubernetes.docker.internal :9080/realms/stirling-saml/protocol/saml"
196+ SECURITY_SAML2_IDPSINGLELOGOUTURL : " http://kubernetes.docker.internal :9080/realms/stirling-saml/protocol/saml"
190197 SECURITY_SAML2_IDP_CERT : " ${{ github.workspace }}/testing/compose/keycloak-saml-cert.pem"
191198 SECURITY_SAML2_PRIVATEKEY : " ${{ github.workspace }}/testing/compose/saml-private-key.key"
192199 SECURITY_SAML2_SP_CERT : " ${{ github.workspace }}/testing/compose/saml-public-cert.crt"