Merge remote-tracking branch 'origin/dev' into v2

Author: jfrog-ecosystem

.github/workflows/accessTests.yml

@@ -12,6 +12,9 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}
   cancel-in-progress: true
+permissions:
+  id-token: write
+  contents: read
 jobs:
   Access-Tests:
     if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push'
@@ -35,5 +38,12 @@ jobs:
         with:
           RTLIC: ${{ secrets.RTLIC }}
 
+      - name: Get ID Token and Exchange Token
+        shell: bash
+        run: |
+          ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+          echo "JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID=${ID_TOKEN}" >> $GITHUB_ENV
+
       - name: Run Access tests
         run: go test -v github.com/jfrog/jfrog-cli --timeout 0 --test.access --jfrog.url=http://127.0.0.1:8082 --jfrog.adminToken=${{ env.JFROG_TESTS_LOCAL_ACCESS_TOKEN }}

.github/workflows/lifecycleTests.yml

@@ -1,4 +1,6 @@
 name: Lifecycle Tests
+env:
+  JFROG_CLI_LOG_LEVEL: DEBUG
 on:
   push:
     branches:

.github/workflows/oidcTests.yml

@@ -0,0 +1,74 @@
+# These Tests validate successful OIDC server configuration in the CLI.
+# After the server has been configured the CLI will ping the server to make sure we have access
+name: "Config OIDC test"
+on:
+  push:
+    branches:
+      - '**'
+    tags-ignore:
+      - '**'
+  # Triggers the workflow on labeled PRs only.
+  pull_request_target:
+    types: [ labeled ]
+# Ensures that only the latest commit is running for each PR at a time.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  JFROG_CLI_LOG_LEVEL: DEBUG
+
+# Needed for OIDC
+permissions:
+  id-token: write
+  contents: read
+jobs:
+  config-oidc:
+    if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push'
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Go with cache
+        uses: jfrog/.github/actions/install-go-with-cache@main
+
+      - name: Checkout the repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Build CLI
+        run: |
+          if [ "$RUNNER_OS" == "Windows" ]; then
+            ./build/build.bat
+          else
+            ./build/build.sh
+          fi
+        shell: bash
+
+      - name: Get ID Token from GitHub
+        shell: bash
+        run: |
+          ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+          echo "JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID=${ID_TOKEN}" >> $GITHUB_ENV
+
+      - name: Run config command
+        shell: bash
+        run: |
+          if [ "$RUNNER_OS" == "Windows" ]; then
+            ./jfrog.exe c add --url=https://ecosysjfrog.jfrog.io --oidc-provider-name=setup-jfrog-cli-test --interactive=false
+          else
+            ./jf c add --url=https://ecosysjfrog.jfrog.io --oidc-provider-name=setup-jfrog-cli-test --interactive=false
+          fi
+
+      - name: Ping the server to validate successful OIDC configuration
+        shell: bash
+        run: |
+          if [ "$RUNNER_OS" == "Windows" ]; then
+            ./jfrog.exe rt ping
+          else
+           ./jf rt ping
+          fi

.github/workflows/scriptTests.yml

@@ -22,7 +22,7 @@ jobs:
         suite:
           - os: "ubuntu-latest"
 
-          - os: "ubuntu-20.04"
+          - os: "ubuntu-22.04"
 
           - os: "macos-latest"
 

.github/workflows/transferTests.yml

@@ -43,7 +43,7 @@ jobs:
     if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push'
     name: artifactory-6
     # Fixed runner image to set the java tools needed for artifactory 6
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

Jenkinsfile

@@ -31,7 +31,7 @@ node("docker-ubuntu20-xlarge") {
     repo = 'jfrog-cli'
     sh 'rm -rf temp'
     sh 'mkdir temp'
-    def goRoot = tool 'go-1.23.4'
+    def goRoot = tool 'go-1.23.7'
     env.GOROOT="$goRoot"
     env.PATH+=":${goRoot}/bin:/tmp/node-${nodeVersion}-linux-x64/bin"
     env.GO111MODULE="on"

access_test.go

@@ -4,6 +4,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"os"
+	"regexp"
 	"testing"
 
 	"github.com/jfrog/jfrog-cli-core/v2/artifactory/utils"
@@ -269,6 +271,35 @@ func TestAccessTokenCreate(t *testing.T) {
 	}
 }
 
+func TestOidcExchangeToken(t *testing.T) {
+	// If token ID was not provided by the CI, skip this test
+	if os.Getenv(coreutils.OidcExchangeTokenId) == "" {
+		t.Skip("No token ID available in environment,skipping test")
+		return
+	}
+	accessCli = coreTests.NewJfrogCli(execMain, "jfrog", "")
+	var testCases = []struct {
+		name           string
+		args           []string
+		expectedOutput string
+	}{
+		{
+			name:           "Successful exchange",
+			args:           []string{"eot", "setup-jfrog-cli-test", "--url=https://ecosysjfrog.jfrog.io"},
+			expectedOutput: `\{ AccessToken: [^\s]+ Username: [^\s]+ \}`,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			output := accessCli.RunCliCmdWithOutput(t, testCase.args...)
+			matched, err := regexp.MatchString(testCase.expectedOutput, output)
+			assert.NoError(t, err)
+			assert.True(t, matched, "Output did not match expected pattern")
+		})
+	}
+}
+
 func assertNotEmptyIfExpected(t *testing.T, expected bool, output string) {
 	if expected {
 		assert.NotEmpty(t, output)