OIDC Logic Isolation and Backward Compatibility Improvements (#265)

Author: EyalDelarea

…ub/workflows/auto-build-publish-test.yml …o-build-publish-and-job-summary-test.yml.github/workflows/auto-build-publish-test.yml renamed to .github/workflows/auto-build-publish-and-job-summary-test.yml .github/workflows/auto-build-publish-test.yml renamed to .github/workflows/auto-build-publish-and-job-summary-test.yml

@@ -1,4 +1,8 @@
-name: Auto Build Publish Test
+name: Auto Build Publish Test And Job Summary
+# This test ensures that the auto build and publish process works correctly and that the job summary is generated.
+# These two are interconnected, as the summary must be generated.
+# This test only verifies its existence, not its content,
+# which is covered in the unit tests.
 on:
   push:
     branches:
@@ -80,4 +84,13 @@ jobs:
       - name: Add npm modules to local build-info
         run: |
           jf npm-config --repo-resolve npm-remote
-          jf npm install
+          jf npm install
+
+      - name: Validate job summary was written (sanity check)
+        shell: bash
+        run: |
+          if [ ! -s "$GITHUB_STEP_SUMMARY" ]; then
+            echo "❌ Job summary file is empty!"
+            exit 1
+          fi
+          echo "✅ Job summary written!"

.github/workflows/cli-oidc-test.yml

@@ -0,0 +1,112 @@
+name: OIDC Integration Test
+# This workflow tests the setup-jfrog-cli GitHub Action's OpenID Connect integration across OSes and CLI versions.
+# It ensures backward compatibility with older CLI versions and validates step outputs and connectivity.
+# CLI versions used:
+# - 2.74.1: Does not support `jf eot` command, validates manual fallback logic.
+# - 2.75.0: Introduced native OIDC token exchange.
+# - Latest: Ensures ongoing compatibility with the most recent CLI build.
+
+on:
+  push:
+    branches:
+      - master
+  # Triggers the workflow on labeled PRs only.
+  pull_request_target:
+    types: [ labeled ]
+# Ensures that only the latest commit is running for each PR at a time.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  oidc-test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu, macos, windows ]
+        cli-version: [ '2.74.1', '2.75.0','latest' ]
+    runs-on: ${{ matrix.os }}-latest
+    name: OIDC Test - ${{ matrix.cli-version }} on ${{ matrix.os }}
+    env:
+      JFROG_CLI_LOG_LEVEL: DEBUG
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      # Setup OIDC platform integration
+      - name: Generate unique OIDC provider name
+        id: gen-oidc
+        shell: bash
+        run: |
+          cli_version="${{ matrix.cli-version }}" && cli_version="${cli_version//./-}"
+          echo "oidc_provider_name=oidc-integration-${cli_version}-${{ matrix.os }}-$(date +%s)" >> "$GITHUB_OUTPUT"
+
+      - name: Create OpenID Connect integration
+        shell: bash
+        run: |
+          curl -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc" \
+            -H "Content-Type: application/json" \
+            -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \
+            -d '{
+              "name": "${{ steps.gen-oidc.outputs.oidc_provider_name }}",
+              "issuer_url": "https://token.actions.githubusercontent.com",
+              "provider_type": "GitHub",
+              "enable_permissive_configuration": "true",
+              "description": "Test configuration for CLI version ${{ matrix.cli-version }}"
+            }'
+
+      - name: Create OIDC Identity Mapping
+        shell: bash
+        run: |
+          curl -X POST "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ steps.gen-oidc.outputs.oidc_provider_name }}/identity_mappings" \
+            -H 'Content-Type: application/json' \
+            -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}" \
+            -d '{
+              "name": "oidc-test-mapping",
+              "priority": "1",
+              "claims": {
+                "repository": "${{ github.repository_owner }}/setup-jfrog-cli"
+              },
+              "token_spec": {
+                "scope": "applied-permissions/groups:readers",
+                "expires_in": 30
+              }
+            }'
+
+      # Setup
+      - name: Setup JFrog CLI
+        id: setup-jfrog-cli
+        uses: ./
+        env:
+          JF_URL: ${{ secrets.JFROG_PLATFORM_URL }}
+        with:
+          version: ${{ matrix.cli-version }}
+          oidc-provider-name: ${{ steps.gen-oidc.outputs.oidc_provider_name }}
+
+      # validate successful OIDC configuration
+      - name: Test JFrog CLI connectivity
+        run: jf rt ping
+
+      # Validate step outputs
+      - name: Validate user output
+        shell: bash
+        run: test -n "${{ steps.setup-jfrog-cli.outputs.oidc-user }}"
+
+      - name: Validate token output
+        shell: bash
+        run: test -n "${{ steps.setup-jfrog-cli.outputs.oidc-token }}"
+
+      # Cleanup
+      - name: Delete OIDC integration
+        shell: bash
+        if: always()
+        run: |
+          curl -X DELETE "${{ secrets.JFROG_PLATFORM_URL }}/access/api/v1/oidc/${{ steps.gen-oidc.outputs.oidc_provider_name }}" \
+            -H "Authorization: Bearer ${{ secrets.JFROG_PLATFORM_RT_TOKEN }}"

.github/workflows/manual-oidc-test.yml

@@ -4,7 +4,7 @@ author: "JFrog"
 inputs:
     version:
         description: "JFrog CLI Version"
-        default: "2.74.1"
+        default: "2.75.0"
         required: false
     download-repository:
         description: "Remote repository in Artifactory pointing to 'https://releases.jfrog.io/artifactory/jfrog-cli'. Use this parameter in case you don't have an Internet access."

.github/workflows/oidc-integration-test.yml

@@ -34,6 +34,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
 const utils_1 = require("./utils");
+const job_summary_1 = require("./job-summary");
 function cleanup() {
     return __awaiter(this, void 0, void 0, function* () {
         if (yield shouldSkipCleanup()) {
@@ -66,7 +67,7 @@ function cleanup() {
 function buildInfoPostTasks() {
     return __awaiter(this, void 0, void 0, function* () {
         const disableAutoBuildPublish = core.getBooleanInput(utils_1.Utils.AUTO_BUILD_PUBLISH_DISABLE);
-        const disableJobSummary = core.getBooleanInput(utils_1.Utils.JOB_SUMMARY_DISABLE) || !utils_1.Utils.isJobSummarySupported();
+        const disableJobSummary = core.getBooleanInput(utils_1.Utils.JOB_SUMMARY_DISABLE) || !job_summary_1.JobSummary.isJobSummarySupported();
         if (disableAutoBuildPublish && disableJobSummary) {
             core.info(`Both auto-build-publish and job-summary are disabled. Skipping Build Info post tasks.`);
             return;
@@ -94,11 +95,11 @@ function buildInfoPostTasks() {
 function hasUnpublishedModules(workingDirectory) {
     return __awaiter(this, void 0, void 0, function* () {
         // Save the old value of the environment variable to revert it later
-        const origValue = process.env[utils_1.Utils.JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR_ENV];
+        const origValue = process.env[job_summary_1.JobSummary.JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR_ENV];
         try {
             core.startGroup('Check for unpublished modules');
             // Avoid saving a command summary for this dry-run command
-            core.exportVariable(utils_1.Utils.JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR_ENV, '');
+            core.exportVariable(job_summary_1.JobSummary.JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR_ENV, '');
             // Running build-publish command with a dry-run flag to check if there are any unpublished modules, 'silent' to avoid polluting the logs
             const responseStr = yield utils_1.Utils.runCliAndGetOutput(['rt', 'build-publish', '--dry-run'], { cwd: workingDirectory });
             // Parse the JSON string to an object
@@ -111,7 +112,7 @@ function hasUnpublishedModules(workingDirectory) {
             return false;
         }
         finally {
-            core.exportVariable(utils_1.Utils.JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR_ENV, origValue);
+            core.exportVariable(job_summary_1.JobSummary.JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR_ENV, origValue);
             core.endGroup();
         }
     });
@@ -184,10 +185,10 @@ function generateJobSummary() {
         try {
             core.startGroup('Generating Job Summary');
             yield utils_1.Utils.runCli(['generate-summary-markdown']);
-            yield utils_1.Utils.setMarkdownAsJobSummary();
-            yield utils_1.Utils.populateCodeScanningTab();
+            yield job_summary_1.JobSummary.setMarkdownAsJobSummary();
+            yield job_summary_1.JobSummary.populateCodeScanningTab();
             // Clear files
-            yield utils_1.Utils.clearCommandSummaryDir();
+            yield job_summary_1.JobSummary.clearCommandSummaryDir();
         }
         catch (error) {
             core.warning('Failed while attempting to generate job summary: ' + error);