Merge branch 'SUNET:main' into main

Author: leifj

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/build.yaml

@@ -1,68 +1,40 @@
-name: build-main
+name: release-tag
 on:
   pull_request:
     types:
       - closed
 
+permissions:
+  contents: write
+
 jobs:
-  if_merged:
+  tag:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
-    outputs:
-      release_tag: ${{ steps.set_tag.outputs.release_tag }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-
-      - name: Set release tag with timestamp
-        id: set_tag
-        run: |
-          # Generate ISO8601-style timestamp with milliseconds
-          # Format: YYYY_MM_DD_HHMMSSmmm (e.g., 2025_12_08_123052345)
-          TIMESTAMP=$(date -u +'%Y_%m_%d_%H%M%S%3N')
-          echo "release_tag=${TIMESTAMP}" >> $GITHUB_OUTPUT
-          echo "Release tag: ${TIMESTAMP}"
-
-      - name: Install Go
-        uses: actions/setup-go@v4
-        with:
-          go-version-file: go.mod
-          cache-dependency-path: "**/*.sum"
-
-      - name: Install deb packages
-        uses: awalsh128/cache-apt-pkgs-action@latest
         with:
-          packages: protobuf-compiler
-          version: 1.0
+          fetch-depth: 0
 
-      - name: Install go packages
+      - name: Read version
+        id: version
         run: |
-          go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28
-          go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2
-          export PATH="$PATH:$(go env GOPATH)/bin"
-          go install github.com/swaggo/swag/cmd/swag@latest
-
-      - name: Build
-        run: make build
+          VERSION=$(cat VERSION | tr -d '[:space:]')
+          RELEASE_TAG="v${VERSION}"
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT
+          echo "Version: ${VERSION}, Release tag: ${RELEASE_TAG}"
 
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v1
-        with:
-          tag_name: release_${{ steps.set_tag.outputs.release_tag }}
-          name: Release ${{ steps.set_tag.outputs.release_tag }}
-          body: |
-            ## Docker Images
-            All services tagged with: `${{ steps.set_tag.outputs.release_tag }}`
-
-            ### Services
-            - apigw_${{ steps.set_tag.outputs.release_tag }}
-            - verifier_${{ steps.set_tag.outputs.release_tag }}
-            - registry_${{ steps.set_tag.outputs.release_tag }}
-            - mockas_${{ steps.set_tag.outputs.release_tag }}
-            - issuer_${{ steps.set_tag.outputs.release_tag }}
-            - ui_${{ steps.set_tag.outputs.release_tag }}
-            - verifier-proxy_${{ steps.set_tag.outputs.release_tag }}
-          draft: false
-          prerelease: false
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create git tag
+        run: |
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          if git rev-parse "${RELEASE_TAG}" >/dev/null 2>&1; then
+            echo "Tag ${RELEASE_TAG} already exists — skipping"
+          else
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git tag -a "${RELEASE_TAG}" -m "Release ${RELEASE_TAG}"
+            git push origin "${RELEASE_TAG}"
+            echo "Created and pushed tag ${RELEASE_TAG}"
+          fi

.github/workflows/pr-rc-build.yaml

@@ -0,0 +1,100 @@
+name: pr-rc-build
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  rc-build:
+    runs-on: ubuntu-latest
+    outputs:
+      rc_tag: ${{ steps.rc_tag.outputs.rc_tag }}
+      version: ${{ steps.rc_tag.outputs.version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Generate RC tag
+        id: rc_tag
+        run: |
+          VERSION=$(cat VERSION | tr -d '[:space:]')
+          SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-8)
+          PR_NUMBER=${{ github.event.pull_request.number }}
+          RC_TAG="${VERSION}-rc.${PR_NUMBER}.${SHORT_SHA}"
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "rc_tag=${RC_TAG}" >> $GITHUB_OUTPUT
+          echo "RC tag: ${RC_TAG}"
+
+      - name: Install Go
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: "**/*.sum"
+
+      - name: Install deb packages
+        uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
+        with:
+          packages: protobuf-compiler
+          version: 1.0
+
+      - name: Install go packages
+        run: |
+          go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28
+          go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2
+          export PATH="$PATH:$(go env GOPATH)/bin"
+          go install github.com/swaggo/swag/cmd/swag@latest
+
+      - name: Build
+        run: make build
+
+      - name: Comment RC tag on PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const rcTag = '${{ steps.rc_tag.outputs.rc_tag }}';
+            const version = '${{ steps.rc_tag.outputs.version }}';
+            const body = `### 🏗️ Release Candidate Build
+
+            **RC Tag:** \`${rcTag}\`
+            **Target Release:** \`v${version}\`
+            **Commit:** \`${{ github.event.pull_request.head.sha }}\`
+
+            #### Docker Images
+            | Service | Image |
+            |---------|-------|
+            | apigw | \`docker.sunet.se/iam_vc/apigw:${rcTag}\` |
+            | verifier | \`docker.sunet.se/iam_vc/verifier:${rcTag}\` |
+            | registry | \`docker.sunet.se/iam_vc/registry:${rcTag}\` |
+            | mockas | \`docker.sunet.se/iam_vc/mockas:${rcTag}\` |
+            | issuer | \`docker.sunet.se/iam_vc/issuer:${rcTag}\` |
+            | ui | \`docker.sunet.se/iam_vc/ui:${rcTag}\` |
+
+            > Deploy with: \`VERSION=${rcTag} docker compose pull\``;
+
+            // Find and update existing RC comment or create new one
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const botComment = comments.find(c =>
+              c.user.type === 'Bot' && c.body.includes('Release Candidate Build')
+            );
+            if (botComment) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body: body,
+              });
+            }

.github/workflows/version-bump.yaml

@@ -0,0 +1,88 @@
+name: version-bump
+on:
+  workflow_dispatch:
+    inputs:
+      bump:
+        description: "Version bump type"
+        required: true
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  bump:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Bump version
+        id: bump
+        run: |
+          CURRENT=$(cat VERSION | tr -d '[:space:]')
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT"
+
+          case "${{ inputs.bump }}" in
+            major)
+              MAJOR=$((MAJOR + 1))
+              MINOR=0
+              PATCH=0
+              ;;
+            minor)
+              MINOR=$((MINOR + 1))
+              PATCH=0
+              ;;
+            patch)
+              PATCH=$((PATCH + 1))
+              ;;
+          esac
+
+          NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}"
+          echo "${NEW_VERSION}" > VERSION
+
+          echo "old_version=${CURRENT}" >> $GITHUB_OUTPUT
+          echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT
+          echo "Bumped ${CURRENT} -> ${NEW_VERSION}"
+
+      - name: Update CHANGELOG.md
+        run: |
+          OLD="${{ steps.bump.outputs.old_version }}"
+          NEW="${{ steps.bump.outputs.new_version }}"
+          DATE=$(date -u +%Y-%m-%d)
+
+          # Insert new version header after [Unreleased]
+          sed -i "/^## \[Unreleased\]/a\\
+\\
+## [${NEW}] - ${DATE}" CHANGELOG.md
+
+      - name: Create version bump PR
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore: bump version to ${{ steps.bump.outputs.new_version }}"
+          branch: "version-bump/${{ steps.bump.outputs.new_version }}"
+          title: "chore: bump version ${{ steps.bump.outputs.old_version }} → ${{ steps.bump.outputs.new_version }}"
+          body: |
+            ## Version Bump
+
+            | | Version |
+            |---|---------|
+            | **Previous** | `${{ steps.bump.outputs.old_version }}` |
+            | **New** | `${{ steps.bump.outputs.new_version }}` |
+            | **Bump type** | `${{ inputs.bump }}` |
+
+            This PR was auto-generated by the version-bump workflow.
+
+            After merging, all subsequent PRs will produce RC builds tagged as
+            `${{ steps.bump.outputs.new_version }}-rc.{PR#}.{sha}`.
+          labels: |
+            release
+            automated

.gitignore

@@ -35,12 +35,16 @@ docs/design/
 config.conformance.yaml
 .ngrok-url
 ngrok.log
-verifier-proxy.log
+verifier.log
 playwright-screenshots/
 
 # VS Code MCP configuration (contains personal tokens)
 .vscode/mcp.json
 
+# MDOC manual
 ISO_IEC_18013_5_2021_EN.pdf
 # Temporary debug/test files
 tmp/
+
+# Runtime secrets – never commit real values
+secrets.yaml

.jenkins.yaml

@@ -0,0 +1,59 @@
+builders:
+  - script
+
+triggers:
+  github_push: true
+
+slack:
+  room: "dc4eu-builds"
+
+pre_build_script:
+  - "apt-get update && apt-get install -y protobuf-compiler"
+
+script:
+  - |
+    set -e
+
+    # Determine version tag based on branch
+    VERSION=$(cat VERSION | tr -d '[:space:]')
+    BRANCH=$(git rev-parse --abbrev-ref HEAD)
+    SHORT_SHA=$(git rev-parse --short=8 HEAD)
+
+    if [ "$BRANCH" = "main" ]; then
+      BUILD_TAG="${VERSION}"
+      PUSH_LATEST=true
+    else
+      PR_NUM=$(echo "$BRANCH" | grep -oP '\d+' | head -1)
+      if [ -n "$PR_NUM" ]; then
+        BUILD_TAG="${VERSION}-rc.${PR_NUM}.${SHORT_SHA}"
+      else
+        BUILD_TAG="${VERSION}-rc.${SHORT_SHA}"
+      fi
+      PUSH_LATEST=false
+    fi
+
+    echo "Branch: ${BRANCH}"
+    echo "Build tag: ${BUILD_TAG}"
+    echo "Push latest: ${PUSH_LATEST}"
+
+    # Build and push Docker images (vanilla, no build tags)
+    make docker-build VERSION=${BUILD_TAG}
+    make docker-push VERSION=${BUILD_TAG}
+
+    # Build and push Docker images with PKCS#11 HSM support
+    make docker-build VERSION=${BUILD_TAG}-hsm GO_BUILD_TAGS=pkcs11
+    make docker-push VERSION=${BUILD_TAG}-hsm
+
+    # Tag and push dev on RC builds
+    if [ "$PUSH_LATEST" = "false" ]; then
+      make docker-tag VERSION=${BUILD_TAG} NEWTAG=dev
+      make docker-push VERSION=dev
+    fi
+
+    # Tag and push latest on main branch
+    if [ "$PUSH_LATEST" = "true" ]; then
+      make docker-tag VERSION=${BUILD_TAG} NEWTAG=latest
+      make docker-push VERSION=latest
+    fi
+
+clean_workspace: true