keycloak · edewit · Oct 4, 2024 · Oct 4, 2024 · Oct 4, 2024 · Oct 4, 2024
@@ -7,7 +7,7 @@ inputs:
   release-branches:
     description: 'List of all related release branches (in JSON format)'
     required: false
-    default: '["refs/heads/release/22.0","refs/heads/release/24.0"]'
+    default: '["refs/heads/release/22.0","refs/heads/release/24.0","refs/heads/release/26.0"]'
   keep-days:
     description: 'For how many days to store the particular artifact.'
     required: false

@@ -24,9 +24,9 @@ runs:
       with:
         create-cache-if-it-doesnt-exist: true
 
-    - id: frontend-plugin-cache
-      name: Frontend Plugin Cache
-      uses: ./.github/actions/frontend-plugin-cache
+    - id: pnpm-store-cache
+      name: PNPM store cache
+      uses: ./.github/actions/pnpm-store-cache
 
     - id: build-keycloak
       name: Build Keycloak
@@ -35,7 +35,7 @@ runs:
         # Ensure this plugin is built first to avoid warnings in the build
         ./mvnw install -Pdistribution -am -pl distribution/maven-plugins/licenses-processor
         # By using "dependency:resolve", it will download all dependencies used in later stages for running the tests
-        ./mvnw install dependency:resolve -V -e -DskipTests -DskipExamples -DexcludeGroupIds=org.keycloak -Dsilent=true
+        ./mvnw install dependency:resolve -V -e -DskipTests -DskipExamples -DexcludeGroupIds=org.keycloak -Dsilent=true -DcommitProtoLockChanges=true
 
     - id: compress-keycloak-maven-repository
       name: Compress Keycloak Maven artifacts

@@ -0,0 +1,20 @@
+name: Cache Cypress
+description: Caches Cypress binary to speed up the build.
+
+runs:
+  using: composite
+  steps:
+    - id: cache-key
+      name: Cache key based on Cypress version
+      shell: bash
+      run: echo "key=cypress-binary-$(jq -r '.devDependencies.cypress' js/apps/admin-ui/package.json)" >> $GITHUB_OUTPUT
+
+    - uses: actions/cache@v4
+      name: Cache Cypress binary
+      with:
+        # See: https://docs.cypress.io/app/references/advanced-installation#Binary-cache
+        path: |
+          ~/.cache/Cypress
+          /AppData/Local/Cypress/Cache
+          ~/Library/Caches/Cypress
+        key: ${{ runner.os }}-${{ steps.cache-key.outputs.key }}
@@ -25,9 +25,9 @@ runs:
       name: Maven cache
       uses: ./.github/actions/maven-cache
 
-    - id: frontend-plugin-cache
-      name: Frontend Plugin Cache
-      uses: ./.github/actions/frontend-plugin-cache
+    - id: pnpm-store-cache
+      name: PNPM store cache
+      uses: ./.github/actions/pnpm-store-cache
 
     - id: download-keycloak
       name: Download Keycloak Maven artifacts

@@ -20,26 +20,19 @@ runs:
       shell: bash
       run: corepack enable
 
-    - name: Get PNPM store directory
-      id: pnpm-cache
-      shell: bash
-      run: |
-        echo "store-path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
+    - name: PNPM store cache
+      uses: ./.github/actions/pnpm-store-cache
 
-    - uses: actions/cache@v4
-      name: Setup PNPM cache
-      with:
-        # Also cache Cypress binary.
-        path: |
-          ~/.cache/Cypress
-          ${{ steps.pnpm-cache.outputs.store-path }}
-        key: ${{ runner.os }}-pnpm-store-${{ hashFiles('pnpm-lock.yaml') }}
-        restore-keys: |
-          ${{ runner.os }}-pnpm-store-
+    - name: Cypress binary cache
+      uses: ./.github/actions/cypress-cache
 
     - name: Install dependencies
       shell: bash
-      # Run the store prune after the installation to avoid having caches which grow over time
-      run: |
-        pnpm install --prefer-offline --frozen-lockfile
-        pnpm store prune
+      run: pnpm install --prefer-offline --frozen-lockfile
+
+    # This step is only needed to ensure that the Cypress binary is installed.
+    # If the binary was retrieved from the cache, this step is a no-op.
+    - name: Install Cypress dependencies
+      shell: bash
+      working-directory: js/apps/admin-ui
+      run: pnpm exec cypress install
@@ -0,0 +1,20 @@
+name: Cache PNPM store
+description: Caches the PNPM store to speed up the build.
+
+runs:
+  using: composite
+  steps:
+    - id: weekly-cache-key
+      name: Key for weekly rotation of cache
+      shell: bash
+      run: echo "key=pnpm-store-`date -u "+%Y-%U"`" >> $GITHUB_OUTPUT
+
+    - uses: actions/cache@v4
+      name: Cache PNPM store
+      with:
+        # See: https://pnpm.io/npmrc#store-dir
+        path: |
+          ~/.local/share/pnpm/store
+          ~/AppData/Local/pnpm/store
+          ~/Library/pnpm/store
+        key: ${{ runner.os }}-${{ steps.weekly-cache-key.outputs.key }}
@@ -11,6 +11,6 @@ runs:
       name: Maven cache
       uses: ./.github/actions/maven-cache
 
-    - id: frontend-plugin-cache
+    - id: pnpm-store-cache
       name: Frontend Plugin Cache
-      uses: ./.github/actions/frontend-plugin-cache
+      uses: ./.github/actions/pnpm-store-cache
@@ -13,7 +13,7 @@ CLUSTER_NAME=$3
 case $OPERATION in
   requirements)
     ansible-galaxy collection install -r requirements.yml
-    pip3 install --user "ansible==9.*" boto3 botocore
+    pip3 install ansible boto3 botocore
   ;;
   create|delete|start|stop)
     if [ -f "env.yml" ]; then ANSIBLE_CUSTOM_VARS_ARG="-e @env.yml"; fi

@@ -4,7 +4,8 @@ cluster_size: 1
 
 cidr_ip: "{{ control_host_ip.stdout }}/32"
 
-ami_name: RHEL-8.8.0_HVM-20230503-x86_64-54-Hourly2-GP2
+# aws ec2 describe-images --owners 309956199498 --filters "Name=architecture,Values=x86_64" "Name=virtualization-type,Values=hvm"  --region eu-west-1 --no-include-deprecated     --query 'Images[] | sort_by(@, &CreationDate)[].Name'
+ami_name: RHEL-9.4_HVM_GA-20240827-x86_64-0-Hourly2-GP3
 
 instance_type: t3.large
 instance_volume_size: 20

@@ -16,5 +16,23 @@ echo "Tests: $TESTS"
 export JAVA_HOME=/etc/alternatives/java_sdk_21
 set -o pipefail
 
+# Build adapter distributions
+./mvnw install -DskipTests -f distribution/pom.xml
+if [ $? -ne 0 ]; then
+  exit 1
+fi
+
+# Build app servers
+./mvnw install -DskipTests -Pbuild-app-servers -f testsuite/integration-arquillian/servers/app-server/pom.xml
+if [ $? -ne 0 ]; then
+  exit 1
+fi
+
+# Prepare Quarkus distribution with BCFIPS
+./mvnw install -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus,auth-server-fips140-2
+if [ $? -ne 0 ]; then
+  exit 1
+fi
+
 # Profile app-server-wildfly needs to be explicitly set for FIPS tests
 ./mvnw test -Dsurefire.rerunFailingTestsCount=$SUREFIRE_RERUN_FAILING_COUNT -nsu -B -Pauth-server-quarkus,auth-server-fips140-2,app-server-wildfly -Dcom.redhat.fips=false $STRICT_OPTIONS -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh
@@ -33,7 +33,6 @@ jobs:
       ci-store: ${{ steps.conditional.outputs.ci-store }}
       ci-sssd: ${{ steps.conditional.outputs.ci-sssd }}
       ci-webauthn: ${{ steps.conditional.outputs.ci-webauthn }}
-      ci-test-poc: ${{ steps.conditional.outputs.ci-test-poc }}
       ci-aurora: ${{ steps.auroradb-tests.outputs.run-aurora-tests }}
 
     steps:
@@ -64,6 +63,10 @@ jobs:
       - name: Build Keycloak
         uses: ./.github/actions/build-keycloak
 
+      - name: Check for unstaged proto.lock files
+        if: github.event_name == 'pull_request' && startsWith(github.event.pull_request.base.ref, 'release/')
+        run: git diff --name-only --exit-code -- "**/proto.lock"
+
   unit-tests:
     name: Base UT
     runs-on: ubuntu-latest
@@ -206,7 +209,7 @@ jobs:
         if: always()
         uses: ./.github/actions/archive-surefire-reports
         with:
-          job-id: quarkus-unit-tests
+          job-id: quarkus-unit-tests-${{ matrix.os }}
 
   quarkus-integration-tests:
     name: Quarkus IT
@@ -265,7 +268,7 @@ jobs:
         if: always()
         uses: ./.github/actions/archive-surefire-reports
         with:
-          job-id: quarkus-integration-tests-${{ matrix.os }}-${{ matrix.server }}
+          job-id: quarkus-integration-tests-${{ matrix.os }}-${{ matrix.suite }}
 
   jdk-integration-tests:
     name: Java Distribution IT
@@ -455,7 +458,10 @@ jobs:
           zip -u /tmp/keycloak.zip aws.pem
 
           cd .github/scripts/ansible
+          python3 -m venv .venv
+          source .venv/bin/activate
           ./aws_ec2.sh requirements
+          pipx inject ansible-core boto3 botocore
           ./aws_ec2.sh create ${AWS_REGION} ${EC2_CLUSTER_NAME}
           ./keycloak_ec2_installer.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} /tmp/keycloak.zip
           ./mvn_ec2_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "clean install -B -DskipTests -Pdistribution"
@@ -553,6 +559,7 @@ jobs:
         if: always()
         working-directory: .github/scripts/ansible
         run: |
+          source .venv/bin/activate
           ./aws_ec2.sh delete ${{ steps.aurora-init.outputs.region }} ${{ steps.ec2-create.outputs.ec2_cluster }}
 
       - name: Delete Aurora DB
@@ -728,16 +735,6 @@ jobs:
         with:
           jdk-version: 21
 
-      - name: Build adapter distributions
-        run: ./mvnw install -DskipTests -f distribution/pom.xml
-
-      - name: Build app servers
-        run: ./mvnw install -DskipTests -Pbuild-app-servers -f testsuite/integration-arquillian/servers/app-server/pom.xml
-
-
-      - name: Prepare Quarkus distribution with BCFIPS
-        run: ./mvnw install -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus,auth-server-fips140-2
-
       - name: Run base tests
         run: docker run --rm --workdir /github/workspace -e "SUREFIRE_RERUN_FAILING_COUNT" -v "${{ github.workspace }}":"/github/workspace" -v "$HOME/.m2":"/root/.m2" registry.access.redhat.com/ubi8/ubi:latest .github/scripts/run-fips-it.sh ${{ matrix.mode }}
 
@@ -938,26 +935,6 @@ jobs:
       - name: Run tests
         run: ./mvnw test -f test-framework/pom.xml
 
-  test-poc:
-    name: Test PoC
-    runs-on: ubuntu-latest
-    if: needs.conditional.outputs.ci-test-poc == 'true'
-    needs:
-      - conditional
-      - build
-    timeout-minutes: 30
-    steps:
-      - uses: actions/checkout@v4
-
-      - id: integration-test-setup
-        name: Integration test setup
-        uses: ./.github/actions/integration-test-setup
-
-      - name: Run tests
-        env:
-          KC_TEST_BROWSER: chrome-headless
-        run: ./mvnw clean install -f test-poc/pom.xml
-
   check:
     name: Status Check - Keycloak CI
     if: always()
@@ -981,7 +958,6 @@ jobs:
       - sssd-unit-tests
       - migration-tests
       - external-infinispan-tests
-      - test-poc
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

@@ -67,7 +67,7 @@ jobs:
         uses: ./.github/actions/java-setup
 
       - name: Setup Minikube-Kubernetes
-        uses: manusa/actions-setup-minikube@v2.11.0
+        uses: manusa/actions-setup-minikube@v2.13.0
         with:
           minikube version: ${{ env.MINIKUBE_VERSION }}
           kubernetes version: ${{ env.KUBERNETES_VERSION }}
@@ -111,7 +111,7 @@ jobs:
         uses: ./.github/actions/java-setup
 
       - name: Setup Minikube-Kubernetes
-        uses: manusa/actions-setup-minikube@v2.11.0
+        uses: manusa/actions-setup-minikube@v2.13.0
         with:
           minikube version: ${{ env.MINIKUBE_VERSION }}
           kubernetes version: ${{ env.KUBERNETES_VERSION }}
@@ -154,7 +154,7 @@ jobs:
         uses: ./.github/actions/java-setup
 
       - name: Setup Minikube-Kubernetes
-        uses: manusa/actions-setup-minikube@v2.11.0
+        uses: manusa/actions-setup-minikube@v2.13.0
         with:
           minikube version: ${{ env.MINIKUBE_VERSION }}
           kubernetes version: ${{ env.KUBERNETES_VERSION }}

@@ -58,6 +58,17 @@
             <artifactId>jackson-annotations</artifactId>
             <scope>provided</scope>
         </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

@@ -30,6 +30,7 @@
 import org.keycloak.authorization.client.resource.ProtectionResource;
 import org.keycloak.authorization.client.util.Http;
 import org.keycloak.authorization.client.util.TokenCallable;
+import org.keycloak.common.crypto.CryptoIntegration;
 import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.util.SystemPropertiesJsonParserFactory;
@@ -91,6 +92,7 @@ public static AuthzClient create(InputStream configStream) throws RuntimeExcepti
      * @return a new instance
      */
     public static AuthzClient create(Configuration configuration) {
+        CryptoIntegration.init(AuthzClient.class.getClassLoader());
         return new AuthzClient(configuration);
     }