diff --git a/.github/workflows/docker-build-publish.yaml b/.github/workflows/docker-build-publish.yaml index 9f9ae1e..68033a6 100644 --- a/.github/workflows/docker-build-publish.yaml +++ b/.github/workflows/docker-build-publish.yaml @@ -7,21 +7,21 @@ name: Build and Publish Docker Image on: schedule: - - cron: '0 10 * * *' + - cron: "0 10 * * *" # If any commit message in your push or the HEAD commit of your PR contains the strings # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip] # workflows triggered on the push or pull_request events will be skipped. # https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/ push: - branches: [ master ] + branches: [master] # Publish semver tags as releases. - tags: [ 'v[0-9]+.[0-9]+.[0-9]+' ] + tags: ["v[0-9]+.[0-9]+.[0-9]+"] # If any commit message in your push or the HEAD commit of your PR contains the strings # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip] # workflows triggered on the push or pull_request events will be skipped. # https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/ pull_request: - branches: [ master ] + branches: [master] env: # https://hub.docker.com/r/athenz/authorization-proxy/tags @@ -47,7 +47,6 @@ env: # Any cron builds (scheduled workflows) push the nightly tag image: type=schedule,pattern=nightly - jobs: set_matrix: runs-on: ubuntu-latest @@ -66,10 +65,10 @@ jobs: { "platform": "linux/arm64", "runner": "ubuntu-24.04-arm", "suffix": "-arm64" } ] }' - + # Store JSON data: echo "matrix=$(echo "$MATRIX_JSON" | jq -c .)" >> $GITHUB_OUTPUT - + # Store Suffix list: echo "suffixes=$(echo "$MATRIX_JSON" | jq -r '.include[].suffix' | xargs)" >> $GITHUB_OUTPUT 
@@ -95,16 +94,14 @@ jobs: steps: # A GitHub Action to expose useful environment variables. # https://github.com/FranzDiebold/github-env-vars-action - - - name: GitHub Environment Variables Action + - name: GitHub Environment Variables Action id: env # uses: https://github.com/FranzDiebold/github-env-vars-action/tags uses: FranzDiebold/github-env-vars-action@v2 # This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it. # https://github.com/actions/checkout - - - name: Checkout repository + - name: Checkout repository id: checkout # You may pin to the exact commit or the version. # uses: https://github.com/actions/checkout/tags @@ -114,8 +111,7 @@ jobs: # - Optionally downloading and caching a version of Go by version and adding to PATH. # - Registering problem matchers for error output. # https://github.com/actions/setup-go - - - name: Setup Golang + - name: Setup Golang id: setup-go # You may pin to the exact commit or the version. # uses: https://github.com/actions/setup-go/tags @@ -127,8 +123,7 @@ jobs: cache: true # A GitHub Action for golang tests - - - name: Golang Tests + - name: Golang Tests id: go-tests run: | go version @@ -149,8 +144,7 @@ jobs: # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) # https://github.com/sysdiglabs/benchmark-dockerfile - - - name: Sysdig Benchmark Dockerfile + - name: Sysdig Benchmark Dockerfile id: sysdig if: matrix.platform == 'linux/amd64' # Only required once for any platform, and will do the most general amd64 # You may pin to the exact commit or the version. 
@@ -167,8 +161,7 @@ jobs: # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10) # https://github.com/sysdiglabs/benchmark-dockerfile # TODO: Skipping CIS 4.1 check until https://github.com/yahoojapan/authorization-proxy/pull/95 is fixed. - - - name: Post Sysdig Benchmark Dockerfile + - name: Post Sysdig Benchmark Dockerfile id: postsysdig if: matrix.platform == 'linux/amd64' # Only required once for any platform, and will do the most general amd64 run: | @@ -181,8 +174,7 @@ jobs: # GitHub Action to install QEMU static binaries. # https://github.com/docker/setup-qemu-action - - - name: Set up QEMU + - name: Set up QEMU id: qemu # You may pin to the exact commit or the version. # uses: https://github.com/docker/setup-qemu-action/tags @@ -190,8 +182,7 @@ jobs: # GitHub Action to set up Docker Buildx. # https://github.com/docker/setup-buildx-action - - - name: Set up Docker Buildx + - name: Set up Docker Buildx id: buildx # You may pin to the exact commit or the version. # uses: https://github.com/docker/setup-buildx-action/tags @@ -221,8 +212,7 @@ jobs: cache-to: type=gha,mode=max # Test Docker image - - - name: Test Docker image + - name: Test Docker image id: test_docker run: | docker run --rm ${{ env.GHCR_IMAGE_ID }}:${{ github.sha }}${{ matrix.suffix }} --version @@ -298,14 +288,14 @@ jobs: - name: Delete Temporary Images using GitHub API env: - OWNER: ${{ github.repository_owner }} - PACKAGE_NAME: authorization-proxy + OWNER: ${{ github.repository_owner }} + PACKAGE_NAME: authorization-proxy SHA_TAG: ${{ github.sha }} PLATFORM_SUFFIXES: ${{ needs.set_matrix.outputs.suffixes }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "🧹 Cleanup using GitHub API..." - + for suffix in $PLATFORM_SUFFIXES; do TAG_NAME="${SHA_TAG}${suffix}" echo "🔍 Finding version ID for tag: $TAG_NAME" 
@@ -325,5 +315,5 @@ jobs:
 gh api -X DELETE "/orgs/$OWNER/packages/container/$PACKAGE_NAME/versions/$VERSION_ID" \
 -H "Accept: application/vnd.github+json" || true
 done
-
+
 echo "✨ Cleanup finished!"
diff --git a/.github/workflows/github-releases.yaml b/.github/workflows/github-releases.yaml
deleted file mode 100644
index d95c949..0000000
--- a/.github/workflows/github-releases.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: Github Releases
-
-on:
- push:
- # Publish semver tags as releases.
- tags: [ 'v[0-9]+.[0-9]+.[0-9]+' ]
-
-jobs:
- build:
- runs-on: ubuntu-latest
- permissions:
- contents: write
- steps:
- - uses: actions/checkout@v3
- - uses: ncipollo/release-action@v1
- with:
- generateReleaseNotes: true
- skipIfReleaseExists: true
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 4be4c0d..d1338bd 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -27,7 +27,7 @@ make test
 - Add tests relevant to the fixed bug or new feature.
 - Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations and container parameters.
 - Please use `Squash and merge` to merge a PR.
-- Create a git tag to make a release. Docker image with the `latest` tag will also be updated.
+- For release, check out the following: [About release](#about-release)
 
 ## Dependency management
 
@@ -52,6 +52,31 @@ GO111MODULE=on go mod tidy You have to commit the changes to `go.mod` and `go.sum` before submitting the pull request. +## About release + +This section describes how to release a new version of the Authorization Proxy. + +### How to release + +> [!TIP] +> For consistent release DX, please refrain from creating a tag with git command + +> [!NOTE] +> Please note that: +> - `latest` tag will be updated as well +> - there is no pr tag release + +Create a release with GitHub UI from the following: https://github.com/AthenZ/authorization-proxy/releases + +![draft_a_new_release](./images/draft_a_new_release.png) + +### Architecture: Release Pipeline + +Here is a general architecture of the current [release pipeline](./.github/workflows/docker-build-publish.yaml): + +![release_pipeline_architecture](./images/release_pipeline_architecture.png) + + ## Contributor Covenant Code of Conduct ### Attribution diff --git a/README.md b/README.md index db50d03..e1b9c13 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,6 @@ # Authorization Proxy + [![License: Apache](https://img.shields.io/badge/License-Apache%202.0-blue.svg?style=flat-square)](https://opensource.org/licenses/Apache-2.0) [![GitHub release (latest by date)](https://img.shields.io/github/v/release/AthenZ/authorization-proxy?style=flat-square&label=Github%20version)](https://github.com/AthenZ/authorization-proxy/releases/latest) [![Docker Image Version (tag latest)](https://img.shields.io/docker/v/athenz/authorization-proxy/latest?style=flat-square&label=Docker%20version)](https://hub.docker.com/r/athenz/authorization-proxy/tags) 
@@ -70,11 +71,11 @@ The mapping rules describe the elements used in the authorization proxy. You can
 
 The mapping rules are described as below.
 
-| Concept | Description | Map to (Athenz) | Example |
-|-----------------|------------------------------------------------------------|------------------|--------------------|
-| Client Identity | Client Identity presented in the client credentials | Role | access token scope |
-| Action | HTTP/HTTPS request method | Action | POST |
-| Resource | HTTP/HTTPS request URL path, supports wildcard | Resource | /api/* |
+| Concept | Description | Map to (Athenz) | Example |
+|-----------------|-----------------------------------------------------|-----------------|--------------------|
+| Client Identity | Client Identity presented in the client credentials | Role | access token scope |
+| Action | HTTP/HTTPS request method | Action | POST |
+| Resource | HTTP/HTTPS request URL path, supports wildcard | Resource | /api/* |
 
 ⚠️ All the HTTP/HTTPS methods and URI paths are normalized to lower case.
 
@@ -82,14 +83,14 @@ The mapping rules are described as below.
 
 When a request is authorized by the authorization proxy, the following HTTP headers is added in the request.
 
-| HTTP Header Name | Description | Example |
-|---------------------|--------------------------------------------------------------------------|-------------------|
-| X-Athenz-Principal | Authorized principal | principal |
-| X-Athenz-Role | Authorized role (A comma-separated string if there is more than one) | role1,role2,role3 |
-| X-Athenz-Domain | Authorized domain | domain |
-| X-Athenz-Client-ID | Authorized client ID | client-id |
-| X-Athenz-Issued-At | Unix timestamp in second that the authorized identity was issued | 1596158946 |
-| X-Athenz-Expires-At | Unix timestamp in second that the authorized identity expires | 1596158953 |
+| HTTP Header Name | Description | Example |
+|---------------------|----------------------------------------------------------------------|-------------------|
+| X-Athenz-Principal | Authorized principal | principal |
+| X-Athenz-Role | Authorized role (A comma-separated string if there is more than one) | role1,role2,role3 |
+| X-Athenz-Domain | Authorized domain | domain |
+| X-Athenz-Client-ID | Authorized client ID | client-id |
+| X-Athenz-Issued-At | Unix timestamp in second that the authorized identity was issued | 1596158946 |
+| X-Athenz-Expires-At | Unix timestamp in second that the authorized identity expires | 1596158953 |
 
 ## Features to Debug
 
@@ -99,11 +100,3 @@ When a request is authorized by the authorization proxy, the following HTTP head The example configuration file is [here](./test/data/example_config.yaml). For detail explanation, please read [config.go](./config/config.go). - ---- - -## About releases - -- Releases - - [![GitHub release (latest by date)](https://img.shields.io/github/v/release/AthenZ/authorization-proxy?style=flat-square&label=Github%20version)](https://github.com/AthenZ/authorization-proxy/releases/latest) - - [![Docker Image Version (tag latest)](https://img.shields.io/docker/v/athenz/authorization-proxy/latest?style=flat-square&label=Docker%20version)](https://hub.docker.com/r/athenz/authorization-proxy/tags) diff --git a/images/draft_a_new_release.png b/images/draft_a_new_release.png new file mode 100644 index 0000000..37004fb Binary files /dev/null and b/images/draft_a_new_release.png differ diff --git a/images/release_pipeline_architecture.png b/images/release_pipeline_architecture.png new file mode 100644 index 0000000..b3a7234 Binary files /dev/null and b/images/release_pipeline_architecture.png differ