mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-15 19:10:47 +02:00
c4874deb5d
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.0 to 2.19.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.19.1</h2> <h2>What's Changed</h2> <ul> <li>fix: detect ubuntu-slim runners early and bail out by <a href="https://github.com/devantler"><code>@devantler</code></a> in <a href="https://redirect.github.com/step-security/harden-runner/pull/657">step-security/harden-runner#657</a></li> </ul> <p>What the fix changes</p> <ul> <li>Harden-Runner will detect <code>ubuntu-slim</code> runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.</li> </ul> <p>What the fix does not do</p> <ul> <li>Jobs running on <code>ubuntu-slim</code> will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).</li> <li>Per GitHub's docs on <a href="https://docs.github.com/en/actions/reference/runners/github-hosted-runners#single-cpu-runners">single-CPU runners</a>: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.</li> </ul> <p>For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of <code>ubuntu-slim</code> via workflow run policies see the <a href="https://docs.stepsecurity.io/workflow-run-policies/policies#runner-label-policy">Runner Label Policy</a> docs. This lets you enforce that jobs only run on monitored runner types.</p> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/devantler"><code>@devantler</code></a> made their first contribution in <a href="https://redirect.github.com/step-security/harden-runner/pull/657">step-security/harden-runner#657</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.19.0...v2.19.1">https://github.com/step-security/harden-runner/compare/v2.19.0...v2.19.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/step-security/harden-runner/commit/a5ad31d6a139d249332a2605b85202e8c0b78450"><code>a5ad31d</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/657">#657</a> from devantler/fix/ubuntu-slim-user-env</li> <li><a href="https://github.com/step-security/harden-runner/commit/6e928567d74554b8842dd434908da31c593ba85c"><code>6e92856</code></a> build dist and trim ubuntu-slim message</li> <li><a href="https://github.com/step-security/harden-runner/commit/4e0504ee086374bdec7064e5c26d48af41ba6209"><code>4e0504e</code></a> Merge branch 'main' into fix/ubuntu-slim-user-env</li> <li><a href="https://github.com/step-security/harden-runner/commit/376d25a97f3a1640ff8cbbddaa4af25948df2cf3"><code>376d25a</code></a> fix: detect ubuntu-slim runners early and bail out</li> <li>See full diff in <a href="https://github.com/step-security/harden-runner/compare/8d3c67de8e2fe68ef647c8db1e6a09f647780f40...a5ad31d6a139d249332a2605b85202e8c0b78450">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
265 lines
12 KiB
YAML
265 lines
12 KiB
YAML
name: Enterprise E2E (Playwright)
|
|
|
|
# Enterprise Playwright suite — exercises premium-key gated features (audit,
|
|
# teams, analytics) plus full OAuth + SAML logins via the Keycloak compose
|
|
# stacks under testing/compose. Slow and secret-gated, so it runs in three
|
|
# situations:
|
|
#
|
|
# - PRs that touch proprietary / premium / SSO compose / enterprise tests
|
|
# (driven by build.yml via workflow_call, path-filtered against
|
|
# .github/config/.files.yaml `proprietary`),
|
|
# - every push to main (post-merge safety net),
|
|
# - on a nightly cron schedule (catches Keycloak image drift, license
|
|
# expiry, upstream proprietary changes),
|
|
# - manual workflow_dispatch.
|
|
#
|
|
# Auto-skipped when secrets.PREMIUM_KEY_ENTERPRISE is missing (forks, dependabot).
|
|
|
|
on:
|
|
workflow_call:
|
|
push:
|
|
branches: ["main"]
|
|
schedule:
|
|
- cron: "0 4 * * *"
|
|
workflow_dispatch:
|
|
|
|
# No `concurrency:` block here on purpose. When this workflow is called via
|
|
# workflow_call from build.yml, ${{ github.workflow }}/event_name/pr_number
|
|
# resolve to the *caller's* values, producing the same group key as build.yml
|
|
# and causing the workflow_call instantiation to self-cancel — the job
|
|
# silently fails to spawn while `${{ needs.X.result }}` still reports
|
|
# `failure`. Standalone runs (push-to-main, nightly cron, dispatch) don't
|
|
# overlap often enough to need explicit concurrency control.
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
playwright-e2e-enterprise:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 45
|
|
env:
|
|
PREMIUM_KEY: ${{ secrets.PREMIUM_KEY_ENTERPRISE }}
|
|
PREMIUM_ENABLED: "true"
|
|
SYSTEM_ENABLEANALYTICS: "false"
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
|
|
with:
|
|
egress-policy: audit
|
|
- name: Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
- name: Set up JDK 25
|
|
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
|
|
with:
|
|
java-version: "25"
|
|
distribution: "temurin"
|
|
- name: Set up Node.js
|
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: "22"
|
|
cache: "npm"
|
|
cache-dependency-path: frontend/package-lock.json
|
|
- name: Install Task
|
|
uses: go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44 # v2.0.0
|
|
- name: Install Playwright (chromium only)
|
|
run: task frontend:test:e2e:install -- chromium
|
|
|
|
- name: Resolve kubernetes.docker.internal to localhost
|
|
# The compose stacks set KC_HOSTNAME=kubernetes.docker.internal so
|
|
# Keycloak issues redirect URIs against that host. Docker Desktop
|
|
# auto-resolves it; GHA runners don't. Map it to 127.0.0.1 so the
|
|
# browser-driven OAuth flow lands back on Stirling-PDF correctly.
|
|
run: |
|
|
echo "127.0.0.1 kubernetes.docker.internal" | sudo tee -a /etc/hosts
|
|
|
|
# Helper function used by all phases — boots `:stirling-pdf:bootRun`
|
|
# with the React frontend baked in (-PbuildWithFrontend=true) so the
|
|
# SPA serves on :8080 and OAuth/SAML callbacks land on the same host
|
|
# that the browser is interacting with.
|
|
- name: Define helpers
|
|
run: |
|
|
{
|
|
echo 'wait_for_backend() {'
|
|
echo ' start=$SECONDS'
|
|
echo ' for i in $(seq 1 300); do'
|
|
echo ' if curl -fsS http://localhost:8080/api/v1/info/status >/dev/null 2>&1; then'
|
|
echo ' echo "Backend up after $((SECONDS - start))s"; return 0'
|
|
echo ' fi; sleep 2'
|
|
echo ' done'
|
|
echo ' tail -200 /tmp/backend.log || true; return 1'
|
|
echo '}'
|
|
echo 'stop_backend() {'
|
|
echo ' if [ -f /tmp/backend.pid ]; then'
|
|
echo ' kill "$(cat /tmp/backend.pid)" 2>/dev/null || true'
|
|
echo ' rm -f /tmp/backend.pid'
|
|
echo ' fi'
|
|
echo ' pkill -f "gradlew :stirling-pdf:bootRun" 2>/dev/null || true'
|
|
echo ' for i in $(seq 1 30); do'
|
|
echo ' curl -fsS http://localhost:8080/api/v1/info/status >/dev/null 2>&1 || return 0'
|
|
echo ' sleep 1'
|
|
echo ' done'
|
|
echo '}'
|
|
} > /tmp/helpers.sh
|
|
chmod +x /tmp/helpers.sh
|
|
|
|
# ───────── OAuth round-trip ─────────
|
|
- name: Bring up Keycloak (OAuth realm)
|
|
working-directory: testing/compose
|
|
run: docker compose -f docker-compose-keycloak-oauth.yml up -d --no-deps keycloak-oauth-db keycloak-oauth
|
|
- name: Wait for Keycloak (OAuth) ready
|
|
working-directory: testing/compose
|
|
run: |
|
|
for i in $(seq 1 60); do
|
|
bash validate-oauth-test.sh 2>/dev/null && exit 0 || true
|
|
# validate script also pings stirling on :8080 — accept just the
|
|
# keycloak realm as our gate here, stirling boots in the next step
|
|
curl -fsS http://localhost:9080/realms/stirling-oauth >/dev/null 2>&1 && exit 0
|
|
sleep 5
|
|
done
|
|
docker compose -f docker-compose-keycloak-oauth.yml logs --tail=200 keycloak-oauth
|
|
exit 1
|
|
- name: Boot Stirling-PDF (frontend baked in, OAuth env)
|
|
env:
|
|
SECURITY_ENABLELOGIN: "true"
|
|
SECURITY_LOGINMETHOD: "all"
|
|
SECURITY_OAUTH2_ENABLED: "true"
|
|
SECURITY_OAUTH2_AUTOCREATEUSER: "true"
|
|
# Keycloak issues redirect URIs against KC_HOSTNAME, which the
|
|
# compose default sets to kubernetes.docker.internal. Match here
|
|
# (resolves to localhost via /etc/hosts mapping above).
|
|
SECURITY_OAUTH2_CLIENT_KEYCLOAK_ISSUER: "http://kubernetes.docker.internal:9080/realms/stirling-oauth"
|
|
SECURITY_OAUTH2_CLIENT_KEYCLOAK_CLIENTID: "stirling-pdf-client"
|
|
SECURITY_OAUTH2_CLIENT_KEYCLOAK_CLIENTSECRET: "test-client-secret-change-in-production"
|
|
SECURITY_OAUTH2_CLIENT_KEYCLOAK_USEASUSERNAME: "email"
|
|
SECURITY_OAUTH2_CLIENT_KEYCLOAK_SCOPES: "openid,profile,email"
|
|
run: |
|
|
source /tmp/helpers.sh
|
|
nohup ./gradlew :stirling-pdf:bootRun -PbuildWithFrontend=true > /tmp/backend.log 2>&1 &
|
|
echo $! > /tmp/backend.pid
|
|
wait_for_backend
|
|
- name: Run enterprise OAuth Playwright tests
|
|
id: oauth-tests
|
|
run: task frontend:test:e2e -- --project=enterprise --grep "OAuth"
|
|
- name: Stop backend + tear down OAuth Keycloak
|
|
if: always()
|
|
run: |
|
|
source /tmp/helpers.sh
|
|
stop_backend
|
|
(cd testing/compose && docker compose -f docker-compose-keycloak-oauth.yml down -v)
|
|
|
|
# ───────── SAML round-trip ─────────
|
|
- name: Bring up Keycloak (SAML realm)
|
|
working-directory: testing/compose
|
|
run: docker compose -f docker-compose-keycloak-saml.yml up -d --no-deps keycloak-saml-db keycloak-saml
|
|
- name: Wait for Keycloak (SAML) ready
|
|
working-directory: testing/compose
|
|
run: |
|
|
for i in $(seq 1 60); do
|
|
curl -fsS http://localhost:9080/realms/stirling-saml >/dev/null 2>&1 && exit 0
|
|
sleep 5
|
|
done
|
|
docker compose -f docker-compose-keycloak-saml.yml logs --tail=200 keycloak-saml
|
|
exit 1
|
|
- name: Generate SAML SP certs + fetch Keycloak IdP cert
|
|
# The .pem/.crt/.key files are gitignored (test-only certs); the
|
|
# docker-based start-saml-test.sh generates them at runtime, so do
|
|
# the same in CI before bootRun reads them.
|
|
working-directory: testing/compose
|
|
run: |
|
|
openssl req -x509 -newkey rsa:2048 \
|
|
-keyout saml-private-key.key \
|
|
-out saml-public-cert.crt \
|
|
-days 3650 -nodes \
|
|
-subj "/CN=stirling-pdf-saml-sp" >/dev/null 2>&1
|
|
# Fetch Keycloak's SAML signing cert from the realm descriptor
|
|
CERT_BODY=$(curl -sf http://localhost:9080/realms/stirling-saml/protocol/saml/descriptor \
|
|
| awk 'BEGIN{RS="<[^>]*X509Certificate>|</[^>]*X509Certificate>"} NR==2{gsub(/[[:space:]]+/,""); print; exit}')
|
|
{
|
|
echo "-----BEGIN CERTIFICATE-----"
|
|
echo "$CERT_BODY"
|
|
echo "-----END CERTIFICATE-----"
|
|
} > keycloak-saml-cert.pem
|
|
test -s saml-private-key.key
|
|
test -s saml-public-cert.crt
|
|
test -s keycloak-saml-cert.pem
|
|
echo "✓ SAML certs prepared"
|
|
- name: Boot Stirling-PDF (frontend baked in, SAML env)
|
|
env:
|
|
SECURITY_ENABLELOGIN: "true"
|
|
SECURITY_LOGINMETHOD: "all"
|
|
SECURITY_SAML2_ENABLED: "true"
|
|
SECURITY_SAML2_AUTOCREATEUSER: "true"
|
|
SECURITY_SAML2_PROVIDER: "keycloak"
|
|
SECURITY_SAML2_REGISTRATIONID: "keycloak"
|
|
SECURITY_SAML2_IDP_ISSUER: "http://localhost:9080/realms/stirling-saml"
|
|
SECURITY_SAML2_IDP_ENTITYID: "http://localhost:9080/realms/stirling-saml"
|
|
SECURITY_SAML2_IDP_METADATAURI: "http://localhost:9080/realms/stirling-saml/protocol/saml/descriptor"
|
|
SECURITY_SAML2_IDPSINGLELOGINURL: "http://localhost:9080/realms/stirling-saml/protocol/saml"
|
|
SECURITY_SAML2_IDPSINGLELOGOUTURL: "http://localhost:9080/realms/stirling-saml/protocol/saml"
|
|
SECURITY_SAML2_IDP_CERT: "${{ github.workspace }}/testing/compose/keycloak-saml-cert.pem"
|
|
SECURITY_SAML2_PRIVATEKEY: "${{ github.workspace }}/testing/compose/saml-private-key.key"
|
|
SECURITY_SAML2_SP_CERT: "${{ github.workspace }}/testing/compose/saml-public-cert.crt"
|
|
# Realm registers the SP entity as the metadata URL — see
|
|
# keycloak-realm-saml.json `clientId`. Match it here so Keycloak
|
|
# accepts the AuthnRequest issuer.
|
|
SECURITY_SAML2_SP_ENTITYID: "http://localhost:8080/saml2/service-provider-metadata/keycloak"
|
|
SECURITY_SAML2_SP_ACS: "http://localhost:8080/login/saml2/sso/keycloak"
|
|
SECURITY_SAML2_SP_SLS: "http://localhost:8080/logout/saml2/slo"
|
|
run: |
|
|
source /tmp/helpers.sh
|
|
nohup ./gradlew :stirling-pdf:bootRun -PbuildWithFrontend=true > /tmp/backend.log 2>&1 &
|
|
echo $! > /tmp/backend.pid
|
|
wait_for_backend
|
|
- name: Run enterprise SAML Playwright tests
|
|
id: saml-tests
|
|
run: task frontend:test:e2e -- --project=enterprise --grep "SAML"
|
|
- name: Stop backend + tear down SAML Keycloak
|
|
if: always()
|
|
run: |
|
|
source /tmp/helpers.sh
|
|
stop_backend
|
|
(cd testing/compose && docker compose -f docker-compose-keycloak-saml.yml down -v)
|
|
|
|
# ───────── License-gated feature tests (no IdP needed) ─────────
|
|
- name: Wipe DB so InitialSecuritySetup re-runs with admin/adminadmin
|
|
# Earlier phases (OAuth, SAML) create the default admin/stirling user.
|
|
# InitialSecuritySetup only honours SECURITY_INITIALLOGIN_* when the
|
|
# admin user doesn't already exist, so the persisted DB has to be
|
|
# cleared between phases for the feature env vars to take effect.
|
|
run: |
|
|
rm -f app/core/configs/stirling-pdf-DB*.mv.db
|
|
rm -rf app/core/configs/backup
|
|
- name: Boot Stirling-PDF (frontend baked in, premium only)
|
|
env:
|
|
SECURITY_INITIALLOGIN_USERNAME: admin
|
|
SECURITY_INITIALLOGIN_PASSWORD: adminadmin
|
|
SECURITY_ENABLELOGIN: "true"
|
|
SECURITY_LOGINMETHOD: "all"
|
|
run: |
|
|
source /tmp/helpers.sh
|
|
nohup ./gradlew :stirling-pdf:bootRun -PbuildWithFrontend=true > /tmp/backend.log 2>&1 &
|
|
echo $! > /tmp/backend.pid
|
|
wait_for_backend
|
|
- name: Run enterprise feature Playwright tests
|
|
id: feature-tests
|
|
run: task frontend:test:e2e -- --project=enterprise --grep "Enterprise license"
|
|
- name: Print backend log on failure
|
|
if: failure()
|
|
run: |
|
|
echo "::group::Enterprise backend log"
|
|
tail -500 /tmp/backend.log || true
|
|
echo "::endgroup::"
|
|
- name: Stop backend (final)
|
|
if: always()
|
|
run: |
|
|
source /tmp/helpers.sh
|
|
stop_backend
|
|
- name: Upload Playwright report
|
|
if: always()
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: playwright-report-enterprise-${{ github.run_id }}
|
|
path: frontend/playwright-report/
|
|
retention-days: 7
|