Merge branch 'main' into lock_update

JanssenProject · Jan 20, 2025 · fc166a5 · fc166a5
2 parents e7066dc + dec678a
commit fc166a5
Show file tree

Hide file tree

Showing 486 changed files with 13,246 additions and 8,360 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -6,15 +6,16 @@ We appreciate your efforts to responsibly disclose your findings, and will make
 
 ## Supported versions
 
-Security updates will typically only be applied to the latest release (at least until **Janssen** reaches first stable major version).
+Security updates will typically only be applied to the latest release.
 
-| Version  | Supported          |
-| -------- | ------------------ |
-| >=0.1 | :white_check_mark: |
+| Version | Supported          |
+|---------|--------------------|
+| <1.0.0  | :x:                |
+| >=1.0.0 | :white_check_mark: |
 
 ## Reporting a vulnerability
 
-To report a security issue, send an email to [[email protected]](mailto:[email protected]?subject=SECURITY)
+To report a security issue email [[email protected]](mailto:[email protected]?subject=SECURITY)
 
 The **Janssen** team will send a response indicating the next steps in handling your report.
 After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement,

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -26,10 +26,6 @@ updates:
     schedule:
       interval: daily
 
-  - package-ecosystem: pip
-    directory: /demos/jans-tent
-    schedule:
-      interval: daily
 
   - package-ecosystem: docker
     directory: /docker-jans-all-in-one

diff --git a/.github/workflows/build-docker-image.yml b/.github/workflows/build-docker-image.yml
@@ -57,7 +57,7 @@ jobs:
           egress-policy: audit
 
       - name: Install Cosign
-        uses: sigstore/[email protected]
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -91,9 +91,9 @@ jobs:
         if: steps.build_docker_image.outputs.build || github.event_name == 'tags'
         run: |
           sudo apt-get update
-          sudo python3 -m pip install --upgrade pip
-          sudo pip3 install setuptools --upgrade
-          sudo pip3 install -r ./automation/requirements.txt
+          sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
+          sudo pip3 install --ignore-installed setuptools --upgrade
+          sudo pip3 install --ignore-installed -r ./automation/requirements.txt 
           sudo apt-get update
 
       #- uses: actions/delete-package-versions@v5
@@ -165,19 +165,19 @@ jobs:
           fi
 
       # UPDATE BUILD DATES INSIDE THE DOCKERFILE BEFORE BUILDING THE DEV IMAGES TRIGGERED BY JENKINS
-      - name: Setup Python 3.7
+      - name: Setup Python 3.10
         if: github.event_name == 'workflow_dispatch' && ${{ matrix.docker-images }} != 'loadtesting-jmeter'
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
-          python-version: 3.7
+          python-version: "3.10"
 
       - name: Install Python dependencies
         if: github.event_name == 'workflow_dispatch' && ${{ matrix.docker-images }} != 'loadtesting-jmeter'
         run: |
           sudo apt-get update
-          sudo python3 -m pip install --upgrade pip
-          sudo pip3 install setuptools --upgrade
-          sudo pip3 install -r ./automation/requirements.txt
+          sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
+          sudo pip3 install --ignore-installed setuptools --upgrade
+          sudo pip3 install --ignore-installed -r ./automation/requirements.txt
           sudo apt-get update
           sudo apt-get install jq
 

diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
@@ -209,7 +209,10 @@ jobs:
           # END move generated chart from a previous step
           
           # copy search from nightly to all other versions. This is to ensure that the search index is available for all versions
-          for folder in v*/; do cp -r nightly/search "$folder"; done
+          for folder in v*/; do
+            cp -r nightly/search "$folder"
+            git add $folder/search && git update-index --refresh
+          done
           # END copy search from nightly to all other versions
 
           echo "Replacing release number markers with actual release number"

diff --git a/.github/workflows/build-nightly-build.yml b/.github/workflows/build-nightly-build.yml
@@ -2,6 +2,11 @@ name: Activate Nightly Build
 
 on:
   workflow_dispatch:
+    inputs:
+      branch:
+        description: 'The branch to build night release from'
+        required: false
+        default: 'main'
   schedule:
     - cron: "0 23 * * *"
 permissions:
@@ -37,4 +42,8 @@ jobs:
         gh release delete ${NIGHTLY_VERSION} --cleanup-tag --yes || echo "v${NIGHTLY_VERSION}" does not exist
         gh release delete ${NIGHTLY_VERSION} --cleanup-tag --yes || echo "v${NIGHTLY_VERSION}" does not exist
         git push --delete origin ${NIGHTLY_VERSION} || echo "v${NIGHTLY_VERSION}" does not exist
-        gh release create ${NIGHTLY_VERSION} --generate-notes --prerelease --title "${NIGHTLY_VERSION}"
+        TARGET_BRANCH=${{ github.event.inputs.branch }}
+        if [ -z "$TARGET_BRANCH" ]; then
+          TARGET_BRANCH="main"
+        fi
+        gh release create ${NIGHTLY_VERSION} --generate-notes --prerelease --title "${NIGHTLY_VERSION}" --target "${TARGET_BRANCH}"
diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
@@ -5,6 +5,8 @@ on:
     tags:
     - 'v**'
     - 'nightly'
+permissions:
+  contents: read
 jobs:
   publish_binary_packages:
     if: github.repository == 'JanssenProject/jans'
@@ -196,7 +198,7 @@ jobs:
       run: |
         sudo apt-get update
         sudo apt-get install -y python3 build-essential ca-certificates dbus systemd iproute2 gpg python3-pip python3-dev libpq-dev gcc
-        python3 -m pip install --upgrade pip
+        python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
         pip3 install shiv wheel setuptools
         echo "Building jans-linux-setup package"
         sudo chown -R runner:docker /home/runner/work/jans/jans        
@@ -305,6 +307,8 @@ jobs:
         overwrite: true
   build_demo_packages:
     if: github.repository == 'JanssenProject/jans'
+    # Needs cedarling wasm as jans-tarp uses the wasm package
+    needs: build_cedarling_wasm
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
@@ -324,6 +328,17 @@ jobs:
         for i in $(ls -d */); do zip -r demo-${i%/}-$VER-source.zip $i && sha256sum demo-${i%/}-$VER-source.zip > demo-${i%/}-$VER-source.zip.sha256sum; done
         sudo rm demo-jans-tarp-$VER-source.zip demo-jans-tarp-$VER-source.zip.sha256sum
         cd jans-tarp
+        # Get the latest cedarling wasm package
+        TAG=$(echo ${{ github.event.ref }} | cut -d '/' -f 3 | sed 's/^v//')
+        if [ "${TAG}" == "nightly" ]; then
+          TAG="0.0.0"
+        fi
+        wget https://github.com/${{ github.repository }}/releases/download/"${VER}"/cedarling_wasm_"${TAG}"_pkg.tar.gz -O cedarling_wasm.tar.gz
+        mkdir -p wasm
+        tar -xvf cedarling_wasm.tar.gz -C wasm
+        rm cedarling_wasm.tar.gz
+        ls wasm
+        # END Get the latest cedarling wasm package
         npm install
         npm run build
         npm run pack
@@ -337,7 +352,7 @@ jobs:
         gh release upload $VER *.zip *.sha256sum --clobber
   build_cedarling_python:
     if: github.repository == 'JanssenProject/jans'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
@@ -356,8 +371,8 @@ jobs:
         git_user_signingkey: true
         git_commit_gpgsign: true
 
-    - uses: actions/setup-python@v5
-    - uses: PyO3/maturin-action@v1
+    - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+    - uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1.45.0
       with:
         working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_python
         command: build
@@ -373,9 +388,53 @@ jobs:
           TAG="0.0.0"
         fi
         cd ${{ github.workspace }}/jans-cedarling/target/wheels
-        sha256sum cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl > cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl.sha256sum
-        sha256sum cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl > cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl.sha256sum
-        gpg --armor --detach-sign cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl || echo "Failed to sign"
-        gpg --armor --detach-sign cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl || echo "Failed to sign"
+        sha256sum cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_31_x86_64.whl > cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_31_x86_64.whl.sha256sum
+        sha256sum cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_31_x86_64.whl > cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_31_x86_64.whl.sha256sum
+        gpg --armor --detach-sign cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_31_x86_64.whl || echo "Failed to sign"
+        gpg --armor --detach-sign cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_31_x86_64.whl || echo "Failed to sign"
+        echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
+        gh release upload "${VERSION}" *.whl *.sha256sum *.asc
+  build_cedarling_wasm:
+    if: github.repository == 'JanssenProject/jans'
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      with:
+        egress-policy: audit
+
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Import GPG key
+      id: import_gpg
+      continue-on-error: true
+      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+      with:
+        gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
+        passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
+        git_user_signingkey: true
+        git_commit_gpgsign: true
+    - name: Build WASM build
+      id: sign-cedarling
+      working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_wasm
+      run: |
+        rustup update stable && rustup default stable
+        cargo install wasm-pack
+        wasm-pack build --release --target web
+        ls pkg
+    - name: Archive and sign pkg contents
+      id: archive_pkg
+      working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_wasm
+      run: |
+        TAG=$(echo ${{ github.event.ref }} | cut -d '/' -f 3 | sed 's/^v//')
+        VERSION="$(echo ${{ github.event.ref }} | cut -d '/' -f 3)"
+        if [ "${TAG}" == "nightly" ]; then
+          VERSION=nightly
+          TAG="0.0.0"
+        fi
+        rm -rf pkg/.gitignore || echo "Failed to remove gitignore"
+        tar -czvf cedarling_wasm_"${TAG}"_pkg.tar.gz -C pkg .
+        sha256sum cedarling_wasm_"${TAG}"_pkg.tar.gz > cedarling_wasm_"${TAG}"_pkg.tar.gz.sha256sum
+        gpg --armor --detach-sign cedarling_wasm_"${TAG}"_pkg.tar.gz || echo "Failed to sign"
         echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
-        gh release upload "${VERSION}" *.whl *.sha256sum *.asc
+        gh release upload "${VERSION}" *.tar.gz *.sha256sum *.asc