SSO Login Nightly #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2025 Collate | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # Unless required by applicable law or agreed to in writing, software | |
| # distributed under the License is distributed on an "AS IS" BASIS, | |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| # See the License for the specific language governing permissions and | |
| # limitations under the License. | |
| name: SSO Login Nightly | |
| on: | |
| schedule: | |
| - cron: '0 3 * * *' | |
| workflow_dispatch: | |
| inputs: | |
| sso_provider: | |
| description: 'SSO provider (or "all")' | |
| required: true | |
| default: okta | |
| type: choice | |
| options: | |
| - okta | |
| - keycloak-azure-saml | |
| - keycloak-azure-saml-crosssite | |
| - all | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: sso-login-nightly-${{ github.event.inputs.sso_provider || 'scheduled' }} | |
| cancel-in-progress: true | |
| jobs: | |
| # To onboard a new provider: | |
| # 1. Add a matrix entry below (`name` is the lowercase provider id used by | |
| # the Playwright helper; `env_prefix` is the uppercase/underscore form | |
| # used to look up credentials). Also add `name` to the dispatch | |
| # `options:` list above. | |
| # 2. Add <ENV_PREFIX>_SSO_USERNAME (variable) and <ENV_PREFIX>_SSO_PASSWORD | |
| # (variable) to the `test` environment. Use a secret instead of a | |
| # variable for the password if the provider uses a real (non-fixture) | |
| # credential. | |
| # 3. Register the helper in playwright/utils/sso-providers/index.ts. | |
| sso-login: | |
| runs-on: ubuntu-latest | |
| environment: test | |
| timeout-minutes: 45 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| provider: | |
| ${{ (github.event_name == 'schedule' || github.event.inputs.sso_provider == 'all') | |
| && fromJSON('[{"name":"okta","env_prefix":"OKTA"},{"name":"keycloak-azure-saml","env_prefix":"KEYCLOAK_AZURE_SAML"},{"name":"keycloak-azure-saml-crosssite","env_prefix":"KEYCLOAK_AZURE_SAML"}]') | |
| || (github.event.inputs.sso_provider == 'keycloak-azure-saml' | |
| && fromJSON('[{"name":"keycloak-azure-saml","env_prefix":"KEYCLOAK_AZURE_SAML"}]') | |
| || (github.event.inputs.sso_provider == 'keycloak-azure-saml-crosssite' | |
| && fromJSON('[{"name":"keycloak-azure-saml-crosssite","env_prefix":"KEYCLOAK_AZURE_SAML"}]') | |
| || fromJSON('[{"name":"okta","env_prefix":"OKTA"}]'))) }} | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| tool-cache: false | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| large-packages: false | |
| swap-storage: true | |
| docker-images: false | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Cache Maven Dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.m2 | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: Setup OpenMetadata Test Environment | |
| uses: ./.github/actions/setup-openmetadata-test-environment | |
| with: | |
| python-version: '3.10' | |
| args: '-d postgresql -i false' | |
| ingestion_dependency: 'all' | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: 'openmetadata-ui/src/main/resources/ui/.nvmrc' | |
| - name: Install dependencies | |
| working-directory: openmetadata-ui/src/main/resources/ui/ | |
| run: yarn --ignore-scripts --frozen-lockfile | |
| - name: Install Playwright Browsers | |
| run: npx playwright@1.57.0 install chromium --with-deps | |
| - name: Start Keycloak SAML IdP | |
| if: startsWith(matrix.provider.name, 'keycloak-') | |
| run: | | |
| docker compose -f docker/local-sso/keycloak-saml/docker-compose.yml up -d | |
| timeout 180 bash -c 'until curl -fsS http://localhost:8080/realms/om-azure-saml >/dev/null; do sleep 2; done' | |
| - name: Run SSO Login Spec | |
| working-directory: openmetadata-ui/src/main/resources/ui | |
| env: | |
| SSO_PROVIDER_TYPE: ${{ matrix.provider.name }} | |
| SSO_USERNAME: ${{ vars[format('{0}_SSO_USERNAME', matrix.provider.env_prefix)] }} | |
| SSO_PASSWORD: ${{ vars[format('{0}_SSO_PASSWORD', matrix.provider.env_prefix)] || secrets[format('{0}_SSO_PASSWORD', matrix.provider.env_prefix)] }} | |
| # The '-crosssite' variant fronts the IdP on 127.0.0.1 while OM stays on localhost. The two | |
| # are a same registrable-domain pair but a *different site* (SameSite ignores port; 127.0.0.1 | |
| # and localhost are distinct sites), so the SAML callback POST is cross-site and the browser | |
| # drops the SameSite=Lax OM_SESSION cookie. This reproduces the production "No pending session" | |
| # failure that the localhost-only job cannot, guarding the SAML RelayState fix. | |
| KEYCLOAK_SAML_BASE_URL: ${{ matrix.provider.name == 'keycloak-azure-saml-crosssite' && 'http://127.0.0.1:8080' || 'http://localhost:8080' }} | |
| PLAYWRIGHT_IS_OSS: true | |
| run: npx playwright test --project=sso-auth --workers=1 | |
| - name: Upload HTML report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sso-login-html-report-${{ matrix.provider.name }} | |
| path: openmetadata-ui/src/main/resources/ui/playwright/output/playwright-report | |
| retention-days: 5 | |
| - name: Send Slack Notification | |
| if: always() | |
| working-directory: openmetadata-ui/src/main/resources/ui | |
| env: | |
| RUN_TITLE: "SSO Login Nightly: ${{ matrix.provider.name }} (${{ github.ref_name }})" | |
| RUN_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| SLACK_BOT_USER_OAUTH_TOKEN: ${{ secrets.E2E_SLACK_BOT_OAUTH_TOKEN }} | |
| run: | | |
| npx playwright-slack-report -c playwright/slack-cli.config.json -j playwright/output/results.json > slack_report.json | |
| - name: Clean Up | |
| if: always() | |
| run: | | |
| docker compose -f docker/local-sso/keycloak-saml/docker-compose.yml down --remove-orphans || true | |
| cd ./docker/development | |
| docker compose down --remove-orphans | |
| sudo rm -rf ${PWD}/docker-volume |