diff --git a/.github/workflows/artifacts-fork.yaml b/.github/workflows/artifacts-fork.yaml
index fca377ae90..2cb749132a 100644
--- a/.github/workflows/artifacts-fork.yaml
+++ b/.github/workflows/artifacts-fork.yaml
@@ -9,6 +9,76 @@ on: pull_request: jobs: + cf-images: + name: Cloudfoundry images + runs-on: ubuntu-latest + strategy: + matrix: + variant: + - alpine + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Gather metadata + id: meta + uses: docker/metadata-action@v4 + with: + images: | + ghcr.io/philips-forks/dex + flavor: | + latest = false + tags: | + type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }} + type=ref,event=pr,enable=${{ matrix.variant == 'alpine' }} + type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && matrix.variant == 'alpine' }} + type=ref,event=branch,suffix=-${{ matrix.variant }} + type=ref,event=pr,suffix=-${{ matrix.variant }} + type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}-cf + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }},suffix=-${{ matrix.variant }}-cf + labels: | + org.opencontainers.image.documentation=https://dexidp.io/docs/ + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ github.token }} + if: github.event_name == 'push' + + - name: Build and push + uses: docker/build-push-action@v4 + with: + context: . 
+ platforms: linux/amd64 + provenance: false + sbom: false + push: ${{ github.event_name == 'push' }} + tags: ${{ steps.meta.outputs.tags }} + build-args: | + BASE_IMAGE=${{ matrix.variant }} + VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} + COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.10.0 + with: + image-ref: "ghcr.io/philips-forks/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}" + format: "sarif" + output: "trivy-results.sarif" + if: github.event_name == 'push' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" + if: github.event_name == 'push' + container-images: name: Container images runs-on: ubuntu-latest diff --git a/server/handlers.go b/server/handlers.go index 1a84b431ba..cca20c3445 100644 --- a/server/handlers.go +++ b/server/handlers.go @@ -1400,9 +1400,9 @@ func (s *Server) handleTokenExchange(w http.ResponseWriter, r *http.Request, cli var expiry time.Time switch requestedTokenType { case tokenTypeID: - resp.AccessToken, expiry, err = s.newIDToken(client.ID, claims, scopes, "", "", "", connID) + resp.AccessToken, expiry, err = s.newIDToken(client.ID, claims, scopes, "", "", "", connID, identity.ConnectorData) case tokenTypeAccess: - resp.AccessToken, expiry, err = s.newAccessToken(client.ID, claims, scopes, "", connID) + resp.AccessToken, expiry, err = s.newAccessToken(client.ID, claims, scopes, "", connID, identity.ConnectorData) default: s.tokenErrHelper(w, errRequestNotSupported, "Invalid requested_token_type.", http.StatusBadRequest) return
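Review bot: The Trivy step in the new cf-images job scans the image only after "Build and push" has already published it to ghcr.io, and with trivy-action's default exit code of 0 the findings are uploaded as SARIF but never fail the job, so a vulnerable image is public before anyone sees the report. Consider scanning the locally built image first (build with `load: true`, scan with `exit-code: "1"` and a `severity` threshold, then push in a separate step) so the scan gates publication. The `image-ref` passed to Trivy assumes the `org.opencontainers.image.version` label matches an unsuffixed pushed tag, which only holds because the matrix is limited to `alpine`; adding a second variant would make the scan reference a tag that is not pushed. The third-party actions are pinned to mutable major tags (`actions/checkout@v3`, `docker/build-push-action@v4`, `github/codeql-action/upload-sarif@v2`); pinning to full commit SHAs would protect this release path against tag retargeting. The upload-sarif step also needs `security-events: write`, which is presumably granted by a `permissions` block outside this hunk.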
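Review bot: Both changed calls in handleTokenExchange now hand `identity.ConnectorData` to token issuance, but `identity` is assigned earlier in the function, outside this hunk, and the widened signatures of newIDToken and newAccessToken are not part of this diff, so it is not visible here what the tokens do with that value. In dex, ConnectorData typically carries connector-specific state such as upstream provider tokens; if either function serializes it into the signed token claims, that material becomes readable by whoever holds the token, so it should only be persisted server-side (for example alongside the refresh token record) and never appear in claims. A call-site comment such as `// ConnectorData is passed for server-side persistence; confirm newIDToken/newAccessToken never place it in token claims` would record the intended contract for the next reader. The `err` assigned by both calls is presumably checked below the hunk, where the function continues.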