Proof-of-concept authentication in workflows with Authoirization Code Flow with PKCE method

Author: davehadley

.github/workflows/_oidc_bff_code.yaml

@@ -0,0 +1,70 @@
+name: OIDC BFF Code
+
+on:
+  workflow_call:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v5
+
+      - name: Install stable toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+        with:
+          cache: false
+          components: clippy,rustfmt
+
+      - name: Cache Rust Build
+        uses: Swatinem/rust-cache@v2.8.1
+        with:
+          shared-key: backend/oidc-bff
+          workspaces: backend
+
+      - name: Check Formatting
+        working-directory: backend/oidc-bff
+        run: >
+          cargo fmt
+          --check
+
+      - name: Lint with Clippy
+        working-directory: backend/oidc-bff
+        run: >
+          cargo clippy
+          --all-targets
+          --all-features
+          --no-deps
+          --
+          --deny warnings
+
+      - name: Check Dependencies with Cargo Deny
+        uses: EmbarkStudios/cargo-deny-action@v2.0.13
+        with:
+          command: check licenses ban
+          manifest-path: backend/Cargo.toml
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v5
+
+      - name: Install stable toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+        with:
+          cache: false
+          components: rustfmt
+
+      - name: Cache Rust Build
+        uses: Swatinem/rust-cache@v2.8.1
+        with:
+          shared-key: backend/oidc-bff
+          workspaces: backend
+
+      - name: Run Tests
+        working-directory: backend/oidc-bff
+        run: >
+          cargo test
+          --all-targets
+          --all-features

.github/workflows/_oidc_bff_container.yaml

@@ -0,0 +1,53 @@
+name: OIDC BFF Container
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v5
+
+      - name: Generate Image Name
+        run: echo IMAGE_REPOSITORY=ghcr.io/$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]' | tr '[_]' '[\-]')-oidc-bff >> $GITHUB_ENV
+
+      - name: Log in to GitHub Docker Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Version from Tag
+        id: tags
+        run: echo version=$(echo "${{ github.ref }}" | awk -F '[@v]' '{print $3}') >> $GITHUB_OUTPUT 
+
+      - name: Docker Metadata
+        id: meta
+        uses: docker/metadata-action@v5.9.0
+        with:
+          images: ${{ env.IMAGE_REPOSITORY }}
+          tags: |
+            type=raw,value=${{ steps.tags.outputs.version }}
+            type=raw,value=latest
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.11.1
+
+      - name: Build Image
+        uses: docker/build-push-action@v6.18.0
+        with:
+          context: backend
+          file: backend/Dockerfile.oidc-bff
+          target: deploy
+          push: true
+          load: ${{ !(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/oidc-bff@')) }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/ci.yaml

@@ -63,6 +63,20 @@ jobs:
       contents: read
       packages: write
 
+  oidc_bff_code:
+    # Deduplicate jobs from pull requests and branch pushes within the same repo.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
+    uses: ./.github/workflows/_oidc_bff_code.yaml
+
+  oidc_bff_container:
+    # Deduplicate jobs from pull requests and branch pushes within the same repo.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
+    needs: oidc_bff_code
+    uses: ./.github/workflows/_oidc_bff_container.yaml
+    permissions:
+      contents: read
+      packages: write
+
   supergraph_update:
     # Deduplicate jobs from pull requests and branch pushes within the same repo.
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository