Skip to content
CI

feat(lab-02): Keycloak PostgreSQL backend — JDBC persistence + realm … #10

Sign in to view logs

feat(lab-02): Keycloak PostgreSQL backend — JDBC persistence + realm …

feat(lab-02): Keycloak PostgreSQL backend — JDBC persistence + realm … #10

Workflow file for this run

.github/workflows/ci.yml at fac797a
name: CI
on:
push:
branches: [main, develop, 'feature/**', 'bugfix/**']
pull_request:
branches: [main, develop]
permissions:
contents: read
security-events: write
jobs:
validate:
name: Validate Configuration
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate Docker Compose files
run: |
echo "Validating: docker/docker-compose.standalone.yml"
docker compose -f docker/docker-compose.standalone.yml config -q
echo "OK: docker/docker-compose.standalone.yml"
echo "Validating: docker/docker-compose.lan.yml"
docker compose -f docker/docker-compose.lan.yml config -q
echo "OK: docker/docker-compose.lan.yml"
for f in docker/docker-compose.advanced.yml \
docker/docker-compose.sso.yml docker/docker-compose.integration.yml \
docker/docker-compose.production.yml; do
echo "Checking scaffold: $f"
docker compose -f "$f" config --no-interpolate -q 2>&1 && echo "OK: $f" \
|| echo "WARN: $f has placeholder variables (scaffold — not yet built out)"
done
- name: ShellCheck — lab test scripts
run: |
sudo apt-get install -y shellcheck -qq
shellcheck tests/labs/*.sh
- name: Validate module manifest
run: |
python3 -c "
import sys, re
with open('it-stack-keycloak.yml') as f:
content = f.read()
required = ['module:', 'version:', 'phase:', 'category:', 'ports:']
missing = [k for k in required if k not in content]
if missing:
print('Missing fields:', missing); sys.exit(1)
print('Manifest valid')
"
security-scan:
name: Security Scan
runs-on: ubuntu-latest
needs: validate
steps:
- uses: actions/checkout@v4
- name: Trivy — scan Dockerfile
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: config
scan-ref: .
exit-code: '0'
severity: CRITICAL,HIGH
- name: Trivy — SARIF output
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: config
scan-ref: .
format: sarif
output: trivy-results.sarif
- name: Upload SARIF to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: trivy-results.sarif
lab-01-smoke:
name: Lab 01 — Smoke Test
runs-on: ubuntu-latest
needs: validate
continue-on-error: true # scaffold stubs; full lab runs on real VMs
steps:
- uses: actions/checkout@v4
- name: Install tools
run: sudo apt-get install -y netcat-openbsd
- name: Start standalone stack
run: docker compose -f docker/docker-compose.standalone.yml up -d
- name: Wait for Keycloak to be ready
run: |
echo "Waiting for Keycloak (start-dev mode takes ~90 seconds)..."
timeout 180 bash -c '
until curl -sf http://localhost:8080/health/ready > /dev/null 2>&1; do
sleep 5
done'
echo "Keycloak is ready"
docker compose -f docker/docker-compose.standalone.yml ps
- name: Run Lab 02-01 test script
run: bash tests/labs/test-lab-02-01.sh
- name: Collect logs on failure
if: failure()
run: docker compose -f docker/docker-compose.standalone.yml logs
- name: Cleanup
if: always()
run: docker compose -f docker/docker-compose.standalone.yml down -v
lab-02-smoke:
name: Lab 02 — PostgreSQL Persistence
runs-on: ubuntu-latest
needs: validate
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install tools
run: sudo apt-get install -y netcat-openbsd curl
- name: Start LAN stack (keycloak + postgres)
run: docker compose -f docker/docker-compose.lan.yml up -d
- name: Wait for Keycloak health
run: |
timeout 200 bash -c '
until curl -sf http://localhost:8080/health/ready; do
sleep 5
done'
echo "Keycloak is ready"
- name: Run Lab 02-02 test script
env:
KC_PASS: "Lab02Password!"
run: bash tests/labs/test-lab-02-02.sh
- name: Collect logs on failure
if: failure()
run: docker compose -f docker/docker-compose.lan.yml logs
- name: Cleanup
if: always()
run: docker compose -f docker/docker-compose.lan.yml down -v