Merge branch 'main' into web/legibility/dual-select-events

goauthentik · Feb 25, 2025 · 1bc8fa0 · 1bc8fa0
2 parents 3ec0d30 + 91572b8
commit 1bc8fa0
Show file tree

Hide file tree

Showing 682 changed files with 41,877 additions and 16,892 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.12.2
+current_version = 2025.2.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize =
+serialize = 
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:rc_t]
-values =
+values = 
 	rc
 	final
 optional_value = final
@@ -31,4 +31,4 @@ optional_value = final
 
 [bumpversion:file:web/src/common/constants.ts]
 
-[bumpversion:file:website/docs/install-config/install/aws/template.yaml]
+[bumpversion:file:lifecycle/aws/template.yaml]
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -28,7 +28,11 @@ Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
 
--   authentik version: [e.g. 2021.8.5]
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+-   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
@@ -20,7 +20,12 @@ Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
 
--   authentik version: [e.g. 2021.8.5]
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+
+-   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

diff --git a/.github/actions/comment-pr-instructions/action.yml b/.github/actions/comment-pr-instructions/action.yml
@@ -35,14 +35,6 @@ runs:
             AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
             ```
 
-            For arm64, use these values:
-
-            ```shell
-            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
-            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
-            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            ```
-
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
           <details>
@@ -60,18 +52,6 @@ runs:
                     tag: ${{ inputs.tag }}
             ```
 
-            For arm64, use these values:
-
-            ```yaml
-            authentik:
-                outposts:
-                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}-arm64
-            ```
-
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
         edit-mode: replace
diff --git a/.github/actions/docker-push-variables/action.yml b/.github/actions/docker-push-variables/action.yml
@@ -9,6 +9,9 @@ inputs:
   image-arch:
     required: false
     description: "Docker image arch"
+  release:
+    required: true
+    description: "True if this is a release build, false if this is a dev/PR build"
 
 outputs:
   shouldPush:
@@ -29,15 +32,24 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
+  imageTagsJSON:
+    description: "Docker image tags, as a JSON array"
+    value: ${{ steps.ev.outputs.imageTagsJSON }}
   attestImageNames:
     description: "Docker image names used for attestation"
     value: ${{ steps.ev.outputs.attestImageNames }}
+  cacheTo:
+    description: "cache-to value for the docker build step"
+    value: ${{ steps.ev.outputs.cacheTo }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}
   imageMainName:
     description: "Docker image main name"
     value: ${{ steps.ev.outputs.imageMainName }}
+  imageBuildArgs:
+    description: "Docker image build args"
+    value: ${{ steps.ev.outputs.imageBuildArgs }}
 
 runs:
   using: "composite"
@@ -48,6 +60,8 @@ runs:
       env:
         IMAGE_NAME: ${{ inputs.image-name }}
         IMAGE_ARCH: ${{ inputs.image-arch }}
+        RELEASE: ${{ inputs.release }}
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        REF: ${{ github.ref }}
       run: |
         python3 ${{ github.action_path }}/push_vars.py
diff --git a/.github/actions/docker-push-variables/push_vars.py b/.github/actions/docker-push-variables/push_vars.py
@@ -2,6 +2,7 @@
 
 import configparser
 import os
+from json import dumps
 from time import time
 
 parser = configparser.ConfigParser()
@@ -48,7 +49,7 @@
             ]
 else:
     suffix = ""
-    if image_arch and image_arch != "amd64":
+    if image_arch:
         suffix = f"-{image_arch}"
     for name in image_names:
         image_tags += [
@@ -70,12 +71,31 @@ def get_attest_image_names(image_with_tags: list[str]):
     return ",".join(set(image_tags))
 
 
+# Generate `cache-to` param
+cache_to = ""
+if should_push:
+    _cache_tag = "buildcache"
+    if image_arch:
+        _cache_tag += f"-{image_arch}"
+    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
+
+
+image_build_args = []
+if os.getenv("RELEASE", "false").lower() == "true":
+    image_build_args = [f"VERSION={os.getenv('REF')}"]
+else:
+    image_build_args = [f"GIT_BUILD_HASH={sha}"]
+image_build_args = "\n".join(image_build_args)
+
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
     print(f"sha={sha}", file=_output)
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
     print(f"imageTags={','.join(image_tags)}", file=_output)
+    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
     print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
+    print(f"cacheTo={cache_to}", file=_output)
+    print(f"imageBuildArgs={image_build_args}", file=_output)
diff --git a/.github/actions/docker-push-variables/test.sh b/.github/actions/docker-push-variables/test.sh
@@ -1,7 +1,18 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
     GITHUB_REF=ref \
     GITHUB_SHA=sha \
     IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    python $SCRIPT_DIR/push_vars.py
+
+# Pushing PR/main
+GITHUB_OUTPUT=/dev/stdout \
+    GITHUB_REF=ref \
+    GITHUB_SHA=sha \
+    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    DOCKER_USERNAME=foo \
     python $SCRIPT_DIR/push_vars.py
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -35,7 +35,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
+        poetry sync
         cd web && npm ci
     - name: Generate config
       shell: poetry run python {0}

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -82,6 +82,16 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
+  - package-ecosystem: npm
+    directory: "/lifecycle/aws"
+    schedule:
+      interval: daily
+      time: "04:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "lifecycle/aws:"
+    labels:
+      - dependencies
   - package-ecosystem: pip
     directory: "/"
     schedule:

diff --git a/.github/workflows/_reusable-docker-build-single.yaml b/.github/workflows/_reusable-docker-build-single.yaml
@@ -0,0 +1,96 @@
+# Re-usable workflow for a single-architecture build
+name: Single-arch Container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      image_arch:
+        required: true
+        type: string
+      runs-on:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: false
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs:
+      image-digest:
+        value: ${{ jobs.build.outputs.image-digest }}
+
+jobs:
+  build:
+    name: Build ${{ inputs.image_arch }}
+    runs-on: ${{ inputs.runs-on }}
+    outputs:
+      image-digest: ${{ steps.push.outputs.digest }}
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3.4.0
+      - uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+          image-arch: ${{ inputs.image_arch }}
+          release: ${{ inputs.release }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        if: ${{ inputs.release }}
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: generate ts client
+        if: ${{ !inputs.release }}
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            ${{ steps.ev.outputs.imageBuildArgs }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/${{ inputs.image_arch }}
+          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
+          cache-to: ${{ steps.ev.outputs.cacheTo }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true