From e13f3e4cc668c4be49a7d58ba3487a90f2bf77ed Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Fri, 23 Jan 2026 09:39:10 -0400 Subject: [PATCH 1/7] Use desktop-engineering/go/generate instead of manual build Let's switch to using the desktop-engineering action to handle our go generates as it is more complete and easier to use. --- .github/workflows/tics-run.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml index b0c9035261..ce4840a545 100644 --- a/.github/workflows/tics-run.yaml +++ b/.github/workflows/tics-run.yaml @@ -40,6 +40,10 @@ jobs: go install honnef.co/go/tools/cmd/staticcheck@latest + - uses: canonical/desktop-engineering/gh-actions/go/generate@main + with: + tools-directory: ./tools + - name: Fetch last successful QA run id env: GITHUB_TOKEN: ${{ github.token }} @@ -73,7 +77,6 @@ jobs: # toolchain setup by the action is properly updated to the one we defined in go.mod. Prebuilding also # helps to speed up the TICS analysis, as we would already have the build cache populated. find pam -name '*.so' -print -delete - go generate -C pam -x go build ./cmd/authd go -C ./authd-oidc-brokers build -o authd-vanilla ./cmd/authd-oidc go -C ./authd-oidc-brokers build -tags=withmsentraid -o authd-msentraid ./cmd/authd-oidc From a510ae1ebfaa88bf3383072e251699d6d8426d62 Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Thu, 29 Jan 2026 06:54:01 -0400 Subject: [PATCH 2/7] Switch to using TICS github action Now that we have the project under the Canonical org, we can use the tics specific self-hosted runner and the tics action in order to run the SSDLC for our repo. --- .github/workflows/tics-run.yaml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml index ce4840a545..48e48ebc30 100644 --- a/.github/workflows/tics-run.yaml +++ b/.github/workflows/tics-run.yaml 
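Review bot: The new step references `canonical/desktop-engineering/gh-actions/go/generate@main`, a mutable branch ref, so the code this job executes with the job's permissions can change without any change being reviewed in this repository. Pin it to a full commit SHA, e.g. `uses: canonical/desktop-engineering/gh-actions/go/generate@<sha>  # main`, so bumps are deliberate and auditable; the existing `dpkg-install-speedup@main` reference elsewhere in this file has the same issue and could be pinned in the same pass. The `go generate -C pam -x` removed in the second hunk is presumably now covered by the action's `tools-directory: ./tools` input — if the PAM module generation lives outside `./tools`, confirm the action still regenerates it before the build step deletes the stale `.so` files.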
@@ -18,7 +18,7 @@ env: jobs: tics: name: TIOBE TICS Framework - runs-on: ubuntu-latest + runs-on: [self-hosted, amd64, tiobe, noble] steps: - uses: actions/checkout@v6 - uses: actions/setup-go@v6 @@ -58,20 +58,14 @@ jobs: path: .artifacts/ run-id: ${{ env.LAST_QA_ID }} - - name: TICS Scan - env: - TICSAUTHTOKEN: ${{ secrets.TICSAUTHTOKEN }} - GH_TOKEN: ${{ github.token }} + - name: Build artifacts run: | - set -e + set -eu # Move coverage to expected directory mkdir coverage mv .artifacts/coverage/Cobertura.xml coverage/coverage.xml - # Install TICS - . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=GoProjects&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/') - # TICS needs to build the artifacts in order to run the analysis. # Since it uses the GOTOOLCHAIN=local stanza, it's better if we prebuild it to make sure that the Go # toolchain setup by the action is properly updated to the one we defined in go.mod. Prebuilding also @@ -82,4 +76,12 @@ jobs: go -C ./authd-oidc-brokers build -tags=withmsentraid -o authd-msentraid ./cmd/authd-oidc go -C ./authd-oidc-brokers build -tags=withgoogle -o authd-google ./cmd/authd-oidc - TICSQServer -project authd -tmpdir /tmp/tics -branchdir . + - name: TICS Analysis + uses: tiobe/tics-github-action@v3 + with: + mode: qserver + project: authd + branchdir: . + viewerUrl: https://canonical.tiobe.com/tiobeweb/TICS/api/cfg?name=GoProjects + ticsAuthToken: ${{ secrets.TICSAUTHTOKEN }} + installTics: true From ff3167fec8f611da3ea3c579662fa094872ee85f Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Thu, 29 Jan 2026 08:15:00 -0400 Subject: [PATCH 3/7] Fix Rust update step The self-hosted runners do not have rustup by default like the github ones do, so we need to install it first before trying to update the Rust toolchain. --- .github/workflows/tics-run.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
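Review bot: `runs-on: [self-hosted, amd64, tiobe, noble]` moves this job onto a persistent runner, which is only safe if the workflow cannot be triggered by untrusted code; the `on:` block is outside this diff, so confirm it is limited to `push`/`schedule`/`workflow_dispatch` rather than `pull_request` from forks, or gate the job behind a protected environment. Because the runner's filesystem survives between runs, steps here should not assume a clean workspace — the later `find pam -name '*.so' -print -delete` handles one stale artifact, but Go build/module caches and the rustup toolchain also persist. A short comment above the line, `# Persistent self-hosted runner: do not assume a clean workspace or toolchain`, would make that expectation explicit for future edits.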
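Review bot: `uses: tiobe/tics-github-action@v3` is a floating major tag for a third-party action that receives `secrets.TICSAUTHTOKEN` and, with `installTics: true`, presumably fetches and runs the TICS installer at run time; pin it to a full commit SHA (`tiobe/tics-github-action@<sha>  # v3`) so the code handling the token only changes through a reviewed bump. Replacing the `curl … | .` install with the action and tightening the build step to `set -eu` are both improvements. Since the action now owns the TICS invocation, a one-line comment such as `# qserver mode uploads results to the TICS viewer; coverage must already be in ./coverage/coverage.xml` above the step would document the contract the preceding steps are satisfying.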
diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml index 48e48ebc30..ef40f6a1cc 100644 --- a/.github/workflows/tics-run.yaml +++ b/.github/workflows/tics-run.yaml @@ -14,6 +14,7 @@ env: libglib2.0-dev libpam-dev libpwquality-dev + rustup jobs: tics: @@ -25,11 +26,6 @@ jobs: with: go-version-file: go.mod - - - name: Update Rust version - run: | - rustup update stable - - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main - name: Install dependencies run: | @@ -40,6 +36,10 @@ jobs: go install honnef.co/go/tools/cmd/staticcheck@latest + - name: Update Rust version + run: | + rustup update stable + - uses: canonical/desktop-engineering/gh-actions/go/generate@main with: tools-directory: ./tools From 434a86c9a4dccf9c3ca16a85384f50465d78bb11 Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Thu, 29 Jan 2026 09:46:23 -0400 Subject: [PATCH 4/7] Fix workflow name We changed the name of the QA workflow, so we need to propagate the change --- .github/workflows/tics-run.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml index ef40f6a1cc..d340e91fa1 100644 --- a/.github/workflows/tics-run.yaml +++ b/.github/workflows/tics-run.yaml @@ -49,7 +49,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} run: | set -eu - echo "LAST_QA_ID=$(gh run list --workflow 'QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV + echo "LAST_QA_ID=$(gh run list --workflow 'authd QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV - name: Download coverage artifact uses: actions/download-artifact@v7 From 0ce6859c0cfb01e9d95c057984ece7df78196c59 Mon Sep 17 00:00:00 2001 
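Review bot: `rustup update stable` in the relocated step pulls whatever the latest stable Rust is at run time, so the toolchain used for analysis is not pinned to the repository and can drift between runs on the persistent runner; if the project carries a `rust-toolchain.toml` (not visible here) prefer letting rustup honour it, otherwise pin the version explicitly with `rustup toolchain install <version> --profile minimal`. With the Ubuntu `rustup` package freshly installed by apt there is no toolchain yet, so `rustup toolchain install stable` states the intent more clearly than "update". A comment above the step, `# rustup comes from the noble apt package on self-hosted runners; install the toolchain it needs`, would explain why this step now sits after the dependency install.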
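Review bot: `LAST_QA_ID=$(gh run list … | jq '.[].databaseId')` silently yields an empty value when no successful run of the renamed workflow exists on `main` yet — exactly the situation right after a rename like this one — because `set -eu` does not fail on a command substitution whose pipeline exits 0 with no output, and the following `download-artifact` step then fails with an unrelated error. Guard it before writing to `$GITHUB_ENV`, e.g. `id=$(gh run list …); test -n "$id" || { echo 'no successful QA run found on main' >&2; exit 1; }`. Note also that `--limit 1 -b main` selects the most recent successful run rather than the run for the commit under analysis, so the coverage can lag the code being scanned; a comment stating that trade-off would help the next reader.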
From: denisonbarbosa Date: Fri, 30 Jan 2026 06:52:35 -0400 Subject: [PATCH 5/7] Fix command to build authd-msentraid We need to sync our submodules and build libhimmelblau before building the authd-msentraid broker --- .github/workflows/tics-run.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml index d340e91fa1..85ea72b231 100644 --- a/.github/workflows/tics-run.yaml +++ b/.github/workflows/tics-run.yaml @@ -73,9 +73,14 @@ jobs: find pam -name '*.so' -print -delete go build ./cmd/authd go -C ./authd-oidc-brokers build -o authd-vanilla ./cmd/authd-oidc - go -C ./authd-oidc-brokers build -tags=withmsentraid -o authd-msentraid ./cmd/authd-oidc go -C ./authd-oidc-brokers build -tags=withgoogle -o authd-google ./cmd/authd-oidc + # We also need to build libhimmelblau when building the msentraid variant + git submodule update --init + cd ./authd-oidc-brokers + go generate --tags=withmsentraid ./internal/providers/msentraid/... + go build -tags=withmsentraid -o authd-msentraid ./cmd/authd-oidc + - name: TICS Analysis uses: tiobe/tics-github-action@v3 with: From e5c9ee255e9902f7467cbd4cda04e5f67e8fae6c Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Mon, 2 Feb 2026 09:56:20 -0400 Subject: [PATCH 6/7] Rename executable for vanilla broker We switched to using authd-oidc as the name for the vanilla oidc broker, so let's use the same name for the executable here to keep consistency and avoid any confusions. --- .github/workflows/tics-run.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml index 85ea72b231..6889d7d04d 100644 --- a/.github/workflows/tics-run.yaml +++ b/.github/workflows/tics-run.yaml 
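Review bot: The `cd ./authd-oidc-brokers` changes the working directory for the remainder of the step, which departs from the `go -C ./authd-oidc-brokers` idiom on the lines just above and will silently break anything appended after the build later; `go -C ./authd-oidc-brokers generate -tags=withmsentraid ./internal/providers/msentraid/...` and `go -C ./authd-oidc-brokers build -tags=withmsentraid -o authd-msentraid ./cmd/authd-oidc` keep the step consistent without the `cd`. `git submodule update --init` checks the submodule out at the commit recorded in the superproject, which is the right pinning; add `--recursive` only if libhimmelblau itself has nested submodules. Since the commit message says this `go generate` builds libhimmelblau, say so in the workflow, e.g. `# go generate builds libhimmelblau from the submodule, so it must be checked out first`.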
@@ -72,7 +72,7 @@ jobs: # helps to speed up the TICS analysis, as we would already have the build cache populated. find pam -name '*.so' -print -delete go build ./cmd/authd - go -C ./authd-oidc-brokers build -o authd-vanilla ./cmd/authd-oidc + go -C ./authd-oidc-brokers build -o authd-oidc ./cmd/authd-oidc go -C ./authd-oidc-brokers build -tags=withgoogle -o authd-google ./cmd/authd-oidc # We also need to build libhimmelblau when building the msentraid variant From 755f953c4b6fcc8d8069f7589c7e81236929dfdd Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Mon, 2 Feb 2026 10:16:13 -0400 Subject: [PATCH 7/7] Merge authd and brokers coverage reports Now that we are running the analysis as a single project, we need to merge the coverage reports and provide the coverage as expected. --- .github/workflows/tics-run.yaml | 42 ++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/.github/workflows/tics-run.yaml b/.github/workflows/tics-run.yaml index 6889d7d04d..221e15b25e 100644 --- a/.github/workflows/tics-run.yaml +++ b/.github/workflows/tics-run.yaml @@ -11,6 +11,7 @@ env: build_dependencies: >- clang-tools clang + dotnet8 libglib2.0-dev libpam-dev libpwquality-dev 
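Review bot: `dotnet8` is added to the apt build dependencies solely so the coverage-merge step can run `dotnet tool install -g dotnet-reportgenerator-globaltool`, which fetches the latest version of a NuGet package at run time onto the persistent runner with no version pin; consider `--version <x.y.z>` on that install and a comment here, `# dotnet8: only needed to run reportgenerator for the coverage merge`, so a future cleanup knows why a .NET SDK sits in a Go/C project's dependency list. Pulling an SDK via apt is otherwise fine, as it comes from the distro archive rather than an ad-hoc download.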
@@ -44,27 +45,50 @@ jobs: with: tools-directory: ./tools - - name: Fetch last successful QA run id + - name: Fetch last successful QA runs ids env: GITHUB_TOKEN: ${{ github.token }} run: | set -eu - echo "LAST_QA_ID=$(gh run list --workflow 'authd QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV + echo "LAST_AUTHD_QA_ID=$(gh run list --workflow 'authd QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV + echo "LAST_BROKERS_QA_ID=$(gh run list --workflow 'Brokers QA & sanity checks' --limit 1 --status success --json databaseId -b main | jq '.[].databaseId')" >> $GITHUB_ENV - - name: Download coverage artifact + - name: Download coverage artifact from authd QA uses: actions/download-artifact@v7 with: github-token: ${{ github.token }} - path: .artifacts/ - run-id: ${{ env.LAST_QA_ID }} + path: .artifacts/authd + run-id: ${{ env.LAST_AUTHD_QA_ID }} - - name: Build artifacts + - name: Download coverage artifact from brokers QA + uses: actions/download-artifact@v7 + with: + github-token: ${{ github.token }} + path: .artifacts/brokers + run-id: ${{ env.LAST_BROKERS_QA_ID }} + + - name: Merge coverage reports run: | set -eu - # Move coverage to expected directory - mkdir coverage - mv .artifacts/coverage/Cobertura.xml coverage/coverage.xml + dotnet tool install -g dotnet-reportgenerator-globaltool + + export PATH="$PATH:/home/ubuntu/.dotnet/tools" + + mv .artifacts/authd/coverage/Cobertura.xml .artifacts/authd-coverage.xml + mv .artifacts/brokers/Cobertura.xml .artifacts/broker-coverage.xml + + # TICS expects the coverage report to: + # - be in a directory named 'coverage' in the current working directory + mkdir -p coverage + + # - have a single report named coverage.xml + reportgenerator -reports:.artifacts/*.xml -targetdir:coverage -reporttypes:Cobertura + mv coverage/Cobertura.xml coverage/coverage.xml + + - name: Build artifacts + run: | + set -eu 
# TICS needs to build the artifacts in order to run the analysis. # Since it uses the GOTOOLCHAIN=local stanza, it's better if we prebuild it to make sure that the Go