Add Swedish translation for admin messages

Adds messages_sv.properties to provide Swedish translations for all admin interface messages including password validation, LDAP errors, client URL validation, and error messages.

Closes #45281

Signed-off-by: Rickard Otvos <rickard.0413@gmail.com>

.editorconfig

@@ -1,11 +1,13 @@
 root = true
 
-[{*.java,*.js,*.tsx,*.adoc}]
+[{*.js,*.tsx,*.adoc}]
 insert_final_newline = true
 trim_trailing_whitespace = true
 
 [*.java]
+insert_final_newline = true
 # Don't use class imports with an asterisk ('*') in IntelliJ
 ij_java_use_single_class_imports = true
 ij_java_class_count_to_use_import_on_demand = 999
 ij_java_names_count_to_use_import_on_demand = 999
+ij_java_imports_layout = java.**,javax.**,|,jakarta.**,|,org.keycloak.**,|,*,|,$jakarta.**,$java.**,javax.**,|,$org.keycloak.**,|,$*

.github/CODEOWNERS

@@ -2,7 +2,7 @@
 # Overview
 #
 # Pattern used to match files follows most of the same rules as used in gitignore files. Order is
-# important; the last matching pattern takes precendence.
+# important; the last matching pattern takes precedence.
 #
 # For more info see:
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
@@ -30,7 +30,6 @@
 # Core Clients (@keycloak/core-clients-maintainers)
 ###################################################################################################
 
-/js/libs/keycloak-js/                                       @keycloak/core-clients-maintainers
 
 ###################################################################################################
 # Cloud Native (@keycloak/cloud-native-maintainers)
@@ -41,19 +40,24 @@
 /docs/guides/server/                                        @keycloak/cloud-native-maintainers @keycloak/maintainers
 /docs/guides/operator/                                      @keycloak/cloud-native-maintainers @keycloak/maintainers
 /integration/client-cli/admin-cli/                          @keycloak/cloud-native-maintainers @keycloak/maintainers
+/rest/admin-v2/                                             @keycloak/cloud-native-maintainers @keycloak/maintainers
 
 ###################################################################################################
 # UI (@keycloak/ui-maintainers)
 ###################################################################################################
 
-/eslint.config.js                                           @keycloak/ui-maintainers
-/package.json                                               @keycloak/ui-maintainers
-/pnpm-lock.yaml                                             @keycloak/ui-maintainers
-/pnpm-workspace.yaml                                        @keycloak/ui-maintainers
-/tsconfig.eslint.json                                       @keycloak/ui-maintainers
-/tsconfig.json                                              @keycloak/ui-maintainers
 /themes/                                                    @keycloak/ui-maintainers @keycloak/maintainers
-/js/                                                        @keycloak/ui-maintainers
-/js/**/maven-resources-community/**/messages_*.properties   @keycloak/ui-maintainers @keycloak/maintainers
-/adapters/oidc/js/                                          @keycloak/ui-maintainers
-/rest/admin-ui-ext/                                         @keycloak/ui-maintainers
+/js/                                                        @keycloak/ui-maintainers @keycloak/maintainers
+/js/**/messages_*.properties                                @keycloak/ui-maintainers @keycloak/maintainers
+/adapters/oidc/js/                                          @keycloak/ui-maintainers @keycloak/maintainers
+/rest/admin-ui-ext/                                         @keycloak/ui-maintainers @keycloak/maintainers
+
+###################################################################################################
+# SRE (@keycloak/sre-maintainers)
+###################################################################################################
+
+/model/infinispan/                                          @keycloak/sre-maintainers @keycloak/maintainers
+/tests/clustering/                                          @keycloak/sre-maintainers @keycloak/maintainers
+/test-framework/clustering/                                 @keycloak/sre-maintainers @keycloak/maintainers
+/docs/guides/high-availability/                             @keycloak/sre-maintainers @keycloak/maintainers
+/docs/guides/observability/                                 @keycloak/sre-maintainers @keycloak/maintainers

.github/ISSUE_TEMPLATE/bug.yml

@@ -1,6 +1,7 @@
 name: Bug Report
 description: Report a non-security sensitive bug in Keycloak
 labels: ["kind/bug", "status/triage"]
+type: bug
 body:
   - type: checkboxes
     attributes:
@@ -48,6 +49,7 @@ body:
         - infinispan
         - ldap
         - login/ui
+        - observability
         - oidc
         - oid4vc
         - operator

.github/ISSUE_TEMPLATE/enhancement.yml

@@ -1,12 +1,34 @@
 name: Enhancement Request
 description: Request an enhancement to an existing feature
 labels: ["kind/enhancement", "status/triage"]
+type: enhancement
 body:
   - type: textarea
     id: description
     attributes:
       label: Description
-      description: Describe the enhancement at a high-level.
+      description: Describe the enhancement at a high-level
+    validations:
+      required: true
+  - type: textarea
+    id: value_proposition
+    attributes:
+      label: Value Proposition
+      description: Describe what value the enhancement brings
+    validations:
+      required: true
+  - type: textarea
+    id: goals
+    attributes:
+      label: Goals
+      description: Describe what the enhancement should provide
+    validations:
+      required: true
+  - type: textarea
+    id: non_goals
+    attributes:
+      label: Non-Goals
+      description: Describe what the enhancement should not provide, or is out of scope
     validations:
       required: true
   - type: input
@@ -16,20 +38,13 @@ body:
       description: |
         If there has been a discussion around the enhancement, provide a link to the discussion.
 
-        Please note that larger enhancements should be discussed through [GitHub Discussion](https://github.com/keycloak/keycloak/discussions/categories/ideas).
+        Please note that all, except small requests, should be discussed through [GitHub Discussion](https://github.com/keycloak/keycloak/discussions/categories/ideas).
     validations:
       required: false
   - type: textarea
-    id: motivation
+    id: notes
     attributes:
-      label: Motivation
-      description: Describe why the feature should be added.
-    validations:
-      required: false
-  - type: textarea
-    id: details
-    attributes:
-      label: Details
-      description: More details? Implementation ideas? Anything that will give us more context about the enhancement you are proposing!
+      label: Notes
+      description: Design ideas? Implementation ideas? Anything that will give us more context about the enhancement you are proposing!
     validations:
       required: false

.github/ISSUE_TEMPLATE/epic.yml

@@ -1,36 +0,0 @@
-name: Epic
-description: A large feature that is broken down into multiple linked issues.
-labels: ["kind/epic", "status/triage"]
-body:
-  - type: textarea
-    id: description
-    attributes:
-      label: Description
-      description: Describe the feature at a high-level.
-    validations:
-      required: true
-  - type: input
-    id: discussion
-    attributes:
-      label: Discussion
-      description: |
-        Provide a link to the GitHub Discussion for the feature.
-    validations:
-      required: true
-  - type: textarea
-    id: issues
-    attributes:
-      label: Issues
-      description: List the issues related to this epic.
-      placeholder: |
-        - #1
-        - #2
-    validations:
-      required: false
-  - type: textarea
-    id: motivation
-    attributes:
-      label: Motivation
-      description: Provide a brief explanation of why the feature should be added.
-    validations:
-      required: false

.github/ISSUE_TEMPLATE/feature.yml

@@ -1,12 +1,34 @@
 name: Feature Request
 description: Request a new feature to be added to Keycloak
 labels: ["kind/feature", "status/triage"]
+type: feature
 body:
   - type: textarea
     id: description
     attributes:
       label: Description
-      description: Describe the feature at a high-level.
+      description: Describe the feature at a high-level
+    validations:
+      required: true
+  - type: textarea
+    id: value_proposition
+    attributes:
+      label: Value Proposition
+      description: Describe what value the feature brings
+    validations:
+      required: true
+  - type: textarea
+    id: goals
+    attributes:
+      label: Goals
+      description: Describe what capabilities the feature should provide
+    validations:
+      required: true
+  - type: textarea
+    id: non_goals
+    attributes:
+      label: Non-Goals
+      description: Describe capabilities the feature should not provide, or is out of scope
     validations:
       required: true
   - type: input
@@ -20,16 +42,9 @@ body:
     validations:
       required: false
   - type: textarea
-    id: motivation
+    id: notes
     attributes:
-      label: Motivation
-      description: Describe why the feature should be added.
-    validations:
-      required: false
-  - type: textarea
-    id: details
-    attributes:
-      label: Details
+      label: Notes
       description: Design ideas? Implementation ideas? Anything that will give us more context about the feature you are proposing!
     validations:
       required: false

.github/ISSUE_TEMPLATE/milestone.yml

@@ -0,0 +1,33 @@
+name: Milestone
+description: Milestones are used to break up larger features
+labels: ["kind/milestone", "status/triage"]
+type: milestone
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: Describe the milestone at a high-level
+    validations:
+      required: true
+  - type: textarea
+    id: goals
+    attributes:
+      label: Goals
+      description: Describe what capabilities the milestone should provide
+    validations:
+      required: true
+  - type: textarea
+    id: non_goals
+    attributes:
+      label: Non-Goals
+      description: Describe capabilities the milestone should not provide, or is out of scope
+    validations:
+      required: true
+  - type: textarea
+    id: notes
+    attributes:
+      label: Notes
+      description: Design ideas? Implementation ideas? Anything that will give us more about the milestone
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/task.yml

@@ -1,6 +1,7 @@
 name: Task
 description: Any tasks that are not directly adding a new feature, enhancement or fixing a bug
 labels: ["kind/task"]
+type: task
 body:
   - type: textarea
     id: description

.github/actions/archive-surefire-reports/action.yml

@@ -1,46 +0,0 @@
-name: Archive Surefire reports
-description: It will upload and archive surefire reports per particular test run.
-inputs:
-  job-id:
-    description: 'Id of the particular job run.'
-    required: true
-  release-branches:
-    description: 'List of all related release branches (in JSON format)'
-    required: false
-    default: '["refs/heads/release/22.0","refs/heads/release/24.0"]'
-  keep-days:
-    description: 'For how many days to store the particular artifact.'
-    required: false
-    default: 1
-
-runs:
-  using: composite
-  steps:
-    - id: find-surefire-reports-linux
-      name: Find Surefire reports directories
-      if: runner.os == 'Linux'
-      shell: bash
-      run: |
-        echo "dirs<<EOF" >> $GITHUB_OUTPUT
-        echo "$(find ~+ -type d -not -empty -name surefire-reports*)" >> $GITHUB_OUTPUT 
-        echo "EOF" >> $GITHUB_OUTPUT
-
-    - id: find-surefire-reports-win
-      name: Find Surefire reports directories
-      if: runner.os == 'Windows'
-      shell: bash
-      run: |
-        echo "dirs<<EOF" >> $GITHUB_OUTPUT
-        echo "$(find ~+ -type d -not -empty -name surefire-reports* | sed 's@/d@D:@')" >> $GITHUB_OUTPUT
-        echo "EOF" >> $GITHUB_OUTPUT
-
-    - id: upload-surefire-linux
-      name: Upload Surefire reports
-      if: (!cancelled() && contains(fromJSON(inputs.release-branches), github.ref) && contains(fromJSON('["push", "workflow_dispatch"]'), github.event_name))
-      uses: actions/upload-artifact@v4
-      with:
-        name: surefire-${{ inputs.job-id }}
-        path: |
-          ${{ steps.find-surefire-reports-linux.outputs.dirs }}
-          ${{ steps.find-surefire-reports-win.outputs.dirs }}
-        retention-days: ${{ inputs.keep-days }}

.github/actions/azure-create-database/action.yml

@@ -0,0 +1,102 @@
+name: Create Azure SQL Database
+description: Create Azure SQL Database
+
+inputs:
+  name:
+    description: 'The name prefix for the Azure SQL resources'
+    required: true
+  region:
+    description: 'The Azure region used to host the SQL server'
+    required: true
+  admin-user:
+    description: 'The admin username for the SQL server'
+    required: false
+    default: 'sqladmin'
+  db-user:
+    description: 'The db username for the Keycloak DB'
+    required: false
+    default: 'keycloak'
+  admin-password:
+    description: 'Override admin password (auto-generated if not provided)'
+    required: false
+  db-password:
+    description: 'Override DB password (auto-generated if not provided)'
+    required: false
+  subscription:
+    description: 'Azure subscription ID'
+    required: true
+
+outputs:
+  endpoint:
+    description: 'The Endpoint URL for SQL clients to connect to'
+    value: ${{ steps.create.outputs.endpoint }}
+  db:
+    description: 'Database name'
+    value: ${{ steps.create.outputs.db }}
+  username:
+    description: 'DB user principal'
+    value: ${{ steps.create.outputs.username }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Generate secure passwords
+      id: generate-passwords
+      shell: bash
+      run: |
+        # Generate passwords using OpenSSL
+        generate_password() {
+          openssl rand -base64 48 | tr -d '\n/' | head -c 32
+        }
+        
+        # Use provided passwords or generate random ones
+        if [[ -n "${{ inputs.admin-password }}" ]]; then
+          ADMIN_PASSWORD="${{ inputs.admin-password }}"
+          echo "INFO: Using provided admin password"
+        else
+          ADMIN_PASSWORD=$(generate_password)
+          echo "INFO: Using generated admin password"
+        fi
+        
+        if [[ -n "${{ inputs.db-password }}" ]]; then
+          DB_PASSWORD="${{ inputs.db-password }}"
+          echo "INFO: Using provided DB password"
+        else
+          DB_PASSWORD=$(generate_password)
+          echo "INFO: Using generated DB password"
+        fi
+        
+        # Mask passwords
+        echo "::add-mask::$ADMIN_PASSWORD"
+        echo "::add-mask::$DB_PASSWORD"
+        
+        # Export to environment for subsequent steps
+        {
+          echo "AZURE_ADMIN_PASSWORD=$ADMIN_PASSWORD"
+          echo "AZURE_DB_PASSWORD=$DB_PASSWORD"
+        } >> $GITHUB_ENV
+    
+    - name: Install sqlcmd (mssql-tools)
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo ACCEPT_EULA=Y apt-get install -y curl apt-transport-https gnupg
+        curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
+        curl https://packages.microsoft.com/config/ubuntu/22.04/prod.list | sudo tee /etc/apt/sources.list.d/msprod.list
+        sudo apt-get update
+        sudo ACCEPT_EULA=Y apt-get install -y mssql-tools unixodbc-dev
+        echo "/opt/mssql-tools/bin" >> $GITHUB_PATH
+
+    - id: create
+      shell: bash
+      run: |
+        ./azure_create_sql.sh
+      working-directory: .github/scripts/azure/sql
+      env:
+        AZURE_NAME: ${{ inputs.name }}
+        AZURE_REGION: ${{ inputs.region }}
+        AZURE_SUBSCRIPTION: ${{ inputs.subscription }}
+        AZURE_ADMIN_PASSWORD: ${{ env.AZURE_ADMIN_PASSWORD }}
+        AZURE_ADMIN_USER: ${{ inputs.admin-user }}
+        AZURE_DB_PASSWORD: ${{ env.AZURE_DB_PASSWORD }}
+        AZURE_DB_USER: ${{ inputs.db-user }}

.github/actions/build-keycloak/action.yml

@@ -24,9 +24,9 @@ runs:
       with:
         create-cache-if-it-doesnt-exist: true
 
-    - id: frontend-plugin-cache
-      name: Frontend Plugin Cache
-      uses: ./.github/actions/frontend-plugin-cache
+    - id: pnpm-store-cache
+      name: PNPM store cache
+      uses: ./.github/actions/pnpm-store-cache
 
     - id: build-keycloak
       name: Build Keycloak
@@ -35,7 +35,7 @@ runs:
         # Ensure this plugin is built first to avoid warnings in the build
         ./mvnw install -Pdistribution -am -pl distribution/maven-plugins/licenses-processor
         # By using "dependency:resolve", it will download all dependencies used in later stages for running the tests
-        ./mvnw install dependency:resolve -V -e -DskipTests -DskipExamples -DexcludeGroupIds=org.keycloak -Dsilent=true
+        ./mvnw install dependency:resolve -V -e -DskipTests -DskipExamples -DexcludeGroupIds=org.keycloak -Dsilent=true -DcommitProtoLockChanges=true
 
     - id: compress-keycloak-maven-repository
       name: Compress Keycloak Maven artifacts
@@ -49,7 +49,7 @@ runs:
     - id: upload-keycloak-maven-repository
       name: Upload Keycloak Maven artifacts
       if: inputs.upload-m2-repo == 'true'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: m2-keycloak.tzts
         path: m2-keycloak.tzts
@@ -58,7 +58,7 @@ runs:
     - id: upload-keycloak-dist
       name: Upload Keycloak dist
       if: inputs.upload-dist == 'true'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: keycloak-dist
         path: quarkus/dist/target/keycloak*.tar.gz

.github/actions/conditional/action.yml

@@ -22,9 +22,6 @@ outputs:
   ci-webauthn:
     description: Should "ci.yml" execute (WebAuthn)
     value: ${{ steps.changes.outputs.ci-webauthn }}
-  ci-test-poc:
-    description: Should "ci.yml" execute (Test PoC)
-    value: ${{ steps.changes.outputs.ci-test-poc }}
   operator:
     description: Should "operator-ci.yml" execute
     value: ${{ steps.changes.outputs.operator }}
@@ -37,6 +34,9 @@ outputs:
   codeql-javascript:
     description: Should "codeql-analysis.yml / javascript" execute
     value: ${{ steps.changes.outputs.codeql-javascript }}
+  codeql-actions:
+    description: Should "codeql-analysis.yml / GitHub Actions" execute
+    value: ${{ steps.changes.outputs.codeql-actions }}
   codeql-typescript:
     description: Should "codeql-analysis.yml / typescript" execute
     value: ${{ steps.changes.outputs.codeql-typescript }}
@@ -49,6 +49,9 @@ outputs:
   sssd:
     description: Should "sssd.yml" execute
     value: ${{ steps.changes.outputs.sssd }}
+  admin-v2:
+    description: Should Admin v2 tests execute
+    value: ${{ steps.changes.outputs.admin-v2 }}
 
 runs:
   using: composite

.github/actions/conditional/conditions

@@ -3,6 +3,7 @@
 # To test a pattern run '.github/actions/conditional/conditional.sh <remote name> <branch>'
 
 .github/actions/                            ci ci-quarkus ci-store ci-sssd operator js codeql-java codeql-javascript codeql-typescript guides documentation
+.github/fake_fips/                          ci
 .github/scripts/                            ci ci-quarkus ci-sssd
 .github/scripts/ansible/                    ci-store
 .github/scripts/aws/                        ci-store
@@ -10,9 +11,13 @@
 .github/workflows/ci.yml                    ci ci-quarkus ci-store ci-sssd ci-webauthn
 .github/workflows/operator-ci.yml           operator
 .github/workflows/js-ci.yml                 js
-.github/workflows/codeql-analysis.yml       codeql-java codeql-javascript codeql-typescript
+.github/workflows/codeql-analysis.yml       codeql-java codeql-javascript codeql-typescript codeql-actions
+.github/codeql/codeql-config-javascript.yml codeql-javascript
+.github/codeql/codeql-config-typescript.yml codeql-typescript
 .github/workflows/guides.yml                guides
 .github/workflows/documentation.yml         documentation
+.github/workflows/*.yml                     codeql-actions
+.github/actions/**/*.yml                    codeql-actions
 
 .mvn/                                       ci ci-quarkus ci-store ci-sssd ci-webauthn operator js codeql-java codeql-javascript codeql-typescript guides documentation
 mvnw                                        ci ci-quarkus ci-store ci-sssd ci-webauthn operator js codeql-java codeql-javascript codeql-typescript guides documentation
@@ -32,18 +37,12 @@ operator/                                   operator
 docs/guides/                                guides
 docs/documentation/                         documentation
 
-eslint.config.js                            js
-package.json                                js
-pnpm-lock.yaml                              js
-pnpm-workspace.yaml                         js
-tsconfig.eslint.json                        js
-tsconfig.json                               js
 js/                                         js
 rest/admin-ui-ext/                          js
 services/                                   js
+themes/                                     js
 js/apps/account-ui/                         ci ci-webauthn
 js/libs/ui-shared/                          ci ci-webauthn
-js/libs/keycloak-js/                        ci ci-quarkus
 
 # The sections below contain a sub-set of files existing in the project which are supported languages by CodeQL.
 # See: https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/
@@ -61,4 +60,4 @@ js/libs/keycloak-js/                        ci ci-quarkus
 
 testsuite::database-suite                   ci-store
 
-test-poc/                                   ci ci-test-poc
+rest/admin-v2/                              admin-v2

.github/actions/corepack-setup/action.yml

@@ -0,0 +1,36 @@
+name: Setup Corepack
+description: Sets up and caches the Corepack tools to speed up the build.
+
+runs:
+  using: composite
+  steps:
+    - name: Enable Corepack
+      shell: bash
+      run: corepack enable
+
+    - id: cache-key
+      name: Generate key for tools cache
+      shell: bash
+      working-directory: js
+      run: echo "key=corepack-tools-$(jq -r '.packageManager' package.json)" >> $GITHUB_OUTPUT
+
+    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      id: cache
+      name: Cache Corepack tools
+      with:
+        # See: https://github.com/nodejs/corepack?tab=readme-ov-file#offline-workflow
+        path: ./js/corepack.tgz
+        key: ${{ runner.os }}-${{ steps.cache-key.outputs.key }}
+
+    - name: Install Corepack tools from cache
+      if: steps.cache.outputs.cache-hit == 'true'
+      shell: bash
+      working-directory: js
+      run: corepack install -g --cache-only ./corepack.tgz
+
+    - name: Package Corepack tools
+      if: steps.cache.outputs.cache-hit != 'true'
+      shell: bash
+      working-directory: js
+      run: corepack pack
+

.github/actions/frontend-plugin-cache/action.yml

@@ -1,21 +0,0 @@
-name: Frontend Plugin Cache
-description: Caches NPM dependencies for the frontend-maven-plugin to speed up builds
-
-runs:
-  using: composite
-  steps:
-    - name: Get PNPM version
-      id: pnpm-version
-      shell: bash
-      run: |
-        echo "version=$(mvn help:evaluate -Dexpression=pnpm.version -q -DforceStdout)" >> $GITHUB_OUTPUT
-
-    - uses: actions/cache@v4
-      name: Cache PNPM store
-      with:
-        # See: https://pnpm.io/npmrc#store-dir
-        path: |
-          ~/.local/share/pnpm/store
-          ~/AppData/Local/pnpm/store
-          ~/Library/pnpm/store
-        key: ${{ runner.os }}-frontend-plugin-pnpm-store-${{ steps.pnpm-version.outputs.version }}-${{ hashFiles('pnpm-lock.yaml') }}

.github/actions/install-chrome/action.yml

@@ -0,0 +1,39 @@
+name: Install Chrome browser and driver for Testing
+description: Download and install the compatible Chrome and Chromedriver
+
+inputs:
+  version:
+    description: The version of Chrome and Chromedriver to install. By default none is installed.
+    required: false
+    default: default # E.g. 135.0.7049.84 (fixed version), default (chrome provided by GHA box)
+
+runs:
+  using: composite
+  steps:
+
+    - id: install-chrome
+      name: Install Chrome
+      if: inputs.version != 'default'
+      shell: bash
+      run: |
+        sudo apt-get remove google-chrome-stable
+        wget http://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${{ inputs.version }}-1_amd64.deb -O /tmp/google-chrome-stable.deb --no-verbose
+        sudo apt-get install -y /tmp/google-chrome-stable.deb
+
+    - id: install-chromedriver
+      name: Install Chromedriver
+      if: inputs.version != 'default'
+      shell: bash
+      run: |
+        wget https://storage.googleapis.com/chrome-for-testing-public/${{ inputs.version }}/linux64/chromedriver-linux64.zip -O /tmp/chromedriver.zip --no-verbose
+        unzip -j /tmp/chromedriver.zip -d /tmp
+        sudo mv -f /tmp/chromedriver $CHROMEWEBDRIVER/chromedriver
+        sudo chmod +x $CHROMEWEBDRIVER/chromedriver
+
+    - id: show-version
+      name: Show Version
+      if: inputs.version == 'default'
+      shell: bash
+      run: |
+        google-chrome --version
+        $CHROMEWEBDRIVER/chromedriver --version

.github/actions/integration-test-setup/action.yml

@@ -14,6 +14,10 @@ inputs:
 runs:
   using: composite
   steps:
+    - id: update-hosts
+      name: Update /etc/hosts
+      uses: ./.github/actions/update-hosts
+
     - id: setup-java
       name: Setup Java
       uses: ./.github/actions/java-setup
@@ -25,13 +29,13 @@ runs:
       name: Maven cache
       uses: ./.github/actions/maven-cache
 
-    - id: frontend-plugin-cache
-      name: Frontend Plugin Cache
-      uses: ./.github/actions/frontend-plugin-cache
+    - id: pnpm-store-cache
+      name: PNPM store cache
+      uses: ./.github/actions/pnpm-store-cache
 
     - id: download-keycloak
       name: Download Keycloak Maven artifacts
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: m2-keycloak.tzts
 

.github/actions/java-setup/action.yml

@@ -16,7 +16,7 @@ runs:
   steps:
     - id: setup-java
       name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
       with:
         distribution: ${{ inputs.distribution }}
         java-version: ${{ inputs.java-version }}

.github/actions/maven-cache/action.yml

@@ -3,7 +3,7 @@ description: Caches Maven artifacts
 
 inputs:
   create-cache-if-it-doesnt-exist:
-    description: > 
+    description: >
       Only those callers which fill the cache with the right contents should set this to true to avoid creating a cache
       which contains too few or too many entries.
     required: false
@@ -19,46 +19,46 @@ runs:
 
     - id: cache-maven-repository
       name: Maven cache
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       if: inputs.create-cache-if-it-doesnt-exist == 'true'
       with:
         # Two asterisks are needed to make the follow-up exclusion work
         # see https://github.com/actions/toolkit/issues/713 for the upstream issue
+        #
+        # Hybrid cache strategy: Use an OS-specific key for writing, but allow fallback to a cross-OS cache for reading.
         path: |
           ~/.m2/repository/*/*
           !~/.m2/repository/org/keycloak
-        key: ${{ steps.weekly-cache-key.outputs.key }}
+        key: mvn-${{ runner.os }}-${{ steps.weekly-cache-key.outputs.key }}
+        restore-keys: |
+          mvn--${{ steps.weekly-cache-key.outputs.key }}
         # Enable cross-os archive use the cache on both Linux and Windows
         enableCrossOsArchive: true
 
-    - id: download-node-for-windows
-      # This is necessary as the build which creates the cache will run on a Linux node and therefore will never download the Windows artifact by default.
-      # If we wouldn't download it manually, it would be downloaded on each Windows build, which proved to be unstable as downloads would randomly fail in the middle of the download.
-      if: inputs.create-cache-if-it-doesnt-exist == 'true' && steps.cache-maven-repository.outputs.cache-hit != 'true'
-      shell: bash
-      run: |
-        export VERSION=$(mvn help:evaluate -Dexpression=node.version -q -DforceStdout  | cut -c 2-)
-        curl -Lf https://nodejs.org/dist/v${VERSION}/win-x64/node.exe --create-dirs -o ~/.m2/repository/com/github/eirslett/node/${VERSION}/node-${VERSION}-win-x64.exe
-
-    - shell: powershell
-      name: Link the cached Maven repository to the OS-dependent location
-      if: inputs.create-cache-if-it-doesnt-exist == 'false' && runner.os == 'Windows'
-      # The cache restore in the next step uses the relative path which was valid on Linux and that is part of the archive it downloads.
-      # You'll see that path when you enable debugging for the GitHub workflow on Windows.
-      # On Windows, the .m2 folder is in different location, so move all the contents to the right folder here.
-      # Also, not using the C: drive will speed up the build, see https://github.com/actions/runner-images/issues/8755
-      run: |
-        mkdir -p ../../../.m2/repository
-        cmd /c mklink /d $HOME\.m2\repository D:\.m2\repository
-
     - id: restore-maven-repository
       name: Maven cache
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       if: inputs.create-cache-if-it-doesnt-exist == 'false'
       with:
         # This needs to repeat the same path pattern as above to find the matching cache
+        # Hybrid cache strategy used again
         path: |
           ~/.m2/repository/*/*
           !~/.m2/repository/org/keycloak
-        key: ${{ steps.weekly-cache-key.outputs.key }}
-        enableCrossOsArchive: true
+        key: mvn-${{ runner.os }}-${{ steps.weekly-cache-key.outputs.key }}
+        restore-keys: |
+          mvn--${{ steps.weekly-cache-key.outputs.key }}
+        enableCrossOsArchive: true
+
+    - shell: bash
+      name: Copy restored maven repo to home folder in Windows
+      if: (steps.cache-maven-repository.outputs.cache-hit == 'true' || steps.restore-maven-repository.outputs.cache-hit == 'true') && runner.os == 'Windows'
+      run: |
+        if [ -d ../../../.m2/repository ]; then
+          cp -r ../../../.m2/repository ~/.m2
+          rm -r ../../../.m2/repository
+        fi
+
+    - id: node-cache
+      name: Node cache
+      uses: ./.github/actions/node-cache

.github/actions/node-cache/action.yml

@@ -0,0 +1,27 @@
+name: Node Cache
+description: Caches Node and PNPM binaries
+
+runs:
+  using: composite
+  steps:
+    - name: Get Node.js and PNPM versions
+      id: tooling-versions
+      shell: bash
+      run: |
+        echo "node=$(cat js/pom.xml | grep '<node.version>' | cut -d '>' -f 2 | cut -d '<' -f 1 | cut -c 2-)" >> $GITHUB_OUTPUT
+        echo "pnpm=$(cat js/pom.xml | grep '<pnpm.version>' | cut -d '>' -f 2 | cut -d '<' -f 1 | cut -c 1-)" >> $GITHUB_OUTPUT
+
+    # Downloading Node.js often fails due to network issues, therefore we cache the artifacts downloaded by the frontend plugin.
+    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      id: cache-binaries
+      name: Cache Node.js and PNPM binaries
+      with:
+        path: |
+          ~/.m2/repository/com/github/eirslett/node
+          ~/.m2/repository/com/github/eirslett/pnpm
+        key: ${{ runner.os }}-frontend-plugin-artifacts-${{ steps.tooling-versions.outputs.node }}-${{ steps.tooling-versions.outputs.pnpm }}
+
+    - name: Download Node.js and PNPM
+      if: steps.cache-binaries.outputs.cache-hit != 'true'
+      shell: bash
+      run: ./.github/scripts/download-node-tooling.sh ${{ steps.tooling-versions.outputs.node }} ${{ steps.tooling-versions.outputs.pnpm }}

.github/actions/pnpm-setup/action.yml

@@ -5,41 +5,24 @@ inputs:
   node-version:
     description: Node.js version
     required: false
-    default: "20"
+    default: "24"
 
 runs:
   using: composite
   steps:
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: ${{ inputs.node-version }}
         check-latest: true
 
-    - name: Enable Corepack
-      shell: bash
-      run: corepack enable
+    - name: Setup Corepack
+      uses: ./.github/actions/corepack-setup
 
-    - name: Get PNPM store directory
-      id: pnpm-cache
-      shell: bash
-      run: |
-        echo "store-path=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
-
-    - uses: actions/cache@v4
-      name: Setup PNPM cache
-      with:
-        # Also cache Cypress binary.
-        path: |
-          ~/.cache/Cypress
-          ${{ steps.pnpm-cache.outputs.store-path }}
-        key: ${{ runner.os }}-pnpm-store-${{ hashFiles('pnpm-lock.yaml') }}
-        restore-keys: |
-          ${{ runner.os }}-pnpm-store-
+    - name: PNPM store cache
+      uses: ./.github/actions/pnpm-store-cache
 
     - name: Install dependencies
       shell: bash
-      # Run the store prune after the installation to avoid having caches which grow over time
-      run: |
-        pnpm install --prefer-offline --frozen-lockfile
-        pnpm store prune
+      run: pnpm install --prefer-offline --frozen-lockfile
+      working-directory: js

.github/actions/pnpm-store-cache/action.yml

@@ -0,0 +1,20 @@
+name: Cache PNPM store
+description: Caches the PNPM store to speed up the build.
+
+runs:
+  using: composite
+  steps:
+    - id: weekly-cache-key
+      name: Key for weekly rotation of cache
+      shell: bash
+      run: echo "key=pnpm-store-`date -u "+%Y-%U"`" >> $GITHUB_OUTPUT
+
+    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      name: Cache PNPM store
+      with:
+        # See: https://pnpm.io/npmrc#store-dir
+        path: |
+          ~/.local/share/pnpm/store
+          ~/AppData/Local/pnpm/store
+          ~/Library/pnpm/store
+        key: ${{ runner.os }}-${{ steps.weekly-cache-key.outputs.key }}

.github/actions/prunsrv-setup/action.yml

@@ -0,0 +1,81 @@
+name: Setup Apache Commons Daemon (Procrun)
+description: Download and cache Apache Commons Daemon prunsrv.exe for Windows service tests
+
+inputs:
+  version:
+    description: Apache Commons Daemon version (leave empty for latest)
+    required: false
+    default: ""
+
+outputs:
+  prunsrv-path:
+    description: Path to the prunsrv.exe executable
+    value: ${{ steps.setup.outputs.prunsrv-path }}
+  version:
+    description: The resolved Apache Commons Daemon version
+    value: ${{ steps.resolve-version.outputs.version }}
+
+runs:
+  using: composite
+  steps:
+    - name: Resolve latest version
+      id: resolve-version
+      shell: pwsh
+      run: |
+        $inputVersion = "${{ inputs.version }}"
+        if ([string]::IsNullOrWhiteSpace($inputVersion)) {
+          Write-Host "No version specified, detecting latest version from Apache downloads..."
+          $indexUrl = "https://downloads.apache.org/commons/daemon/binaries/windows/"
+          $response = Invoke-WebRequest -Uri $indexUrl -UseBasicParsing
+          # Parse the HTML to find the zip file and extract version
+          $match = [regex]::Match($response.Content, 'commons-daemon-(\d+\.\d+\.\d+)-bin-windows\.zip')
+          if ($match.Success) {
+            $version = $match.Groups[1].Value
+            Write-Host "Detected latest version: $version"
+          } else {
+            Write-Error "Could not detect latest version from Apache downloads page"
+            exit 1
+          }
+        } else {
+          $version = $inputVersion
+          Write-Host "Using specified version: $version"
+        }
+        echo "version=$version" >> $env:GITHUB_OUTPUT
+
+    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      id: cache
+      name: Cache Apache Commons Daemon
+      with:
+        path: ${{ runner.temp }}/commons-daemon
+        key: commons-daemon-${{ steps.resolve-version.outputs.version }}-windows-amd64
+
+    - name: Download Apache Commons Daemon
+      if: steps.cache.outputs.cache-hit != 'true'
+      shell: pwsh
+      run: |
+        $version = "${{ steps.resolve-version.outputs.version }}"
+        $downloadUrl = "https://downloads.apache.org/commons/daemon/binaries/windows/commons-daemon-${version}-bin-windows.zip"
+        $zipPath = Join-Path "${{ runner.temp }}" "commons-daemon.zip"
+        $extractPath = Join-Path "${{ runner.temp }}" "commons-daemon"
+
+        Write-Host "Downloading Apache Commons Daemon $version from $downloadUrl"
+        Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath -UseBasicParsing
+
+        Write-Host "Extracting to $extractPath"
+        Expand-Archive -Path $zipPath -DestinationPath $extractPath -Force
+        Remove-Item $zipPath -Force
+
+    - name: Setup environment
+      id: setup
+      shell: pwsh
+      run: |
+        $prunsrvPath = "${{ runner.temp }}/commons-daemon/amd64/prunsrv.exe"
+
+        if (-not (Test-Path $prunsrvPath)) {
+          Write-Error "prunsrv.exe not found at $prunsrvPath"
+          exit 1
+        }
+
+        Write-Host "Apache Commons Daemon prunsrv.exe found at: $prunsrvPath"
+        echo "COMMONS_DAEMON_HOME=${{ runner.temp }}/commons-daemon/amd64" >> $env:GITHUB_ENV
+        echo "prunsrv-path=$prunsrvPath" >> $env:GITHUB_OUTPUT

.github/actions/run-store-tests/action.yml

@@ -0,0 +1,85 @@
+name: Store IT
+description: Run Store integration tests
+
+inputs:
+  db:
+    description: The database to use for tests
+    required: true
+
+runs:
+  using: composite
+  steps:
+
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+    - id: integration-test-setup
+      name: Integration test setup
+      uses: ./.github/actions/integration-test-setup
+
+    - name: Run new base tests
+      shell: bash
+      run: |
+        KC_TEST_DATABASE=${{ inputs.db }} KC_TEST_DATABASE_REUSE=true TESTCONTAINERS_REUSE_ENABLE=true ./mvnw package -f tests/pom.xml -Dtest=DatabaseTestSuite -Dkeycloak.distribution.start.timeout=360
+
+    - name: Database container port
+      shell: bash
+      run: |
+        # The Ryuk container process exists temporarily after the JVM terminates, wait for only the database container to remain
+        while [ "$(docker ps -q | wc -l)" -ne 1 ]; do
+          docker ps
+          sleep 10
+        done
+        DATABASE_PORT=$(docker ps -l --format '{{ .ID }}' | xargs docker port | cut -d ':' -f 2)
+        echo "DATABASE_PORT=$DATABASE_PORT" >> $GITHUB_ENV 
+
+    - name: Run base tests
+      shell: bash
+      run: |
+        TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh database`
+        echo "Tests: $TESTS"
+        ./mvnw test ${{ env.SUREFIRE_RETRY }} \
+          -Pauth-server-quarkus -Pdb-${{ inputs.db }} \
+          "-Dwebdriver.chrome.driver=$CHROMEWEBDRIVER/chromedriver" \
+          -Dtest=$TESTS \
+          -Ddocker.database.skip=true \
+          -Ddocker.database.port=$DATABASE_PORT \
+          -Ddocker.container.testdb.ip=localhost \
+          -Dkeycloak.distribution.start.timeout=360 \
+          -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh
+
+    - name: Run cluster JDBC_PING2 UDP smoke test
+      shell: bash
+      run: |
+        ./mvnw test ${{ env.SUREFIRE_RETRY }} \
+          -Pauth-server-cluster-quarkus \
+          -Pdb-${{ inputs.db }} \
+          -Dtest=RealmInvalidationClusterTest \
+          -Dsession.cache.owners=2 \
+          -Dauth.server.quarkus.cluster.stack=jdbc-ping-udp \
+          -Ddocker.database.skip=true \
+          -Ddocker.database.port=$DATABASE_PORT \
+          -Ddocker.container.testdb.ip=localhost \
+          -pl testsuite/integration-arquillian/tests/base \
+          2>&1 | misc/log/trimmer.sh
+
+    - name: Run cluster JDBC_PING2 TCP smoke test
+      shell: bash
+      run: |
+        ./mvnw test ${{ env.SUREFIRE_RETRY }} \
+          -Pauth-server-cluster-quarkus \
+          -Pdb-${{ inputs.db }} \
+          -Dtest=RealmInvalidationClusterTest \
+          -Dsession.cache.owners=2 \
+          -Dauth.server.quarkus.cluster.stack=jdbc-ping \
+          -Ddocker.database.skip=true \
+          -Ddocker.database.port=$DATABASE_PORT \
+          -Ddocker.container.testdb.ip=localhost \
+          -pl testsuite/integration-arquillian/tests/base \
+          2>&1 | misc/log/trimmer.sh
+
+    - uses: ./.github/actions/upload-flaky-tests
+      name: Upload flaky tests
+      env:
+        GH_TOKEN: ${{ github.token }}
+      with:
+        job-name: Store IT

.github/actions/unit-test-setup/action.yml

@@ -11,6 +11,6 @@ runs:
       name: Maven cache
       uses: ./.github/actions/maven-cache
 
-    - id: frontend-plugin-cache
+    - id: pnpm-store-cache
       name: Frontend Plugin Cache
-      uses: ./.github/actions/frontend-plugin-cache
+      uses: ./.github/actions/pnpm-store-cache

.github/actions/update-hosts/action.yml

@@ -0,0 +1,21 @@
+name: Update /etc/hosts
+description: Update /etc/hosts file to hardcode known hostnames. This is to avoid test instability due to DNS resolution issues.
+
+runs:
+  using: composite
+  steps:
+
+    - id: update-hosts-linux
+      name: Update /etc/hosts
+      if: runner.os == 'Linux'
+      shell: bash
+      run: |
+        printf "\n\n$(cat .github/actions/update-hosts/hosts)" | sudo tee -a /etc/hosts
+
+    - id: update-hosts-windows
+      name: Update C:\Windows\System32\drivers\etc\hosts
+      if: runner.os == 'Windows'
+      shell: powershell
+      run: |
+        "`n`n" | Add-Content C:\Windows\System32\drivers\etc\hosts
+        Get-Content .github/actions/update-hosts/hosts | Add-Content C:\Windows\System32\drivers\etc\hosts

.github/actions/update-hosts/hosts

@@ -0,0 +1,2 @@
+127.0.0.1 localtest.me admin.localtest.me localhost-myapp.localtest.me localhost-sso.localtest.me realmFrontend.localtest.me proxy.kc.localtest.me
+::1 localtest.me admin.localtest.me localhost-myapp.localtest.me localhost-sso.localtest.me realmFrontend.localtest.me proxy.kc.localtest.me

.github/actions/upload-flaky-tests/action.yml

@@ -47,9 +47,9 @@ runs:
           echo "EOF" >> $GITHUB_OUTPUT
         fi
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       if: ${{ steps.flaky-tests.outputs.flakes }}
       with:
         name: flaky-tests-${{ github.job }}-${{ join(matrix.*, '-') }}
         path: ${{ steps.flaky-tests.outputs.flakes }}
-        if-no-files-found: error
+        if-no-files-found: error

.github/actions/upload-heapdumps/action.yml

@@ -1,17 +0,0 @@
-name: Upload JVM Heapdumps
-description: Upload JVM Heapdumps
-
-runs:
-  using: composite
-  steps:
-    - id: upload-jvm-heapdumps
-      name: Upload JVM Heapdumps
-      # Windows runners are running into https://github.com/actions/upload-artifact/issues/240
-      if: runner.os != 'Windows'
-      uses: actions/upload-artifact@v4
-      with:
-        name: jvm-heap-dumps
-        path: |
-          '**/java_pid*.hprof'
-          !distribution/**
-        if-no-files-found: ignore

.github/codeql/codeql-config-javascript.yml

@@ -0,0 +1,3 @@
+paths-ignore:
+  # This file is invalid on purpose for testing. Exclude it to prevent an "Unexpected token" error in CodeQL being reported.
+  - testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers-deployment/src/main/resources/scripts/test-bad-script-mapper3.js

.github/codeql/codeql-config-typescript.yml

@@ -0,0 +1,3 @@
+paths-ignore:
+  # This file is invalid on purpose for testing. Exclude it to prevent an "Unexpected token" error in CodeQL being reported.
+  - testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers-deployment/src/main/resources/scripts/test-bad-script-mapper3.js

.github/dependabot.yml

@@ -2,23 +2,53 @@ version: 2
 updates:
   - package-ecosystem: github-actions
     directory: /
-    open-pull-requests-limit: 999
-    rebase-strategy: disabled
     schedule:
-      interval: daily
-      time: "00:00"
+      interval: weekly
+      day: "sunday"
+      time: "03:00"
       timezone: Etc/GMT
+    open-pull-requests-limit: 10 # It's wise to keep this low even with grouping
+    rebase-strategy: disabled
     labels:
       - area/dependencies
       - area/ci
+    groups:
+      actions-dependencies: # This name will be used in the PR title
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+
   - package-ecosystem: npm
-    directory: /
+    directory: js
     schedule:
-      interval: daily
-      time: "00:00"
+      interval: weekly
+      day: "thursday"
+      time: "03:00"
       timezone: Etc/GMT
-    open-pull-requests-limit: 999
+    open-pull-requests-limit: 10 # It's wise to keep this low even with grouping
     rebase-strategy: disabled
     labels:
       - area/dependencies
       - team/ui
+    ignore:
+      - dependency-name: "@patternfly/*"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: react
+        update-types: ["version-update:semver-major"]
+      - dependency-name: react-dom
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "@types/react"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "@types/react-dom"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "react-router-dom"
+        update-types: ["version-update:semver-major"]
+    groups:
+      npm-dependencies: # This name will be used in the PR title
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"

.github/fake_fips/fake_fips.c

@@ -34,7 +34,9 @@ static struct ctl_table crypto_sysctl_table[] = {
 		.mode		= 0444,
 		.proc_handler	= proc_dointvec
 	},
-        {}
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0))
+	{}
+#endif
 };
 static struct ctl_table crypto_dir_table[] = {
 	{
@@ -44,7 +46,9 @@ static struct ctl_table crypto_dir_table[] = {
 		.child          = crypto_sysctl_table
 #endif
 	},
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0))
 	{}
+#endif
 };
 
 static struct ctl_table_header *crypto_sysctls;

.github/mvn-rel-settings.xml

@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
-          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
-    <activeProfiles>
-        <activeProfile>keycloak-rel</activeProfile>
-    </activeProfiles>
-    <profiles>
-        <profile>
-            <id>keycloak-rel</id>
-            <repositories>
-                <repository>
-                    <id>${env.MAVEN_ID}</id>
-                    <url>${env.MAVEN_URL}</url>
-                    <snapshots>
-                        <enabled>true</enabled>
-                    </snapshots>
-                    <releases>
-                        <enabled>true</enabled>
-                  </releases>
-                </repository>
-            </repositories>
-        </profile>
-    </profiles>
-    <servers>
-        <server>
-            <id>${env.MAVEN_ID}</id>
-            <username>${env.MAVEN_USERNAME}</username>
-           <password>${env.MAVEN_PASSWORD}</password>
-        </server>
-        <server>
-            <id>gpg.passphrase</id>
-            <passphrase>${env.MAVEN_GPG_PASSPHRASE}</passphrase>
-        </server>
-    </servers>
-
-</settings>

.github/scripts/ansible/aws_ec2.sh

@@ -13,7 +13,7 @@ CLUSTER_NAME=$3
 case $OPERATION in
   requirements)
     ansible-galaxy collection install -r requirements.yml
-    pip3 install --user "ansible==9.*" boto3 botocore
+    pip3 install ansible boto3 botocore
   ;;
   create|delete|start|stop)
     if [ -f "env.yml" ]; then ANSIBLE_CUSTOM_VARS_ARG="-e @env.yml"; fi

.github/scripts/ansible/azure_vm_manager.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Usage: ./azure_vm_manager.sh <create|delete> <region> <cluster_name>
+ACTION=${1:-}
+REGION=${2:-}
+CLUSTER=${3:-}
+
+if [[ -z "$ACTION" || -z "$REGION" || -z "$CLUSTER" ]]; then
+  echo "Usage: $0 <create|delete> <region> <cluster_name>"
+  exit 1
+fi
+
+SSH_KEY="$CLUSTER"_"$REGION"
+ADMIN_USER="azureuser"
+VM_SIZE="Standard_D2s_v5"
+IMAGE="Ubuntu2404"
+
+if [[ "$ACTION" == "create" ]]; then
+  # 1. Resource group (created via idempotent command)
+  az group create --name "$CLUSTER" --location "$REGION"
+
+  # 2. SSH key
+  if [[ ! -f "${SSH_KEY}" ]]; then
+    ssh-keygen -t rsa -b 2048 -f "${SSH_KEY}" -N ""
+  fi
+
+  # 3. Network security group
+  az network nsg create --resource-group "$CLUSTER" --name "$CLUSTER-nsg"
+  az network nsg rule create --resource-group "$CLUSTER" --nsg-name "$CLUSTER-nsg" --name Allow-SSH --protocol Tcp --priority 1000 --destination-port-range 22 --access Allow --direction Inbound
+
+  # 4. Public IP
+  az network public-ip create --resource-group "$CLUSTER" --name "$CLUSTER-pip" --allocation-method Static
+
+  # 5. Virtual network
+  az network vnet create --resource-group "$CLUSTER" --name "$CLUSTER-vnet" --address-prefix 10.0.0.0/16
+
+  # 6. Subnet
+  az network vnet subnet create --resource-group "$CLUSTER" --vnet-name "$CLUSTER-vnet" --name "$CLUSTER-subnet" --address-prefix 10.0.0.0/24
+
+  # 7. Network interface
+  az network nic create --resource-group "$CLUSTER" --name "$CLUSTER-nic" --vnet-name "$CLUSTER-vnet" --subnet "$CLUSTER-subnet" --network-security-group "$CLUSTER-nsg" --public-ip-address "$CLUSTER-pip"
+
+  # 8. VM
+  az vm create \
+    --resource-group "$CLUSTER" \
+    --name "$CLUSTER-vm" \
+    --nics "$CLUSTER-nic" \
+    --image "$IMAGE" \
+    --size "$VM_SIZE" \
+    --admin-username "$ADMIN_USER" \
+    --ssh-key-values "${SSH_KEY}.pub" \
+    --authentication-type ssh \
+    --no-wait
+
+  # 9. Wait for VM IP
+  az vm wait --created --resource-group "$CLUSTER" --name "$CLUSTER-vm"
+  VM_IP=$(az network public-ip show --resource-group "$CLUSTER" --name "$CLUSTER-pip" --query ipAddress -o tsv)
+
+  # 10. Wait for SSH
+  for i in {1..30}; do
+    if nc -z "$VM_IP" 22; then break; fi
+    sleep 5
+  done
+
+  # 11. Create inventory file with both host and group
+  cat > "${CLUSTER}_${REGION}_inventory.yml" <<EOF
+all:
+  hosts:
+    keycloak:
+      ansible_host: $VM_IP
+      ansible_user: $ADMIN_USER
+      ansible_ssh_private_key_file: ${SSH_KEY}
+  children:
+    keycloak_group:
+      hosts:
+        keycloak:
+EOF
+
+  echo "VM provisioned. Inventory: ${CLUSTER}_${REGION}_inventory.yml"
+
+elif [[ "$ACTION" == "delete" ]]; then
+  az group delete --name "$CLUSTER" --yes --no-wait
+  echo "Resource group $CLUSTER deletion initiated."
+else
+  echo "Unknown action: $ACTION"
+  exit 2
+fi

.github/scripts/ansible/keycloak.yml

@@ -1,2 +1,2 @@
 - hosts: keycloak
-  roles: [keycloak_ec2_installer]
+  roles: [keycloak_remote_installer]

.github/scripts/ansible/keycloak_ec2_installer.sh

@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-set -e
-cd $(dirname "${BASH_SOURCE[0]}")
-
-if [[ "$RUNNER_DEBUG" == "1" ]]; then
-  set -x
-fi
-
-REGION=$1
-CLUSTER_NAME=$2
-KEYCLOAK_SRC=$3
-
-ansible-playbook -i ${CLUSTER_NAME}_${REGION}_inventory.yml keycloak.yml \
-  -e "keycloak_src=\"${KEYCLOAK_SRC}\""

.github/scripts/ansible/keycloak_remote_installer.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -e
+cd $(dirname "${BASH_SOURCE[0]}")
+
+if [[ "$RUNNER_DEBUG" == "1" ]]; then
+  set -x
+fi
+
+REGION=$1
+CLUSTER_NAME=$2
+KEYCLOAK_SRC=$3
+MAVEN_ARCHIVE=$4
+
+ansible-playbook -vvvv -i ${CLUSTER_NAME}_${REGION}_inventory.yml keycloak.yml \
+  -e "keycloak_src=\"${KEYCLOAK_SRC}\"" \
+  -e "maven_archive=\"${MAVEN_ARCHIVE}\""

.github/scripts/ansible/mvn.yml

@@ -1,2 +1,2 @@
 - hosts: keycloak
-  roles: [mvn_ec2_runner]
+  roles: [mvn_remote_runner]

.github/scripts/ansible/roles/aws_ec2/defaults/main.yml

@@ -4,7 +4,8 @@ cluster_size: 1
 
 cidr_ip: "{{ control_host_ip.stdout }}/32"
 
-ami_name: RHEL-8.8.0_HVM-20230503-x86_64-54-Hourly2-GP2
+# aws ec2 describe-images --owners 309956199498 --filters "Name=architecture,Values=x86_64" "Name=virtualization-type,Values=hvm"  --region eu-west-1 --no-include-deprecated     --query 'Images[] | sort_by(@, &CreationDate)[].Name'
+ami_name: RHEL-9.4_HVM_GA-20240827-x86_64-0-Hourly2-GP3
 
 instance_type: t3.large
 instance_volume_size: 20

.github/scripts/ansible/roles/keycloak_ec2_installer/README.md

@@ -1,35 +0,0 @@
-# Ansible Role `keycloak_ec2_installer`
-
-Ansible role for installing Keycloak sources and build dependencies on remote nodes.
-
-Role assumes presence of host inventory file and a matching SSH key for "sudoer" access to the hosts.
-The hosts are expected to be included in `keycloak` group.
-
-## Parameters
-
-See `defaults/main.yml` for default values.
-
-### Execution
-- `keycloak_src`: Path to a local `*.zip` file containing the Keycloak src
-
-### Other
-- `update_system_packages`: Whether to update the system packages. Defaults to `no`.
-- `install_java`: Whether to install OpenJDK on the system. Defaults to `yes`.
-- `java_version`: Version of OpenJDK to be installed. Defaults to `21`.
-
-
-## Example Playbook
-
-An example playbook `keycloak.yml` that applies the role to hosts in the `keycloak` group:
-```
-- hosts: keycloak
-  roles: [keycloak]
-```
-
-## Run keycloak-benchmark
-
-Run:
-```
-ansible-playbook -i ${CLUSTER_NAME}_${REGION}_inventory.yml keycloak.yml \
-  -e "keycloak_src=\"/tmp/keycloak.zip\""
-```

.github/scripts/ansible/roles/keycloak_ec2_installer/defaults/main.yml

@@ -1,7 +0,0 @@
-# This should match the user in the *_inventory.yml
-ansible_ssh_user: ec2-user
-# Workspace on the remote hosts
-kc_home: /opt/keycloak
-update_system_packages: no
-install_java: yes
-java_version: 21

.github/scripts/ansible/roles/keycloak_ec2_installer/tasks/install.yml

@@ -1,29 +0,0 @@
-- name: Update system packages on the remote hosts
-  when: update_system_packages
-  package:
-    name: "*"
-    state: latest
-
-- name: Install Java {{ java_version }} packages on the remote hosts
-  when: install_java
-  package:
-    name:
-      - "java-{{ java_version }}-openjdk"
-      - "java-{{ java_version }}-openjdk-devel"
-    state: present
-
-- name: Install dependencies on the remote hosts
-  package: name={{item}} state=present
-  with_items:
-    - unzip
-
-- name: Create Keycloak src dir
-  file:
-    path: "{{ kc_home }}"
-    state: directory
-
-- name: Install Keycloak src on the remote hosts
-  unarchive:
-    src: "{{ keycloak_src }}"
-    dest: "{{ kc_home }}"
-    owner: "{{ ansible_ssh_user }}"

.github/scripts/ansible/roles/keycloak_remote_installer/README.md

@@ -0,0 +1,35 @@
+# Ansible Role `keycloak_remote_installer`
+
+Ansible role for installing Keycloak sources and build dependencies on remote nodes.
+
+Role assumes presence of host inventory file and a matching SSH key for "sudoer" access to the hosts.
+The hosts are expected to be included in `keycloak` group.
+
+## Parameters
+
+See `defaults/main.yml` for default values.
+
+### Execution
+- `keycloak_src`: Path to a local `*.zip` file containing the Keycloak src
+
+### Other
+- `update_system_packages`: Whether to update the system packages. Defaults to `no`.
+- `install_java`: Whether to install OpenJDK on the system. Defaults to `yes`.
+- `java_version`: Version of OpenJDK to be installed. Defaults to `21`.
+
+
+## Example Playbook
+
+An example playbook `keycloak.yml` that applies the role to hosts in the `keycloak` group:
+```
+- hosts: keycloak
+  roles: [keycloak]
+```
+
+## Run keycloak-benchmark
+
+Run:
+```
+ansible-playbook -i ${CLUSTER_NAME}_${REGION}_inventory.yml keycloak.yml \
+  -e "keycloak_src=\"/tmp/keycloak.zip\""
+```

.github/scripts/ansible/roles/keycloak_remote_installer/defaults/main.yml

@@ -0,0 +1,6 @@
+# Workspace on the remote hosts
+kc_home: /opt/keycloak
+m2_home: ~/.m2
+update_system_packages: no
+install_java: yes
+java_version: 21

.github/scripts/ansible/roles/keycloak_remote_installer/tasks/install.yml

@@ -0,0 +1,54 @@
+- name: Update system packages on the remote hosts
+  when: update_system_packages
+  package:
+    name: "*"
+    state: latest
+
+- name: Update apt cache on Ubuntu/Debian
+  when: ansible_os_family == 'Debian'
+  apt:
+    update_cache: yes
+
+
+- name: Install Java {{ java_version }} packages on Ubuntu/Debian
+  when:
+    - install_java
+    - ansible_os_family == 'Debian'
+  package:
+    name:
+      - "openjdk-{{ java_version }}-jdk"
+      - "openjdk-{{ java_version }}-jre"
+    state: present
+
+- name: Install Java {{ java_version }} packages on RedHat/Amazon
+  when:
+    - install_java
+    - ansible_os_family != 'Debian'
+  package:
+    name:
+      - "java-{{ java_version }}-openjdk"
+      - "java-{{ java_version }}-openjdk-devel"
+    state: present
+
+- name: Install dependencies on the remote hosts
+  package: name={{item}} state=present
+  with_items:
+    - unzip
+
+- name: Create Keycloak src dir
+  file:
+    path: "{{ kc_home }}"
+    state: directory
+
+- name: Install Keycloak src on the remote hosts
+  unarchive:
+    src: "{{ keycloak_src }}"
+    dest: "{{ kc_home }}"
+    owner: "{{ ansible_ssh_user }}"
+
+- name: Install Maven repository on the remote hosts
+  unarchive:
+    src: "{{ maven_archive }}"
+    creates: "{{ kc_home }}"
+    dest: "{{ kc_home }}"
+    owner: "{{ ansible_ssh_user }}"

.github/scripts/ansible/roles/mvn_ec2_runner/README.md

@@ -1,33 +0,0 @@
-# Ansible Role `mvn_ec2_runner`
-
-Ansible role for executing `mvn` commands against a Keycloak src on a remote node.
-
-Role assumes presence of host inventory file and a matching SSH key for "sudoer" access to the hosts.
-The hosts are expected to be included in `keycloak` group.
-
-## Parameters
-
-See `defaults/main.yml` for default values.
-
-### Execution
-- `mvn_params`: The `mvn` command to execute on the remote nodes.
-
-### Other
-- `kc_home`: Location of the Keycloak src on the remote node.
-
-
-## Example Playbook
-
-An example playbook `keycloak.yml` that applies the role to hosts in the `keycloak` group:
-```
-- hosts: keycloak
-  roles: [mvn]
-```
-
-## Run keycloak-benchmark
-
-Run:
-```
-ansible-playbook -i ${CLUSTER_NAME}_${REGION}_inventory.yml mvn.yml \
-  -e "mvn_params=\"mvn clean install\""
-```

.github/scripts/ansible/roles/mvn_remote_runner/README.md

@@ -0,0 +1,33 @@
+# Ansible Role `mvn_remote_runner`
+
+Ansible role for executing `mvn` commands against a Keycloak src on a remote node.
+
+Role assumes presence of host inventory file and a matching SSH key for "sudoer" access to the hosts.
+The hosts are expected to be included in `keycloak` group.
+
+## Parameters
+
+See `defaults/main.yml` for default values.
+
+### Execution
+- `mvn_params`: The `mvn` command to execute on the remote nodes.
+
+### Other
+- `kc_home`: Location of the Keycloak src on the remote node.
+
+
+## Example Playbook
+
+An example playbook `keycloak.yml` that applies the role to hosts in the `keycloak` group:
+```
+- hosts: keycloak
+  roles: [mvn]
+```
+
+## Run keycloak-benchmark
+
+Run:
+```
+ansible-playbook -i ${CLUSTER_NAME}_${REGION}_inventory.yml mvn.yml \
+  -e "mvn_params=\"mvn clean install\""
+```

.github/scripts/aws/rds/aurora_create.sh

@@ -116,6 +116,7 @@ aws rds create-db-cluster \
 # For now only two AZs in each region are supported due to the two subnets created above
 for i in $( seq ${AURORA_INSTANCES} ); do
   aws rds create-db-instance \
+    --no-auto-minor-version-upgrade \
     --db-cluster-identifier ${AURORA_CLUSTER} \
     --db-instance-identifier "${AURORA_CLUSTER}-instance-${i}" \
     --db-instance-class ${AURORA_INSTANCE_CLASS} \

.github/scripts/azure/sql/README.md

@@ -0,0 +1,63 @@
+# Azure SQL Automation
+
+This folder contains scripts, a composite action, and Ansible helpers to:
+- Create an Azure SQL Server + database and the Keycloak DB user
+- Provision an Azure VM and run Maven/Keycloak tasks on it (Ansible role)
+
+---
+
+## Prerequisites
+
+Make sure that your Azure subscription is registered to use the `Microsoft.Sql` resource provider in order to create SQL resources. You can do this via the Azure Portal or Azure CLI:
+
+```bash
+# Ensure correct subscription is selected
+az account set --subscription <your-subscription-id>
+
+# Check registration status
+az provider show --namespace Microsoft.Sql --query registrationState -o table
+
+# Register the provider
+az provider register --namespace Microsoft.Sql
+```
+
+---
+
+## Files
+
+### Azure-specific scripts
+- **`azure_common.sh`** - Shared defaults and environment checks
+- **`azure_create_sql.sh`** - Create resource group, server, database and DB user using Azure CLI + sqlcmd
+- **`azure_vm_manager.sh`** - CLI wrapper to create/delete Azure VM and produce inventory via Ansible
+
+### Common files shared with EC2 automation
+- **`mvn_remote_runner.sh`** - Runs the existing `mvn.yml` Ansible playbook against the created Azure or EC2 VM
+- **`keycloak_remote_installer.sh`** - Shell script that runs the Ansible playbook to install Keycloak on the provisioned VM
+- **Ansible playbooks and roles** - Under `.github/scripts/ansible/roles/`
+
+---
+
+## GitHub Secrets and Configuration
+
+### Required Secret
+
+**`AZURE_CREDENTIALS`** *(required)* - Service principal JSON used by the `azure/login` action
+
+Create via Azure CLI:
+```bash
+az ad sp create-for-rbac \
+  --name "keycloak-ci" \
+  --role contributor \
+  --scopes /subscriptions/<your-subscription-id> \
+  --sdk-auth
+```
+
+### Optional Variables (override defaults)
+
+- **`AZURE_ADMIN_USER`** - SQL Server admin username *(default: `sqladmin`)*
+- **`AZURE_DB_USER`** - Keycloak database username *(default: `keycloak`)*
+
+### Optional Secrets (override auto-generated passwords)
+
+- **`AZURE_ADMIN_PASSWORD`** - SQL Server admin password *(default: auto-generated)*
+- **`AZURE_DB_PASSWORD`** - Keycloak database user password *(default: auto-generated)*

.github/scripts/azure/sql/azure_common.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -e
+
+if [[ "$RUNNER_DEBUG" == "1" ]]; then
+  set -x
+fi
+
+function requiredEnv() {
+  for ENV in $@; do
+      if [ -z "${!ENV}" ]; then
+        echo "${ENV} variable must be set"
+        exit 1
+      fi
+  done
+}
+
+requiredEnv AZURE_NAME AZURE_REGION AZURE_ADMIN_PASSWORD AZURE_DB_PASSWORD
+
+SCRIPT_DIR=${SCRIPT_DIR:-$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )}
+export AZURE_RG=${AZURE_RG:-"${AZURE_NAME}-rg"}
+export AZURE_ADMIN_USER=${AZURE_ADMIN_USER:-"sqladmin"}
+export AZURE_ADMIN_PASSWORD=${AZURE_ADMIN_PASSWORD}
+export AZURE_DB=${AZURE_DB:-"keycloakdb"}
+export AZURE_DB_USER=${AZURE_DB_USER:-"keycloak"}
+export AZURE_DB_PASSWORD=${AZURE_DB_PASSWORD}
+export AZURE_ALLOW_ALL_FIREWALL=${AZURE_ALLOW_ALL_FIREWALL:-"true"}

.github/scripts/azure/sql/azure_create_sql.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+set -e
+
+if [[ "$RUNNER_DEBUG" == "1" ]]; then
+  set -x
+fi
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source ${SCRIPT_DIR}/azure_common.sh
+
+requiredEnv AZURE_SUBSCRIPTION AZURE_ADMIN_USER AZURE_DB_USER
+
+# Login is expected to be done by the workflow via az login with service principal
+
+# Resource group (created via idempotent command)
+echo "Creating resource group ${AZURE_RG} in ${AZURE_REGION}"
+az group create --name ${AZURE_RG} --location ${AZURE_REGION} --subscription ${AZURE_SUBSCRIPTION}
+
+echo "Creating SQL server ${AZURE_NAME}-sqlsrv"
+az sql server create \
+  --name ${AZURE_NAME}-sqlsrv \
+  --resource-group ${AZURE_RG} \
+  --location ${AZURE_REGION} \
+  --admin-user ${AZURE_ADMIN_USER} \
+  --admin-password "${AZURE_ADMIN_PASSWORD}" \
+  --subscription ${AZURE_SUBSCRIPTION}
+
+echo "Creating database ${AZURE_DB}"
+az sql db create \
+  --resource-group ${AZURE_RG} \
+  --server ${AZURE_NAME}-sqlsrv \
+  --name ${AZURE_DB} \
+  --service-objective Basic \
+  --subscription ${AZURE_SUBSCRIPTION}
+
+if [ "${AZURE_ALLOW_ALL_FIREWALL}" = "true" ]; then
+  echo "Allowing Azure services and current IP (0.0.0.0) - use with caution"
+  az sql server firewall-rule create --resource-group ${AZURE_RG} --server ${AZURE_NAME}-sqlsrv --name AllowAll --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 --subscription ${AZURE_SUBSCRIPTION}
+fi
+
+# Create login in master and then create user in the database
+# Wait until server is provisioned
+echo "Waiting for SQL server to be provisioned..."
+for i in {1..30}; do
+  state=$(az sql server show --name ${AZURE_NAME}-sqlsrv --resource-group ${AZURE_RG} --subscription ${AZURE_SUBSCRIPTION} --query "state" -o tsv || echo "")
+  if [ "${state}" = "Ready" ] || [ -z "${state}" ]; then
+    break
+  fi
+  echo "server state=${state}, retrying..."
+  sleep 5
+done
+
+ENDPOINT="${AZURE_NAME}-sqlsrv.database.windows.net"
+ADMIN_USER_FULL="${AZURE_ADMIN_USER}@${AZURE_NAME}-sqlsrv"
+
+echo "Creating login ${AZURE_DB_USER} in master via sqlcmd"
+PASS_ESCAPED=${AZURE_DB_PASSWORD//\'/''}
+sqlcmd -S ${ENDPOINT} -U "${ADMIN_USER_FULL}" -P "${AZURE_ADMIN_PASSWORD}" -d master -Q "IF EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = '${AZURE_DB_USER}') BEGIN ALTER LOGIN [${AZURE_DB_USER}] WITH PASSWORD='${PASS_ESCAPED}'; END ELSE BEGIN CREATE LOGIN [${AZURE_DB_USER}] WITH PASSWORD='${PASS_ESCAPED}'; END"
+
+echo "Creating user ${AZURE_DB_USER} in database ${AZURE_DB} and adding db_owner"
+sqlcmd -S ${ENDPOINT} -U "${ADMIN_USER_FULL}" -P "${AZURE_ADMIN_PASSWORD}" -d ${AZURE_DB} -Q "IF NOT EXISTS (SELECT name FROM sys.database_principals WHERE name = '${AZURE_DB_USER}') BEGIN CREATE USER [${AZURE_DB_USER}] FOR LOGIN [${AZURE_DB_USER}]; END; IF NOT EXISTS (SELECT 1 FROM sys.database_role_members drm JOIN sys.database_principals r ON drm.role_principal_id = r.principal_id JOIN sys.database_principals m ON drm.member_principal_id = m.principal_id WHERE r.name = 'db_owner' AND m.name='${AZURE_DB_USER}') BEGIN ALTER ROLE db_owner ADD MEMBER [${AZURE_DB_USER}]; END"
+
+echo "endpoint=${ENDPOINT}" >> $GITHUB_OUTPUT
+echo "db=${AZURE_DB}" >> $GITHUB_OUTPUT
+echo "username=${AZURE_DB_USER}@${AZURE_NAME}-sqlsrv" >> $GITHUB_OUTPUT

.github/scripts/download-node-tooling.sh

@@ -0,0 +1,52 @@
+#!/bin/bash -e
+
+abort() {
+  echo $1
+  exit 1
+}
+
+download_file() {
+    local url=$1
+    local target=$2
+
+    echo "Downloading $(basename "$url")..."
+    mkdir -p "$(dirname "$target")"
+    curl --silent --fail --show-error --retry 3 --retry-delay 30 --output "$target" "$url"
+}
+
+node_url() {
+    local version=$1
+    local platform=$2
+    local root_url="https://nodejs.org/dist/v$version"
+
+    if [ "$platform" == "windows" ]; then
+        echo "$root_url/win-x64/node.exe"
+    elif [ "$platform" == "linux" ]; then
+        echo "$root_url/node-v$version-linux-x64.tar.gz"
+    else
+        abort "Unsupported platform: $platform"
+    fi
+}
+
+pnpm_url() {
+    local version=$1
+
+    echo "https://registry.npmjs.org/pnpm/-/pnpm-$version.tgz"
+}
+
+main() {
+    local node_version=$1
+    local pnpm_version=$2
+
+    if [ "$node_version" == "" ] || [ "$pnpm_version" == "" ]; then
+        abort "Usage: download-node-tooling.sh <NODE_VERSION> <PNPM_VERSION>"
+    fi
+
+    local target_directory=~/.m2/repository/com/github/eirslett
+
+    download_file "$(node_url "$node_version" "linux")" "$target_directory/node/$node_version/node-$node_version-linux-x64.tar.gz"
+    download_file "$(node_url "$node_version" "windows")" "$target_directory/node/$node_version/node-$node_version-win-x64.exe"
+    download_file "$(pnpm_url "$pnpm_version")" "$target_directory/pnpm/$pnpm_version/pnpm-$pnpm_version.tar.gz"
+}
+
+main "$1" "$2"

.github/scripts/find-modules-with-unit-tests.sh

@@ -0,0 +1,9 @@
+#!/bin/bash -e
+
+find . -path '**/src/test/java' -type d \
+  | grep -v -E '\./(docs|distribution|misc|operator|((.+/)?tests)|testsuite|test-framework|quarkus)/' \
+  | sed 's|/src/test/java||' \
+  | sed 's|./||' \
+  | sort \
+  | tr '\n' ',' \
+  | sed 's/,$//'

.github/scripts/pr-find-issues-test.sh

@@ -5,7 +5,7 @@ source ./pr-find-issues.sh
 
 function testParsing() {
     echo -n "$1 -> $2 "
-    if [ $(parse_issues "$1") != "$2" ]; then
+    if [ "$(parse_issues "$1")" != "$2" ]; then
         echo "(failure)"
         return 1
     fi
@@ -22,3 +22,4 @@ trap 'testFailed' ERR
 testParsing "Closes #123" "123"
 testParsing "Fixes #123" "123"
 testParsing "Fixes: #123" "123"
+testParsing "Fixes https://github.com/keycloak/keycloak/issues/123" "123"

.github/scripts/pr-find-issues.sh

@@ -8,7 +8,11 @@ if [ "$REPO" == "" ]; then
 fi
 
 function parse_issues() {
-    echo "$1" | grep -i -P -o "(close|closes|closed|resolve|resolves|resolved|fixes|fixed):? #[[:digit:]]*" | cut -d '#' -f 2 | sort -n
+    echo "$1" | \
+      grep -i -P -o "(close|closes|closed|resolve|resolves|resolved|fixes|fixed):? (#|https://github.com/keycloak/keycloak/issues/)[[:digit:]]*" | \
+      sed -e 's|https://github.com/keycloak/keycloak/issues/|#|g' | \
+      sed -e 's|keycloak/keycloak/issues/|#|g' | \
+      cut -d '#' -f 2 | sort -n
 }
 
 if [ "$PR" != "" ]; then

.github/scripts/prepare-quarkus-next.sh

@@ -7,7 +7,7 @@ add_repository() {
 
   local id="sonatype-snapshots"
   local name="Sonatype Snapshots"
-  local url="https://s01.oss.sonatype.org/content/repositories/snapshots/"
+  local url="https://central.sonatype.com/repository/maven-snapshots/"
 
   # Decide the tag based on the element
   local tag

.github/scripts/run-fips-it.sh

@@ -1,5 +1,6 @@
 #!/bin/bash -x
 
+rm -f /etc/system-fips
 dnf install -y java-21-openjdk-devel
 fips-mode-setup --enable --no-bootcfg
 fips-mode-setup --is-enabled
@@ -7,8 +8,10 @@ if [ $? -ne 0 ]; then
   exit 1
 fi
 STRICT_OPTIONS=""
+TESTSUITE_NAME="FipsNonStrictTestSuite"
 if [ "$1" = "strict" ]; then
-  STRICT_OPTIONS="-Dauth.server.fips.mode=strict -Dauth.server.supported.keystore.types=BCFKS -Dauth.server.keystore.type=bcfks -Dauth.server.supported.rsa.key.sizes=2048,4096"
+  STRICT_OPTIONS="-Dauth.server.fips.mode=strict -Dauth.server.supported.keystore.types=BCFKS -Dauth.server.keystore.type=bcfks -Dauth.server.supported.rsa.key.sizes=2048,3072,4096"
+  TESTSUITE_NAME="FipsStrictTestSuite"
 fi
 echo "STRICT_OPTIONS: $STRICT_OPTIONS"
 TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips`
@@ -16,5 +19,26 @@ echo "Tests: $TESTS"
 export JAVA_HOME=/etc/alternatives/java_sdk_21
 set -o pipefail
 
+# Build adapter distributions
+./mvnw install -DskipTests -f distribution/pom.xml
+if [ $? -ne 0 ]; then
+  exit 1
+fi
+
+# Build app servers
+./mvnw install -DskipTests -Pbuild-app-servers -f testsuite/integration-arquillian/servers/app-server/pom.xml
+if [ $? -ne 0 ]; then
+  exit 1
+fi
+
+# Prepare Quarkus distribution with BCFIPS
+./mvnw install -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus,auth-server-fips140-2
+if [ $? -ne 0 ]; then
+  exit 1
+fi
+
 # Profile app-server-wildfly needs to be explicitly set for FIPS tests
 ./mvnw test -Dsurefire.rerunFailingTestsCount=$SUREFIRE_RERUN_FAILING_COUNT -nsu -B -Pauth-server-quarkus,auth-server-fips140-2,app-server-wildfly -Dcom.redhat.fips=false $STRICT_OPTIONS -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh
+
+# New Base Tests
+./mvnw package -nsu -B -Dcom.redhat.fips=false -Dtest=$TESTSUITE_NAME -pl tests/base

.github/scripts/run-fips-ut.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+rm -f /etc/system-fips
 dnf install -y java-21-openjdk-devel crypto-policies-scripts
 fips-mode-setup --enable --no-bootcfg
 fips-mode-setup --is-enabled

.github/scripts/snyk-report.sh

@@ -1,120 +0,0 @@
-#!/bin/bash -e
-
-KEYCLOAK_REPO="keycloak/keycloak"
-BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD)
-
-# Extract the version number if BRANCH_NAME contains a slash
-if [[ $BRANCH_NAME == *\/* ]]; then
-    BRANCH_NAME=$(echo $BRANCH_NAME | grep -oP '\d+\.\d+')
-fi
-
-# Prevent duplicates by checking if a similar CVE ID exists
-check_github_issue_exists() {
-    local issue_title="$1"
-    # Extract the CVE ID
-    local CVE_ID=$(echo "$issue_title" | grep -oE '(CVE-[0-9]{4}-[0-9]{4,7}|SNYK-[A-Z]+-[A-Z0-9]+-[0-9]{4,7})')
-    local search_url="https://api.github.com/search/issues?q=$CVE_ID+is%3Aissue+sort%3Aupdated-desc+repo:$KEYCLOAK_REPO"
-    local response=$(curl -f -s -H "Authorization: token $GITHUB_TOKEN" -H "Accept: application/vnd.github.v3+json" "$search_url")
-    local count=$(echo "$response" | jq '.total_count')
-
-    # Check for bad credentials
-    if printf "%s" "$response" | jq -e '.message == "Bad credentials"' > /dev/null; then
-        printf "Error: Bad credentials\n%s\n" "$response"
-        echo "Error: Bad credentials. Aborting script."
-        exit 1
-    fi
-
-    # Check for rate limiting
-    if printf "%s" "$response" | jq -e '.message == "API rate limit exceeded"' > /dev/null; then
-        printf "Error: API rate limit exceeded\n%s\n" "$response"
-        exit 1
-    fi
-
-    # Check if total_count is available
-    if [[ $count == "null" ]]; then
-        printf "Error: total_count not available in response\n%s\n" "$response"
-        exit 1
-    fi
-
-    if [[ $count -gt 0 ]]; then
-        local issue_id=$(echo "$response" | jq -r '.items[0].number')
-        echo "$issue_id"
-    else
-        echo "1"
-    fi
-}
-
-# Create a GH issue based on the content of the CVE
-create_github_issue() {
-    local title="$1"
-    local body="$2"
-
-    local api_url="https://api.github.com/repos/$KEYCLOAK_REPO/issues"
-    local data=$(jq -n --arg title "$title" --arg body "$body" --arg branch "backport/$BRANCH_NAME" \
-                 '{title: $title, body: $body, labels: ["status/triage", "kind/cve", "kind/bug", $branch]}')
-    local response=$(curl -f -s -w "%{http_code}" -X POST -H "Authorization: token $GITHUB_TOKEN" -H "Content-Type: application/json" -d "$data" "$api_url")
-    local http_code=$(echo "$response" | tail -n1)
-
-    if [[ $http_code -eq 201 ]]; then
-        return 0
-    else
-        printf "Issue creation failed with status: %s\n" "$http_code"
-        exit 1
-    fi
-}
-
-# Update existing issue based on the branches affected
-update_github_issue() {
-    local issue_id="$1"
-    local api_url="https://api.github.com/repos/$KEYCLOAK_REPO/issues/$issue_id"
-    local existing_labels=$(curl -f -s -H "Authorization: token $GITHUB_TOKEN" -H "Accept: application/vnd.github.v3+json" "$api_url" | jq '.labels | .[].name' | jq -s .)
-    local new_label="backport/$BRANCH_NAME"
-    local updated_labels=$(echo "$existing_labels" | jq --arg new_label "$new_label" '. + [$new_label] | unique')
-    local data=$(jq -n --argjson labels "$updated_labels" '{labels: $labels}')
-    local response=$(curl -f -s -w "%{http_code}" -X PATCH -H "Authorization: token $GITHUB_TOKEN" -H "Content-Type: application/json" -d "$data" "$api_url")
-    local http_code=$(echo "$response" | tail -n1)
-
-    if [[ $http_code -eq 200 ]]; then
-        return 0
-    else
-        printf "Issue update failed with status: %s\n" "$http_code"
-        exit 1
-    fi
-}
-
-check_dependencies() {
-    command -v jq >/dev/null 2>&1 || { echo >&2 "jq is required. Exiting."; exit 1; }
-}
-
-# Parse the CVE report coming from SNYK
-parse_and_process_vulnerabilities() {
-    jq -c '.vulnerabilities[] | select(.type != "license")' | while IFS= read -r vulnerability; do
-        local cve_title=$(echo "$vulnerability" | jq -r '(.identifiers.CVE[0] // .id) + " - " + (.title // "N/A")')
-        local module=$(echo "$vulnerability" | jq -r '((.mavenModuleName.groupId // "unknown") + ":" + (.mavenModuleName.artifactId // "unknown"))')
-        local title="${cve_title} in ${module}"
-        local from_path=$(echo "$vulnerability" | jq -r 'if .from != [] then "Introduced through: " + (.from | join(" › ")) else "" end')
-        local description=$(echo "$vulnerability" | jq -r '.description // "N/A"')
-
-        printf -v body "%s\n%s\n%s\n%s" "$title" "$module" "$from_path" "$description"
-        issue_id=$(check_github_issue_exists "$cve_title")
-        if [[ $issue_id -eq 1 ]]; then
-            create_github_issue "$title" "$body"
-        else
-            update_github_issue "$issue_id"
-        fi
-    done
-}
-
-main() {
-    check_dependencies
-
-    if [ -t 0 ]; then
-        echo "Error: No input provided. Please pipe in a JSON file."
-        echo "Usage: cat snyk-report.json | $0"
-        exit 1
-    else
-        parse_and_process_vulnerabilities
-    fi
-}
-
-main "$@"

.github/scripts/version-compatibility.sh

@@ -0,0 +1,30 @@
+#!/bin/bash -e
+
+if [[ "$RUNNER_DEBUG" == "1" ]]; then
+  set -x
+fi
+
+TARGET_BRANCH="$1"
+REPO="${2:-keycloak}"
+ORG="${3:-keycloak}"
+
+if [[ "${TARGET_BRANCH}" != "release/"* ]]; then
+  echo "skip"
+  exit 0
+fi
+
+ALL_RELEASES=$(gh release list \
+  --repo "${ORG}/${REPO}" \
+  --exclude-drafts \
+  --exclude-pre-releases \
+  --json name \
+  --template '{{range .}}{{.name}}{{"\n"}}{{end}}'
+)
+MAJOR_MINOR=${TARGET_BRANCH#"release/"}
+MAJOR_MINOR_RELEASES=$(echo "${ALL_RELEASES}" | (grep "${MAJOR_MINOR}" || true))
+
+if [[ -z "${MAJOR_MINOR_RELEASES}" ]]; then
+  echo "skip"
+else
+  echo -n "${MAJOR_MINOR_RELEASES}" | jq -cnR '[inputs] | map({version: .})'
+fi

.github/teams.yml

@@ -2,8 +2,10 @@ team/cloud-native:
   - area/admin/cli
   - area/dist/quarkus
   - area/operator
+  - area/observability
+  - area/welcome/ui
 
-team/continuous-testing:
+team/continuous-delivery:
   - area/ci
   - area/testsuite
 
@@ -29,6 +31,7 @@ team/core-iam:
   - area/ldap
   - area/organizations
   - area/user-profile
+  - area/workflows
 
 team/core-shared:
   - area/account/api
@@ -38,14 +41,12 @@ team/core-shared:
   - area/import-export
   - area/infinispan
   - area/storage
-
-team/sre:
-
-team/ui:
   - area/account/ui
   - area/admin/client-js
   - area/admin/ui
-  - area/welcome/ui
+
+team/sre:
+  - area/observability
 
 team/community:
   - area/translations

.github/workflows/aurora-delete.yml

@@ -12,12 +12,15 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   delete:
     name: Delete Aurora DB
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize AWS client
         run: |

.github/workflows/codeql-analysis.yml

@@ -22,8 +22,10 @@ defaults:
   run:
     shell: bash
 
-jobs:
+permissions:
+  contents: read
 
+jobs:
   conditional:
     name: Check conditional workflows and jobs
     runs-on: ubuntu-latest
@@ -31,8 +33,12 @@ jobs:
       java: ${{ steps.conditional.outputs.codeql-java }}
       javascript: ${{ steps.conditional.outputs.codeql-javascript }}
       typescript: ${{ steps.conditional.outputs.codeql-typescript }}
+      actions: ${{ steps.conditional.outputs.codeql-actions }}
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - id: conditional
         uses: ./.github/actions/conditional
@@ -43,15 +49,17 @@ jobs:
     name: CodeQL Java
     needs: conditional
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for SARIF upload
     if: needs.conditional.outputs.java == 'true'
     outputs:
       conclusion: ${{ steps.check.outputs.conclusion }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           languages: java
 
@@ -59,7 +67,7 @@ jobs:
         uses: ./.github/actions/build-keycloak
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           wait-for-processing: true
         env:
@@ -69,22 +77,25 @@ jobs:
     name: CodeQL JavaScript
     needs: conditional
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for SARIF upload
     if: needs.conditional.outputs.javascript == 'true'
     outputs:
       conclusion: ${{ steps.check.outputs.conclusion }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         env:
           CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
         with:
           languages: javascript
+          config-file: ./.github/codeql/codeql-config-javascript.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           wait-for-processing: true
         env:
@@ -94,22 +105,52 @@ jobs:
     name: CodeQL TypeScript
     needs: conditional
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for SARIF upload
     if: needs.conditional.outputs.typescript == 'true'
     outputs:
       conclusion: ${{ steps.check.outputs.conclusion }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         env:
           CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
         with:
           languages: typescript
+          config-file: ./.github/codeql/codeql-config-typescript.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        with:
+          wait-for-processing: true
+        env:
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
+
+  actions:
+    name: CodeQL GitHub Actions
+    needs: conditional
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for SARIF upload
+    if: needs.conditional.outputs.actions == 'true'
+    outputs:
+      conclusion: ${{ steps.check.outputs.conclusion }}
+
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        env:
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
+        with:
+          languages: actions
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           wait-for-processing: true
         env:
@@ -123,9 +164,10 @@ jobs:
       - java
       - javascript
       - typescript
+      - actions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: ./.github/actions/status-check
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/documentation.yml

@@ -21,6 +21,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+  
 jobs:
 
   conditional:
@@ -28,8 +31,11 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       documentation: ${{ steps.conditional.outputs.documentation }}
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - id: conditional
         uses: ./.github/actions/conditional
@@ -42,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: conditional
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - id: setup-java
         name: Setup Java
@@ -60,7 +66,7 @@ jobs:
 
       - id: upload-keycloak-documentation
         name: Upload Keycloak documentation
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: keycloak-documentation
           path: docs/documentation/dist/target/*.zip
@@ -72,7 +78,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: conditional
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - id: setup-java
         name: Setup Java
@@ -96,7 +102,7 @@ jobs:
       - build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: ./.github/actions/status-check
         with:
-          jobs: ${{ toJSON(needs) }}
+          jobs: ${{ toJSON(needs) }}

.github/workflows/guides.yml

@@ -21,6 +21,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
 
   conditional:
@@ -29,8 +32,11 @@ jobs:
     outputs:
       guides: ${{ steps.conditional.outputs.guides }}
       ci: ${{ steps.conditional.outputs.ci }}
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - id: conditional
         uses: ./.github/actions/conditional
@@ -44,7 +50,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: conditional
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Build Keycloak
         uses: ./.github/actions/build-keycloak
@@ -57,7 +63,7 @@ jobs:
       - build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: ./.github/actions/status-check
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/js-ci.yml

@@ -21,14 +21,20 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   conditional:
     name: Check conditional workflows and jobs
     runs-on: ubuntu-latest
     outputs:
       js-ci: ${{ steps.conditional.outputs.js }}
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - id: conditional
         uses: ./.github/actions/conditional
@@ -41,7 +47,7 @@ jobs:
     if: needs.conditional.outputs.js-ci == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Build Keycloak
         uses: ./.github/actions/build-keycloak
@@ -51,7 +57,7 @@ jobs:
           mv ./quarkus/dist/target/keycloak-999.0.0-SNAPSHOT.tar.gz ./keycloak-999.0.0-SNAPSHOT.tar.gz
 
       - name: Upload Keycloak dist
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: keycloak
           path: keycloak-999.0.0-SNAPSHOT.tar.gz
@@ -64,13 +70,15 @@ jobs:
     env:
       WORKSPACE: "@keycloak/keycloak-admin-client"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - uses: ./.github/actions/pnpm-setup
 
       - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} lint
+        working-directory: js
 
       - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} build
+        working-directory: js
 
   ui-shared:
     name: UI Shared
@@ -80,13 +88,15 @@ jobs:
     env:
       WORKSPACE: "@keycloak/keycloak-ui-shared"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - uses: ./.github/actions/pnpm-setup
 
       - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} lint
+        working-directory: js
 
       - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} build
+        working-directory: js
 
   account-ui:
     name: Account UI
@@ -96,13 +106,15 @@ jobs:
     env:
       WORKSPACE: "@keycloak/keycloak-account-ui"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - uses: ./.github/actions/pnpm-setup
 
       - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} lint
+        working-directory: js
 
       - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} build
+        working-directory: js
 
   admin-ui:
     name: Admin UI
@@ -112,17 +124,18 @@ jobs:
     env:
       WORKSPACE: keycloak-admin-ui
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - uses: ./.github/actions/pnpm-setup
 
       - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} lint
+        working-directory: js
 
       - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} test
+        working-directory: js
 
       - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} build
-
-      - run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} cy:check-types
+        working-directory: js
 
   account-ui-e2e:
     name: Account UI E2E
@@ -133,13 +146,20 @@ jobs:
     runs-on: ubuntu-latest
     env:
       WORKSPACE: "@keycloak/keycloak-account-ui"
+    strategy:
+      matrix:
+        browser: [chromium, firefox]
+        exclude:
+          # Only test with Firefox on scheduled runs
+          - browser: ${{ github.event_name != 'workflow_dispatch' && 'firefox' || '' }}
+      fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - uses: ./.github/actions/pnpm-setup
 
       - name: Download Keycloak server
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: keycloak
 
@@ -156,81 +176,51 @@ jobs:
 
       - name: Install Playwright browsers
         run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} exec playwright install --with-deps
+        working-directory: js
 
       - name: Run Playwright tests
-        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} test
+        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} test -- --project=${{ matrix.browser }}
+        working-directory: js
 
       - name: Upload Playwright report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         if: always()
         with:
-          name: account-ui-playwright-report
+          name: account-ui-playwright-report-${{ matrix.browser }}
           path: js/apps/account-ui/playwright-report
           retention-days: 30
 
       - name: Upload server logs
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
-          name: account-ui-server-log
+          name: account-ui-server-log-${{ matrix.browser }}
           path: ~/server.log
 
-
-  generate-test-seed:
-    name: Generate Test Seed
-    needs:
-      - conditional
-    if: needs.conditional.outputs.js-ci == 'true'
-    runs-on: ubuntu-latest
-    outputs:
-      seed: ${{ steps.generate-random-number.outputs.value }}
-    steps:
-      - name: Generate random number
-        id: generate-random-number
-        shell: bash
-        run: |
-          echo "value=$(shuf -i 1-100 -n 1)" >> $GITHUB_OUTPUT
-
   admin-ui-e2e:
     name: Admin UI E2E
     needs:
       - conditional
       - build-keycloak
-      - generate-test-seed
     if: needs.conditional.outputs.js-ci == 'true'
     runs-on: ubuntu-latest
     env:
-      WORKSPACE: keycloak-admin-ui
+      WORKSPACE: "@keycloak/keycloak-admin-ui"
+      RETRY_COUNT: 3
     strategy:
       matrix:
-        container: [1, 2, 3, 4, 5]
-        browser: [chrome, firefox]
+        browser: [chromium, firefox]
         exclude:
           # Only test with Firefox on scheduled runs
           - browser: ${{ github.event_name != 'workflow_dispatch' && 'firefox' || '' }}
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Install Google Chrome
-        if: matrix.browser == 'chrome'
-        uses: browser-actions/setup-chrome@v1
-        with:
-          chrome-version: stable
-
-      - name: Install Firefox
-        if: matrix.browser == 'firefox'
-        uses: browser-actions/setup-firefox@v1
-        with:
-          firefox-version: latest
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - uses: ./.github/actions/pnpm-setup
 
-      - name: Compile Admin Client
-        run: pnpm --fail-if-no-match --filter @keycloak/keycloak-admin-client build
-
       - name: Download Keycloak server
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: keycloak
 
@@ -240,43 +230,71 @@ jobs:
       - name: Start Keycloak server
         run: |
           tar xfvz keycloak-999.0.0-SNAPSHOT.tar.gz
-          keycloak-999.0.0-SNAPSHOT/bin/kc.sh start-dev --features=admin-fine-grained-authz,transient-users &> ~/server.log &
+          keycloak-999.0.0-SNAPSHOT/bin/kc.sh start-dev --features=admin-fine-grained-authz:v2,transient-users,spiffe,oid4vc-vci,kubernetes-service-accounts,jwt-authorization-grant,workflows &> ~/server.log &
         env:
           KC_BOOTSTRAP_ADMIN_USERNAME: admin
           KC_BOOTSTRAP_ADMIN_PASSWORD: admin
           KC_BOOTSTRAP_ADMIN_CLIENT_ID: temporary-admin-service
           KC_BOOTSTRAP_ADMIN_CLIENT_SECRET: temporary-admin-service
 
-      - name: Start LDAP server
-        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} cy:ldap-server &
+      - name: Install Playwright browsers
+        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} exec playwright install --with-deps
+        working-directory: js
 
-      - name: Run Cypress
-        uses: cypress-io/github-action@v6
+      - name: Run Playwright tests
+        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} test:integration -- --project=${{ matrix.browser }}
+        working-directory: js
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        if: always()
         with:
-          install: false
-          browser: ${{ matrix.browser }}
-          wait-on: http://localhost:8080
-          working-directory: js/apps/admin-ui
-        env:
-          SPLIT: ${{ strategy.job-total }}
-          SPLIT_INDEX: ${{ strategy.job-index }}
-          SPLIT_RANDOM_SEED: ${{ needs.generate-test-seed.outputs.seed }}
+          name: admin-ui-playwright-report-${{ matrix.browser }}
+          path: js/apps/admin-ui/playwright-report
+          retention-days: 30
 
       - name: Upload server logs
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
-          name: admin-ui-server-log-${{ matrix.container }}-${{ matrix.browser }}
+          name: admin-ui-server-log-${{ matrix.browser }}
           path: ~/server.log
 
-      - name: Upload Cypress videos
-        uses: actions/upload-artifact@v4
-        if: always() && github.repository != 'keycloak/keycloak-private'
+  keycloak-admin-client:
+    name: Keycloak Admin Client
+    needs:
+      - conditional
+      - build-keycloak
+    if: needs.conditional.outputs.js-ci == 'true'
+    runs-on: ubuntu-latest
+    env:
+      WORKSPACE: "@keycloak/keycloak-admin-client"
+      RETRY_COUNT: 3
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Download Keycloak server
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
-          name: cypress-videos-${{ matrix.container }}-${{ matrix.browser }}
-          path: js/apps/admin-ui/cypress/videos
-          if-no-files-found: ignore
-          retention-days: 10
+          name: keycloak
+
+      - name: Setup Java
+        uses: ./.github/actions/java-setup
+
+      - name: Start Keycloak server
+        run: |
+          tar xfvz keycloak-999.0.0-SNAPSHOT.tar.gz
+          keycloak-999.0.0-SNAPSHOT/bin/kc.sh start-dev --http-port 8180 --features transient-users,oid4vc-vci,declarative-ui,quick-theme,spiffe,kubernetes-service-accounts,workflows,client-auth-federated,jwt-authorization-grant &> ~/server.log &
+          curl --connect-timeout 5 --max-time 10 --retry 10 --retry-all-errors --retry-delay 10 --retry-max-time 120 -s -o /dev/null http://127.0.0.1:8180
+        env:
+          KC_BOOTSTRAP_ADMIN_USERNAME: admin
+          KC_BOOTSTRAP_ADMIN_PASSWORD: admin
+
+      - uses: ./.github/actions/pnpm-setup
+
+      - name: Run tests
+        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} run test
+        working-directory: js
 
   check:
     name: Status Check - Keycloak JavaScript CI
@@ -290,9 +308,10 @@ jobs:
       - account-ui-e2e
       - admin-ui
       - admin-ui-e2e
+      - keycloak-admin-client
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: ./.github/actions/status-check
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/label.yml

@@ -3,16 +3,17 @@ on:
   pull_request_target:
     types: closed
 
+permissions:
+  contents: read
+  
 jobs:
   label:
 
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      issues: write
-
+      issues: write # Required to add labels to Issues
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           sparse-checkout: .github/scripts
       - name: Add release labels on merge
@@ -25,9 +26,11 @@ jobs:
           echo "**PR:** [$PR_NUMBER](https://github.com/$GITHUB_REPOSITORY/pull/$PR_NUMBER)" >> $GITHUB_STEP_SUMMARY
           
           if [ "$GITHUB_BASE_REF" == "main" ]; then
-            LAST_MAJOR="$(gh api /repos/$GITHUB_REPOSITORY/branches --paginate --jq .[].name | grep '^release/' | cut -d '/' -f 2 | cut -d '.' -f 1 | sort -n -r | head -n 1)"
-            NEXT_MAJOR="$(($LAST_MAJOR + 1))"
-            LABEL="release/$NEXT_MAJOR.0.0"
+            LAST_RELEASE="$(gh api /repos/$GITHUB_REPOSITORY/branches --paginate --jq .[].name | grep '^release/' | cut -d '/' -f 2 | sort -n -r | head -n 1)"
+            LAST_MINOR=$(echo $LAST_RELEASE | cut -d '.' -f 2)
+            NEXT_MAJOR=$(echo $LAST_RELEASE | cut -d '.' -f 1)
+            NEXT_MINOR="$(($LAST_MINOR + 1))"
+            LABEL="release/$NEXT_MAJOR.$NEXT_MINOR.0"
             BACKPORT_LABEL="backport/main"
           elif [[ "$GITHUB_BASE_REF" = release/* ]]; then
             MAJOR_MINOR="$(echo $GITHUB_BASE_REF | cut -d '/' -f 2)"
@@ -38,9 +41,9 @@ jobs:
           fi
           
           echo "Label:      $LABEL"
-          echo "**Label:** [$LABEL](https://github.com/$GITHUB_REPOSITORY/labels/$(echo $LABEL | sed 's|/|%2F|g'))" >> $GITHUB_STEP_SUMMARY
+          echo "**Label:** [$LABEL](https://github.com/$GITHUB_REPOSITORY/labels/$LABEL)" >> $GITHUB_STEP_SUMMARY
           
-          gh api "repos/$GITHUB_REPOSITORY/labels/$(echo $LABEL | sed 's|/|%2F|g')" --silent 2>/dev/null || gh label create -R "$GITHUB_REPOSITORY" "$LABEL" -c "0E8A16"
+          gh api "/repos/$GITHUB_REPOSITORY/labels/$LABEL" --silent 2>/dev/null || gh label create -R "$GITHUB_REPOSITORY" "$LABEL" -c "0E8A16"
           
           echo ""
           echo "" >> $GITHUB_STEP_SUMMARY

.github/workflows/operator-ci.yml

@@ -10,8 +10,8 @@ on:
 
 env:
   MAVEN_ARGS: "-B -nsu -Daether.connector.http.connectionMaxTtl=25"
-  MINIKUBE_VERSION: v1.32.0
-  KUBERNETES_VERSION: v1.27.10 # OCP 4.14
+  MINIKUBE_VERSION: v1.37.0
+  KUBERNETES_VERSION: v1.32.9 # OCP 4.19
   MINIKUBE_MEMORY: 4096 # Without explicitly setting memory, minikube uses ~25% of available memory which might be too little on smaller GitHub runners for running the tests
 
 defaults:
@@ -23,6 +23,9 @@ concurrency:
   group: operator-ci-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   conditional:
@@ -30,8 +33,11 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       operator: ${{ steps.conditional.outputs.operator }}
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - id: conditional
         uses: ./.github/actions/conditional
@@ -44,7 +50,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: conditional
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Build Keycloak
         uses: ./.github/actions/build-keycloak
@@ -52,56 +58,29 @@ jobs:
           upload-m2-repo: false
           upload-dist: true
 
-  test-local:
-    name: Test local
+  test-local-apiserver:
+    name: Test local apiserver
     runs-on: ubuntu-latest
     needs: [build]
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Set version
-        id: vars
-        run: echo "version_local=0.0.1-${GITHUB_SHA::6}" >> $GITHUB_ENV
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Java
         uses: ./.github/actions/java-setup
 
-      - name: Setup Minikube-Kubernetes
-        uses: manusa/actions-setup-minikube@v2.11.0
-        with:
-          minikube version: ${{ env.MINIKUBE_VERSION }}
-          kubernetes version: ${{ env.KUBERNETES_VERSION }}
-          github token: ${{ secrets.GITHUB_TOKEN }}
-          driver: docker
-          start args: --addons=ingress --memory=${{ env.MINIKUBE_MEMORY }}
-
-      - name: Download keycloak distribution
-        id: download-keycloak-dist
-        uses: actions/download-artifact@v4
-        with:
-          name: keycloak-dist
-          path: quarkus/container
-
-      - name: Build Keycloak Docker images
-        run: |
-          eval $(minikube -p minikube docker-env)
-          (cd quarkus/container && docker build --build-arg KEYCLOAK_DIST=$(ls keycloak-*.tar.gz) . -t keycloak:${{ env.version_local }})
-          (cd operator && ./scripts/build-testing-docker-images.sh ${{ env.version_local }} keycloak custom-keycloak)
-
       - name: Test operator running locally
         run: |
-          ./mvnw install -Poperator -pl :keycloak-operator -am \
-              -Dquarkus.kubernetes.image-pull-policy=IfNotPresent \
-              -Dkc.operator.keycloak.image=keycloak:${{ env.version_local }} \
-              -Dtest.operator.custom.image=custom-keycloak:${{ env.version_local }} \
-              -Dkc.operator.keycloak.image-pull-policy=Never
+          ./mvnw install -Poperator -pl :keycloak-operator -am
 
   test-remote:
     name: Test remote
     runs-on: ubuntu-latest
     needs: [build]
+    strategy:
+          matrix:
+            suite: [slow, fast]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set version
         id: vars
@@ -111,17 +90,17 @@ jobs:
         uses: ./.github/actions/java-setup
 
       - name: Setup Minikube-Kubernetes
-        uses: manusa/actions-setup-minikube@v2.11.0
+        uses: manusa/actions-setup-minikube@b589f2d61bf96695c546929c72b38563e856059d # v2.14.0
         with:
           minikube version: ${{ env.MINIKUBE_VERSION }}
           kubernetes version: ${{ env.KUBERNETES_VERSION }}
           github token: ${{ secrets.GITHUB_TOKEN }}
           driver: docker
-          start args: --addons=ingress --memory=${{ env.MINIKUBE_MEMORY }}
+          start args: --addons=ingress --memory=${{ env.MINIKUBE_MEMORY }} --cni calico --cpus=max
 
       - name: Download keycloak distribution
         id: download-keycloak-dist
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: keycloak-dist
           path: quarkus/container
@@ -134,6 +113,10 @@ jobs:
 
       - name: Test operator running in cluster
         run: |
+          declare -A PARAMS
+          PARAMS["slow"]="-Dkc.quarkus.tests.groups=slow"
+          PARAMS["fast"]='-Dkc.quarkus.tests.groups=!slow'
+          
           eval $(minikube -p minikube docker-env)
           ./mvnw install -Poperator -pl :keycloak-operator -am \
               -Dquarkus.container-image.build=true \
@@ -141,33 +124,38 @@ jobs:
               -Dkc.operator.keycloak.image=keycloak:${{ env.version_remote }} \
               -Dquarkus.kubernetes.env.vars.kc-operator-keycloak-image-pull-policy=Never \
               -Dtest.operator.custom.image=custom-keycloak:${{ env.version_remote }} \
-              --no-transfer-progress -Dtest.operator.deployment=remote
+              --no-transfer-progress -Dtest.operator.deployment=remote ${PARAMS["${{ matrix.suite }}"]}
 
   test-olm:
     name: Test OLM installation
     runs-on: ubuntu-latest
     needs: [build]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Java
         uses: ./.github/actions/java-setup
 
       - name: Setup Minikube-Kubernetes
-        uses: manusa/actions-setup-minikube@v2.11.0
+        uses: manusa/actions-setup-minikube@b589f2d61bf96695c546929c72b38563e856059d # v2.14.0
         with:
           minikube version: ${{ env.MINIKUBE_VERSION }}
           kubernetes version: ${{ env.KUBERNETES_VERSION }}
           github token: ${{ secrets.GITHUB_TOKEN }}
           driver: docker
-          start args: --memory=${{ env.MINIKUBE_MEMORY }}
+          start args: --memory=${{ env.MINIKUBE_MEMORY }} --addons=registry --insecure-registry=192.168.49.0/24
 
       - name: Install OPM
-        uses: redhat-actions/openshift-tools-installer@v1
+        uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1.13.1
         with:
           source: github
           opm: 1.21.0
 
+      - name: Install OC
+        uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1.13.1
+        with:
+          oc: 4
+
       - name: Install Yq
         run: sudo snap install yq
 
@@ -177,7 +165,7 @@ jobs:
 
       - name: Download keycloak distribution
         id: download-keycloak-dist
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: keycloak-dist
           path: quarkus/container
@@ -185,29 +173,20 @@ jobs:
       - name: Arrange OLM test installation
         working-directory: operator
         run: |
+          echo "Minikube IP $(minikube ip)"
           eval $(minikube -p minikube docker-env)
-          ./scripts/olm-testing.sh ${GITHUB_SHA::6}
+          REGISTRY=$(minikube ip):5000 ./scripts/olm-testing.sh ${GITHUB_SHA::6}
 
       - name: Deploy an example Keycloak and wait for it to be ready
-        working-directory: operator
+        working-directory: operator/scripts
         run: |
-          kubectl apply -f src/test/resources/example-postgres.yaml
-          ./scripts/check-crds-installed.sh
-          kubectl apply -f src/test/resources/example-db-secret.yaml
-          kubectl apply -f src/test/resources/example-tls-secret.yaml
-          kubectl apply -f src/test/resources/example-keycloak.yaml
-          kubectl apply -f src/test/resources/example-realm.yaml
-          # Wait for the CRs to be ready
-          ./scripts/check-examples-installed.sh
+          ./check-crd-installed.sh keycloaks
+          ./check-crd-installed.sh keycloakrealmimports
+          ./deploy-examples.sh
           
       - name: Single namespace cleanup
-        working-directory: operator
-        run: |
-          kubectl delete -f src/test/resources/example-postgres.yaml
-          kubectl delete -f src/test/resources/example-db-secret.yaml
-          kubectl delete -f src/test/resources/example-tls-secret.yaml
-          kubectl delete -f src/test/resources/example-keycloak.yaml
-          kubectl delete -f src/test/resources/example-realm.yaml
+        working-directory: operator/scripts
+        run: ./undeploy-examples.sh
       
       - name: Arrange OLM test installation for all namespaces
         working-directory: operator
@@ -216,16 +195,41 @@ jobs:
           kubectl patch operatorgroup og --type json --patch '[{"op":"remove","path":"/spec/targetNamespaces"}]'
        
       - name: Deploy an example Keycloak in a different namespace and wait for it to be ready
-        working-directory: operator
+        working-directory: operator/scripts
         run: |
           kubectl create ns keycloak
-          kubectl apply -f src/test/resources/example-postgres.yaml -n keycloak
-          kubectl apply -f src/test/resources/example-db-secret.yaml -n keycloak
-          kubectl apply -f src/test/resources/example-tls-secret.yaml -n keycloak
-          kubectl apply -f src/test/resources/example-keycloak.yaml -n keycloak
-          kubectl apply -f src/test/resources/example-realm.yaml -n keycloak
-          # Wait for the CRs to be ready
-          ./scripts/check-examples-installed.sh keycloak
+          ./deploy-examples.sh keycloak
+          ./undeploy-examples.sh keycloak
+
+      - name: Install ServiceMonitor CRD
+        working-directory: operator
+        run: |
+          kubectl apply -f src/test/resources/service-monitor-crds.yml
+          ./scripts/check-crd-installed.sh servicemonitors
+          kubectl delete pod -l name=keycloak-operator
+
+      - name: Deploy an example Keycloak with ServiceMonitor
+        working-directory: operator/scripts
+        run: |
+          ./deploy-examples.sh keycloak
+          kubectl -n keycloak wait servicemonitor/example-kc --for=jsonpath='{.metadata.name}' --timeout=60s
+
+      - name: Debug Custom Resources
+        if: failure()
+        run: |
+          kubectl get keycloaks -A -o yaml
+          kubectl get keycloakrealmimports -A -o yaml
+
+      - name: Gather inspect report
+        if: failure()
+        run: oc adm inspect ns
+
+      - name: Upload inspect report
+        if: failure()
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: oc-inspect
+          path: inspect.*
 
   check:
     name: Status Check - Keycloak Operator CI
@@ -233,12 +237,12 @@ jobs:
     needs:
       - conditional
       - build
-      - test-local
+      - test-local-apiserver
       - test-remote
       - test-olm
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: ./.github/actions/status-check
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/quarkus-next.yml

@@ -14,14 +14,18 @@ concurrency:
   group: quarkus-next-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  
 jobs:
   update-quarkus-next-branch:
     name: Update quarkus-next branch
     if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write # Required to push changes to the repository
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: main
           fetch-depth: 0
@@ -42,6 +46,8 @@ jobs:
   run-matrix-with-quarkus-next:
     name: Run workflow matrix with the quarkus-next branch
     runs-on: ubuntu-latest
+    permissions:
+      actions: write # Required to trigger workflows using gh
     needs:
       - update-quarkus-next-branch
 

.github/workflows/schedule-nightly.yml

@@ -2,20 +2,24 @@ name: Scheduled nightly workflows
 
 on: 
   schedule:
-    - cron: '0 0 * * *'
+    - cron: '0 4 * * *'
   workflow_dispatch:
 
-jobs:
+permissions:
+  contents: read
 
+jobs:
   setup:
     if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
     runs-on: ubuntu-latest
+    permissions:
+      actions: write # Required to trigger workflows using gh
     outputs:
       latest-release-branch: ${{ steps.latest-release.outputs.branch }}
     steps:
       - id: latest-release
         run: |
-          branch="release/$(gh api repos/keycloak/keycloak/branches | jq -r '.[].name' | sort -r | awk -F'/' '/[0-9.]+$/ {print $NF; exit}')"
+          branch="$(gh api --paginate repos/keycloak/keycloak/branches -q '.[].name' | grep '^release/' | sort -r -V | head -n 1)"
           echo "branch=$branch"
           echo "branch=$branch" >> "$GITHUB_OUTPUT"
         env:
@@ -24,8 +28,9 @@ jobs:
   run-default-branch:
     name: Run default branch
     runs-on: ubuntu-latest
+    permissions:
+      actions: write # Required to trigger workflows using gh
     needs: setup
-
     strategy:
       matrix:
         workflow:
@@ -47,7 +52,8 @@ jobs:
     name: Run latest release branch
     needs: setup
     runs-on: ubuntu-latest
-
+    permissions:
+      actions: write # Required to trigger workflows using gh
     strategy:
       matrix:
         workflow:

.github/workflows/snyk-analysis.yml

@@ -10,31 +10,47 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   analysis:
     name: Analysis of Quarkus and Operator
     runs-on: ubuntu-latest
     if: github.repository == 'keycloak/keycloak'
+    permissions:
+      security-events: write # Required for SARIF uploads
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Build Keycloak
         uses: ./.github/actions/build-keycloak
 
-      - uses: snyk/actions/setup@master
+      - uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # master
 
       - name: Check for vulnerabilities in Quarkus
-        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --json quarkus/deployment | .github/scripts/snyk-report.sh
+        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus/deployment
         continue-on-error: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
+      - name: Upload Quarkus scanner results to GitHub
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        continue-on-error: true
+        with:
+          sarif_file: quarkus-report.sarif
+          category: snyk-quarkus-report
+
       - name: Check for vulnerabilities in Operator
         run: |
           ./mvnw -Poperator -pl operator -am -DskipTests clean install
-          snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --json operator | .github/scripts/snyk-report.sh
+          snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
         continue-on-error: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload Operator scanner results to GitHub
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        with:
+          sarif_file: operator-report.sarif
+          category: snyk-operator-report

.github/workflows/stability-base-reruns.yml

@@ -0,0 +1,62 @@
+name: Stability - Base Reruns
+
+on:
+  workflow_dispatch:
+    inputs:
+      tests:
+        type: string
+        description: Tests to run
+        required: true
+      count:
+        type: number
+        description: Number of re-runs
+        default: 50
+
+env:
+  MAVEN_ARGS: "-B -nsu -Daether.connector.http.connectionMaxTtl=25"
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Build Keycloak
+        uses: ./.github/actions/build-keycloak
+
+  base-integration-tests:
+    name: Base IT
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup
+
+      - name: Run base tests
+        run: |
+          TESTS="${{ inputs.tests }}"
+          COUNT=${{ inputs.count }}
+          echo "Tests: $TESTS, count: $COUNT"
+          FAILURES=0
+          for i in $(seq 1 $COUNT); do
+            echo "========================================================================="
+            echo Run: $i
+            echo "========================================================================="
+            ./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh || FAILURES=$(($FAILURES + 1)) 
+            FAILURES=$(($FAILURES + $?))
+          done
+          echo "Failures: $FAILURES"
+          exit $FAILURES

.github/workflows/stability-base.yml

@@ -0,0 +1,61 @@
+name: Stability - Base
+
+on:
+  workflow_dispatch:
+
+env:
+  MAVEN_ARGS: "-B -nsu -Daether.connector.http.connectionMaxTtl=25"
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Build Keycloak
+        uses: ./.github/actions/build-keycloak
+
+  base-integration-tests:
+    name: Base IT
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 100
+    strategy:
+      matrix:
+        group: [ 1, 2, 3, 4, 5, 6 ]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup
+
+      - name: Run base tests
+        run: |
+          TESTS=`testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh ${{ matrix.group }}`
+          echo "Tests: $TESTS"
+          ./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh
+
+  delete-artifacts:
+    name: Delete artifacts
+    needs: base-integration-tests
+    runs-on: ubuntu-latest
+    if: always()
+    env:
+      GH_TOKEN: ${{ github.token }}
+    permissions:
+      actions: write
+    steps:
+      - name: Delete artifacts
+        run:
+          gh api /repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts | jq .artifacts[].id | xargs -I {} gh api -X DELETE /repos/${{ github.repository }}/actions/artifacts/{}

.github/workflows/stability-clustering.yml

@@ -0,0 +1,57 @@
+name: Stability - Clustering
+
+on:
+  workflow_dispatch:
+
+env:
+  MAVEN_ARGS: "-B -nsu -Daether.connector.http.connectionMaxTtl=25"
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Build Keycloak
+        uses: ./.github/actions/build-keycloak
+
+  clustering-integration-tests:
+    name: Clustering IT
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 35
+    env:
+      MAVEN_OPTS: -Xmx1024m
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup
+
+      - name: Run cluster tests
+        run: |
+          ./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-cluster-quarkus,db-postgres "-Dwebdriver.chrome.driver=$CHROMEWEBDRIVER/chromedriver" -Dsession.cache.owners=2 -Dtest=**.cluster.** -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh
+
+  delete-artifacts:
+    name: Delete artifacts
+    needs: clustering-integration-tests
+    runs-on: ubuntu-latest
+    if: always()
+    env:
+      GH_TOKEN: ${{ github.token }}
+    permissions:
+      actions: write
+    steps:
+      - name: Delete artifacts
+        run:
+          gh api /repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts | jq .artifacts[].id | xargs -I {} gh api -X DELETE /repos/${{ github.repository }}/actions/artifacts/{}

.github/workflows/stability-js-ci.yml

@@ -0,0 +1,172 @@
+name: Stability - Keycloak JavaScript CI
+
+on:
+  workflow_dispatch:
+
+env:
+  MAVEN_ARGS: "-B -nsu -Daether.connector.http.connectionMaxTtl=25"
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  build-keycloak:
+    name: Build Keycloak
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Build Keycloak
+        uses: ./.github/actions/build-keycloak
+
+      - name: Prepare archive for upload
+        run: |
+          mv ./quarkus/dist/target/keycloak-999.0.0-SNAPSHOT.tar.gz ./keycloak-999.0.0-SNAPSHOT.tar.gz
+
+      - name: Upload Keycloak dist
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: keycloak
+          path: keycloak-999.0.0-SNAPSHOT.tar.gz
+
+  account-ui-e2e:
+    name: Account UI E2E
+    needs:
+      - build-keycloak
+    runs-on: ubuntu-latest
+    env:
+      WORKSPACE: "@keycloak/keycloak-account-ui"
+    strategy:
+      matrix:
+        browser: [chromium, firefox]
+        exclude:
+          # Only test with Firefox on scheduled runs
+          - browser: ${{ github.event_name != 'workflow_dispatch' && 'firefox' || '' }}
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - uses: ./.github/actions/pnpm-setup
+
+      - name: Download Keycloak server
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: keycloak
+
+      - name: Setup Java
+        uses: ./.github/actions/java-setup
+
+      - name: Start Keycloak server
+        run: |
+          tar xfvz keycloak-999.0.0-SNAPSHOT.tar.gz
+          keycloak-999.0.0-SNAPSHOT/bin/kc.sh start-dev --features=transient-users,oid4vc-vci &> ~/server.log &
+        env:
+          KC_BOOTSTRAP_ADMIN_USERNAME: admin
+          KC_BOOTSTRAP_ADMIN_PASSWORD: admin
+
+      - name: Install Playwright browsers
+        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} exec playwright install --with-deps
+        working-directory: js
+
+      - name: Run Playwright tests
+        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} test -- --project=${{ matrix.browser }}
+        working-directory: js
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        if: failure()
+        with:
+          name: account-ui-playwright-report-${{ matrix.browser }}
+          path: js/apps/account-ui/playwright-report
+          retention-days: 7
+
+      - name: Upload server logs
+        if: failure()
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: account-ui-server-log-${{ matrix.browser }}
+          path: ~/server.log
+          retention-days: 7
+
+  admin-ui-e2e:
+    name: Admin UI E2E
+    needs:
+      - build-keycloak
+    runs-on: ubuntu-latest
+    env:
+      WORKSPACE: "@keycloak/keycloak-admin-ui"
+    strategy:
+      matrix:
+        browser: [chromium, firefox]
+        exclude:
+          # Only test with Firefox on scheduled runs
+          - browser: ${{ github.event_name != 'workflow_dispatch' && 'firefox' || '' }}
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - uses: ./.github/actions/pnpm-setup
+
+      - name: Download Keycloak server
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: keycloak
+
+      - name: Setup Java
+        uses: ./.github/actions/java-setup
+
+      - name: Start Keycloak server
+        run: |
+          tar xfvz keycloak-999.0.0-SNAPSHOT.tar.gz
+          keycloak-999.0.0-SNAPSHOT/bin/kc.sh start-dev --features=admin-fine-grained-authz:v2,transient-users,spiffe,oid4vc-vci &> ~/server.log &
+        env:
+          KC_BOOTSTRAP_ADMIN_USERNAME: admin
+          KC_BOOTSTRAP_ADMIN_PASSWORD: admin
+          KC_BOOTSTRAP_ADMIN_CLIENT_ID: temporary-admin-service
+          KC_BOOTSTRAP_ADMIN_CLIENT_SECRET: temporary-admin-service
+
+      - name: Install Playwright browsers
+        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} exec playwright install --with-deps
+        working-directory: js
+
+      - name: Run Playwright tests
+        run: pnpm --fail-if-no-match --filter ${{ env.WORKSPACE }} test:integration -- --project=${{ matrix.browser }}
+        working-directory: js
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        if: failure()
+        with:
+          name: admin-ui-playwright-report-${{ matrix.browser }}
+          path: js/apps/admin-ui/playwright-report
+          retention-days: 7
+
+      - name: Upload server logs
+        if: failure()
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: admin-ui-server-log-${{ matrix.browser }}
+          path: ~/server.log
+          retention-days: 7
+
+  delete-artifacts:
+    name: Delete artifacts
+    needs:
+      - account-ui-e2e
+      - admin-ui-e2e
+    runs-on: ubuntu-latest
+    if: always()
+    env:
+      GH_TOKEN: ${{ github.token }}
+    permissions:
+      actions: write
+    steps:
+      - name: Delete artifacts (excluding Playwright reports and server logs)
+        run: |
+          gh api /repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts \
+          | jq '.artifacts[] | select(.name | test("playwright-report|server-log") | not) | .id' \
+          | xargs -I {} gh api -X DELETE /repos/${{ github.repository }}/actions/artifacts/{}

.github/workflows/trivy-analysis.yml

@@ -7,6 +7,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+  
 jobs:
 
   analysis:
@@ -17,19 +20,28 @@ jobs:
       matrix:
         container: [keycloak, keycloak-operator]
       fail-fast: false
+    permissions:
+      security-events: write # Required for SARIF uploads
     steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
         with:
-          image-ref: quay.io/keycloak/${{ matrix.container}}:nightly
+          image-ref: quay.io/keycloak/${{ matrix.container }}:nightly
           format: sarif
           output: trivy-results.sarif
           severity: MEDIUM,CRITICAL,HIGH
           ignore-unfixed: true
+          version: v0.57.1
           timeout: 15m
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           sarif_file: trivy-results.sarif
-          category: ${{ matrix.container}}
+          category: ${{ matrix.container }}

.github/workflows/weblate.yml

@@ -22,6 +22,9 @@ concurrency:
   group: weblate-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  
 jobs:
   update-weblate:
     name: Trigger Weblate to pull the latest changes
@@ -32,4 +35,5 @@ jobs:
       - run: |
           if [ '${{ secrets.WEBLATE_TOKEN }}' != '' ]; then
             curl --fail-with-body -d operation=pull -H "Authorization: Token ${{ secrets.WEBLATE_TOKEN }}" https://hosted.weblate.org/api/projects/keycloak/repository/
+            curl --fail-with-body -d operation=push -H "Authorization: Token ${{ secrets.WEBLATE_TOKEN }}" https://hosted.weblate.org/api/projects/keycloak/repository/
           fi

.gitignore

@@ -5,6 +5,7 @@
 # Intellij
 ###################
 .idea
+.run
 *.iml
 !.idea/icon.png
 
@@ -86,24 +87,9 @@ quarkus/data/*.db
 # Git ephemeral files
 *.versionsBackup
 
-# frontend-maven-plugin
-node
-
-# Wireit
-.wireit
-
-# Vite
-dist
-
 !/quarkus/dist
 !/quarkus/**/src/**/dist
 
-# ESLint
-.eslintcache
-
-# NPM
-node_modules
-
 # SDKMAM environment file
 .sdkmanrc
 
@@ -111,3 +97,8 @@ node_modules
 .java-version
 
 .env
+.env.test
+
+# Keycloak state dir as suggested in the docs
+# -Dkc.home.dir=.kc
+.kc

.mvn/maven-build-cache-config.xml

@@ -41,6 +41,8 @@
         <runAlways>
             <plugins>
                 <plugin artifactId="maven-failsafe-plugin"/>
+                <!-- The Maven Frontend plugin will build all JS parts in the subfolders, and has its own caching, therefore, run it always -->
+                <plugin groupId="com.github.eirslett" artifactId="frontend-maven-plugin"/>
             </plugins>
             <goalsLists>
                 <goalsList artifactId="maven-install-plugin">

ADOPTERS.md

@@ -39,6 +39,7 @@ List of organization names below is based on information collected using Keycloa
 * ITROI Solutions
 * Kindly Ops, LLC
 * [Microcks](https://landscape.cncf.io/?selected=microcks)
+* [Minder](https://github.com/mindersec/minder)
 * msg systems ag
 * Netdava International
 * Ohio Supercomputer Center
@@ -49,7 +50,10 @@ List of organization names below is based on information collected using Keycloa
 * Prodesan
 * Quest Software
 * Research Industrial Software Engineering (RISE)
+* [SICK AG](https://www.sick.com)
+* [SMF](https://www.smf.de)
 * Sportsbet.com.au
+* [Stacklok](https://stacklok.com/)
 * Stack Labs
 * Storebrand
 * Synekus
@@ -59,4 +63,5 @@ List of organization names below is based on information collected using Keycloa
 * TRT9 - Brasil
 * UnitedHealthcare
 * Wayfair LLC
+* [Xata](https://xata.io)
 * ...More individuals

CONTRIBUTING.md

@@ -13,17 +13,20 @@ Keycloak is an Open Source community-driven project and we welcome contributions
 Firstly, if you want to contribute a larger change to Keycloak we ask that you open a 
 discussion first. For minor changes you can skip this part and go straight ahead to sending a contribution. Bear in mind that if you open a discussion first you can identify if the change will be accepted, as well as getting early feedback.  
 
+Each PR, no matter how small, should have a GitHub issue associated with it.
+Issues are important for administrative purposes such as generating a changelog and handling backports.
+
 Here's a quick checklist for a good PR, more details below:
 
 1. A discussion around the change (https://github.com/keycloak/keycloak/discussions/categories/ideas)
-2. A GitHub Issue with a good description associated with the PR
-3. One feature/change per PR
-4. One commit per PR
-5. PR rebased on main (`git rebase`, not `git pull`) 
-5. [Good descriptive commit message, with link to issue](#commit-messages-and-issue-linking)
-6. No changes to code not directly related to your PR
-7. Includes functional/integration test
-8. Includes documentation
+1. A GitHub Issue with a good description associated with the PR
+1. One feature/change per PR
+1. One commit per PR
+1. PR rebased on main (`git rebase`, not `git pull`) 
+1. [Good descriptive commit message, with link to issue](#commit-messages-and-issue-linking)
+1. No changes to code not directly related to your PR
+1. Includes functional/integration test
+1. Includes documentation
 
 Once you have submitted your PR please monitor it for comments/feedback. We reserve the right to close inactive PRs if
 you do not respond within 2 weeks (bear in mind you can always open a new PR if it is closed due to inactivity).
@@ -107,6 +110,33 @@ git commit --signoff --message "This is the commit message"
 
 This option adds a `Signed-off-by` trailer at the end of the commit log message.
 
+### Spotless
+
+Spotless is used to check and apply code formatting. To check your code locally before sending a PR run:
+
+```
+./mvnw spotless:check
+```
+
+You can either use your IDE to fix these issues; or Spotless can fix them for you by running:
+
+```
+./mvnw spotless:apply
+```
+
+A good practice is to create a commit with your changes prior to running `spotless:apply` then you can see and
+review what changes Spotless has applied, for example by using a diff tool. Finally, if you are happy with the changes
+Spotless has applied you can amend the changes to your commit by running:
+
+```
+git add -a
+git commit --amend
+```
+
+Note: If you get the error `Could not find goal 'verify' in plugin com.diffplug.spotless:spotless-maven-plugin` you are
+probably running `mvn spotless:check` instead of `./mvnw spotless:check`. This is most likely a bug in Maven or the 
+Spotless plugin.
+ 
 ### Commit messages and issue linking
 
 The format for a commit message should look like:

MAINTAINERS.md

@@ -1,12 +1,11 @@
 # Active maintainers
 
 * [Alexander Schwartz](https://github.com/ahus1)
-* [Bruno Oliveira da Silva](https://github.com/abstractj)
 * [Marek Posolda](https://github.com/mposolda)
-* [Michal Hajas](https://github.com/mhajas)
 * [Pedro Igor](https://github.com/pedroigor)
 * [Sebastian Schuster](https://github.com/sschu)
 * [Stan Silvert](https://github.com/ssilvert)
+* [Steven Hawkins](https://github.com/shawkins)
 * [Stian Thorgersen](https://github.com/stianst) (project lead)
 * [Takashi Norimatsu](https://github.com/tnorimat)
 * [Thomas Darimont](https://github.com/thomasdarimont)
@@ -14,6 +13,8 @@
 
 # Emeritus maintainers
 
+* [Bruno Oliveira da Silva](https://github.com/abstractj)
 * [Hynek Mlnařík](https://github.com/hmlnarik)
+* [Michal Hajas](https://github.com/mhajas)
 * [Pavel Drozd](https://github.com/pdrozd)
 

README.md

@@ -2,9 +2,12 @@
 
 ![GitHub Release](https://img.shields.io/github/v/release/keycloak/keycloak?label=latest%20release)
 [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/6818/badge)](https://bestpractices.coreinfrastructure.org/projects/6818)
+[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/keycloak/badge)](https://clomonitor.io/projects/cncf/keycloak)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/keycloak/keycloak/badge)](https://securityscorecards.dev/viewer/?uri=github.com/keycloak/keycloak)
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/keycloak-operator)](https://artifacthub.io/packages/olm/community-operators/keycloak-operator)
 ![GitHub Repo stars](https://img.shields.io/github/stars/keycloak/keycloak?style=flat)
 ![GitHub commit activity](https://img.shields.io/github/commit-activity/m/keycloak/keycloak)
-
+[![Translation status](https://hosted.weblate.org/widget/keycloak/svg-badge.svg)](docs/translation.md)
 
 # Open Source Identity and Access Management
 
@@ -17,6 +20,7 @@ Keycloak provides user federation, strong authentication, user management, fine-
 
 * [Documentation](https://www.keycloak.org/documentation.html)
 * [User Mailing List](https://groups.google.com/d/forum/keycloak-user) - Mailing list for help and general questions about Keycloak
+* Join [#keycloak](https://cloud-native.slack.com/archives/C056HC17KK9) for general questions, or [#keycloak-dev](https://cloud-native.slack.com/archives/C056XU905S6) on Slack for design and development discussions, by creating an account at [https://slack.cncf.io/](https://slack.cncf.io/).
 
 
 ## Reporting Security Vulnerabilities
@@ -62,6 +66,7 @@ To write tests, refer to the [writing tests](docs/tests-development.md) guide.
 
 Before contributing to Keycloak, please read our [contributing guidelines](CONTRIBUTING.md). Participation in the Keycloak project is governed by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
 
+Joining a [community meeting](https://www.keycloak.org/community) is a great way to get involved and help shape the future of Keycloak.
 
 ## Other Keycloak Projects
 

adapters/pom.xml

@@ -24,7 +24,7 @@
         <relativePath>../pom.xml</relativePath>
     </parent>
     <name>Keycloak Adapters</name>
-    <description/>
+    <description>Keycloak Adapters Parent</description>
     <modelVersion>4.0.0</modelVersion>
 
     <artifactId>keycloak-adapters-pom</artifactId>

adapters/saml/core-public/pom.xml

@@ -28,7 +28,7 @@
 
     <artifactId>keycloak-saml-adapter-api-public</artifactId>
     <name>Keycloak SAML Client Adapter Public API</name>
-    <description/>
+    <description>Keycloak SAML Client Adapter Public API</description>
 
 
     <properties>

adapters/saml/core-public/src/main/java/org/keycloak/adapters/saml/SamlAuthenticationError.java

@@ -17,11 +17,12 @@
 
 package org.keycloak.adapters.saml;
 
+import java.util.Objects;
+
 import org.keycloak.adapters.spi.AuthenticationError;
 import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
 import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
-import java.util.Objects;
 
 /**
  * Object that describes the SAML error that happened.

adapters/saml/core-public/src/main/java/org/keycloak/adapters/saml/SamlPrincipal.java

@@ -17,10 +17,6 @@
 
 package org.keycloak.adapters.saml;
 
-import org.keycloak.common.util.MultivaluedHashMap;
-import org.keycloak.dom.saml.v2.assertion.AssertionType;
-
-import org.keycloak.dom.saml.v2.assertion.NameIDType;
 import java.io.Serializable;
 import java.net.URI;
 import java.security.Principal;
@@ -28,6 +24,11 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+
+import org.keycloak.common.util.MultivaluedHashMap;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+
 import org.w3c.dom.Document;
 
 /**

adapters/saml/core/pom.xml

@@ -28,7 +28,7 @@
 
     <artifactId>keycloak-saml-adapter-core</artifactId>
     <name>Keycloak SAML Client Adapter Core</name>
-    <description/>
+    <description>Keycloak SAML Client Adapter Core</description>
 
     <properties>
         <timestamp>${maven.build.timestamp}</timestamp>

adapters/saml/core/src/main/java/org/keycloak/adapters/cloned/HttpAdapterUtils.java

@@ -17,19 +17,20 @@
 
 package org.keycloak.adapters.cloned;
 
-import org.apache.http.HttpEntity;
-import org.apache.http.HttpResponse;
-
 import java.io.IOException;
 import java.io.InputStream;
 import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+
+import org.keycloak.adapters.saml.descriptor.parsers.SamlDescriptorIDPKeysExtractor;
+import org.keycloak.common.util.MultivaluedHashMap;
+import org.keycloak.saml.common.exceptions.ParsingException;
+
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.util.EntityUtils;
-import org.keycloak.adapters.saml.descriptor.parsers.SamlDescriptorIDPKeysExtractor;
-import org.keycloak.common.util.MultivaluedHashMap;
-import org.keycloak.saml.common.exceptions.ParsingException;
 
 /**
  * @author <a href="mailto:hmlnarik@redhat.com">Hynek Mlnařík</a>

adapters/saml/core/src/main/java/org/keycloak/adapters/cloned/HttpClientBuilder.java

@@ -17,9 +17,32 @@
 
 package org.keycloak.adapters.cloned;
 
+import java.io.IOException;
+import java.net.URI;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.Date;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.keycloak.common.util.EnvUtil;
+import org.keycloak.common.util.KeystoreUtil;
+
 import org.apache.http.HttpHost;
 import org.apache.http.client.CookieStore;
 import org.apache.http.client.HttpClient;
+import org.apache.http.client.params.ClientPNames;
+import org.apache.http.client.params.CookiePolicy;
 import org.apache.http.conn.ClientConnectionManager;
 import org.apache.http.conn.params.ConnRoutePNames;
 import org.apache.http.conn.scheme.PlainSocketFactory;
@@ -36,28 +59,6 @@ import org.apache.http.impl.conn.SingleClientConnManager;
 import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
 import org.apache.http.params.BasicHttpParams;
 import org.apache.http.params.HttpConnectionParams;
-import org.keycloak.common.util.EnvUtil;
-import org.keycloak.common.util.KeystoreUtil;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-import java.io.IOException;
-import java.net.URI;
-import java.security.KeyStore;
-import java.security.SecureRandom;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.Collections;
-import java.util.Date;
-import java.util.List;
-import java.util.concurrent.TimeUnit;
-import org.apache.http.client.params.ClientPNames;
-import org.apache.http.client.params.CookiePolicy;
 
 /**
  * Abstraction for creating HttpClients. Allows SSL configuration.

adapters/saml/core/src/main/java/org/keycloak/adapters/cloned/SniSSLSocketFactory.java

@@ -17,16 +17,6 @@
 
 package org.keycloak.adapters.cloned;
 
-import org.apache.http.HttpHost;
-import org.apache.http.conn.scheme.HostNameResolver;
-import org.apache.http.conn.ssl.SSLSocketFactory;
-import org.apache.http.conn.ssl.TrustStrategy;
-import org.apache.http.conn.ssl.X509HostnameVerifier;
-import org.apache.http.protocol.HttpContext;
-import org.keycloak.common.util.Environment;
-
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSocket;
 import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
@@ -44,6 +34,17 @@ import java.security.UnrecoverableKeyException;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+
+import org.keycloak.common.util.Environment;
+
+import org.apache.http.HttpHost;
+import org.apache.http.conn.scheme.HostNameResolver;
+import org.apache.http.conn.ssl.SSLSocketFactory;
+import org.apache.http.conn.ssl.TrustStrategy;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
+import org.apache.http.protocol.HttpContext;
 
 /**
  * SSLSocketFactory that uses Server Name Indication (SNI) TLS extension.

adapters/saml/core/src/main/java/org/keycloak/adapters/saml/AbstractInitiateLogin.java

@@ -17,8 +17,10 @@
 
 package org.keycloak.adapters.saml;
 
+import java.io.IOException;
+import java.security.KeyPair;
+
 import org.keycloak.adapters.saml.SamlDeployment.IDP.SingleSignOnService;
-import org.jboss.logging.Logger;
 import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.saml.BaseSAML2BindingBuilder;
@@ -28,8 +30,7 @@ import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
 
-import java.io.IOException;
-import java.security.KeyPair;
+import org.jboss.logging.Logger;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>