feat(SCIM): Wire flagsmith-private SCIM app into the api #7512
Codecov Report
✅ All modified and coverable lines are covered by tests.

```
@@           Coverage Diff           @@
##             main    #7512   +/-   ##
=======================================
  Coverage   98.46%   98.47%
=======================================
  Files        1398     1400    +2
  Lines       52900    52986   +86
=======================================
+ Hits        52090    52176   +86
  Misses        810      810
```
Conditionally register the SCIM Django app, the auth middleware, and
the django-scim2 `SCIM_SERVICE_PROVIDER` settings when the `scim`
module from `flagsmith-private` is on the path. Mount the protocol
URLs at `/scim/v2/` and the configuration management URLs at
`/api/v1/organisations/{organisation_pk}/scim/`.
flagsmith-private bumped to v0.5.0 for the SCIM app and a new `scim`
extra is exposed for parity with the other private modules.
Refs #7150.
beep boop
Dependabot natively supports OIDC for AWS CodeArtifact private indexes (`registries[].type: python-index` + `role-name` etc.) — no cron-based token refresh needed. Reuses the existing `codeartifact-github-actions-production` role; its trust policy already accepts `repo:Flagsmith/*` subject claims, which matches Dependabot's `repo:Flagsmith/flagsmith:dependabot` sub. Unblocks `uv lock` re-resolution during Dependabot scans for /api, which would otherwise 401 against the private index even for unrelated public-package bumps. beep boop
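The subject-claim match this commit relies on, as an added example (not part of the PR or Flagsmith's code), showing which subjects an org-wide pattern admits. It assumes the role's trust policy compares the OIDC `sub` claim with IAM's `StringLike` operator; every sample subject except the Dependabot one is constructed, and `NARROWED` is a hypothetical tighter pattern.

```python
import re


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters, '?' matches exactly one. Everything else is literal, which is
    why fnmatch (it also treats '[...]' as a character class) is not used."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), value, flags=re.DOTALL) is not None


def accepted_subjects(pattern, subjects):
    """Return the subjects a trust-policy pattern would accept, in input order."""
    return [s for s in subjects if iam_string_like(pattern, s)]


# Constructed sample `sub` claims in GitHub's OIDC format. Only the first one
# (the Dependabot subject) is quoted from the commit message above.
SAMPLE_SUBJECTS = [
    "repo:Flagsmith/flagsmith:dependabot",
    "repo:Flagsmith/flagsmith:ref:refs/heads/main",
    "repo:Flagsmith/flagsmith:pull_request",
    "repo:Flagsmith/example-repo:ref:refs/heads/feature",  # hypothetical repo
    "repo:flagsmith/flagsmith:ref:refs/heads/main",        # owner in a different case
    "repo:Flagsmith-fork/flagsmith:pull_request",          # hypothetical other owner
]

ORG_WIDE = "repo:Flagsmith/*"                      # pattern named in the commit message
NARROWED = "repo:Flagsmith/flagsmith:dependabot"   # hypothetical tighter pattern

if __name__ == "__main__":
    for label, pattern in (("org-wide", ORG_WIDE), ("narrowed", NARROWED)):
        print(label, pattern)
        for subject in accepted_subjects(pattern, SAMPLE_SUBJECTS):
            print("  accepts", subject)
```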
emyller
left a comment
Approved with one question.
django-scim2 builds resource `meta.location` URLs by `urljoin`ing
`reverse('scim:...')` onto `BASE_LOCATION_GETTER(request)`. The
default getter pulls from the `NETLOC`/`SCHEME` SCIM_SERVICE_PROVIDER
settings, which we were populating from `FLAGSMITH_API_URL` — forcing
self-hosters to configure that env var correctly for SCIM URLs to
render.
Override `BASE_LOCATION_GETTER` with one that returns
`request.build_absolute_uri('/')` instead. The host follows whatever
the request was served on, no configuration required.
beep boop
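How a request-derived base ends up in `meta.location`, as an added example that is not code from this PR or from django-scim2. `StubRequest`, `ALLOWED_HOSTS` and the sample path are constructed stand-ins for Django's `HttpRequest`, its `ALLOWED_HOSTS` setting and a reversed SCIM URL; the getter's signature is an assumption. Because the host now comes from the request, Django's host validation is what bounds the URLs SCIM clients receive.

```python
from urllib.parse import urljoin

# Constructed allow-list standing in for Django's ALLOWED_HOSTS setting.
ALLOWED_HOSTS = {"flags.example.test"}


class DisallowedHost(Exception):
    """Stand-in for django.core.exceptions.DisallowedHost."""


class StubRequest:
    """Minimal stand-in for django.http.HttpRequest (constructed for this example)."""

    def __init__(self, host, scheme="https"):
        self.host, self.scheme = host, scheme

    def get_host(self):
        # Django's HttpRequest.get_host() rejects hosts outside ALLOWED_HOSTS.
        if self.host not in ALLOWED_HOSTS:
            raise DisallowedHost(self.host)
        return self.host

    def build_absolute_uri(self, location):
        return urljoin(f"{self.scheme}://{self.get_host()}/", location)


def base_location_getter(request=None, *args, **kwargs):
    """Getter in the shape the commit describes: the base follows the request."""
    return request.build_absolute_uri("/")


def meta_location(request, reversed_path):
    """Join a reversed path onto the base, as the commit says django-scim2 does."""
    try:
        return urljoin(base_location_getter(request), reversed_path)
    except DisallowedHost:
        return None  # the request is rejected before any URL is rendered


USER_PATH = "/api/v1/scim/v2/Users/42"  # constructed resource path

if __name__ == "__main__":
    for host in ("flags.example.test", "other.example.test"):
        print(host, "->", meta_location(StubRequest(host), USER_PATH))
```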
Thanks for submitting a PR! Please check the boxes below:
`docs/` if required so people know about the feature.

Changes

Closes #7150.

Conditionally registers the SCIM Django app shipped by `flagsmith-private` when the `scim` module is importable: adds `django_scim` and `scim` to `INSTALLED_APPS`, sets the django-scim2 `SCIM_SERVICE_PROVIDER` settings (with `AUTH_CHECK_MIDDLEWARE` pointed at `scim.middleware.ScimAuthenticationMiddleware`), and mounts the protocol URLs at `/api/v1/scim/v2/` plus the configuration management URLs at `/api/v1/organisations/<int:organisation_pk>/scim/`.

`flagsmith-private` is now installed from the prod CodeArtifact PyPI repository (`flagsmith-pypi-production`) rather than a git ref, pinned to `>=0.5.1,<1`. The new `.github/actions/codeartifact-login` composite action assumes the `codeartifact-github-actions-production` role via OIDC, fetches a token, and exports it as `UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_*`. Every CI job and Dockerfile stage that installs the `scim`/`release-pipelines` extras runs the login step first. For local dev, `make codeartifact-login` writes the same env vars to a git-ignored `.env-codeartifact` file that the Makefile auto-includes.

Dependabot is wired to the same index via its native OIDC support for CodeArtifact — a `registries:` block in `.github/dependabot.yml` reuses the same IAM role (its trust policy already accepts `repo:Flagsmith/*`). No cron-based token refresh required.

How did you test this code?

Integration tests under `api/tests/integration/scim/` cover:

- `GET /api/v1/scim/v2/{ServiceProviderConfig,Schemas,ResourceTypes}` with a valid SCIM bearer for an Enterprise org → 200.
- `/api/v1/organisations/{pk}/scim/`.
- `SCIM_INSTALLED`, `INSTALLED_APPS` entries, and `SCIM_SERVICE_PROVIDER` shape.

Tests are gated on `settings.SCIM_INSTALLED` and skip on the public PR job (which doesn't install `--extra scim`).