Merge branch 'main' into fix/respect-auto-verify-pres-v2

Author: dbluhm

.dockerignore

@@ -6,4 +6,6 @@ build
 docs
 dist
 test-reports
-.python-version
+.python-version
+docker
+env

actions/run-indy-tails-server/action.yml …actions/run-indy-tails-server/action.ymlactions/run-indy-tails-server/action.yml renamed to .github/actions/run-indy-tails-server/action.yml actions/run-indy-tails-server/action.yml renamed to .github/actions/run-indy-tails-server/action.yml

@@ -17,11 +17,11 @@ jobs:
         with:
           path: acapy
       #- name: run-von-network
-      #  uses: ./acapy/actions/run-von-network
+      #  uses: ./acapy/.github/actions/run-von-network
       #- name: run-indy-tails-server
-      #  uses: ./acapy/actions/run-indy-tails-server
+      #  uses: ./acapy/.github/actions/run-indy-tails-server
       - name: run-integration-tests
-        uses: ./acapy/actions/run-integration-tests
+        uses: ./acapy/.github/actions/run-integration-tests
         # to run with a specific set of tests include the following parameter:
         # with:
         #   TEST_SCOPE: "-t @T001-RFC0037"

actions/run-integration-tests/action.yml …actions/run-integration-tests/action.ymlactions/run-integration-tests/action.yml renamed to .github/actions/run-integration-tests/action.yml actions/run-integration-tests/action.yml renamed to .github/actions/run-integration-tests/action.yml

@@ -0,0 +1,97 @@
+name: Publish ACA-Py Image (Indy)
+run-name: Publish ACA-Py ${{ inputs.tag || github.event.release.tag_name }} Image (Indy ${{ inputs.indy_version || '1.16.0' }})
+on:
+  release:
+    types: [released]
+
+  workflow_dispatch:
+    inputs:
+      indy_version:
+        description: 'Indy SDK Version'
+        required: true
+        default: 1.16.0
+        type: string
+      tag:
+        description: 'Image tag'
+        required: true
+        type: string
+
+# Note:
+# - ACA-Py with Indy SDK image builds do not include support for the linux/arm64 platform.
+# - See notes below for details.
+
+env:
+  INDY_VERSION: ${{ inputs.indy_version || '1.16.0' }}
+
+jobs:
+  publish-image:
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['3.6', '3.9']
+
+    name: Publish ACA-Py Image (Indy)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Gather image info
+        id: info
+        run: |
+          echo "repo-owner=${GITHUB_REPOSITORY_OWNER,,}" >> $GITHUB_OUTPUT
+
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to the GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Image Metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ steps.info.outputs.repo-owner }}/aries-cloudagent-python
+          tags: |
+            type=raw,value=py${{ matrix.python-version }}-indy-${{ env.INDY_VERSION }}-${{ inputs.tag || github.event.release.tag_name }}
+
+      - name: Build and Push Image to ghcr.io
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          context: .
+          file: docker/Dockerfile.indy
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          target: main
+          build-args: |
+            python_version=${{ matrix.python-version }}
+            indy_version=${{ env.INDY_VERSION }}
+            acapy_version=${{ inputs.tag || github.event.release.tag_name }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+          # Images do not include support for the linux/arm64 platform due to a known issue compiling the postgres plugin
+          # - https://github.com/hyperledger/indy-sdk/issues/2445
+          # There is a pending PR to fix this issue here; https://github.com/hyperledger/indy-sdk/pull/2453
+          platforms: linux/amd64,linux/386
+
+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

actions/run-von-network/action.yml …ithub/actions/run-von-network/action.ymlactions/run-von-network/action.yml renamed to .github/actions/run-von-network/action.yml actions/run-von-network/action.yml renamed to .github/actions/run-von-network/action.yml

@@ -0,0 +1,81 @@
+name: Publish ACA-Py Image
+run-name: Publish ACA-Py ${{ inputs.tag || github.event.release.tag_name }} Image
+on:
+  release:
+    types: [released]
+
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Image tag'
+        required: true
+        type: string
+
+jobs:
+  publish-image:
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['3.6', '3.9']
+
+    name: Publish ACA-Py Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Gather image info
+        id: info
+        run: |
+          echo "repo-owner=${GITHUB_REPOSITORY_OWNER,,}" >> $GITHUB_OUTPUT
+
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to the GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Image Metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ steps.info.outputs.repo-owner }}/aries-cloudagent-python
+          tags: |
+            type=raw,value=py${{ matrix.python-version }}-${{ inputs.tag || github.event.release.tag_name }}
+
+      - name: Build and Push Image to ghcr.io
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          context: .
+          file: docker/Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          target: main
+          build-args: |
+            python_version=${{ matrix.python-version }}
+            acapy_version=${{ inputs.tag || github.event.release.tag_name }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+          platforms: linux/amd64,linux/arm64,linux/386
+
+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

.github/workflows/integrationtests.yml

@@ -0,0 +1,119 @@
+# Container Images and Github Actions
+
+Aries Cloud Agent - Python is most frequently deployed using containers. From
+the first release of ACA-Py up through 0.7.4, much of the community has built
+their Aries stack using the container images graciously provided by BC Gov and
+hosted through their `bcgovimages` docker hub account. These images have been
+critical to the adoption of not only ACA-Py but also Hyperledger Aries and SSI
+more generally.
+
+Recognizing how critical these images are to the success of ACA-Py and
+consistent with Hyperledger's commitment to open collaboration, container images
+are now built and published directly from the Aries Cloud Agent - Python project
+repository and made available through the [Github Packages Container
+Registry](https://ghcr.io).
+
+
+## Image
+
+This project builds and publishes the `ghcr.io/hyperledger/aries-cloudagent-python` image.
+Multiple variants are available; see [Tags](#tags).
+
+### Tags
+
+ACA-Py is a foundation for building decentralized identity applications; to this
+end, there are multiple variants of ACA-Py built to suit the needs of a variety
+of environments and workflows. There are currently two main variants:
+
+- "Standard" - The default configuration of ACA-Py, including:
+    - Aries Askar for secure storage
+    - Indy VDR for Indy ledger communication
+    - Indy Shared Libraries for AnonCreds
+- "Indy" - The legacy configuration of ACA-Py, including:
+    - Indy SDK Wallet for secure storage
+    - Indy SDK Ledger for Indy ledger communication
+    - Indy SDK for AnonCreds
+
+These two image variants are largely distinguished by providers for Indy Network
+and AnonCreds support. The Standard variant is recommended for new projects.
+Migration from an Indy based image (whether the new Indy image variant or the
+original BC Gov images) to the Standard image is outside of the scope of this
+document.
+
+The ACA-Py images built by this project are tagged to indicate which of the
+above variants it is. Other tags may also be generated for use by developers.
+
+Below is a table of all generated images and their tags:
+
+Tag                     | Variant  | Example                  | Description                                                                                     |
+------------------------|----------|--------------------------|-------------------------------------------------------------------------------------------------|
+py3.6-X.Y.Z             | Standard | py3.6-0.7.4              | Standard image variant built on Python 3.6 for ACA-Py version X.Y.Z                             |
+py3.7-X.Y.Z             | Standard | py3.7-0.7.4              | Standard image variant built on Python 3.7 for ACA-Py version X.Y.Z                             |
+py3.8-X.Y.Z             | Standard | py3.8-0.7.4              | Standard image variant built on Python 3.8 for ACA-Py version X.Y.Z                             |
+py3.9-X.Y.Z             | Standard | py3.9-0.7.4              | Standard image variant built on Python 3.9 for ACA-Py version X.Y.Z                             |
+py3.10-X.Y.Z            | Standard | py3.10-0.7.4             | Standard image variant built on Python 3.10 for ACA-Py version X.Y.Z                            |
+py3.7-indy-A.B.C-X.Y.Z  | Indy     | py3.7-indy-1.16.0-0.7.4  | Standard image variant built on Python 3.7 for ACA-Py version X.Y.Z and Indy SDK Version A.B.C  |
+py3.8-indy-A.B.C-X.Y.Z  | Indy     | py3.8-indy-1.16.0-0.7.4  | Standard image variant built on Python 3.8 for ACA-Py version X.Y.Z and Indy SDK Version A.B.C  |
+py3.9-indy-A.B.C-X.Y.Z  | Indy     | py3.9-indy-1.16.0-0.7.4  | Standard image variant built on Python 3.9 for ACA-Py version X.Y.Z and Indy SDK Version A.B.C  |
+py3.10-indy-A.B.C-X.Y.Z | Indy     | py3.10-indy-1.16.0-0.7.4 | Standard image variant built on Python 3.10 for ACA-Py version X.Y.Z and Indy SDK Version A.B.C |
+
+### Image Comparison
+
+There are several key differences that should be noted between the two image
+variants and between the BC Gov ACA-Py images.
+
+- Standard Image
+    - Based on slim variant of Debian
+    - Does **NOT** include `libindy`
+    - Default user is `aries`
+    - Uses container's system python environment rather than `pyenv`
+    - Askar and Indy Shared libraries are installed as dependencies of ACA-Py through pip from pre-compiled binaries included in the python wrappers
+    - Built from repo contents
+- Indy Image
+    - Based on slim variant of Debian
+    - Built from multi-stage build step (`indy-base` in the Dockerfile) which includes Indy dependencies; this could be replaced with an explicit `indy-python` image from the Indy SDK repo
+    - Includes `libindy` but does **NOT** include the Indy CLI
+    - Default user is `indy`
+    - Uses container's system python environment rather than `pyenv`
+    - Askar and Indy Shared libraries are installed as dependencies of ACA-Py through pip from pre-compiled binaries included in the python wrappers
+    - Built from repo contents
+    - Includes Indy postgres storage plugin
+- `bcgovimages/aries-cloudagent`
+    - (Usually) based on Ubuntu
+    - Based on `von-image`
+    - Default user is `indy`
+    - Includes `libindy` and Indy CLI
+    - Uses `pyenv`
+    - Askar and Indy Shared libraries built from source
+    - Built from ACA-Py python package uploaded to PyPI
+    - Includes Indy postgres storage plugin
+
+## Github Actions
+
+- Tests (`.github/workflows/tests.yml`) - A reusable workflow that runs tests
+  for the Standard ACA-Py variant for a given python version.
+- Tests (Indy) (`.github/workflows/tests-indy.yml`) - A reusable workflow that
+  runs tests for the Indy ACA-Py variant for a given python and indy version.
+- PR Tests (`.github/workflows/pr-tests.yml`) - Run on pull requests; runs tests
+  for the Standard and Indy ACA-Py variants for a "default" python version.
+  Check this workflow for the current default python and Indy versions in use.
+- Nightly Tests (`.github/workflows/nightly-tests.yml`) - Run nightly; runs
+  tests for the Standard and Indy ACA-Py variants for all currently supported
+  python versions. Check this workflow for the set of currently supported
+  versions and Indy version(s) in use.
+- Publish (`.github/workflows/publish.yml`) - Run on new release published or
+  when manually triggered; builds and pushes the Standard ACA-Py variant to the
+  Github Container Registry.
+- Publish (Indy) (`.github/workflows/publish-indy.yml`) - Run on new release
+  published or when manually triggered; builds and pushes the Indy ACA-Py
+  variant to the Github Container Registry.
+- Integration Tests (`.github/workflows/integrationtests.yml`) - Run on pull
+  requests (to the hyperledger fork only); runs BDD integration tests.
+- Black Format (`.github/workflows/blackformat.yml`) - Run on pull requests;
+  checks formatting of files modified by the PR.
+- CodeQL (`.github/workflows/codeql.yml`) - Run on pull requests; performs
+  CodeQL analysis.
+- Python Publish (`.github/workflows/pythonpublish.yml`) - Run on release
+  created; publishes ACA-Py python package to PyPI.
+- PIP Audit (`.github/workflows/pipaudit.yml`) - Run when manually triggered;
+  performs pip audit.

.github/workflows/publish-indy.yml

@@ -837,7 +837,7 @@ class Meta:
     fmt = fields.Str(
         description="Format",
         required=False,
-        default="ldp_vp",
+        default="ldp_vc",
         data_key="format",
     )
     path = fields.Str(

.github/workflows/publish.yml

@@ -1377,7 +1377,7 @@ async def merge(
                     if f"{cred_id}-{cred_id}" not in dict_of_descriptors:
                         descriptor_map = InputDescriptorMapping(
                             id=desc_id,
-                            fmt="ldp_vp",
+                            fmt="ldp_vc",
                             path=(f"$.verifiableCredential[{dict_of_creds[cred_id]}]"),
                         )
                         descriptors.append(descriptor_map)