top of page
Writer's pictureAlex Martinez

Part 5: CI/CD pipeline with MuleSoft and GitHub Actions - Enabling MFA through a Connected App



 

Other posts from this series:

 

In this post:

 


So far we’ve been setting up our CI/CD pipelines using our Anypoint Platform username and password. However, if you’re using an enterprise account, most likely you’re using MFA or Multi-Factor Authentication for your account. The process to create your CI/CD pipeline with this authentication method is quite different.


If you haven’t been following the series or you’re not familiar with GitHub Actions, we recommend you start from the first article to understand how we are setting up all the configurations we need.


In this post, we’ll learn how to set up our pipeline with a connected app, which is useful when you have multi-factor authentication activated in Anypoint Platform.




Prerequisites


You should already understand the basic CI/CD setup we’ve been doing in the previous articles. In summary, this is what you should already know:

  • How to configure and run the build.yml file for the pipeline under .github/workflows.

  • How to configure secrets in your GitHub repository.


ℹ️ Note: The code for this article is not located on the main branch of the github-actions repository. Instead, a new branch was created to avoid confusion: connected-app. If you want to check the rest of the files we discuss here, like pom or build, please refer to that branch.


Create a connected app in Anypoint Platform


Because we are signing in to Anypoint Platform using MFA (through an app on your phone or an SMS code, for example), we can no longer rely on just our username and password. We have to create something called Connected App. To do this, sign in to Anypoint Platform and navigate to Access Management > Connected Apps.



Click on Create app. Add any name you want to identify this app, like github-actions. Select App acts on its own behalf and click on Add Scopes.


Select the following scopes for your current business group and the Sandbox environment (since this is the one we’re using for this demo):

  • Design Center Developer

  • View Environment

  • View Organization

  • Profile

  • Cloudhub Organization Admin

  • Create Applications

  • Delete Applications

  • Download Applications

  • Read Applications

  • Read Servers


Click on Save.


After you create the app, make sure to copy both ID and Secret. We will use these in the pipeline for our authentication method.



In this case, for demonstration purposes, these are the credentials I’ll be using:


ID: bf51f105b644471f812b2e0c0cb8a97b
Secret: 66B5ADCB18D4439D9C744236e3c590d3


Set up your credentials on GitHub


Just as we’ve done before, go to your GitHub repository and click on the Settings tab. Select Secrets and variables > Actions and add these two new secrets.

  • CONNECTED_APP_CLIENT_ID

  • CONNECTED_APP_CLIENT_SECRET

The values should match what you previously extracted from Anypoint Platform.



Modify your pom.xml


In our pom.xml file, in the org.mule.tools.maven plugin, we used to have something like the following to authenticate via username and password.


<configuration>
  <cloudHubDeployment>
    ...
    <username>${anypoint.username}</username>
    <password>${anypoint.password}</password>

We are going to replace the username and password fields with the following.


<connectedAppClientId>${client.id}</connectedAppClientId>
<connectedAppClientSecret>${client.secret}</connectedAppClientSecret>
<connectedAppGrantType>client_credentials</connectedAppGrantType>

Here's the complete pom.xml for this example:



That’s it for this file! Now let’s set up the pipeline to send these new credentials.



Modify your build.yml


Open the build.yml file we created inside .github/workflows. If you haven’t created this file yet, please refer to the first article to learn how to set it up.


Go to the deploy job and locate the last step: Deploy to Sandbox. This is what we used to have under env:


USERNAME: ${{ secrets.anypoint_platform_username }}
PASSWORD: ${{ secrets.anypoint_platform_password }}

And this is what we’ll replace it with:


ID: ${{ secrets.CONNECTED_APP_CLIENT_ID }}
SECRET: ${{ secrets.CONNECTED_APP_CLIENT_SECRET }}

We’ll change the Maven command to match these new secrets/properties. Instead of sending username and password, like this:


-Danypoint.username="$USERNAME" \
-Danypoint.password="$PASSWORD" \

We’ll now send the app’s ID and secret. Like this:


-Dclient.id="$ID" \
-Dclient.secret="$SECRET" \

Here's the complete build.yml for this example:




Run the pipeline


That’s it! Once you’re done with the changes, simply push a new change to the main branch and this will trigger the pipeline.




More resources


You can check out my GitHub profile for more CI/CD repos:


I hope this was helpful!


Don't forget to subscribe so you don't miss any future content.









2,597 views0 comments

Comments


bottom of page