Part 5: CI/CD pipeline with MuleSoft and GitHub Actions - Enabling MFA through a Connected App

Other posts from this series:

1. Part 1: How to set up a CI/CD pipeline to deploy your MuleSoft apps to CloudHub using GitHub Actions

2. Part 2: CI/CD pipeline with MuleSoft and GitHub Actions - secured/encrypted properties

3. Part 3: CI/CD pipeline with MuleSoft and GitHub Actions - MUnit testing

4. Part 4: CI/CD pipeline with MuleSoft and GitHub Actions - MUnit minimum coverage percentage

5. Part 5: CI/CD pipeline with MuleSoft and GitHub Actions - Enabling MFA through a Connected App

In this post:

• Prerequisites

• Create a connected app in Anypoint Platform

• Set up your credentials on GitHub

• Modify your pom.xml

• Modify your build.yml

• Run the pipeline

• More resources

So far we’ve been setting up our CI/CD pipelines using our Anypoint Platform username and password. However, if you’re using an enterprise account, most likely you’re using MFA or Multi-Factor Authentication for your account. The process to create your CI/CD pipeline with this authentication method is quite different.

If you haven’t been following the series or you’re not familiar with GitHub Actions, we recommend you start from the first article to understand how we are setting up all the configurations we need.

In this post, we’ll learn how to set up our pipeline with a connected app, which is useful when you have multi-factor authentication activated in Anypoint Platform.

Prerequisites

You should already understand the basic CI/CD setup we’ve been doing in the previous articles. In summary, this is what you should already know:

• How to configure and run the build.yml file for the pipeline under .github/workflows.

• How to configure secrets in your GitHub repository.

ℹ️ Note: The code for this article is not located on the main branch of the github-actions repository. Instead, a new branch was created to avoid confusion: connected-app. If you want to check the rest of the files we discuss here, like pom or build, please refer to that branch.

Create a connected app in Anypoint Platform

Because we are signing in to Anypoint Platform using MFA (through an app on your phone or an SMS code, for example), we can no longer rely on just our username and password. We have to create something called Connected App. To do this, sign in to Anypoint Platform and navigate to Access Management > Connected Apps.

Click on Create app. Add any name you want to identify this app, like github-actions. Select App acts on its own behalf and click on Add Scopes.

Select the following scopes for your current business group and the Sandbox environment (since this is the one we’re using for this demo):

• Design Center Developer

• View Environment

• View Organization

• Profile

• Cloudhub Organization Admin

• Create Applications

• Delete Applications

• Download Applications

• Read Applications

• Read Servers

Click on Save.

After you create the app, make sure to copy both ID and Secret. We will use these in the pipeline for our authentication method.

In this case, for demonstration purposes, these are the credentials I’ll be using:

ID: bf51f105b644471f812b2e0c0cb8a97b
Secret: 66B5ADCB18D4439D9C744236e3c590d3

Set up your credentials on GitHub

Just as we’ve done before, go to your GitHub repository and click on the Settings tab. Select Secrets and variables > Actions and add these two new secrets.

• CONNECTED_APP_CLIENT_ID

• CONNECTED_APP_CLIENT_SECRET

The values should match what you previously extracted from Anypoint Platform.

Modify your pom.xml

In our pom.xml file, in the org.mule.tools.maven plugin, we used to have something like the following to authenticate via username and password.

<configuration>
  <cloudHubDeployment>
    ...
    <username>${anypoint.username}</username>
    <password>${anypoint.password}</password>

We are going to replace the username and password fields with the following.

<connectedAppClientId>${client.id}</connectedAppClientId>
<connectedAppClientSecret>${client.secret}</connectedAppClientSecret>
<connectedAppGrantType>client_credentials</connectedAppGrantType>

Here's the complete pom.xml for this example:

That’s it for this file! Now let’s set up the pipeline to send these new credentials.

Modify your build.yml

Open the build.yml file we created inside .github/workflows. If you haven’t created this file yet, please refer to the first article to learn how to set it up.

Go to the deploy job and locate the last step: Deploy to Sandbox. This is what we used to have under env:

USERNAME: ${{ secrets.anypoint_platform_username }}
PASSWORD: ${{ secrets.anypoint_platform_password }}

And this is what we’ll replace it with:

ID: ${{ secrets.CONNECTED_APP_CLIENT_ID }}
SECRET: ${{ secrets.CONNECTED_APP_CLIENT_SECRET }}

We’ll change the Maven command to match these new secrets/properties. Instead of sending username and password, like this:

-Danypoint.username="$USERNAME" \
-Danypoint.password="$PASSWORD" \

We’ll now send the app’s ID and secret. Like this:

-Dclient.id="$ID" \
-Dclient.secret="$SECRET" \

Here's the complete build.yml for this example:

Run the pipeline

That’s it! Once you’re done with the changes, simply push a new change to the main branch and this will trigger the pipeline.

More resources

You can check out my GitHub profile for more CI/CD repos:

• github-actions to deploy a Mule app to CloudHub

• dataweave-utilities-library to publish a DataWeave library to Exchange

• api-catalog-cli-example to update APIs in Exchange using the API Catalog CLI

I hope this was helpful!

Don't forget to subscribe so you don't miss any future content.