Keycloak CI workflow refactoring (#15968)

* Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update CodeQL actions Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
2022-12-14 16:12:23 +01:00 · 2022-12-14 16:12:23 +01:00 · a5670af745
commit a5670af745
parent 6f802b5c1f
35 changed files with 1027 additions and 925 deletions
--- a/.github/actions/build-keycloak/action.yml
+++ b/.github/actions/build-keycloak/action.yml
@ -0,0 +1,82 @@
+name: Build Keycloak
+description: Builds Keycloak providing Maven repository with all artifacts
+
+inputs:
+  upload-m2-repo:
+    description: Upload Maven repository for org.keycloak artifacts
+    required: false
+    default: true
+  upload-dist:
+    description: Upload distribution
+    required: false
+    default: false
+  jdk-dist:
+    description: JDK distribution
+    required: false
+    default: temurin
+  jdk-version:
+    description: JDK version
+    required: false
+    default: 11
+
+runs:
+  using: composite
+  steps:
+    - id: setup-java
+      name: Setup Java
+      uses: actions/setup-java@v3
+      with:
+        distribution: ${{ inputs.jdk-dist }}
+        java-version: ${{ inputs.jdk-version }}
+
+    - id: maven-cache
+      name: Maven cache
+      uses: ./.github/actions/maven-cache
+
+    - id: phantomjs-cache
+      name: PhantomJS cache
+      uses: ./.github/actions/phantomjs-cache
+
+    - id: npm-cache
+      name: NPM cache
+      uses: ./.github/actions/npm-cache
+
+    - id: build-keycloak
+      name: Build Keycloak
+      shell: bash
+      run: |
+        MVN_HTTP_CONFIG="-Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120"
+        ./mvnw install -nsu -B -e -DskipTests -DskipExamples $MVN_HTTP_CONFIG 
+
+    - id: compress-keycloak-maven-repository
+      name: Compress Keycloak Maven artifacts
+      if: inputs.upload-m2-repo == 'true'
+      shell: bash
+      run: |
+        tar -C ~/ --use-compress-program zstd -cf m2-keycloak.tzts \
+        --exclude '*.tar.gz' \
+        .m2/repository/org/keycloak
+
+    - id: upload-keycloak-maven-repository
+      name: Upload Keycloak Maven artifacts
+      if: inputs.upload-m2-repo == 'true'
+      uses: actions/upload-artifact@v3
+      with:
+        name: m2-keycloak.tzts
+        path: m2-keycloak.tzts
+        retention-days: 1
+
+    - id: upload-keycloak-dist
+      name: Upload Keycloak dist
+      if: inputs.upload-dist == 'true'
+      uses: actions/upload-artifact@v3
+      with:
+        name: keycloak-dist
+        path: quarkus/dist/target/keycloak*.tar.gz
+        retention-days: 1
+
+    - id: maven-cache-cleanup
+      name: Maven cache cleanup
+      if: steps.maven-cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: rm -rf ~/.m2/repository/org/keycloak
--- a/.github/actions/changed-files/action.yml
+++ b/.github/actions/changed-files/action.yml
@ -0,0 +1,49 @@
+name: Changed Files
+description: Checks changes against target branch
+
+outputs:
+  java:
+    description: Changes to Java files
+    value: ${{ steps.changes.outputs.java }}
+  themes:
+    description: Changes to themes
+    value: ${{ steps.changes.outputs.themes }}
+  js-adapter:
+    description: Changes to JavaScript adapter
+    value: ${{ steps.changes.outputs.js-adapter }}
+
+runs:
+  using: composite
+  steps:
+    - id: changes
+      name: Find changes
+      shell: bash
+      run: |
+        BASE_REF=${{ github.base_ref }}
+
+        changed () {
+          git diff --name-only origin/${{ github.base_ref }} | grep -E "$1" &>/dev/null && echo true || echo false
+        }
+        
+        if [ "$BASE_REF" != "" ]; then
+          echo "Checking changes against orgin/$BASE_REF"
+          git fetch origin
+
+          JAVA=`changed '^.*/.*.java$'`
+          THEMES=`changed '^themes/src/main/.*$'`
+          JS_ADAPTER=`changed '^adapters/oidc/js/.*$'`
+        else
+          echo "Not a pull request, marking everything as changed"
+        
+          JAVA=true
+          THEMES=true
+          JS_ADAPTER=true        
+        fi
+        
+        echo "Java changed:       $JAVA"
+        echo "Themes changed:     $THEMES"
+        echo "JS adapter changed: $JS_ADAPTER"
+
+        echo "java=$JAVA" >> $GITHUB_OUTPUT
+        echo "themes=$THEMES" >> $GITHUB_OUTPUT
+        echo "js-adapter=$JS_ADAPTER" >> $GITHUB_OUTPUT
--- a/.github/actions/checks-job-pass/action.yml
+++ b/.github/actions/checks-job-pass/action.yml
@ -0,0 +1,34 @@
+name: Check if a job passed
+description: Fails if the job is required and was not successful
+
+inputs:
+  required:
+    description: Is the job required
+    required: true
+    default: true
+  conclusion:
+    description: Job conclusion (success if passed, most likely empty otherwise)
+    required: true
+
+outputs:
+  status:
+    description: "Check status"
+    value: ${{ steps.changes.outputs.java }}
+
+runs:
+  using: "composite"
+  steps:
+    - id: check-job
+      name: Check job
+      shell: bash
+      run: |
+        if [ "${{ inputs.required }}" == "false" ]; then
+          echo "Not required to run, skipping"
+        else
+          if [ "${{ inputs.conclusion }}" == "success" ]; then
+            echo "Success"
+          else
+            echo "Required to run, but didn't succeed"
+            exit 1
+          fi        
+        fi
--- a/.github/actions/checks-success/action.yml
+++ b/.github/actions/checks-success/action.yml
@ -0,0 +1,16 @@
+name: Mark job as successful
+description: Workaround for GitHub Actions not setting conclusion on jobs passed through needs
+
+outputs:
+  conclusion:
+    description: Conclusion
+    value: ${{ steps.check.outputs.conclusion }}
+
+runs:
+  using: composite
+  steps:
+    - id: check
+      name: Set success
+      shell: bash
+      run: |
+        echo "conclusion=success" >> $GITHUB_OUTPUT
--- a/.github/actions/integration-test-setup/action.yml
+++ b/.github/actions/integration-test-setup/action.yml
@ -0,0 +1,41 @@
+name: Setup integration test
+description: Download Maven caches needed for integration tests
+
+inputs:
+  jdk-dist:
+    description: JDK distribution
+    required: false
+    default: temurin
+  jdk-version:
+    description: JDK version
+    required: false
+    default: 11
+
+runs:
+  using: composite
+  steps:
+    - id: setup-java
+      name: Setup Java
+      uses: actions/setup-java@v3
+      with:
+        distribution: ${{ inputs.jdk-dist }}
+        java-version: ${{ inputs.jdk-version }}
+
+    - id: maven-cache
+      name: Maven cache
+      uses: ./.github/actions/maven-cache
+
+    - id: phantomjs-cache
+      name: PhantomJS cache
+      uses: ./.github/actions/phantomjs-cache
+
+    - id: download-keycloak
+      name: Download Keycloak Maven artifacts
+      uses: actions/download-artifact@v3
+      with:
+        name: m2-keycloak.tzts
+
+    - id: extract-maven-artifacts
+      name: Extract Keycloak Maven artifacts
+      shell: bash
+      run: tar -C ~/ --use-compress-program unzstd -xf m2-keycloak.tzts
--- a/.github/actions/maven-cache/action.yml
+++ b/.github/actions/maven-cache/action.yml
@ -0,0 +1,28 @@
+name: Maven Cache
+description: Caches Maven artifacts
+
+runs:
+  using: composite
+  steps:
+    - id: weekly-cache-key
+      name: Key for weekly rotation of cache
+      shell: bash
+      run: echo "key=mvn-`date -u "+%Y-%U"`" >> $GITHUB_OUTPUT
+
+    - id: cache-maven-repository
+      name: Maven cache
+      uses: actions/cache@v3
+      with:
+        path: ~/.m2/repository
+        key: ${{ steps.weekly-cache-key.outputs.key }}
+
+    - id: check-maven-cache
+      name: Check cache has no Keycloak artifacts
+      if: steps.cache-maven-repository.outputs.cache-hit == 'true'
+      shell: bash
+      run: |
+        if ( stat ~/.m2/repository/org/keycloak &>/dev/null ); then
+          echo "Found org/keycloak artifacts in Maven repository cache"
+          ls ~/.m2/repository/org/keycloak
+          exit 1
+        fi
--- a/.github/actions/npm-cache/action.yml
+++ b/.github/actions/npm-cache/action.yml
@ -0,0 +1,17 @@
+name: NPM Cache
+description: Caches NPM artifacts
+
+runs:
+  using: composite
+  steps:
+    - id: weekly-cache-key
+      name: Key for weekly rotation of cache
+      shell: bash
+      run: echo "key=npm-`date -u "+%Y-%U"`" >> $GITHUB_OUTPUT
+
+    - id: cache-npm-repository
+      name: NPM cache
+      uses: actions/cache@v3
+      with:
+        path: ~/.npm
+        key: ${{ steps.weekly-cache-key.outputs.key }}
--- a/.github/actions/phantomjs-cache/action.yml
+++ b/.github/actions/phantomjs-cache/action.yml
@ -0,0 +1,26 @@
+name: PhantomJS Cache
+description: Caches PhantomJS driver
+
+inputs:
+  version:
+    description: PhantomJS Driver version
+    required: false
+    default: 2.1.1
+
+runs:
+  using: composite
+  steps:
+    - id: cache-phantomjs-driver
+      name: PhantomJS Driver cache
+      uses: actions/cache@v3
+      with:
+        path: ~/.arquillian/drone
+        key: phantomjs-${{ inputs.version }}
+
+    - id: download-phantomjs-driver
+      name: Download PhantomJS Driver
+      if: steps.cache-phantomjs-driver.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        mkdir -p ~/.arquillian/drone/phantomjs/${{ inputs.version }}/
+        curl -L https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-${{ inputs.version }}-linux-x86_64.tar.bz2 --output ~/.arquillian/drone/phantomjs/${{ inputs.version }}/phantomjs-${{ inputs.version }}-linux-x86_64.tar.bz2
--- a/.github/actions/unit-test-setup/action.yml
+++ b/.github/actions/unit-test-setup/action.yml
@ -0,0 +1,26 @@
+name: Setup unit test
+description: Download Maven caches needed for unit tests
+
+inputs:
+  jdk-dist:
+    description: JDK distribution
+    required: false
+    default: temurin
+  jdk-version:
+    description: JDK version
+    required: false
+    default: 11
+
+runs:
+  using: composite
+  steps:
+    - id: setup-java
+      name: Setup Java
+      uses: actions/setup-java@v3
+      with:
+        distribution: ${{ inputs.jdk-dist }}
+        java-version: ${{ inputs.jdk-version }}
+
+    - id: maven-cache
+      name: Maven cache
+      uses: ./.github/actions/maven-cache
--- a/.github/scripts/quickstarts/prepare-server.sh
+++ b/.github/scripts/quickstarts/prepare-server.sh
@ -1,11 +0,0 @@
-#!/bin/bash -e
-
-VERSION=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec -f keycloak)
-
-unzip ~/.m2/repository/org/keycloak/keycloak-server-dist/${VERSION}/keycloak-server-dist-${VERSION}.zip
-mv keycloak-${VERSION} keycloak-dist
-
-keycloak-dist/bin/add-user-keycloak.sh -u admin -p admin
-
-# update QS version to match KC version
-mvn versions:set -DnewVersion=$VERSION -DgenerateBackupPoms=false -DgroupId=org.keycloak* -DartifactId=* -Pbump-version -B
--- a/.github/settings.xml
+++ b/.github/settings.xml
@ -1,48 +0,0 @@
-<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
-          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
-                      https://maven.apache.org/xsd/settings-1.0.0.xsd">
-    <profiles>
-        <profile>
-            <id>update-policy</id>
-            <activation>
-                <activeByDefault>true</activeByDefault>
-            </activation>
-            <repositories>
-                <repository>
-                    <id>central</id>
-                    <name>Maven Central</name>
-                    <url>https://repo.maven.apache.org/maven2</url>
-                    <snapshots>
-                        <enabled>false</enabled>
-                    </snapshots>
-                    <releases>
-                        <updatePolicy>interval:43200</updatePolicy>
-                    </releases>
-                </repository>
-                <repository>
-                    <id>jboss-public-repository</id>
-                    <name>Jboss Public</name>
-                    <url>https://repository.jboss.org/nexus/content/groups/public/</url>
-                    <snapshots>
-                        <enabled>false</enabled>
-                    </snapshots>
-                    <releases>
-                        <updatePolicy>interval:43200</updatePolicy>
-                    </releases>
-                </repository>
-                <repository>
-                    <id>redhat-enterprise-maven-repository</id>
-                    <name>Red Hat Enterprise Maven Repository</name>
-                    <url>https://maven.repository.redhat.com/ga/</url>
-                    <snapshots>
-                        <enabled>false</enabled>
-                    </snapshots>
-                    <releases>
-                        <updatePolicy>interval:43200</updatePolicy>
-                    </releases>
-                </repository>
-            </repositories>
-        </profile>
-    </profiles>
-</settings>
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -2,374 +2,198 @@ name: Keycloak CI

 on:
  push:
-    branches-ignore: [main]
-  # as the ci.yml contains actions that are required for PRs to be merged, it will always need to run on all PRs
-  pull_request: {}
+    branches-ignore:
+      - main
+      - dependabot/**
+  pull_request:
  schedule:
-    - cron: '0 20,23,2,5 * * *'
+    - cron: 0 20,23,2,5 * * *
  workflow_dispatch:

 env:
  DEFAULT_JDK_VERSION: 11
-  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
+  DEFAULT_JDK_DIST: temurin

 concurrency:
-  # Only cancel jobs for new commits on PRs, and always do a complete run on other branches (e.g. `main`).
-  # See: https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-a-fallback-value
-  group: keycloak-ci-${{ github.head_ref || github.run_id }}
+  # Only cancel jobs for PR updates
+  group: ci-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

+defaults:
+  run:
+    shell: bash
+
 jobs:
  build:
    name: Build
-    if: ${{ ( github.event_name != 'schedule' ) || ( github.event_name == 'schedule' && github.repository == 'keycloak/keycloak' ) }}
+    if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-          cache: 'maven'
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/

      - name: Build Keycloak
-        run: |
-           ./mvnw clean install -nsu -B -e -DskipTests -Pdistribution
-           ./mvnw clean install -nsu -B -e -f testsuite/integration-arquillian/servers/auth-server -Pauth-server-quarkus
-           ./mvnw clean install -nsu -B -e -f testsuite/integration-arquillian/servers/auth-server -Pauth-server-undertow
-
-      - name: Store Keycloak artifacts
-        id: store-keycloak
-        uses: actions/upload-artifact@v3
-        with:
-          name: keycloak-artifacts.zip
-          retention-days: 1
-          path: |
-            ~/.m2/repository/org/keycloak
-            !~/.m2/repository/org/keycloak/**/*.tar.gz
-
-      - name: Remove keycloak artifacts before caching
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: rm -rf ~/.m2/repository/org/keycloak
-
-# Tests: Regular distribution
+        uses: ./.github/actions/build-keycloak

  unit-tests:
-    name: Unit Tests
+    name: Base UT
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-          cache: 'maven'
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-      - name: Cleanup org.keycloak artifacts
-        run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true
-      - name: Download built keycloak
-        id: download-keycloak
-        uses: actions/download-artifact@v3
-        with:
-          path: ~/.m2/repository/org/keycloak/
-          name: keycloak-artifacts.zip
+
+      - id: unit-test-setup
+        name: Unit test setup
+        uses: ./.github/actions/unit-test-setup
+
      - name: Run unit tests
-        run: |
-          if ! ./mvnw install -nsu -B -DskipTestsuite -DskipQuarkus -DskipExamples -f pom.xml; then
-            find . -path '*/target/surefire-reports/*.xml' | zip -q reports-unit-tests.zip -@
-            exit 1
-          fi
+        run: ./mvnw install -nsu -B -DskipTestsuite -DskipQuarkus -DskipExamples

-      - name: Analyze Test and/or Coverage Results
-        uses: runforesight/foresight-test-kit-action@v1.3.0
-        if: always() && github.repository == 'keycloak/keycloak'
-        with:
-          api_key: ${{ secrets.FORESIGHT_API_KEY }}
-          test_format: JUNIT
-          test_framework: JUNIT
-          test_path: '**/target/surefire-reports/*.xml'
-
-      - name: Unit test reports
-        uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: reports-unit-tests
-          retention-days: 14
-          path: reports-unit-tests.zip
-          if-no-files-found: ignore
-
-  crypto-tests:
-    name: Crypto Tests
-    runs-on: ubuntu-latest
-    needs: build
-    timeout-minutes: 20
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-          cache: 'maven'
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-      - name: Cleanup org.keycloak artifacts
-        run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true
-      - name: Download built keycloak
-        id: download-keycloak
-        uses: actions/download-artifact@v3
-        with:
-          path: ~/.m2/repository/org/keycloak/
-          name: keycloak-artifacts.zip
-      - name: Run crypto tests (BCFIPS non-approved mode)
-        run: |
-          if ! ./mvnw install -nsu -B -f crypto/pom.xml -Dcom.redhat.fips=true; then
-            find . -path 'crypto/target/surefire-reports/*.xml' | zip -q reports-crypto-tests.zip -@
-            exit 1
-          fi
-
-      - name: Run crypto tests (BCFIPS approved mode)
-        run: |
-          if ! ./mvnw install -nsu -B -f crypto/pom.xml -Dcom.redhat.fips=true -Dorg.bouncycastle.fips.approved_only=true; then
-            find . -path 'crypto/target/surefire-reports/*.xml' | zip -q reports-crypto-tests.zip -@
-            exit 1
-          fi          
-
-      - name: Crypto test reports
-        uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: reports-crypto-tests
-          retention-days: 14
-          path: reports-crypto-tests.zip
-          if-no-files-found: ignore
-
-  model-tests:
-    name: Model Tests
-    runs-on: ubuntu-latest
-    needs: build
-    timeout-minutes: 60
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-          cache: 'maven'
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-      - name: Cleanup org.keycloak artifacts
-        run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true
-      - name: Download built keycloak
-        id: download-keycloak
-        uses: actions/download-artifact@v3
-        with:
-          path: ~/.m2/repository/org/keycloak/
-          name: keycloak-artifacts.zip
-      - name: Run model tests
-        run: |
-          if ! testsuite/model/test-all-profiles.sh; then
-            find . -path '*/target/surefire-reports*/*.xml' | zip -q reports-model-tests.zip -@
-            exit 1
-          fi
-
-      - name: Analyze Test and/or Coverage Results
-        uses: runforesight/foresight-test-kit-action@v1.3.0
-        if: always() && github.repository == 'keycloak/keycloak'
-        with:
-          api_key: ${{ secrets.FORESIGHT_API_KEY }}
-          test_format: JUNIT
-          test_framework: JUNIT
-          test_path: 'testsuite/model/target/surefire-reports/*.xml'
-
-      - name: Model test reports
-        uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: reports-model-tests
-          retention-days: 14
-          path: reports-model-tests.zip
-          if-no-files-found: ignore
-
-  test:
-    name: Base testsuite
+  base-integration-tests:
+    name: Base IT
    needs: build
    runs-on: ubuntu-latest
    timeout-minutes: 100
    strategy:
      matrix:
-        server: ['quarkus', 'quarkus-map', 'quarkus-map-hot-rod', 'quarkus-map-jpa']
-        tests: ['group1','group2','group3']
+        group: [1, 2, 3, 4, 5, 6]
      fail-fast: false
    steps:
      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2

-      - name: Check whether HEAD^ contains HotRod storage relevant changes
-        run: echo "GIT_HOTROD_RELEVANT_DIFF=$( git diff --name-only HEAD^ | egrep -ic -e '^model/map-hot-rod|^model/map/|^model/build-processor' )" >> $GITHUB_ENV
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup

-      - name: Check whether HotRod storage matrix should be executed
-        if: ${{ endsWith(matrix.server, '-map-hot-rod') && env.GIT_HOTROD_RELEVANT_DIFF == 0 }}
-        run: echo "SHOULD_BE_EXECUTED=false" >> $GITHUB_ENV
-
-      - name: Check whether HEAD^ contains JPA map storage relevant changes
-        run: echo "GIT_MAP_JPA_RELEVANT_DIFF=$( git diff --name-only HEAD^ | egrep -ic -e '^model/map-jpa/|^model/map/|^model/build-processor' )" >> $GITHUB_ENV
-
-      - name: Check whether Map-JPA storage matrix should be executed
-        if: ${{ endsWith(matrix.server, '-map-jpa') && env.GIT_MAP_JPA_RELEVANT_DIFF == 0 }}
-        run: echo "SHOULD_BE_EXECUTED=false" >> $GITHUB_ENV
-
-      - name: Cache Maven packages
-        if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }}
-        uses: actions/cache@v3
-        with:
-          path: ~/.m2/repository
-          key: cache-2-${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: cache-1-${{ runner.os }}-m2
-
-      - name: Download built keycloak
-        if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }}
-        id: download-keycloak
-        uses: actions/download-artifact@v3
-        with:
-          path: ~/.m2/repository/org/keycloak/
-          name: keycloak-artifacts.zip
-
-      # - name: List M2 repo
-      #   run: |
-      #     find ~ -name *dist*.zip
-      #     ls -lR ~/.m2/repository
-
-      - uses: actions/setup-java@v3
-        if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }}
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-      - name: Update maven settings
-        if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }}
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-      - name: Prepare test providers
-        if: ${{ matrix.server == 'quarkus' || matrix.server == 'quarkus-map' }}
-        run: ./mvnw clean install -nsu -B -e -f testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers -Pauth-server-quarkus
      - name: Run base tests
-        if: ${{ github.event_name != 'pull_request' || env.SHOULD_BE_EXECUTED != 'false' }}
        run: |
-          declare -A PARAMS TESTGROUP
-          PARAMS["quarkus"]="-Pauth-server-quarkus"
-          PARAMS["quarkus-map"]="-Pauth-server-quarkus -Pmap-storage -Dpageload.timeout=90000"
-          PARAMS["quarkus-map-hot-rod"]="-Pauth-server-quarkus -Pmap-storage,map-storage-hot-rod -Dpageload.timeout=90000"
-          PARAMS["quarkus-map-jpa"]="-Pauth-server-quarkus -Pmap-storage,map-storage-jpa -Dpageload.timeout=90000"
-          TESTGROUP["group1"]="-Dtest=!**.crossdc.**,!**.cluster.**,%regex[org.keycloak.testsuite.(a[abc]|ad[a-l]|[^a-q]).*]"   # Tests alphabetically before admin tests and those after "r"
-          TESTGROUP["group2"]="-Dtest=!**.crossdc.**,!**.cluster.**,%regex[org.keycloak.testsuite.(ad[^a-l]|a[^a-d]|b).*]"      # Admin tests and those starting with "b"
-          TESTGROUP["group3"]="-Dtest=!**.crossdc.**,!**.cluster.**,%regex[org.keycloak.testsuite.([c-q]).*]"                   # All the rest
+          TESTS=`testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh ${{ matrix.group }}`
+          echo "Tests: $TESTS"
+          ./mvnw install -nsu -B -Pauth-server-quarkus -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh

-          ./mvnw clean install -nsu -B ${PARAMS["${{ matrix.server }}"]} ${TESTGROUP["${{ matrix.tests }}"]} -f testsuite/integration-arquillian/tests/base/pom.xml | misc/log/trimmer.sh
+  quarkus-integration-tests:
+    name: Quarkus IT
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 115
+    strategy:
+      matrix:
+        server: [zip, container, storage]
+      fail-fast: false
+    env:
+      MAVEN_OPTS: -Xmx1024m
+    steps:
+      - uses: actions/checkout@v3

-          TEST_RESULT=${PIPESTATUS[0]}
-          find . -path '*/target/surefire-reports/*.xml' | zip -q reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}.zip -@
-          exit $TEST_RESULT
+      - id: unit-test-setup
+        name: Unit test setup
+        uses: ./.github/actions/unit-test-setup

-      - name: Analyze Test and/or Coverage Results
-        uses: runforesight/foresight-test-kit-action@v1.3.0
-        if: always() && github.repository == 'keycloak/keycloak'
+      - name: Run Quarkus integration Tests
+        run: |
+          declare -A PARAMS
+          PARAMS["zip"]=""
+          PARAMS["container"]="-Dkc.quarkus.tests.dist=docker"
+          PARAMS["storage"]="-Ptest-database -Dtest=PostgreSQLDistTest,MariaDBDistTest#testSuccessful,MySQLDistTest#testSuccessful,DatabaseOptionsDistTest,JPAStoreDistTest,HotRodStoreDistTest,MixedStoreDistTest"
+
+          ./mvnw install -nsu -B -pl quarkus/tests/integration -am -DskipTests
+          ./mvnw test -nsu -B -pl quarkus/tests/integration ${PARAMS["${{ matrix.server }}"]} | misc/log/trimmer.sh
+
+  jdk-integration-tests:
+    name: Java Distribution IT
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 100
+    strategy:
+      matrix:
+        dist: [temurin]
+        version: [17, 19]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v3
+
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup
        with:
-          api_key: ${{ secrets.FORESIGHT_API_KEY }}
-          test_format: JUNIT
-          test_framework: JUNIT
-          test_path: 'testsuite/integration-arquillian/tests/base/target/surefire-reports/*.xml'
+          jdk-dist: ${{ matrix.dist }}
+          jdk-version: ${{ matrix.version }}

-      - name: Base test reports
-        uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}
-          retention-days: 14
-          path: reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}.zip
-          if-no-files-found: ignore
+      - name: Prepare Quarkus distribution with current JDK
+        run: ./mvnw install -nsu -B -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus

-  test-fips:
-    name: Base testsuite (fips)
+      - name: Run base tests
+        run: |
+          TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh jdk`
+          echo "Tests: $TESTS"
+          ./mvnw install -nsu -B -Pauth-server-quarkus -Pdb-${{ matrix.db }} -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh
+
+  new-store-integration-tests:
+    name: New Store IT
    needs: build
    runs-on: ubuntu-latest
    timeout-minutes: 45
    strategy:
      matrix:
-        server: ['bcfips-nonapproved-pkcs12']
-        tests: ['group1', 'group2']
+        db: [chm, hot-rod, jpa]
      fail-fast: false
    steps:
      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2

-      - name: Cache Maven packages
-        uses: actions/cache@v3
-        with:
-          path: ~/.m2/repository
-          key: cache-2-${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: cache-1-${{ runner.os }}-m2
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup

-      - name: Download built keycloak
-        id: download-keycloak
-        uses: actions/download-artifact@v3
-        with:
-          path: ~/.m2/repository/org/keycloak/
-          name: keycloak-artifacts.zip
-
-      # - name: List M2 repo
-      #   run: |
-      #     find ~ -name *dist*.zip
-      #     ls -lR ~/.m2/repository
-
-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-      - name: Prepare quarkus distribution with BCFIPS
-        run: ./mvnw clean install -nsu -B -e -f testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus,auth-server-fips140-2
      - name: Run base tests
        run: |
-          declare -A PARAMS TESTGROUP
-          PARAMS["bcfips-nonapproved-pkcs12"]="-Pauth-server-quarkus,auth-server-fips140-2"
-          # Tests in the package "forms" and some keystore related tests
-          TESTGROUP["group1"]="-Dtest=org.keycloak.testsuite.forms.**,ClientAuthSignedJWTTest,CredentialsTest,JavaKeystoreKeyProviderTest,ServerInfoTest,UserFederationLdapConnectionTest,LDAPUserLoginTest"
-          TESTGROUP["group2"]="-Dtest=org.keycloak.testsuite.x509.**,MutualTLSClientTest,FAPI1Test,FAPICIBATest,KcRegTest,KcRegCreateTest,KcAdmTest,KcAdmCreateTest"   # Tests for X.509 authentication with users and clients and CLI tests
-          
-          ./mvnw clean install -nsu -B ${PARAMS["${{ matrix.server }}"]} ${TESTGROUP["${{ matrix.tests }}"]} -f testsuite/integration-arquillian/tests/base/pom.xml | misc/log/trimmer.sh
-          
-          TEST_RESULT=${PIPESTATUS[0]}
-          find . -path '*/target/surefire-reports/*.xml' | zip -q reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}.zip -@
-          exit $TEST_RESULT
+          declare -A PARAMS
+          PARAMS["chm"]="-Pmap-storage -Dpageload.timeout=90000"
+          PARAMS["hot-rod"]="-Pmap-storage,map-storage-hot-rod -Dpageload.timeout=90000"
+          PARAMS["jpa"]="-Pmap-storage,map-storage-jpa -Dpageload.timeout=90000"

-      - name: Analyze Test and/or Coverage Results
-        uses: runforesight/foresight-test-kit-action@v1.3.0
-        if: always() && github.repository == 'keycloak/keycloak'
-        with:
-          api_key: ${{ secrets.FORESIGHT_API_KEY }}
-          test_format: JUNIT
-          test_framework: JUNIT
-          test_path: 'testsuite/integration-arquillian/tests/base/target/surefire-reports/*.xml'
+          TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh database`
+          echo "Tests: $TESTS"
+          ./mvnw install -nsu -B -Pauth-server-quarkus ${PARAMS["${{ matrix.db }}"]} -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh

-      - name: Base test reports
-        uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}
-          retention-days: 14
-          path: reports-${{ matrix.server }}-base-tests-${{ matrix.tests }}.zip
-          if-no-files-found: ignore
+  legacy-store-integration-tests:
+    name: Legacy Store IT
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    strategy:
+      matrix:
+        db: [postgres, mysql] # 'mariadb' is not always shutting down, 'mssql', 'oracle11g' containers not available
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v3

-### Tests: Quarkus distribution
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup

-  quarkus-test-cluster:
-    name: Quarkus Test Clustering
+      - name: Run base tests
+        run: |
+          TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh database`
+          echo "Tests: $TESTS"
+          ./mvnw install -nsu -B -Pauth-server-quarkus -Pdb-${{ matrix.db }} -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh
+
+  store-model-tests:
+    name: Store Model Tests
+    runs-on: ubuntu-latest
+    needs: build
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v3
+
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup
+
+      - name: Run model tests
+        run: testsuite/model/test-all-profiles.sh
+
+  clustering-integration-tests:
+    name: Legacy Clustering IT
    needs: build
    runs-on: ubuntu-latest
    timeout-minutes: 35
@ -378,181 +202,86 @@ jobs:
    steps:
      - uses: actions/checkout@v3

-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-          cache: 'maven'
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup

-      - name: Cleanup org.keycloak artifacts
-        run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true
-
-      - name: Download built keycloak
-        id: download-keycloak
-        uses: actions/download-artifact@v3
-        with:
-          path: ~/.m2/repository/org/keycloak/
-          name: keycloak-artifacts.zip
-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-      - name: Run Quarkus cluster tests
+      - name: Run cluster tests
        run: |
-          echo '::group::Compiling testsuite'
-          ./mvnw clean install -nsu -B -Pauth-server-quarkus -DskipTests -f testsuite/pom.xml
-          echo '::endgroup::'
-          ./mvnw clean install -nsu -B -Pauth-server-cluster-quarkus -Dsession.cache.owners=2 -Dtest=**.cluster.** -f testsuite/integration-arquillian/pom.xml  | misc/log/trimmer.sh
-          TEST_RESULT=${PIPESTATUS[0]}
-          find . -path '*/target/surefire-reports/*.xml' | zip -q reports-quarkus-cluster-tests.zip -@
-          exit $TEST_RESULT
+          ./mvnw install -nsu -B -Pauth-server-cluster-quarkus -Dsession.cache.owners=2 -Dtest=**.cluster.** -pl testsuite/integration-arquillian/tests/base  | misc/log/trimmer.sh

-      - name: Analyze Test and/or Coverage Results
-        uses: runforesight/foresight-test-kit-action@v1.3.0
-        if: always() && github.repository == 'keycloak/keycloak'
-        with:
-          api_key: ${{ secrets.FORESIGHT_API_KEY }}
-          test_format: JUNIT
-          test_framework: JUNIT
-          test_path: 'testsuite/integration-arquillian/tests/base/target/surefire-reports/*.xml'
-
-      - name: Quarkus cluster test reports
-        uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: reports-quarkus-cluster-tests
-          retention-days: 14
-          path: reports-quarkus-cluster-tests.zip
-          if-no-files-found: ignore
-
-  ### Tests: Quarkus distribution
-
-  quarkus-tests:
-    name: Quarkus Tests
-    needs: build
+  fips-unit-tests:
+    name: FIPS UT
    runs-on: ubuntu-latest
-    timeout-minutes: 115
-    env:
-      MAVEN_OPTS: -Xmx1024m
+    needs: build
+    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
-        with:
-          distribution: 'temurin'
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-          cache: 'maven'
-      - name: Cleanup org.keycloak artifacts
-        run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true

-      - name: Download built keycloak
-        id: download-keycloak
-        uses: actions/download-artifact@v3
-        with:
-          path: ~/.m2/repository/org/keycloak/
-          name: keycloak-artifacts.zip
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
+      - id: unit-test-setup
+        name: Unit test setup
+        uses: ./.github/actions/unit-test-setup

-      - name: Prepare the local distribution archives
-        run: ./mvnw clean install -DskipTests -Pdistribution
+      - name: Run crypto tests (BCFIPS non-approved mode)
+        run: ./mvnw install -nsu -B -am -pl crypto/default,crypto/fips1402,crypto/elytron -Dcom.redhat.fips=true

-      - name: Run Quarkus Integration Tests
+      - name: Run crypto tests (BCFIPS approved mode)
+        run: ./mvnw install -nsu -B -am -pl crypto/default,crypto/fips1402,crypto/elytron -Dcom.redhat.fips=true -Dorg.bouncycastle.fips.approved_only=true
+
+  fips-integration-tests:
+    name: FIPS IT
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - uses: actions/checkout@v3
+
+      - id: integration-test-setup
+        name: Integration test setup
+        uses: ./.github/actions/integration-test-setup
+
+      - name: Prepare Quarkus distribution with BCFIPS
+        run: ./mvnw install -nsu -B -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus,auth-server-fips140-2
+
+      - name: Run base tests
        run: |
-          ./mvnw clean install -nsu -B -f quarkus/tests/pom.xml | misc/log/trimmer.sh
-          TEST_RESULT=${PIPESTATUS[0]}
-          find . -path '*/target/surefire-reports/*.xml' | zip -q reports-quarkus-tests.zip -@
-          exit $TEST_RESULT
+          TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips`
+          echo "Tests: $TESTS"
+          ./mvnw install -nsu -B -Pauth-server-quarkus,auth-server-fips140-2 -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base | misc/log/trimmer.sh

-      - name: Run Quarkus Storage Tests
-        run: |
-          ./mvnw clean install -nsu -B -f quarkus/tests/pom.xml -Ptest-database -Dtest=PostgreSQLDistTest,MariaDBDistTest#testSuccessful,MySQLDistTest#testSuccessful,DatabaseOptionsDistTest,JPAStoreDistTest,HotRodStoreDistTest,MixedStoreDistTest | misc/log/trimmer.sh
-          TEST_RESULT=${PIPESTATUS[0]}
-          find . -path '*/target/surefire-reports/*.xml' | zip -q reports-quarkus-tests.zip -@
-          exit $TEST_RESULT
+  check-set-status:
+    name: Set check conclusion
+    needs:
+      - unit-tests
+      - base-integration-tests
+      - quarkus-integration-tests
+      - jdk-integration-tests
+      - new-store-integration-tests
+      - legacy-store-integration-tests
+      - store-model-tests
+      - clustering-integration-tests
+      - fips-unit-tests
+      - fips-integration-tests
+    runs-on: ubuntu-latest
+    outputs:
+      conclusion: ${{ steps.check.outputs.conclusion }}

-      - name: Run Quarkus Tests in Docker
-        run: |
-          ./mvnw clean install -nsu -B -f quarkus/tests/pom.xml -Dkc.quarkus.tests.dist=docker -Dtest=StartCommandDistTest | misc/log/trimmer.sh
-          TEST_RESULT=${PIPESTATUS[0]}
-          exit $TEST_RESULT
+    steps:
+      - uses: actions/checkout@v3

-      - name: Analyze Test and/or Coverage Results
-        uses: runforesight/foresight-test-kit-action@v1.3.0
-        if: always() && github.repository == 'keycloak/keycloak'
+      - id: check
+        uses: ./.github/actions/checks-success
+
+  check:
+    name: Check
+    if: always() && ( github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' )
+    needs: [check-set-status]
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Check status
+        uses: ./.github/actions/checks-job-pass
        with:
-          api_key: ${{ secrets.FORESIGHT_API_KEY }}
-          test_format: JUNIT
-          test_framework: JUNIT
-          test_path: 'quarkus/tests/integration/target/surefire-reports/*.xml'
-
-      - name: Quarkus test reports
-        uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: reports-quarkus-tests
-          retention-days: 14
-          path: reports-quarkus-tests.zip
-          if-no-files-found: ignore
-
-# NOTE: WebAuthn tests can be enabled once the issue #12621 is resolved
-#
-#  webauthn-test:
-#    name: WebAuthn Tests
-#    needs: build
-#    runs-on: ubuntu-latest
-#    steps:
-#      - uses: actions/checkout@v2
-#        with:
-#          fetch-depth: 2
-#
-#      - name: Check whether this phase should run
-#        run: echo "GIT_DIFF=$[ $( git diff --name-only HEAD^ | egrep -ic 'webauthn|passwordless' ) ]" >> $GITHUB_ENV
-#
-#      - uses: actions/setup-java@v1
-#        if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }}
-#        with:
-#          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-#
-#      - name: Update maven settings
-#        if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }}
-#        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-#
-#      - name: Cache Maven packages
-#        if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }}
-#        uses: actions/cache@v2
-#        with:
-#          path: ~/.m2/repository
-#          key: cache-1-${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-#          restore-keys: cache-1-${{ runner.os }}-m2
-#
-#      - name: Cleanup org.keycloak artifacts
-#        if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }}
-#        run: rm -rf ~/.m2/repository/org/keycloak >/dev/null || true
-#
-#      - name: Download built keycloak
-#        if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }}
-#        id: download-keycloak
-#        uses: actions/download-artifact@v2
-#        with:
-#          path: ~/.m2/repository/org/keycloak/
-#          name: keycloak-artifacts.zip
-#
-#      - name: Run WebAuthn tests
-#        if: ${{ github.event_name != 'pull_request' || env.GIT_DIFF != 0 }}
-#        run: |
-#          mvn clean install -nsu -B -Dbrowser=chrome -Pwebauthn -f testsuite/integration-arquillian/tests/other/pom.xml -Dtest=org.keycloak.testsuite.webauthn.**.*Test | misc/log/trimmer.sh
-#
-#          TEST_RESULT=${PIPESTATUS[0]}
-#          find . -path '*/target/surefire-reports/*.xml' | zip -q reports-webauthn-tests.zip -@
-#          exit $TEST_RESULT
-#
-#      - name: WebAuthn test reports
-#        uses: actions/upload-artifact@v2
-#        if: failure()
-#        with:
-#          name: reports-webauthn-tests
-#          retention-days: 14
-#          path: reports-webauthn-tests.zip
-#          if-no-files-found: ignore
+          conclusion: ${{ needs.check-set-status.outputs.conclusion }}
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,150 @@
+name: CodeQL
+
+on:
+  push:
+    branches-ignore:
+      - main
+      - dependabot/**
+  pull_request:
+     branches: [main]
+  schedule:
+    - cron: 0 9 * * 2
+
+concurrency:
+  # Only cancel jobs for PR updates
+  group: codeql-analysis-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+
+  changes:
+    name: Check changes
+    if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
+    runs-on: ubuntu-latest
+    outputs:
+      java: ${{ steps.changes.outputs.java }}
+      themes: ${{ steps.changes.outputs.themes }}
+      js-adapter: ${{ steps.changes.outputs.js-adapter }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - id: changes
+        uses: ./.github/actions/changed-files
+
+  java:
+    name: CodeQL Java
+    needs: changes
+    runs-on: ubuntu-latest
+    if: needs.changes.outputs.java == 'true'
+    outputs:
+      conclusion: ${{ steps.check.outputs.conclusion }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2.1.36
+        with:
+          languages: java
+
+      - name: Build Keycloak
+        uses: ./.github/actions/build-keycloak
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2.1.36
+        with:
+          wait-for-processing: true
+        env:
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
+
+      - id: check
+        uses: ./.github/actions/checks-success
+
+  js-adapter:
+    name: CodeQL JavaScript Adapter
+    needs: changes
+    runs-on: ubuntu-latest
+    if: needs.changes.outputs.js-adapter == 'true'
+    outputs:
+      conclusion: ${{ steps.check.outputs.conclusion }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2.1.36
+        env:
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
+        with:
+          languages: javascript
+          source-root: adapters/oidc/js/src/
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2.1.36
+        with:
+          wait-for-processing: true
+        env:
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
+
+      - id: check
+        uses: ./.github/actions/checks-success
+
+  themes:
+    name: CodeQL Themes
+    needs: changes
+    runs-on: ubuntu-latest
+    if: needs.changes.outputs.themes == 'true'
+    outputs:
+      conclusion: ${{ steps.check.outputs.conclusion }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2.1.36
+        env:
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
+        with:
+          languages: javascript
+          source-root: themes/src/main/
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2.1.36
+        with:
+          wait-for-processing: true
+        env:
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
+
+      - id: check
+        uses: ./.github/actions/checks-success
+
+  check:
+    name: Check
+    if: always() && ( github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' )
+    needs: [changes, java, js-adapter, themes]
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: CodeQL Java
+        uses: ./.github/actions/checks-job-pass
+        with:
+          required: ${{ needs.changes.outputs.java }}
+          conclusion: ${{ needs.java.outputs.conclusion }}
+
+      - name: CodeQL JavaScript Adapter
+        uses: ./.github/actions/checks-job-pass
+        with:
+          required: ${{ needs.changes.outputs.js-adapter }}
+          conclusion: ${{ needs.js-adapter.outputs.conclusion }}
+
+      - name: CodeQL Themes
+        uses: ./.github/actions/checks-job-pass
+        with:
+          required: ${{ needs.changes.outputs.themes }}
+          conclusion: ${{ needs.themes.outputs.conclusion }}
--- a/.github/workflows/codeql-java-analysis.yml
+++ b/.github/workflows/codeql-java-analysis.yml
@ -1,59 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-name: "CodeQL Java"
-
-on:
-  push:
-    branches-ignore:
-      - 'main'
-      - 'dependabot/**'
-  pull_request:
-    branches: [main]
-    paths: 
-      - '**.java'
-      - '.github/workflows/codeql-java-analysis.yml'
-  schedule:
-    - cron: '0 9 * * 2'
-
-concurrency:
-  # Only run once for latest commit per ref and cancel other (previous) runs.
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
-
-jobs:
-  analyze:
-    name: CodeQL analyze
-    runs-on: ubuntu-latest
-    if: github.repository == 'keycloak/keycloak'
-
-    steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-java@v3
-      with:
-        distribution: 'temurin'
-        java-version: '11'
-        cache: 'maven'
-
-    - name: Update maven settings
-      run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2.1.36
-      with:
-        languages: java
-      
-    - name: Build Keycloak
-      run: mvn -B install -DskipTests -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2.1.36
-      with:
-        wait-for-processing: true
-      env: 
-        CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
--- a/.github/workflows/codeql-js-adapter-analysis.yml
+++ b/.github/workflows/codeql-js-adapter-analysis.yml
@ -1,62 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-name: "CodeQL JS Adapter"
-
-on:
-  push:
-    branches-ignore:
-      - 'main'
-      - 'dependabot/**'
-  pull_request:
-    branches: [main]
-    paths: 
-      - 'adapters/oidc/js/**'
-      - '.github/workflows/codeql-js-adapter-analysis.yml'
-  schedule:
-    - cron: '0 9 * * 2'
-
-concurrency:
-  # Only run once for latest commit per ref and cancel other (previous) runs.
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
-
-jobs:
-  analyze:
-    name: CodeQL analyze
-    runs-on: ubuntu-latest
-    if: github.repository == 'keycloak/keycloak'
-
-    steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-java@v3
-      with:
-        distribution: 'temurin'
-        java-version: '11'
-        cache: 'maven'
-
-    - name: Update maven settings
-      run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2.1.36
-      env: 
-        CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
-      with:
-        languages: javascript
-        source-root: adapters/oidc/js/
-
-    - name: Build Keycloak
-      run: mvn -B install -DskipTests -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2.1.36
-      with:
-        wait-for-processing: true
-      env: 
-        CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
--- a/.github/workflows/codeql-theme-analysis.yml
+++ b/.github/workflows/codeql-theme-analysis.yml
@ -1,62 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-name: "CodeQL Themes"
-
-on:
-  push:
-    branches-ignore:
-      - 'main'
-      - 'dependabot/**'
-  pull_request:
-    branches: [main]
-    paths: 
-      - 'themes/src/**'
-      - '.github/workflows/codeql-theme-analysis.yml'
-  schedule:
-    - cron: '0 9 * * 2'
-
-concurrency:
-  # Only run once for latest commit per ref and cancel other (previous) runs.
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
-
-jobs:
-  analyze:
-    name: CodeQL analyze
-    runs-on: ubuntu-latest
-    if: github.repository == 'keycloak/keycloak'
-
-    steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-java@v3
-      with:
-        distribution: 'temurin'
-        java-version: '11'
-        cache: 'maven'
-
-    - name: Update maven settings
-      run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2.1.36
-      env: 
-        CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
-      with:
-        languages: javascript
-        source-root: themes/
-
-    - name: Build Keycloak
-      run: mvn -B install -DskipTests -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2.1.36
-      with:
-        wait-for-processing: true
-      env: 
-        CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
--- a/.github/workflows/operator-ci.yml
+++ b/.github/workflows/operator-ci.yml
@ -2,49 +2,42 @@ name: Keycloak Operator CI

 on:
  push:
-    branches-ignore: [main]
+    branches-ignore:
+      - main
+      - dependabot/**
  pull_request:
-    paths-ignore:
-      - '.github/workflows/**'
-      - '!.github/workflows/operator-ci.yml'
  schedule:
-    - cron: '0 20,22,0,2,4 * * *'
+    - cron: 0 20,23,2,5 * * *
+  workflow_dispatch:

 env:
-  JDK_VERSION: 11
-  MINIKUBE_VERSION: "v1.24.0"
-  KUBERNETES_VERSION: "v1.22.3"
-  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
+  DEFAULT_JDK_VERSION: 11
+  DEFAULT_JDK_DIST: temurin
+  MINIKUBE_VERSION: v1.24.0
+  KUBERNETES_VERSION: v1.22.3
+
+defaults:
+  run:
+    shell: bash

 concurrency:
-  # Only run once for latest commit per ref and cancel other (previous) runs.
-  group: ${{ github.workflow }}-${{ github.ref }}
+  # Only cancel jobs for PR updates
+  group: operator-ci-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

 jobs:
  build:
    name: Build distribution
-    if: ${{ ( github.event_name != 'schedule' ) || ( github.event_name == 'schedule' && github.repository == 'keycloak/keycloak' ) }}
+    if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-      - uses: actions/setup-java@v3
+
+      - name: Build Keycloak
+        uses: ./.github/actions/build-keycloak
        with:
-          distribution: 'temurin'
-          java-version: ${{ env.JDK_VERSION }}
-          cache: 'maven'
-      - name: Create the Keycloak distribution
-        run: |
-          mvn clean install -Pdistribution -DskipTests -DskipExamples -DskipTestsuite
-      - name: Store Keycloak distribution
-        id: store-keycloak
-        uses: actions/upload-artifact@v3
-        with:
-          name: keycloak-distribution
-          retention-days: 1
-          path: quarkus/dist/target/keycloak*.tar.gz
+          upload-m2-repo: false
+          upload-dist: true

  test-local:
    name: Test local
@ -52,16 +45,16 @@ jobs:
    needs: [build]
    steps:
      - uses: actions/checkout@v3
-      - name: Set outputs
+
+      - name: Set version
        id: vars
        run: echo "version_local=0.0.1-${GITHUB_SHA::6}" >> $GITHUB_ENV
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
+
      - uses: actions/setup-java@v2
        with:
-          distribution: 'temurin'
-          java-version: ${{ env.JDK_VERSION }}
-          cache: 'maven'
+          distribution: ${{ env.DEFAULT_JDK_DIST }}
+          java-version: ${{ env.DEFAULT_JDK_VERSION }}
+
      - name: Setup Minikube-Kubernetes
        uses: manusa/actions-setup-minikube@v2.7.1
        with:
@ -69,13 +62,15 @@ jobs:
          kubernetes version: ${{ env.KUBERNETES_VERSION }}
          github token: ${{ secrets.GITHUB_TOKEN }}
          driver: docker
-          start args: '--addons=ingress'
+          start args: --addons=ingress
+
      - name: Download keycloak distribution
        id: download-keycloak-dist
        uses: actions/download-artifact@v3
        with:
-          name: keycloak-distribution
+          name: keycloak-dist
          path: quarkus/container
+
      - name: Build Keycloak Docker images
        run: |
          eval $(minikube -p minikube docker-env)
@ -84,7 +79,7 @@ jobs:

      - name: Test operator running locally
        run: |
-          mvn clean install -Poperator -pl :keycloak-operator -am \
+          mvn install -Poperator -pl :keycloak-operator -am \
              -Dquarkus.kubernetes.image-pull-policy=IfNotPresent \
              -Doperator.keycloak.image=keycloak:${{ env.version_local }} \
              -Dtest.operator.custom.image=custom-keycloak:${{ env.version_local }} \
@ -97,16 +92,16 @@ jobs:
    needs: [build]
    steps:
      - uses: actions/checkout@v3
-      - name: Set outputs
+
+      - name: Set version
        id: vars
        run: echo "version_remote=0.0.1-${GITHUB_SHA::6}" >> $GITHUB_ENV
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
+
      - uses: actions/setup-java@v2
        with:
-          distribution: 'temurin'
-          java-version: ${{ env.JDK_VERSION }}
-          cache: 'maven'
+          distribution: ${{ env.DEFAULT_JDK_DIST }}
+          java-version: ${{ env.DEFAULT_JDK_VERSION }}
+
      - name: Setup Minikube-Kubernetes
        uses: manusa/actions-setup-minikube@v2.7.1
        with:
@ -114,13 +109,15 @@ jobs:
          kubernetes version: ${{ env.KUBERNETES_VERSION }}
          github token: ${{ secrets.GITHUB_TOKEN }}
          driver: docker
-          start args: '--addons=ingress'
+          start args: --addons=ingress
+
      - name: Download keycloak distribution
        id: download-keycloak-dist
        uses: actions/download-artifact@v3
        with:
-          name: keycloak-distribution
+          name: keycloak-dist
          path: quarkus/container
+
      - name: Build Keycloak Docker images
        run: |
          eval $(minikube -p minikube docker-env)
@ -130,7 +127,7 @@ jobs:
      - name: Test operator running in cluster
        run: |
          eval $(minikube -p minikube docker-env)
-          mvn clean install -Poperator -pl :keycloak-operator -am \
+          mvn install -Poperator -pl :keycloak-operator -am \
              -Dquarkus.container-image.build=true \
              -Dquarkus.kubernetes.image-pull-policy=IfNotPresent \
              -Doperator.keycloak.image=keycloak:${{ env.version_remote }} \
@ -145,13 +142,12 @@ jobs:
    needs: [build]
    steps:
      - uses: actions/checkout@v3
-      - name: Update maven settings
-        run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
+
      - uses: actions/setup-java@v2
        with:
-          distribution: 'temurin'
-          java-version: ${{ env.JDK_VERSION }}
-          cache: 'maven'
+          distribution: ${{ env.DEFAULT_JDK_DIST }}
+          java-version: ${{ env.DEFAULT_JDK_VERSION }}
+
      - name: Setup Minikube-Kubernetes
        uses: manusa/actions-setup-minikube@v2.7.1
        with:
@ -159,22 +155,27 @@ jobs:
          kubernetes version: ${{ env.KUBERNETES_VERSION }}
          github token: ${{ secrets.GITHUB_TOKEN }}
          driver: docker
+
      - name: Install OPM
        uses: redhat-actions/openshift-tools-installer@v1
        with:
-          source: "github"
-          opm: "1.21.0"
+          source: github
+          opm: 1.21.0
+
      - name: Install Yq
        run: sudo snap install yq
+
      - name: Install OLM
        working-directory: operator
        run: ./scripts/install-olm.sh
+
      - name: Download keycloak distribution
        id: download-keycloak-dist
        uses: actions/download-artifact@v3
        with:
-          name: keycloak-distribution
+          name: keycloak-dist
          path: quarkus/container
+
      - name: Arrange OLM test installation
        working-directory: operator
        run: |
@ -192,3 +193,33 @@ jobs:
          kubectl apply -f src/main/resources/example-realm.yaml
          # Wait for the CRs to be ready
          ./scripts/check-examples-installed.sh
+
+  check-set-status:
+    name: Set check conclusion
+    needs:
+      - test-local
+      - test-remote
+      - test-olm
+    runs-on: ubuntu-latest
+    outputs:
+      conclusion: ${{ steps.check.outputs.conclusion }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - id: check
+        uses: ./.github/actions/checks-success
+
+  check:
+    name: Check
+    if: always() && ( github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' )
+    needs: [check-set-status]
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Check status
+        uses: ./.github/actions/checks-job-pass
+        with:
+          conclusion: ${{ needs.check-set-status.outputs.conclusion }}
--- a/.github/workflows/snyk-analysis.yml
+++ b/.github/workflows/snyk-analysis.yml
@ -0,0 +1,45 @@
+name: Snyk
+
+on:
+  schedule:
+    - cron: 0 0 * * *
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  analysis:
+    name: Analysis of Quarkus and Operator
+    runs-on: ubuntu-latest
+    if: github.repository == 'keycloak/keycloak'
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build Keycloak
+        uses: ./.github/actions/build-keycloak
+
+      - uses: snyk/actions/setup@master
+
+      - name: Check for vulnerabilities in Quarkus
+        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload Quarkus scanner results to GitHub
+        uses: github/codeql-action/upload-sarif@v2.1.36
+        with:
+          sarif_file: quarkus-report.sarif
+
+      - name: Check for vulnerabilities in Operator
+        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload Operator scanner results to GitHub
+        uses: github/codeql-action/upload-sarif@v2.1.36
+        with:
+          sarif_file: operator-report.sarif
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@ -1,68 +0,0 @@
-name: "Snyk"
-
-on:
-  schedule:
-    - cron: "0 0 * * *"
-
-env:
-  DEFAULT_JDK_VERSION: 11
-  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
-
-jobs:
-  quarkus:
-    name: Quarkus
-    runs-on: ubuntu-latest
-    if: ${{ github.repository == 'keycloak/keycloak' }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      - uses: actions/setup-java@v3
-        with:
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-          distribution: temurin
-          cache: maven
-
-      - name: Build Quarkus
-        run: mvn -Psnyk-quarkus -pl quarkus/dist -am -DskipTests clean install
-
-      - uses: snyk/actions/setup@master
-      - name: Check for vulnerabilities
-        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-      - name: Upload scanner results to GitHub
-        uses: github/codeql-action/upload-sarif@v2.1.36
-        with:
-          sarif_file: quarkus-report.sarif
-
-  operator:
-    name: Operator
-    runs-on: ubuntu-latest
-    if: ${{ github.repository == 'keycloak/keycloak' }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      - uses: actions/setup-java@v3
-        with:
-          java-version: ${{ env.DEFAULT_JDK_VERSION }}
-          distribution: temurin
-          cache: maven
-
-      - name: Build Keycloak
-        run: mvn -Poperator -pl operator -am -DskipTests clean install
-
-      - uses: snyk/actions/setup@master
-      - name: Check for vulnerabilities for the Operator
-        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-      - name: Upload scanner results for the Operator to GitHub
-        uses: github/codeql-action/upload-sarif@v2.1.36
-        with:
-          sarif_file: operator-report.sarif
--- a/.github/workflows/trivy-analysis.yml
+++ b/.github/workflows/trivy-analysis.yml
@ -1,63 +1,36 @@
 name: Trivy
+
 on:
-  workflow_dispatch:
  schedule:
-    - cron: "0 6 * * *"
+    - cron: 0 6 * * *
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash

 jobs:
-  quarkus-dist:
-    name: Vulnerability scanner for Quarkus distribution images
-    runs-on: "ubuntu-18.04"
+
+  analysis:
+    name: Vulnerability scanner for nightly containers
+    runs-on: ubuntu-latest
+    if: github.repository == 'keycloak/keycloak'
+    strategy:
+      matrix:
+        container: [keycloak, keycloak-operator]
+      fail-fast: false
    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
        with:
-          image-ref: 'quay.io/keycloak/keycloak:nightly'
-          format: 'template'
+          image-ref: quay.io/keycloak/${{ matrix.container}}:nightly
+          format: template
          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'MEDIUM,CRITICAL,HIGH'
+          output: trivy-results.sarif
+          severity: MEDIUM,CRITICAL,HIGH
          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2.1.36
        with:
-          sarif_file: 'trivy-results.sarif'
-
-  legacy-dist:
-    name: Vulnerability scanner for WildFly distribution images
-    runs-on: "ubuntu-18.04"
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
-        with:
-          image-ref: 'quay.io/keycloak/keycloak:legacy'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'legacy-results.sarif'
-          severity: 'MEDIUM,CRITICAL,HIGH'
-          ignore-unfixed: true
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2.1.36
-        with:
-          sarif_file: 'legacy-results.sarif'
-
-  keycloak-operator:
-    name: Vulnerability scanner for Keycloak Operator distribution images
-    runs-on: "ubuntu-18.04"
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
-        with:
-          image-ref: 'quay.io/keycloak/keycloak-operator:nightly'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'operator-results.sarif'
-          severity: 'MEDIUM,CRITICAL,HIGH'
-          ignore-unfixed: true
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2.1.36
-        with:
-          sarif_file: 'operator-results.sarif'
+          sarif_file: trivy-results.sarif
--- a/.gitignore
+++ b/.gitignore
@ -83,3 +83,6 @@ quarkus/data/*.db

 # Git ephemeral files
 *.versionsBackup
+
+# Node.js for frontend-maven-plugin #
+node
--- a/adapters/oidc/js/pom.xml
+++ b/adapters/oidc/js/pom.xml
@ -77,6 +77,7 @@
 				</executions>
 				<configuration>
 					<nodeVersion>${node.version}</nodeVersion>
+					<installDirectory>../../../</installDirectory>
 				</configuration>
 			</plugin>
 		</plugins>
--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/QuarkusPlatform.java
+++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/QuarkusPlatform.java
@ -44,6 +44,11 @@ public class QuarkusPlatform implements PlatformProvider {

    private static final Logger log = Logger.getLogger(QuarkusPlatform.class);

+    @Override
+    public String name() {
+        return "Quarkus";
+    }
+
    public static void addInitializationException(Throwable throwable) {
        QuarkusPlatform platform = (QuarkusPlatform) Platform.getPlatform();
        platform.addDeferredException(throwable);
--- a/services/src/main/java/org/keycloak/platform/PlatformProvider.java
+++ b/services/src/main/java/org/keycloak/platform/PlatformProvider.java
@ -22,6 +22,8 @@ import java.io.File;
 import org.keycloak.Config;

 public interface PlatformProvider {
+
+    String name();
    
    void onStartup(Runnable runnable);

--- a/testsuite/integration-arquillian/servers/auth-server/pom.xml
+++ b/testsuite/integration-arquillian/servers/auth-server/pom.xml
@ -37,21 +37,6 @@
    <modules>
        <module>services</module>
        <module>undertow</module>
+        <module>quarkus</module>
    </modules>
-    
-    <profiles>
-        <profile>
-            <id>auth-server-quarkus</id>
-            <modules>
-                <module>quarkus</module>
-            </modules>
-        </profile>
-        <profile>
-            <id>auth-server-cluster-quarkus</id>
-            <modules>
-                <module>quarkus</module>
-            </modules>
-        </profile>
-    </profiles>
-
 </project>
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml
@ -115,26 +115,4 @@
            </plugin>
        </plugins>
    </build>
-
-    <profiles>
-        <profile>
-            <id>auth-server-quarkus</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-jar-plugin</artifactId>
-                        <configuration>
-                            <excludes>
-                                <!-- For quarkus we don't want the test provider installed to avoid false positives -->
-                                <!-- Themes from providers are automatically registered -->
-                                <excludes>**/TestThemeResourceProvider**</excludes>
-                                <excludes>**/org.keycloak.theme.ThemeResourceProviderFactory</excludes>
-                            </excludes>
-                        </configuration>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-    </profiles>
 </project>
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/theme/TestThemeResourceProvider.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/theme/TestThemeResourceProvider.java
@ -1,11 +1,22 @@
 package org.keycloak.testsuite.theme;

+import org.keycloak.platform.Platform;
+import org.keycloak.provider.EnvironmentDependentProviderFactory;
 import org.keycloak.theme.ClasspathThemeResourceProviderFactory;

-public class TestThemeResourceProvider extends ClasspathThemeResourceProviderFactory {
+public class TestThemeResourceProvider extends ClasspathThemeResourceProviderFactory implements EnvironmentDependentProviderFactory {

    public TestThemeResourceProvider() {
        super("test-resources", TestThemeResourceProvider.class.getClassLoader());
    }

+    /**
+     * Quarkus detects theme resources automatically, so this provider should only be enabled on Undertow
+     *
+     * @return true if platform is Undertow
+     */
+    @Override
+    public boolean isSupported() {
+        return Platform.getPlatform().name().equals("Undertow");
+    }
 }
--- a/testsuite/integration-arquillian/tests/base/testsuites/base-suite
+++ b/testsuite/integration-arquillian/tests/base/testsuites/base-suite
@ -0,0 +1,47 @@
+account,4
+actions,1
+adapter,2
+admin,1
+authz,3
+broker,3
+cli,4
+client,4
+cluster,IGNORED
+composites,4
+cookies,4
+crossdc,IGNORED
+docker,4
+domainextension,4
+error,4
+events,4
+exportimport,4
+feature,4
+federation,5
+forms,5
+i18n,5
+jaas,5
+javascript,5
+keys,4
+login,4
+metrics,4
+migration,4
+model,6
+oauth,6
+oidc,6
+openshift,6
+policy,6
+runonserver,6
+saml,6
+script,6
+session,6
+sessionlimits,6
+ssl,6
+theme,6
+transactions,6
+url,6
+user,4
+util,4
+validation,6
+vault,4
+welcomepage,6
+x509,4
--- a/testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh
+++ b/testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh
@ -0,0 +1,43 @@
+#!/bin/bash -e
+
+GROUP="$1"
+if [ "$GROUP" == "" ]; then
+  echo 'Usage: base-suite.sh <group>'
+  exit
+fi
+
+cd "`readlink -f "$0" | xargs dirname`"
+
+TESTSUITE_FILE='base-suite'
+TEST_DIR='../src/test/java/org/keycloak/testsuite'
+BASE_PACKAGE='org.keycloak.testsuite'
+
+PACKAGES=`cat $TESTSUITE_FILE | grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*#'`
+
+# Check all packages in testsuite are included
+for i in `ls -d $TEST_DIR/*/ | sed "s|$TEST_DIR||g" | sed "s|/||g"`; do
+  if ( ! cat $TESTSUITE_FILE | grep "^$i," >/dev/null ); then
+    echo "Package 'org.keycloak.testsuite.$i' not defined in base-suite"
+    exit 1
+  fi
+done
+
+SEP=""
+TESTS=""
+for i in `echo $PACKAGES`; do
+  PACKAGE=`echo $i | cut -d ',' -f 1`
+  PACKAGE_GROUP=`echo $i | cut -d ',' -f 2`
+
+  # Check package exists
+  if [ ! -d "$TEST_DIR/$PACKAGE" ]; then
+    echo "Package 'org.keycloak.testsuite.$PACKAGE' not found"
+    exit 1
+  fi
+
+  if [ "$GROUP" == "$PACKAGE_GROUP" ]; then
+    TESTS="$TESTS$SEP$BASE_PACKAGE.$PACKAGE.**"
+    SEP=','
+  fi
+done
+
+echo "$TESTS"
--- a/testsuite/integration-arquillian/tests/base/testsuites/database-suite
+++ b/testsuite/integration-arquillian/tests/base/testsuites/database-suite
@ -0,0 +1,18 @@
+AccountRestServiceTest
+AuthorizationCodeTest
+AuthorizationTest
+ClientRegistrationTest
+EventStoreProviderTest
+ExportImportTest
+GeneratedRsaKeyProviderTest
+KcOidcBrokerTest
+LDAPUserLoginTest
+LoginTest
+PasswordPolicyTest
+RequiredActionUpdateProfileTest
+SSOTest
+SamlClientTest
+TransactionsTest
+UserProfileTest
+org.keycloak.testsuite.admin.**
+org.keycloak.testsuite.authz.**ManagementTest
--- a/testsuite/integration-arquillian/tests/base/testsuites/fips-suite
+++ b/testsuite/integration-arquillian/tests/base/testsuites/fips-suite
@ -0,0 +1,15 @@
+org.keycloak.testsuite.forms.**
+ClientAuthSignedJWTTest
+CredentialsTest
+JavaKeystoreKeyProviderTest
+ServerInfoTest
+UserFederationLdapConnectionTest
+LDAPUserLoginTest
+org.keycloak.testsuite.x509.**
+MutualTLSClientTest
+FAPI1Test
+FAPICIBATest
+KcRegTest
+KcRegCreateTest
+KcAdmTest
+KcAdmCreateTest
--- a/testsuite/integration-arquillian/tests/base/testsuites/jdk-suite
+++ b/testsuite/integration-arquillian/tests/base/testsuites/jdk-suite
@ -0,0 +1,17 @@
+AccountRestServiceTest
+AuthorizationCodeTest
+CredentialsTest
+DeployedScriptAuthenticatorTest
+ExportImportTest
+GeneratedRsaKeyProviderTest
+JavaKeystoreKeyProviderTest
+KcOidcBrokerTest
+KerberosLdapTest
+LDAPUserLoginTest
+LoginTest
+MutualTLSClientTest
+PasswordPolicyTest
+SSOTest
+SamlClientTest
+TransactionsTest
+X509BrowserLoginTest
--- a/testsuite/integration-arquillian/tests/base/testsuites/suite.sh
+++ b/testsuite/integration-arquillian/tests/base/testsuites/suite.sh
@ -0,0 +1,35 @@
+#!/bin/bash -e
+
+GROUP="$1"
+if [ "$GROUP" == "" ]; then
+  echo 'Usage: suite.sh <group>'
+  exit
+fi
+
+cd "`readlink -f "$0" | xargs dirname`"
+
+TEST_DIR="../src/test/java/"
+SUITE_FILE="$GROUP-suite"
+
+if [ ! -f "$SUITE_FILE" ]; then
+  echo "$SUITE_FILE not found"
+  exit 1
+fi
+
+SEP=""
+TESTS=""
+for i in `cat "$SUITE_FILE" | grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*#'`; do
+  # Check test exists, ignoring checking packages for now
+  if [[ "$i" != *'.'* ]]; then
+    SEARCH=`find "$TEST_DIR" -name "$i.java"`
+    if [ "$SEARCH" == "" ]; then
+      echo "$i not found in testsuite"
+      exit 1
+    fi
+  fi
+
+  TESTS="$TESTS$SEP$i"
+  SEP=","
+done
+
+echo "$TESTS"
--- a/testsuite/utils/src/main/java/org/keycloak/testsuite/TestPlatform.java
+++ b/testsuite/utils/src/main/java/org/keycloak/testsuite/TestPlatform.java
@ -41,6 +41,11 @@ public class TestPlatform implements PlatformProvider {
        );
    }

+    @Override
+    public String name() {
+        return "Undertow";
+    }
+
    @Override
    public void onStartup(Runnable startupHook) {
        startupHook.run();
--- a/themes/pom.xml
+++ b/themes/pom.xml
@ -134,7 +134,7 @@
                        </executions>
                        <configuration>
                            <nodeVersion>${node.version}</nodeVersion>
-                            <installDirectory>${project.basedir}</installDirectory>
+                            <installDirectory>../</installDirectory>
                        </configuration>
                    </plugin>
                </plugins>
@ -187,7 +187,7 @@
                        </executions>
                        <configuration>
                            <nodeVersion>${node.version}</nodeVersion>
-                            <installDirectory>${project.basedir}</installDirectory>
+                            <installDirectory>../</installDirectory>
                        </configuration>
                    </plugin>
                </plugins>