RaspberryPiFoundation
diff --git a/‎.github/workflows/build_publish.yml‎
Lines changed: 63 additions & 0 deletions b/‎.github/workflows/build_publish.yml‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎.github/workflows/changelog.yml‎
Lines changed: 29 additions & 0 deletions b/‎.github/workflows/changelog.yml‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 11 additions & 6 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎.github/workflows/code_quality.yml‎
Lines changed: 20 additions & 0 deletions b/‎.github/workflows/code_quality.yml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 2 deletions b/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎.rubocop_todo.yml‎
Lines changed: 6 additions & 14 deletions b/‎.rubocop_todo.yml‎
Lines changed: 6 additions & 14 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 38 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 38 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 4 additions & 0 deletions b/‎README.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎app/controllers/rpi_auth/auth_controller.rb‎
Lines changed: 12 additions & 0 deletions b/‎app/controllers/rpi_auth/auth_controller.rb‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎gemfiles/rails_6.1.gemfile.lock‎
Lines changed: 15 additions & 14 deletions b/‎gemfiles/rails_6.1.gemfile.lock‎
Lines changed: 15 additions & 14 deletions
@@ -0,0 +1,63 @@
+name: Build and publish
+
+on:
+  workflow_call: {}
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_6.1.gemfile
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true
+
+    - name: Build gem
+      run: bundle exec rake build
+
+    - name: Archive coverage
+      if: success()
+      uses: actions/upload-artifact@v4
+      with:
+        name: gem-pkg
+        path: pkg/*.gem
+
+  publish:
+    name: Publish
+    needs: build
+    if: github.ref_type == 'tag'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: '3.2'
+
+    - uses: actions/download-artifact@v4
+      with:
+        name: gem-pkg
+        path: pkg/
+
+    - name: Publish to GPR
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:github: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} pkg/*.gem
+      env:
+        GEM_HOST_API_KEY: "Bearer ${{secrets.GITHUB_TOKEN}}"
+        OWNER: ${{ github.repository_owner }}
+
@@ -0,0 +1,29 @@
+name: Changelog
+
+on:
+  pull_request:
+    branches:
+      - '**'
+
+jobs:
+  changelog-updated:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 1
+    - name: Check if changelog updated
+      id: changed-files-specific
+      uses: tj-actions/changed-files@v44
+      with:
+        base_sha: ${{ github.event.pull_request.base.sha }}
+        files: |
+          CHANGELOG.md
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+
+    - name: Fail job if changelog not updated
+      if: steps.changed-files-specific.outputs.any_changed == 'false'
+      run: |
+        exit 1
+
@@ -2,14 +2,19 @@ name: CI
 
 on:
   push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
+    branches:
+      - '**'
+    tags:
+      - '**'
 
 jobs:
   test:
     if: github.ref_type == 'branch' && github.ref_name != 'main'
     uses: ./.github/workflows/test.yml
-  # code_quality:
-  #   if: github.ref_type == 'branch' && github.ref_name != 'main'
-  #   uses: ./.github/workflows/code_quality.yml
+
+  code_quality:
+    if: github.ref_type == 'branch' && github.ref_name != 'main'
+    uses: ./.github/workflows/code_quality.yml
+
+  build_publish:
+    uses: ./.github/workflows/build_publish.yml
@@ -0,0 +1,20 @@
+name: 'Code quality'
+on:
+  workflow_call: {}
+
+jobs:
+  rubocop:
+    name: Rubocop
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_7.2.gemfile
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+
+      - name: Inspecting with Rubocop
+        run: bundle exec rubocop
+
@@ -24,8 +24,7 @@ jobs:
     env:
       BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/${{ matrix.gemfile }}.gemfile
     steps:
-    - uses: actions/checkout@v3
-
+    - uses: actions/checkout@v4
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
 
@@ -1,20 +1,20 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2024-07-02 19:48:59 UTC using RuboCop version 1.64.1.
+# on 2025-06-04 10:53:17 UTC using RuboCop version 1.75.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 11
+# Offense count: 12
 # Configuration parameters: EnforcedStyle, AllowedGems, Include.
 # SupportedStyles: Gemfile, gems.rb, gemspec
 # Include: **/*.gemspec, **/Gemfile, **/gems.rb
 Gemspec/DevelopmentDependencies:
   Exclude:
-    - "rpi_auth.gemspec"
+    - 'rpi_auth.gemspec'
 
-# Offense count: 1
+# Offense count: 2
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
   Max: 23
@@ -28,20 +28,12 @@ RSpec/ExampleLength:
 RSpec/MultipleExpectations:
   Max: 4
 
-# Offense count: 8
+# Offense count: 9
 # Configuration parameters: AllowSubject.
 RSpec/MultipleMemoizedHelpers:
   Max: 6
 
-# Offense count: 10
+# Offense count: 13
 # Configuration parameters: AllowedGroups.
 RSpec/NestedGroups:
   Max: 5
-
-# Offense count: 1
-# Configuration parameters: Include, CustomTransform, IgnoreMethods, IgnoreMetadata.
-# Include: **/*_spec.rb
-RSpec/SpecFilePathFormat:
-  Exclude:
-    - "spec/rpi_auth/models/authenticatable_spec.rb"
-    - "spec/rpi_auth/models/with_tokens_spec.rb"
@@ -10,9 +10,42 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 ### Fixed
+- Reinstated static code analysis checks in CI (#73)
 
 ### Removed
 
+## [v4.3.0]
+
+### Added
+
+- Add optional `on_login_success` callback (#90)
+
+### Fixed
+
+- Return boolean from `AccountTypes#student_account?` (#91)
+
+### Removed
+
+## [v4.2.1]
+
+### Fixed
+
+- Refresh access tokens before expiry (#89)
+
+## [v4.2.0]
+
+### Added
+
+- Allow OmniAuth setup phase to be configured (#76)
+- Add `RpiAuth::Models::Roles#parsed_roles` (extracted from experience-cs) (#87)
+- Add `RpiAuth::Models::AccountTypes#student_account?` (extracted from experience-cs) (#87)
+
+## [v4.1.1]
+
+### Fixed
+
+- Fix requiring of oauth2 to avoid `NoMethodError: undefined method 'config' for module OAuth2` (#86)
+
 ## [v4.1.0]
 
 ### Added
@@ -140,7 +173,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - rails model concern to allow host app to add auth behaviour to a model
 - callback, logout and failure routes to handle auth
 
-[Unreleased]: https://github.com/RaspberryPiFoundation/rpi-auth/compare/v4.1.0...HEAD
+[Unreleased]: https://github.com/RaspberryPiFoundation/rpi-auth/compare/v4.3.0...HEAD
+[v4.3.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.3.0
+[v4.2.1]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.2.1
+[v4.2.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.2.0
+[v4.1.1]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.1.1
 [v4.1.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.1.0
 [v4.0.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.0.0
 [v3.6.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v3.6.0
 
@@ -170,6 +170,10 @@ link_to 'Log out', rpi_auth_logout_path, params: { returnTo: '/thanks-dude' }
 
 This has to be a relative URL, i.e. it has to start with a slash.  This is to ensure there's no open redirect.
 
+### Callback on successful login
+
+If the RpiAuth configuration option `on_login_success` is set to a `Proc`, this will be called in the context of the `RpiAuth::AuthController#callback` action, i.e. `current_user` will be available. This is intended to allow apps to record successful logins.
+
 ### Globbed/catch-all routes
 
 If your app has a catch-all route at the end of the routing table, you must
 
@@ -27,6 +27,8 @@ def callback
       auth = request.env['omniauth.auth']
       self.current_user = RpiAuth.user_model.from_omniauth(auth)
 
+      run_login_success_callback
+
       redirect_to ensure_relative_url(login_redirect_path)
     end
 
@@ -53,6 +55,16 @@ def failure
 
     private
 
+    def run_login_success_callback
+      return unless RpiAuth.configuration.on_login_success.is_a?(Proc)
+
+      begin
+        instance_exec(&RpiAuth.configuration.on_login_success)
+      rescue StandardError => e
+        Rails.logger.warn("Caught #{e} while processing on_login_success proc.")
+      end
+    end
+
     def login_redirect_path
       unless RpiAuth.configuration.success_redirect.is_a?(Proc)
         return RpiAuth.configuration.success_redirect || request.env['omniauth.origin']
 
@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.1.0)
+    rpi_auth (4.3.0)
       oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)
@@ -100,13 +100,13 @@ GEM
     email_validator (2.2.4)
       activemodel
     erubi (1.13.1)
-    faraday (2.13.0)
+    faraday (2.13.4)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
     faraday-follow_redirects (0.3.0)
       faraday (>= 1, < 3)
-    faraday-net_http (3.4.0)
+    faraday-net_http (3.4.1)
       net-http (>= 0.5.0)
     ffi (1.17.1)
     globalid (1.2.1)
@@ -116,14 +116,14 @@ GEM
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     json (2.10.2)
-    json-jwt (1.16.7)
+    json-jwt (1.17.0)
       activesupport (>= 4.2)
       aes_key_wrap
       base64
       bindata
       faraday (~> 2.0)
       faraday-follow_redirects
-    jwt (2.10.1)
+    jwt (3.1.2)
       base64
     language_server-protocol (3.17.0.4)
     lint_roller (1.1.0)
@@ -162,13 +162,14 @@ GEM
     nokogiri (1.18.7)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    oauth2 (2.0.9)
-      faraday (>= 0.17.3, < 3.0)
-      jwt (>= 1.0, < 3.0)
+    oauth2 (2.0.12)
+      faraday (>= 0.17.3, < 4.0)
+      jwt (>= 1.0, < 4.0)
+      logger (~> 1.2)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 4)
-      snaky_hash (~> 2.0)
-      version_gem (~> 1.1)
+      snaky_hash (~> 2.0, >= 2.0.3)
+      version_gem (>= 1.1.8, < 3)
     omniauth (2.1.3)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
@@ -308,9 +309,9 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.13.1)
     simplecov_json_formatter (0.1.4)
-    snaky_hash (2.0.1)
-      hashie
-      version_gem (~> 1.1, >= 1.1.1)
+    snaky_hash (2.0.3)
+      hashie (>= 0.1.0, < 6)
+      version_gem (>= 1.1.8, < 3)
     sprockets (4.2.1)
       concurrent-ruby (~> 1.0)
       rack (>= 2.2.4, < 4)
@@ -334,7 +335,7 @@ GEM
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
-    version_gem (1.1.7)
+    version_gem (1.1.8)
     webfinger (2.1.3)
       activesupport
       faraday (~> 2.0)