From ecdd3702f85c04e62741fa15910e25f425d5c20d Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Thu, 20 Feb 2025 03:13:41 +0100
Subject: [PATCH 01/29] Hanle token refresh error

---
 src/oidc_test/main.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/oidc_test/main.py b/src/oidc_test/main.py
index 8fe32d8..8808562 100644
--- a/src/oidc_test/main.py
+++ b/src/oidc_test/main.py
@@ -306,7 +306,13 @@ async def refresh(
         refresh_token=token["refresh_token"],
         grant_type="refresh_token",
     )
-    await update_token(provider.id, new_token)
+    try:
+        await update_token(provider.id, new_token)
+    except PyJWTError as err:
+        logger.info(f"Cannot refresh token: {err.__class__.__name__}")
+        raise HTTPException(
+            status.HTTP_510_NOT_EXTENDED, f"Token refresh error: {err.__class__.__name__}"
+        )
     return RedirectResponse(url=request.url_for("home"))
 
 

From 3f945310a4aba2b898c7647728b9840dda9796c1 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Thu, 20 Feb 2025 03:20:09 +0100
Subject: [PATCH 02/29] Cosmetic

---
 src/oidc_test/templates/home.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/oidc_test/templates/home.html b/src/oidc_test/templates/home.html
index 7d2b1db..3c1ff3c 100644
--- a/src/oidc_test/templates/home.html
+++ b/src/oidc_test/templates/home.html
@@ -70,7 +70,7 @@
     -->
     {% if resources %}
       <p>
-        This application provides all these resources, eventually protected with roles:
+        This application provides all these resources, eventually protected with scope or roles:
       </p>
       <div class="links-to-check">
         {% for name, resource in resources.items() %}

From 347c3953943a1e0b7d84d5555727fae2f1d104be Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Thu, 20 Feb 2025 21:16:43 +0100
Subject: [PATCH 03/29] Fix auth provider resources

---
 src/oidc_test/main.py             | 25 +++++++++++++------------
 src/oidc_test/resource_server.py  | 25 ++++++++++++++++++++-----
 src/oidc_test/templates/home.html | 29 +++++++++++++++++++++++------
 3 files changed, 56 insertions(+), 23 deletions(-)

diff --git a/src/oidc_test/main.py b/src/oidc_test/main.py
index 8808562..54d69c5 100644
--- a/src/oidc_test/main.py
+++ b/src/oidc_test/main.py
@@ -108,7 +108,6 @@ async def home(
         "show_token": settings.show_token,
         "user": user,
         "now": datetime.now(),
-        "auth_provider": provider,
     }
     if provider is None or token is None:
         context["providers"] = providers
@@ -117,26 +116,28 @@ async def home(
         context["access_token_parsed"] = None
         context["refresh_token_parsed"] = None
         context["resources"] = None
+        context["auth_provider"] = None
     else:
+        context["auth_provider"] = provider
         context["access_token"] = token["access_token"]
         try:
             access_token_parsed = provider.decode(token["access_token"], verify_signature=False)
+            context["access_token_parsed"] = access_token_parsed
         except PyJWTError as err:
             access_token_parsed = {"Cannot parse": err.__class__.__name__}
         try:
-            context["access_token_scope"] = access_token_parsed["scope"]
-        except KeyError:
-            context["access_token_scope"] = None
-        context["id_token_parsed"] = provider.decode(token["id_token"], verify_signature=False)
-        context["access_token_parsed"] = access_token_parsed
+            id_token_parsed = provider.decode(token["id_token"], verify_signature=False)
+            context["id_token_parsed"] = id_token_parsed
+        except PyJWTError as err:
+            id_token_parsed = {"Cannot parse": err.__class__.__name__}
+        try:
+            refresh_token_parsed = provider.decode(token["refresh_token"], verify_signature=False)
+            context["refresh_token_parsed"] = refresh_token_parsed
+        except PyJWTError as err:
+            refresh_token_parsed = {"Cannot parse": err.__class__.__name__}
+        context["access_token_scope"] = access_token_parsed.get("scope")
         context["resources"] = registry.resources
         context["resource_providers"] = provider.resource_providers
-        try:
-            context["refresh_token_parsed"] = provider.decode(
-                token["refresh_token"], verify_signature=False
-            )
-        except PyJWTError as err:
-            context["refresh_token_parsed"] = {"Cannot parse": err.__class__.__name__}
     return templates.TemplateResponse(name="home.html", request=request, context=context)
 
 
diff --git a/src/oidc_test/resource_server.py b/src/oidc_test/resource_server.py
index 604052c..ddc5762 100644
--- a/src/oidc_test/resource_server.py
+++ b/src/oidc_test/resource_server.py
@@ -1,9 +1,10 @@
 from typing import Annotated, Any
 import logging
+from json import JSONDecodeError
 
 from authlib.oauth2.rfc6749 import OAuth2Token
-from httpx import AsyncClient
-from jwt.exceptions import ExpiredSignatureError, InvalidTokenError
+from httpx import AsyncClient, HTTPError
+from jwt.exceptions import DecodeError, ExpiredSignatureError, InvalidTokenError
 from fastapi import FastAPI, HTTPException, Depends, Request, status
 from fastapi.middleware.cors import CORSMiddleware
 
@@ -84,6 +85,10 @@ async def get_resource(
                             "auth_provider": user.auth_provider_id,
                         },
                     )
+                except HTTPError as err:
+                    raise HTTPException(
+                        status.HTTP_503_SERVICE_UNAVAILABLE, err.__class__.__name__
+                    )
                 except Exception as err:
                     raise HTTPException(
                         status.HTTP_500_INTERNAL_SERVER_ERROR, err.__class__.__name__
@@ -151,7 +156,7 @@ async def get_auth_provider_resource(
 ) -> ProcessResult:
     if token is None:
         raise HTTPException(status.HTTP_401_UNAUTHORIZED, "No auth token")
-    access_token = token["access_token"]
+    access_token = token
     async with AsyncClient() as client:
         resp = await client.get(
             url=provider.get_resource_url(resource_name),
@@ -165,9 +170,19 @@ async def get_auth_provider_resource(
     # Only a demo, real application would really process the response
     resp_length = len(resp.text)
     if resp_length > 1024:
-        return ProcessResult(msg=f"The resource is too long ({resp_length} bytes) to show here")
+        return ProcessResult(
+            msg=f"The resource is too long ({resp_length} bytes) to show in this demo, here is just the begining in raw format",
+            start=resp.text[:100] + "...",
+        )
     else:
-        return ProcessResult(**resp.json())
+        try:
+            resp_json = resp.json()
+        except JSONDecodeError:
+            return ProcessResult(msg="The resource is not formatted in JSON", text=resp.text)
+        if isinstance(resp_json, dict):
+            return ProcessResult(**resp.json())
+        elif isinstance(resp_json, list):
+            return ProcessResult(**{str(i): line for i, line in enumerate(resp_json)})
 
 
 # @resource_server.get("/public")
diff --git a/src/oidc_test/templates/home.html b/src/oidc_test/templates/home.html
index 3c1ff3c..b4460ee 100644
--- a/src/oidc_test/templates/home.html
+++ b/src/oidc_test/templates/home.html
@@ -66,12 +66,8 @@
   {% endif %}
   <hr>
   <div class="content">
-    <!--
-    -->
     {% if resources %}
-      <p>
-        This application provides all these resources, eventually protected with scope or roles:
-      </p>
+      <p>This application provides all these resources, eventually protected with scope or roles:</p>
       <div class="links-to-check">
         {% for name, resource in resources.items() %}
           {% if resource.default_resource_id %}
@@ -91,8 +87,29 @@
         {% endfor %}
       </div>
     {% endif %}
+    {% if auth_provider.resources %}
+      <p>{{ auth_provider.name }} is also defined as a provider for these resources:</p>
+      <div class="links-to-check">
+        {% for resource in auth_provider.resources %}
+          {% if resource.default_resource_id %}
+            <button resource-name="{{ resource.resource_name }}"
+                    resource-id="{{ resource.default_resource_id  }}"
+                    onclick="get_resource('{{ resource.resource_name }}', '{{ access_token }}', '{{ auth_provider.id }}', '{{ resource.default_resource_id }}')"
+                    >
+              {{ resource.name }}
+            </button>
+          {% else %}
+            <button resource-name="{{ resource.name }}"
+                    onclick="get_resource('{{ resource.resource_name }}', '{{ access_token }}', '{{ auth_provider.id }}')"
+                    >
+              {{ resource.name }}
+            </button>
+          {% endif %}
+        {% endfor %}
+      </div>
+    {% endif %}
     {% if resource_providers %}
-      <p>{{ auth_provider.name }} allows this applicaiton to request resources from third party resource providers:</p>
+      <p>{{ auth_provider.name }} allows this application to request resources from third party resource providers:</p>
       {% for resource_provider in resource_providers %}
         <div class="links-to-check">
           {{ resource_provider.name }}

From 4c2b197850a1e4e16f7b4d690eeb0ecd123422c5 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Sat, 22 Feb 2025 14:02:05 +0100
Subject: [PATCH 04/29] Cosmetic

---
 src/oidc_test/auth/utils.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/oidc_test/auth/utils.py b/src/oidc_test/auth/utils.py
index 7dd0e3d..134131e 100644
--- a/src/oidc_test/auth/utils.py
+++ b/src/oidc_test/auth/utils.py
@@ -5,10 +5,8 @@ import logging
 from fastapi import HTTPException, Request, Depends, status
 from fastapi.security import OAuth2PasswordBearer
 from authlib.integrations.starlette_client import OAuth, OAuthError, StarletteOAuth2App
-from jwt import ExpiredSignatureError, InvalidKeyError, DecodeError, PyJWTError
-
-# from authlib.oauth1.auth import OAuthToken
 from authlib.oauth2.rfc6749 import OAuth2Token
+from jwt import ExpiredSignatureError, InvalidKeyError, DecodeError, PyJWTError
 
 from oidc_test.auth.provider import Provider
 from oidc_test.models import User

From f6a84fd3aaef82460c3a701ad4dc451aeb7ac73e Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Sat, 22 Feb 2025 18:57:25 +0100
Subject: [PATCH 05/29] Cosmetic

---
 src/oidc_test/auth/utils.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/oidc_test/auth/utils.py b/src/oidc_test/auth/utils.py
index 134131e..c51b039 100644
--- a/src/oidc_test/auth/utils.py
+++ b/src/oidc_test/auth/utils.py
@@ -20,7 +20,7 @@ logger = logging.getLogger("oidc-test")
 async def fetch_token(name, request):
     assert name is not None
     assert request is not None
-    logger.warn("TODO: fetch_token")
+    logger.warning("TODO: fetch_token")
     ...
     # if name in oidc_providers:
     #    model = OAuth2Token
@@ -32,7 +32,10 @@ async def fetch_token(name, request):
 
 
 async def update_token(
-    provider_id, token, refresh_token: str | None = None, access_token: str | None = None
+    provider_id,
+    token,
+    refresh_token: str | None = None,
+    access_token: str | None = None,
 ):
     """Update the token in the database"""
     provider = providers[provider_id]

From 850db9f59035645cb8530625388ae42ec69103c9 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Sun, 23 Feb 2025 16:37:47 +0100
Subject: [PATCH 06/29] Fix scope cannot be determined when the access token
 cannot be decoded

---
 src/oidc_test/main.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/oidc_test/main.py b/src/oidc_test/main.py
index 54d69c5..e5238c8 100644
--- a/src/oidc_test/main.py
+++ b/src/oidc_test/main.py
@@ -123,19 +123,20 @@ async def home(
         try:
             access_token_parsed = provider.decode(token["access_token"], verify_signature=False)
             context["access_token_parsed"] = access_token_parsed
+            context["access_token_scope"] = access_token_parsed.get("scope")
         except PyJWTError as err:
-            access_token_parsed = {"Cannot parse": err.__class__.__name__}
+            context["access_token_parsed"] = {"Cannot parse": err.__class__.__name__}
+            context["access_token_scope"] = None
         try:
             id_token_parsed = provider.decode(token["id_token"], verify_signature=False)
             context["id_token_parsed"] = id_token_parsed
         except PyJWTError as err:
-            id_token_parsed = {"Cannot parse": err.__class__.__name__}
+            context["id_token_parsed"] = {"Cannot parse": err.__class__.__name__}
         try:
             refresh_token_parsed = provider.decode(token["refresh_token"], verify_signature=False)
             context["refresh_token_parsed"] = refresh_token_parsed
         except PyJWTError as err:
-            refresh_token_parsed = {"Cannot parse": err.__class__.__name__}
-        context["access_token_scope"] = access_token_parsed.get("scope")
+            context["refresh_token_parsed"] = {"Cannot parse": err.__class__.__name__}
         context["resources"] = registry.resources
         context["resource_providers"] = provider.resource_providers
     return templates.TemplateResponse(name="home.html", request=request, context=context)

From 5f429797ff7a8656dee9dfc9cbc156dfe27f9c8f Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Sun, 23 Feb 2025 17:14:04 +0100
Subject: [PATCH 07/29] Fix auto check of auth provider resource (resource_name
 in template)

---
 src/oidc_test/templates/home.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/oidc_test/templates/home.html b/src/oidc_test/templates/home.html
index b4460ee..167616f 100644
--- a/src/oidc_test/templates/home.html
+++ b/src/oidc_test/templates/home.html
@@ -93,13 +93,13 @@
         {% for resource in auth_provider.resources %}
           {% if resource.default_resource_id %}
             <button resource-name="{{ resource.resource_name }}"
-                    resource-id="{{ resource.default_resource_id  }}"
+                    resource-id="{{ resource.default_resource_id }}"
                     onclick="get_resource('{{ resource.resource_name }}', '{{ access_token }}', '{{ auth_provider.id }}', '{{ resource.default_resource_id }}')"
                     >
               {{ resource.name }}
             </button>
           {% else %}
-            <button resource-name="{{ resource.name }}"
+            <button resource-name="{{ resource.resource_name }}"
                     onclick="get_resource('{{ resource.resource_name }}', '{{ access_token }}', '{{ auth_provider.id }}')"
                     >
               {{ resource.name }}

From 9249885c8080a9afaca61d22022cd9be2e6bd8bd Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Mon, 24 Feb 2025 03:29:23 +0100
Subject: [PATCH 08/29] Update README (config example)

---
 README.md | 60 ++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 44 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index 9e00474..68f335d 100644
--- a/README.md
+++ b/README.md
@@ -52,31 +52,59 @@ given by the OIDC providers.
 For example:
 
 ```yaml
-oidc:
-  secret_key: "ASecretNoOneKnows"
-  show_session_details: yes
+secret_key: AVeryWellKeptSecret
+debug_token: no
+show_token: yes
+log: yes
+
+auth:
   providers:
     - id: auth0
       name: Okta / Auth0
-      url: "https://<your_auth0_app_URL>"
-      client_id: "<your_auth0_client_id>"
-      client_secret: "client_secret_generated_by_auth0"
-      hint: "A hint for test credentials"
+      url: https://<your_auth0_app_URL>
+      public_key_url: https://<your_auth0_app_URL>/pem
+      client_id: <your_auth0_client_id>
+      client_secret: client_secret_generated_by_auth0
+      hint: A hint for test credentials
 
     - id: keycloak
       name: Keycloak at somewhere
-      url: "https://<the_keycloak_realm_url>"
-      account_url_template: "/account"
-      client_id: "<your_keycloak_client_id>"
-      client_secret: "client_secret_generated_by_keycloak"
-      hint: "User: foo, password: foofoo"
+      url: https://<the_keycloak_realm_url>
+      info_url: https://philo.ydns.eu/auth/realms/test
+      account_url_template: /account
+      client_id: <your_keycloak_client_id>
+      client_secret: <client_secret_generated_by_keycloak>
+      hint: A hint for test credentials
+      code_challenge_method: S256
+      resource_provider_scopes:
+        - get:time
+        - get:bs
+      resource_providers:
+        - id: <third_party_resource_provider_id>
+          name: A third party resource provider
+          base_url: https://some.example.com/
+          verify_ssl: yes
+          resources:
+            - name: Public RS2
+              resource_name: public
+              url: resource/public
+            - name: BS RS2
+              resource_name: bs
+              url: resource/bs
+            - name: Time RS2
+              resource_name: time
+              url: resource/time
 
     - id: codeberg
+      disabled: no
       name: Codeberg
-      url: "https://codeberg.org"
-      account_url_template: "/user/settings"
-      client_id: "<your_codeberg_client_id>"
-      client_secret: "client_secret_generated_by_codeberg"
+      url: https://codeberg.org
+      account_url_template: /user/settings
+      client_id: <your_codeberg_client_id>
+      client_secret: client_secret_generated_by_codeberg
+      info_url: https://codeberg.org/login/oauth/keys
+      session_key: sub
+      skip_verify_signature: no
       resources:
         - name: List of repos
           id: repos

From 395ec1c7f757ba919224c781fb76f53a0204ea34 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Mon, 24 Feb 2025 19:56:00 +0100
Subject: [PATCH 09/29] Dynamic versioning

---
 pyproject.toml | 15 +++++++++++----
 uv.lock        | 16 +++++++++++++++-
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index b1e6504..9c205e7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,7 +1,7 @@
 [project]
 name = "oidc-fastapi-test"
-version = "0.0.0"
-# dynamic = ["version"]
+#version = "0.0.0"
+dynamic = ["version"]
 description = "Add your description here"
 readme = "README.md"
 requires-python = ">=3.13"
@@ -24,12 +24,19 @@ dependencies = [
 oidc-test = "oidc_test.main:main"
 
 [dependency-groups]
-dev = ["ipdb>=0.13.13", "pytest>=8.3.4"]
+dev = [
+    "dunamai>=1.23.0",
+    "ipdb>=0.13.13",
+ "pytest>=8.3.4",
+]
 
 [build-system]
-requires = ["hatchling"]
+requires = ["hatchling", "uv-dynamic-versioning"]
 build-backend = "hatchling.build"
 
+[tool.hatch.version]
+source = "uv-dynamic-versioning"
+
 [tool.hatch.build.targets.wheel]
 packages = ["src/oidc_test"]
 
diff --git a/uv.lock b/uv.lock
index 01b64de..0566bb5 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1,4 +1,5 @@
 version = 1
+revision = 1
 requires-python = ">=3.13"
 
 [[package]]
@@ -206,6 +207,18 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/68/1b/e0a87d256e40e8c888847551b20a017a6b98139178505dc7ffb96f04e954/dnspython-2.7.0-py3-none-any.whl", hash = "sha256:b4c34b7d10b51bcc3a5071e7b8dee77939f1e878477eeecc965e9835f63c6c86", size = 313632 },
 ]
 
+[[package]]
+name = "dunamai"
+version = "1.23.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "packaging" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/06/4e/a5c8c337a1d9ac0384298ade02d322741fb5998041a5ea74d1cd2a4a1d47/dunamai-1.23.0.tar.gz", hash = "sha256:a163746de7ea5acb6dacdab3a6ad621ebc612ed1e528aaa8beedb8887fccd2c4", size = 44681 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/21/4c/963169386309fec4f96fd61210ac0a0666887d0fb0a50205395674d20b71/dunamai-1.23.0-py3-none-any.whl", hash = "sha256:a0906d876e92441793c6a423e16a4802752e723e9c9a5aabdc5535df02dbe041", size = 26342 },
+]
+
 [[package]]
 name = "ecdsa"
 version = "0.19.0"
@@ -482,7 +495,6 @@ wheels = [
 
 [[package]]
 name = "oidc-fastapi-test"
-version = "0.0.0"
 source = { editable = "." }
 dependencies = [
     { name = "authlib" },
@@ -501,6 +513,7 @@ dependencies = [
 
 [package.dev-dependencies]
 dev = [
+    { name = "dunamai" },
     { name = "ipdb" },
     { name = "pytest" },
 ]
@@ -523,6 +536,7 @@ requires-dist = [
 
 [package.metadata.requires-dev]
 dev = [
+    { name = "dunamai", specifier = ">=1.23.0" },
     { name = "ipdb", specifier = ">=0.13.13" },
     { name = "pytest", specifier = ">=8.3.4" },
 ]

From ef7c265d8e4b70d283d9d7d161165003b62ae7fa Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 00:38:43 +0100
Subject: [PATCH 10/29] Cleanup pyproject

---
 pyproject.toml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 9c205e7..f634fbe 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -24,11 +24,7 @@ dependencies = [
 oidc-test = "oidc_test.main:main"
 
 [dependency-groups]
-dev = [
-    "dunamai>=1.23.0",
-    "ipdb>=0.13.13",
- "pytest>=8.3.4",
-]
+dev = ["dunamai>=1.23.0", "ipdb>=0.13.13", "pytest>=8.3.4"]
 
 [build-system]
 requires = ["hatchling", "uv-dynamic-versioning"]
@@ -39,6 +35,12 @@ source = "uv-dynamic-versioning"
 
 [tool.hatch.build.targets.wheel]
 packages = ["src/oidc_test"]
+package = true
+
+[tool.uv-dynamic-versioning]
+metadata = true
+dirty = true
+format = semver
 
 [tool.uv]
 package = true

From 9c1f84328399104e8759a5d8c2f12d4a7f4113b7 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 00:40:33 +0100
Subject: [PATCH 11/29] Cleanup pyproject

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index f634fbe..1e23a8d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -40,7 +40,7 @@ package = true
 [tool.uv-dynamic-versioning]
 metadata = true
 dirty = true
-format = semver
+style = "semver"
 
 [tool.uv]
 package = true

From 3da485c945e221c73721f71540e0c57c12f7c22b Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 00:41:36 +0100
Subject: [PATCH 12/29] Cleanup pyproject

---
 pyproject.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 1e23a8d..8770c8d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -39,7 +39,6 @@ package = true
 
 [tool.uv-dynamic-versioning]
 metadata = true
-dirty = true
 style = "semver"
 
 [tool.uv]

From 9c462379051155cdf834dfd64309cc97da348f4c Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 01:37:17 +0100
Subject: [PATCH 13/29] Semver versioning, show version on web page

---
 pyproject.toml                    |  1 -
 src/oidc_test/__init__.py         | 11 +++++++++++
 src/oidc_test/main.py             |  2 ++
 src/oidc_test/static/styles.css   |  6 ++++++
 src/oidc_test/templates/base.html |  1 +
 5 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 8770c8d..c44e9f3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -38,7 +38,6 @@ packages = ["src/oidc_test"]
 package = true
 
 [tool.uv-dynamic-versioning]
-metadata = true
 style = "semver"
 
 [tool.uv]
diff --git a/src/oidc_test/__init__.py b/src/oidc_test/__init__.py
index e69de29..f449e2b 100644
--- a/src/oidc_test/__init__.py
+++ b/src/oidc_test/__init__.py
@@ -0,0 +1,11 @@
+import importlib.metadata
+
+try:
+    from dunamai import Version, Style
+
+    __version__ = Version.from_git().serialize(style=Style.SemVer, dirty=True)
+except ImportError:
+    # __name__ could be used if the package name is the same
+    # as the directory - not the case here
+    # __version__ = importlib.metadata.version(__name__)
+    __version__ = importlib.metadata.version("oidc-fastapi-test")
diff --git a/src/oidc_test/main.py b/src/oidc_test/main.py
index e5238c8..e882cda 100644
--- a/src/oidc_test/main.py
+++ b/src/oidc_test/main.py
@@ -29,6 +29,7 @@ from authlib.oauth2.rfc6749 import OAuth2Token
 # from fastapi.security import OpenIdConnect
 # from pkce import generate_code_verifier, generate_pkce_pair
 
+from oidc_test import __version__
 from oidc_test.registry import registry
 from oidc_test.auth.provider import NoPublicKey, Provider
 from oidc_test.auth.utils import (
@@ -108,6 +109,7 @@ async def home(
         "show_token": settings.show_token,
         "user": user,
         "now": datetime.now(),
+        "__version__": __version__,
     }
     if provider is None or token is None:
         context["providers"] = providers
diff --git a/src/oidc_test/static/styles.css b/src/oidc_test/static/styles.css
index 2baa748..1e8dc03 100644
--- a/src/oidc_test/static/styles.css
+++ b/src/oidc_test/static/styles.css
@@ -21,6 +21,12 @@ hr {
 .hidden {
   display: none;
 }
+.version {
+  position: absolute;
+  font-size: 75%;
+  top: 0.3em;
+  right: 0.3em;
+}
 .center {
   text-align: center;
 }
diff --git a/src/oidc_test/templates/base.html b/src/oidc_test/templates/base.html
index 4cb56f5..157e26f 100644
--- a/src/oidc_test/templates/base.html
+++ b/src/oidc_test/templates/base.html
@@ -5,6 +5,7 @@
     <script src="{{ url_for('static', path='/utils.js') }}"></script>
   </head>
   <body onload="checkPerms('links-to-check', '{{ access_token }}', '{{ auth_provider.id }}')">
+    <div class="version">v. {{ __version__}}</div>
     <h1>OIDC-test - FastAPI client</h1>
     {% block content %}
     {% endblock %}

From b4653947660be16fbfee161fc4c52e2f4747f0f9 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 01:42:49 +0100
Subject: [PATCH 14/29] CI: WIP

---
 .forgejo/workflows/build.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index 352a0a9..c58230e 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -27,6 +27,15 @@ jobs:
       - name: Run tests (API call)
         run: .venv/bin/pytest -s tests/basic.py
 
+      - name: Get version
+        uses: mtkennerly/dunamai-action@v1
+        with:
+          env-var: VERSION
+          args: --style semver
+
+      - name: Version
+        run: echo $VERSION
+
       - name: Get version with git describe
         id: version
         run: |

From f4b38e1c69d3a1f288ddba1b62ae84ae4184d362 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 02:20:35 +0100
Subject: [PATCH 15/29] CI: use dunamai for version

---
 .forgejo/workflows/build.yaml | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index c58230e..9f21750 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -30,32 +30,29 @@ jobs:
       - name: Get version
         uses: mtkennerly/dunamai-action@v1
         with:
-          env-var: VERSION
           args: --style semver
+          env-var: VERSION
 
       - name: Version
         run: echo $VERSION
 
-      - name: Get version with git describe
-        id: version
-        run: |
-          echo "version=$(git describe)" >> $GITHUB_OUTPUT
-          echo "$VERSION"
+      - name: Get distance from tag
+        uses: mtkennerly/dunamai-action@v1
+        with:
+          args: --format "{distance}"
+          env-var: DISTANCE
 
-      - name: Check if the container should be built
+      - name: Distance
+        run: echo $DISTANCE
+
+      - name: Check if the container should be built (distance from git tag is 0, or force build)
         id: builder
         env:
-          RUN: ${{ toJSON(inputs.build || !contains(steps.version.outputs.version, '-')) }}
+          RUN: ${{ toJSON(inputs.build || env.DISTANCE == "0" }}
         run: |
           echo "run=$RUN" >> $GITHUB_OUTPUT
           echo "Run build: $RUN"
 
-      - name: Set the version in pyproject.toml (workaround for uv not supporting dynamic version)
-        if: fromJSON(steps.builder.outputs.run)
-        env:
-          VERSION: ${{ steps.version.outputs.version }}
-        run: sed "s/0.0.0/$VERSION/" -i pyproject.toml
-
       - name: Workaround for bug of podman-login
         if: fromJSON(steps.builder.outputs.run)
         run: |

From 6f060dc2bfd726eec57607ef7ca911de22aa4177 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 02:26:37 +0100
Subject: [PATCH 16/29] CI: bump uv

---
 .forgejo/workflows/build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index 9f21750..18a89ee 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -19,7 +19,7 @@ jobs:
       - name: Install the latest version of uv
         uses: astral-sh/setup-uv@v4
         with:
-          version: "0.5.16"
+          version: "0.6.3"
 
       - name: Install
         run: uv sync

From 22d0a9852c3c97ffeac9a6cdbff5e4f31ee6e6a0 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 03:04:14 +0100
Subject: [PATCH 17/29] CI: not use dunamai github action as it uses plain pip,
 not uv pip

---
 .forgejo/workflows/build.yaml | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index 18a89ee..8284c15 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -28,19 +28,13 @@ jobs:
         run: .venv/bin/pytest -s tests/basic.py
 
       - name: Get version
-        uses: mtkennerly/dunamai-action@v1
-        with:
-          args: --style semver
-          env-var: VERSION
+        run: echo "VERSION=$(.venv/bin/dunamai --style semver)" >> $GITHUB_ENV
 
       - name: Version
         run: echo $VERSION
 
       - name: Get distance from tag
-        uses: mtkennerly/dunamai-action@v1
-        with:
-          args: --format "{distance}"
-          env-var: DISTANCE
+        run: echo "DISTANCE=$(.venv/bin/dunamai --format '{distance}')" >> $GITHUB_ENV
 
       - name: Distance
         run: echo $DISTANCE

From 9f7b0902739534127c9e5890b40c9be7e42dfac7 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 03:12:46 +0100
Subject: [PATCH 18/29] CI: WIP

---
 .forgejo/workflows/build.yaml | 6 +++---
 .forgejo/workflows/test.yaml  | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index 8284c15..645d5d2 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -28,13 +28,13 @@ jobs:
         run: .venv/bin/pytest -s tests/basic.py
 
       - name: Get version
-        run: echo "VERSION=$(.venv/bin/dunamai --style semver)" >> $GITHUB_ENV
+        run: echo "VERSION=$(.venv/bin/dunamai from any --style semver)" >> $GITHUB_ENV
 
       - name: Version
         run: echo $VERSION
 
       - name: Get distance from tag
-        run: echo "DISTANCE=$(.venv/bin/dunamai --format '{distance}')" >> $GITHUB_ENV
+        run: echo "DISTANCE=$(.venv/bin/dunamai from any --format '{distance}')" >> $GITHUB_ENV
 
       - name: Distance
         run: echo $DISTANCE
@@ -42,7 +42,7 @@ jobs:
       - name: Check if the container should be built (distance from git tag is 0, or force build)
         id: builder
         env:
-          RUN: ${{ toJSON(inputs.build || env.DISTANCE == "0" }}
+          RUN: ${{ toJSON(inputs.build || env.DISTANCE == "0") }}
         run: |
           echo "run=$RUN" >> $GITHUB_OUTPUT
           echo "Run build: $RUN"
diff --git a/.forgejo/workflows/test.yaml b/.forgejo/workflows/test.yaml
index a56a9ce..f4d994e 100644
--- a/.forgejo/workflows/test.yaml
+++ b/.forgejo/workflows/test.yaml
@@ -19,7 +19,7 @@ jobs:
       - name: Install the latest version of uv
         uses: astral-sh/setup-uv@v4
         with:
-          version: "0.5.16"
+          version: "0.6.3"
 
       - name: Install
         run: uv sync

From 821df027587eaee24b3db792033266564f66c62c Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 04:28:04 +0100
Subject: [PATCH 19/29] CI: WIP

---
 .forgejo/workflows/build.yaml | 32 +++++++++++---------------------
 1 file changed, 11 insertions(+), 21 deletions(-)

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index 645d5d2..cf079d9 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -28,33 +28,23 @@ jobs:
         run: .venv/bin/pytest -s tests/basic.py
 
       - name: Get version
-        run: echo "VERSION=$(.venv/bin/dunamai from any --style semver)" >> $GITHUB_ENV
-
-      - name: Version
-        run: echo $VERSION
+        run: |
+          echo "VERSION=$(.venv/bin/dunamai from any --style semver)" >> $GITHUB_ENV
+          echo $VERSION
 
       - name: Get distance from tag
-        run: echo "DISTANCE=$(.venv/bin/dunamai from any --format '{distance}')" >> $GITHUB_ENV
-
-      - name: Distance
-        run: echo $DISTANCE
-
-      - name: Check if the container should be built (distance from git tag is 0, or force build)
-        id: builder
-        env:
-          RUN: ${{ toJSON(inputs.build || env.DISTANCE == "0") }}
         run: |
-          echo "run=$RUN" >> $GITHUB_OUTPUT
-          echo "Run build: $RUN"
+          echo "DISTANCE=$(.venv/bin/dunamai from any --format '{distance}')" >> $GITHUB_ENV
+          echo $DISTANCE
 
       - name: Workaround for bug of podman-login
-        if: fromJSON(steps.builder.outputs.run)
+        if: env.DISTANCE == '0'
         run: |
           mkdir -p $HOME/.docker
           echo "{ \"auths\": {} }" > $HOME/.docker/config.json
 
       - name: Log in to the container registry (with another workaround)
-        if: fromJSON(steps.builder.outputs.run)
+        if: env.DISTANCE == '0'
         uses: actions/podman-login@v1
         with:
           registry: ${{ vars.REGISTRY }}
@@ -63,7 +53,7 @@ jobs:
           auth_file_path: /tmp/auth.json
 
       - name: Build the container image
-        if: fromJSON(steps.builder.outputs.run)
+        if: env.DISTANCE == '0'
         uses: actions/buildah-build@v1
         with:
           image: oidc-fastapi-test
@@ -74,7 +64,7 @@ jobs:
             ./Containerfile
 
       - name: Push the image to the registry
-        if: fromJSON(steps.builder.outputs.run)
+        if: env.DISTANCE == '0'
         uses: actions/push-to-registry@v2
         with:
           registry: "docker://${{ vars.REGISTRY }}/${{ vars.ORGANISATION }}"
@@ -82,11 +72,11 @@ jobs:
           tags: latest ${{ steps.version.outputs.version }}
 
       - name: Build wheel
-        if: fromJSON(steps.builder.outputs.run)
+        if: env.DISTANCE == '0'
         run: uv build --wheel
 
       - name: Publish Python package (home)
-        if: fromJSON(steps.builder.outputs.run)
+        if: env.DISTANCE == '0'
         env:
           LOCAL_PYPI_TOKEN: ${{ secrets.LOCAL_PYPI_TOKEN }}
         run: uv publish --publish-url https://code.philo.ydns.eu/api/packages/philorg/pypi --token $LOCAL_PYPI_TOKEN

From c5b1bdeda92d885749c38360a81572f2ef147087 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 04:31:31 +0100
Subject: [PATCH 20/29] CI: WIP

---
 .forgejo/workflows/build.yaml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index cf079d9..06c8be1 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -28,14 +28,16 @@ jobs:
         run: .venv/bin/pytest -s tests/basic.py
 
       - name: Get version
-        run: |
-          echo "VERSION=$(.venv/bin/dunamai from any --style semver)" >> $GITHUB_ENV
-          echo $VERSION
+        run: echo "VERSION=$(.venv/bin/dunamai from any --style semver)" >> $GITHUB_ENV
+
+      - name: Version
+        run: echo $VERSION
 
       - name: Get distance from tag
-        run: |
-          echo "DISTANCE=$(.venv/bin/dunamai from any --format '{distance}')" >> $GITHUB_ENV
-          echo $DISTANCE
+        run: echo "DISTANCE=$(.venv/bin/dunamai from any --format '{distance}')" >> $GITHUB_ENV
+
+      - name: Distance
+        run: echo $DISTANCE
 
       - name: Workaround for bug of podman-login
         if: env.DISTANCE == '0'

From c3ebad42d575b91d221f13a3b93d9cbbbcd80af8 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 04:34:19 +0100
Subject: [PATCH 21/29] CI: WIP

---
 .forgejo/workflows/build.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index 06c8be1..e617190 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -61,7 +61,7 @@ jobs:
           image: oidc-fastapi-test
           oci: true
           labels: oidc-fastapi-test
-          tags: latest ${{ steps.version.outputs.version }}
+          tags: latest env.VERSION
           containerfiles: |
             ./Containerfile
 
@@ -71,7 +71,7 @@ jobs:
         with:
           registry: "docker://${{ vars.REGISTRY }}/${{ vars.ORGANISATION }}"
           image: oidc-fastapi-test
-          tags: latest ${{ steps.version.outputs.version }}
+          tags: latest env.VERSION
 
       - name: Build wheel
         if: env.DISTANCE == '0'

From 4355e6dc423b0db8ac5ca4746287dc20fd8c8d39 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 12:30:23 +0100
Subject: [PATCH 22/29] CI: WIP

---
 Containerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Containerfile b/Containerfile
index 2e3fd28..0ec45d1 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/python:alpine
+FROM docker.io/library/python:latest
 
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/
 

From b01f2332086a08b4ad7c619d8fcb1a67e9a8e99c Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 25 Feb 2025 18:34:52 +0100
Subject: [PATCH 23/29] Add log messages for debugging connection to auth
 server

---
 src/oidc_test/auth/provider.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/oidc_test/auth/provider.py b/src/oidc_test/auth/provider.py
index c614805..ce288a6 100644
--- a/src/oidc_test/auth/provider.py
+++ b/src/oidc_test/auth/provider.py
@@ -61,28 +61,34 @@ class Provider(AuthProviderSettings):
             if self.info_url is not None:
                 try:
                     provider_info = await client.get(self.info_url)
-                except Exception:
+                except Exception as err:
+                    logger.debug("Provider_info: cannot connect")
+                    logger.exception(err)
                     raise NoPublicKey
                 try:
                     self.info = provider_info.json()
                 except JSONDecodeError:
+                    logger.debug("Provider_info: cannot decode json response")
                     raise NoPublicKey
                 if "public_key" in self.info:
                     # For Keycloak
                     try:
                         public_key = str(self.info["public_key"])
                     except KeyError:
+                        logger.debug("Provider_info: cannot get public_key")
                         raise NoPublicKey
                 elif "keys" in self.info:
                     # For Forgejo/Gitea
                     try:
                         public_key = str(self.info["keys"][0]["n"])
                     except KeyError:
+                        logger.debug("Provider_info: cannot get key 0.n")
                         raise NoPublicKey
             if self.public_key_url is not None:
                 resp = await client.get(self.public_key_url)
                 public_key = resp.text
             if public_key is None:
+                logger.debug("Provider_info: cannot determine public key")
                 raise NoPublicKey
             self.public_key = "\n".join(
                 ["-----BEGIN PUBLIC KEY-----", public_key, "-----END PUBLIC KEY-----"]

From 8b3a339196d92aa36dd17480af0586783bf1121e Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Sat, 22 Mar 2025 01:01:32 +0100
Subject: [PATCH 24/29] CI: fix container tag

---
 .forgejo/workflows/build.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index e617190..379aaa8 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -19,7 +19,7 @@ jobs:
       - name: Install the latest version of uv
         uses: astral-sh/setup-uv@v4
         with:
-          version: "0.6.3"
+          version: "0.6.9"
 
       - name: Install
         run: uv sync
@@ -61,7 +61,7 @@ jobs:
           image: oidc-fastapi-test
           oci: true
           labels: oidc-fastapi-test
-          tags: latest env.VERSION
+          tags: "latest ${{ env.VERSION }}"
           containerfiles: |
             ./Containerfile
 
@@ -71,7 +71,7 @@ jobs:
         with:
           registry: "docker://${{ vars.REGISTRY }}/${{ vars.ORGANISATION }}"
           image: oidc-fastapi-test
-          tags: latest env.VERSION
+          tags: "latest ${{ env.VERSION }}"
 
       - name: Build wheel
         if: env.DISTANCE == '0'

From 0e6ff98f03a83cea53606607ba3240ddbc413ec0 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Tue, 27 May 2025 16:44:13 +0200
Subject: [PATCH 25/29] CI: use slim base image

---
 Containerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Containerfile b/Containerfile
index 0ec45d1..357cc84 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,6 +1,7 @@
-FROM docker.io/library/python:latest
+FROM docker.io/library/python:3.13-slim
 
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/
+COPY --from=docker.io/python:3.13 /usr/bin/git /usr/local/bin/git
 
 COPY . /app
 

From 1b6d754855d2f539e822e24e5eff10e385bfd7ea Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Fri, 27 Jun 2025 17:11:35 +0200
Subject: [PATCH 26/29] CI: switch to woodpecker

---
 .forgejo/workflows/build.yaml | 85 -----------------------------------
 .forgejo/workflows/test.yaml  | 28 ------------
 .woodpecker/build.yaml        | 66 +++++++++++++++++++++++++++
 .woodpecker/test.yaml         | 21 +++++++++
 src/oidc_test/__init__.py     |  2 +-
 5 files changed, 88 insertions(+), 114 deletions(-)
 delete mode 100644 .forgejo/workflows/build.yaml
 delete mode 100644 .forgejo/workflows/test.yaml
 create mode 100644 .woodpecker/build.yaml
 create mode 100644 .woodpecker/test.yaml

diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
deleted file mode 100644
index 379aaa8..0000000
--- a/.forgejo/workflows/build.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
-on:
-  push:
-  workflow_dispatch:
-    inputs:
-      verbose:
-        description: "Verbose"
-        required: false
-        default: false
-        type: boolean
-
-jobs:
-  build:
-    runs-on: container
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v4
-        with:
-          version: "0.6.9"
-
-      - name: Install
-        run: uv sync
-
-      - name: Run tests (API call)
-        run: .venv/bin/pytest -s tests/basic.py
-
-      - name: Get version
-        run: echo "VERSION=$(.venv/bin/dunamai from any --style semver)" >> $GITHUB_ENV
-
-      - name: Version
-        run: echo $VERSION
-
-      - name: Get distance from tag
-        run: echo "DISTANCE=$(.venv/bin/dunamai from any --format '{distance}')" >> $GITHUB_ENV
-
-      - name: Distance
-        run: echo $DISTANCE
-
-      - name: Workaround for bug of podman-login
-        if: env.DISTANCE == '0'
-        run: |
-          mkdir -p $HOME/.docker
-          echo "{ \"auths\": {} }" > $HOME/.docker/config.json
-
-      - name: Log in to the container registry (with another workaround)
-        if: env.DISTANCE == '0'
-        uses: actions/podman-login@v1
-        with:
-          registry: ${{ vars.REGISTRY }}
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-          auth_file_path: /tmp/auth.json
-
-      - name: Build the container image
-        if: env.DISTANCE == '0'
-        uses: actions/buildah-build@v1
-        with:
-          image: oidc-fastapi-test
-          oci: true
-          labels: oidc-fastapi-test
-          tags: "latest ${{ env.VERSION }}"
-          containerfiles: |
-            ./Containerfile
-
-      - name: Push the image to the registry
-        if: env.DISTANCE == '0'
-        uses: actions/push-to-registry@v2
-        with:
-          registry: "docker://${{ vars.REGISTRY }}/${{ vars.ORGANISATION }}"
-          image: oidc-fastapi-test
-          tags: "latest ${{ env.VERSION }}"
-
-      - name: Build wheel
-        if: env.DISTANCE == '0'
-        run: uv build --wheel
-
-      - name: Publish Python package (home)
-        if: env.DISTANCE == '0'
-        env:
-          LOCAL_PYPI_TOKEN: ${{ secrets.LOCAL_PYPI_TOKEN }}
-        run: uv publish --publish-url https://code.philo.ydns.eu/api/packages/philorg/pypi --token $LOCAL_PYPI_TOKEN
-        continue-on-error: true
diff --git a/.forgejo/workflows/test.yaml b/.forgejo/workflows/test.yaml
deleted file mode 100644
index f4d994e..0000000
--- a/.forgejo/workflows/test.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-on:
-  push:
-  workflow_dispatch:
-    inputs:
-      verbose:
-        description: "Verbose"
-        required: false
-        default: false
-        type: boolean
-
-jobs:
-  test:
-    runs-on: container
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v4
-        with:
-          version: "0.6.3"
-
-      - name: Install
-        run: uv sync
-
-      - name: Run tests (API call)
-        run: .venv/bin/pytest -s tests/basic.py
diff --git a/.woodpecker/build.yaml b/.woodpecker/build.yaml
new file mode 100644
index 0000000..6cdc17d
--- /dev/null
+++ b/.woodpecker/build.yaml
@@ -0,0 +1,66 @@
+when:
+  - event: manual
+  - event: tag
+
+depends_on:
+  - test
+
+steps:
+  python_sync:
+    image: code.philo.ydns.eu/philorg/uv
+    volumes:
+      - uv-cache:/uv-cache
+    environment:
+      UV_CACHE_DIR: /uv-cache
+      UV_LINK_MODE: copy
+    commands:
+      - uv sync
+
+  python_build:
+    image: code.philo.ydns.eu/philorg/uv
+    volumes:
+      - uv-cache:/uv-cache
+    environment:
+      UV_CACHE_DIR: /uv-cache
+      UV_LINK_MODE: copy
+    commands:
+      - uv build --wheel
+      - uv cache prune --ci
+
+  python_publish:
+    image: code.philo.ydns.eu/philorg/uv
+    environment:
+      OWNER: philorg
+      REGISTRY_URL: https://code.philo.ydns.eu
+      REGISTRY_TOKEN:
+        from_secret: registry_token
+    commands:
+      - uv publish --publish-url $REGISTRY_URL/api/packages/$OWNER/pypi --token $REGISTRY_TOKEN dist/*.whl
+    failure: ignore
+
+  container_build_publish:
+    image: quay.io/podman/stable:latest
+    # Caution: This image is built daily. It might fill up your image store quickly.
+    #pull: true
+    volumes:
+      - containers:/var/lib/containers
+      - uv:/root/.cache/uv
+    # Fill in the trusted checkbox in Woodpecker's settings as well
+    privileged: true
+    environment:
+      registry: code.philo.ydns.eu
+      org: philorg
+      container_name: oidc-fastapi-test
+      registry_token:
+        from_secret: registry_token
+    commands:
+      # Login at the registry
+      - podman login -u __token__ --password $registry_token $registry
+      # Build the container image
+      - podman build --volume=/var/lib/containers:/var/lib/containers --tag $registry/$org/$container_name:latest --tag $registry/$org/$container_name:$CI_COMMIT_TAG .
+      # Push the image
+      - podman push $registry/$org/$container_name:latest
+      - podman push $registry/$org/$container_name:$CI_COMMIT_TAG
+      - podman build --volume=/var/lib/containers:/var/lib/containers --tag $registry/$org/$container_name:latest-full --tag $registry/$org/$container_name:$CI_COMMIT_TAG-full -f Containerfile.with_plugins
+      - podman push $registry/$org/$container_name:latest-full
+      - podman push $registry/$org/$container_name:$CI_COMMIT_TAG-full
diff --git a/.woodpecker/test.yaml b/.woodpecker/test.yaml
new file mode 100644
index 0000000..a02e51d
--- /dev/null
+++ b/.woodpecker/test.yaml
@@ -0,0 +1,21 @@
+when:
+  - event: push
+    branch: main
+  - event: manual
+  - event: tag
+
+steps:
+  sync:
+    image: code.philo.ydns.eu/philorg/uv
+    volumes:
+      - uv-cache:/uv-cache
+    environment:
+      UV_CACHE_DIR: /uv-cache
+      UV_LINK_MODE: copy
+    commands:
+      - uv sync
+
+  test:
+    image: pyton:alpine
+    commands:
+      - .venv/bin/pytest -s tests/basic.py
diff --git a/src/oidc_test/__init__.py b/src/oidc_test/__init__.py
index f449e2b..f154022 100644
--- a/src/oidc_test/__init__.py
+++ b/src/oidc_test/__init__.py
@@ -4,7 +4,7 @@ try:
     from dunamai import Version, Style
 
     __version__ = Version.from_git().serialize(style=Style.SemVer, dirty=True)
-except ImportError:
+except (ImportError, RuntimeError):
     # __name__ could be used if the package name is the same
     # as the directory - not the case here
     # __version__ = importlib.metadata.version(__name__)

From 1dec3988d5a83294d4f7d77942d603d6aedf0154 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Fri, 27 Jun 2025 17:15:16 +0200
Subject: [PATCH 27/29] CI: fix test

---
 .woodpecker/test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.woodpecker/test.yaml b/.woodpecker/test.yaml
index a02e51d..d8816b2 100644
--- a/.woodpecker/test.yaml
+++ b/.woodpecker/test.yaml
@@ -16,6 +16,6 @@ steps:
       - uv sync
 
   test:
-    image: pyton:alpine
+    image: code.philo.ydns.eu/philorg/uv
     commands:
       - .venv/bin/pytest -s tests/basic.py

From b14e6a0be5eadfe49a71ff12233f892f23fa7d44 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Fri, 27 Jun 2025 17:21:43 +0200
Subject: [PATCH 28/29] CI: fix build

---
 .woodpecker/build.yaml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.woodpecker/build.yaml b/.woodpecker/build.yaml
index 6cdc17d..3af8132 100644
--- a/.woodpecker/build.yaml
+++ b/.woodpecker/build.yaml
@@ -61,6 +61,3 @@ steps:
       # Push the image
       - podman push $registry/$org/$container_name:latest
       - podman push $registry/$org/$container_name:$CI_COMMIT_TAG
-      - podman build --volume=/var/lib/containers:/var/lib/containers --tag $registry/$org/$container_name:latest-full --tag $registry/$org/$container_name:$CI_COMMIT_TAG-full -f Containerfile.with_plugins
-      - podman push $registry/$org/$container_name:latest-full
-      - podman push $registry/$org/$container_name:$CI_COMMIT_TAG-full

From e1e755fde5075b714a1df6b967a5c32cc966e752 Mon Sep 17 00:00:00 2001
From: phil <phil.dev@philome.mooo.com>
Date: Fri, 27 Jun 2025 17:23:28 +0200
Subject: [PATCH 29/29] Update README

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 68f335d..c7f8741 100644
--- a/README.md
+++ b/README.md
@@ -127,3 +127,5 @@ with the setting file in the current working directory:
 ```sh
 podman run -p 8000:80 --env OIDC_TEST_CONFIG_FILE=/app/settings.yaml --mount type=bind,source=settings.yaml,destination=/app/settings.yaml code.philo.ydns.eu/philorg/oidc-fastapi-test:latest
 ```
+
+[![status-badge](https://code.philo.ydns.eu/woodpecker/api/badges/22/status.svg)](https://code.philo.ydns.eu/woodpecker/repos/22)