diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml
new file mode 100644
index 000000000..7632f4065
--- /dev/null
+++ b/.github/actions/az-sync/action.yml
@@ -0,0 +1,50 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+ az_client_id:
+ description: 'Azure Client ID'
+ required: true
+ az_tenant_id:
+ description: 'Azure Tenant ID'
+ required: true
+ az_subscription_id:
+ description: 'Azure Subscription ID'
+ required: true
+ keyvault:
+ description: 'Azure Key Vault name'
+ required: true
+ secrets-filter:
+ description: 'Filter for secrets to sync (comma-separated patterns)'
+ required: true
+ default: '*'
+runs:
+ using: "composite"
+ steps:
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ inputs.az_client_id }}
+ tenant-id: ${{ inputs.az_tenant_id }}
+ subscription-id: ${{ inputs.az_subscription_id }}
+
+ - name: Sync
+ shell: bash
+ run: |
+ old_IFS=$IFS
+ IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+ for pattern in "${array[@]}"; do
+ echo "Processing pattern: $pattern"
+ for secret_name in $(az keyvault secret list --vault-name ${{ inputs.keyvault }} --query "[?contains(name, '$pattern')].name" -o tsv); do
+ echo "Sync secret: env.$secret_name"
+ secret_value=$(az keyvault secret show --name "$secret_name" --vault-name ${{ inputs.keyvault }} --query value -o tsv)
+ echo "::add-mask::$secret_value"
+ echo "$secret_name=$secret_value" >> $GITHUB_ENV
+ done
+ done
+ IFS=$old_IFS
+
+ - name: Azure logout
+ shell: bash
+ run: |
+ az logout
diff --git a/.github/actions/configure-goproxy/action.yml b/.github/actions/configure-goproxy/action.yml
index c9c825fc9..f7147f7b3 100644
--- a/.github/actions/configure-goproxy/action.yml
+++ b/.github/actions/configure-goproxy/action.yml
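Review bot: The `Sync` step persists each value with `echo "$secret_name=$secret_value" >> $GITHUB_ENV`, which cannot represent a value containing a newline — the second and later lines are read as further `name=value` entries or rejected — and `::add-mask::` on the whole value likewise does not reliably redact multi-line secrets; the `nginx-crt,nginx-key` filter that ci.yml's load-test job passes makes this likely to matter if those are PEM blobs. `inputs.keyvault` and `inputs.secrets-filter` are also expanded into the script text via `${{ }}`, so a value containing shell metacharacters is executed rather than passed; route them through `env:` and reference quoted shell variables instead. The default `'*'` syncs nothing, because the JMESPath `contains(name, '*')` is a substring test rather than a glob, and without `set -euo pipefail` a failing `az` call yields an empty value instead of a failed step. Anything written to `$GITHUB_ENV` is visible to every later step of the calling job, including third-party actions, so callers should keep the filter as narrow as possible.
```yaml
# … unchanged: name, author, description, inputs, Azure login step …
  - name: Sync
    shell: bash
    env:
      KEYVAULT: ${{ inputs.keyvault }}
      SECRETS_FILTER: ${{ inputs.secrets-filter }}
    run: |
      set -euo pipefail
      IFS=',' read -r -a patterns <<< "$SECRETS_FILTER"
      for pattern in "${patterns[@]}"; do
        echo "Processing pattern: $pattern"
        while IFS= read -r secret_name; do
          [[ -z "$secret_name" ]] && continue
          echo "Sync secret: env.$secret_name"
          secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "$KEYVAULT" --query value -o tsv)
          # Mask line by line so multi-line values (e.g. PEM) are fully redacted in logs.
          while IFS= read -r line; do echo "::add-mask::$line"; done <<< "$secret_value"
          # Heredoc form is required for values that contain newlines.
          delim="ghadelim_$(openssl rand -hex 8)"
          printf '%s<<%s\n%s\n%s\n' "$secret_name" "$delim" "$secret_value" "$delim" >> "$GITHUB_ENV"
        done < <(az keyvault secret list --vault-name "$KEYVAULT" --query "[?contains(name, '$pattern')].name" -o tsv)
      done
# … unchanged: Azure logout step …
```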
@@ -1,19 +1,6 @@ name: configure-goproxy author: s.breen -description: Sets the current Go module proxy based on the presence of a private proxy URL in secrets -inputs: - user: - description: Artifactory username secret name - required: false - default: "" - token: - description: Artifactory token secret name - required: false - default: "" - url: - description: Artifactory URL - required: false - default: "" +description: Sets the current Go module proxy based on the presence of a private proxy URL in environment variables. runs: using: 'composite' steps: @@ -21,16 +8,16 @@ runs: id: configure-goproxy shell: bash run: | - if [[ -z "${{ inputs.user }}" ]] || \ - [[ -z "${{ inputs.token }}" ]] || \ - [[ -z "${{ inputs.url }}" ]] || \ + if [[ -z "${{ env.artifactory-user }}" ]] || \ + [[ -z "${{ env.artifactory-token }}" ]] || \ + [[ -z "${{ env.artifactory-url-dev }}" ]] || \ [[ "${{ github.event.pull_request.head.repo.fork }}" == 'true' ]] || [[ "${{ startsWith(github.head_ref, 'dependabot-')}}" == 'true' ]] ; then echo "No Artifactory secrets available - using direct GOPROXY" GOPROXY_VALUE="direct" else echo "Development mode - using dev Artifactory" - GOPROXY_VALUE="https://${{ inputs.user }}:${{ inputs.token }}@${{ inputs.url }}" + GOPROXY_VALUE="https://${{ env.artifactory-user }}:${{ env.artifactory-token }}@${{ env.artifactory-url-dev }}" fi echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 2380538b1..2fbfeddb9 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml 
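Review bot: The rewritten condition reads `env.artifactory-user`, `env.artifactory-token` and `env.artifactory-url-dev`, but nothing in the action declares that a preceding `az-sync` step must populate them; a caller that omits that step silently falls back to `direct` instead of failing, and the removed `inputs` block was the only place that contract was visible. I would extend the description to: `description: Sets the Go module proxy from the artifactory-user, artifactory-token and artifactory-url-dev environment variables, which a preceding az-sync step must populate; falls back to direct on forks, dependabot branches, or when any of them is unset.` Note that this reads the vault secret `artifactory-url-dev` while assertion.yml reads `artifactory-url`, so both must exist in the vault for the `'artifactory'` filter to cover them.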
@@ -16,28 +16,6 @@ on: type: boolean required: false default: false - workflow_call: - inputs: - packageVersion: - description: 'Agent version' - type: string - required: true - runId: - description: 'Run ID of the workflow that built the artifacts' - type: string - required: false - signAssertion: - description: 'Sign and store the assertion document' - type: boolean - required: false - default: false - secrets: - ARTIFACTORY_USER: - required: true - ARTIFACTORY_TOKEN: - required: true - ARTIFACTORY_URL: - required: true jobs: build-assertion-document: @@ -94,9 +72,9 @@ jobs: builder-id: 'github.com' builder-version: '${{env.GO_VERSION}}_test' invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} - artifactory-user: ${{ secrets.ARTIFACTORY_USER }} - artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} - artifactory-url: ${{ secrets.ARTIFACTORY_URL }} + artifactory-user: ${{ env.artifactory-user }} + artifactory-api-token: ${{ env.artifactory-token }} + artifactory-url: ${{ env.artifactory-url }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json build-content-path: ${{ env.goversionm }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 31813614c..dc3a2632e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
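Review bot: The three `artifactory-*` values in the second hunk now come from `env`, but this file's diff adds no `az-sync` step to populate them and no `id-token: write` permission for the Azure OIDC login, so unless a step outside these hunks does that, the assertion job now runs with empty credentials where it previously received them through `secrets`. If the job is meant to use the vault, add the same `Get Secrets from Azure Key Vault` step and `permissions:` / `id-token: write` / `contents: read` that ci.yml's jobs get in this commit. With the `workflow_call` trigger removed, `inputs.packageVersion` on the kept `assertion-doc-file` line can only be supplied by `workflow_dispatch`; worth confirming that input still exists above the first hunk.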
@@ -31,12 +31,17 @@ jobs: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-tags: 'true' + + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -59,14 +64,20 @@ jobs: lint: name: Lint runs-on: ubuntu-22.04 + permissions: + id-token: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
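Review bot: The `Get Secrets from Azure Key Vault` step runs unconditionally, yet for a pull request from a fork (and for dependabot branches) the `secrets.AZ_*` values are empty, so `azure/login` fails and the job errors out where the old `configure-goproxy` inputs simply fell back to `direct`; the same applies to the lint, unit-test, race-condition, build-unsigned-snapshot, integration and upgrade jobs in the later hunks of this file, which carry no fork guard. If fork PRs are meant to keep running CI, guard the step with the condition the other jobs already use, `if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}`, and let configure-goproxy's existing fallback handle the rest. The job this hunk belongs to begins above the hunk, so I cannot see whether it already declares the `id-token: write` permission the OIDC login needs.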
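Review bot: Adding a job-level `permissions:` block that lists only `id-token: write` sets every other scope of `GITHUB_TOKEN` to `none`, including `contents: read`; that passes for a public checkout but will break `actions/checkout` on a private repository or any later step that reads the repo through the token. The same single-entry block is added to the race-condition, build-unsigned-snapshot, integration, upgrade and remaining matrix jobs in the later hunks of this file. Spell the intent out as `permissions:` / `id-token: write` / `contents: read`, which is what the removed `assertion-document` job in release-branch.yml already did.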
@@ -94,15 +105,20 @@ jobs: name: Unit Tests runs-on: ubuntu-22.04 permissions: + id-token: write contents: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -124,14 +140,20 @@ jobs: race-condition-test: name: Unit tests with race condition detection runs-on: ubuntu-22.04 + permissions: + id-token: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -148,16 +170,22 @@ jobs: build-unsigned-snapshot: name: Build Unsigned Snapshot runs-on: ubuntu-22.04 + permissions: + id-token: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-tags: 'true' + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -188,6 +216,8 @@ jobs: name: Integration Tests needs: build-unsigned-snapshot runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: @@ -199,12 +229,16 @@ jobs: version: "3.23" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -244,6 +278,8 @@ jobs: name: Upgrade Tests needs: build-unsigned-snapshot runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: 
@@ -255,12 +291,16 @@ jobs: version: "3.22" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -301,6 +341,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: @@ -318,12 +360,16 @@ jobs: release: "alpine" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -366,6 +412,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: 
@@ -391,12 +439,16 @@ jobs: path: "/nginx-plus/agent" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -446,6 +498,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: @@ -463,12 +517,16 @@ jobs: release: "alpine" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -511,6 +569,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: @@ -536,12 +596,16 @@ jobs: path: "/nginx-plus/agent" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -591,15 +655,20 @@ jobs: runs-on: ubuntu-22.04 needs: build-unsigned-snapshot permissions: + id-token: write contents: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -633,6 +702,7 @@ jobs: name: Load Tests if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} permissions: + id-token: write contents: write runs-on: ubuntu-22.04 needs: build-unsigned-snapshot @@ -662,6 +732,15 @@ jobs: - name: Set env run: echo "GO_VERSION=$(cat go.mod | grep toolchain | sed 's/toolchain //; s/go//')" >> $GITHUB_ENV + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'nginx-crt,nginx-key' + - name: Build Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 env: diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml index 2b1dc3b1f..3c310dd7f 100644 --- a/.github/workflows/f5-cla.yml +++ b/.github/workflows/f5-cla.yml @@ -47,5 +47,5 @@ jobs: # Do not lock PRs after a merge. lock-pullrequest-aftermerge: false env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }} diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml index 256fee498..18a0dad13 100644 --- a/.github/workflows/label-pr.yml +++ b/.github/workflows/label-pr.yml @@ -18,4 +18,4 @@ jobs: with: disable-releaser: true env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 2ee34c00d..99007b264 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml 
@@ -291,23 +291,6 @@ jobs: run: | make release - assertion-document: - name: Build and Generate Assertion Document - needs: [build-and-upload-packages] - if : ${{ inputs.assertionDoc == true }} - uses: ./.github/workflows/assertion.yml - permissions: - id-token: write - contents: read - with: - packageVersion: ${{ inputs.packageVersion }} - runId: ${{ github.run_id }} - secrets: - ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} - ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} - ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL }} - - merge-release: if: ${{ needs.vars.outputs.create_pull_request == 'true' }} name: Merge release branch back into main branch diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml index d318841d7..d68930d97 100644 --- a/.github/workflows/vulncheck.yml +++ b/.github/workflows/vulncheck.yml @@ -5,13 +5,13 @@ on: target-branch: description: 'Target branch to run govulncheck against' type: string - required: false + required: true default: 'main' workflow_dispatch: inputs: target-branch: description: 'Target branch to run govulncheck against' - required: false + required: true default: 'main' jobs: @@ -25,7 +25,7 @@ jobs: uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 - ref: ${{ inputs.targetBranch || 'main' }} + ref: ${{ inputs.targetBranch || github.event.inputs.target-branch }} - name: Check Go version id: get-go-version
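Review bot: In vulncheck.yml, marking `target-branch` as `required: true` while keeping `default: 'main'` makes the default dead for the `workflow_call` trigger, since a caller that omits a required input fails validation before the default is consulted; keep `required: false` if `main` is the intended fallback. The checkout step further down, visible in the following hunk, reads `inputs.targetBranch`, which does not match this input's name `target-branch`, so that side of the `||` expression is always empty; `ref: ${{ inputs.target-branch }}` resolves for both triggers without the `github.event.inputs` fallback.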