From 64ae8b1f41c3ae4ea49b6bbf25979ea1a40e05fb Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 12 Dec 2025 13:01:33 +0000 Subject: [PATCH 01/12] add az-sync github action to handle secrets --- .github/actions/az-sync/action.yml | 51 ++++++++++++++++++++++++++++++ .github/workflows/ci.yml | 29 +++++++++++++---- 2 files changed, 74 insertions(+), 6 deletions(-) create mode 100644 .github/actions/az-sync/action.yml diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml new file mode 100644 index 000000000..0edca16fd --- /dev/null +++ b/.github/actions/az-sync/action.yml 
@@ -0,0 +1,51 @@ +name: Sync Secrets from Azure Key Vault +author: s.breen +description: az-sync +inputs: + az_client_id: + description: 'Azure Client ID' + required: true + az_tenant_id: + description: 'Azure Tenant ID' + required: true + az_subscription_id: + description: 'Azure Subscription ID' + required: true + keyvault: + description: 'Azure Key Vault name' + required: true + secrets-filter: + description: 'Filter for secrets to sync (comma-separated patterns)' + required: true + default: '*' +runs: + using: "composite" + steps: + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ inputs.az_client_id }} + tenant-id: ${{ inputs.az_tenant_id }} + subscription-id: ${{ inputs.az_subscription_id }} + + - name: Sync + shell: bash + run: | + old_IFS=$IFS + IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}" + for pattern in "${array[@]}"; do + echo "Processing pattern: $pattern" + for secret_name in $(az keyvault secret list --vault-name ${{ inputs.keyvault }} --query "[?contains(name, '$pattern')].name" -o tsv); do + echo "Fetching secret: $secret_name" + secret_value=$(az keyvault secret show --name "$secret_name" --vault-name ${{ inputs.keyvault }} --query value -o tsv) + echo "::add-mask::$secret_value" + echo "$secret_name=$secret_value" >> $GITHUB_OUTPUT + echo "Set secret env.$secret_name" + done + done + IFS=$old_IFS + + - name: Azure logout + shell: bash + run: | + az logout diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 013b3cbec..0feabc106 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
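Review bot: The `Sync` step splices `${{ inputs.secrets-filter }}` and `${{ inputs.keyvault }}` straight into the bash script, so whatever a caller passes is executed as shell text rather than read as data; route them through the step's `env:` and reference `"$SECRETS_FILTER"` / `"$KEYVAULT"` instead. The `secrets-filter` default of `'*'` does not do what its description promises: the JMESPath `contains(name, '*')` is a literal substring test, so the default matches no secret at all (and `required: true` combined with a default is contradictory). Each value is masked with a single `::add-mask::` line, which only covers single-line secrets; mask line by line before the value is written anywhere. The `Azure logout` step should also carry `if: always()` so a failing fetch does not leave the login cached on the runner.
```yaml
      - name: Sync
        shell: bash
        env:
          KEYVAULT: ${{ inputs.keyvault }}
          SECRETS_FILTER: ${{ inputs.secrets-filter }}
        run: |
          IFS=',' read -r -a patterns <<< "$SECRETS_FILTER"
          for pattern in "${patterns[@]}"; do
            # … unchanged: az keyvault secret list, now with --vault-name "$KEYVAULT" …
              secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "$KEYVAULT" --query value -o tsv)
              while IFS= read -r line; do echo "::add-mask::$line"; done <<< "$secret_value"
              # … unchanged: write to GITHUB_OUTPUT …
          done

      - name: Azure logout
        if: always()
```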
@@ -31,12 +31,21 @@ jobs: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-tags: 'true' + + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -61,12 +70,20 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' From 5987c760f1c96f5af726d768522253de27b39056 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 12 Dec 2025 13:04:30 +0000 Subject: [PATCH 02/12] add write permission --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) 
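Review bot: The new `Get Secrets from Azure Key Vault` step has no fork/dependabot guard, although the `configure-goproxy` action it feeds deliberately falls back to `direct` in those cases; on a fork PR the `secrets.*` values are empty, `azure/login` fails and the job fails instead of falling back. Add `if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}` to the step, since neither job shown has a job-level guard visible. The consumed names `artifactory_user`/`artifactory_token`/`artifactory_url_dev` also look unreachable: Key Vault secret names permit only alphanumerics and hyphens, so the action can only export hyphenated keys and `${{ env.artifactory_user }}` stays empty, which the `direct` fallback then silently hides. Consider making the action fail when a requested pattern matched nothing, so this kind of misconfiguration surfaces.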
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0feabc106..959fc29f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,6 +68,8 @@ jobs: lint: name: Lint runs-on: ubuntu-22.04 + permissions: + id-token: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Get Secrets from Azure Key Vault From 18838b66b9c4d497f9ddf8364270134c37926396 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 12 Dec 2025 13:14:50 +0000 Subject: [PATCH 03/12] use env vars --- .github/actions/az-sync/action.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml index 0edca16fd..7632f4065 100644 --- a/.github/actions/az-sync/action.yml +++ b/.github/actions/az-sync/action.yml @@ -36,11 +36,10 @@ runs: for pattern in "${array[@]}"; do echo "Processing pattern: $pattern" for secret_name in $(az keyvault secret list --vault-name ${{ inputs.keyvault }} --query "[?contains(name, '$pattern')].name" -o tsv); do - echo "Fetching secret: $secret_name" + echo "Sync secret: env.$secret_name" secret_value=$(az keyvault secret show --name "$secret_name" --vault-name ${{ inputs.keyvault }} --query value -o tsv) echo "::add-mask::$secret_value" - echo "$secret_name=$secret_value" >> $GITHUB_OUTPUT - echo "Set secret env.$secret_name" + echo "$secret_name=$secret_value" >> $GITHUB_ENV done done IFS=$old_IFS From e95c4f7c8867314b5a6558c01c11d980a68432ec Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 12 Dec 2025 14:28:18 +0000 Subject: [PATCH 04/12] add az-sync step to every job --- .github/workflows/ci.yml | 149 +++++++++++++++++++++++++++++++-------- 1 file changed, 119 insertions(+), 30 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 959fc29f0..02bf6d7c9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
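Review bot: Adding a job-level `permissions:` block that contains only `id-token: write` resets every other scope, including `contents`, to `none` for the `Lint` job, so `actions/checkout` then depends on the repository being public to fetch at all. Spell out what the job needs: `permissions:` / `  id-token: write` / `  contents: read`. The same applies to every job this series later adds the block to.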
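Review bot: Writing `$secret_name=$secret_value` to `$GITHUB_ENV` assumes a single-line value; a multi-line value (the later `nginx-crt`/`nginx-key` filter pulls PEM material) breaks the `name=value` format and can define extra variables from its own lines. Use the heredoc delimiter form, and mask each line separately, because `::add-mask::` registers only one line. Moving from step outputs to `GITHUB_ENV` also exposes the values to every later step's process environment, including third-party actions and the docker build, so the filter should name exactly the secrets each job needs.
```yaml
            secret_value=$(az keyvault secret show --name "$secret_name" --vault-name ${{ inputs.keyvault }} --query value -o tsv)
            while IFS= read -r line; do echo "::add-mask::$line"; done <<< "$secret_value"
            delimiter="EOF_$(openssl rand -hex 8)"
            {
              echo "$secret_name<<$delimiter"
              echo "$secret_value"
              echo "$delimiter"
            } >> "$GITHUB_ENV"
```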
@@ -116,12 +116,20 @@ jobs: contents: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -145,12 +153,20 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
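Review bot: `secrets-filter: 'artifactory'` is a substring match in the action (`contains(name, '$pattern')`), so this step pulls every vault secret whose name contains `artifactory` into the job environment, while `configure-goproxy` reads only three dev values. Prefer listing the exact names, e.g. `secrets-filter: 'artifactory-user,artifactory-token,artifactory-url-dev'`, so a production token stored alongside them is never materialised in a PR job. The same step is repeated verbatim in a dozen jobs; a reusable workflow or a single composite step would keep the filter in one place.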
@@ -171,12 +187,20 @@ jobs: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-tags: 'true' + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -218,12 +242,20 @@ jobs: version: "3.22" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -274,12 +306,20 @@ jobs: version: "3.22" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -337,12 +377,20 @@ jobs: release: "alpine" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -410,12 +458,20 @@ jobs: path: "/nginx-plus/agent" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -482,12 +538,20 @@ jobs: release: "alpine" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -555,12 +619,20 @@ jobs: path: "/nginx-plus/agent" steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -613,12 +685,20 @@ jobs: contents: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy with: - user: ${{ secrets.ARTIFACTORY_USER }} - token: ${{ secrets.ARTIFACTORY_TOKEN }} - url: ${{ secrets.ARTIFACTORY_URL_DEV }} + user: ${{ env.artifactory_user }} + token: ${{ env.artifactory_token }} + url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -681,6 +761,15 @@ jobs: - name: Set env run: echo "GO_VERSION=$(cat go.mod | grep toolchain | sed 's/toolchain //; s/go//')" >> $GITHUB_ENV + - name: Get Secrets from Azure Key Vault + uses: ./.github/actions/az-sync + with: + az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} + secrets-filter: 'nginx-crt,nginx-key' + - name: Build Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 env: From cd73af173351079674b03a08809fe682800da533 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 12 Dec 2025 14:31:29 +0000 Subject: [PATCH 05/12] add az-sync step to every job --- .github/workflows/ci.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 02bf6d7c9..20bd9929d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -113,6 +113,7 @@ jobs: name: Unit Tests runs-on: ubuntu-22.04 permissions: + id-token: write contents: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -151,6 +152,8 @@ jobs: race-condition-test: name: Unit tests with race condition detection runs-on: ubuntu-22.04 + permissions: + id-token: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Get Secrets from Azure Key Vault @@ -183,6 +186,8 @@ jobs: build-unsigned-snapshot: name: Build Unsigned Snapshot runs-on: ubuntu-22.04 + permissions: + id-token: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: @@ -231,6 +236,8 @@ jobs: name: Integration Tests needs: build-unsigned-snapshot runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: 
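Review bot: `secrets-filter: 'nginx-crt,nginx-key'` fetches PEM certificate and key material, which is multi-line, but the action masks the value with one `echo "::add-mask::$secret_value"` and then writes `name=value` to `$GITHUB_ENV`; only the first line is registered as a mask, the remaining lines of the key are printed to the job log in clear, and the env-file format is broken. Until the action masks line by line and uses the `name<<DELIM` form, this step should not be used for private keys. `contains()` matching also means any other secret with `nginx-key` in its name is pulled along. The `Build Docker Image` step that consumes these values starts outside the hunk.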
@@ -295,6 +302,8 @@ jobs: name: Upgrade Tests needs: build-unsigned-snapshot runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: @@ -360,6 +369,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: @@ -433,6 +444,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: @@ -521,6 +534,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: @@ -594,6 +609,8 @@ jobs: needs: build-unsigned-snapshot if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} runs-on: ubuntu-22.04 + permissions: + id-token: write strategy: matrix: container: @@ -682,6 +699,7 @@ jobs: runs-on: ubuntu-22.04 needs: build-unsigned-snapshot permissions: + id-token: write contents: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -732,6 +750,7 @@ jobs: name: Load Tests if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }} permissions: + id-token: write contents: write runs-on: ubuntu-22.04 needs: build-unsigned-snapshot From 8c656372beaef4aba0e93008783f42d56c023cf0 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 12 Dec 2025 15:01:05 +0000 Subject: [PATCH 06/12] simplify the goproxy config action --- .github/actions/configure-goproxy/action.yml | 23 +++++--------------- .github/workflows/ci.yml | 5 +---- 2 files changed, 6 insertions(+), 22 deletions(-) 
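Review bot: `id-token: write` is now granted to every job, including `Lint`, `Unit Tests`, `race-condition-test` and `build-unsigned-snapshot`, which have no fork/dependabot guard visible, so any step in those jobs (third-party actions included) can request an OIDC token for the run. That is acceptable only if the Azure federated credential's subject claim is pinned to this repository and the identity holds no more than `Key Vault Secrets User` on the one vault; please confirm both. Where a `permissions:` block is newly introduced, also add `contents: read`, since the explicit block drops the default read access `actions/checkout` relies on.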
diff --git a/.github/actions/configure-goproxy/action.yml b/.github/actions/configure-goproxy/action.yml index c9c825fc9..01c7f00cb 100644 --- a/.github/actions/configure-goproxy/action.yml +++ b/.github/actions/configure-goproxy/action.yml @@ -1,19 +1,6 @@ name: configure-goproxy author: s.breen -description: Sets the current Go module proxy based on the presence of a private proxy URL in secrets -inputs: - user: - description: Artifactory username secret name - required: false - default: "" - token: - description: Artifactory token secret name - required: false - default: "" - url: - description: Artifactory URL - required: false - default: "" +description: Sets the current Go module proxy based on the presence of a private proxy URL in environment variables. runs: using: 'composite' steps: @@ -21,16 +8,16 @@ runs: id: configure-goproxy shell: bash run: | - if [[ -z "${{ inputs.user }}" ]] || \ - [[ -z "${{ inputs.token }}" ]] || \ - [[ -z "${{ inputs.url }}" ]] || \ + if [[ -z "${{ env.artifactory-user }}" ]] || \ + [[ -z "${{ env.artifactory-token }}" ]] || \ + [[ -z "${{ env.artifactory-url }}" ]] || \ [[ "${{ github.event.pull_request.head.repo.fork }}" == 'true' ]] || [[ "${{ startsWith(github.head_ref, 'dependabot-')}}" == 'true' ]] ; then echo "No Artifactory secrets available - using direct GOPROXY" GOPROXY_VALUE="direct" else echo "Development mode - using dev Artifactory" - GOPROXY_VALUE="https://${{ inputs.user }}:${{ inputs.token }}@${{ inputs.url }}" + GOPROXY_VALUE="https://${{ env.artifactory-user }}:${{ env.artifactory-token }}@${{ env.artifactory-url-dev }}" fi echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 20bd9929d..def7cfe40 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
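Review bot: The action no longer declares inputs, so nothing documents that it requires `artifactory-user`, `artifactory-token` and `artifactory-url-dev` in the environment; the `description` should list them, e.g. `description: Sets GOPROXY from the artifactory-user, artifactory-token and artifactory-url-dev environment variables (populated by az-sync); falls back to direct when any is missing.` Embedding `${{ env.artifactory-token }}` unescaped in `GOPROXY_VALUE` breaks for tokens containing `@`, `:` or `/`; percent-encode the credentials (for example `jq -rn --arg v "$TOKEN" '$v|@uri'`) and pass the values through the step's `env:` rather than interpolating expressions into the script body. The resulting `GOPROXY` with embedded credentials is written to `GITHUB_ENV` and is therefore visible to every later step and to `go env`, which is fine only while the token itself is masked.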
@@ -82,10 +82,7 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} + - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' From 7cf04a88a5bf9765e491bb7ab6e1be2679ae0d09 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 12 Dec 2025 15:02:29 +0000 Subject: [PATCH 07/12] fix dev url --- .github/actions/configure-goproxy/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/configure-goproxy/action.yml b/.github/actions/configure-goproxy/action.yml index 01c7f00cb..f7147f7b3 100644 --- a/.github/actions/configure-goproxy/action.yml +++ b/.github/actions/configure-goproxy/action.yml @@ -10,7 +10,7 @@ runs: run: | if [[ -z "${{ env.artifactory-user }}" ]] || \ [[ -z "${{ env.artifactory-token }}" ]] || \ - [[ -z "${{ env.artifactory-url }}" ]] || \ + [[ -z "${{ env.artifactory-url-dev }}" ]] || \ [[ "${{ github.event.pull_request.head.repo.fork }}" == 'true' ]] || [[ "${{ startsWith(github.head_ref, 'dependabot-')}}" == 'true' ]] ; then echo "No Artifactory secrets available - using direct GOPROXY" From 449daf433f3004bef181692583c81ea50b9e4ec3 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 12 Dec 2025 15:10:35 +0000 Subject: [PATCH 08/12] remove input from goproxy config --- .github/workflows/ci.yml | 45 ---------------------------------------- 1 file changed, 45 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index def7cfe40..93a13e2db 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,10 +42,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -82,7 +78,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -124,10 +119,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -163,10 +154,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -199,10 +186,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -256,10 +239,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -322,10 +301,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -395,10 +370,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -478,10 +449,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -560,10 +527,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -643,10 +606,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' 
@@ -710,10 +669,6 @@ jobs: secrets-filter: 'artifactory' - name: Configure Go Proxy uses: ./.github/actions/configure-goproxy - with: - user: ${{ env.artifactory_user }} - token: ${{ env.artifactory_token }} - url: ${{ env.artifactory_url_dev }} - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' From 5726f23cfa9ac92ebe7ebad3b4807411df2cda2a Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Mon, 15 Dec 2025 15:33:01 +0000 Subject: [PATCH 09/12] simplify az-sync action --- .github/actions/az-sync/action.yml | 15 ++-------- .github/workflows/assertion.yml | 28 ++----------------- .github/workflows/ci.yml | 41 +--------------------------- .github/workflows/f5-cla.yml | 2 +- .github/workflows/label-pr.yml | 2 +- .github/workflows/release-branch.yml | 17 ------------ .github/workflows/vulncheck.yml | 6 ++-- 7 files changed, 12 insertions(+), 99 deletions(-) diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml index 7632f4065..9cbe05338 100644 --- a/.github/actions/az-sync/action.yml +++ b/.github/actions/az-sync/action.yml @@ -2,15 +2,6 @@ name: Sync Secrets from Azure Key Vault author: s.breen description: az-sync inputs: - az_client_id: - description: 'Azure Client ID' - required: true - az_tenant_id: - description: 'Azure Tenant ID' - required: true - az_subscription_id: - description: 'Azure Subscription ID' - required: true keyvault: description: 'Azure Key Vault name' required: true @@ -24,9 +15,9 @@ runs: - name: Azure login uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 with: - client-id: ${{ inputs.az_client_id }} - tenant-id: ${{ inputs.az_tenant_id }} - subscription-id: ${{ inputs.az_subscription_id }} + client-id: ${{ env.AZ_KEYVAULT_CLIENT_ID }} + tenant-id: ${{ env.AZ_KEYVAULT_TENANT_ID }} + subscription-id: ${{ env.AZ_SUBSCRIPTION_ID }} - name: Sync shell: bash 
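Review bot: Dropping the `az_*` inputs makes `azure/login` read `env.AZ_KEYVAULT_CLIENT_ID`, `env.AZ_KEYVAULT_TENANT_ID` and `env.AZ_SUBSCRIPTION_ID`, which every caller must now set at workflow level, and nothing in the action checks that they are; a missing variable reaches `azure/login` as an empty string. Add a guard step before the login, e.g. `run: test -n "$AZ_KEYVAULT_CLIENT_ID" -a -n "$AZ_KEYVAULT_TENANT_ID" -a -n "$AZ_SUBSCRIPTION_ID" || { echo "az-sync: AZ_* environment not set" >&2; exit 1; }`, and state the requirement in the action `description`. The `Sync` step of this hunk continues outside the visible lines.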
diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 2380538b1..2fbfeddb9 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml @@ -16,28 +16,6 @@ on: type: boolean required: false default: false - workflow_call: - inputs: - packageVersion: - description: 'Agent version' - type: string - required: true - runId: - description: 'Run ID of the workflow that built the artifacts' - type: string - required: false - signAssertion: - description: 'Sign and store the assertion document' - type: boolean - required: false - default: false - secrets: - ARTIFACTORY_USER: - required: true - ARTIFACTORY_TOKEN: - required: true - ARTIFACTORY_URL: - required: true jobs: build-assertion-document: @@ -94,9 +72,9 @@ jobs: builder-id: 'github.com' builder-version: '${{env.GO_VERSION}}_test' invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} - artifactory-user: ${{ secrets.ARTIFACTORY_USER }} - artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} - artifactory-url: ${{ secrets.ARTIFACTORY_URL }} + artifactory-user: ${{ env.artifactory-user }} + artifactory-api-token: ${{ env.artifactory-token }} + artifactory-url: ${{ env.artifactory-url }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json build-content-path: ${{ env.goversionm }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 93a13e2db..b64982e3d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,9 +35,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy 
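Review bot: `artifactory-user`/`artifactory-api-token`/`artifactory-url` now come from `env.*`, but no step that populates those variables is visible in this hunk for `build-assertion-document`; unless an `az-sync` step precedes it in the job (outside the hunk), the assertion is generated against empty Artifactory credentials. Removing the `workflow_call` trigger also means the release workflow can no longer invoke this file, and with its caller deleted in `release-branch.yml` no release path produces the assertion document any more; please confirm that is intended rather than a provenance gap.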
@@ -71,9 +68,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy @@ -112,9 +106,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy @@ -147,9 +138,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy @@ -179,9 +167,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy @@ -232,9 +217,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy 
@@ -294,9 +276,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy @@ -363,9 +342,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy @@ -442,9 +418,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy @@ -520,9 +493,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy @@ -599,9 +569,6 @@ jobs: - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: - az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }} - az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }} - az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - name: Configure Go Proxy 
@@ -662,9 +629,6 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
- az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
- az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
- az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -735,9 +699,6 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
- az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
- az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
- az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'nginx-crt,nginx-key'
@@ -787,4 +748,4 @@ jobs:
 - name: Push load test result
 if: ${{ success() && github.ref_name == 'main' }}
- run: git push 'https://github-actions:${{ secrets.GITHUB_TOKEN }}@github.com/nginx/agent.git' benchmark-results:benchmark-results
+ run: git push 'https://github-actions:${{ github.token }}@github.com/nginx/agent.git' benchmark-results:benchmark-results
diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
index 2b1dc3b1f..3c310dd7f 100644
--- a/.github/workflows/f5-cla.yml
+++ b/.github/workflows/f5-cla.yml
@@ -47,5 +47,5 @@ jobs:
 # Do not lock PRs after a merge.
 lock-pullrequest-aftermerge: false
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
 PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 256fee498..18a0dad13 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -18,4 +18,4 @@ jobs:
 with:
 disable-releaser: true
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 2ee34c00d..99007b264 100644
--- a/.github/workflows/release-branch.yml
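Review bot: Swapping `secrets.GITHUB_TOKEN` for `github.token` in the `run: git push 'https://github-actions:...@github.com/nginx/agent.git'` line changes nothing about the exposure, because the expression is expanded into the shell script before it runs, so the token ends up on the `git push` command line, where it is readable by other processes on the runner and can surface in any git diagnostic that prints the raw remote URL; the log masker only covers the job log. The same line is rewritten once more in the `@@ -748,4 +788,4 @@` hunk of PATCH 11/12. If this job checks out with `actions/checkout` and leaves `persist-credentials` at its default, `run: git push origin benchmark-results:benchmark-results` pushes with the credential checkout already configured and keeps the token out of the command line; otherwise configuring `http.extraheader` from the token, rather than building a URL, is the usual alternative. The job's checkout step is outside this hunk, so that assumption needs confirming.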
+++ b/.github/workflows/release-branch.yml
@@ -291,23 +291,6 @@ jobs:
 run: |
 make release
- assertion-document:
- name: Build and Generate Assertion Document
- needs: [build-and-upload-packages]
- if : ${{ inputs.assertionDoc == true }}
- uses: ./.github/workflows/assertion.yml
- permissions:
- id-token: write
- contents: read
- with:
- packageVersion: ${{ inputs.packageVersion }}
- runId: ${{ github.run_id }}
- secrets:
- ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
- ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
- ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL }}
-
 merge-release:
 if: ${{ needs.vars.outputs.create_pull_request == 'true' }}
 name: Merge release branch back into main branch
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
index d318841d7..d68930d97 100644
--- a/.github/workflows/vulncheck.yml
+++ b/.github/workflows/vulncheck.yml
@@ -5,13 +5,13 @@ on:
 target-branch:
 description: 'Target branch to run govulncheck against'
 type: string
- required: false
+ required: true
 default: 'main'
 workflow_dispatch:
 inputs:
 target-branch:
 description: 'Target branch to run govulncheck against'
- required: false
+ required: true
 default: 'main'
 jobs:
@@ -25,7 +25,7 @@ jobs:
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 fetch-depth: 0
- ref: ${{ inputs.targetBranch || 'main' }}
+ ref: ${{ inputs.targetBranch || github.event.inputs.target-branch }}
 - name: Check Go version
 id: get-go-version
From e6471098b0dd9e272cac88c23c1f19a3634e2bd4 Mon Sep 17 00:00:00 2001
From: Sean Breen
Date: Mon, 15 Dec 2025 15:34:29 +0000
Subject: [PATCH 10/12] fix login details
---
 .github/actions/az-sync/action.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml
index 9cbe05338..8e124e9dc 100644
--- a/.github/actions/az-sync/action.yml
+++ b/.github/actions/az-sync/action.yml
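Review bot: `inputs.targetBranch` in the new `ref:` expression of vulncheck.yml does not match the input declared in the `@@ -5,13 +5,13 @@` hunk, which is `target-branch`, so the left operand of `||` is always empty and the ref comes solely from `github.event.inputs.target-branch`. That property is only populated on a `workflow_dispatch` event; when the workflow runs through `workflow_call`, `github.event` is the caller's triggering event, the expression presumably evaluates to an empty string, and checkout falls back to its default ref instead of the requested branch, so govulncheck scans code nobody asked for. `ref: ${{ inputs.target-branch }}` reads the declared input under both triggers. Flipping both inputs to `required: true` while keeping `default: 'main'` also changes the contract for callers of the reusable workflow, which must now pass the value explicitly; if the default was meant to apply to them, `required: false` was the right setting. The checkout step's job header lies outside the hunk.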
@@ -15,9 +15,9 @@ runs:
 - name: Azure login
 uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
 with:
- client-id: ${{ env.AZ_KEYVAULT_CLIENT_ID }}
- tenant-id: ${{ env.AZ_KEYVAULT_TENANT_ID }}
- subscription-id: ${{ env.AZ_SUBSCRIPTION_ID }}
+ client-id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 - name: Sync
 shell: bash
From db9b612f71697608ed58c5f971472fd8161ca3cd Mon Sep 17 00:00:00 2001
From: Sean Breen
Date: Mon, 15 Dec 2025 15:39:48 +0000
Subject: [PATCH 11/12] revert to use input to pass secrets
---
 .github/actions/az-sync/action.yml | 15 ++++++++--
 .github/workflows/ci.yml | 44 ++++++++++++++++++++++++++++--
 2 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml
index 8e124e9dc..7632f4065 100644
--- a/.github/actions/az-sync/action.yml
+++ b/.github/actions/az-sync/action.yml
@@ -2,6 +2,15 @@ name: Sync Secrets from Azure Key Vault
 author: s.breen
 description: az-sync
 inputs:
+ az_client_id:
+ description: 'Azure Client ID'
+ required: true
+ az_tenant_id:
+ description: 'Azure Tenant ID'
+ required: true
+ az_subscription_id:
+ description: 'Azure Subscription ID'
+ required: true
 keyvault:
 description: 'Azure Key Vault name'
 required: true
@@ -15,9 +24,9 @@ runs:
 - name: Azure login
 uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
 with:
- client-id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
- tenant-id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
- subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+ client-id: ${{ inputs.az_client_id }}
+ tenant-id: ${{ inputs.az_tenant_id }}
+ subscription-id: ${{ inputs.az_subscription_id }}
 - name: Sync
 shell: bash
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b64982e3d..bdfa053f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
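Review bot: The new `az_client_id`/`az_tenant_id`/`az_subscription_id` inputs of the `@@ -2,6 +2,15 @@` hunk are handed to `azure/login` in the `@@ -15,9 +24,9 @@` hunk below with no client secret, which is that action's OIDC federated-credential mode, and that mode only succeeds when the calling job grants `permissions: id-token: write`; nothing in the action says so, and `description: az-sync` tells a caller nothing about what the action needs or does. Suggest `description: 'Log in to Azure via OIDC (the calling job must grant id-token: write) and sync secrets from the named Key Vault'` so the requirement is visible where the inputs are declared. The three new inputs are also `snake_case` while the existing `secrets-filter` input is `kebab-case`; settling on one style for the action's interface now avoids a rename after every ci.yml job has been wired to it.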
@@ -14,7 +14,8 @@ on:
 - opened
 - reopened
 - synchronize
-
+#f5-nginx-github-nginx-service-account
+#eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJZSTNYR0xuYU1ISW1aN3hsUVBqX0lrSkNfMUJseGppSXcwSjlrVW1mcTQwIn0eyJzdWIiOiJqZmFjQDAxYzhncTBlMWpkYTV6MWEzcTN4OHYweW5uL3VzZXJzL2Y1LW5naW54LWdpdGh1Yi1uZ2lueC1zZXJ2aWNlLWFjY291bnQiLCJzY3AiOiJhcHBsaWVkLXBlcm1pc3Npb25zL3VzZXIiLCJhdWQiOiIqQCoiLCJpc3MiOiJqZmZlQDAxYzhncTBlMWpkYTV6MWEzcTN4OHYweW5uIiwiZXhwIjoxNzczOTU0NDExLCJpYXQiOjE3NDI0MTg0MTEsImp0aSI6IjRkY2NmMWFiLTAwZWUtNDQ2Zi1iNDAyLWIzMTRlNDgwYTU2NyJ9BTYk_Qs64JYfr30oEgJ0YaCXJcrViAa5-5sC4AaaM_MP8sm80LJRC_a1rLmYnA408yMkenYayC6diDhWy1Bx_5JO7tmn1iNQnEHJHz7rLLBJRaNNFee9mE5W36ZRUhCKtDQ1MOr9jSinibwxKXt8frwioUhjXQ29YNJcW6KYivFiviBxjU_xS-vyxhmWH0z85SxG-YDFkzOYbKbBIIgNN0iHgEfThmWbrGf7nWroP0jCnKaomLlASGZD_Z0bEmQ7KXfuxiQ9pfWDlYP0ak62s-QZmwEDB71RP-raxVaKYAMW1-DLh2ikBXkQHMAj7gzKCf163YnQce9hWce0X8DgAg
 permissions:
 contents: read
@@ -35,6 +36,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -68,6 +72,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
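Review bot: The two comment lines added after `- synchronize` in the `@@ -14,7 +14,8 @@` hunk carry a bearer token: the value starts with `eyJ2ZXIiOiIyIi`, which base64url-decodes to a JWT header (`"typ":"JWT"`, `"alg":"RS256"`), and the line above it names the service account it belongs to, all committed into a workflow file. The removal in PATCH 12/12 (the `@@ -14,8 +14,7 @@` hunk further down) only deletes it from the tip; the token stays in this repository's history and in every existing clone and fork, so it has to be treated as disclosed — revoke it at its issuer, rotate whatever the named service account can reach, and keep the replacement only in the secret store that `./.github/actions/az-sync` already reads from. A `#` comment in a workflow is never a place to park a credential, even briefly; a repository secret or an untracked local file serves any testing need. Enabling push protection and secret scanning on the repository would have rejected this push before it landed.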
@@ -106,6 +113,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -138,6 +148,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -167,6 +180,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -217,6 +233,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -276,6 +295,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -342,6 +364,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -418,6 +443,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -493,6 +521,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -569,6 +600,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -629,6 +663,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'artifactory'
 - name: Configure Go Proxy
@@ -699,6 +736,9 @@ jobs:
 - name: Get Secrets from Azure Key Vault
 uses: ./.github/actions/az-sync
 with:
+ az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+ az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+ az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
 secrets-filter: 'nginx-crt,nginx-key'
@@ -748,4 +788,4 @@ jobs:
 - name: Push load test result
 if: ${{ success() && github.ref_name == 'main' }}
- run: git push 'https://github-actions:${{ github.token }}@github.com/nginx/agent.git' benchmark-results:benchmark-results
+ run: git push 'https://github-actions:${{ secrets.GITHUB_TOKEN }}@github.com/nginx/agent.git' benchmark-results:benchmark-results
From b713dd4b0f2568a16366a4989b62672750f46313 Mon Sep 17 00:00:00 2001
From: Sean Breen
Date: Tue, 16 Dec 2025 11:58:10 +0000
Subject: [PATCH 12/12] remove comment
---
 .github/workflows/ci.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bdfa053f7..93a13e2db 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
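Review bot: `secrets.GITHUB_TOKEN` in the rewritten `run: git push ...` line of the `@@ -748,4 +788,4 @@` hunk is inconsistent with `f5-cla.yml` and `label-pr.yml`, which keep the `github.token` spelling adopted earlier in this series; both expressions yield the same installation token, so reverting this one line only leaves the three workflows disagreeing. Keep `${{ github.token }}` here, or state in the commit message why ci.yml is the exception.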
@@ -14,8 +14,7 @@ on:
 - opened
 - reopened
 - synchronize
-#f5-nginx-github-nginx-service-account
-#eyJ2ZXIiOiIyIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYiLCJraWQiOiJZSTNYR0xuYU1ISW1aN3hsUVBqX0lrSkNfMUJseGppSXcwSjlrVW1mcTQwIn0eyJzdWIiOiJqZmFjQDAxYzhncTBlMWpkYTV6MWEzcTN4OHYweW5uL3VzZXJzL2Y1LW5naW54LWdpdGh1Yi1uZ2lueC1zZXJ2aWNlLWFjY291bnQiLCJzY3AiOiJhcHBsaWVkLXBlcm1pc3Npb25zL3VzZXIiLCJhdWQiOiIqQCoiLCJpc3MiOiJqZmZlQDAxYzhncTBlMWpkYTV6MWEzcTN4OHYweW5uIiwiZXhwIjoxNzczOTU0NDExLCJpYXQiOjE3NDI0MTg0MTEsImp0aSI6IjRkY2NmMWFiLTAwZWUtNDQ2Zi1iNDAyLWIzMTRlNDgwYTU2NyJ9BTYk_Qs64JYfr30oEgJ0YaCXJcrViAa5-5sC4AaaM_MP8sm80LJRC_a1rLmYnA408yMkenYayC6diDhWy1Bx_5JO7tmn1iNQnEHJHz7rLLBJRaNNFee9mE5W36ZRUhCKtDQ1MOr9jSinibwxKXt8frwioUhjXQ29YNJcW6KYivFiviBxjU_xS-vyxhmWH0z85SxG-YDFkzOYbKbBIIgNN0iHgEfThmWbrGf7nWroP0jCnKaomLlASGZD_Z0bEmQ7KXfuxiQ9pfWDlYP0ak62s-QZmwEDB71RP-raxVaKYAMW1-DLh2ikBXkQHMAj7gzKCf163YnQce9hWce0X8DgAg
+
 permissions:
 contents: read