nginx · sean-breen · Dec 12, 2025 · Dec 12, 2025 · Dec 12, 2025 · Dec 12, 2025
@@ -0,0 +1,50 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+  az_client_id:
+    description: 'Azure Client ID'
+    required: true
+  az_tenant_id:
+    description: 'Azure Tenant ID'
+    required: true
+  az_subscription_id:
+    description: 'Azure Subscription ID'
+    required: true
+  keyvault:
+    description: 'Azure Key Vault name'
+    required: true
+  secrets-filter:
+    description: 'Filter for secrets to sync (comma-separated patterns)'
+    required: true
+    default: '*'
+runs:
+  using: "composite"
+  steps:
+    - name: Azure login
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      with:
+        client-id: ${{ inputs.az_client_id }}
+        tenant-id: ${{ inputs.az_tenant_id }}
+        subscription-id: ${{ inputs.az_subscription_id }}
+
+    - name: Sync
+      shell: bash
+      run: |
+        old_IFS=$IFS
+        IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+          for pattern in "${array[@]}"; do
+            echo "Processing pattern: $pattern"
+            for secret_name in $(az keyvault secret list --vault-name ${{ inputs.keyvault }} --query "[?contains(name, '$pattern')].name" -o tsv); do
+              echo "Sync secret: env.$secret_name"
+              secret_value=$(az keyvault secret show --name "$secret_name" --vault-name ${{ inputs.keyvault }} --query value -o tsv)
+              echo "::add-mask::$secret_value"
+              echo "$secret_name=$secret_value" >> $GITHUB_ENV
+            done
+          done
+        IFS=$old_IFS
+
+    - name: Azure logout
+      shell: bash
+      run: |
+        az logout
@@ -1,36 +1,23 @@
 name: configure-goproxy
 author: s.breen
-description: Sets the current Go module proxy based on the presence of a private proxy URL in secrets
-inputs:
-  user:
-    description: Artifactory username secret name
-    required: false
-    default: ""
-  token:
-    description: Artifactory token secret name
-    required: false
-    default: ""
-  url:
-    description: Artifactory URL
-    required: false
-    default: ""
+description: Sets the current Go module proxy based on the presence of a private proxy URL in environment variables.
 runs:
   using: 'composite'
   steps:
     - name: Configure Go Proxy
       id: configure-goproxy
       shell: bash
       run: |
-        if [[ -z "${{ inputs.user }}" ]] || \
-        [[ -z "${{ inputs.token }}" ]] || \
-        [[ -z "${{ inputs.url }}" ]] || \
+        if [[ -z "${{ env.artifactory-user }}" ]] || \
+        [[ -z "${{ env.artifactory-token }}" ]] || \
+        [[ -z "${{ env.artifactory-url-dev }}" ]] || \
         [[ "${{ github.event.pull_request.head.repo.fork }}" == 'true' ]] ||
         [[ "${{ startsWith(github.head_ref, 'dependabot-')}}" == 'true' ]] ; then
           echo "No Artifactory secrets available - using direct GOPROXY"
           GOPROXY_VALUE="direct"
         else
           echo "Development mode - using dev Artifactory"
-          GOPROXY_VALUE="https://${{ inputs.user }}:${{ inputs.token }}@${{ inputs.url }}"
+          GOPROXY_VALUE="https://${{ env.artifactory-user }}:${{ env.artifactory-token }}@${{ env.artifactory-url-dev }}"
         fi
         echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
 
@@ -16,28 +16,6 @@ on:
         type: boolean
         required: false
         default: false
-  workflow_call:
-    inputs:
-      packageVersion:
-        description: 'Agent version'
-        type: string
-        required: true
-      runId:
-        description: 'Run ID of the workflow that built the artifacts'
-        type: string
-        required: false
-      signAssertion:
-        description: 'Sign and store the assertion document'
-        type: boolean
-        required: false
-        default: false
-    secrets:
-      ARTIFACTORY_USER:
-        required: true
-      ARTIFACTORY_TOKEN:
-        required: true
-      ARTIFACTORY_URL:
-        required: true
 
 jobs:
   build-assertion-document:
@@ -94,9 +72,9 @@ jobs:
           builder-id: 'github.com'
           builder-version: '${{env.GO_VERSION}}_test'
           invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
-          artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
-          artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
-          artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
+          artifactory-user: ${{ env.artifactory-user }}
+          artifactory-api-token: ${{ env.artifactory-token }}
+          artifactory-url: ${{ env.artifactory-url }}
           artifactory-repo: 'f5-nginx-go-local-approved-dependency'
           assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json
           build-content-path: ${{ env.goversionm }}