From 56c37bbd5d4bec5f216d6da28a6dd2132b42b823 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Thu, 6 Nov 2025 12:00:01 +0000 Subject: [PATCH 1/9] Pull AWS secrets from Azure vault --- .github/workflows/build-artifacts.yml | 18 +++++++----------- Makefile | 2 +- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-artifacts.yml b/.github/workflows/build-artifacts.yml index 8dd6b57ecd..7383b8a9e1 100644 --- a/.github/workflows/build-artifacts.yml +++ b/.github/workflows/build-artifacts.yml @@ -91,14 +91,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ inputs.go-path }} GOPROXY: ${{ inputs.go-proxy }} - AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }} - AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }} - AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }} - AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }} - AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }} - AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }} - AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }} - AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }} GORELEASER_CURRENT_TAG: "v${{ inputs.ic-version }}" if: ${{ inputs.force }} @@ -115,6 +107,10 @@ jobs: key: nginx-ingress-${{ inputs.go-md5 }} if: ${{ inputs.force }} + - name: Cleanup netrc + run: rm -f $HOME/.netrc + if: ${{ always() }} + # generate-assertion-doc: # if: ${{ github.event_name != 'pull_request' }} # name: Assertion Doc ${{ matrix.nic.arch }} @@ -190,9 +186,9 @@ jobs: # with: # assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} - - name: Cleanup netrc - run: rm -f $HOME/.netrc - if: ${{ always() }} + #  - name: Cleanup netrc + # run: rm -f $HOME/.netrc + # if: ${{ always() }} build-docker: name: Build Docker OSS diff --git a/Makefile b/Makefile index 7d6164d8fd..d610d08818 100644 --- a/Makefile +++ b/Makefile 
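Review bot: The eight `AWS_*` entries are dropped from this step's `env`, but nothing in the three build-artifacts.yml hunks shows where the build now gets them; the subject says they come from the Azure vault, yet no vault-reading step or replacement env mapping appears in this patch. If the GoReleaser configuration still references these variables they expand to empty strings rather than failing, so confirm the step (its name is outside the hunk; `GORELEASER_CURRENT_TAG` suggests the GoReleaser build) still receives them, e.g. `AWS_PRODUCT_CODE: ${{ steps.secrets.outputs.AWS_PRODUCT_CODE }}` from a step that applies `::add-mask::` to each value before writing it to `$GITHUB_OUTPUT`.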
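Review bot: The third hunk (`@@ -190,9 +186,9 @@`) leaves a commented-out copy of the netrc cleanup step (`#  - name: Cleanup netrc` and the two lines under it) after the live step was moved up in the second hunk; commented-out YAML drifts from the real step and should be deleted outright, since the moved step plus git history already records the change. The comment marker on that line also appears to carry a non-breaking space after `#`, which yamllint's `comments` rule will flag if the block is ever uncommented.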
@@ -140,7 +140,7 @@ endif .PHONY: build-goreleaser build-goreleaser: ## Build Ingress Controller binary using GoReleaser @goreleaser -v || (code=$$?; printf "\033[0;31mError\033[0m: there was a problem with GoReleaser. Follow the docs to install it https://goreleaser.com/install\n"; exit $$code) - GOOS=linux GOPATH=$(shell go env GOPATH) GOARCH=$(strip $(ARCH)) goreleaser build --clean --debug --snapshot --id kubernetes-ingress --single-target + GOOS=$(strip $(GOOS)) GOPATH=$(shell go env GOPATH) GOARCH=$(strip $(ARCH)) goreleaser build --clean --snapshot --id kubernetes-ingress --single-target .PHONY: debian-image debian-image: build ## Create Docker image for Ingress Controller (Debian) From 67e9fb7568143f845aa414ead7bb4b17463f2205 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 7 Nov 2025 15:43:23 +0000 Subject: [PATCH 2/9] Migrate openshift certification secrets to azure secret store --- .github/workflows/certify-ubi-image.yml | 26 +- .github/workflows/image-promotion.yml | 582 +++++++++++---------- .github/workflows/release.yml | 26 +- .github/workflows/update-docker-images.yml | 26 +- 4 files changed, 372 insertions(+), 288 deletions(-) diff --git a/.github/workflows/certify-ubi-image.yml b/.github/workflows/certify-ubi-image.yml index 1e2d1ae945..9fe0e3c3f8 100644 --- a/.github/workflows/certify-ubi-image.yml +++ b/.github/workflows/certify-ubi-image.yml 
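Review bot: `GOOS=$(strip $(GOOS))` replaces the hard-coded `linux`, but if `GOOS` is not assigned anywhere in the Makefile (its variable block is outside this hunk) the recipe now exports an empty `GOOS=`, and with `--single-target` goreleaser presumably falls back to the host OS, so a macOS developer silently gets a darwin binary where the old line always produced linux. A default such as `GOOS ?= linux` beside the other variable defaults, or `GOOS=$(or $(strip $(GOOS)),linux)` in the recipe, keeps the previous behaviour when the variable is unset. The `--debug` flag is also dropped on the same line and the commit message does not mention it, so confirm that is intended.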
@@ -34,16 +34,38 @@ jobs: certify-ubi-images: name: Certify OpenShift UBI images runs-on: ubuntu-24.04 + environment: access + permissions: + contents: read + id-token: write steps: - name: Checkout uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting PyAxis secrets for authenticated build" + PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_TOKEN" + echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT + PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" + echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image with: image: ${{ inputs.image }} - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} preflight_version: ${{ inputs.preflight_version }} submit: ${{ inputs.submit || true }} platforms: ${{ inputs.platforms }} diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 4dc5d58148..200d9b8b8f 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
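Review bot: `${{ secrets.NIC_KEYVAULT_NAME }}` is interpolated straight into the `run:` script of `Setup secrets`, and neither `az keyvault secret show` result is checked for an empty value before it is masked and written to `$GITHUB_OUTPUT`, so an empty secret produces a no-op `::add-mask::` and a later, less obvious failure in the certify step. Passing the vault name through `env:` keeps expression expansion out of the shell text and lets the script quote it, and a non-empty guard after each fetch fails at the source of the problem; the rewritten step is below. This Azure-login/Setup-secrets pair is copied verbatim into image-promotion.yml (`@@ -278`), release.yml (`@@ -331`) and update-docker-images.yml (`@@ -172`); a composite action beside the existing `./.github/actions/certify-openshift-image` would keep the four copies in sync. The step also spells the tool `PyAxis`/`PYAXIS` while the action input is `pyxis_token` and the replaced secret was `PYXIS_API_TOKEN`; the output names are internal, so aligning them on `PYXIS` is cheap now and harder later.
```yaml
      - name: Setup secrets
        id: secrets
        env:
          KEYVAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        run: |
          echo "Setting PyAxis secrets for authenticated build"
          PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name "$KEYVAULT_NAME" --query value -o tsv)
          [ -n "$PYAXIS_TOKEN" ] || { echo "nic-pyaxis-token is empty"; exit 1; }
          echo "::add-mask::$PYAXIS_TOKEN"
          echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> "$GITHUB_OUTPUT"
          # … unchanged: same fetch, guard, mask and output for nic-pyaxis-certification-pid …
```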
@@ -178,96 +178,96 @@ jobs: pull-requests: write # for scout report tag-stable: - name: Tag build image as stable - needs: [checks, build-artifacts] - permissions: - contents: read # To checkout repository - id-token: write # To sign into Google Container Registry - uses: ./.github/workflows/retag-images.yml - with: - source_tag: ${{ needs.checks.outputs.build_tag }} - target_tag: ${{ needs.checks.outputs.stable_tag }} - dry_run: false - secrets: inherit + name: Tag build image as stable + needs: [checks, build-artifacts] + permissions: + contents: read # To checkout repository + id-token: write # To sign into Google Container Registry + uses: ./.github/workflows/retag-images.yml + with: + source_tag: ${{ needs.checks.outputs.build_tag }} + target_tag: ${{ needs.checks.outputs.stable_tag }} + dry_run: false + secrets: inherit tag-candidate: - # pushes edge or release images to gcr/dev - # for main: this keeps a copy of edge in gcr/dev - # for release-*: this stages a release candidate in gcr/dev which can be used for release promotion - name: Tag tested image as stable - needs: - - checks - - build-artifacts - - tag-stable - permissions: - contents: read # To checkout repository - id-token: write # To sign into Google Container Registry - uses: ./.github/workflows/retag-images.yml - with: - source_tag: ${{ needs.checks.outputs.stable_tag }} - target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || needs.checks.outputs.additional_tag }} - dry_run: false - secrets: inherit - if: ${{ !cancelled() && !failure() }} + # pushes edge or release images to gcr/dev + # for main: this keeps a copy of edge in gcr/dev + # for release-*: this stages a release candidate in gcr/dev which can be used for release promotion + name: Tag tested image as stable + needs: + - checks + - build-artifacts + - tag-stable + permissions: + contents: read # To checkout repository + id-token: write # To sign into Google Container Registry + uses: 
./.github/workflows/retag-images.yml + with: + source_tag: ${{ needs.checks.outputs.stable_tag }} + target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || needs.checks.outputs.additional_tag }} + dry_run: false + secrets: inherit + if: ${{ !cancelled() && !failure() }} release-oss: - # pushes edge images to docker hub - if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} - name: Release Docker OSS - needs: [checks, build-artifacts] - uses: ./.github/workflows/oss-release.yml - with: - gcr_release_registry: false - ecr_public_registry: true - dockerhub_public_registry: true - quay_public_registry: true - github_public_registry: true - source_tag: ${{ needs.checks.outputs.stable_tag }} - target_tag: "edge" - branch: ${{ github.ref_name }} - dry_run: false - permissions: - contents: read - id-token: write - packages: write - secrets: inherit + # pushes edge images to docker hub + if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} + name: Release Docker OSS + needs: [checks, build-artifacts] + uses: ./.github/workflows/oss-release.yml + with: + gcr_release_registry: false + ecr_public_registry: true + dockerhub_public_registry: true + quay_public_registry: true + github_public_registry: true + source_tag: ${{ needs.checks.outputs.stable_tag }} + target_tag: "edge" + branch: ${{ github.ref_name }} + dry_run: false + permissions: + contents: read + id-token: write + packages: write + secrets: inherit release-plus: - # pushes plus edge images to nginx registry - if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} - name: Release Docker Plus - needs: [checks, build-artifacts] - uses: ./.github/workflows/plus-release.yml - with: - nginx_registry: true - gcr_release_registry: false - gcr_mktpl_registry: false - ecr_mktpl_registry: false - az_mktpl_registry: false - source_tag: ${{ 
needs.checks.outputs.stable_tag }} - target_tag: "edge" - branch: ${{ github.ref_name }} - dry_run: false - permissions: - contents: read - id-token: write - secrets: inherit + # pushes plus edge images to nginx registry + if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} + name: Release Docker Plus + needs: [checks, build-artifacts] + uses: ./.github/workflows/plus-release.yml + with: + nginx_registry: true + gcr_release_registry: false + gcr_mktpl_registry: false + ecr_mktpl_registry: false + az_mktpl_registry: false + source_tag: ${{ needs.checks.outputs.stable_tag }} + target_tag: "edge" + branch: ${{ github.ref_name }} + dry_run: false + permissions: + contents: read + id-token: write + secrets: inherit publish-helm-chart: - if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} - name: Publish Helm Chart - needs: [checks] - uses: ./.github/workflows/publish-helm.yml - with: - branch: ${{ github.ref_name }} - ic_version: edge - chart_version: 0.0.0-edge - nginx_helm_repo: false - runner: "ubuntu-24.04-amd64" - permissions: - contents: write # for pushing to Helm Charts repository - packages: write # for helm to push to GHCR - secrets: inherit + if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} + name: Publish Helm Chart + needs: [checks] + uses: ./.github/workflows/publish-helm.yml + with: + branch: ${{ github.ref_name }} + ic_version: edge + chart_version: 0.0.0-edge + nginx_helm_repo: false + runner: "ubuntu-24.04-amd64" + permissions: + contents: write # for pushing to Helm Charts repository + packages: write # for helm to push to GHCR + secrets: inherit certify-openshift-images: if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} 
@@ -278,14 +278,32 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - name: Certify UBI OSS images in quay - uses: ./.github/actions/certify-openshift-image - continue-on-error: true - with: - image: quay.io/nginx/nginx-ingress:edge-ubi - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} - preflight_version: 1.14.1 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting PyAxis secrets for authenticated build" + PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_TOKEN" + echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT + PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" + echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + + - name: Certify UBI OSS images in quay + uses: ./.github/actions/certify-openshift-image + continue-on-error: true + with: + image: quay.io/nginx/nginx-ingress:edge-ubi + project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + preflight_version: 1.14.1 scan-docker-oss: name: Scan ${{ matrix.image }} 
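Review bot: The new `Azure login` step depends on the job granting `id-token: write` for the OIDC exchange, and unlike the other three workflows in this patch no `permissions:` or `environment: access` addition is visible for `certify-openshift-images`; the job header sits in the unchanged lines between this hunk and the previous one, so confirm it (or a workflow-level `permissions:` block) already grants `id-token: write` and that the federated credential's subject still matches without the `access` environment. Note also that only `Certify UBI OSS images in quay` keeps `continue-on-error: true`; a vault login or secret-fetch failure now fails the whole job, where before the certification was best-effort, and the same applies to the release.yml hunk at `@@ -331`.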
@@ -303,64 +321,64 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - name: Make directory for security scan results - id: directory - run: | - directory=${{ matrix.image }}-results - echo "directory=${directory}" >> $GITHUB_OUTPUT - mkdir -p "${directory}" + - name: Make directory for security scan results + id: directory + run: | + directory=${{ matrix.image }}-results + echo "directory=${directory}" >> $GITHUB_OUTPUT + mkdir -p "${directory}" - - name: Docker meta - id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 - with: - context: workflow - images: | - name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress - flavor: | - suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }} - tags: | - type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 - with: - token_format: access_token - workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + - name: Docker meta + id: meta + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + with: + context: workflow + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress + flavor: | + suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }} + tags: | + type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} - - name: Login to GCR - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - registry: gcr.io - username: oauth2accesstoken - password: ${{ steps.auth.outputs.access_token }} + - name: Authenticate to 
Google Cloud + id: auth + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - - name: DockerHub Login for Docker Scout - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to GCR + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} - - name: Run Docker Scout vulnerability scanner - id: docker-scout - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 - with: - command: cves - image: ${{ steps.meta.outputs.tags }} - ignore-base: true - sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" - write-comment: false - github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment - summary: true - - - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" - path: "${{ steps.directory.outputs.directory }}/" - overwrite: true + - name: DockerHub Login for Docker Scout + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Run Docker Scout vulnerability scanner + id: docker-scout + uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 + with: + command: cves + image: ${{ steps.meta.outputs.tags }} + ignore-base: true + sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" + write-comment: false + github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write 
the comment + summary: true + + - name: Upload Scan Results to Github Artifacts + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" + path: "${{ steps.directory.outputs.directory }}/" + overwrite: true - name: Upload Scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 
@@ -383,64 +401,64 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - name: Make directory for security scan results - id: directory - run: | - directory=${{ matrix.image }}-${{ matrix.target }}-results - echo "directory=${directory}" >> $GITHUB_OUTPUT - mkdir -p "${directory}" + - name: Make directory for security scan results + id: directory + run: | + directory=${{ matrix.image }}-${{ matrix.target }}-results + echo "directory=${directory}" >> $GITHUB_OUTPUT + mkdir -p "${directory}" - - name: Docker meta - id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 - with: - context: workflow - images: | - name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress - flavor: | - suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} - tags: | - type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 - with: - token_format: access_token - workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + - name: Docker meta + id: meta + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + with: + context: workflow + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress + flavor: | + suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} + tags: | + type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 
'edge' || github.ref_name }} - - name: Login to GCR - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - registry: gcr.io - username: oauth2accesstoken - password: ${{ steps.auth.outputs.access_token }} + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - - name: DockerHub Login for Docker Scout - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to GCR + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} - - name: Run Docker Scout vulnerability scanner - id: docker-scout - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 - with: - command: cves - image: ${{ steps.meta.outputs.tags }} - ignore-base: true - sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" - write-comment: false - github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment - summary: true - - - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" - path: "${{ steps.directory.outputs.directory }}/" - overwrite: true + - name: DockerHub Login for Docker Scout + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Run Docker Scout vulnerability scanner + id: docker-scout + uses: 
docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 + with: + command: cves + image: ${{ steps.meta.outputs.tags }} + ignore-base: true + sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" + write-comment: false + github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment + summary: true + + - name: Upload Scan Results to Github Artifacts + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" + path: "${{ steps.directory.outputs.directory }}/" + overwrite: true - name: Upload Scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 
@@ -463,71 +481,71 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - name: NAP modules - id: nap_modules - run: | - [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}" - echo "name=${name}" >> $GITHUB_OUTPUT - if: ${{ matrix.nap_modules != '' }} - - - name: Make directory for security scan results - id: directory - run: | - directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results - echo "directory=${directory}" >> $GITHUB_OUTPUT - mkdir -p "${directory}" - - - name: Docker meta - id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 - with: - context: workflow - images: | - name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress - flavor: | - suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} - tags: | - type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 - with: - token_format: access_token - workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + - name: NAP modules + id: nap_modules + run: | + [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}" + echo "name=${name}" >> $GITHUB_OUTPUT + if: ${{ matrix.nap_modules != '' }} - - name: Login to GCR - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # 
v3.6.0 - with: - registry: gcr.io - username: oauth2accesstoken - password: ${{ steps.auth.outputs.access_token }} + - name: Make directory for security scan results + id: directory + run: | + directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results + echo "directory=${directory}" >> $GITHUB_OUTPUT + mkdir -p "${directory}" - - name: DockerHub Login for Docker Scout - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + - name: Docker meta + id: meta + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + with: + context: workflow + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress + flavor: | + suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} + tags: | + type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} - - name: Run Docker Scout vulnerability scanner - id: docker-scout - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 - with: - command: cves - image: ${{ steps.meta.outputs.tags }} - ignore-base: true - sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" - write-comment: false - github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment - summary: true - - - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" - path: "${{ 
steps.directory.outputs.directory }}/" - overwrite: true + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: DockerHub Login for Docker Scout + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Run Docker Scout vulnerability scanner + id: docker-scout + uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 + with: + command: cves + image: ${{ steps.meta.outputs.tags }} + ignore-base: true + sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" + write-comment: false + github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment + summary: true + + - name: Upload Scan Results to Github Artifacts + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" + path: "${{ steps.directory.outputs.directory }}/" + overwrite: true - name: Upload Scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 
@@ -545,25 +563,25 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - name: Create/Update Draft - uses: lucacome/draft-release@45e4395a3d8463abdb1747b20445b9be16ef6409 # v2.0.1 - id: release-notes - with: - minor-label: "enhancement" - major-label: "change" - publish: false - collapse-after: 50 - variables: | - helm-chart=${{ needs.checks.outputs.chart_version }} - notes-footer: | - ## Upgrade - - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). - - For NGINX Plus, use the {{version}} images from the F5 Container registry or build your own image using the {{version}} source code. - - For Helm, use version {{helm-chart}} of the chart. 
- - ## Resources - - Documentation -- https://docs.nginx.com/nginx-ingress-controller/ - - Configuration examples -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/examples - - Helm Chart -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/deployments/helm-chart - - Operator -- https://github.com/nginx/nginx-ingress-helm-operator - if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }} + - name: Create/Update Draft + uses: lucacome/draft-release@45e4395a3d8463abdb1747b20445b9be16ef6409 # v2.0.1 + id: release-notes + with: + minor-label: "enhancement" + major-label: "change" + publish: false + collapse-after: 50 + variables: | + helm-chart=${{ needs.checks.outputs.chart_version }} + notes-footer: | + ## Upgrade + - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). + - For NGINX Plus, use the {{version}} images from the F5 Container registry or build your own image using the {{version}} source code. + - For Helm, use version {{helm-chart}} of the chart. + + ## Resources + - Documentation -- https://docs.nginx.com/nginx-ingress-controller/ + - Configuration examples -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/examples + - Helm Chart -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/deployments/helm-chart + - Operator -- https://github.com/nginx/nginx-ingress-helm-operator + if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 23d9dceaa9..1a7aaf21ee 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -324,6 +324,10 @@ jobs: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }} name: Certify OpenShift UBI images runs-on: ubuntu-24.04 + environment: access + permissions: + contents: read + id-token: write needs: [release-oss] steps: - name: Checkout Repository @@ -331,13 +335,31 @@ jobs: with: ref: ${{ inputs.release_branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting PyAxis secrets for authenticated build" + PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_TOKEN" + echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT + PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" + echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image continue-on-error: true with: image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} preflight_version: 1.14.1 operator: diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 7087250626..2b668c50d4 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml 
@@ -172,17 +172,39 @@ jobs: certify-openshift-images: name: Certify OpenShift UBI images runs-on: ubuntu-24.04 + environment: access + permissions: + contents: read + id-token: write needs: [variables, release-oss-public] steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting PyAxis secrets for authenticated build" + PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_TOKEN" + echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT + PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" + echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image with: image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} platforms: "" preflight_version: 1.14.1 submit: ${{ ! inputs.dry_run || true }} From 85b18d5eb5b67e6fd5d1eef6f2d9a459698a4f38 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Fri, 7 Nov 2025 16:33:06 +0000 Subject: [PATCH 3/9] Add Plus JWT to secure secret store --- .github/workflows/ci.yml | 22 +++++++++- .github/workflows/regression.yml | 40 ++++++++++++++++++- .github/workflows/setup-smoke.yml | 22 +++++++++- .github/workflows/single-image-regression.yml | 18 +++++++++ 4 files changed, 98 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 99be88341a..963230aa84 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -431,6 +431,7 @@ jobs: if: ${{ needs.checks.outputs.docs_only != 'true' && (inputs.run_tests && inputs.run_tests || true) }} name: Helm Tests ${{ matrix.base-os }} runs-on: ubuntu-24.04 + environment: access needs: [checks, build-artifacts] strategy: fail-fast: false @@ -456,6 +457,25 @@ jobs: with: version: 'v3.18.6' + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ needs.checks.outputs.forked_workflow != 'true' }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + if: ${{ needs.checks.outputs.forked_workflow != 'true' }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
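Review bot: The helm-tests job gains `environment: access` but no job-level `permissions:` block, while the `Azure login` step added in the next hunk authenticates with `client-id`/`tenant-id`/`subscription-id` only, i.e. via OIDC, which needs `id-token: write`. Unless the workflow's top-level permissions (not visible here) already grant it, the login will fail; release.yml and update-docker-images.yml in this series set it explicitly, so for consistency add `permissions:` / `contents: read` / `id-token: write` under the job. The same omission applies to the helm-tests and regression-tests jobs in regression.yml.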
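Review bot: `PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt')` leaves the JSON unquoted, so the shell word-splits and glob-expands it before jq sees it, and `jq -r` prints the literal string `null` with exit status 0 when the `.jwt` key is absent, so a mis-shaped vault entry yields `PLUS_JWT=null` instead of a failed step; the `Create Plus Secret` step in the next hunk then installs that string as the license. Prefer `PLUS_JWT=$(jq -r '.jwt // empty' <<< "$PLUS_CREDS")` followed by `[ -n "$PLUS_JWT" ] || { echo "plus-cred has no .jwt field" >&2; exit 1; }` so an empty or missing token fails here, where the cause is visible. The identical step is added to regression.yml (two jobs), setup-smoke.yml and single-image-regression.yml; apply the same change there. The `::add-mask::` lines are correctly placed before either value is echoed anywhere.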
@@ -525,7 +545,7 @@ jobs: if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Create Plus Secret - run: kubectl create secret generic license-token --from-literal=license.jwt="${{ secrets.PLUS_JWT }}" --type="nginx.com/license" + run: kubectl create secret generic license-token --from-literal=license.jwt="${{ steps.secrets.outputs.PLUS_JWT }}" --type="nginx.com/license" if: ${{ matrix.type == 'plus' && steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Install Chart diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index bbf824f140..3eb52716d0 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -130,6 +130,7 @@ jobs: helm-tests: name: Helm Tests ${{ matrix.base-os }} runs-on: ubuntu-24.04 + environment: access needs: [checks] strategy: fail-fast: false @@ -157,6 +158,23 @@ jobs: with: version: 'v3.18.6' + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
@@ -183,7 +201,7 @@ jobs: kind load docker-image "${{ matrix.image }}:${{ matrix.tag }}" --name ${{ github.run_id }} - name: Create Plus Secret - run: kubectl create secret generic license-token --from-literal=license.jwt="${{ secrets.PLUS_JWT }}" --type="nginx.com/license" + run: kubectl create secret generic license-token --from-literal=license.jwt="${{ steps.secrets.outputs.PLUS_JWT }}" --type="nginx.com/license" - name: Install Chart run: > @@ -246,6 +264,7 @@ jobs: regression-tests: name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} regression tests runs-on: ubuntu-24.04 + environment: access needs: [checks, setup-regression-matrix] strategy: fail-fast: false 
@@ -265,6 +284,23 @@ jobs: echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.images.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.images.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.images.image, 'v5') && '-v5' || '' }}/nginx${{ contains(matrix.images.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT echo "tag=${{ needs.checks.outputs.stable_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -308,7 +344,7 @@ jobs: label: ${{ matrix.images.label }} registry-token: ${{ steps.auth.outputs.access_token }} test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt', './tests/Dockerfile') || 'latest' }}" - plus-jwt: ${{ secrets.PLUS_JWT }} + plus-jwt: ${{ steps.secrets.outputs.PLUS_JWT }} - name: Upload Test Results uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 7f4deec436..dfcd54b416 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -46,6 +46,7 @@ permissions: jobs: setup-smoke: + environment: access permissions: contents: read # for docker/build-push-action to read repo content id-token: write # for OIDC login to GCR @@ -61,6 +62,25 @@ jobs: echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
@@ -167,7 +187,7 @@ jobs: k8s-version: ${{ inputs.k8s-version }} registry-token: ${{ steps.auth.outputs.access_token }} test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt', './tests/Dockerfile') || 'latest' }}" - plus-jwt: ${{ secrets.PLUS_JWT }} + plus-jwt: ${{ steps.secrets.outputs.PLUS_JWT }} if: ${{ steps.stable_exists.outputs.exists != 'true' }} - name: Upload Test Results diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index 58d9d233e9..69fbc42538 100644 --- a/.github/workflows/single-image-regression.yml +++ b/.github/workflows/single-image-regression.yml @@ -66,6 +66,7 @@ jobs: checks: name: Run regression runs-on: ubuntu-24.04 + environment: access permissions: contents: read id-token: write @@ -73,6 +74,23 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 From ff9237f65106e0d0b9bc73db555b9cc3336de366 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Fri, 7 Nov 2025 16:40:31 +0000 Subject: [PATCH 4/9] Adjust wording --- .github/workflows/certify-ubi-image.yml | 2 +- .github/workflows/ci.yml | 2 +- .github/workflows/image-promotion.yml | 2 +- .github/workflows/regression.yml | 4 ++-- .github/workflows/release.yml | 2 +- .github/workflows/setup-smoke.yml | 2 +- .github/workflows/single-image-regression.yml | 2 +- .github/workflows/update-docker-images.yml | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/certify-ubi-image.yml b/.github/workflows/certify-ubi-image.yml index 9fe0e3c3f8..c28d1cc803 100644 --- a/.github/workflows/certify-ubi-image.yml +++ b/.github/workflows/certify-ubi-image.yml @@ -52,7 +52,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting PyAxis secrets for authenticated build" + echo "Setting secrets for job" PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PYAXIS_TOKEN" echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 963230aa84..6612a8c899 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -468,7 +468,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 200d9b8b8f..9f764bc811 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
@@ -288,7 +288,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting PyAxis secrets for authenticated build" + echo "Setting secrets for job" PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PYAXIS_TOKEN" echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 3eb52716d0..2ce31f1b93 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -168,7 +168,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') @@ -294,7 +294,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1a7aaf21ee..7c4bc419a7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -345,7 +345,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting PyAxis secrets for authenticated build" + echo "Setting secrets for job" PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PYAXIS_TOKEN" echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index dfcd54b416..4db61ebfb9 100644 --- a/.github/workflows/setup-smoke.yml 
+++ b/.github/workflows/setup-smoke.yml @@ -73,7 +73,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index 69fbc42538..15aac53458 100644 --- a/.github/workflows/single-image-regression.yml +++ b/.github/workflows/single-image-regression.yml @@ -84,7 +84,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 2b668c50d4..83f8b1a047 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -191,7 +191,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting PyAxis secrets for authenticated build" + echo "Setting secrets for job" PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PYAXIS_TOKEN" echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT From 972a957338e454a0b3edb4e64f5a062ee6d94469 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Mon, 10 Nov 2025 09:14:04 +0000 Subject: [PATCH 5/9] Address copilot feedback --- .../actions/certify-openshift-image/action.yml | 2 +- .github/workflows/certify-ubi-image.yml | 16 ++++++++-------- .github/workflows/ci.yml | 2 +- .github/workflows/image-promotion.yml | 16 ++++++++-------- .github/workflows/regression.yml | 4 ++-- .github/workflows/release.yml | 16 ++++++++-------- .github/workflows/setup-smoke.yml | 2 +- .github/workflows/single-image-regression.yml | 2 +- .github/workflows/update-docker-images.yml | 16 ++++++++-------- 9 files changed, 38 insertions(+), 38 deletions(-) diff --git a/.github/actions/certify-openshift-image/action.yml b/.github/actions/certify-openshift-image/action.yml index f7faa8849b..1c337a237a 100644 --- a/.github/actions/certify-openshift-image/action.yml +++ b/.github/actions/certify-openshift-image/action.yml @@ -20,7 +20,7 @@ inputs: required: false default: "amd64,arm64" submit: - description: Submit results to Redhat PYAXIS + description: Submit results to Redhat PYXIS required: false default: true diff --git a/.github/workflows/certify-ubi-image.yml b/.github/workflows/certify-ubi-image.yml index c28d1cc803..e346fc1bc5 100644 --- a/.github/workflows/certify-ubi-image.yml +++ b/.github/workflows/certify-ubi-image.yml 
@@ -53,19 +53,19 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_TOKEN" - echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT - PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" - echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image with: image: ${{ inputs.image }} - project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} preflight_version: ${{ inputs.preflight_version }} submit: ${{ inputs.submit || true }} platforms: ${{ inputs.platforms }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6612a8c899..6fbba7fdc0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -469,7 +469,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 9f764bc811..fc4c0b478a 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
@@ -289,20 +289,20 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_TOKEN" - echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT - PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" - echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image continue-on-error: true with: image: quay.io/nginx/nginx-ingress:edge-ubi - project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} preflight_version: 1.14.1 scan-docker-oss: diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 2ce31f1b93..cabda23ae3 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml 
@@ -169,7 +169,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" @@ -295,7 +295,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7c4bc419a7..6cc1a7b8a6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -346,20 +346,20 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_TOKEN" - echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT - PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" - echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image continue-on-error: true with: image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi - project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} preflight_version: 1.14.1 operator: diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 4db61ebfb9..43d3ae460a 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml 
@@ -74,7 +74,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index 15aac53458..3b48742aa8 100644 --- a/.github/workflows/single-image-regression.yml +++ b/.github/workflows/single-image-regression.yml @@ -85,7 +85,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 83f8b1a047..07c04b059d 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml 
@@ -192,19 +192,19 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_TOKEN" - echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT - PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" - echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image with: image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi - project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} platforms: "" preflight_version: 1.14.1 submit: ${{ ! inputs.dry_run || true }} From 1e6820c90ca111da68f80685b2bba3f1979fdb9a Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Mon, 10 Nov 2025 10:49:40 +0000 Subject: [PATCH 6/9] Remove access environment --- .github/workflows/certify-ubi-image.yml | 1 - .github/workflows/ci.yml | 1 - .github/workflows/regression.yml | 2 -- .github/workflows/release.yml | 1 - .github/workflows/setup-smoke.yml | 1 - .github/workflows/single-image-regression.yml | 1 - .github/workflows/update-docker-images.yml | 1 - 7 files changed, 8 deletions(-) diff --git a/.github/workflows/certify-ubi-image.yml b/.github/workflows/certify-ubi-image.yml index e346fc1bc5..81bd2154f5 100644 --- a/.github/workflows/certify-ubi-image.yml +++ b/.github/workflows/certify-ubi-image.yml @@ -34,7 +34,6 @@ jobs: certify-ubi-images: name: Certify OpenShift UBI images runs-on: ubuntu-24.04 - environment: access permissions: contents: read id-token: write diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6fbba7fdc0..f768653ab5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -431,7 +431,6 @@ jobs: if: ${{ needs.checks.outputs.docs_only != 'true' && (inputs.run_tests && inputs.run_tests || true) }} name: Helm Tests ${{ matrix.base-os }} runs-on: ubuntu-24.04 - environment: access needs: [checks, build-artifacts] strategy: fail-fast: false diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index cabda23ae3..646a6b8685 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -130,7 +130,6 @@ jobs: helm-tests: name: Helm Tests ${{ matrix.base-os }} runs-on: ubuntu-24.04 - environment: access needs: [checks] strategy: fail-fast: false @@ -264,7 +263,6 @@ jobs: regression-tests: name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} regression tests runs-on: ubuntu-24.04 - environment: access needs: [checks, setup-regression-matrix] strategy: fail-fast: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6cc1a7b8a6..65a9be1afa 100644 
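Review bot: Dropping `environment: access` from the certify-ubi-images job changes the `sub` claim of the OIDC token that `azure/login` presents: with an environment it has the form `repo:<owner>/<repo>:environment:access`, without one it becomes the `ref:` or `pull_request` form, so an Azure federated credential that was created for the `access` environment will stop matching unless a credential for the new subject pattern exists (not visible here). It also removes any deployment-protection rules the environment applied to vault access, so every run that reaches this job can now obtain a token for the vault identity; confirm that is intended, and that `AZURE_VAULT_*` and `NIC_KEYVAULT_NAME` are defined as repository secrets rather than environment secrets. The same removal is made in ci.yml, regression.yml (both jobs), release.yml, setup-smoke.yml, single-image-regression.yml and update-docker-images.yml.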
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -324,7 +324,6 @@ jobs: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }} name: Certify OpenShift UBI images runs-on: ubuntu-24.04 - environment: access permissions: contents: read id-token: write diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 43d3ae460a..17cb53f0e8 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -46,7 +46,6 @@ permissions: jobs: setup-smoke: - environment: access permissions: contents: read # for docker/build-push-action to read repo content id-token: write # for OIDC login to GCR diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index 3b48742aa8..5bf1d5126a 100644 --- a/.github/workflows/single-image-regression.yml +++ b/.github/workflows/single-image-regression.yml @@ -66,7 +66,6 @@ jobs: checks: name: Run regression runs-on: ubuntu-24.04 - environment: access permissions: contents: read id-token: write diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 07c04b059d..be441304ab 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -172,7 +172,6 @@ jobs: certify-openshift-images: name: Certify OpenShift UBI images runs-on: ubuntu-24.04 - environment: access permissions: contents: read id-token: write From 6f21586222f321ba175953de2e6204977b3938e9 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Tue, 11 Nov 2025 14:22:52 +0000 Subject: [PATCH 7/9] Update plus jwt in single regression --- .github/workflows/single-image-regression.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index 5bf1d5126a..f5ddc4f947 100644 
--- a/.github/workflows/single-image-regression.yml
+++ b/.github/workflows/single-image-regression.yml
@@ -139,4 +139,4 @@ jobs:
 k8s-version: ${{ inputs.k8s-version }}
 registry-token: ${{ steps.auth.outputs.access_token }}
 test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt', './tests/Dockerfile') }}"
- plus-jwt: ${{ secrets.PLUS_JWT }}
+ plus-jwt: ${{ steps.secrets.outputs.PLUS_JWT }}
From e59ef542abc70d3270de09c385fbba4dc1b55df0 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 12 Nov 2025 14:16:45 +0000
Subject: [PATCH 8/9] remove more aws variables
---
 .github/workflows/build-single-image.yml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml
index db2705dd26..c015e987cc 100644
--- a/.github/workflows/build-single-image.yml
+++ b/.github/workflows/build-single-image.yml
@@ -107,14 +107,6 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GOPATH: ${{ steps.vars.outputs.go_path }}
- AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
- AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
- AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
- AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
- AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
- AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
- AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
- AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
 GORELEASER_CURRENT_TAG: "v${{ steps.vars.outputs.ic_version }}"
 if: ${{ steps.binary-cache.outputs.binary_cache_hit != 'true' }}
From 0550590f01350840cd186016436d5422724938d2 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 19 Nov 2025 14:59:23 +0000
Subject: [PATCH 9/9] Correct indentiation
---
 .github/workflows/image-promotion.yml | 46 +++++++++++++--------------
 1 file changed, 23 insertions(+), 23 deletions(-)
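Review bot: The new `plus-jwt: ${{ steps.secrets.outputs.PLUS_JWT }}` is only redacted in the job log if the step with `id: secrets` registered the value with `::add-mask::` before writing its output; `secrets.PLUS_JWT`, which it replaces, was masked automatically, whereas a step output has no such guarantee. That producing step lies outside this hunk, so confirm it masks the value (or add `echo "::add-mask::$PLUS_JWT"` before the `>> "$GITHUB_OUTPUT"` write), because the value also becomes an action input that the runner prints in the step's `with:` header and exposes as `INPUT_PLUS_JWT` to every step of the called action. If the callee is a reusable workflow rather than a composite action, pass it through the `secrets:` map instead of `with:`, which keeps GitHub's masking; a composite action has no such channel, so masking at the source is the only protection. The enclosing job and the step it references start outside the hunk.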
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index fc4c0b478a..fb0a4a30db 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -275,8 +275,8 @@ jobs: runs-on: ubuntu-24.04 needs: [release-oss] steps: - - name: Checkout Repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Azure login uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 @@ -318,8 +318,8 @@ jobs: fail-fast: false matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} steps: - - name: Checkout Repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Make directory for security scan results id: directory @@ -380,10 +380,10 @@ jobs: path: "${{ steps.directory.outputs.directory }}/" overwrite: true - - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 - with: - sarif_file: "${{ steps.directory.outputs.directory }}/" + - name: Upload Scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 + with: + sarif_file: "${{ steps.directory.outputs.directory }}/" scan-docker-plus: name: Scan ${{ matrix.image }}-${{ matrix.target }} @@ -398,8 +398,8 @@ jobs: fail-fast: false matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} steps: - - name: Checkout Repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Make directory for security scan results id: directory 
@@ -460,10 +460,10 @@ jobs: path: "${{ steps.directory.outputs.directory }}/" overwrite: true - - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 - with: - sarif_file: "${{ steps.directory.outputs.directory }}/" + - name: Upload Scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 + with: + sarif_file: "${{ steps.directory.outputs.directory }}/" scan-docker-nap: name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }} @@ -478,8 +478,8 @@ jobs: fail-fast: false matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} steps: - - name: Checkout Repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: NAP modules id: nap_modules @@ -547,11 +547,11 @@ jobs: path: "${{ steps.directory.outputs.directory }}/" overwrite: true - - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 - with: - sarif_file: "${{ steps.directory.outputs.directory }}/" - continue-on-error: true + - name: Upload Scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 + with: + sarif_file: "${{ steps.directory.outputs.directory }}/" + continue-on-error: true update-release-draft: name: Update Release Draft @@ -560,8 +560,8 @@ jobs: permissions: contents: write steps: - - name: Checkout Repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Create/Update Draft uses: lucacome/draft-release@45e4395a3d8463abdb1747b20445b9be16ef6409 # v2.0.1