diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 97adb8bedb..cfd9c83f79 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -61,6 +61,26 @@ jobs: ref: ${{ inputs.branch }} fetch-depth: 0 + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets Common Vault + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -81,8 +101,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} if: ${{ inputs.authenticated }} - name: Docker meta diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 97b87ec114..3f77380566 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
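Review bot: The `Setup secrets Common Vault` step splices `${{ secrets.COMMON_KEYVAULT_NAME }}` straight into the shell script and leaves `$GITHUB_OUTPUT` unquoted; passing the vault name through `env:` and double-quoting both keeps the script intact if the value ever contains whitespace or shell metacharacters, and follows GitHub's guidance for expressions inside `run:`. The same step is pasted, under three different names (`Setup secrets Common Vault`, `Setup secrets - Common Vault`, `Setup secrets`), into build-plus, cherry-pick, create-release-branch, dockerhub-description, the three image-promotion scan jobs, oss-release, publish-helm, release-pr, release, update-docker-sha and version-bump; a repo-local composite action taking the secret names as an input would keep the masking and output logic in one place. Note also that `::add-mask::` and the `>> $GITHUB_OUTPUT` line assume a single-line value; a multi-line secret would need the heredoc output form. The job's `permissions` block is outside this hunk, as it is for the build-plus and oss-release hunks, so it is worth confirming each of those jobs already grants `id-token: write` (presumably yes, given the Google Cloud auth step that follows), since azure/login's OIDC exchange fails without it.
```yaml
      - name: Setup secrets Common Vault
        id: secrets-common
        env:
          COMMON_KEYVAULT_NAME: ${{ secrets.COMMON_KEYVAULT_NAME }}
        run: |
          DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name "$COMMON_KEYVAULT_NAME" --query value -o tsv)
          # … unchanged: ::add-mask:: line …
          echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> "$GITHUB_OUTPUT"
          DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name "$COMMON_KEYVAULT_NAME" --query value -o tsv)
          # … unchanged: ::add-mask:: line …
          echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> "$GITHUB_OUTPUT"
        # … unchanged: if: ${{ inputs.authenticated }} …
```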
@@ -94,6 +94,26 @@ jobs: echo $RHEL_CREDS > rhel_license if: ${{ inputs.authenticated }} + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets - Common Vault + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -114,8 +134,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} if: ${{ inputs.authenticated }} - name: NAP modules diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml index b7e08b4558..09d7cc34be 100644 --- a/.github/workflows/cherry-pick.yml +++ b/.github/workflows/cherry-pick.yml 
@@ -13,6 +13,7 @@ jobs: permissions: contents: write pull-requests: write + id-token: write runs-on: ubuntu-24.04 name: Cherry pick into release branch if: ${{ contains(github.event.pull_request.labels.*.name, 'needs cherry pick') && github.event.pull_request.merged == true }} @@ -31,10 +32,25 @@ jobs: echo "branch=${release_branch}" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Cherry pick into ${{ steps.branch.outputs.branch }} uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10 with: branch: ${{ steps.branch.outputs.branch }} - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com> title: "[cherry-pick] {old_title}" diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml index b69f32e96b..7f96f9b914 100644 --- a/.github/workflows/create-release-branch.yml +++ b/.github/workflows/create-release-branch.yml 
@@ -36,12 +36,28 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write steps: - name: Checkout NIC repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{ inputs.source_branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Create new release branch run: | branch="${{ inputs.branch_prefix }}${{ inputs.release_version }}" @@ -66,4 +82,4 @@ jobs: git push --dry-run origin "${branch}" fi env: - GITHUB_TOKEN: ${{ secrets.NGINX_PAT }} + GITHUB_TOKEN: ${{ steps.secrets.outputs.NGINX_PAT }} diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index d73f39a392..8a3c4e0e84 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -17,6 +17,9 @@ permissions: jobs: dockerHubDescription: runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write if: ${{ github.event.repository.fork == false }} steps: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
@@ -25,10 +28,28 @@ jobs: run: | sed -i '3,4d' README.md + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Docker Hub Description uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }} repository: nginx/nginx-ingress short-description: ${{ github.event.repository.description }} diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index fb0a4a30db..0d86402d45 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
@@ -267,14 +267,15 @@ jobs: permissions: contents: write # for pushing to Helm Charts repository packages: write # for helm to push to GHCR + id-token: write secrets: inherit certify-openshift-images: - if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} - name: Certify OpenShift UBI images - runs-on: ubuntu-24.04 - needs: [release-oss] - steps: + if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} + name: Certify OpenShift UBI images + runs-on: ubuntu-24.04 + needs: [release-oss] + steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 @@ -306,18 +307,18 @@ jobs: preflight_version: 1.14.1 scan-docker-oss: - name: Scan ${{ matrix.image }} - runs-on: ubuntu-24.04 - needs: [checks, tag-candidate] - permissions: - contents: read - id-token: write - security-events: write - if: ${{ !cancelled() && !failure() }} - strategy: - fail-fast: false - matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} - steps: + name: Scan ${{ matrix.image }} + runs-on: ubuntu-24.04 + needs: [checks, tag-candidate] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} + steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
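Review bot: The new `id-token: write` under the job that passes `secrets: inherit` to the Helm publish workflow lacks the rationale comment its sibling keys carry (`# for pushing to Helm Charts repository`, `# for helm to push to GHCR`), while the publish-helm.yml hunk at `@@ -64` annotates the same key with `# for OIDC login`; suggest `id-token: write # for azure/login OIDC in the called publish-helm workflow`. The same omission is in the release.yml hunk at `@@ -318`. The remaining lines of this hunk and the `@@ -306` one only re-indent job keys.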
@@ -340,6 +341,24 @@ jobs: tags: | type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -358,8 +377,8 @@ jobs: - name: DockerHub Login for Docker Scout uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} - name: Run Docker Scout vulnerability scanner id: docker-scout 
@@ -386,18 +405,18 @@ jobs: sarif_file: "${{ steps.directory.outputs.directory }}/" scan-docker-plus: - name: Scan ${{ matrix.image }}-${{ matrix.target }} - runs-on: ubuntu-24.04 - needs: [checks, tag-candidate] - permissions: - contents: read - id-token: write - security-events: write - if: ${{ !cancelled() && !failure() }} - strategy: - fail-fast: false - matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} - steps: + name: Scan ${{ matrix.image }}-${{ matrix.target }} + runs-on: ubuntu-24.04 + needs: [checks, tag-candidate] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} + steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
@@ -420,6 +439,24 @@ jobs: tags: | type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets - Common Vault + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -438,8 +475,8 @@ jobs: - name: DockerHub Login for Docker Scout uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} - name: Run Docker Scout vulnerability scanner id: docker-scout 
@@ -466,18 +503,18 @@ jobs: sarif_file: "${{ steps.directory.outputs.directory }}/" scan-docker-nap: - name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }} - runs-on: ubuntu-24.04 - needs: [checks, tag-candidate] - permissions: - contents: read - id-token: write - security-events: write - if: ${{ !cancelled() && !failure() }} - strategy: - fail-fast: false - matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} - steps: + name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }} + runs-on: ubuntu-24.04 + needs: [checks, tag-candidate] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} + steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
@@ -507,6 +544,24 @@ jobs: tags: | type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -525,8 +580,8 @@ jobs: - name: DockerHub Login for Docker Scout uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} - name: Run Docker Scout vulnerability scanner id: docker-scout @@ -554,12 +609,12 @@ jobs: continue-on-error: true update-release-draft: - name: Update Release Draft - runs-on: ubuntu-24.04 - needs: [checks] - permissions: - contents: write - steps: + name: Update Release Draft + runs-on: ubuntu-24.04 + needs: [checks] + permissions: + contents: write + steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index 44dd24a693..235be3817b 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml @@ -185,6 +185,24 @@ jobs: with: ref: ${{ inputs.branch }} + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets Common Vault + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: gcr-auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -203,8 +221,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} - name: Publish images run: | diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml index 22a26c505c..2023b63c4e 100644 --- a/.github/workflows/publish-helm.yml +++ b/.github/workflows/publish-helm.yml 
@@ -64,6 +64,7 @@ jobs: permissions: contents: write # for pushing to Helm Charts repository packages: write # for helm to push to GHCR + id-token: write # for OIDC login steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 @@ -71,6 +72,27 @@ jobs: ref: refs/heads/${{ inputs.branch }} path: kic + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Login to GitHub Container Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: @@ -81,8 +103,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }} - name: Setup Helm uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 
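Review bot: The `Setup secrets` step fetches `nginx-bot-pat` unconditionally, but the only consumer of `steps.secrets.outputs.NGINX_PAT` in this file is the helm-charts checkout guarded by `if: ${{ inputs.nginx_helm_repo }}` (hunk `@@ -106`), so every run that does not push to the nginx Helm repo still pulls a PAT that, judging by that use, can write to another repository, and exposes it as a step output. Moving that lookup into its own step with the same `if:` keeps the PAT out of runs that do not need it; the checkout would then read `token: ${{ steps.nginx-pat.outputs.NGINX_PAT }}`. The DockerHub credential lookups stay in the existing step.
```yaml
      - name: Setup secrets
        id: secrets
        run: |
          # … unchanged: docker-username / docker-password lookups …

      - name: Setup NGINX PAT
        id: nginx-pat
        if: ${{ inputs.nginx_helm_repo }}
        run: |
          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
          echo "::add-mask::$NGINX_PAT"
          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
```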
@@ -106,7 +128,7 @@ jobs: with: repository: nginxinc/helm-charts fetch-depth: 1 - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} path: helm-charts if: ${{ inputs.nginx_helm_repo }} diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index c4556a0fc2..16003edbca 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -57,6 +57,7 @@ jobs: permissions: contents: write pull-requests: write + id-token: write runs-on: ubuntu-24.04 steps: - name: Branch @@ -72,6 +73,21 @@ jobs: ref: ${{ steps.branch.outputs.branch }} token: ${{ secrets.GITHUB_TOKEN }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Replace run: | .github/scripts/release-version-update.sh \ 
@@ -91,14 +107,14 @@ jobs: env: GITHUB_USERNAME: ${{ github.actor }} GITHUB_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com - GITHUB_TOKEN: ${{ secrets.NGINX_PAT }} + GITHUB_TOKEN: ${{ steps.secrets.outputs.NGINX_PAT }} DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }} DEBUG: ${{ inputs.debug && 'true' || 'false' }} - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} commit-message: Release ${{ github.event.inputs.new_version }} title: Release ${{ github.event.inputs.new_version }} branch: docs/release-${{ github.event.inputs.new_version }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 65a9be1afa..c43a001a3d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -318,6 +318,7 @@ jobs: permissions: contents: write # for pushing to Helm Charts repository packages: write # for helm to push to GHCR + id-token: write secrets: inherit certify-openshift-images: 
@@ -366,11 +367,29 @@ jobs: name: Trigger PR for Operator runs-on: ubuntu-24.04 needs: [variables,publish-helm-chart] + permissions: + contents: read + id-token: write steps: + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: - github-token: ${{ secrets.NGINX_PAT }} + github-token: ${{ steps.secrets.outputs.NGINX_PAT }} script: | await github.rest.actions.createWorkflowDispatch({ owner: context.repo.owner, 
@@ -391,11 +410,29 @@ jobs: # name: Trigger PR for GCP Marketplace # runs-on: ubuntu-24.04 # needs: [publish-helm-chart,release-plus-gcr-mktpl] + # permissions: + # contents: read + # id-token: write # steps: + # - name: Azure login + # uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + # with: + # client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + # - name: Setup secrets + # id: secrets + # run: | + # echo "Setting secrets for job" + # NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + # echo "::add-mask::$NGINX_PAT" + # echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + # - name: # uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 # with: - # github-token: ${{ secrets.NGINX_PAT }} + # github-token: ${{ steps.secrets.outputs.NGINX_PAT }} # script: | # await github.rest.actions.createWorkflowDispatch({ # owner: context.repo.owner, 
@@ -412,12 +449,29 @@ jobs: # if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }} # name: Trigger CNAB Build for Azure Marketplace # runs-on: ubuntu-24.04 + # permissions: + # contents: read + # id-token: write # needs: [publish-helm-chart,release-plus-azure-mktpl] # steps: + # - name: Azure login + # uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + # with: + # client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + # - name: Setup secrets + # id: secrets + # run: | + # echo "Setting secrets for job" + # NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + # echo "::add-mask::$NGINX_PAT" + # echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT # - name: # uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 # with: - # github-token: ${{ secrets.NGINX_PAT }} + # github-token: ${{ steps.secrets.outputs.NGINX_PAT }} # script: | # await github.rest.actions.createWorkflowDispatch({ # owner: context.repo.owner, diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml index bcb16a16f4..92dc0c4f43 100644 --- a/.github/workflows/update-docker-sha.yml +++ b/.github/workflows/update-docker-sha.yml @@ -45,6 +45,7 @@ jobs: permissions: contents: write pull-requests: write + id-token: write runs-on: ubuntu-24.04 needs: [vars] steps: 
@@ -74,11 +75,26 @@ jobs: echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT echo $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 id: pr with: - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} commit-message: Update docker images ${{ steps.update_images.outputs.docker_md5 }} title: Docker image update ${{ steps.update_images.outputs.docker_md5 }} branch: deps/image-update-${{ needs.vars.outputs.source_branch }}-${{ steps.update_images.outputs.docker_md5 }} diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index e83e800982..0214f8d68d 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: write pull-requests: write + id-token: write runs-on: ubuntu-24.04 steps: - name: Checkout Repository 
@@ -52,10 +53,25 @@ jobs: run: | make test-update-snaps + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} commit-message: Version Bump for ${{ github.event.inputs.ic_version }} title: Version Bump for ${{ github.event.inputs.ic_version }} branch: chore/version-bump-${{ github.event.inputs.ic_version }}