From f24725522a624a34b3520fed5d488a247dc3dac2 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 12 Nov 2025 11:34:59 +0000 Subject: [PATCH 1/5] Migrate docker credentials to Azure Vault --- .github/workflows/build-oss.yml | 24 ++- .github/workflows/build-plus.yml | 24 ++- .github/workflows/dockerhub-description.yml | 25 ++- .github/workflows/image-promotion.yml | 218 ++++++++++++-------- .github/workflows/oss-release.yml | 22 +- .github/workflows/publish-helm.yml | 23 ++- 6 files changed, 244 insertions(+), 92 deletions(-) diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 97adb8bedb..d1a8bf8506 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -61,6 +61,26 @@ jobs: ref: ${{ inputs.branch }} fetch-depth: 0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
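Review bot: The `Setup secrets` step writes each value with `echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT`, which only holds for single-line values; a value containing a newline is split into spurious output lines, so the heredoc delimiter form GitHub documents for step outputs is the safer write, and `$GITHUB_OUTPUT` should be quoted. The vault name is also interpolated straight into the script as `${{ secrets.COMMON_KEYVAULT_NAME }}`; passing it through `env:` keeps the shell body free of template expansion, which is the pattern worth establishing now for any later value that is not a secret. This same block is repeated in the build-plus, dockerhub-description, image-promotion (three scan jobs), oss-release and publish-helm hunks, and again for `NGINX_PAT` across patch 2, so a composite action under `.github/actions/` (the repo already keeps `certify-openshift-image` there) taking the secret names as input would give one place to fix it. The hunk adds `azure/login` without a `permissions` change, so this job must already hold `id-token: write` (plausibly it does for `google-github-actions/auth`); worth confirming, since `dockerhub-description.yml` and `publish-helm.yml` needed it added in the same patch.
```yaml
      - name: Setup secrets
        id: secrets
        env:
          VAULT_NAME: ${{ secrets.COMMON_KEYVAULT_NAME }}
        run: |
          echo "Setting secrets for job"
          delim="ghadelim_$$_$RANDOM"
          for spec in DOCKER_USERNAME=docker-username DOCKER_PASSWORD=docker-password; do
            out="${spec%%=*}"
            value="$(az keyvault secret show --name "${spec#*=}" --vault-name "$VAULT_NAME" --query value -o tsv)"
            echo "::add-mask::$value"
            printf '%s<<%s\n%s\n%s\n' "$out" "$delim" "$value" "$delim" >> "$GITHUB_OUTPUT"
          done
        if: ${{ inputs.authenticated }}
```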
@@ -81,8 +101,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }} if: ${{ inputs.authenticated }} - name: Docker meta diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 97b87ec114..3f77380566 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -94,6 +94,26 @@ jobs: echo $RHEL_CREDS > rhel_license if: ${{ inputs.authenticated }} + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets - Common Vault + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
@@ -114,8 +134,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} if: ${{ inputs.authenticated }} - name: NAP modules diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index d73f39a392..8a3c4e0e84 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -17,6 +17,9 @@ permissions: jobs: dockerHubDescription: runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write if: ${{ github.event.repository.fork == false }} steps: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
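Review bot: The job-level `permissions` block added to `dockerHubDescription` replaces the workflow-level `permissions:` visible just above it rather than extending it, so anything that workflow-level block grants (its contents are outside this hunk) is no longer available to the job; confirm `contents: read` plus `id-token: write` is all the job needs. Those two are the right minimum for a checkout followed by `azure/login` over OIDC; a trailing comment such as `id-token: write # OIDC login to Azure Key Vault` would match the one `publish-helm.yml` gets in this same patch.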
@@ -25,10 +28,28 @@ jobs: run: | sed -i '3,4d' README.md + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Docker Hub Description uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }} repository: nginx/nginx-ingress short-description: ${{ github.event.repository.description }} diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index fb0a4a30db..c05d41b7c5 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
@@ -270,54 +270,54 @@ jobs: secrets: inherit certify-openshift-images: - if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} - name: Certify OpenShift UBI images - runs-on: ubuntu-24.04 - needs: [release-oss] - steps: - - name: Checkout Repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - - name: Azure login - uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 - with: - client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} - - - name: Setup secrets - id: secrets - run: | - echo "Setting secrets for job" - PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYXIS_TOKEN" - echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT - PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" - echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - - - name: Certify UBI OSS images in quay - uses: ./.github/actions/certify-openshift-image - continue-on-error: true - with: - image: quay.io/nginx/nginx-ingress:edge-ubi - project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} - preflight_version: 1.14.1 + if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} + name: Certify OpenShift UBI images + runs-on: ubuntu-24.04 + needs: [release-oss] + steps: + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ 
secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + + - name: Certify UBI OSS images in quay + uses: ./.github/actions/certify-openshift-image + continue-on-error: true + with: + image: quay.io/nginx/nginx-ingress:edge-ubi + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} + preflight_version: 1.14.1 scan-docker-oss: - name: Scan ${{ matrix.image }} - runs-on: ubuntu-24.04 - needs: [checks, tag-candidate] - permissions: - contents: read - id-token: write - security-events: write - if: ${{ !cancelled() && !failure() }} - strategy: - fail-fast: false - matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} - steps: + name: Scan ${{ matrix.image }} + runs-on: ubuntu-24.04 + needs: [checks, tag-candidate] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} + steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
@@ -340,6 +340,24 @@ jobs: tags: | type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -358,8 +376,8 @@ jobs: - name: DockerHub Login for Docker Scout uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} - name: Run Docker Scout vulnerability scanner id: docker-scout 
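Review bot: The `Setup secrets` step added to `scan-docker-oss` hands the common `docker-username`/`docker-password` pair to `DockerHub Login for Docker Scout`, a step that only needs to read from Docker Hub; if that pair is the same push-capable credential the build and release jobs use, a scan job that runs once per matrix image now holds push rights it never exercises, and a separate read-only Docker Hub access token under its own vault secret name would keep it least-privilege. The same applies to the `scan-docker-plus` and `scan-docker-nap` hunks further down this file. Separately, this step is named `Setup secrets` with `id: secrets-common`, while the `scan-docker-plus` copy is `Setup secrets - Common Vault` and `build-oss.yml` uses plain `id: secrets` until patch 4 renames it; one name and one id across all copies would make the logs and the `steps.*.outputs` references easier to follow.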
@@ -386,18 +404,18 @@ jobs: sarif_file: "${{ steps.directory.outputs.directory }}/" scan-docker-plus: - name: Scan ${{ matrix.image }}-${{ matrix.target }} - runs-on: ubuntu-24.04 - needs: [checks, tag-candidate] - permissions: - contents: read - id-token: write - security-events: write - if: ${{ !cancelled() && !failure() }} - strategy: - fail-fast: false - matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} - steps: + name: Scan ${{ matrix.image }}-${{ matrix.target }} + runs-on: ubuntu-24.04 + needs: [checks, tag-candidate] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} + steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
@@ -420,6 +438,24 @@ jobs: tags: | type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets - Common Vault + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -438,8 +474,8 @@ jobs: - name: DockerHub Login for Docker Scout uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} - name: Run Docker Scout vulnerability scanner id: docker-scout 
@@ -466,18 +502,18 @@ jobs: sarif_file: "${{ steps.directory.outputs.directory }}/" scan-docker-nap: - name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }} - runs-on: ubuntu-24.04 - needs: [checks, tag-candidate] - permissions: - contents: read - id-token: write - security-events: write - if: ${{ !cancelled() && !failure() }} - strategy: - fail-fast: false - matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} - steps: + name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }} + runs-on: ubuntu-24.04 + needs: [checks, tag-candidate] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} + steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
@@ -507,6 +543,24 @@ jobs: tags: | type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + - name: Azure login Common Vault + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets-common + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -525,8 +579,8 @@ jobs: - name: DockerHub Login for Docker Scout uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} - name: Run Docker Scout vulnerability scanner id: docker-scout @@ -554,12 +608,12 @@ jobs: continue-on-error: true update-release-draft: - name: Update Release Draft - runs-on: ubuntu-24.04 - needs: [checks] - permissions: - contents: write - steps: + name: Update Release Draft + runs-on: ubuntu-24.04 + needs: [checks] + permissions: + contents: write + steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 
diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index 44dd24a693..9d42cbe7a5 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml @@ -185,6 +185,24 @@ jobs: with: ref: ${{ inputs.branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: gcr-auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -203,8 +221,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }} - name: Publish images run: | diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml index 22a26c505c..2058a35c6c 100644 --- a/.github/workflows/publish-helm.yml +++ b/.github/workflows/publish-helm.yml 
@@ -64,6 +64,7 @@ jobs: permissions: contents: write # for pushing to Helm Charts repository packages: write # for helm to push to GHCR + id-token: write # for OIDC login steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 @@ -71,6 +72,24 @@ jobs: ref: refs/heads/${{ inputs.branch }} path: kic + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_USERNAME" + echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT + DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$DOCKER_PASSWORD" + echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + - name: Login to GitHub Container Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: @@ -81,8 +100,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + username: ${{ steps.secrets.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }} - name: Setup Helm uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 From 65e389ab9bf478f9ef3e08f93d9863934e45b942 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Wed, 12 Nov 2025 11:35:21 +0000 Subject: [PATCH 2/5] Migrate nginx pat to Azure Vault --- .github/workflows/cherry-pick.yml | 18 ++++++- .github/workflows/create-release-branch.yml | 18 ++++++- .github/workflows/publish-helm.yml | 5 +- .github/workflows/release-pr.yml | 20 ++++++- .github/workflows/release.yml | 59 +++++++++++++++++++-- .github/workflows/update-docker-sha.yml | 18 ++++++- .github/workflows/version-bump.yml | 18 ++++++- 7 files changed, 146 insertions(+), 10 deletions(-) diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml index b7e08b4558..09d7cc34be 100644 --- a/.github/workflows/cherry-pick.yml +++ b/.github/workflows/cherry-pick.yml @@ -13,6 +13,7 @@ jobs: permissions: contents: write pull-requests: write + id-token: write runs-on: ubuntu-24.04 name: Cherry pick into release branch if: ${{ contains(github.event.pull_request.labels.*.name, 'needs cherry pick') && github.event.pull_request.merged == true }} 
@@ -31,10 +32,25 @@ jobs: echo "branch=${release_branch}" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Cherry pick into ${{ steps.branch.outputs.branch }} uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10 with: branch: ${{ steps.branch.outputs.branch }} - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com> title: "[cherry-pick] {old_title}" diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml index b69f32e96b..7f96f9b914 100644 --- a/.github/workflows/create-release-branch.yml +++ b/.github/workflows/create-release-branch.yml 
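Review bot: `azure/login` here runs in a job gated on `github.event.pull_request.merged == true`, i.e. a pull-request-triggered run; the OIDC token GitHub issues for such a run carries a `pull_request` subject rather than a branch ref, so the federated credential behind `AZURE_COMMON_VAULT_CLIENT_ID` must be configured for that subject or the login fails before the PAT is fetched. Worth confirming against the credential, since the other jobs in this patch appear to run from dispatch-style triggers on a branch ref. If the fetch does fail, `az` exits non-zero inside `$(...)` and the step stops under the runner's default `bash -e`, so an empty token is not silently passed to the cherry-pick action; that property is worth keeping when this block is deduplicated.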
@@ -36,12 +36,28 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write steps: - name: Checkout NIC repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{ inputs.source_branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Create new release branch run: | branch="${{ inputs.branch_prefix }}${{ inputs.release_version }}" @@ -66,4 +82,4 @@ jobs: git push --dry-run origin "${branch}" fi env: - GITHUB_TOKEN: ${{ secrets.NGINX_PAT }} + GITHUB_TOKEN: ${{ steps.secrets.outputs.NGINX_PAT }} diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml index 2058a35c6c..2023b63c4e 100644 --- a/.github/workflows/publish-helm.yml +++ b/.github/workflows/publish-helm.yml @@ -89,6 +89,9 @@ jobs: DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$DOCKER_PASSWORD" echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT - name: Login to GitHub Container Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 
@@ -125,7 +128,7 @@ jobs: with: repository: nginxinc/helm-charts fetch-depth: 1 - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} path: helm-charts if: ${{ inputs.nginx_helm_repo }} diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index c4556a0fc2..16003edbca 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -57,6 +57,7 @@ jobs: permissions: contents: write pull-requests: write + id-token: write runs-on: ubuntu-24.04 steps: - name: Branch @@ -72,6 +73,21 @@ jobs: ref: ${{ steps.branch.outputs.branch }} token: ${{ secrets.GITHUB_TOKEN }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Replace run: | .github/scripts/release-version-update.sh \ 
@@ -91,14 +107,14 @@ jobs: env: GITHUB_USERNAME: ${{ github.actor }} GITHUB_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com - GITHUB_TOKEN: ${{ secrets.NGINX_PAT }} + GITHUB_TOKEN: ${{ steps.secrets.outputs.NGINX_PAT }} DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }} DEBUG: ${{ inputs.debug && 'true' || 'false' }} - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} commit-message: Release ${{ github.event.inputs.new_version }} title: Release ${{ github.event.inputs.new_version }} branch: docs/release-${{ github.event.inputs.new_version }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 65a9be1afa..a35fd428ed 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -366,11 +366,29 @@ jobs: name: Trigger PR for Operator runs-on: ubuntu-24.04 needs: [variables,publish-helm-chart] + permissions: + contents: read + id-token: write steps: + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: - github-token: ${{ secrets.NGINX_PAT }} + github-token: ${{ steps.secrets.outputs.NGINX_PAT }} script: | await github.rest.actions.createWorkflowDispatch({ owner: context.repo.owner, 
@@ -391,11 +409,29 @@ jobs: # name: Trigger PR for GCP Marketplace # runs-on: ubuntu-24.04 # needs: [publish-helm-chart,release-plus-gcr-mktpl] + # permissions: + # contents: read + # id-token: write # steps: + # - name: Azure login + # uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + # with: + # client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + # - name: Setup secrets + # id: secrets + # run: | + # echo "Setting secrets for job" + # NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + # echo "::add-mask::$NGINX_PAT" + # echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + # - name: # uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 # with: - # github-token: ${{ secrets.NGINX_PAT }} + # github-token: ${{ steps.secrets.outputs.NGINX_PAT }} # script: | # await github.rest.actions.createWorkflowDispatch({ # owner: context.repo.owner, 
@@ -412,12 +448,29 @@ jobs: # if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }} # name: Trigger CNAB Build for Azure Marketplace # runs-on: ubuntu-24.04 + # permissions: + # contents: read + # id-token: write # needs: [publish-helm-chart,release-plus-azure-mktpl] # steps: + # - name: Azure login + # uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + # with: + # client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + # - name: Setup secrets + # id: secrets + # run: | + # echo "Setting secrets for job" + # NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + # echo "::add-mask::$NGINX_PAT" + # echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT # - name: # uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 # with: - # github-token: ${{ secrets.NGINX_PAT }} + # github-token: ${{ steps.secrets.outputs.NGINX_PAT }} # script: | # await github.rest.actions.createWorkflowDispatch({ # owner: context.repo.owner, diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml index bcb16a16f4..92dc0c4f43 100644 --- a/.github/workflows/update-docker-sha.yml +++ b/.github/workflows/update-docker-sha.yml @@ -45,6 +45,7 @@ jobs: permissions: contents: write pull-requests: write + id-token: write runs-on: ubuntu-24.04 needs: [vars] steps: 
@@ -74,11 +75,26 @@ jobs: echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT echo $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 id: pr with: - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} commit-message: Update docker images ${{ steps.update_images.outputs.docker_md5 }} title: Docker image update ${{ steps.update_images.outputs.docker_md5 }} branch: deps/image-update-${{ needs.vars.outputs.source_branch }}-${{ steps.update_images.outputs.docker_md5 }} diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index e83e800982..0214f8d68d 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: write pull-requests: write + id-token: write runs-on: ubuntu-24.04 steps: - name: Checkout Repository 
@@ -52,10 +53,25 @@ jobs: run: | make test-update-snaps + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$NGINX_PAT" + echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT + - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: - token: ${{ secrets.NGINX_PAT }} + token: ${{ steps.secrets.outputs.NGINX_PAT }} commit-message: Version Bump for ${{ github.event.inputs.ic_version }} title: Version Bump for ${{ github.event.inputs.ic_version }} branch: chore/version-bump-${{ github.event.inputs.ic_version }} From 3ce44fc26bd647081582fbafcca06da06b2a7508 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 12 Nov 2025 14:28:57 +0000 Subject: [PATCH 3/5] helm publish needs id-token permissions --- .github/workflows/image-promotion.yml | 1 + .github/workflows/release.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index c05d41b7c5..06dd57336f 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -267,6 +267,7 @@ jobs: permissions: contents: write # for pushing to Helm Charts repository packages: write # for helm to push to GHCR + id-token: write secrets: inherit certify-openshift-images: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a35fd428ed..c43a001a3d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
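Review bot: `id-token: write` is added to the `publish-helm-chart` caller job's `permissions` in `image-promotion.yml` without the trailing comment its two sibling lines carry, and the matching hunk in `release.yml` (patch 3's second file) has the same gap; `id-token: write # for OIDC login to Azure Key Vault in publish-helm.yml` would record why a caller of a reusable workflow needs it, matching the `# for OIDC login` comment patch 1 left in `publish-helm.yml` itself. The permission is genuinely required here because a called workflow cannot exceed the permissions of its caller, so the `azure/login` step patch 1 added to `publish-helm.yml` would fail without it.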
@@ -318,6 +318,7 @@ jobs: permissions: contents: write # for pushing to Helm Charts repository packages: write # for helm to push to GHCR + id-token: write secrets: inherit certify-openshift-images: From f4d331edac960f3c580c97e8afea3e7aa0706cd0 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 21 Nov 2025 15:13:25 +0000 Subject: [PATCH 4/5] update OSS build --- .github/workflows/build-oss.yml | 10 ++--- .github/workflows/image-promotion.yml | 58 +++++++++++++-------------- 2 files changed, 34 insertions(+), 34 deletions(-) diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index d1a8bf8506..cfd9c83f79 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -61,7 +61,7 @@ jobs: ref: ${{ inputs.branch }} fetch-depth: 0 - - name: Azure login + - name: Azure login Common Vault uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 with: client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} @@ -69,8 +69,8 @@ jobs: subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} if: ${{ inputs.authenticated }} - - name: Setup secrets - id: secrets + - name: Setup secrets Common Vault + id: secrets-common run: | echo "Setting secrets for job" DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) @@ -101,8 +101,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ steps.secrets.outputs.DOCKER_USERNAME }} - password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} if: ${{ inputs.authenticated }} - name: Docker meta diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 06dd57336f..0d86402d45 100644 --- a/.github/workflows/image-promotion.yml 
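Review bot: Same documentation gap as the matching change in image-promotion.yml: `id-token: write` is added without the per-permission comment the two lines above it carry, so add `id-token: write # for azure/login OIDC federation in the called helm-publish workflow`. Keeping the reason on the line matters more here than usual because `id-token: write` lets any step in the callee mint a GitHub OIDC token, and a later reviewer trimming permissions should be able to see at a glance which step depends on it. The job header and the `uses:` line that names the called workflow sit outside this hunk.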
+++ b/.github/workflows/image-promotion.yml 
@@ -276,35 +276,35 @@ jobs: runs-on: ubuntu-24.04 needs: [release-oss] steps: - - name: Checkout Repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - - name: Azure login - uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 - with: - client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} - - - name: Setup secrets - id: secrets - run: | - echo "Setting secrets for job" - PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYXIS_TOKEN" - echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT - PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" - echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - - - name: Certify UBI OSS images in quay - uses: ./.github/actions/certify-openshift-image - continue-on-error: true - with: - image: quay.io/nginx/nginx-ingress:edge-ubi - project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} - preflight_version: 1.14.1 + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + 
echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + + - name: Certify UBI OSS images in quay + uses: ./.github/actions/certify-openshift-image + continue-on-error: true + with: + image: quay.io/nginx/nginx-ingress:edge-ubi + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} + preflight_version: 1.14.1 scan-docker-oss: name: Scan ${{ matrix.image }} From d6737c64ae6b62fd1222fc820ac9b2d8c1762db8 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 21 Nov 2025 15:23:09 +0000 Subject: [PATCH 5/5] Avoid conflict in vault --- .github/workflows/oss-release.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index 9d42cbe7a5..235be3817b 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml @@ -185,15 +185,15 @@ jobs: with: ref: ${{ inputs.branch }} - - name: Azure login + - name: Azure login Common Vault uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 with: client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }} subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }} - - name: Setup secrets - id: secrets + - name: Setup secrets Common Vault + id: secrets-common run: | echo "Setting secrets for job" DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv) 
@@ -221,8 +221,8 @@ jobs: - name: DockerHub Login uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: - username: ${{ steps.secrets.outputs.DOCKER_USERNAME }} - password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }} + username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }} + password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }} - name: Publish images run: |