From c8395293fbd026aa601cd3fa1acfe8e5ef058e7d Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Wed, 17 Sep 2025 12:31:41 +0100 Subject: [PATCH 01/21] Add assertion doc job --- .github/workflows/ci.yml | 80 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 154d2add59..50776279df 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -161,6 +161,9 @@ jobs: needs: [vars, unit-tests, njs-unit-tests] env: GOPROXY: ${{ needs.vars.outputs.goproxy }} + outputs: + json: ${{ steps.gateway_binaries.outputs.json }} + goversionm: ${{ steps.go_deps.outputs.goversionm }} permissions: contents: write # for goreleaser/goreleaser-action and lucacome/draft-release to create/update releases id-token: write # for goreleaser/goreleaser-action to sign artifacts @@ -205,6 +208,17 @@ jobs: if: ${{ inputs.is_production_release }} uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 + - name: Generate Module Dependencies Info + id: go_deps + if: inputs.is_production_release + run: | + # Generate module info before GoReleaser strips the binary + echo "Generating module dependencies info..." + cd cmd/gateway + go list -m all > ../../goversionm_${{ github.run_id }}_${{ github.run_number }}.txt + echo "Module dependencies saved to goversionm_${{ github.run_id }}_${{ github.run_number }}.txt" + echo "goversionm=$(find . -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_OUTPUT + - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 with: 
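Review bot: The last line of the added `Generate Module Dependencies Info` step (hunk `@@ -205,6 +208,17 @@`) runs `find . -type f -name "goversionm*.txt"` after `cd cmd/gateway`, but the file was written to `../../`, so the search starts below the file and the `goversionm` output comes out empty. Emit the known name relative to the repository root instead: `echo "goversionm=goversionm_${{ github.run_id }}_${{ github.run_number }}.txt" >> "$GITHUB_OUTPUT"`. Also note that `go list -m all` prints the module build list, which can include modules that are never linked into the shipped binary, so as evidence for an assertion document it over-reports. A one-line comment in the step saying which of the two (build list or linked modules) the compliance action expects would help.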
@@ -220,12 +234,78 @@ jobs: TELEMETRY_ENDPOINT: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-') && 'oss-dev.edge.df.f5.com:443' || 'oss.edge.df.f5.com:443' }} TELEMETRY_ENDPOINT_INSECURE: "false" + - name: Extract gateway binaries info + if: inputs.is_production_release + id: gateway_binaries + run: | + set -e + binaries=() + for bin in $(find ${{ github.workspace }}/dist -type f -name "gateway"); do + dir=$(basename $(dirname "$bin")) + if [[ "$dir" =~ gateway_([a-zA-Z0-9]+)_([a-zA-Z0-9]+) ]]; then + os="${BASH_REMATCH[1]}" + arch="${BASH_REMATCH[2]}" + digest=$(sha256sum "$bin" | cut -d' ' -f1) + binaries+=("{\"path\":\"$bin\",\"os\":\"$os\",\"arch\":\"$arch\",\"digest\":\"$digest\"}") + fi + done + # Join array elements with commas + IFS=',' + json="[${binaries[*]}]" + echo "Generated JSON: $json" + echo "json=$json" >> $GITHUB_OUTPUT + - name: Cache Artifacts uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ github.workspace }}/dist key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} + assertion: + name: Generate and Sign Assertion Documents + needs: binary + if: inputs.is_production_release + runs-on: ubuntu-24.04 + strategy: + fail-fast: false + matrix: + gateway: ${{ fromJson(needs.binary.outputs.json) }} + steps: + - name: Checkout Repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Restore Cached Artifacts + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + with: + path: ${{ github.workspace }}/dist + key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} + fail-on-cache-miss: true + + - name: Generate Assertion Document + id: assertiondoc + uses: nginxinc/compliance-rules/.github/actions/assertion@311fe9c56e981a5a1b805577746bbe66d59399ab + with: + artifact-name: ${{ github.event.repository.name }}_${{ github.ref_name }} + artifact-digest: ${{ matrix.gateway.digest }} + build-type: 
'github' + builder-id: 'github.com' + builder-version: '0.1.0-xyz' + invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} + started-on: ${{ github.event.head_commit.timestamp || github.event.created_at }} + finished-on: ${{ github.event.head_commit.timestamp || github.event.created_at }} + artifactory-user: ${{ secrets.ARTIFACTORY_USER }} + artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} + artifactory-url: ${{ secrets.ARTIFACTORY_URL }} + artifactory-repo: 'f5-nginx-go-local-approved-dependency' + assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.ref_name }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json + build-content-path: ${{ needs.binary.outputs.goversionm }} + + - name: Sign and Store Assertion Document + id: sign + uses: nginxinc/compliance-rules/.github/actions/sign@311fe9c56e981a5a1b805577746bbe66d59399ab + with: + assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} + build-oss: name: Build OSS images needs: [vars, binary] From 2c764021ca3cf5a25f4993c7a53b100bc2192b12 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Wed, 17 Sep 2025 13:21:27 +0100 Subject: [PATCH 02/21] temp run assertion job on branch --- .github/workflows/ci.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 50776279df..b6694463a3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -210,7 +210,6 @@ jobs: - name: Generate Module Dependencies Info id: go_deps - if: inputs.is_production_release run: | # Generate module info before GoReleaser strips the binary echo "Generating module dependencies info..." @@ -235,7 +234,6 @@ jobs: TELEMETRY_ENDPOINT_INSECURE: "false" - name: Extract gateway binaries info - if: inputs.is_production_release id: gateway_binaries run: | set -e 
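Review bot: In the `Generate Assertion Document` step (hunk `@@ -220,12 +234,78 @@`), `started-on` and `finished-on` receive the same expression, `github.event.head_commit.timestamp || github.event.created_at`, so the signed document records the commit time as both start and end of the build rather than when the build ran, and `builder-version: '0.1.0-xyz'` reads like a placeholder. If these fields are meant as provenance, record real timestamps in the `binary` job around the GoReleaser step (for example `date -u +%Y-%m-%dT%H:%M:%SZ`) and pass them on as job outputs. Separately, `Extract gateway binaries info` assembles the matrix JSON by string concatenation and emits `[]` when no directory matches the regex, which as far as I can tell leaves `fromJson(needs.binary.outputs.json)` with an empty matrix. A guard such as `[ "${#binaries[@]}" -gt 0 ] || { echo "no gateway binaries found"; exit 1; }` makes that failure explicit in the job that caused it.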
@@ -264,7 +262,6 @@ jobs: assertion: name: Generate and Sign Assertion Documents needs: binary - if: inputs.is_production_release runs-on: ubuntu-24.04 strategy: fail-fast: false From a0122a12644a249d726de600b565c37b61157322 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Wed, 17 Sep 2025 13:46:12 +0100 Subject: [PATCH 03/21] Fix cache restore, fix filename --- .github/workflows/ci.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b6694463a3..21e23f331c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -216,7 +216,13 @@ jobs: cd cmd/gateway go list -m all > ../../goversionm_${{ github.run_id }}_${{ github.run_number }}.txt echo "Module dependencies saved to goversionm_${{ github.run_id }}_${{ github.run_number }}.txt" - echo "goversionm=$(find . -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_OUTPUT + cd ../.. + # Move goversionm file to dist directory so it gets cached with binaries + mkdir -p dist + goversionm_file="goversionm_${{ github.run_id }}_${{ github.run_number }}.txt" + mv "$goversionm_file" "dist/$goversionm_file" + echo "Module dependencies saved to dist/$goversionm_file" + echo "goversionm=$goversionm_file" >> $GITHUB_OUTPUT - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 
@@ -271,18 +277,17 @@ jobs: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Restore Cached Artifacts + - name: Fetch Cached Artifacts uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ${{ github.workspace }}/dist key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} - fail-on-cache-miss: true - name: Generate Assertion Document id: assertiondoc uses: nginxinc/compliance-rules/.github/actions/assertion@311fe9c56e981a5a1b805577746bbe66d59399ab with: - artifact-name: ${{ github.event.repository.name }}_${{ github.ref_name }} + artifact-name: ${{ github.event.repository.name }}_${{ github.sha }} artifact-digest: ${{ matrix.gateway.digest }} build-type: 'github' builder-id: 'github.com' @@ -294,8 +299,8 @@ jobs: artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} artifactory-url: ${{ secrets.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' - assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.ref_name }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json build-content-path: ${{ needs.binary.outputs.goversionm }} + assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json - name: Sign and Store Assertion Document id: sign From d2492be7d1312e40d79a677ee5dc5a23fc4c99b8 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Wed, 17 Sep 2025 17:59:04 +0100 Subject: [PATCH 04/21] Move module dependcy generation --- .github/workflows/ci.yml | 40 +++++++++++++++++----------------------- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 21e23f331c..a48c580b06 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -163,7 +163,6 @@ jobs: GOPROXY: ${{ needs.vars.outputs.goproxy }} outputs: json: ${{ steps.gateway_binaries.outputs.json }} - goversionm: ${{ steps.go_deps.outputs.goversionm }} permissions: contents: write # for goreleaser/goreleaser-action and lucacome/draft-release to create/update releases id-token: write # for goreleaser/goreleaser-action to sign artifacts @@ -208,22 +207,6 @@ jobs: if: ${{ inputs.is_production_release }} uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 - - name: Generate Module Dependencies Info - id: go_deps - run: | - # Generate module info before GoReleaser strips the binary - echo "Generating module dependencies info..." - cd cmd/gateway - go list -m all > ../../goversionm_${{ github.run_id }}_${{ github.run_number }}.txt - echo "Module dependencies saved to goversionm_${{ github.run_id }}_${{ github.run_number }}.txt" - cd ../.. - # Move goversionm file to dist directory so it gets cached with binaries - mkdir -p dist - goversionm_file="goversionm_${{ github.run_id }}_${{ github.run_number }}.txt" - mv "$goversionm_file" "dist/$goversionm_file" - echo "Module dependencies saved to dist/$goversionm_file" - echo "goversionm=$goversionm_file" >> $GITHUB_OUTPUT - - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 with: @@ -267,7 +250,9 @@ jobs: assertion: name: Generate and Sign Assertion Documents - needs: binary + needs: [vars, binary] + env: + GOPROXY: ${{ needs.vars.outputs.goproxy }} runs-on: ubuntu-24.04 strategy: fail-fast: false 
@@ -277,11 +262,20 @@ jobs: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Fetch Cached Artifacts - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + - name: Setup Golang Environment + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: - path: ${{ github.workspace }}/dist - key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} + go-version: stable + + - name: Generate Module Dependencies Info + id: go_deps + run: | + echo "Generating module dependencies info..." + cd cmd/gateway + go list -m all > ../../goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ strategy.job-index }}.txt + echo "Module dependencies saved to goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ strategy.job-index }}.txt" + cd ../.. + echo "goversionm=goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ strategy.job-index }}.txt" >> $GITHUB_OUTPUT - name: Generate Assertion Document id: assertiondoc @@ -299,7 +293,7 @@ jobs: artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} artifactory-url: ${{ secrets.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' - build-content-path: ${{ needs.binary.outputs.goversionm }} + build-content-path: ${{ steps.go_deps.outputs.goversionm }} assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json - name: Sign and Store Assertion Document From ece6173aa74183b7c1a738c7744e1cecf48b3ab4 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Thu, 18 Sep 2025 10:07:04 +0100 Subject: [PATCH 05/21] Add permissions --- .github/workflows/ci.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a48c580b06..448f91e237 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -251,6 +251,9 @@ jobs: assertion: name: Generate and Sign Assertion Documents needs: [vars, binary] + permissions: + contents: read + id-token: write # for compliance-rules action to sign assertion doc env: GOPROXY: ${{ needs.vars.outputs.goproxy }} runs-on: ubuntu-24.04 @@ -272,10 +275,11 @@ jobs: run: | echo "Generating module dependencies info..." cd cmd/gateway - go list -m all > ../../goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ strategy.job-index }}.txt - echo "Module dependencies saved to goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ strategy.job-index }}.txt" + goversionm=goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt + go list -m all > ../../goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt + echo "Module dependencies saved to goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt" cd ../.. - echo "goversionm=goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ strategy.job-index }}.txt" >> $GITHUB_OUTPUT + echo "goversionm=goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt" >> $GITHUB_OUTPUT - name: Generate Assertion Document id: assertiondoc @@ -294,7 +298,7 @@ jobs: artifactory-url: ${{ secrets.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' build-content-path: ${{ steps.go_deps.outputs.goversionm }} - assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json + assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json - name: Sign and Store Assertion Document id: sign 
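Review bot: The `assertion` job gains `id-token: write` in hunk `@@ -251,6 +251,9 @@`, yet in the lines visible around the addition nothing between `needs:` and `runs-on:` restricts when the job runs; the `if: inputs.is_production_release` guard was dropped by the earlier "temp run assertion job on branch" patch. As written, every trigger of this workflow can mint an OIDC token and sign an assertion document, and on triggers where secrets are unavailable the Artifactory inputs would be empty. Restore the condition before this merges: `if: inputs.is_production_release`. A comment above `permissions:` stating that the block exists only for the compliance-rules sign action would also document why `contents: read` is spelled out. The job body continues outside the hunk.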
From 9856aedd911cef025bb246e4fd36cbbd33f46ca5 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Thu, 18 Sep 2025 14:35:53 +0100 Subject: [PATCH 06/21] Make other names unique --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 448f91e237..2f7d7cd220 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -285,12 +285,12 @@ jobs: id: assertiondoc uses: nginxinc/compliance-rules/.github/actions/assertion@311fe9c56e981a5a1b805577746bbe66d59399ab with: - artifact-name: ${{ github.event.repository.name }}_${{ github.sha }} + artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }} artifact-digest: ${{ matrix.gateway.digest }} build-type: 'github' builder-id: 'github.com' builder-version: '0.1.0-xyz' - invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} + invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ strategy.job-index }} started-on: ${{ github.event.head_commit.timestamp || github.event.created_at }} finished-on: ${{ github.event.head_commit.timestamp || github.event.created_at }} artifactory-user: ${{ secrets.ARTIFACTORY_USER }} From 3ff35517cf3859441a5d4fb30e84a809fa314ee8 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Mon, 22 Sep 2025 11:40:18 +0100 Subject: [PATCH 07/21] Update commit sha --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2f7d7cd220..91d86705ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -283,7 +283,7 @@ jobs: - name: Generate Assertion Document id: assertiondoc - uses: nginxinc/compliance-rules/.github/actions/assertion@311fe9c56e981a5a1b805577746bbe66d59399ab + uses: nginxinc/compliance-rules/.github/actions/assertion@8cc3e2d960f32aa4b77c1e719adb92228132b11b with: artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }} artifact-digest: ${{ matrix.gateway.digest }} @@ -302,7 +302,7 @@ jobs: - name: Sign and Store Assertion Document id: sign - uses: nginxinc/compliance-rules/.github/actions/sign@311fe9c56e981a5a1b805577746bbe66d59399ab + uses: nginxinc/compliance-rules/.github/actions/sign@8cc3e2d960f32aa4b77c1e719adb92228132b11b with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} From 598d20bb40e45fcbfb717fbf33f266cdac108c6b Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Mon, 22 Sep 2025 13:04:21 +0100 Subject: [PATCH 08/21] Try go version -m again --- .github/workflows/ci.yml | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 91d86705ac..d73cd9c763 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -270,16 +270,18 @@ jobs: with: go-version: stable - - name: Generate Module Dependencies Info - id: go_deps + - name: Fetch Cached Artifacts + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + with: + path: ${{ github.workspace }}/dist + key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} + + - name: List Dependencies in Go Binary + id: godeps run: | - echo "Generating module dependencies info..." - cd cmd/gateway - goversionm=goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt - go list -m all > ../../goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt - echo "Module dependencies saved to goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt" - cd ../.. - echo "goversionm=goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt" >> $GITHUB_OUTPUT + go version -m dist/gateway_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}*/gateway > goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt + echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_OUTPUT + cat $GITHUB_OUTPUT - name: Generate Assertion Document id: assertiondoc @@ -297,7 +299,7 @@ jobs: artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} artifactory-url: ${{ secrets.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' - build-content-path: ${{ steps.go_deps.outputs.goversionm }} + build-content-path: ${{ steps.godeps.outputs.goversionm }} assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json - name: Sign and Store Assertion Document 
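Review bot: Nothing in the added `List Dependencies in Go Binary` step (hunk `@@ -270,16 +270,18 @@`) checks that the binary restored from the cache is the one whose hash is being asserted: `artifact-digest` comes from `matrix.gateway.digest`, computed in the `binary` job, while the dependency list is read from whatever `dist/gateway_<os>_<arch>*/gateway` resolves to after the restore. Verify before listing, with `bin` set to the single matched path: `echo "${{ matrix.gateway.digest }}  $bin" | sha256sum -c -`. The trailing `*` can also match more than one directory when one arch name is a prefix of another (`arm` and `arm64`, if both are built), which would put two binaries' module lists into one file. The cache step here no longer sets `fail-on-cache-miss: true`, so a miss only shows up indirectly as a failed glob. Writing the known filename to `"$GITHUB_OUTPUT"` directly would be clearer than `find ... | head -n 1`, and `cat $GITHUB_OUTPUT` looks like leftover debugging.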
From 892716778ed9443dc11f03487459fe04ce53cc66 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Mon, 22 Sep 2025 13:47:02 +0100 Subject: [PATCH 09/21] TEMP: change to prod artificatory for now --- .github/workflows/ci.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d73cd9c763..fe0bf2b514 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,16 +54,8 @@ jobs: - name: Configure GOPROXY id: goproxy run: | - if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then - echo "No Artifactory secrets available - using direct GOPROXY" - GOPROXY_VALUE="direct" - elif [[ "${{ inputs.is_production_release }}" == "true" ]] || [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then - echo "Production mode - using production Artifactory" + echo "Temp use prod artifactory" GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_ENDPOINT }}" - else - echo "Development mode - using dev Artifactory" - GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}" - fi echo "goproxy=${GOPROXY_VALUE}" >> $GITHUB_OUTPUT echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV From 0e247d0243a06fbbef08c526f2921bfdde6c9f6a Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Mon, 22 Sep 2025 15:34:16 +0100 Subject: [PATCH 10/21] Remove goreleaser stripping flags --- .goreleaser.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 31d20c536c..1ddd30e64d 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
@@ -11,10 +11,10 @@ builds: - arm64 flags: - -trimpath - gcflags: - - all=-trimpath={{.Env.GOPATH}} - asmflags: - - all=-trimpath={{.Env.GOPATH}} + # gcflags: + # - all=-trimpath={{.Env.GOPATH}} + # asmflags: + # - all=-trimpath={{.Env.GOPATH}} ldflags: - -s -w - -X main.version={{.Version}} From 4a40b752c436e28eed69fa346df06d927ab6c285 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Tue, 23 Sep 2025 11:58:22 +0100 Subject: [PATCH 11/21] Hard code goproxy --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fe0bf2b514..7d44784469 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -55,7 +55,7 @@ jobs: id: goproxy run: | echo "Temp use prod artifactory" - GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_ENDPOINT }}" + GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" echo "goproxy=${GOPROXY_VALUE}" >> $GITHUB_OUTPUT echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV From 1a5621b72321cf88e6dda61708e131be4621dd72 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Tue, 23 Sep 2025 13:05:19 +0100 Subject: [PATCH 12/21] hardcode goproxy in each job --- .github/workflows/ci.yml | 9 +++++---- .goreleaser.yml | 8 ++++---- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d44784469..a69f1a2931 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -152,7 +152,7 @@ jobs: runs-on: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} needs: [vars, unit-tests, njs-unit-tests] env: - GOPROXY: ${{ needs.vars.outputs.goproxy }} + GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency" outputs: json: ${{ steps.gateway_binaries.outputs.json }} permissions: @@ -247,7 +247,8 @@ jobs: contents: read id-token: write # for compliance-rules action to sign assertion doc env: - GOPROXY: ${{ needs.vars.outputs.goproxy }} + GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency" + runs-on: ubuntu-24.04 strategy: fail-fast: false @@ -277,7 +278,7 @@ jobs: - name: Generate Assertion Document id: assertiondoc - uses: nginxinc/compliance-rules/.github/actions/assertion@8cc3e2d960f32aa4b77c1e719adb92228132b11b + uses: nginxinc/compliance-rules/.github/actions/assertion@main with: artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }} artifact-digest: ${{ matrix.gateway.digest }} @@ -296,7 +297,7 @@ jobs: - name: Sign and Store Assertion Document id: sign - uses: nginxinc/compliance-rules/.github/actions/sign@8cc3e2d960f32aa4b77c1e719adb92228132b11b + uses: nginxinc/compliance-rules/.github/actions/sign@main with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} diff --git a/.goreleaser.yml b/.goreleaser.yml index 1ddd30e64d..31d20c536c 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
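Review bot: `uses: nginxinc/compliance-rules/.github/actions/assertion@main` (hunk `@@ -277,7 +278,7 @@`) and the matching `sign@main` line in the next hunk replace a full commit SHA with a branch ref, so whatever is pushed to that branch runs inside a job that holds `id-token: write` and is handed `secrets.ARTIFACTORY_TOKEN` as an input. Patches 14, 15, 16 and 18 of this series do the same with `@debug-log`, `@debug2`, `@test/debug-level` and `@main` again. For debugging, pin the head commit of the debug branch and name the branch in a comment, e.g. `uses: nginxinc/compliance-rules/.github/actions/assertion@<full-commit-sha> # debug-log`, so the code that receives the credentials is fixed for each run. The same hunk set also moves the credentialed `GOPROXY` URL into job-level `env:`, which exposes it to every step of the job rather than only the steps that fetch modules.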
@@ -11,10 +11,10 @@ builds: - arm64 flags: - -trimpath - # gcflags: - # - all=-trimpath={{.Env.GOPATH}} - # asmflags: - # - all=-trimpath={{.Env.GOPATH}} + gcflags: + - all=-trimpath={{.Env.GOPATH}} + asmflags: + - all=-trimpath={{.Env.GOPATH}} ldflags: - -s -w - -X main.version={{.Version}} From 78f2f56f050652129f66eee515a6179a906302da Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Tue, 23 Sep 2025 14:14:31 +0100 Subject: [PATCH 13/21] Output goversionm --- .github/workflows/ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a69f1a2931..324acf2af4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -274,7 +274,8 @@ jobs: run: | go version -m dist/gateway_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}*/gateway > goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_OUTPUT - cat $GITHUB_OUTPUT + goversionm=$(find -type f -name "goversionm*.txt" | head -n 1) + cat $goversionm - name: Generate Assertion Document id: assertiondoc From 0e8bdebd4527e47a0b38b13a0f0d9dc0c99fd7ec Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Tue, 23 Sep 2025 16:44:18 +0100 Subject: [PATCH 14/21] switch branch --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 324acf2af4..17aeecdd50 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -279,7 +279,7 @@ jobs: - name: Generate Assertion Document id: assertiondoc - uses: nginxinc/compliance-rules/.github/actions/assertion@main + uses: nginxinc/compliance-rules/.github/actions/assertion@debug-log with: artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }} artifact-digest: ${{ matrix.gateway.digest }} @@ -298,7 +298,7 @@ jobs: - name: Sign and Store Assertion Document id: sign - uses: nginxinc/compliance-rules/.github/actions/sign@main + uses: nginxinc/compliance-rules/.github/actions/sign@debug-log with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} From 7828f7528670bdcfd5e16d94ee122ede90632d8a Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Tue, 23 Sep 2025 17:15:02 +0100 Subject: [PATCH 15/21] switch branch again --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 17aeecdd50..f964a2ea65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -279,7 +279,7 @@ jobs: - name: Generate Assertion Document id: assertiondoc - uses: nginxinc/compliance-rules/.github/actions/assertion@debug-log + uses: nginxinc/compliance-rules/.github/actions/assertion@debug2 with: artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }} artifact-digest: ${{ matrix.gateway.digest }} @@ -298,7 +298,7 @@ jobs: - name: Sign and Store Assertion Document id: sign - uses: nginxinc/compliance-rules/.github/actions/sign@debug-log + uses: nginxinc/compliance-rules/.github/actions/sign@debug2 with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} From dcbdc50cccee4b034fe0aac9428798d018dd91ad Mon Sep 17 00:00:00 2001 
From: Ciara Stacke Date: Wed, 24 Sep 2025 13:59:22 +0100 Subject: [PATCH 16/21] update branch again --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f964a2ea65..1bb628fbe7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -279,7 +279,7 @@ jobs: - name: Generate Assertion Document id: assertiondoc - uses: nginxinc/compliance-rules/.github/actions/assertion@debug2 + uses: nginxinc/compliance-rules/.github/actions/assertion@test/debug-level with: artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }} artifact-digest: ${{ matrix.gateway.digest }} @@ -298,7 +298,7 @@ jobs: - name: Sign and Store Assertion Document id: sign - uses: nginxinc/compliance-rules/.github/actions/sign@debug2 + uses: nginxinc/compliance-rules/.github/actions/sign@test/debug-level with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} From f61cb91555ef8f4a5bb91e8e76ef25ff2c77f6fe Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Wed, 24 Sep 2025 14:38:29 +0100 Subject: [PATCH 17/21] add debug --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1bb628fbe7..6f9fe5fc37 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -294,6 +294,7 @@ jobs: artifactory-url: ${{ secrets.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' build-content-path: ${{ steps.godeps.outputs.goversionm }} + log-level: DEBUG assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json - name: Sign and Store Assertion Document From a97414fb49da4201988115e08a92f05f7448127d Mon Sep 17 00:00:00 2001 
From: Ciara Stacke Date: Thu, 25 Sep 2025 10:31:21 +0100 Subject: [PATCH 18/21] update branch to main --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6f9fe5fc37..0068e889d5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -279,7 +279,7 @@ jobs: - name: Generate Assertion Document id: assertiondoc - uses: nginxinc/compliance-rules/.github/actions/assertion@test/debug-level + uses: nginxinc/compliance-rules/.github/actions/assertion@main with: artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }} artifact-digest: ${{ matrix.gateway.digest }} @@ -299,7 +299,7 @@ jobs: - name: Sign and Store Assertion Document id: sign - uses: nginxinc/compliance-rules/.github/actions/sign@test/debug-level + uses: nginxinc/compliance-rules/.github/actions/sign@main with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} From 7830e906330367b70f4c7c27554e475a8498158c Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Mon, 29 Sep 2025 10:57:27 +0100 Subject: [PATCH 19/21] Restore goproxy and use tagged version --- .github/workflows/ci.yml | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0068e889d5..e70d3c2336 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -54,8 +54,16 @@ jobs: - name: Configure GOPROXY id: goproxy run: | - echo "Temp use prod artifactory" - GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" + if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then + echo "No Artifactory secrets available - using direct GOPROXY" + GOPROXY_VALUE="direct" + elif [[ "${{ inputs.is_production_release }}" == "true" ]] || [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then + echo "Production mode - using production Artifactory" + GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_ENDPOINT }}" + else + echo "Development mode - using dev Artifactory" + GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}" + fi echo "goproxy=${GOPROXY_VALUE}" >> $GITHUB_OUTPUT echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV @@ -152,7 +160,7 @@ jobs: runs-on: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} needs: [vars, unit-tests, njs-unit-tests] env: - GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency" + GOPROXY: ${{ needs.vars.outputs.goproxy }} outputs: json: ${{ steps.gateway_binaries.outputs.json }} permissions: @@ -247,8 +255,7 @@ jobs: contents: read id-token: write # for compliance-rules action to sign assertion doc env: - GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency" - + GOPROXY: ${{ needs.vars.outputs.goproxy }} runs-on: ubuntu-24.04 strategy: fail-fast: false 
@@ -279,7 +286,7 @@ jobs: - name: Generate Assertion Document id: assertiondoc - uses: nginxinc/compliance-rules/.github/actions/assertion@main + uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 with: artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }} artifact-digest: ${{ matrix.gateway.digest }} @@ -294,12 +301,11 @@ jobs: artifactory-url: ${{ secrets.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' build-content-path: ${{ steps.godeps.outputs.goversionm }} - log-level: DEBUG assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json - name: Sign and Store Assertion Document id: sign - uses: nginxinc/compliance-rules/.github/actions/sign@main + uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} From 989a02b5c353f6d36cdfe1dc6040ffd35c3fdd03 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Mon, 29 Sep 2025 11:18:09 +0100 Subject: [PATCH 20/21] Configure goproxy in each step --- .github/workflows/ci.yml | 60 +++++++++++++++++++++++++++++++++------- 1 file changed, 50 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e70d3c2336..f4972bddc5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,7 +45,6 @@ jobs: min_k8s_version: ${{ steps.vars.outputs.min_k8s_version }} k8s_latest: ${{ steps.vars.outputs.k8s_latest }} helm_changes: ${{ steps.filter.outputs.charts }} - goproxy: ${{ steps.goproxy.outputs.goproxy }} steps: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
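Review bot: The two `compliance-rules` pins (`assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6` here and the matching `sign@…` line in the next hunk) carry no trailing version comment, unlike the other pinned actions in this file such as `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`. The commit subject says a tagged version is used, but a reader cannot tell which tag the SHA corresponds to or check it against the upstream repository. Append the tag as a comment on both lines, e.g. `# <tag>` (placeholder; the tag name is not shown in the patch).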
@@ -64,7 +63,6 @@ jobs: echo "Development mode - using dev Artifactory" GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}" fi - echo "goproxy=${GOPROXY_VALUE}" >> $GITHUB_OUTPUT echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV - name: Setup Golang Environment @@ -105,12 +103,20 @@ jobs: name: Unit Tests runs-on: ubuntu-24.04 needs: vars - env: - GOPROXY: ${{ needs.vars.outputs.goproxy }} steps: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Configure GOPROXY + id: goproxy + run: | + if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then + GOPROXY_VALUE="direct" + else + GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}" + fi + echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV + - name: Setup Golang Environment uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: @@ -159,8 +165,6 @@ jobs: name: Build Binary runs-on: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} needs: [vars, unit-tests, njs-unit-tests] - env: - GOPROXY: ${{ needs.vars.outputs.goproxy }} outputs: json: ${{ steps.gateway_binaries.outputs.json }} permissions: 
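Review bot: The `Configure GOPROXY` step added to the Unit Tests job (hunk at new line 103) is one of four near-identical copies this patch introduces, alongside the existing one earlier in the file, and the copies already differ: this one and the CEL Tests copy always select `ARTIFACTORY_DEV_ENDPOINT` and print nothing, while the Build Binary and assertion copies branch on `is_production_release`. If the dev-only choice is intentional for test jobs, state it with a comment such as `# test jobs always resolve modules through the dev Artifactory`. Moving the script into one local composite action with a mode input would keep the credential handling in a single reviewed place. The job body continues outside the hunk.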
@@ -173,6 +177,21 @@ jobs: with: fetch-depth: 0 + - name: Configure GOPROXY + id: goproxy + run: | + if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then + echo "No Artifactory secrets available - using direct GOPROXY" + GOPROXY_VALUE="direct" + elif [[ "${{ inputs.is_production_release }}" == "true" ]] || [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then + echo "Production mode - using production Artifactory" + GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_ENDPOINT }}" + else + echo "Development mode - using dev Artifactory" + GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}" + fi + echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV + - name: Setup Golang Environment uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: @@ -254,8 +273,6 @@ jobs: permissions: contents: read id-token: write # for compliance-rules action to sign assertion doc - env: - GOPROXY: ${{ needs.vars.outputs.goproxy }} runs-on: ubuntu-24.04 strategy: fail-fast: false 
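Review bot: In the Build Binary job the first branch sets `GOPROXY_VALUE="direct"` whenever `secrets.ARTIFACTORY_USER` is empty, including when `inputs.is_production_release` is true, so a release build with missing or mis-scoped secrets would quietly fetch modules straight from their origins. The assertion step elsewhere in this series passes `artifactory-repo: 'f5-nginx-go-local-approved-dependency'`, which suggests the assertion is meant to describe a build from the approved repository and would then not match what happened. Fail closed for that case: inside the first branch, when the production condition holds, `echo "::error::Artifactory credentials are required for production builds"` followed by `exit 1`. The test also covers only the user secret; an empty `ARTIFACTORY_TOKEN` or endpoint would yield a malformed proxy URL, so those deserve the same check.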
@@ -265,6 +282,21 @@ jobs: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Configure GOPROXY + id: goproxy + run: | + if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then + echo "No Artifactory secrets available - using direct GOPROXY" + GOPROXY_VALUE="direct" + elif [[ "${{ inputs.is_production_release }}" == "true" ]] || [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then + echo "Production mode - using production Artifactory" + GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_ENDPOINT }}" + else + echo "Development mode - using dev Artifactory" + GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}" + fi + echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV + - name: Setup Golang Environment uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: @@ -445,12 +477,20 @@ jobs: name: CEL Tests runs-on: ubuntu-24.04 needs: vars - env: - GOPROXY: ${{ needs.vars.outputs.goproxy }} steps: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Configure GOPROXY + id: goproxy + run: | + if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then + GOPROXY_VALUE="direct" + else + GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}" + fi + echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV + - name: Setup Golang Environment uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: From bd529ba01614a48e5fe7444aef7e5f5f0a69bc93 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Mon, 29 Sep 2025 12:38:43 +0100 Subject: [PATCH 21/21] Only run on production release --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) 
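Review bot: Writing `GOPROXY=${GOPROXY_VALUE}` to `$GITHUB_ENV` in the assertion job puts a URL containing the Artifactory user and token into the environment of every later step, which per the other hunks in this series includes the external `nginxinc/compliance-rules` actions in a job that holds `id-token: write`. Log masking matches exact secret values only, so a tool that prints the variable in an encoded or truncated form could expose part of it. Consider setting `GOPROXY` through `env:` only on the steps that invoke `go`, or keeping the credentials out of the URL by supplying them in a `.netrc` entry for the proxy host, which the `go` command reads. Which steps need the proxy is not visible in this hunk, so confirm against the full job; the same applies to the copies in the other jobs.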
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f4972bddc5..fa06955e13 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -270,6 +270,7 @@ jobs: assertion: name: Generate and Sign Assertion Documents needs: [vars, binary] + if: ${{ inputs.is_production_release }} permissions: contents: read id-token: write # for compliance-rules action to sign assertion doc