From 5a4aac31dcf81d0aa9225bd9c035b163e83d813e Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Thu, 6 Nov 2025 12:00:01 +0000 Subject: [PATCH 1/6] Pull AWS secrets from Azure vault --- .github/workflows/build-artifacts.yml | 18 +++++++----------- Makefile | 2 +- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-artifacts.yml b/.github/workflows/build-artifacts.yml index 74c43984af..27e4859215 100644 --- a/.github/workflows/build-artifacts.yml +++ b/.github/workflows/build-artifacts.yml @@ -91,14 +91,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ inputs.go-path }} GOPROXY: ${{ inputs.go-proxy }} - AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }} - AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }} - AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }} - AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }} - AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }} - AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }} - AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }} - AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }} GORELEASER_CURRENT_TAG: "v${{ inputs.ic-version }}" if: ${{ inputs.force }} @@ -115,6 +107,10 @@ jobs: key: nginx-ingress-${{ inputs.go-md5 }} if: ${{ inputs.force }} + - name: Cleanup netrc + run: rm -f $HOME/.netrc + if: ${{ always() }} + # generate-assertion-doc: # if: ${{ github.event_name != 'pull_request' }} # name: Assertion Doc ${{ matrix.nic.arch }} @@ -190,9 +186,9 @@ jobs: # with: # assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} - - name: Cleanup netrc - run: rm -f $HOME/.netrc - if: ${{ always() }} + #  - name: Cleanup netrc + # run: rm -f $HOME/.netrc + # if: ${{ always() }} build-docker: name: Build Docker OSS diff --git a/Makefile b/Makefile index 7d6164d8fd..d610d08818 100644 --- a/Makefile +++ b/Makefile 
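Review bot: The eight `AWS_*` entries are dropped from the goreleaser step's `env:` in the first hunk, but nothing in this patch supplies them from anywhere else — the whole of build-artifacts.yml's 7 insertions are the netrc lines in the later hunks — so if the GoReleaser config or the build reads `AWS_PRODUCT_CODE`, `AWS_PUB_KEY` and the NAP variants from the environment, they are now empty, and the subject's "Pull AWS secrets from Azure vault" is not visible here. If an earlier step outside this hunk already exports them to the job environment, a comment above `GORELEASER_CURRENT_TAG` would save the next reader the search, e.g. `# AWS marketplace product codes/keys are exported to the job env by the '<step name>' step above`. Otherwise that fetch step belongs in this commit, with an `::add-mask::` on each value before it is written to `$GITHUB_ENV`. The enclosing job starts above the hunk, so I cannot see which of the two applies.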
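Review bot: The relocated `Cleanup netrc` step in the second hunk is a copy rather than a move — the original at the old position is only commented out in the third hunk (`#  - name: Cleanup netrc` and the two lines after it), which leaves dead YAML behind, and that first commented line appears to carry a non-ASCII space after the `#`; delete those three lines instead. On the live step, quote the path: `run: rm -f "$HOME/.netrc"`. A one-line comment naming the step that writes the `.netrc` (presumably the GOPROXY/private-module credential setup, but that step is outside the hunk) would make clear why the cleanup must stay immediately after the last step that needs the credential.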
@@ -140,7 +140,7 @@ endif .PHONY: build-goreleaser build-goreleaser: ## Build Ingress Controller binary using GoReleaser @goreleaser -v || (code=$$?; printf "\033[0;31mError\033[0m: there was a problem with GoReleaser. Follow the docs to install it https://goreleaser.com/install\n"; exit $$code) - GOOS=linux GOPATH=$(shell go env GOPATH) GOARCH=$(strip $(ARCH)) goreleaser build --clean --debug --snapshot --id kubernetes-ingress --single-target + GOOS=$(strip $(GOOS)) GOPATH=$(shell go env GOPATH) GOARCH=$(strip $(ARCH)) goreleaser build --clean --snapshot --id kubernetes-ingress --single-target .PHONY: debian-image debian-image: build ## Create Docker image for Ingress Controller (Debian) From ac10d3ca181b963c872a9991b234af143053d012 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 7 Nov 2025 15:43:23 +0000 Subject: [PATCH 2/6] Migrate openshift certification secrets to azure secret store --- .github/workflows/certify-ubi-image.yml | 26 +- .github/workflows/image-promotion.yml | 764 +++++++++++---------- .github/workflows/release.yml | 26 +- .github/workflows/update-docker-images.yml | 26 +- 4 files changed, 465 insertions(+), 377 deletions(-) diff --git a/.github/workflows/certify-ubi-image.yml b/.github/workflows/certify-ubi-image.yml index 7f26e16444..dd6f75629c 100644 --- a/.github/workflows/certify-ubi-image.yml +++ b/.github/workflows/certify-ubi-image.yml 
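Review bot: `GOOS=$(strip $(GOOS))` replaces the hard-coded `linux`, but unless `GOOS` is defined elsewhere in the Makefile (it is not in this hunk) the recipe now exports an empty `GOOS=`, and Go then falls back to the host OS — `make build-goreleaser` on a macOS workstation would silently produce a darwin binary where it previously always produced the linux one the container images expect. Add a default alongside the other variables, `GOOS ?= linux`, so the old behaviour is kept unless the caller overrides it.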
@@ -34,16 +34,38 @@ jobs: certify-ubi-images: name: Certify OpenShift UBI images runs-on: ubuntu-24.04 + environment: access + permissions: + contents: read + id-token: write steps: - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting PyAxis secrets for authenticated build" + PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_TOKEN" + echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT + PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" + echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image with: image: ${{ inputs.image }} - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} preflight_version: ${{ inputs.preflight_version }} submit: ${{ inputs.submit || true }} platforms: ${{ inputs.platforms }} diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 03f0a6381d..681ff442c5 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
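Review bot: The `Setup secrets` step has no check that the fetched values are non-empty: the `run` shell's default `-e` aborts if `az keyvault secret show` fails outright, but a vault entry that exists with an empty value passes straight through as an empty `project_id`/`pyxis_token` and only surfaces as a confusing failure inside the certify action; a guard after each fetch, `[ -n "$PYAXIS_TOKEN" ] || { echo "::error::nic-pyaxis-token is empty"; exit 1; }`, catches a misconfigured vault early. The same Azure login + vault fetch block is pasted verbatim into `image-promotion.yml`, `release.yml` and `update-docker-images.yml` in this commit; since `certify-ubi-image.yml` is already the reusable wrapper, moving the fetch into `./.github/actions/certify-openshift-image` (or having the other workflows call this workflow) would leave one copy to audit. Also consider the `NAME<<EOF` heredoc form for `$GITHUB_OUTPUT` so a value containing a newline cannot break or extend the output file. Naming nit: the service and the action input are Pyxis (`pyxis_token`), while the new shell variables and vault secret names say `PYAXIS`/`nic-pyaxis-*`; the shell variables at least could be `PYXIS_TOKEN` and `PYXIS_CERTIFICATION_PROJECT_ID`.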
@@ -178,392 +178,414 @@ jobs: pull-requests: write # for scout report tag-stable: - name: Tag build image as stable - needs: [checks, build-artifacts] - permissions: - contents: read # To checkout repository - id-token: write # To sign into Google Container Registry - uses: ./.github/workflows/retag-images.yml - with: - source_tag: ${{ needs.checks.outputs.build_tag }} - target_tag: ${{ needs.checks.outputs.stable_tag }} - dry_run: false - secrets: inherit + name: Tag build image as stable + needs: [checks, build-artifacts] + permissions: + contents: read # To checkout repository + id-token: write # To sign into Google Container Registry + uses: ./.github/workflows/retag-images.yml + with: + source_tag: ${{ needs.checks.outputs.build_tag }} + target_tag: ${{ needs.checks.outputs.stable_tag }} + dry_run: false + secrets: inherit tag-candidate: - # pushes edge or release images to gcr/dev - # for main: this keeps a copy of edge in gcr/dev - # for release-*: this stages a release candidate in gcr/dev which can be used for release promotion - name: Tag tested image as stable - needs: - - checks - - build-artifacts - - tag-stable - permissions: - contents: read # To checkout repository - id-token: write # To sign into Google Container Registry - uses: ./.github/workflows/retag-images.yml - with: - source_tag: ${{ needs.checks.outputs.stable_tag }} - target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || needs.checks.outputs.additional_tag }} - dry_run: false - secrets: inherit - if: ${{ !cancelled() && !failure() }} + # pushes edge or release images to gcr/dev + # for main: this keeps a copy of edge in gcr/dev + # for release-*: this stages a release candidate in gcr/dev which can be used for release promotion + name: Tag tested image as stable + needs: + - checks + - build-artifacts + - tag-stable + permissions: + contents: read # To checkout repository + id-token: write # To sign into Google Container Registry + uses: 
./.github/workflows/retag-images.yml + with: + source_tag: ${{ needs.checks.outputs.stable_tag }} + target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || needs.checks.outputs.additional_tag }} + dry_run: false + secrets: inherit + if: ${{ !cancelled() && !failure() }} release-oss: - # pushes edge images to docker hub - if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} - name: Release Docker OSS - needs: [checks, build-artifacts] - uses: ./.github/workflows/oss-release.yml - with: - gcr_release_registry: false - ecr_public_registry: true - dockerhub_public_registry: true - quay_public_registry: true - github_public_registry: true - source_tag: ${{ needs.checks.outputs.stable_tag }} - target_tag: "edge" - branch: ${{ github.ref_name }} - dry_run: false - permissions: - contents: read - id-token: write - packages: write - secrets: inherit + # pushes edge images to docker hub + if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} + name: Release Docker OSS + needs: [checks, build-artifacts] + uses: ./.github/workflows/oss-release.yml + with: + gcr_release_registry: false + ecr_public_registry: true + dockerhub_public_registry: true + quay_public_registry: true + github_public_registry: true + source_tag: ${{ needs.checks.outputs.stable_tag }} + target_tag: "edge" + branch: ${{ github.ref_name }} + dry_run: false + permissions: + contents: read + id-token: write + packages: write + secrets: inherit release-plus: - # pushes plus edge images to nginx registry - if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} - name: Release Docker Plus - needs: [checks, build-artifacts] - uses: ./.github/workflows/plus-release.yml - with: - nginx_registry: true - gcr_release_registry: false - gcr_mktpl_registry: false - ecr_mktpl_registry: false - az_mktpl_registry: false - source_tag: ${{ 
needs.checks.outputs.stable_tag }} - target_tag: "edge" - branch: ${{ github.ref_name }} - dry_run: false - permissions: - contents: read - id-token: write - secrets: inherit + # pushes plus edge images to nginx registry + if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} + name: Release Docker Plus + needs: [checks, build-artifacts] + uses: ./.github/workflows/plus-release.yml + with: + nginx_registry: true + gcr_release_registry: false + gcr_mktpl_registry: false + ecr_mktpl_registry: false + az_mktpl_registry: false + source_tag: ${{ needs.checks.outputs.stable_tag }} + target_tag: "edge" + branch: ${{ github.ref_name }} + dry_run: false + permissions: + contents: read + id-token: write + secrets: inherit publish-helm-chart: - if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} - name: Publish Helm Chart - needs: [checks] - uses: ./.github/workflows/publish-helm.yml - with: - branch: ${{ github.ref_name }} - ic_version: edge - chart_version: 0.0.0-edge - nginx_helm_repo: false - runner: "ubuntu-24.04-amd64" - permissions: - contents: write # for pushing to Helm Charts repository - packages: write # for helm to push to GHCR - secrets: inherit + if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} + name: Publish Helm Chart + needs: [checks] + uses: ./.github/workflows/publish-helm.yml + with: + branch: ${{ github.ref_name }} + ic_version: edge + chart_version: 0.0.0-edge + nginx_helm_repo: false + runner: "ubuntu-24.04-amd64" + permissions: + contents: write # for pushing to Helm Charts repository + packages: write # for helm to push to GHCR + secrets: inherit certify-openshift-images: - if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} - name: Certify OpenShift UBI images - runs-on: ubuntu-24.04 - needs: [release-oss] - steps: - - name: Checkout Repository - uses: 
actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Certify UBI OSS images in quay - uses: ./.github/actions/certify-openshift-image - continue-on-error: true - with: - image: quay.io/nginx/nginx-ingress:edge-ubi - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} - preflight_version: 1.14.1 + if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} + name: Certify OpenShift UBI images + runs-on: ubuntu-24.04 + environment: access + permissions: + contents: read + id-token: write + needs: [release-oss] + steps: + - name: Checkout Repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting PyAxis secrets for authenticated build" + PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_TOKEN" + echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT + PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" + echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + + - name: Certify UBI OSS images in quay + uses: ./.github/actions/certify-openshift-image + continue-on-error: true + with: + image: quay.io/nginx/nginx-ingress:edge-ubi + project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + preflight_version: 1.14.1 scan-docker-oss: - name: 
Scan ${{ matrix.image }} - runs-on: ubuntu-24.04 - needs: [checks, tag-candidate] - permissions: - contents: read - id-token: write - security-events: write - if: ${{ !cancelled() && !failure() }} - strategy: - fail-fast: false - matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} - steps: - - name: Checkout Repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Make directory for security scan results - id: directory - run: | - directory=${{ matrix.image }}-results - echo "directory=${directory}" >> $GITHUB_OUTPUT - mkdir -p "${directory}" - - - name: Docker meta - id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 - with: - context: workflow - images: | - name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress - flavor: | - suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }} - tags: | - type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 - with: - token_format: access_token - workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - - - name: Login to GCR - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - registry: gcr.io - username: oauth2accesstoken - password: ${{ steps.auth.outputs.access_token }} - - - name: DockerHub Login for Docker Scout - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Run Docker Scout vulnerability scanner - id: docker-scout - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 - with: - command: cves - image: ${{ 
steps.meta.outputs.tags }} - ignore-base: true - sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" - write-comment: false - github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment - summary: true - - - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" - path: "${{ steps.directory.outputs.directory }}/" - overwrite: true - - - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 - with: - sarif_file: "${{ steps.directory.outputs.directory }}/" + name: Scan ${{ matrix.image }} + runs-on: ubuntu-24.04 + needs: [checks, tag-candidate] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} + steps: + - name: Checkout Repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Make directory for security scan results + id: directory + run: | + directory=${{ matrix.image }}-results + echo "directory=${directory}" >> $GITHUB_OUTPUT + mkdir -p "${directory}" + + - name: Docker meta + id: meta + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + with: + context: workflow + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress + flavor: | + suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }} + tags: | + type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 + with: + token_format: access_token + 
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: DockerHub Login for Docker Scout + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Run Docker Scout vulnerability scanner + id: docker-scout + uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 + with: + command: cves + image: ${{ steps.meta.outputs.tags }} + ignore-base: true + sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" + write-comment: false + github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment + summary: true + + - name: Upload Scan Results to Github Artifacts + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" + path: "${{ steps.directory.outputs.directory }}/" + overwrite: true + + - name: Upload Scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 + with: + sarif_file: "${{ steps.directory.outputs.directory }}/" scan-docker-plus: - name: Scan ${{ matrix.image }}-${{ matrix.target }} - runs-on: ubuntu-24.04 - needs: [checks, tag-candidate] - permissions: - contents: read - id-token: write - security-events: write - if: ${{ !cancelled() && !failure() }} - strategy: - fail-fast: false - matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} - steps: - - name: Checkout Repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Make directory for security scan results - id: directory - run: 
| - directory=${{ matrix.image }}-${{ matrix.target }}-results - echo "directory=${directory}" >> $GITHUB_OUTPUT - mkdir -p "${directory}" - - - name: Docker meta - id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 - with: - context: workflow - images: | - name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress - flavor: | - suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} - tags: | - type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 - with: - token_format: access_token - workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - - - name: Login to GCR - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - registry: gcr.io - username: oauth2accesstoken - password: ${{ steps.auth.outputs.access_token }} - - - name: DockerHub Login for Docker Scout - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Run Docker Scout vulnerability scanner - id: docker-scout - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 - with: - command: cves - image: ${{ steps.meta.outputs.tags }} - ignore-base: true - sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" - write-comment: false - github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment - summary: true - - - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # 
v5.0.0 - with: - name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" - path: "${{ steps.directory.outputs.directory }}/" - overwrite: true - - - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 - with: - sarif_file: "${{ steps.directory.outputs.directory }}/" + name: Scan ${{ matrix.image }}-${{ matrix.target }} + runs-on: ubuntu-24.04 + needs: [checks, tag-candidate] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} + steps: + - name: Checkout Repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Make directory for security scan results + id: directory + run: | + directory=${{ matrix.image }}-${{ matrix.target }}-results + echo "directory=${directory}" >> $GITHUB_OUTPUT + mkdir -p "${directory}" + + - name: Docker meta + id: meta + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + with: + context: workflow + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress + flavor: | + suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} + tags: | + type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: 
docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: DockerHub Login for Docker Scout + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Run Docker Scout vulnerability scanner + id: docker-scout + uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 + with: + command: cves + image: ${{ steps.meta.outputs.tags }} + ignore-base: true + sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" + write-comment: false + github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment + summary: true + + - name: Upload Scan Results to Github Artifacts + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" + path: "${{ steps.directory.outputs.directory }}/" + overwrite: true + + - name: Upload Scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 + with: + sarif_file: "${{ steps.directory.outputs.directory }}/" scan-docker-nap: - name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }} - runs-on: ubuntu-24.04 - needs: [checks, tag-candidate] - permissions: - contents: read - id-token: write - security-events: write - if: ${{ !cancelled() && !failure() }} - strategy: - fail-fast: false - matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} - steps: - - name: Checkout Repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: NAP modules - id: nap_modules - run: | - [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}" - echo "name=${name}" >> $GITHUB_OUTPUT - if: 
${{ matrix.nap_modules != '' }} - - - name: Make directory for security scan results - id: directory - run: | - directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results - echo "directory=${directory}" >> $GITHUB_OUTPUT - mkdir -p "${directory}" - - - name: Docker meta - id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 - with: - context: workflow - images: | - name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress - flavor: | - suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} - tags: | - type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 - with: - token_format: access_token - workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - - - name: Login to GCR - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - registry: gcr.io - username: oauth2accesstoken - password: ${{ steps.auth.outputs.access_token }} - - - name: DockerHub Login for Docker Scout - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Run Docker Scout vulnerability scanner - id: docker-scout - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 - with: - command: cves - image: ${{ steps.meta.outputs.tags }} - ignore-base: true - 
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" - write-comment: false - github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment - summary: true - - - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" - path: "${{ steps.directory.outputs.directory }}/" - overwrite: true - - - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 - with: - sarif_file: "${{ steps.directory.outputs.directory }}/" - continue-on-error: true + name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }} + runs-on: ubuntu-24.04 + needs: [checks, tag-candidate] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} + steps: + - name: Checkout Repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: NAP modules + id: nap_modules + run: | + [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}" + echo "name=${name}" >> $GITHUB_OUTPUT + if: ${{ matrix.nap_modules != '' }} + + - name: Make directory for security scan results + id: directory + run: | + directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results + echo "directory=${directory}" >> $GITHUB_OUTPUT + mkdir -p "${directory}" + + - name: Docker meta + id: meta + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + with: + context: workflow + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ 
contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress + flavor: | + suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} + tags: | + type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: DockerHub Login for Docker Scout + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Run Docker Scout vulnerability scanner + id: docker-scout + uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 + with: + command: cves + image: ${{ steps.meta.outputs.tags }} + ignore-base: true + sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" + write-comment: false + github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment + summary: true + + - name: Upload Scan Results to Github Artifacts + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" + path: "${{ steps.directory.outputs.directory }}/" + overwrite: true + + - name: Upload Scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # 
v4.31.2 + with: + sarif_file: "${{ steps.directory.outputs.directory }}/" + continue-on-error: true update-release-draft: - name: Update Release Draft - runs-on: ubuntu-24.04 - needs: [checks] - permissions: - contents: write - steps: - - name: Checkout Repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Create/Update Draft - uses: lucacome/draft-release@45e4395a3d8463abdb1747b20445b9be16ef6409 # v2.0.1 - id: release-notes - with: - minor-label: "enhancement" - major-label: "change" - publish: false - collapse-after: 50 - variables: | - helm-chart=${{ needs.checks.outputs.chart_version }} - notes-footer: | - ## Upgrade - - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). - - For NGINX Plus, use the {{version}} images from the F5 Container registry or build your own image using the {{version}} source code. - - For Helm, use version {{helm-chart}} of the chart. 
- - ## Resources - - Documentation -- https://docs.nginx.com/nginx-ingress-controller/ - - Configuration examples -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/examples - - Helm Chart -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/deployments/helm-chart - - Operator -- https://github.com/nginx/nginx-ingress-helm-operator - if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }} + name: Update Release Draft + runs-on: ubuntu-24.04 + needs: [checks] + permissions: + contents: write + steps: + - name: Checkout Repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Create/Update Draft + uses: lucacome/draft-release@45e4395a3d8463abdb1747b20445b9be16ef6409 # v2.0.1 + id: release-notes + with: + minor-label: "enhancement" + major-label: "change" + publish: false + collapse-after: 50 + variables: | + helm-chart=${{ needs.checks.outputs.chart_version }} + notes-footer: | + ## Upgrade + - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). + - For NGINX Plus, use the {{version}} images from the F5 Container registry or build your own image using the {{version}} source code. + - For Helm, use version {{helm-chart}} of the chart. 
+ + ## Resources + - Documentation -- https://docs.nginx.com/nginx-ingress-controller/ + - Configuration examples -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/examples + - Helm Chart -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/deployments/helm-chart + - Operator -- https://github.com/nginx/nginx-ingress-helm-operator + if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 88e2f3baa7..f2e68171e2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -324,6 +324,10 @@ jobs: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }} name: Certify OpenShift UBI images runs-on: ubuntu-24.04 + environment: access + permissions: + contents: read + id-token: write needs: [release-oss] steps: - name: Checkout Repository 
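Review bot: Of this hunk's 392 old / 414 new lines only the 22 additions and the two replaced `with:` lines in `certify-openshift-images` are functional; everything else appears to be a whitespace-only re-indentation of every job in the file, which buries the secrets change in review and makes `git blame` on this file useless — please land the re-indent as its own commit. Two things on the new side are worth fixing while here. In `scan-docker-nap` the `NAP modules` step assigns `modules="waf-dos"` but emits `name=${name}`, so for `nap_modules: waf,dos` the `name` output is empty and the results directory becomes `<image>-<target>--results`; the assignment should be `name="waf-dos"`. In `certify-openshift-images` the certify step keeps `continue-on-error: true` while the new `Azure login` and `Setup secrets` steps do not, so a Key Vault hiccup now hard-fails the job where a certification failure does not — `release.yml` has the same asymmetry; hard-failing on a missing credential is the safer choice (it cannot silently skip certification), but the intent deserves a comment on the certify step, e.g. `# tolerate Pyxis/preflight failures, never a missing credential`.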
@@ -331,13 +335,31 @@ jobs: with: ref: ${{ inputs.release_branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting PyAxis secrets for authenticated build" + PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_TOKEN" + echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT + PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" + echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image continue-on-error: true with: image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} preflight_version: 1.14.1 operator: diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index b8c8811543..2646bc034d 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml 
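Review bot: The `>> $GITHUB_OUTPUT` writes in the new Setup secrets step use the single-line `KEY=value` form, so a vault value containing a newline would break the output-file format (the runner rejects malformed lines), and `$GITHUB_OUTPUT` itself is unquoted. The runner's delimiter form handles arbitrary values: `{ echo "PYAXIS_TOKEN<<EOF"; echo "$PYAXIS_TOKEN"; echo EOF; } >> "$GITHUB_OUTPUT"` (same for the project id), using a delimiter that cannot occur in the value. Emitting `::add-mask::` before the write, as the step already does, is the right order and should stay in front of the delimiter block. The update-docker-images.yml hunk `@@ -172,17 +172,39 @@` and the PLUS_JWT setup steps in PATCH 3/6 have the same shape.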
@@ -172,17 +172,39 @@ jobs: certify-openshift-images: name: Certify OpenShift UBI images runs-on: ubuntu-24.04 + environment: access + permissions: + contents: read + id-token: write needs: [variables, release-oss-public] steps: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting PyAxis secrets for authenticated build" + PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_TOKEN" + echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT + PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" + echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image with: image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} platforms: "" preflight_version: 1.14.1 submit: ${{ ! inputs.dry_run || true }} From d55afad7b8527fdd3601a9ceb6d58f06817ea209 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Fri, 7 Nov 2025 16:33:06 +0000 Subject: [PATCH 3/6] Add Plus JWT to secure secret store --- .github/workflows/ci.yml | 22 +++++++++- .github/workflows/regression.yml | 40 ++++++++++++++++++- .github/workflows/setup-smoke.yml | 22 +++++++++- .github/workflows/single-image-regression.yml | 18 +++++++++ 4 files changed, 98 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c4cfdb0aa2..0e368d6ed4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -411,6 +411,7 @@ jobs: if: ${{ needs.checks.outputs.docs_only != 'true' && (inputs.run_tests && inputs.run_tests || true) }} name: Helm Tests ${{ matrix.base-os }} runs-on: ubuntu-24.04 + environment: access needs: [checks, build-artifacts] strategy: fail-fast: false @@ -436,6 +437,25 @@ jobs: with: version: 'v3.18.6' + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ needs.checks.outputs.forked_workflow != 'true' }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + if: ${{ needs.checks.outputs.forked_workflow != 'true' }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
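Review bot: `PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt')` in the new Setup secrets step prints the literal string `null` and exits 0 when the vault JSON has no `jwt` key, so a masked `null` would flow silently into the later `kubectl create secret` call; `PLUS_JWT=$(jq -er '.jwt' <<<"$PLUS_CREDS")` makes the step fail under the runner's default `bash -e` instead and also avoids word-splitting the unquoted `$PLUS_CREDS`. Separately, the Azure login step supplies only client, tenant and subscription ids, which is the OIDC flow and requires `id-token: write` on the job; the `@@ -411` hunk adds `environment: access` but no `permissions:` block (the certify jobs in PATCH 2/6 do add one), so confirm that helm-tests inherits it from a workflow-level `permissions:` — that part of the file is outside the hunk. The same `jq` line appears in regression.yml (`@@ -139`, `@@ -247`), setup-smoke.yml (`@@ -61`) and single-image-regression.yml (`@@ -73`).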
@@ -505,7 +525,7 @@ jobs: if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Create Plus Secret - run: kubectl create secret generic license-token --from-literal=license.jwt="${{ secrets.PLUS_JWT }}" --type="nginx.com/license" + run: kubectl create secret generic license-token --from-literal=license.jwt="${{ steps.secrets.outputs.PLUS_JWT }}" --type="nginx.com/license" if: ${{ matrix.type == 'plus' && steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Install Chart diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 14724b4c88..33d10edc3d 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -112,6 +112,7 @@ jobs: helm-tests: name: Helm Tests ${{ matrix.base-os }} runs-on: ubuntu-24.04 + environment: access needs: [checks] strategy: fail-fast: false @@ -139,6 +140,23 @@ jobs: with: version: 'v3.18.6' + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
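Review bot: The rewritten `Create Plus Secret` line still splices the token into the command text via `${{ steps.secrets.outputs.PLUS_JWT }}`, so the JWT becomes part of the shell script the runner generates rather than an environment variable; passing it as `env: PLUS_JWT: ${{ steps.secrets.outputs.PLUS_JWT }}` and writing `--from-literal=license.jwt="$PLUS_JWT"` keeps it out of the generated script, which is the pattern GitHub recommends for any value used in `run:`. Unlike `secrets.PLUS_JWT`, a step output is only masked because the setup step called `::add-mask::`, so the two steps are now order-dependent; when the setup step is skipped by its `if:` the output is empty and the license secret is created with an empty `license.jwt`, presumably matching the old fork behaviour, but a one-line comment on the step saying so would help. The regression.yml hunk `@@ -165,7 +183,7 @@` changes the same line.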
@@ -165,7 +183,7 @@ jobs: kind load docker-image "${{ matrix.image }}:${{ matrix.tag }}" --name ${{ github.run_id }} - name: Create Plus Secret - run: kubectl create secret generic license-token --from-literal=license.jwt="${{ secrets.PLUS_JWT }}" --type="nginx.com/license" + run: kubectl create secret generic license-token --from-literal=license.jwt="${{ steps.secrets.outputs.PLUS_JWT }}" --type="nginx.com/license" - name: Install Chart run: > @@ -228,6 +246,7 @@ jobs: regression-tests: name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} regression tests runs-on: ubuntu-24.04 + environment: access needs: [checks, setup-regression-matrix] strategy: fail-fast: false 
@@ -247,6 +266,23 @@ jobs: echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.images.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.images.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.images.image, 'v5') && '-v5' || '' }}/nginx${{ contains(matrix.images.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT echo "tag=${{ needs.checks.outputs.stable_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -291,7 +327,7 @@ jobs: azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} registry-token: ${{ steps.auth.outputs.access_token }} test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt', './tests/Dockerfile') || 'latest' }}" - plus-jwt: ${{ secrets.PLUS_JWT }} + plus-jwt: ${{ steps.secrets.outputs.PLUS_JWT }} - name: Upload Test Results uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index a54ba7265e..04f647fbcb 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -46,6 +46,7 @@ permissions: jobs: setup-smoke: + environment: access permissions: contents: read # for docker/build-push-action to read repo content id-token: write # for OIDC login to GCR @@ -61,6 +62,25 @@ jobs: echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
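Review bot: The existing `id-token: write # for OIDC login to GCR` comment on the setup-smoke job is now out of date, since the Azure login step added in `@@ -61` also consumes the OIDC token; change it to `id-token: write # for OIDC login to GCR and Azure (key vault)`. `environment: access` is added unconditionally while both Azure steps are gated on `if: ${{ inputs.authenticated }}`, so unauthenticated runs would still be subject to any protection rules attached to that environment; if that is unintended it is worth noting, although PATCH 6/6 removes the line again. The rest of the job header is outside the hunk.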
@@ -168,7 +188,7 @@ jobs: azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} registry-token: ${{ steps.auth.outputs.access_token }} test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt', './tests/Dockerfile') || 'latest' }}" - plus-jwt: ${{ secrets.PLUS_JWT }} + plus-jwt: ${{ steps.secrets.outputs.PLUS_JWT }} if: ${{ steps.stable_exists.outputs.exists != 'true' }} - name: Upload Test Results diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index b1a34a53a8..a471ee9927 100644 --- a/.github/workflows/single-image-regression.yml +++ b/.github/workflows/single-image-regression.yml @@ -66,6 +66,7 @@ jobs: checks: name: Run regression runs-on: ubuntu-24.04 + environment: access permissions: contents: read id-token: write @@ -73,6 +74,23 @@ jobs: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for authenticated build" + PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') + echo "::add-mask::$PLUS_JWT" + echo "PLUS_JWT=$PLUS_JWT" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 From dc3c8191a658df4c33f93b445321e2da444d9231 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Fri, 7 Nov 2025 16:40:31 +0000 Subject: [PATCH 4/6] Adjust wording --- .github/workflows/certify-ubi-image.yml | 2 +- .github/workflows/ci.yml | 2 +- .github/workflows/image-promotion.yml | 2 +- .github/workflows/regression.yml | 4 ++-- .github/workflows/release.yml | 2 +- .github/workflows/setup-smoke.yml | 2 +- .github/workflows/single-image-regression.yml | 2 +- .github/workflows/update-docker-images.yml | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/certify-ubi-image.yml b/.github/workflows/certify-ubi-image.yml index dd6f75629c..42626e6746 100644 --- a/.github/workflows/certify-ubi-image.yml +++ b/.github/workflows/certify-ubi-image.yml @@ -52,7 +52,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting PyAxis secrets for authenticated build" + echo "Setting secrets for job" PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PYAXIS_TOKEN" echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0e368d6ed4..50a0451ab8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -448,7 +448,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 681ff442c5..568ab6ef65 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
@@ -292,7 +292,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting PyAxis secrets for authenticated build" + echo "Setting secrets for job" PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PYAXIS_TOKEN" echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 33d10edc3d..32a6c8ad1d 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -150,7 +150,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') @@ -276,7 +276,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f2e68171e2..7069cb766b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -345,7 +345,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting PyAxis secrets for authenticated build" + echo "Setting secrets for job" PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PYAXIS_TOKEN" echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 04f647fbcb..0c25f2f637 100644 --- a/.github/workflows/setup-smoke.yml 
+++ b/.github/workflows/setup-smoke.yml @@ -73,7 +73,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index a471ee9927..f0a0e4baf0 100644 --- a/.github/workflows/single-image-regression.yml +++ b/.github/workflows/single-image-regression.yml @@ -84,7 +84,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting secrets for authenticated build" + echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 2646bc034d..95b2d88e92 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -191,7 +191,7 @@ jobs: - name: Setup secrets id: secrets run: | - echo "Setting PyAxis secrets for authenticated build" + echo "Setting secrets for job" PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PYAXIS_TOKEN" echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT From 98ceb2d6222ce6fbd4c86cf3c6658b1665d82803 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Mon, 10 Nov 2025 09:14:04 +0000 Subject: [PATCH 5/6] Address copilot feedback --- .../actions/certify-openshift-image/action.yml | 2 +- .github/workflows/certify-ubi-image.yml | 16 ++++++++-------- .github/workflows/ci.yml | 2 +- .github/workflows/image-promotion.yml | 16 ++++++++-------- .github/workflows/regression.yml | 4 ++-- .github/workflows/release.yml | 16 ++++++++-------- .github/workflows/setup-smoke.yml | 2 +- .github/workflows/single-image-regression.yml | 2 +- .github/workflows/update-docker-images.yml | 16 ++++++++-------- 9 files changed, 38 insertions(+), 38 deletions(-) diff --git a/.github/actions/certify-openshift-image/action.yml b/.github/actions/certify-openshift-image/action.yml index f7faa8849b..1c337a237a 100644 --- a/.github/actions/certify-openshift-image/action.yml +++ b/.github/actions/certify-openshift-image/action.yml @@ -20,7 +20,7 @@ inputs: required: false default: "amd64,arm64" submit: - description: Submit results to Redhat PYAXIS + description: Submit results to Redhat PYXIS required: false default: true diff --git a/.github/workflows/certify-ubi-image.yml b/.github/workflows/certify-ubi-image.yml index 42626e6746..9d7bf59c2a 100644 --- a/.github/workflows/certify-ubi-image.yml +++ b/.github/workflows/certify-ubi-image.yml 
@@ -53,19 +53,19 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_TOKEN" - echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT - PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" - echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image with: image: ${{ inputs.image }} - project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} preflight_version: ${{ inputs.preflight_version }} submit: ${{ inputs.submit || true }} platforms: ${{ inputs.platforms }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 50a0451ab8..f2b5a4e336 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -449,7 +449,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 568ab6ef65..c10beda8de 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
@@ -293,20 +293,20 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_TOKEN" - echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT - PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" - echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image continue-on-error: true with: image: quay.io/nginx/nginx-ingress:edge-ubi - project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} preflight_version: 1.14.1 scan-docker-oss: diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 32a6c8ad1d..6058dedf4c 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml 
@@ -151,7 +151,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" @@ -277,7 +277,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7069cb766b..0cc3e81035 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -346,20 +346,20 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_TOKEN" - echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT - PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" - echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image continue-on-error: true with: image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi - project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} preflight_version: 1.14.1 operator: diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 0c25f2f637..701f951704 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml 
@@ -74,7 +74,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index f0a0e4baf0..e0feafd6d9 100644 --- a/.github/workflows/single-image-regression.yml +++ b/.github/workflows/single-image-regression.yml @@ -85,7 +85,7 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PLUS_CREDS=$(az keyvault secret show --name plus-cred --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" PLUS_JWT=$(echo $PLUS_CREDS | jq -r '.jwt') echo "::add-mask::$PLUS_JWT" diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 95b2d88e92..e39afb1838 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml 
@@ -192,19 +192,19 @@ jobs: id: secrets run: | echo "Setting secrets for job" - PYAXIS_TOKEN=$(az keyvault secret show --name nic-pyaxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_TOKEN" - echo "PYAXIS_TOKEN=$PYAXIS_TOKEN" >> $GITHUB_OUTPUT - PYAXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyaxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) - echo "::add-mask::$PYAXIS_CERTIFICATION_PROJECT_ID" - echo "PYAXIS_CERTIFICATION_PROJECT_ID=$PYAXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT + PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_TOKEN" + echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> $GITHUB_OUTPUT + PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID" + echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> $GITHUB_OUTPUT - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image with: image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi - project_id: ${{ steps.secrets.outputs.PYAXIS_CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ steps.secrets.outputs.PYAXIS_TOKEN }} + project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }} + pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }} platforms: "" preflight_version: 1.14.1 submit: ${{ ! inputs.dry_run || true }} From 4746e3cd48560acefb70e2c44bcedcaa7cb19dfc Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Mon, 10 Nov 2025 10:49:40 +0000 Subject: [PATCH 6/6] Remove access environment --- .github/workflows/certify-ubi-image.yml | 1 - .github/workflows/ci.yml | 1 - .github/workflows/image-promotion.yml | 1 - .github/workflows/regression.yml | 2 -- .github/workflows/release.yml | 1 - .github/workflows/setup-smoke.yml | 1 - .github/workflows/single-image-regression.yml | 1 - .github/workflows/update-docker-images.yml | 1 - 8 files changed, 9 deletions(-) diff --git a/.github/workflows/certify-ubi-image.yml b/.github/workflows/certify-ubi-image.yml index 9d7bf59c2a..e3ea9c121a 100644 --- a/.github/workflows/certify-ubi-image.yml +++ b/.github/workflows/certify-ubi-image.yml @@ -34,7 +34,6 @@ jobs: certify-ubi-images: name: Certify OpenShift UBI images runs-on: ubuntu-24.04 - environment: access permissions: contents: read id-token: write diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f2b5a4e336..e60ca96741 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -411,7 +411,6 @@ jobs: if: ${{ needs.checks.outputs.docs_only != 'true' && (inputs.run_tests && inputs.run_tests || true) }} name: Helm Tests ${{ matrix.base-os }} runs-on: ubuntu-24.04 - environment: access needs: [checks, build-artifacts] strategy: fail-fast: false diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index c10beda8de..7ae0a64961 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -273,7 +273,6 @@ jobs: if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} name: Certify OpenShift UBI images runs-on: ubuntu-24.04 - environment: access permissions: contents: read id-token: write diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 6058dedf4c..448052bbd6 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml 
@@ -112,7 +112,6 @@ jobs:
 helm-tests:
 name: Helm Tests ${{ matrix.base-os }}
 runs-on: ubuntu-24.04
- environment: access
 needs: [checks]
 strategy:
 fail-fast: false
@@ -246,7 +245,6 @@ jobs:
 regression-tests:
 name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} regression tests
 runs-on: ubuntu-24.04
- environment: access
 needs: [checks, setup-regression-matrix]
 strategy:
 fail-fast: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0cc3e81035..005a5dcefe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -324,7 +324,6 @@ jobs:
 if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }}
 name: Certify OpenShift UBI images
 runs-on: ubuntu-24.04
- environment: access
 permissions:
 contents: read
 id-token: write
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
index 701f951704..f9ae884afd 100644
--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -46,7 +46,6 @@ permissions:
 jobs:
 setup-smoke:
- environment: access
 permissions:
 contents: read # for docker/build-push-action to read repo content
 id-token: write # for OIDC login to GCR
diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml
index e0feafd6d9..db3d52305b 100644
--- a/.github/workflows/single-image-regression.yml
+++ b/.github/workflows/single-image-regression.yml
@@ -66,7 +66,6 @@ jobs:
 checks:
 name: Run regression
 runs-on: ubuntu-24.04
- environment: access
 permissions:
 contents: read
 id-token: write
diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml
index e39afb1838..64660a79ee 100644
--- a/.github/workflows/update-docker-images.yml
+++ b/.github/workflows/update-docker-images.yml
@@ -172,7 +172,6 @@ jobs:
 certify-openshift-images:
 name: Certify OpenShift UBI images
 runs-on: ubuntu-24.04
- environment: access
 permissions:
 contents: read
 id-token: write
