From b9b71df76848fba9ef5bcf55d7d0bfdd17908051 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 12 Nov 2025 11:34:59 +0000
Subject: [PATCH 1/3] Migrate docker credentials to Azure Vault
---
.github/workflows/build-oss.yml | 24 +-
.github/workflows/build-plus.yml | 24 +-
.github/workflows/dockerhub-description.yml | 25 +-
.github/workflows/image-promotion.yml | 796 +++++++++++---------
.github/workflows/oss-release.yml | 22 +-
.github/workflows/publish-helm.yml | 23 +-
6 files changed, 533 insertions(+), 381 deletions(-)
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 27db030757..dc8b10f910 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -61,6 +61,26 @@ jobs:
ref: ${{ inputs.branch }}
fetch-depth: 0
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+ if: ${{ inputs.authenticated }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_USERNAME"
+ echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+ DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_PASSWORD"
+ echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+ if: ${{ inputs.authenticated }}
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
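Review bot: The `Setup secrets` step interpolates `${{ secrets.COMMON_KEYVAULT_NAME }}` directly into the `run:` script twice and appends to an unquoted `$GITHUB_OUTPUT`; pass the vault name through the step's `env:` instead (`env:` with `VAULT_NAME: ${{ secrets.COMMON_KEYVAULT_NAME }}`, then `--vault-name "$VAULT_NAME"`) so the shell sees a variable rather than template-expanded text, and quote `"$GITHUB_OUTPUT"`. The same Azure login plus Key Vault retrieval block is pasted verbatim into build-plus.yml, dockerhub-description.yml and the scan jobs of image-promotion.yml; the repository already uses composite actions under `./.github/actions/`, so a single composite action (for example `./.github/actions/azure-docker-credentials`, a constructed name) exposing `docker_username`/`docker_password` outputs would keep the masking and retrieval logic in one place. The step id `secrets` also makes `steps.secrets.outputs.DOCKER_USERNAME` read like the `secrets` context; an id such as `vault` is less ambiguous. If a Key Vault value could ever contain a newline, the `KEY=VALUE` form written to `$GITHUB_OUTPUT` would break and the heredoc multiline form would be needed, though that is probably not the case for these credentials. The enclosing job's `permissions` and earlier steps are outside the hunk.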
@@ -81,8 +101,8 @@ jobs:
- name: DockerHub Login
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
+ username: ${{ steps.secrets.outputs.DOCKER_USERNAME }}
+ password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }}
if: ${{ inputs.authenticated }}
- name: Docker meta
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 025340a5d0..331eaf91f6 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -63,6 +63,26 @@ jobs:
ref: ${{ inputs.branch }}
fetch-depth: 0
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+ if: ${{ inputs.authenticated }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_USERNAME"
+ echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+ DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_PASSWORD"
+ echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+ if: ${{ inputs.authenticated }}
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
@@ -83,8 +103,8 @@ jobs:
- name: DockerHub Login
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
+ username: ${{ steps.secrets.outputs.DOCKER_USERNAME }}
+ password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }}
if: ${{ inputs.authenticated }}
- name: NAP modules
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
index 737cec7d67..33660ff111 100644
--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -17,6 +17,9 @@ permissions:
jobs:
dockerHubDescription:
runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ id-token: write
if: ${{ github.event.repository.fork == false }}
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
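Review bot: The new job-level `permissions` block carries no comment explaining why `id-token: write` is now required, while the sibling jobs in image-promotion.yml annotate the same grant (`id-token: write # To sign into Google Container Registry`); a matching `id-token: write # OIDC token for azure/login` keeps the files consistent and tells the next reader which step needs it. Setting a job-level block also drops every unlisted scope of GITHUB_TOKEN to none; the checkout on the last context line is covered by `contents: read`, and `peter-evans/dockerhub-description` in the next hunk authenticates with the Docker Hub credentials rather than GITHUB_TOKEN, so nothing visible here loses access. The build-oss.yml and build-plus.yml hunks add the same `azure/login` step but their job permissions are outside those hunks; if those jobs do not already grant `id-token: write`, the OIDC request will fail before the Key Vault lookups run.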
@@ -25,10 +28,28 @@ jobs:
run: |
sed -i '3,4d' README.md
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_USERNAME"
+ echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+ DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_PASSWORD"
+ echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+
- name: Docker Hub Description
uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0
with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
+ username: ${{ steps.secrets.outputs.DOCKER_USERNAME }}
+ password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }}
repository: nginx/nginx-ingress
short-description: ${{ github.event.repository.description }}
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index 03f0a6381d..ce923b41a5 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -178,392 +178,446 @@ jobs:
pull-requests: write # for scout report
tag-stable:
- name: Tag build image as stable
- needs: [checks, build-artifacts]
- permissions:
- contents: read # To checkout repository
- id-token: write # To sign into Google Container Registry
- uses: ./.github/workflows/retag-images.yml
- with:
- source_tag: ${{ needs.checks.outputs.build_tag }}
- target_tag: ${{ needs.checks.outputs.stable_tag }}
- dry_run: false
- secrets: inherit
+ name: Tag build image as stable
+ needs: [checks, build-artifacts]
+ permissions:
+ contents: read # To checkout repository
+ id-token: write # To sign into Google Container Registry
+ uses: ./.github/workflows/retag-images.yml
+ with:
+ source_tag: ${{ needs.checks.outputs.build_tag }}
+ target_tag: ${{ needs.checks.outputs.stable_tag }}
+ dry_run: false
+ secrets: inherit
tag-candidate:
- # pushes edge or release images to gcr/dev
- # for main: this keeps a copy of edge in gcr/dev
- # for release-*: this stages a release candidate in gcr/dev which can be used for release promotion
- name: Tag tested image as stable
- needs:
- - checks
- - build-artifacts
- - tag-stable
- permissions:
- contents: read # To checkout repository
- id-token: write # To sign into Google Container Registry
- uses: ./.github/workflows/retag-images.yml
- with:
- source_tag: ${{ needs.checks.outputs.stable_tag }}
- target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || needs.checks.outputs.additional_tag }}
- dry_run: false
- secrets: inherit
- if: ${{ !cancelled() && !failure() }}
+ # pushes edge or release images to gcr/dev
+ # for main: this keeps a copy of edge in gcr/dev
+ # for release-*: this stages a release candidate in gcr/dev which can be used for release promotion
+ name: Tag tested image as stable
+ needs:
+ - checks
+ - build-artifacts
+ - tag-stable
+ permissions:
+ contents: read # To checkout repository
+ id-token: write # To sign into Google Container Registry
+ uses: ./.github/workflows/retag-images.yml
+ with:
+ source_tag: ${{ needs.checks.outputs.stable_tag }}
+ target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || needs.checks.outputs.additional_tag }}
+ dry_run: false
+ secrets: inherit
+ if: ${{ !cancelled() && !failure() }}
release-oss:
- # pushes edge images to docker hub
- if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
- name: Release Docker OSS
- needs: [checks, build-artifacts]
- uses: ./.github/workflows/oss-release.yml
- with:
- gcr_release_registry: false
- ecr_public_registry: true
- dockerhub_public_registry: true
- quay_public_registry: true
- github_public_registry: true
- source_tag: ${{ needs.checks.outputs.stable_tag }}
- target_tag: "edge"
- branch: ${{ github.ref_name }}
- dry_run: false
- permissions:
- contents: read
- id-token: write
- packages: write
- secrets: inherit
+ # pushes edge images to docker hub
+ if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
+ name: Release Docker OSS
+ needs: [checks, build-artifacts]
+ uses: ./.github/workflows/oss-release.yml
+ with:
+ gcr_release_registry: false
+ ecr_public_registry: true
+ dockerhub_public_registry: true
+ quay_public_registry: true
+ github_public_registry: true
+ source_tag: ${{ needs.checks.outputs.stable_tag }}
+ target_tag: "edge"
+ branch: ${{ github.ref_name }}
+ dry_run: false
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+ secrets: inherit
release-plus:
- # pushes plus edge images to nginx registry
- if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
- name: Release Docker Plus
- needs: [checks, build-artifacts]
- uses: ./.github/workflows/plus-release.yml
- with:
- nginx_registry: true
- gcr_release_registry: false
- gcr_mktpl_registry: false
- ecr_mktpl_registry: false
- az_mktpl_registry: false
- source_tag: ${{ needs.checks.outputs.stable_tag }}
- target_tag: "edge"
- branch: ${{ github.ref_name }}
- dry_run: false
- permissions:
- contents: read
- id-token: write
- secrets: inherit
+ # pushes plus edge images to nginx registry
+ if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
+ name: Release Docker Plus
+ needs: [checks, build-artifacts]
+ uses: ./.github/workflows/plus-release.yml
+ with:
+ nginx_registry: true
+ gcr_release_registry: false
+ gcr_mktpl_registry: false
+ ecr_mktpl_registry: false
+ az_mktpl_registry: false
+ source_tag: ${{ needs.checks.outputs.stable_tag }}
+ target_tag: "edge"
+ branch: ${{ github.ref_name }}
+ dry_run: false
+ permissions:
+ contents: read
+ id-token: write
+ secrets: inherit
publish-helm-chart:
- if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
- name: Publish Helm Chart
- needs: [checks]
- uses: ./.github/workflows/publish-helm.yml
- with:
- branch: ${{ github.ref_name }}
- ic_version: edge
- chart_version: 0.0.0-edge
- nginx_helm_repo: false
- runner: "ubuntu-24.04-amd64"
- permissions:
- contents: write # for pushing to Helm Charts repository
- packages: write # for helm to push to GHCR
- secrets: inherit
+ if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
+ name: Publish Helm Chart
+ needs: [checks]
+ uses: ./.github/workflows/publish-helm.yml
+ with:
+ branch: ${{ github.ref_name }}
+ ic_version: edge
+ chart_version: 0.0.0-edge
+ nginx_helm_repo: false
+ runner: "ubuntu-24.04-amd64"
+ permissions:
+ contents: write # for pushing to Helm Charts repository
+ packages: write # for helm to push to GHCR
+ secrets: inherit
certify-openshift-images:
- if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
- name: Certify OpenShift UBI images
- runs-on: ubuntu-24.04
- needs: [release-oss]
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Certify UBI OSS images in quay
- uses: ./.github/actions/certify-openshift-image
- continue-on-error: true
- with:
- image: quay.io/nginx/nginx-ingress:edge-ubi
- project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
- pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
- preflight_version: 1.14.1
+ if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
+ name: Certify OpenShift UBI images
+ runs-on: ubuntu-24.04
+ needs: [release-oss]
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Certify UBI OSS images in quay
+ uses: ./.github/actions/certify-openshift-image
+ continue-on-error: true
+ with:
+ image: quay.io/nginx/nginx-ingress:edge-ubi
+ project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
+ pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+ preflight_version: 1.14.1
scan-docker-oss:
- name: Scan ${{ matrix.image }}
- runs-on: ubuntu-24.04
- needs: [checks, tag-candidate]
- permissions:
- contents: read
- id-token: write
- security-events: write
- if: ${{ !cancelled() && !failure() }}
- strategy:
- fail-fast: false
- matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Make directory for security scan results
- id: directory
- run: |
- directory=${{ matrix.image }}-results
- echo "directory=${directory}" >> $GITHUB_OUTPUT
- mkdir -p "${directory}"
-
- - name: Docker meta
- id: meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
- with:
- context: workflow
- images: |
- name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
- flavor: |
- suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}
- tags: |
- type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
-
- - name: Authenticate to Google Cloud
- id: auth
- uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
- with:
- token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-
- - name: Login to GCR
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- registry: gcr.io
- username: oauth2accesstoken
- password: ${{ steps.auth.outputs.access_token }}
-
- - name: DockerHub Login for Docker Scout
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Run Docker Scout vulnerability scanner
- id: docker-scout
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
- with:
- command: cves
- image: ${{ steps.meta.outputs.tags }}
- ignore-base: true
- sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
- write-comment: false
- github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
- summary: true
-
- - name: Upload Scan Results to Github Artifacts
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
- with:
- name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
- path: "${{ steps.directory.outputs.directory }}/"
- overwrite: true
-
- - name: Upload Scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
- with:
- sarif_file: "${{ steps.directory.outputs.directory }}/"
+ name: Scan ${{ matrix.image }}
+ runs-on: ubuntu-24.04
+ needs: [checks, tag-candidate]
+ permissions:
+ contents: read
+ id-token: write
+ security-events: write
+ if: ${{ !cancelled() && !failure() }}
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Make directory for security scan results
+ id: directory
+ run: |
+ directory=${{ matrix.image }}-results
+ echo "directory=${directory}" >> $GITHUB_OUTPUT
+ mkdir -p "${directory}"
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ with:
+ context: workflow
+ images: |
+ name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
+ flavor: |
+ suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}
+ tags: |
+ type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_USERNAME"
+ echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+ DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_PASSWORD"
+ echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+ with:
+ token_format: access_token
+ workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+ service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+ - name: Login to GCR
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ registry: gcr.io
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
+
+ - name: DockerHub Login for Docker Scout
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ username: ${{ steps.secrets.outputs.DOCKER_USERNAME }}
+ password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }}
+
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
+ with:
+ command: cves
+ image: ${{ steps.meta.outputs.tags }}
+ ignore-base: true
+ sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
+
+ - name: Upload Scan Results to Github Artifacts
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+ path: "${{ steps.directory.outputs.directory }}/"
+ overwrite: true
+
+ - name: Upload Scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+ with:
+ sarif_file: "${{ steps.directory.outputs.directory }}/"
scan-docker-plus:
- name: Scan ${{ matrix.image }}-${{ matrix.target }}
- runs-on: ubuntu-24.04
- needs: [checks, tag-candidate]
- permissions:
- contents: read
- id-token: write
- security-events: write
- if: ${{ !cancelled() && !failure() }}
- strategy:
- fail-fast: false
- matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Make directory for security scan results
- id: directory
- run: |
- directory=${{ matrix.image }}-${{ matrix.target }}-results
- echo "directory=${directory}" >> $GITHUB_OUTPUT
- mkdir -p "${directory}"
-
- - name: Docker meta
- id: meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
- with:
- context: workflow
- images: |
- name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
- flavor: |
- suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
- tags: |
- type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
-
- - name: Authenticate to Google Cloud
- id: auth
- uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
- with:
- token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-
- - name: Login to GCR
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- registry: gcr.io
- username: oauth2accesstoken
- password: ${{ steps.auth.outputs.access_token }}
-
- - name: DockerHub Login for Docker Scout
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Run Docker Scout vulnerability scanner
- id: docker-scout
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
- with:
- command: cves
- image: ${{ steps.meta.outputs.tags }}
- ignore-base: true
- sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
- write-comment: false
- github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
- summary: true
-
- - name: Upload Scan Results to Github Artifacts
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
- with:
- name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
- path: "${{ steps.directory.outputs.directory }}/"
- overwrite: true
-
- - name: Upload Scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
- with:
- sarif_file: "${{ steps.directory.outputs.directory }}/"
+ name: Scan ${{ matrix.image }}-${{ matrix.target }}
+ runs-on: ubuntu-24.04
+ needs: [checks, tag-candidate]
+ permissions:
+ contents: read
+ id-token: write
+ security-events: write
+ if: ${{ !cancelled() && !failure() }}
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Make directory for security scan results
+ id: directory
+ run: |
+ directory=${{ matrix.image }}-${{ matrix.target }}-results
+ echo "directory=${directory}" >> $GITHUB_OUTPUT
+ mkdir -p "${directory}"
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ with:
+ context: workflow
+ images: |
+ name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
+ flavor: |
+ suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
+ tags: |
+ type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_USERNAME"
+ echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+ DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_PASSWORD"
+ echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+ with:
+ token_format: access_token
+ workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+ service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+ - name: Login to GCR
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ registry: gcr.io
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
+
+ - name: DockerHub Login for Docker Scout
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ username: ${{ steps.secrets.outputs.DOCKER_USERNAME }}
+ password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }}
+
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
+ with:
+ command: cves
+ image: ${{ steps.meta.outputs.tags }}
+ ignore-base: true
+ sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
+
+ - name: Upload Scan Results to Github Artifacts
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+ path: "${{ steps.directory.outputs.directory }}/"
+ overwrite: true
+
+ - name: Upload Scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+ with:
+ sarif_file: "${{ steps.directory.outputs.directory }}/"
scan-docker-nap:
- name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }}
- runs-on: ubuntu-24.04
- needs: [checks, tag-candidate]
- permissions:
- contents: read
- id-token: write
- security-events: write
- if: ${{ !cancelled() && !failure() }}
- strategy:
- fail-fast: false
- matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: NAP modules
- id: nap_modules
- run: |
- [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}"
- echo "name=${name}" >> $GITHUB_OUTPUT
- if: ${{ matrix.nap_modules != '' }}
-
- - name: Make directory for security scan results
- id: directory
- run: |
- directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results
- echo "directory=${directory}" >> $GITHUB_OUTPUT
- mkdir -p "${directory}"
-
- - name: Docker meta
- id: meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
- with:
- context: workflow
- images: |
- name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
- flavor: |
- suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
- tags: |
- type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
-
- - name: Authenticate to Google Cloud
- id: auth
- uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
- with:
- token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-
- - name: Login to GCR
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- registry: gcr.io
- username: oauth2accesstoken
- password: ${{ steps.auth.outputs.access_token }}
-
- - name: DockerHub Login for Docker Scout
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Run Docker Scout vulnerability scanner
- id: docker-scout
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
- with:
- command: cves
- image: ${{ steps.meta.outputs.tags }}
- ignore-base: true
- sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
- write-comment: false
- github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
- summary: true
-
- - name: Upload Scan Results to Github Artifacts
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
- with:
- name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
- path: "${{ steps.directory.outputs.directory }}/"
- overwrite: true
-
- - name: Upload Scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
- with:
- sarif_file: "${{ steps.directory.outputs.directory }}/"
- continue-on-error: true
+ name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }}
+ runs-on: ubuntu-24.04
+ needs: [checks, tag-candidate]
+ permissions:
+ contents: read
+ id-token: write
+ security-events: write
+ if: ${{ !cancelled() && !failure() }}
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: NAP modules
+ id: nap_modules
+ run: |
+ [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}"
+ echo "name=${name}" >> $GITHUB_OUTPUT
+ if: ${{ matrix.nap_modules != '' }}
+
+ - name: Make directory for security scan results
+ id: directory
+ run: |
+ directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results
+ echo "directory=${directory}" >> $GITHUB_OUTPUT
+ mkdir -p "${directory}"
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ with:
+ context: workflow
+ images: |
+ name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
+ flavor: |
+ suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
+ tags: |
+ type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_USERNAME"
+ echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+ DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_PASSWORD"
+ echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+ with:
+ token_format: access_token
+ workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+ service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+ - name: Login to GCR
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ registry: gcr.io
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
+
+ - name: DockerHub Login for Docker Scout
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ username: ${{ steps.secrets.outputs.DOCKER_USERNAME }}
+ password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }}
+
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
+ with:
+ command: cves
+ image: ${{ steps.meta.outputs.tags }}
+ ignore-base: true
+ sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
+
+ - name: Upload Scan Results to Github Artifacts
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+ path: "${{ steps.directory.outputs.directory }}/"
+ overwrite: true
+
+ - name: Upload Scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+ with:
+ sarif_file: "${{ steps.directory.outputs.directory }}/"
+ continue-on-error: true
update-release-draft:
- name: Update Release Draft
- runs-on: ubuntu-24.04
- needs: [checks]
- permissions:
- contents: write
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Create/Update Draft
- uses: lucacome/draft-release@45e4395a3d8463abdb1747b20445b9be16ef6409 # v2.0.1
- id: release-notes
- with:
- minor-label: "enhancement"
- major-label: "change"
- publish: false
- collapse-after: 50
- variables: |
- helm-chart=${{ needs.checks.outputs.chart_version }}
- notes-footer: |
- ## Upgrade
- - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- - For NGINX Plus, use the {{version}} images from the F5 Container registry or build your own image using the {{version}} source code.
- - For Helm, use version {{helm-chart}} of the chart.
-
- ## Resources
- - Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- - Configuration examples -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/examples
- - Helm Chart -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/deployments/helm-chart
- - Operator -- https://github.com/nginx/nginx-ingress-helm-operator
- if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }}
+ name: Update Release Draft
+ runs-on: ubuntu-24.04
+ needs: [checks]
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Create/Update Draft
+ uses: lucacome/draft-release@45e4395a3d8463abdb1747b20445b9be16ef6409 # v2.0.1
+ id: release-notes
+ with:
+ minor-label: "enhancement"
+ major-label: "change"
+ publish: false
+ collapse-after: 50
+ variables: |
+ helm-chart=${{ needs.checks.outputs.chart_version }}
+ notes-footer: |
+ ## Upgrade
+ - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
+ - For NGINX Plus, use the {{version}} images from the F5 Container registry or build your own image using the {{version}} source code.
+ - For Helm, use version {{helm-chart}} of the chart.
+
+ ## Resources
+ - Documentation -- https://docs.nginx.com/nginx-ingress-controller/
+ - Configuration examples -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/examples
+ - Helm Chart -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/deployments/helm-chart
+ - Operator -- https://github.com/nginx/nginx-ingress-helm-operator
+ if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }}
diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml
index c746f482ee..84601496d0 100644
--- a/.github/workflows/oss-release.yml
+++ b/.github/workflows/oss-release.yml
@@ -170,6 +170,24 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_USERNAME"
+ echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+ DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_PASSWORD"
+ echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
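Review bot: The `Setup secrets` step splices `${{ secrets.COMMON_KEYVAULT_NAME }}` straight into the shell script twice; the cleaner form is to expose it through the step's `env:` and reference it quoted, e.g. `env:` / `  KEYVAULT_NAME: ${{ secrets.COMMON_KEYVAULT_NAME }}` and `--vault-name "$KEYVAULT_NAME"`, which keeps expression expansion out of the az command line. The same Azure login + Setup secrets pair is repeated verbatim in publish-helm.yml, cherry-pick.yml, create-release-branch.yml, release-pr.yml, release.yml, update-docker-sha.yml and version-bump.yml; a composite action taking the secret names as inputs would keep the vault name, the `::add-mask::` handling and the pinned azure/login SHA in one place. Unlike the other files, this hunk does not add `id-token: write` to the job; presumably the job already grants it for the workload-identity GCP auth that follows, but that is worth confirming since azure/login's OIDC flow fails without it.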
@@ -188,8 +206,8 @@ jobs:
- name: DockerHub Login
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
+ username: ${{ steps.secrets.outputs.DOCKER_USERNAME }}
+ password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }}
- name: Publish images
run: |
diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml
index 53e83d9453..0e610badb9 100644
--- a/.github/workflows/publish-helm.yml
+++ b/.github/workflows/publish-helm.yml
@@ -64,6 +64,7 @@ jobs:
permissions:
contents: write # for pushing to Helm Charts repository
packages: write # for helm to push to GHCR
+ id-token: write # for OIDC login
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -71,6 +72,24 @@ jobs:
ref: refs/heads/${{ inputs.branch }}
path: kic
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_USERNAME"
+ echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+ DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$DOCKER_PASSWORD"
+ echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+
- name: Login to GitHub Container Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
@@ -81,8 +100,8 @@ jobs:
- name: DockerHub Login
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
+ username: ${{ steps.secrets.outputs.DOCKER_USERNAME }}
+ password: ${{ steps.secrets.outputs.DOCKER_PASSWORD }}
- name: Setup Helm
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
From 8f3e1bf92900d35f4bd247968cdcc2d3f633e372 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 12 Nov 2025 11:35:21 +0000
Subject: [PATCH 2/3] Migrate nginx pat to Azure Vault
---
.github/workflows/cherry-pick.yml | 18 ++++++-
.github/workflows/create-release-branch.yml | 18 ++++++-
.github/workflows/publish-helm.yml | 5 +-
.github/workflows/release-pr.yml | 20 ++++++-
.github/workflows/release.yml | 59 +++++++++++++++++++--
.github/workflows/update-docker-sha.yml | 18 ++++++-
.github/workflows/version-bump.yml | 18 ++++++-
7 files changed, 146 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index fff5f97929..40965728a1 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -13,6 +13,7 @@ jobs:
permissions:
contents: write
pull-requests: write
+ id-token: write
runs-on: ubuntu-24.04
name: Cherry pick into release branch
if: ${{ contains(github.event.pull_request.labels.*.name, 'needs cherry pick') && github.event.pull_request.merged == true }}
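Review bot: The `id-token: write` grant is added without a comment saying why, whereas the same grant in publish-helm.yml carries `# for OIDC login`; this job-level permission is what azure/login's federated (secret-less) sign-in depends on, and that is worth stating inline: `id-token: write # for OIDC login to Azure Key Vault`. The same bare addition appears in create-release-branch.yml, release-pr.yml, release.yml, update-docker-sha.yml and version-bump.yml.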
@@ -31,10 +32,25 @@ jobs:
echo "branch=${release_branch}" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$NGINX_PAT"
+ echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
- name: Cherry pick into ${{ steps.branch.outputs.branch }}
uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10
with:
branch: ${{ steps.branch.outputs.branch }}
- token: ${{ secrets.NGINX_PAT }}
+ token: ${{ steps.secrets.outputs.NGINX_PAT }}
author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>
title: "[cherry-pick] {old_title}"
diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml
index 374fbbfc1b..375a58eccf 100644
--- a/.github/workflows/create-release-branch.yml
+++ b/.github/workflows/create-release-branch.yml
@@ -36,12 +36,28 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: write
+ id-token: write
steps:
- name: Checkout NIC repo
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: ${{ inputs.source_branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$NGINX_PAT"
+ echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
- name: Create new release branch
run: |
branch="${{ inputs.branch_prefix }}${{ inputs.release_version }}"
@@ -66,4 +82,4 @@ jobs:
git push --dry-run origin "${branch}"
fi
env:
- GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+ GITHUB_TOKEN: ${{ steps.secrets.outputs.NGINX_PAT }}
diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml
index 0e610badb9..2c5a9e153a 100644
--- a/.github/workflows/publish-helm.yml
+++ b/.github/workflows/publish-helm.yml
@@ -89,6 +89,9 @@ jobs:
DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$DOCKER_PASSWORD"
echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+ NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$NGINX_PAT"
+ echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
- name: Login to GitHub Container Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
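Review bot: The three lines that fetch `nginx-bot-pat` run on every invocation of this job, but the only consumer of `steps.secrets.outputs.NGINX_PAT` visible in this patch is the helm-charts checkout guarded by `if: ${{ inputs.nginx_helm_repo }}`, so the PAT is retrieved and held in step outputs even on runs where the nginxinc/helm-charts push is disabled. Fetching it in its own step carrying that same `if:` condition keeps the token out of runs that do not need it. The enclosing `Setup secrets` step begins before this hunk.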
@@ -125,7 +128,7 @@ jobs:
with:
repository: nginxinc/helm-charts
fetch-depth: 1
- token: ${{ secrets.NGINX_PAT }}
+ token: ${{ steps.secrets.outputs.NGINX_PAT }}
path: helm-charts
if: ${{ inputs.nginx_helm_repo }}
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index 0c2dc3a708..ba47a1252e 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -57,6 +57,7 @@ jobs:
permissions:
contents: write
pull-requests: write
+ id-token: write
runs-on: ubuntu-24.04
steps:
- name: Branch
@@ -72,6 +73,21 @@ jobs:
ref: ${{ steps.branch.outputs.branch }}
token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$NGINX_PAT"
+ echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
- name: Replace
run: |
.github/scripts/release-version-update.sh \
@@ -91,14 +107,14 @@ jobs:
env:
GITHUB_USERNAME: ${{ github.actor }}
GITHUB_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
- GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+ GITHUB_TOKEN: ${{ steps.secrets.outputs.NGINX_PAT }}
DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }}
DEBUG: ${{ inputs.debug && 'true' || 'false' }}
- name: Create Pull Request
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
- token: ${{ secrets.NGINX_PAT }}
+ token: ${{ steps.secrets.outputs.NGINX_PAT }}
commit-message: Release ${{ github.event.inputs.new_version }}
title: Release ${{ github.event.inputs.new_version }}
branch: docs/release-${{ github.event.inputs.new_version }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 88e2f3baa7..4f77d9c5a2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -345,11 +345,29 @@ jobs:
name: Trigger PR for Operator
runs-on: ubuntu-24.04
needs: [variables,publish-helm-chart]
+ permissions:
+ contents: read
+ id-token: write
steps:
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$NGINX_PAT"
+ echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
- name:
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
- github-token: ${{ secrets.NGINX_PAT }}
+ github-token: ${{ steps.secrets.outputs.NGINX_PAT }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: context.repo.owner,
@@ -370,11 +388,29 @@ jobs:
# name: Trigger PR for GCP Marketplace
# runs-on: ubuntu-24.04
# needs: [publish-helm-chart,release-plus-gcr-mktpl]
+ # permissions:
+ # contents: read
+ # id-token: write
# steps:
+ # - name: Azure login
+ # uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ # with:
+ # client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ # tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ # subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ # - name: Setup secrets
+ # id: secrets
+ # run: |
+ # echo "Setting secrets for job"
+ # NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ # echo "::add-mask::$NGINX_PAT"
+ # echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
# - name:
# uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
# with:
- # github-token: ${{ secrets.NGINX_PAT }}
+ # github-token: ${{ steps.secrets.outputs.NGINX_PAT }}
# script: |
# await github.rest.actions.createWorkflowDispatch({
# owner: context.repo.owner,
@@ -391,12 +427,29 @@ jobs:
# if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }}
# name: Trigger CNAB Build for Azure Marketplace
# runs-on: ubuntu-24.04
+ # permissions:
+ # contents: read
+ # id-token: write
# needs: [publish-helm-chart,release-plus-azure-mktpl]
# steps:
+ # - name: Azure login
+ # uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ # with:
+ # client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ # tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ # subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ # - name: Setup secrets
+ # id: secrets
+ # run: |
+ # echo "Setting secrets for job"
+ # NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ # echo "::add-mask::$NGINX_PAT"
+ # echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
# - name:
# uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
# with:
- # github-token: ${{ secrets.NGINX_PAT }}
+ # github-token: ${{ steps.secrets.outputs.NGINX_PAT }}
# script: |
# await github.rest.actions.createWorkflowDispatch({
# owner: context.repo.owner,
diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml
index e75ef9d6c7..2dbb45388a 100644
--- a/.github/workflows/update-docker-sha.yml
+++ b/.github/workflows/update-docker-sha.yml
@@ -45,6 +45,7 @@ jobs:
permissions:
contents: write
pull-requests: write
+ id-token: write
runs-on: ubuntu-24.04
needs: [vars]
steps:
@@ -74,11 +75,26 @@ jobs:
echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT
echo $GITHUB_OUTPUT
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$NGINX_PAT"
+ echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
- name: Create Pull Request
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
id: pr
with:
- token: ${{ secrets.NGINX_PAT }}
+ token: ${{ steps.secrets.outputs.NGINX_PAT }}
commit-message: Update docker images ${{ steps.update_images.outputs.docker_md5 }}
title: Docker image update ${{ steps.update_images.outputs.docker_md5 }}
branch: deps/image-update-${{ needs.vars.outputs.source_branch }}-${{ steps.update_images.outputs.docker_md5 }}
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index a412766868..8118bb8674 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -28,6 +28,7 @@ jobs:
permissions:
contents: write
pull-requests: write
+ id-token: write
runs-on: ubuntu-24.04
steps:
- name: Checkout Repository
@@ -52,10 +53,25 @@ jobs:
run: |
make test-update-snaps
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$NGINX_PAT"
+ echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
- name: Create Pull Request
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
- token: ${{ secrets.NGINX_PAT }}
+ token: ${{ steps.secrets.outputs.NGINX_PAT }}
commit-message: Version Bump for ${{ github.event.inputs.ic_version }}
title: Version Bump for ${{ github.event.inputs.ic_version }}
branch: chore/version-bump-${{ github.event.inputs.ic_version }}
From ba13ff977e3e785ed0a65097dbc58e06bd2d3cd3 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 12 Nov 2025 14:28:57 +0000
Subject: [PATCH 3/3] helm publish needs id-token permissions
---
.github/workflows/image-promotion.yml | 1 +
.github/workflows/release.yml | 1 +
2 files changed, 2 insertions(+)
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index ce923b41a5..c4f08f999c 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -267,6 +267,7 @@ jobs:
permissions:
contents: write # for pushing to Helm Charts repository
packages: write # for helm to push to GHCR
+ id-token: write
secrets: inherit
certify-openshift-images:
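Review bot: The new `id-token: write` line sits in a job that delegates to a reusable workflow with `secrets: inherit` (here and in the release.yml hunk below), and unlike its two sibling permissions it carries no explanatory comment; `id-token: write # required by the called publish-helm workflow's Azure OIDC login` would record the dependency. For reusable workflows the caller's grant is only the ceiling, and the called workflow's job must declare the permission itself, which publish-helm.yml does in the first patch of this series, so the pair appears consistent as far as the series shows.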
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4f77d9c5a2..40975876ac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -318,6 +318,7 @@ jobs:
permissions:
contents: write # for pushing to Helm Charts repository
packages: write # for helm to push to GHCR
+ id-token: write
secrets: inherit
certify-openshift-images: