From 83d018c65a7741afbb48fa76109572598396c0e3 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Mon, 10 Nov 2025 16:36:43 +0000
Subject: [PATCH 1/2] Migrate GCR secrets to Azure vault
---
.github/workflows/build-base-images.yml | 66 +-
.github/workflows/build-oss.yml | 22 +-
.github/workflows/build-plus.yml | 24 +-
.github/workflows/build-single-image.yml | 22 +-
.github/workflows/build-test-image.yml | 22 +-
.github/workflows/ci.yml | 96 +-
.github/workflows/image-promotion.yml | 818 ++++++++++--------
.github/workflows/oss-release.yml | 110 ++-
.github/workflows/patch-image.yml | 22 +-
.github/workflows/plus-release.yml | 120 ++-
.github/workflows/regression.yml | 44 +-
.github/workflows/retag-images.yml | 22 +-
.github/workflows/setup-smoke.yml | 24 +-
.github/workflows/single-image-regression.yml | 22 +-
14 files changed, 1005 insertions(+), 429 deletions(-)
diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index 067fca7ad4..3ed58bc7a1 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -65,13 +65,31 @@ jobs:
with:
platforms: arm64
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
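Review bot: `${{ secrets.NIC_KEYVAULT_NAME }}` is expanded directly into the shell text of the Setup secrets step (twice, once per `az keyvault secret show`), so the script itself changes with the secret's content and the value is unquoted in the shell; pass it through `env:` and quote it, as in the rewrite below. The same Azure login + Setup secrets pair is pasted verbatim into every other hunk of this patch (the two further hunks of this file, build-oss, build-plus, build-single-image, build-test-image, the four ci.yml hunks and image-promotion), so a local composite action under `.github/actions/` (the repository already uses `./.github/actions/certify-openshift-image`) would keep the vault name, secret names and masking logic in one place. The `echo "NAME=$VALUE" >> $GITHUB_OUTPUT` form also assumes single-line values; if either vault secret can ever contain a newline, the multi-line `NAME<<EOF` output syntax is required, which I would confirm against the stored values.
```yaml
      - name: Setup secrets
        id: secrets
        env:
          VAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        run: |
          echo "Setting secrets for job"
          GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name "$VAULT_NAME" --query value -o tsv)
          echo "::add-mask::$GCR_WORKLOAD_ID"
          echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> "$GITHUB_OUTPUT"
          GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name "$VAULT_NAME" --query value -o tsv)
          echo "::add-mask::$GCR_SERVICE_ACCOUNT"
          echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> "$GITHUB_OUTPUT"
```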
@@ -122,6 +140,24 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -135,8 +171,8 @@ jobs:
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -190,6 +226,24 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -198,8 +252,8 @@ jobs:
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 27db030757..c93d766e74 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -61,13 +61,31 @@ jobs:
ref: ${{ inputs.branch }}
fetch-depth: 0
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
if: ${{ inputs.authenticated }}
- name: Login to GCR
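Review bot: The new Azure login and Setup secrets steps run unconditionally, while the `Authenticate to Google Cloud` step that consumes `steps.secrets.outputs.*` is gated on `if: ${{ inputs.authenticated }}`; the build-plus.yml hunk in this same patch puts that condition on both new steps. An unauthenticated invocation of this reusable workflow (presumably the fork case, where `secrets.AZURE_VAULT_CLIENT_ID` would be empty) now fails at Azure login before reaching the step that was meant to be skipped. Add `if: ${{ inputs.authenticated }}` to both the Azure login and the Setup secrets step, matching build-plus.yml.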
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 025340a5d0..32f298b42d 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -63,13 +63,33 @@ jobs:
ref: ${{ inputs.branch }}
fetch-depth: 0
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+ if: ${{ inputs.authenticated }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+ if: ${{ inputs.authenticated }}
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
if: ${{ inputs.authenticated }}
- name: Login to GCR
diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml
index 7c389619dc..2fd26e9e3d 100644
--- a/.github/workflows/build-single-image.yml
+++ b/.github/workflows/build-single-image.yml
@@ -64,13 +64,31 @@ jobs:
echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml
index cbc8271487..3d177c6a7f 100644
--- a/.github/workflows/build-test-image.yml
+++ b/.github/workflows/build-test-image.yml
@@ -33,13 +33,31 @@ jobs:
- name: Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c4cfdb0aa2..e783e7d19c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -127,13 +127,33 @@ jobs:
key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }}
lookup-only: true
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+ if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+ if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
if: ${{ steps.vars.outputs.forked_workflow == 'false' }}
- name: Login to GCR
@@ -366,13 +386,33 @@ jobs:
platforms: arm64
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+ if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+ if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
- name: Login to GCR
@@ -436,13 +476,33 @@ jobs:
with:
version: 'v3.18.6'
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+ if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+ if: ${{ needs.checks.outputs.forked_workflow != 'true' }}
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
- name: Login to GCR
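Review bot: The guard on the new Azure login and Setup secrets steps, `if: ${{ needs.checks.outputs.forked_workflow != 'true' }}`, does not match the guard on the `Authenticate to Google Cloud` step that consumes their outputs, `forked_workflow == 'false' || docs_only == 'false'`, so with `forked_workflow == 'true'` and `docs_only == 'false'` the auth step runs with empty `workload_identity_provider` and `service_account`. The next hunk of this file (ending at the `Login to GCR` line after the `&&` auth condition) has the reverse mismatch: the new steps use `forked_workflow == 'false' || docs_only == 'false'` while the auth step they feed uses `forked_workflow == 'false' && docs_only == 'false'`, so on a forked PR with code changes Azure login now runs with vault secrets that are presumably unavailable to forks and fails a job that previously skipped authentication. In both places the new steps should carry exactly the condition of the auth step they feed; the mismatch in this hunk may have been latent already (the old `secrets.GCR_*` values would equally be empty on a fork), but the `||`-versus-`&&` one is new breakage.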
@@ -576,13 +636,33 @@ jobs:
- name: Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+ if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+ if: ${{ needs.checks.outputs.forked_workflow == 'false' || needs.checks.outputs.docs_only == 'false' }}
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
- name: Login to GCR
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index 03f0a6381d..8d3156d487 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -72,13 +72,31 @@ jobs:
echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT
REF=${{ github.ref_name }} ./.github/scripts/variables.sh additional_tag >> $GITHUB_OUTPUT
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -178,392 +196,446 @@ jobs:
pull-requests: write # for scout report
tag-stable:
- name: Tag build image as stable
- needs: [checks, build-artifacts]
- permissions:
- contents: read # To checkout repository
- id-token: write # To sign into Google Container Registry
- uses: ./.github/workflows/retag-images.yml
- with:
- source_tag: ${{ needs.checks.outputs.build_tag }}
- target_tag: ${{ needs.checks.outputs.stable_tag }}
- dry_run: false
- secrets: inherit
+ name: Tag build image as stable
+ needs: [checks, build-artifacts]
+ permissions:
+ contents: read # To checkout repository
+ id-token: write # To sign into Google Container Registry
+ uses: ./.github/workflows/retag-images.yml
+ with:
+ source_tag: ${{ needs.checks.outputs.build_tag }}
+ target_tag: ${{ needs.checks.outputs.stable_tag }}
+ dry_run: false
+ secrets: inherit
tag-candidate:
- # pushes edge or release images to gcr/dev
- # for main: this keeps a copy of edge in gcr/dev
- # for release-*: this stages a release candidate in gcr/dev which can be used for release promotion
- name: Tag tested image as stable
- needs:
- - checks
- - build-artifacts
- - tag-stable
- permissions:
- contents: read # To checkout repository
- id-token: write # To sign into Google Container Registry
- uses: ./.github/workflows/retag-images.yml
- with:
- source_tag: ${{ needs.checks.outputs.stable_tag }}
- target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || needs.checks.outputs.additional_tag }}
- dry_run: false
- secrets: inherit
- if: ${{ !cancelled() && !failure() }}
+ # pushes edge or release images to gcr/dev
+ # for main: this keeps a copy of edge in gcr/dev
+ # for release-*: this stages a release candidate in gcr/dev which can be used for release promotion
+ name: Tag tested image as stable
+ needs:
+ - checks
+ - build-artifacts
+ - tag-stable
+ permissions:
+ contents: read # To checkout repository
+ id-token: write # To sign into Google Container Registry
+ uses: ./.github/workflows/retag-images.yml
+ with:
+ source_tag: ${{ needs.checks.outputs.stable_tag }}
+ target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || needs.checks.outputs.additional_tag }}
+ dry_run: false
+ secrets: inherit
+ if: ${{ !cancelled() && !failure() }}
release-oss:
- # pushes edge images to docker hub
- if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
- name: Release Docker OSS
- needs: [checks, build-artifacts]
- uses: ./.github/workflows/oss-release.yml
- with:
- gcr_release_registry: false
- ecr_public_registry: true
- dockerhub_public_registry: true
- quay_public_registry: true
- github_public_registry: true
- source_tag: ${{ needs.checks.outputs.stable_tag }}
- target_tag: "edge"
- branch: ${{ github.ref_name }}
- dry_run: false
- permissions:
- contents: read
- id-token: write
- packages: write
- secrets: inherit
+ # pushes edge images to docker hub
+ if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
+ name: Release Docker OSS
+ needs: [checks, build-artifacts]
+ uses: ./.github/workflows/oss-release.yml
+ with:
+ gcr_release_registry: false
+ ecr_public_registry: true
+ dockerhub_public_registry: true
+ quay_public_registry: true
+ github_public_registry: true
+ source_tag: ${{ needs.checks.outputs.stable_tag }}
+ target_tag: "edge"
+ branch: ${{ github.ref_name }}
+ dry_run: false
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+ secrets: inherit
release-plus:
- # pushes plus edge images to nginx registry
- if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
- name: Release Docker Plus
- needs: [checks, build-artifacts]
- uses: ./.github/workflows/plus-release.yml
- with:
- nginx_registry: true
- gcr_release_registry: false
- gcr_mktpl_registry: false
- ecr_mktpl_registry: false
- az_mktpl_registry: false
- source_tag: ${{ needs.checks.outputs.stable_tag }}
- target_tag: "edge"
- branch: ${{ github.ref_name }}
- dry_run: false
- permissions:
- contents: read
- id-token: write
- secrets: inherit
+ # pushes plus edge images to nginx registry
+ if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
+ name: Release Docker Plus
+ needs: [checks, build-artifacts]
+ uses: ./.github/workflows/plus-release.yml
+ with:
+ nginx_registry: true
+ gcr_release_registry: false
+ gcr_mktpl_registry: false
+ ecr_mktpl_registry: false
+ az_mktpl_registry: false
+ source_tag: ${{ needs.checks.outputs.stable_tag }}
+ target_tag: "edge"
+ branch: ${{ github.ref_name }}
+ dry_run: false
+ permissions:
+ contents: read
+ id-token: write
+ secrets: inherit
publish-helm-chart:
- if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
- name: Publish Helm Chart
- needs: [checks]
- uses: ./.github/workflows/publish-helm.yml
- with:
- branch: ${{ github.ref_name }}
- ic_version: edge
- chart_version: 0.0.0-edge
- nginx_helm_repo: false
- runner: "ubuntu-24.04-amd64"
- permissions:
- contents: write # for pushing to Helm Charts repository
- packages: write # for helm to push to GHCR
- secrets: inherit
+ if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
+ name: Publish Helm Chart
+ needs: [checks]
+ uses: ./.github/workflows/publish-helm.yml
+ with:
+ branch: ${{ github.ref_name }}
+ ic_version: edge
+ chart_version: 0.0.0-edge
+ nginx_helm_repo: false
+ runner: "ubuntu-24.04-amd64"
+ permissions:
+ contents: write # for pushing to Helm Charts repository
+ packages: write # for helm to push to GHCR
+ secrets: inherit
certify-openshift-images:
- if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
- name: Certify OpenShift UBI images
- runs-on: ubuntu-24.04
- needs: [release-oss]
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Certify UBI OSS images in quay
- uses: ./.github/actions/certify-openshift-image
- continue-on-error: true
- with:
- image: quay.io/nginx/nginx-ingress:edge-ubi
- project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
- pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
- preflight_version: 1.14.1
+ if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
+ name: Certify OpenShift UBI images
+ runs-on: ubuntu-24.04
+ needs: [release-oss]
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Certify UBI OSS images in quay
+ uses: ./.github/actions/certify-openshift-image
+ continue-on-error: true
+ with:
+ image: quay.io/nginx/nginx-ingress:edge-ubi
+ project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
+ pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+ preflight_version: 1.14.1
scan-docker-oss:
- name: Scan ${{ matrix.image }}
- runs-on: ubuntu-24.04
- needs: [checks, tag-candidate]
- permissions:
- contents: read
- id-token: write
- security-events: write
- if: ${{ !cancelled() && !failure() }}
- strategy:
- fail-fast: false
- matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Make directory for security scan results
- id: directory
- run: |
- directory=${{ matrix.image }}-results
- echo "directory=${directory}" >> $GITHUB_OUTPUT
- mkdir -p "${directory}"
-
- - name: Docker meta
- id: meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
- with:
- context: workflow
- images: |
- name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
- flavor: |
- suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}
- tags: |
- type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
-
- - name: Authenticate to Google Cloud
- id: auth
- uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
- with:
- token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-
- - name: Login to GCR
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- registry: gcr.io
- username: oauth2accesstoken
- password: ${{ steps.auth.outputs.access_token }}
-
- - name: DockerHub Login for Docker Scout
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Run Docker Scout vulnerability scanner
- id: docker-scout
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
- with:
- command: cves
- image: ${{ steps.meta.outputs.tags }}
- ignore-base: true
- sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
- write-comment: false
- github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
- summary: true
-
- - name: Upload Scan Results to Github Artifacts
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
- with:
- name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
- path: "${{ steps.directory.outputs.directory }}/"
- overwrite: true
-
- - name: Upload Scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
- with:
- sarif_file: "${{ steps.directory.outputs.directory }}/"
+ name: Scan ${{ matrix.image }}
+ runs-on: ubuntu-24.04
+ needs: [checks, tag-candidate]
+ permissions:
+ contents: read
+ id-token: write
+ security-events: write
+ if: ${{ !cancelled() && !failure() }}
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Make directory for security scan results
+ id: directory
+ run: |
+ directory=${{ matrix.image }}-results
+ echo "directory=${directory}" >> $GITHUB_OUTPUT
+ mkdir -p "${directory}"
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ with:
+ context: workflow
+ images: |
+ name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
+ flavor: |
+ suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}
+ tags: |
+ type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+ with:
+ token_format: access_token
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
+
+ - name: Login to GCR
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ registry: gcr.io
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
+
+ - name: DockerHub Login for Docker Scout
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
+ with:
+ command: cves
+ image: ${{ steps.meta.outputs.tags }}
+ ignore-base: true
+ sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
+
+ - name: Upload Scan Results to Github Artifacts
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+ path: "${{ steps.directory.outputs.directory }}/"
+ overwrite: true
+
+ - name: Upload Scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+ with:
+ sarif_file: "${{ steps.directory.outputs.directory }}/"
scan-docker-plus:
- name: Scan ${{ matrix.image }}-${{ matrix.target }}
- runs-on: ubuntu-24.04
- needs: [checks, tag-candidate]
- permissions:
- contents: read
- id-token: write
- security-events: write
- if: ${{ !cancelled() && !failure() }}
- strategy:
- fail-fast: false
- matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Make directory for security scan results
- id: directory
- run: |
- directory=${{ matrix.image }}-${{ matrix.target }}-results
- echo "directory=${directory}" >> $GITHUB_OUTPUT
- mkdir -p "${directory}"
-
- - name: Docker meta
- id: meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
- with:
- context: workflow
- images: |
- name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
- flavor: |
- suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
- tags: |
- type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
-
- - name: Authenticate to Google Cloud
- id: auth
- uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
- with:
- token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-
- - name: Login to GCR
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- registry: gcr.io
- username: oauth2accesstoken
- password: ${{ steps.auth.outputs.access_token }}
-
- - name: DockerHub Login for Docker Scout
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Run Docker Scout vulnerability scanner
- id: docker-scout
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
- with:
- command: cves
- image: ${{ steps.meta.outputs.tags }}
- ignore-base: true
- sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
- write-comment: false
- github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
- summary: true
-
- - name: Upload Scan Results to Github Artifacts
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
- with:
- name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
- path: "${{ steps.directory.outputs.directory }}/"
- overwrite: true
-
- - name: Upload Scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
- with:
- sarif_file: "${{ steps.directory.outputs.directory }}/"
+ name: Scan ${{ matrix.image }}-${{ matrix.target }}
+ runs-on: ubuntu-24.04
+ needs: [checks, tag-candidate]
+ permissions:
+ contents: read
+ id-token: write
+ security-events: write
+ if: ${{ !cancelled() && !failure() }}
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Make directory for security scan results
+ id: directory
+ run: |
+ directory=${{ matrix.image }}-${{ matrix.target }}-results
+ echo "directory=${directory}" >> $GITHUB_OUTPUT
+ mkdir -p "${directory}"
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ with:
+ context: workflow
+ images: |
+ name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
+ flavor: |
+ suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
+ tags: |
+ type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+ with:
+ token_format: access_token
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
+
+ - name: Login to GCR
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ registry: gcr.io
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
+
+ - name: DockerHub Login for Docker Scout
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
+ with:
+ command: cves
+ image: ${{ steps.meta.outputs.tags }}
+ ignore-base: true
+ sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
+
+ - name: Upload Scan Results to Github Artifacts
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+ path: "${{ steps.directory.outputs.directory }}/"
+ overwrite: true
+
+ - name: Upload Scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+ with:
+ sarif_file: "${{ steps.directory.outputs.directory }}/"
scan-docker-nap:
- name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }}
- runs-on: ubuntu-24.04
- needs: [checks, tag-candidate]
- permissions:
- contents: read
- id-token: write
- security-events: write
- if: ${{ !cancelled() && !failure() }}
- strategy:
- fail-fast: false
- matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: NAP modules
- id: nap_modules
- run: |
- [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}"
- echo "name=${name}" >> $GITHUB_OUTPUT
- if: ${{ matrix.nap_modules != '' }}
-
- - name: Make directory for security scan results
- id: directory
- run: |
- directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results
- echo "directory=${directory}" >> $GITHUB_OUTPUT
- mkdir -p "${directory}"
-
- - name: Docker meta
- id: meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
- with:
- context: workflow
- images: |
- name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
- flavor: |
- suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
- tags: |
- type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
-
- - name: Authenticate to Google Cloud
- id: auth
- uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
- with:
- token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-
- - name: Login to GCR
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- registry: gcr.io
- username: oauth2accesstoken
- password: ${{ steps.auth.outputs.access_token }}
-
- - name: DockerHub Login for Docker Scout
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Run Docker Scout vulnerability scanner
- id: docker-scout
- uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
- with:
- command: cves
- image: ${{ steps.meta.outputs.tags }}
- ignore-base: true
- sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
- write-comment: false
- github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
- summary: true
-
- - name: Upload Scan Results to Github Artifacts
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
- with:
- name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
- path: "${{ steps.directory.outputs.directory }}/"
- overwrite: true
-
- - name: Upload Scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
- with:
- sarif_file: "${{ steps.directory.outputs.directory }}/"
- continue-on-error: true
+ name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }}
+ runs-on: ubuntu-24.04
+ needs: [checks, tag-candidate]
+ permissions:
+ contents: read
+ id-token: write
+ security-events: write
+ if: ${{ !cancelled() && !failure() }}
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: NAP modules
+ id: nap_modules
+ run: |
+ [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}"
+ echo "name=${name}" >> $GITHUB_OUTPUT
+ if: ${{ matrix.nap_modules != '' }}
+
+ - name: Make directory for security scan results
+ id: directory
+ run: |
+ directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results
+ echo "directory=${directory}" >> $GITHUB_OUTPUT
+ mkdir -p "${directory}"
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ with:
+ context: workflow
+ images: |
+ name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
+ flavor: |
+ suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
+ tags: |
+ type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+ with:
+ token_format: access_token
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
+
+ - name: Login to GCR
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ registry: gcr.io
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
+
+ - name: DockerHub Login for Docker Scout
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Run Docker Scout vulnerability scanner
+ id: docker-scout
+ uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
+ with:
+ command: cves
+ image: ${{ steps.meta.outputs.tags }}
+ ignore-base: true
+ sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+ write-comment: false
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+ summary: true
+
+ - name: Upload Scan Results to Github Artifacts
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+ path: "${{ steps.directory.outputs.directory }}/"
+ overwrite: true
+
+ - name: Upload Scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+ with:
+ sarif_file: "${{ steps.directory.outputs.directory }}/"
+ continue-on-error: true
update-release-draft:
- name: Update Release Draft
- runs-on: ubuntu-24.04
- needs: [checks]
- permissions:
- contents: write
- steps:
- - name: Checkout Repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Create/Update Draft
- uses: lucacome/draft-release@45e4395a3d8463abdb1747b20445b9be16ef6409 # v2.0.1
- id: release-notes
- with:
- minor-label: "enhancement"
- major-label: "change"
- publish: false
- collapse-after: 50
- variables: |
- helm-chart=${{ needs.checks.outputs.chart_version }}
- notes-footer: |
- ## Upgrade
- - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- - For NGINX Plus, use the {{version}} images from the F5 Container registry or build your own image using the {{version}} source code.
- - For Helm, use version {{helm-chart}} of the chart.
-
- ## Resources
- - Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- - Configuration examples -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/examples
- - Helm Chart -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/deployments/helm-chart
- - Operator -- https://github.com/nginx/nginx-ingress-helm-operator
- if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }}
+ name: Update Release Draft
+ runs-on: ubuntu-24.04
+ needs: [checks]
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Create/Update Draft
+ uses: lucacome/draft-release@45e4395a3d8463abdb1747b20445b9be16ef6409 # v2.0.1
+ id: release-notes
+ with:
+ minor-label: "enhancement"
+ major-label: "change"
+ publish: false
+ collapse-after: 50
+ variables: |
+ helm-chart=${{ needs.checks.outputs.chart_version }}
+ notes-footer: |
+ ## Upgrade
+ - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
+ - For NGINX Plus, use the {{version}} images from the F5 Container registry or build your own image using the {{version}} source code.
+ - For Helm, use version {{helm-chart}} of the chart.
+
+ ## Resources
+ - Documentation -- https://docs.nginx.com/nginx-ingress-controller/
+ - Configuration examples -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/examples
+ - Helm Chart -- https://github.com/nginx/kubernetes-ingress/tree/{{version}}/deployments/helm-chart
+ - Operator -- https://github.com/nginx/nginx-ingress-helm-operator
+ if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }}
diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml
index c746f482ee..e4dfd9e380 100644
--- a/.github/workflows/oss-release.yml
+++ b/.github/workflows/oss-release.yml
@@ -83,13 +83,31 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
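Review bot: The values fetched in the new `Setup secrets` step are written to `$GITHUB_OUTPUT` with no check that `az keyvault secret show` actually returned anything; an empty or missing vault entry would only surface later as an opaque failure in `google-github-actions/auth`, with the provider name masked out of the log. A guard after each fetch makes the failure explicit: `[ -n "$GCR_WORKLOAD_ID" ] || { echo "::error::gcr-workload-identity is empty"; exit 1; }` (and likewise for `GCR_SERVICE_ACCOUNT`). The `-o tsv` output is also appended with a plain `echo KEY=VALUE`, which would truncate the output, or let a second line define extra outputs, if the secret ever contained a newline, so the same guard could reject multi-line values. The job these steps belong to starts outside the hunk.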
@@ -121,13 +139,31 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
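Review bot: After the `Setup secrets` step the Azure CLI session created by `azure/login` stays authenticated for the rest of the job, so every later step, including the third-party registry and build actions, runs on a runner that can still read anything this identity is granted in the vault, although only this one step needs it. Since the two values are already captured as masked outputs, the session can be dropped at the end of the script with a final line `az account clear`; azure/login's own cleanup appears to run only in its post-job step, and it is worth confirming it tolerates an already-cleared session. The enclosing job and its `permissions` block are outside the hunk.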
@@ -170,13 +206,31 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
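Review bot: The `Azure login` + `Setup secrets` pair is pasted verbatim into this job and, judging by the diffstat, into many other jobs across the workflows, with the vault secret names (`gcr-workload-identity`, `kic-pipeline-gcr-sa`) and the masking logic repeated in each copy. A composite action (for example `.github/actions/gcr-vault-creds` wrapping the login, the two `az keyvault secret show` calls, the `::add-mask::` lines and the two outputs) would keep one source of truth so a renamed vault secret or a hardening change lands once rather than in every job. The Azure login → vault fetch → GCP auth sequence itself is fine; the point is only where it lives.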
@@ -214,13 +268,31 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
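Review bot: `azure/login` is invoked with only `client-id`/`tenant-id`/`subscription-id`, i.e. OIDC federation with no client secret, which requires `id-token: write` on the job just as the existing `google-github-actions/auth` step does; the job's `permissions` block is outside the hunk, so this is worth verifying rather than assuming. If the job already grants it for the GCP workload-identity step it is covered; if not, the new login fails before the GCR credentials are ever fetched. A one-line comment above the step, `# OIDC login: requires id-token: write on this job`, would document the dependency for the next person who copies the step.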
@@ -260,13 +332,31 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
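Review bot: `${{ secrets.NIC_KEYVAULT_NAME }}` is expanded directly into the shell command line, unquoted, in both `az keyvault secret show` calls; a repository secret is not attacker-controlled, but an empty or whitespace-containing value silently yields a malformed command rather than a clear error. Quoting it as `--vault-name "${{ secrets.NIC_KEYVAULT_NAME }}"`, or better passing it once through `env:` and referencing `"$NIC_KEYVAULT_NAME"` so the script body contains no template expansion at all, is the usual hardening for `run:` blocks. The job these steps belong to starts outside the hunk.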
diff --git a/.github/workflows/patch-image.yml b/.github/workflows/patch-image.yml
index 040d29bb68..f760d31c01 100644
--- a/.github/workflows/patch-image.yml
+++ b/.github/workflows/patch-image.yml
@@ -54,13 +54,31 @@ jobs:
with:
platforms: arm64
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
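Review bot: The `-o tsv` values are appended to `$GITHUB_OUTPUT` with `echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID"`, which is only correct while the vault value is a single line; a value containing a newline would truncate the output and let the remainder be parsed as additional outputs. Step outputs have a multi-line form, so the safer write is `printf 'GCR_WORKLOAD_ID<<EOF\n%s\nEOF\n' "$GCR_WORKLOAD_ID" >> "$GITHUB_OUTPUT"`, or, if a single-line value is the contract, reject anything else with `case "$GCR_WORKLOAD_ID" in *$'\n'*) echo "::error::unexpected newline in secret"; exit 1;; esac`. The same applies to `GCR_SERVICE_ACCOUNT`; the job definition starts outside the hunk.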
diff --git a/.github/workflows/plus-release.yml b/.github/workflows/plus-release.yml
index 47fbde482f..8b85207ab5 100644
--- a/.github/workflows/plus-release.yml
+++ b/.github/workflows/plus-release.yml
@@ -83,13 +83,31 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
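Review bot: Once the two outputs are captured, nothing later in this job needs the Azure CLI, yet the session from `azure/login` remains valid through the GCR login, build and push steps that follow, widening what a compromised downstream action could read from the vault. Ending the `Setup secrets` script with `az account clear` bounds that window to the one step that needs it; azure/login's own logout appears to be a post-job step, so it is worth confirming it does not error on an already-cleared session. The job and its `permissions` block start outside the hunk, so `id-token: write` for the OIDC login could not be checked here.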
@@ -121,13 +139,31 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
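Review bot: Neither `az keyvault secret show` result is validated before being handed to `google-github-actions/auth`, so a missing or empty vault entry in this release job would fail one step later with the offending value masked and no hint that the vault lookup was the cause. A one-line guard per value, `[ -n "$GCR_SERVICE_ACCOUNT" ] || { echo "::error::kic-pipeline-gcr-sa is empty"; exit 1; }`, names the problem at its source; the `echo "Setting secrets for job"` line could carry that intent as a comment instead of a log line. The job these steps belong to starts outside the hunk.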
@@ -174,21 +210,45 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+ GCR_MKPL_WORKLOAD_ID=$(az keyvault secret show --name gcr-mkpl-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_MKPL_WORKLOAD_ID"
+ echo "GCR_MKPL_WORKLOAD_ID=$GCR_MKPL_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_MKPL_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-mkpl-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_MKPL_SERVICE_ACCOUNT"
+ echo "GCR_MKPL_SERVICE_ACCOUNT=$GCR_MKPL_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-priv-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Authenticate to Google Cloud Marketplace
id: gcr-mktpl-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY_MKTPL }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT_MKTPL }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_MKPL_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_MKPL_SERVICE_ACCOUNT }}
- name: Publish Plus images
run: |
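Review bot: The four fetch/mask/output triplets in `Setup secrets` are the same three lines with different names, and none of them checks for an empty value; a small shell function with the vault name passed via `env:` keeps the step to one copy of the logic, adds the empty-value guard, and leaves the output names (`GCR_WORKLOAD_ID`, `GCR_SERVICE_ACCOUNT`, `GCR_MKPL_WORKLOAD_ID`, `GCR_MKPL_SERVICE_ACCOUNT`) unchanged so the two auth steps below still resolve. Under the default `bash -e` shell a failing `az` call already fails the assignment, but a present-yet-empty secret would currently flow through to `workload_identity_provider`/`service_account` and only surface as an error from google-github-actions/auth. The `Publish Plus images` step's body continues outside this hunk.
```yaml
      - name: Setup secrets
        id: secrets
        env:
          VAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        run: |
          set -euo pipefail
          # fetch <output-name> <vault-secret-name>: read one vault secret, mask it, publish it as a step output
          fetch() {
            local value
            value=$(az keyvault secret show --name "$2" --vault-name "$VAULT_NAME" --query value -o tsv)
            [ -n "$value" ] || { echo "::error::vault secret $2 is empty"; exit 1; }
            echo "::add-mask::$value"
            echo "$1=$value" >> "$GITHUB_OUTPUT"
          }
          fetch GCR_WORKLOAD_ID gcr-workload-identity
          fetch GCR_SERVICE_ACCOUNT kic-pipeline-gcr-sa
          fetch GCR_MKPL_WORKLOAD_ID gcr-mkpl-workload-identity
          fetch GCR_MKPL_SERVICE_ACCOUNT kic-pipeline-gcr-mkpl-sa
      # … unchanged: Authenticate to Google Cloud / Marketplace and Publish Plus images steps …
```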
@@ -215,13 +275,31 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
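Review bot: An empty value returned by the vault is not caught in `Setup secrets`: under the default `bash -e` shell a failing `az keyvault secret show` does fail the `VAR=$(...)` assignment, but a secret that exists with an empty value passes through, `::add-mask::` gets nothing to mask, and the empty `workload_identity_provider`/`service_account` only show up as an error from google-github-actions/auth further down, far from the cause. A one-line guard after each fetch makes the failure point explicit: `[ -n "$GCR_WORKLOAD_ID" ] || { echo "::error::gcr-workload-identity is empty"; exit 1; }`, and likewise for `GCR_SERVICE_ACCOUNT`.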
@@ -264,13 +342,31 @@ jobs:
with:
ref: ${{ inputs.branch }}
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
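Review bot: After `Setup secrets` finishes, the Azure CLI session created by `azure/login` stays on the runner, so every later step of this job — including the image build and anything that runs repository code — can still execute `az keyvault secret show` for any secret the identity is permitted to read, not only the two fetched here. Unless a later step needs `az`, close the session at the end of the step with `az logout` (and `az account clear`), and confirm the identity's role assignment is scoped to the individual secrets rather than the whole vault; I cannot see the role assignments from this patch, so treat the scoping part as something to verify. The same consideration applies to every job this patch adds the step to.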
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
index 14724b4c88..a09e477803 100644
--- a/.github/workflows/regression.yml
+++ b/.github/workflows/regression.yml
@@ -139,13 +139,31 @@ jobs:
with:
version: 'v3.18.6'
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
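Review bot: The `Azure login` + `Setup secrets` pair is copied verbatim into this job and into every other job touched by the patch (the second regression job below, retag-images, setup-smoke, single-image-regression and the build-base-images jobs above), with the vault secret names `gcr-workload-identity` and `kic-pipeline-gcr-sa` hard-coded in each copy. A single composite action (for example `.github/actions/gcr-secrets`, taking the Azure ids and vault name as inputs and exposing `workload_id`/`service_account` outputs) would turn the next secret rename, or a hardening change such as an empty-value check or `az logout`, into a one-place edit instead of a change in every workflow. This is a maintainability point rather than a defect in what the step does.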
@@ -247,13 +265,31 @@ jobs:
echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.images.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.images.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.images.image, 'v5') && '-v5' || '' }}/nginx${{ contains(matrix.images.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT
echo "tag=${{ needs.checks.outputs.stable_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
diff --git a/.github/workflows/retag-images.yml b/.github/workflows/retag-images.yml
index 7f381116d9..6e8963a050 100644
--- a/.github/workflows/retag-images.yml
+++ b/.github/workflows/retag-images.yml
@@ -42,13 +42,31 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: gcr-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
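Review bot: `echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT` assumes the vault value is a single line; a value containing a newline would be written as a second, unrelated line of `$GITHUB_OUTPUT`, and since workflow commands are parsed per line, `::add-mask::` would presumably mask only the first line and print the rest unmasked in the log. The two values here (a workload identity provider resource name and a service-account email) are single-line by nature, so this is a robustness note rather than a live bug, but if the pattern is reused for other secrets the delimiter form `{ echo "GCR_WORKLOAD_ID<<EOF"; echo "$GCR_WORKLOAD_ID"; echo "EOF"; } >> "$GITHUB_OUTPUT"` is newline-safe for the output write.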
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
index a54ba7265e..34d03a443e 100644
--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -61,13 +61,33 @@ jobs:
echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+ if: ${{ inputs.authenticated }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+ if: ${{ inputs.authenticated }}
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
if: ${{ inputs.authenticated }}
- name: Login to GCR
diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml
index b1a34a53a8..5cc8e4654e 100644
--- a/.github/workflows/single-image-regression.yml
+++ b/.github/workflows/single-image-regression.yml
@@ -73,13 +73,31 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - name: Azure login
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+ with:
+ client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+ - name: Setup secrets
+ id: secrets
+ run: |
+ echo "Setting secrets for job"
+ GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_WORKLOAD_ID"
+ echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+ GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+ echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+ echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
- workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
- service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+ service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
From 7ac0885ec6b680dd5771c608c044981dab9b8925 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 12 Nov 2025 13:45:52 +0000
Subject: [PATCH 2/2] add auth check
---
.github/workflows/build-oss.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index c93d766e74..85a160ebcf 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -67,6 +67,7 @@ jobs:
client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+ if: ${{ inputs.authenticated }}
- name: Setup secrets
id: secrets
@@ -78,6 +79,7 @@ jobs:
GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
echo "::add-mask::$GCR_SERVICE_ACCOUNT"
echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+ if: ${{ inputs.authenticated }}
- name: Authenticate to Google Cloud
id: auth