feat: switch to OIDC auth for go proxy #135

Merged
maze88 merged 1 commit into Mellanox:network-operator-26.1.x from rollandf:bp-goproxy
Jan 19, 2026

@rollandf
Member

No description provided.

Signed-off-by: Michael Zeevi <mzeevi@nvidia.com>
@github-actions

Thanks for your PR,
To run vendors CIs, Maintainers can use one of:

  • /test-all: To run all tests for all vendors.
  • /test-e2e-all: To run all E2E tests for all vendors.
  • /test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs, Maintainers can use one of:

  • /skip-all: To skip all tests for all vendors.
  • /skip-e2e-all: To skip all E2E tests for all vendors.
  • /skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.

Best regards.

@github-actions github-actions bot added the ci label Jan 19, 2026
@rollandf rollandf requested a review from maze88 January 19, 2026 09:50
@greptile-apps

greptile-apps bot commented Jan 19, 2026

Greptile Summary

This PR modernizes authentication for the Go proxy from secret-based to OIDC-based authentication, and updates component field naming to align with the reusable workflow's schema.

Changes made:

  • Removed goproxy secret parameter - authentication now handled via OIDC by the reusable workflow
  • Updated Dockerfile to dockerfile (lowercase) in all three component definitions to match the reusable workflow's expected schema

Notes:

  • Depends on updated fork-ci-reusable.yml workflow that implements OIDC authentication
  • Security improvement: eliminates the need to manage and rotate GO_PROXY_URL secret

Confidence Score: 4/5

  • This PR is safe to merge with minimal risk, assuming the reusable workflow has been updated to support these changes
  • The changes are straightforward configuration updates to align with an updated reusable workflow. The field name change from Dockerfile to dockerfile is cosmetic but critical for compatibility. The removal of the goproxy secret modernizes authentication. The main risk is if the reusable workflow hasn't been updated to support OIDC authentication yet, which would cause the workflow to fail.
  • No files require special attention

Important Files Changed

Filename | Overview
--- | ---
.github/workflows/fork-ci.yaml | Switches from secret-based go proxy auth to OIDC and updates component field naming from Dockerfile to dockerfile

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant Workflow as fork-ci.yaml
    participant Reusable as fork-ci-reusable.yml
    participant OIDC as OIDC Provider
    participant GoProxy as Go Proxy Server
    participant Registry as nvcr.io

    GHA->>Workflow: Push to network-operator-* branch/tag
    Workflow->>Reusable: Call reusable workflow
    Note over Workflow,Reusable: Pass registry-username, registry-token,<br/>cicd-gh-token secrets
    Note over Workflow,Reusable: Pass components with lowercase 'dockerfile' field
    Reusable->>OIDC: Request OIDC token
    OIDC-->>Reusable: Return JWT token
    Reusable->>GoProxy: Authenticate with OIDC token
    GoProxy-->>Reusable: Grant access
    Reusable->>Reusable: Build Docker images<br/>(Dockerfile.nvidia, etc.)
    Reusable->>Registry: Push images to nvcr.io/nvstaging/mellanox
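
The "Authenticate with OIDC token" step in the diagram above only replaces the shared secret safely if the receiving side pins the token's claims. The sketch below is an added example, not code from this PR or from the project: it shows the claim policy a relying party would apply to a GitHub Actions OIDC token after verifying its signature against the issuer's published keys. The audience value, the repository placeholder and all function names are assumptions; the ref patterns follow the `network-operator-*` trigger in the diagram.

```python
import base64
import fnmatch
import json
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "goproxy.example.internal"   # assumption: audience the proxy expects
ALLOWED_REPOSITORY = "example-org/example-repo"  # placeholder, not taken from the page
# The diagram's trigger: pushes to network-operator-* branches or tags.
ALLOWED_REFS = ("refs/heads/network-operator-*", "refs/tags/network-operator-*")


def decode_payload(token):
    """Return the claims of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    segment = parts[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def claim_problems(claims, now=None):
    """Names of the claims that fail policy; an empty list means accept."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append("iss")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("exp")
    if claims.get("repository") != ALLOWED_REPOSITORY:
        problems.append("repository")
    ref = claims.get("ref")
    if not isinstance(ref, str) or not any(fnmatch.fnmatchcase(ref, p) for p in ALLOWED_REFS):
        problems.append("ref")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo (not a real GitHub token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.constructed-signature'


# Constructed sample claims for a push to a release branch named on this page.
SAMPLE_CLAIMS = {"iss": GITHUB_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 2000,
                 "repository": ALLOWED_REPOSITORY, "ref": "refs/heads/network-operator-26.1.x"}
```

Pinning `repository` and `ref` is what keeps a token minted by another repository or an unrelated branch from being accepted, since every GitHub Actions job can obtain a validly signed token from the same issuer.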

@maze88 maze88 merged commit 17247a9 into Mellanox:network-operator-26.1.x Jan 19, 2026
11 of 14 checks passed