[CI/CD] Improve assertion doc generation (#1400)

* reduce packaging time by building only two binaries

* use pushd

* tidy up console output

* perform string substitution when creating files for release packaging

* remove docker build for FreeBSD packager

* perform string sub on architecture var

* update make target

* [skip ci] clean up log output

* add assertion step to release-branch, sha checksum and build times

* archive the binaries for generating assertion doc

* remove matrix from step

* fix ref

* use a relative path for reusable action

* add package version to call

* remove secrets

* [skip ci] swap runner for test

* [skip ci] fix flow

* [skip ci] fix flow

* update actions versions for artifacts

* [skip ci] more log output when archiving binaries

* [skip ci] run from this branch for test

* [skip ci] run from this branch for test

* [skip ci] run from this branch for test

* [skip ci] add back gpg key gen

* [skip ci] fix tarball path, use cd instead of popd

* [skip ci] move assertion doc gen into release-branch.yml

* [skip ci] install go for assertion doc job

* [skip ci] use go mod download

* [skip ci]

* [skip ci]

* [skip ci] add artifactory creds

* make assertion optional

* call reusable assertion workflow

* [skip ci] fix perms

* [skip ci] fix perms

* [skip ci] allow run via dispatch, artifact id as input

* [skip ci] add run id for downloading artifacts

* [skip ci] list artifacts and download by name

* make run id required

* remove ref from checkout, use current commit or default branch

* ensure checkout uses inputs.releaseBranch in release branch workflow

* use self-hosted runner for build

Author: sean-breen

.github/workflows/assertion.yml

@@ -1,73 +1,94 @@
-
 name: Generate and Sign Assertion Document
 
 on:
   workflow_dispatch:
     inputs:
-      branch:
+      packageVersion:
+        description: 'Agent version'
+        type: string
+        required: true
+      runId:
+        description: 'Run ID of the workflow that built the artifacts'
+        type: string
+        required: true
+      signAssertion:
+        description: 'Sign and store the assertion document'
+        type: boolean
+        required: false
+        default: false
+  workflow_call:
+    inputs:
+      packageVersion:
+        description: 'Agent version'
         type: string
-        description: "The branch to run the assertion workflow on"
+        required: true
+      runId:
+        description: 'Run ID of the workflow that built the artifacts'
+        type: string
+        required: false
+      signAssertion:
+        description: 'Sign and store the assertion document'
+        type: boolean
         required: false
-        default: main
+        default: false
+    secrets:
+      ARTIFACTORY_USER:
+        required: true
+      ARTIFACTORY_TOKEN:
+        required: true
+      ARTIFACTORY_URL:
+        required: true
 
 jobs:
   build-assertion-document:
-    name: Build and Generate Assertion Document
+    name: Create Assertion Document
     runs-on: ubuntu-22.04
     if: ${{ !github.event.pull_request.head.repo.fork }}
     permissions:
       id-token: write
       contents: read
     env:
-      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL_PROD }}"
-    outputs:
-      agent_binary: ${{ steps.check_binary.outputs.agent_binary }}
-      goversionm: ${{ steps.godeps.outputs.goversionm }}
-      assertion_document: ${{ steps.assertiondoc.outputs.assertion-document-path }}
+      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL }}"
     strategy:
-        matrix:
-            osarch: [amd64, arm64]
+      matrix:
+        osarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - name: Checkout Repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version-file: go.mod
+          go-version-file: 'go.mod'
           cache: false
 
+      - name: Download nginx-agent binary artifacts
+        if: ${{ inputs.runId != '' }}
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0
+        with:
+          name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }}
+          path: binaries
+          run-id: ${{ inputs.runId }}
+          github-token: ${{ github.token }}
+
       - name: Gather build dependencies
         id: godeps
         run: |
-          if [ -z ${{inputs.branch}} ]; then
-            echo "No branch input provided, using current branch: $GITHUB_REF_NAME"
-          else
-            echo "Checking out branch: ${{inputs.branch}}"
-            git checkout ${{inputs.branch}}
-          fi
-          echo "Current branch: $GITHUB_REF_NAME"
-          echo "branch_name=$GITHUB_REF_NAME" >> $GITHUB_ENV
-          GO_VERSION=$(go version | awk '{print $3}' | sed 's/go//')
-          echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
-          echo "GO_VERSION=$GO_VERSION"
-          echo "time_start=$(date +%s)" >> $GITHUB_ENV
-          OSARCH=${{matrix.osarch}} make build
-          echo "time_end=$(date +%s)" >> $GITHUB_ENV
-          echo "Build time: $((time_end - time_start)) seconds"
-          
-          echo "Getting sha256sum of the built nginx-agent binary..."
-          echo "agent-digest=$(sha256sum build/nginx-agent | awk '{print $1}')" >> $GITHUB_ENV
-          
+          ls -la binaries
+          echo "agent_digest=$(cat binaries/nginx-agent.sha256)" >> $GITHUB_ENV
+          echo "agent_buildstart=$(cat binaries/nginx-agent.buildstart)" >> $GITHUB_ENV
+          echo "agent_buildend=$(cat binaries/nginx-agent.buildend)" >> $GITHUB_ENV
+
           echo "Checking dependencies..."
-          go version -m build/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt
+          go version -m binaries/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt
           ls -l goversionm_*.txt
           echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV
 
       - name: Generate Assertion Document
         id: assertiondoc
         uses: nginxinc/compliance-rules/.github/actions/assertion@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
         with:
-          artifact-name: nginx-agent_${{ env.branch_name }}_${{ matrix.osarch }}
+          artifact-name: nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}
           artifact-digest: ${{ env.agent-digest }}
           build-type: 'github'
           builder-id: 'github.com'
@@ -77,13 +98,14 @@ jobs:
           artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
           artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
           artifactory-repo: 'f5-nginx-go-local-approved-dependency'
-          assertion-doc-file: assertion_nginx-agent_${{env.branch_name}}_${{matrix.osarch}}.json
+          assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json
           build-content-path: ${{ env.goversionm }}
-          started-on: '${{ env.time_start }}'
-          finished-on: '${{ env.time_end }}'
+          started-on: '${{ env.agent_buildstart }}'
+          finished-on: '${{ env.agent_buildend }}'
 
       - name: Sign and Store Assertion Document
         id: sign
+        if: ${{ inputs.signAssertion == true }}
         uses: nginxinc/compliance-rules/.github/actions/sign@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
         with:
           assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}

.github/workflows/release-branch.yml

@@ -37,6 +37,11 @@ on:
         description: 'Location to publish packages to'
         required: false
         default: "https://up-ap.nginx.com"
+        type: string
+      assertionDoc:
+        description: 'Generate assertion document'
+        default: false
+        type: boolean
 
 env:
   NFPM_VERSION: 'v2.35.3'
@@ -88,15 +93,13 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        if: ${{ needs.vars.outputs.github_release == 'true' }}
         with:
           ref: ${{ inputs.releaseBranch }}
 
-      - name: Setup Node Environment
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
-
       - name: Create Draft Release
-        if: ${{ needs.vars.outputs.github_release == 'true' }}
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        if: ${{ needs.vars.outputs.github_release == 'true' }}
         id: release
         env:
           version: ${{ inputs.packageVersion }}
@@ -172,6 +175,7 @@ jobs:
 
       - name: Set Environment Variables
         id: vars
+        if: ${{ needs.vars.outputs.github_release == 'true' }}
         run: |
           echo "RELEASE_ID=$(echo '${{steps.release.outputs.result}}' | jq -r '.release_id')" >> $GITHUB_OUTPUT
           cat $GITHUB_OUTPUT
@@ -185,6 +189,7 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        if: ${{ needs.vars.outputs.tag_release == 'true' }}
         with:
           ref: ${{ inputs.releaseBranch }}
 
@@ -193,16 +198,11 @@ jobs:
         run: |
           git config --global user.name 'github-actions'
           git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
-
           git tag -a "v${{ inputs.packageVersion }}" -m "CI Autogenerated"
-
-      - name: Push Tags
-        if: ${{ needs.vars.outputs.tag_release == 'true' }}
-        run: |
           git push origin "v${{ inputs.packageVersion }}"
 
-  upload-packages:
-    name: Upload packages
+  build-and-upload-packages:
+    name: Build and upload release packages
     runs-on: ubuntu-22.04-amd64
     needs: [vars,release-draft,tag-release]
     permissions:
@@ -222,6 +222,7 @@ jobs:
 
       - name: Setup package build environment
         run: |
+          go mod download
           go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }}
           sudo apt-get update
           sudo apt-get install -y gpgv1 monkeysphere
@@ -242,6 +243,36 @@ jobs:
           export PATH=$PATH:~/go/bin
           echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE}
           make package
+          find build/ -type f -name "nginx-agent*"
+
+      - name: Archive AMD64 Binaries
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: nginx-agent-binaries-${{ inputs.packageVersion }}-amd64
+          path: |
+            build/amd64/nginx-agent
+            build/amd64/nginx-agent.sha256
+            build/amd64/nginx-agent.buildstart
+            build/amd64/nginx-agent.buildend
+
+      - name: Archive ARM64 Binaries
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: nginx-agent-binaries-${{ inputs.packageVersion }}-arm64
+          path: |
+            build/arm64/nginx-agent
+            build/arm64/nginx-agent.sha256
+            build/arm64/nginx-agent.buildstart
+            build/arm64/nginx-agent.buildend
+
+      - name: List artifacts
+        run: |
+          echo "Run ID: ${{ github.run_id }}"
+          echo "Run Number: ${{ github.run_number }}"
+          echo "nginx-agent-binaries-${{ inputs.packageVersion }}-arm64"
+          find build/arm64 -type f -name "nginx-agent*"
+          echo "nginx-agent-binaries-${{ inputs.packageVersion }}-amd64"
+          find build/amd64 -type f -name "nginx-agent*"
 
       - name: Get Id Token
         if: ${{ inputs.publishPackages == true }}
@@ -252,14 +283,31 @@ jobs:
             let id_token = await core.getIDToken()
             core.setOutput('id_token', id_token)
 
-      - name: Publish Release Packages
+      - name: Upload Release Packages to NGINX repo
         if: ${{ inputs.publishPackages == true }}
         env:
           TOKEN: ${{ steps.idtoken.outputs.id_token }}
           UPLOAD_URL: ${{ inputs.uploadUrl }}
         run: |
           make release
 
+  assertion-document:
+    name: Build and Generate Assertion Document
+    needs: [build-and-upload-packages]
+    if : ${{ inputs.assertionDoc == true }}
+    uses: ./.github/workflows/assertion.yml
+    permissions:
+      id-token: write
+      contents: read
+    with:
+      packageVersion: ${{ inputs.packageVersion }}
+      runId: ${{ github.run_id }}
+    secrets:
+      ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
+      ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
+      ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL }}
+
+
   merge-release:
     if: ${{ needs.vars.outputs.create_pull_request == 'true' }}
     name: Merge release branch back into main branch
@@ -286,6 +334,6 @@ jobs:
               base: 'main',
               body: [
                 'This PR was auto-generated by the release workflow.',
-                'NOTE: DO NOT squash commits when merging!!',
+                'NOTE: DO NOT squash commits when merging!',
               ].join('\n')
             });

Makefile.packaging

@@ -36,20 +36,27 @@ $(PACKAGES_DIR):
 
 .PHONY: package
 package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported distros
-
 # Build binaries for all supported architectures
 	@for arch in $(DEB_ARCHS); do \
 		mkdir -p $(BUILD_DIR)/$${arch}; \
 		cp .nfpm.yaml .nfpm.$${arch}.yaml; \
 		sed -i.bak "s/\^ARCH\^/$${arch}/g" ".nfpm.$${arch}.yaml"; \
 		sed -i.bak "s/\^BUILD_PATH\^/\.\/build\/$${arch}/g" ".nfpm.$${arch}.yaml"; \
 		echo "Building linux/$${arch}"; \
+		start_time=$$(date +%s); \
 		GOWORK=off CGO_ENABLED=0 GOARCH=$${arch} GOOS=linux \
 			go build -pgo=auto -ldflags=${LDFLAGS} \
 			-o $(BUILD_DIR)/$${arch}/$(BINARY_NAME) \
 			$(PROJECT_DIR)/$(PROJECT_FILE); \
-		rm -f .nfpm.$$arch.yaml.bak; \
+		end_time=$$(date +%s); \
+		rm -f .nfpm.$${arch}.yaml.bak; \
+		sha256sum build/$${arch}/nginx-agent | awk '{print $$1}' > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).sha256; \
+		echo $${start_time} > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).buildstart; \
+		echo $${end_time} > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).buildend; \
+		echo "Built binary:"; \
 		ls -la "$(BUILD_DIR)/$${arch}/$(BINARY_NAME)"; \
+		cat $(BUILD_DIR)/$${arch}/$(BINARY_NAME).sha256; \
+		echo "Built took "$$((end_time - start_time))" seconds"; \
 	done; \
 
 # Create deb packages
@@ -138,9 +145,9 @@ package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported di
 # Create tarball containing all packages
 	@echo "Creating tarball: $(TARBALL_NAME)"; \
 	rm -f $(PACKAGES_DIR)/$(TARBALL_NAME); \
-	pushd $(PACKAGES_DIR) > /dev/null; \
+	cd $(PACKAGES_DIR); \
 	tar -czvf "./$(TARBALL_NAME)" *; \
-	popd > /dev/null; \
+	cd ../.. \
 	ls -la $(PACKAGES_DIR)/$(TARBALL_NAME);
 
 .PHONY: gpg-key