Merge branch 'main' into improve-assertion-doc-generation

Author: sean-breen

.github/workflows/assertion.yml

@@ -56,8 +56,8 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
-      - name: Setup go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - name: Set up Go
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -86,7 +86,7 @@ jobs:
 
       - name: Generate Assertion Document
         id: assertiondoc
-        uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        uses: nginxinc/compliance-rules/.github/actions/assertion@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
         with:
           artifact-name: nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}
           artifact-digest: ${{ env.agent-digest }}
@@ -106,6 +106,6 @@ jobs:
       - name: Sign and Store Assertion Document
         id: sign
         if: ${{ inputs.signAssertion == true }}
-        uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        uses: nginxinc/compliance-rules/.github/actions/sign@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
         with:
           assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}

.github/workflows/ci.yml

@@ -37,7 +37,7 @@ jobs:
             user: ${{ secrets.ARTIFACTORY_USER }}
             token: ${{ secrets.ARTIFACTORY_TOKEN }}
             url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-        - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
           with:
             go-version-file: 'go.mod'
             cache: false
@@ -67,7 +67,7 @@ jobs:
           user: ${{ secrets.ARTIFACTORY_USER }}
           token: ${{ secrets.ARTIFACTORY_TOKEN }}
           url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -95,7 +95,7 @@ jobs:
             user: ${{ secrets.ARTIFACTORY_USER }}
             token: ${{ secrets.ARTIFACTORY_TOKEN }}
             url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-        - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
           with:
             go-version-file: 'go.mod'
             cache: false
@@ -124,7 +124,7 @@ jobs:
             user: ${{ secrets.ARTIFACTORY_USER }}
             token: ${{ secrets.ARTIFACTORY_TOKEN }}
             url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-        - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
           with:
             go-version-file: 'go.mod'
             cache: false
@@ -150,7 +150,7 @@ jobs:
             user: ${{ secrets.ARTIFACTORY_USER }}
             token: ${{ secrets.ARTIFACTORY_TOKEN }}
             url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-        - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
           with:
             go-version-file: 'go.mod'
             cache: false
@@ -197,7 +197,7 @@ jobs:
           user: ${{ secrets.ARTIFACTORY_USER }}
           token: ${{ secrets.ARTIFACTORY_TOKEN }}
           url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -253,7 +253,7 @@ jobs:
           user: ${{ secrets.ARTIFACTORY_USER }}
           token: ${{ secrets.ARTIFACTORY_TOKEN }}
           url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -316,7 +316,7 @@ jobs:
           user: ${{ secrets.ARTIFACTORY_USER }}
           token: ${{ secrets.ARTIFACTORY_TOKEN }}
           url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -389,7 +389,7 @@ jobs:
           user: ${{ secrets.ARTIFACTORY_USER }}
           token: ${{ secrets.ARTIFACTORY_TOKEN }}
           url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -461,7 +461,7 @@ jobs:
           user: ${{ secrets.ARTIFACTORY_USER }}
           token: ${{ secrets.ARTIFACTORY_TOKEN }}
           url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -534,7 +534,7 @@ jobs:
           user: ${{ secrets.ARTIFACTORY_USER }}
           token: ${{ secrets.ARTIFACTORY_TOKEN }}
           url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -592,7 +592,7 @@ jobs:
           user: ${{ secrets.ARTIFACTORY_USER }}
           token: ${{ secrets.ARTIFACTORY_TOKEN }}
           url: ${{ secrets.ARTIFACTORY_URL_DEV }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -630,7 +630,7 @@ jobs:
     needs: build-unsigned-snapshot
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
           cache: false

.github/workflows/dependency-review.yml

@@ -25,6 +25,6 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
         with:
           config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"

.github/workflows/release-branch.yml

@@ -3,38 +3,36 @@ name: Release Agent
 on:
   workflow_dispatch:
     inputs:
-      githubRelease:
-        description: 'Setup release in github'
-        type: boolean
-        default: false
       packageVersion:
-        description: 'Package version number'
-        default: "3.0.0"
+        required: true
+        description: 'Package version number (3.x.x)'
+        default: ""
         type: string
       packageBuildNo:
-        description: 'Package Build number'
+        required: true
+        description: 'Package build number'
         default: "1"
         type: string
-      uploadAzure:
-        description: 'Publish packages Azure storage'
+      releaseBranch:
+        description: 'Release branch to build from (release-3.x.x)'
+        required: true
+        type: string
+      tagRelease:
+        description: 'Add tag for release (v3.x.x)'
         default: false
         type: boolean
-      publishPackages:
-        description: 'Publish packages to nginx repo'
-        default: false
+      githubRelease:
+        description: 'Draft release (v3.x.x) on GitHub'
         type: boolean
-      tagRelease:
-        description: 'Add tag to release branch'
         default: false
-        type: boolean
       createPullRequest:
-        description: 'Create pull request back into main'
+        description: 'Create pull request into main (required if release branch has diverged from main)'
+        default: false
+        type: boolean
+      publishPackages:
+        description: 'Publish packages to nginx repo'
         default: false
         type: boolean
-      releaseBranch:
-        description: 'Release branch to build & publish from'
-        required: true
-        type: string
       uploadUrl:
         description: 'Location to publish packages to'
         required: false
@@ -47,7 +45,7 @@ on:
 
 env:
   NFPM_VERSION: 'v2.35.3'
-  GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency"
+  GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL_PROD }}"
 
 defaults:
   run:
@@ -65,10 +63,9 @@ jobs:
     name: Set workflow variables
     runs-on: ubuntu-22.04
     outputs:
+      tag_release: ${{steps.vars.outputs.tag_release }}
       github_release: ${{steps.vars.outputs.github_release }}
-      upload_azure: ${{steps.vars.outputs.upload_azure }}
       publish_packages: ${{steps.vars.outputs.publish_packages }}
-      tag_release: ${{steps.vars.outputs.tag_release }}
       create_pull_request: ${{steps.vars.outputs.create_pull_request }}
     steps:
       - name: Checkout Repository
@@ -79,10 +76,9 @@ jobs:
       - name: Set variables
         id: vars
         run: |
+          echo "tag_release=${{ inputs.tagRelease }}" >> $GITHUB_OUTPUT
           echo "github_release=${{ inputs.githubRelease }}" >> $GITHUB_OUTPUT
-          echo "upload_azure=${{ inputs.uploadAzure }}" >> $GITHUB_OUTPUT
           echo "publish_packages=${{ inputs.publishPackages }}" >> $GITHUB_OUTPUT
-          echo "tag_release=${{ inputs.tagRelease }}" >> $GITHUB_OUTPUT
           echo "create_pull_request=${{ inputs.createPullRequest }}" >> $GITHUB_OUTPUT
           cat $GITHUB_OUTPUT
 
@@ -211,15 +207,15 @@ jobs:
     needs: [vars,release-draft,tag-release]
     permissions:
       id-token: write
-      contents: write # Needed to update a github release
+      contents: write # Needed to update a release
     steps:
       - name: Checkout Repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           ref: ${{ inputs.releaseBranch }}
 
       - name: Setup go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
             go-version-file: 'go.mod'
             cache: false
@@ -278,12 +274,6 @@ jobs:
           echo "nginx-agent-binaries-${{ inputs.packageVersion }}-amd64"
           find build/amd64 -type f -name "nginx-agent*"
 
-      - name: Install GPG tools
-        if: ${{ inputs.publishPackages == true }}
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y gpgv1 monkeysphere
-
       - name: Get Id Token
         if: ${{ inputs.publishPackages == true }}
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -343,6 +333,7 @@ jobs:
               head: '${{ inputs.releaseBranch }}',
               base: 'main',
               body: [
-                'This PR is auto-generated by the release workflow.'
+                'This PR was auto-generated by the release workflow.',
+                'NOTE: DO NOT squash commits when merging!',
               ].join('\n')
             });

.github/workflows/scorecards.yml

@@ -55,6 +55,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           sarif_file: results.sarif

.github/workflows/upload-release-assets.yml

@@ -12,7 +12,7 @@ on:
         type: string
         default: ""
       uploadAzure:
-        description: 'Publish packages Azure storage'
+        description: 'Publish packages to Azure blob storage'
         type: boolean
         default: false
       uploadGithub:
@@ -25,7 +25,7 @@ defaults:
     shell: bash
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   vars:
@@ -63,31 +63,20 @@ jobs:
           echo "Checking Packages in ${{inputs.pkgRepo}}/nginx-agent"
           echo "${{secrets.PUBTEST_CERT}}" > pubtest.crt
           echo "${{secrets.PUBTEST_KEY}}" > pubtest.key
-          PKG_REPO=${{inputs.pkgRepo}} CERT=pubtest.crt KEY=pubtest.key DL=1 scripts/packages/package-check.sh ${{inputs.pkgVersion}}
-          for i in $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"); do
-            if [[ "$i" == *.deb ]]; then
-              echo "Renaming ${i} to ${i/_/-}"
-              mv "${i}" "${i/_/-}"
-            fi 
-            if [[ "$i" == *.apk ]]; then
-              ver=$(echo "$i" | grep -o -e "v[0-9]*\.[0-9]*")
-              arch=$(echo "$i" | grep -o -F -e "x86_64" -e "aarch64")
-              dest="$(dirname "$i")/nginx-agent-${{inputs.pkgVersion}}-$ver-$arch.apk"
-              echo "Renaming ${i} to ${dest}"
-              mv "${i}" "${dest}"
-            fi
-          done
-          find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"
+          
+          DL=1 PKG_REPO=${{inputs.pkgRepo}} \
+          CERT=pubtest.crt KEY=pubtest.key \
+            scripts/packages/package-check.sh ${{inputs.pkgVersion}}
 
       - name: GitHub Upload
-        continue-on-error: true
         if: ${{ needs.vars.outputs.github_release == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         # clobber overwrites existing assets of the same name
         run: |
+          gh release list
           gh release upload --clobber v${{ inputs.pkgVersion }} \
-            $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}")
+            $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}" | grep -v "azure")
 
       - name: Azure Login
         if: ${{ inputs.uploadAzure == true }}
@@ -100,8 +89,14 @@ jobs:
         uses: azure/CLI@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0
         with:
           inlineScript: |
-            for i in $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"); do
-              dest="nginx-agent/${GITHUB_REF##*/}/${i##*/}"
+            echo "Uploading tarball... nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz"
+            az storage blob upload --auth-mode=login -f "${{ inputs.pkgRepo }}/nginx-agent/nginx-agent.tar.gz" \
+              -c ${{ secrets.AZURE_CONTAINER_NAME }} \
+              --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz
+            
+            echo "Uploading packages..."
+            for i in $(find ${{ inputs.pkgRepo }}/nginx-agent | grep -e "nginx-agent[_-]${{ inputs.pkgVersion }}"); do
+              dest="nginx-agent/release-${{ inputs.pkgVersion }}/${i##*/}"
               echo "Uploading ${i} to ${dest}"
               az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \
               --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n ${dest}

Makefile.packaging

@@ -152,7 +152,12 @@ package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported di
 
 .PHONY: gpg-key
 gpg-key: ## Generate GPG public key
-	$$(gpg --import $(NFPM_SIGNING_KEY_FILE)); \
+	@if [ -z "$(NFPM_SIGNING_KEY_FILE)" ]; then \
+		echo "NFPM_SIGNING_KEY_FILE is not set. Exiting..."; \
+		exit 1; \
+	fi
+	@echo "Generating GPG public key for package signing...";
+	@$$(gpg --import $(NFPM_SIGNING_KEY_FILE)); \
 	keyid=$$(gpg --list-keys NGINX | egrep -A1 "^pub" | egrep -v "^pub" | tr -d '[:space:]'); \
 	if [ -z "$$keyid" ]; then echo "Error: GPG key not found."; exit 1; fi; \
 	# Check if the key is expired \