simplify az-sync action

sean-breen · sean-breen · commit 5726f23cfa9a · 2025-12-15T15:33:01.000Z
diff --git a/.github/actions/az-sync/action.yml b/.github/actions/az-sync/action.yml
@@ -2,15 +2,6 @@ name: Sync Secrets from Azure Key Vault
 author: s.breen
 description: az-sync
 inputs:
-  az_client_id:
-    description: 'Azure Client ID'
-    required: true
-  az_tenant_id:
-    description: 'Azure Tenant ID'
-    required: true
-  az_subscription_id:
-    description: 'Azure Subscription ID'
-    required: true
   keyvault:
     description: 'Azure Key Vault name'
     required: true
@@ -24,9 +15,9 @@ runs:
     - name: Azure login
       uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
       with:
-        client-id: ${{ inputs.az_client_id }}
-        tenant-id: ${{ inputs.az_tenant_id }}
-        subscription-id: ${{ inputs.az_subscription_id }}
+        client-id: ${{ env.AZ_KEYVAULT_CLIENT_ID }}
+        tenant-id: ${{ env.AZ_KEYVAULT_TENANT_ID }}
+        subscription-id: ${{ env.AZ_SUBSCRIPTION_ID }}
 
     - name: Sync
       shell: bash
diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml
@@ -16,28 +16,6 @@ on:
         type: boolean
         required: false
         default: false
-  workflow_call:
-    inputs:
-      packageVersion:
-        description: 'Agent version'
-        type: string
-        required: true
-      runId:
-        description: 'Run ID of the workflow that built the artifacts'
-        type: string
-        required: false
-      signAssertion:
-        description: 'Sign and store the assertion document'
-        type: boolean
-        required: false
-        default: false
-    secrets:
-      ARTIFACTORY_USER:
-        required: true
-      ARTIFACTORY_TOKEN:
-        required: true
-      ARTIFACTORY_URL:
-        required: true
 
 jobs:
   build-assertion-document:
@@ -94,9 +72,9 @@ jobs:
           builder-id: 'github.com'
           builder-version: '${{env.GO_VERSION}}_test'
           invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
-          artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
-          artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
-          artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
+          artifactory-user: ${{ env.artifactory-user }}
+          artifactory-api-token: ${{ env.artifactory-token }}
+          artifactory-url: ${{ env.artifactory-url }}
           artifactory-repo: 'f5-nginx-go-local-approved-dependency'
           assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json
           build-content-path: ${{ env.goversionm }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -35,9 +35,6 @@ jobs:
         - name: Get Secrets from Azure Key Vault
           uses: ./.github/actions/az-sync
           with:
-            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
             keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
             secrets-filter: 'artifactory'
         - name: Configure Go Proxy
@@ -71,9 +68,6 @@ jobs:
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
-          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'artifactory'
       - name: Configure Go Proxy
@@ -112,9 +106,6 @@ jobs:
         - name: Get Secrets from Azure Key Vault
           uses: ./.github/actions/az-sync
           with:
-            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
             keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
             secrets-filter: 'artifactory'
         - name: Configure Go Proxy
@@ -147,9 +138,6 @@ jobs:
         - name: Get Secrets from Azure Key Vault
           uses: ./.github/actions/az-sync
           with:
-            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
             keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
             secrets-filter: 'artifactory'
         - name: Configure Go Proxy
@@ -179,9 +167,6 @@ jobs:
         - name: Get Secrets from Azure Key Vault
           uses: ./.github/actions/az-sync
           with:
-            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
             keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
             secrets-filter: 'artifactory'
         - name: Configure Go Proxy
@@ -232,9 +217,6 @@ jobs:
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
-          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'artifactory'
       - name: Configure Go Proxy
@@ -294,9 +276,6 @@ jobs:
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
-          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'artifactory'
       - name: Configure Go Proxy
@@ -363,9 +342,6 @@ jobs:
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
-          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'artifactory'
       - name: Configure Go Proxy
@@ -442,9 +418,6 @@ jobs:
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
-          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'artifactory'
       - name: Configure Go Proxy
@@ -520,9 +493,6 @@ jobs:
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
-          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'artifactory'
       - name: Configure Go Proxy
@@ -599,9 +569,6 @@ jobs:
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
-          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'artifactory'
       - name: Configure Go Proxy
@@ -662,9 +629,6 @@ jobs:
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
-          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'artifactory'
       - name: Configure Go Proxy
@@ -735,9 +699,6 @@ jobs:
       - name: Get Secrets from Azure Key Vault
         uses: ./.github/actions/az-sync
         with:
-          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
-          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
-          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
           keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
           secrets-filter: 'nginx-crt,nginx-key'
 
@@ -787,4 +748,4 @@ jobs:
 
       - name: Push load test result
         if:  ${{ success() && github.ref_name == 'main' }}
-        run: git push 'https://github-actions:${{ secrets.GITHUB_TOKEN }}@github.com/nginx/agent.git' benchmark-results:benchmark-results
+        run: git push 'https://github-actions:${{ github.token }}@github.com/nginx/agent.git' benchmark-results:benchmark-results
diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
@@ -47,5 +47,5 @@ jobs:
           # Do not lock PRs after a merge.
           lock-pullrequest-aftermerge: false
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
@@ -18,4 +18,4 @@ jobs:
         with:
           disable-releaser: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
@@ -291,23 +291,6 @@ jobs:
         run: |
           make release
 
-  assertion-document:
-    name: Build and Generate Assertion Document
-    needs: [build-and-upload-packages]
-    if : ${{ inputs.assertionDoc == true }}
-    uses: ./.github/workflows/assertion.yml
-    permissions:
-      id-token: write
-      contents: read
-    with:
-      packageVersion: ${{ inputs.packageVersion }}
-      runId: ${{ github.run_id }}
-    secrets:
-      ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
-      ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
-      ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL }}
-
-
   merge-release:
     if: ${{ needs.vars.outputs.create_pull_request == 'true' }}
     name: Merge release branch back into main branch
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
@@ -5,13 +5,13 @@ on:
       target-branch:
         description: 'Target branch to run govulncheck against'
         type: string
-        required: false
+        required: true
         default: 'main'
   workflow_dispatch:
     inputs:
       target-branch:
         description: 'Target branch to run govulncheck against'
-        required: false
+        required: true
         default: 'main'
 
 jobs:
@@ -25,7 +25,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
             fetch-depth: 0
-            ref: ${{ inputs.targetBranch || 'main' }}
+            ref: ${{ inputs.targetBranch || github.event.inputs.target-branch }}
 
       - name: Check Go version
         id: get-go-version
