Merge branch 'main' into workflow-release-updater

Author: sean-breen

.codecov.yml

@@ -0,0 +1,53 @@
+# Codecov configuration file
+# This file configures code coverage reporting and requirements for the project
+coverage:
+
+  # Coverage status configuration
+  status:
+
+    # Project-level coverage settings
+    project:
+
+      # Default status check configuration
+      default:
+
+        # The minimum required coverage value for the project
+        target: 80%
+
+        # The allowed coverage decrease before failing the status check
+        threshold: 0%
+
+        # Whether to run coverage checks only on pull requests
+        only_pulls: false
+
+    # Patch-level coverage settings
+    patch:
+      default:
+        informational: true
+        target: auto
+        threshold: 0%
+        only_pulls: false
+
+comment:
+  layout: "header,diff,files,footer"
+  behavior: default
+  require_changes: false
+  require_base: false
+  require_head: true
+
+
+# Ignore files or packages matching their paths
+ignore:
+  - '\.pb\.go$'       # Excludes all protobuf generated files
+  - '\.gen\.go'      # Excludes generated files
+  - '^fake_.*\.go'    # Excludes fakes
+  - '^test/.*$'
+  - 'app.go'          # app.go and main.go should be tested by integration tests.
+  - 'main.go'
+  # ignore metadata generated files
+  - 'metadata/generated_.*\.go'
+  # ignore wrappers around gopsutil
+  - 'internal/datasource/host'
+  - 'internal/watcher/process'
+  - 'pkg/nginxprocess'
+

.github/actions/configure-goproxy/action.yml

@@ -0,0 +1,36 @@
+name: configure-goproxy
+author: s.breen
+description: Sets the current Go module proxy based on the presence of a private proxy URL in secrets
+inputs:
+  user:
+    description: Artifactory username secret name
+    required: false
+    default: ""
+  token:
+    description: Artifactory token secret name
+    required: false
+    default: ""
+  url:
+    description: Artifactory URL
+    required: false
+    default: ""
+runs:
+  using: 'composite'
+  steps:
+    - name: Configure Go Proxy
+      id: configure-goproxy
+      shell: bash
+      run: |
+        if [[ -z "${{ inputs.user }}" ]] || \
+        [[ -z "${{ inputs.token }}" ]] || \
+        [[ -z "${{ inputs.url }}" ]] || \
+        [[ "${{ github.event.pull_request.head.repo.fork }}" == 'true' ]] ||
+        [[ "${{ startsWith(github.head_ref, 'dependabot-')}}" == 'true' ]] ; then
+          echo "No Artifactory secrets available - using direct GOPROXY"
+          GOPROXY_VALUE="direct"
+        else
+          echo "Development mode - using dev Artifactory"
+          GOPROXY_VALUE="https://${{ inputs.user }}:${{ inputs.token }}@${{ inputs.url }}"
+        fi
+        echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
+    

.github/actions/start-promtail/action.yml

@@ -0,0 +1,30 @@
+name: Start Promtail
+description: Start promtail in a docker container to ship test results to Grafana Loki, then stop the container
+inputs:
+  loki_url:
+    description: URL endpoint of the Grafana Loki instance
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    - name: Start promtail container
+      shell: bash
+      run: |
+        docker run -d \
+          --name=promtail \
+          -v ${{ github.workspace }}/test/dashboard/promtail/promtail-config.yaml:/etc/promtail/promtail-config.yaml \
+          -v ${{ github.workspace }}/test/dashboard/logs/:/var/log \
+          -e TEST_OUTDIR=test/dashboard/logs \
+          -e LOKI_URL=${{ inputs.loki_url }} \
+          -e GITHUB_RUN_ID="${{ github.run_id }}" \
+          -e GITHUB_WORKFLOW="${{ github.workflow }}" \
+          -e GITHUB_EVENT_NAME="${{ github.event_name }}" \
+          -e GITHUB_REPOSITORY="${{ github.repository }}" \
+          -e GITHUB_SERVER_URL="${{ github.server_url }}" \
+          -e GITHUB_JOB="${{ github.job }}" \
+          -e GITHUB_HEAD_REF="${{ github.head_ref }}" \
+          -e GITHUB_SHA="${{ github.sha }}" \
+          -e GITHUB_ACTOR="${{ github.actor }}" \
+          grafana/promtail:3.4.4 \
+          -config.file=/etc/promtail/promtail-config.yaml \
+          -config.expand-env=true

.github/workflows/assertion.yml

@@ -0,0 +1,89 @@
+
+name: Generate and Sign Assertion Document
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        type: string
+        description: "The branch to run the assertion workflow on"
+        required: false
+        default: main
+
+jobs:
+  build-assertion-document:
+    name: Build and Generate Assertion Document
+    runs-on: ubuntu-22.04
+    if: ${{ !github.event.pull_request.head.repo.fork }}
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency"
+    outputs:
+      agent_binary: ${{ steps.check_binary.outputs.agent_binary }}
+      goversionm: ${{ steps.godeps.outputs.goversionm }}
+      assertion_document: ${{ steps.assertiondoc.outputs.assertion-document-path }}
+    strategy:
+        matrix:
+            osarch: [amd64, arm64]
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Gather build dependencies
+        id: godeps
+        run: |
+          if [ -z ${{inputs.branch}} ]; then
+            echo "No branch input provided, using current branch: $GITHUB_REF_NAME"
+          else
+            echo "Checking out branch: ${{inputs.branch}}"
+            git checkout ${{inputs.branch}}
+          fi
+          echo "Current branch: $GITHUB_REF_NAME"
+          echo "branch_name=$GITHUB_REF_NAME" >> $GITHUB_ENV
+          GO_VERSION=$(go version | awk '{print $3}' | sed 's/go//')
+          echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
+          echo "GO_VERSION=$GO_VERSION"
+          echo "time_start=$(date +%s)" >> $GITHUB_ENV
+          OSARCH=${{matrix.osarch}} make build
+          echo "time_end=$(date +%s)" >> $GITHUB_ENV
+          echo "Build time: $((time_end - time_start)) seconds"
+          
+          echo "Getting sha256sum of the built nginx-agent binary..."
+          echo "agent-digest=$(sha256sum build/nginx-agent | awk '{print $1}')" >> $GITHUB_ENV
+          
+          echo "Checking dependencies..."
+          go version -m build/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt
+          ls -l goversionm_*.txt
+          echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV
+
+      - name: Generate Assertion Document
+        id: assertiondoc
+        uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        with:
+          artifact-name: nginx-agent_${{ env.branch_name }}_${{ matrix.osarch }}
+          artifact-digest: ${{ env.agent-digest }}
+          build-type: 'github'
+          builder-id: 'github.com'
+          builder-version: '${{env.GO_VERSION}}_test'
+          invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
+          artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
+          artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
+          artifactory-repo: 'f5-nginx-go-local-approved-dependency'
+          assertion-doc-file: assertion_nginx-agent_${{env.branch_name}}_${{matrix.osarch}}.json
+          build-content-path: ${{ env.goversionm }}
+          started-on: '${{ env.time_start }}'
+          finished-on: '${{ env.time_end }}'
+
+      - name: Sign and Store Assertion Document
+        id: sign
+        uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        with:
+          assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}