addressing feeback around token permissions

Author: sean-breen

.github/workflows/assertion.yml

@@ -26,23 +26,14 @@ jobs:
     runs-on: ubuntu-22.04
     if: ${{ !github.event.pull_request.head.repo.fork }}
     permissions:
-      id-token: write
-      contents: read
-    env:
-      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL }}"
+      contents: read # Needed to download artifacts
     strategy:
       matrix:
         osarch: [amd64, arm64]
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
-      - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
-        with:
-          go-version-file: 'go.mod'
-          cache: false
-
       - name: Download nginx-agent binary artifacts
         if: ${{ inputs.runId != '' }}
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0

.github/workflows/ci.yml

@@ -106,9 +106,6 @@ jobs:
   unit-test:
     name: Unit Tests
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
-      contents: write
     steps:
         - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         - name: Get Secrets from Azure Key Vault
@@ -142,8 +139,6 @@ jobs:
   race-condition-test:
     name: Unit tests with race condition detection
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     steps:
         - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         - name: Get Secrets from Azure Key Vault
@@ -172,8 +167,6 @@ jobs:
   build-unsigned-snapshot:
     name: Build Unsigned Snapshot
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     steps:
         - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
           with:
@@ -219,7 +212,7 @@ jobs:
     needs: build-unsigned-snapshot
     runs-on: ubuntu-22.04
     permissions:
-      id-token: write
+      id-token: write # for OIDC authentication
     strategy:
       matrix:
         container:
@@ -280,8 +273,6 @@ jobs:
     name: Upgrade Tests
     needs: build-unsigned-snapshot
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     strategy:
       matrix:
         container:
@@ -343,8 +334,6 @@ jobs:
     needs: build-unsigned-snapshot
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     strategy:
       matrix:
         container:
@@ -414,8 +403,6 @@ jobs:
     needs: build-unsigned-snapshot
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     strategy:
       matrix:
         container:
@@ -512,8 +499,6 @@ jobs:
     needs: build-unsigned-snapshot
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     strategy:
       matrix:
         container:
@@ -583,8 +568,6 @@ jobs:
     needs: build-unsigned-snapshot
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
     strategy:
       matrix:
         container:
@@ -678,7 +661,6 @@ jobs:
     runs-on: ubuntu-22.04
     needs: build-unsigned-snapshot
     permissions:
-      id-token: write
       contents: write # Needed for pushing benchmark results to github branch
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -725,7 +707,6 @@ jobs:
     name: Load Tests
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     permissions:
-      id-token: write
       contents: write # Needed for pushing benchmark results to github branch
     runs-on: ubuntu-22.04
     needs: build-unsigned-snapshot

.github/workflows/release-branch.yml

@@ -45,7 +45,6 @@ on:
 
 env:
   NFPM_VERSION: 'v2.35.3'
-  GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL_PROD }}"
 
 defaults:
   run:
@@ -213,6 +212,15 @@ jobs:
         with:
           ref: ${{ inputs.releaseBranch }}
 
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/actions/az-sync
+        with:
+          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+          secrets-filter: 'artifactory'
+
       - name: Setup go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:

.github/workflows/upload-release-assets.yml

@@ -59,12 +59,21 @@ jobs:
         with:
           ref: ${{ inputs.releaseBranch }}
 
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/actions/az-sync
+        with:
+          az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+          az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+          az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+          secrets-filter: 'nginx-pkg'
+
       - name: Download Packages
         run:
           |
           echo "Checking Packages in ${{inputs.pkgRepo}}/nginx-agent"
-          echo "${{secrets.PUBTEST_CERT}}" > pubtest.crt
-          echo "${{secrets.PUBTEST_KEY}}" > pubtest.key
+          echo "${{ env.nginx-pkg-certificate }}" > pubtest.crt
+          echo "${{ env.nginx-pkg-key }}" > pubtest.key
 
           DL=1 PKG_REPO=${{inputs.pkgRepo}} \
           CERT=pubtest.crt KEY=pubtest.key \
@@ -73,7 +82,7 @@ jobs:
       - name: GitHub Upload
         if: ${{ needs.vars.outputs.github_release == 'true' }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
         # clobber overwrites existing assets of the same name
         run: |
           gh release list
@@ -92,16 +101,18 @@ jobs:
         with:
           inlineScript: |
             echo "Uploading tarball... nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz"
-            az storage blob upload --auth-mode=login -f "${{ inputs.pkgRepo }}/nginx-agent/nginx-agent.tar.gz" \
+            az storage blob upload --auth-mode=login \
+              -f "${{ inputs.pkgRepo }}/nginx-agent/nginx-agent.tar.gz" \
               -c ${{ secrets.AZURE_CONTAINER_NAME }} \
-              --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz
+              --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} \
+              --overwrite -n nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz
             
             echo "Uploading packages..."
             for i in $(find ${{ inputs.pkgRepo }}/nginx-agent | grep -e "nginx-agent[_-]${{ inputs.pkgVersion }}"); do
               dest="nginx-agent/release-${{ inputs.pkgVersion }}/${i##*/}"
               echo "Uploading ${i} to ${dest}"
               az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \
-              --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n ${dest}
+                --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n ${dest}
             done
 
       - name: Azure Logout

.github/workflows/vulncheck.yml

@@ -28,7 +28,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
             fetch-depth: 0
-            ref: ${{ inputs.targetBranch || 'main' }}
+            ref: ${{ inputs.target-branch || 'main' }}
 
       - name: Check Go version
         id: get-go-version