
Commit b434b73

committed
fix secrets
1 parent 2a390ac commit b434b73


7 files changed

+39
-29
lines changed


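--- a/.github/workflows/azure-upload.yml
+++ b/.github/workflows/azure-upload.yml
@@ -51,9 +51,6 @@ jobs:
 build-args: |
 package_type=signed-package
 - name: Build Packages
-env:
-INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-NFPM_SIGNING_KEY_FILE: .key.asc
 run: |
 echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
 make clean package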

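--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -303,12 +303,32 @@ jobs:
 with:
 name: nginx-agent-unsigned-snapshots
 path: build
+
+- name: Get Secrets from Agent Key Vault
+uses: ./.github/actions/az-sync
+with:
+az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+secrets-filter: 'artifactory'
+
+- name: Sync Secrets from Common Key Vault
+uses: ./.github/actions/az-sync
+with:
+az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+secrets-filter: 'docker,nginx-private-registry,nginx-pkg'
+
 - name: Login to Docker Registry
-uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
-registry: ${{ secrets.TEST_REGISTRY_URL }}
-username: ${{ secrets.REGISTRY_USERNAME }}
-password: ${{ secrets.REGISTRY_PASSWORD }}
+registry: ${{ env.nginx-private-registry-url }}
+username: ${{ env.nginx-pkg-jwt }}
+password: "none"
+
 - name: Set Start Time
 run: echo "START_TIME=$(date +"%Y-%m-%dT%H:%M:%S.%NZ")" >> ${GITHUB_ENV}
 - name: Create Directory
@@ -320,7 +340,7 @@ jobs:
 - name: Run Integration Tests
 run: |
 go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }}
-CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
+CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
 OS_RELEASE="${{ matrix.container.release }}" IMAGE_PATH="${{ matrix.container.path }}" \
 make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/raw_logs.log && exit "${PIPESTATUS[0]}"
 - name: Generate Test Results
@@ -349,6 +369,14 @@ jobs:
 - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 - name: Set up Docker Build
 uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+- name: Sync Secrets from Common Key Vault
+uses: ./.github/actions/az-sync
+with:
+az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+secrets-filter: 'nginx-pkg'
 - name: Build Docker Image
 uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
@@ -359,8 +387,8 @@ jobs:
 load: true
 no-cache: true
 secrets: |
-"nginx-crt=${{ secrets.NGINX_CRT }}"
-"nginx-key=${{ secrets.NGINX_KEY }}"
+"nginx-crt=${{ env.nginx-pkg-certificate}}"
+"nginx-key=${{ env.nginx-pkg-key }}"
 - name: Run Performance Tests
 run: docker run -v ${GITHUB_WORKSPACE}:/home/nginx/ --rm nginx-agent-benchmark:1.0.0
 
@@ -394,11 +422,7 @@ jobs:
 build-args: |
 package_type=signed-package
 - name: Build Packages
-env:
-INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-NFPM_SIGNING_KEY_FILE: .key.asc
 run: |
-echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
 make clean package
 - name: Upload Artifacts
 uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3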
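Review bot: The registry JWT, certificate and key are now read from the `env` context (`${{ env.nginx-pkg-jwt }}` at new line 329, `${{ env.nginx-pkg-certificate}}` and `${{ env.nginx-pkg-key }}` at 390–391), and values that do not come from the `secrets` context are redacted from logs only if something registers them as masked. `./.github/actions/az-sync` is not shown on this page, so it is worth confirming that it issues `::add-mask::` for every value it exports, line by line for the multi-line certificate and key. If it exports through `$GITHUB_ENV`, each value is also readable by every later step in the job, including `make official-image-integration-test`, whose output is tee'd to `raw_logs.log`; keeping each `secrets-filter` to what that job actually uses limits the exposure. I would add above the first sync step: `# az-sync must ::add-mask:: each exported value before it reaches $GITHUB_ENV`.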

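--- a/.github/workflows/f5-cla.yml
+++ b/.github/workflows/f5-cla.yml
@@ -47,5 +47,5 @@ jobs:
 # Do not lock PRs after a merge.
 lock-pullrequest-aftermerge: false
 env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GITHUB_TOKEN: ${{ github.token }}
 PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}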

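--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -18,4 +18,4 @@ jobs:
 with:
 disable-releaser: true
 env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GITHUB_TOKEN: ${{ github.token }}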

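--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -165,11 +165,7 @@ jobs:
 package_type=signed-package
 
 - name: Build Packages
-env:
-INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-NFPM_SIGNING_KEY_FILE: .key.asc
 run: |
-echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
 make clean package
 
 - name: Get Id Token
@@ -184,7 +180,7 @@ jobs:
 - name: Publish Release Packages
 if: ${{ inputs.publishPackages == true }}
 env:
-TOKEN: ${{ steps.idtoken.outputs.id_token }}
+TOKEN: ${{ github.token }}
 UPLOAD_URL: "https://up-ap.nginx.com"
 run: |
 make release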
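Review bot: `TOKEN: ${{ github.token }}` at new line 183 hands the repository's GITHUB_TOKEN to `make release`, which runs with `UPLOAD_URL: "https://up-ap.nginx.com"`, where the previous value was the OIDC token from the `idtoken` step. How the Makefile uses `TOKEN` is not visible here, but if it is sent to the upload host this gives an external service a credential that is valid against the GitHub API, and the `Get Id Token` step at line 171 is left without a consumer. Unless the upload endpoint really expects a GitHub token, keep `TOKEN: ${{ steps.idtoken.outputs.id_token }}`; an ID token is short-lived and audience-bound, which is the safer thing to send off-platform.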

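--- a/.nfpm.yaml
+++ b/.nfpm.yaml
@@ -39,15 +39,8 @@ overrides:
 depends:
 - apt-transport-https
 deb:
-signature:
-method: dpkg-sig
-key_file: ".key.asc"
 rpm:
-signature:
-key_file: ".key.asc"
 apk:
-signature:
-key_file: ".key.rsa"
 scripts:
 postupgrade: "./scripts/packages/postupgrade.sh"
 scripts: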

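--- a/Makefile.packaging
+++ b/Makefile.packaging
@@ -41,7 +41,7 @@ $(GITHUB_PACKAGES_DIR):
 $(AZURE_PACKAGES_DIR):
 @mkdir -p $(AZURE_PACKAGES_DIR)
 
-package: gpg-key $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
+package: $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
 # Create deb packages
 
 @for arch in $(DEB_ARCHS); do \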
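Review bot: Dropping `gpg-key` from the `package` prerequisites, together with the `signature:` removals in `.nfpm.yaml`, means this build no longer signs the deb, rpm and apk packages, while the workflows still pass `package_type=signed-package`. Nothing on this page shows signing moving to another stage, so consumers that verify signatures may now receive unsigned packages; if it did move, say where with a comment on the target, e.g. `# packages are signed in <signing stage>, not here`. `.github/workflows/azure-upload.yml` also keeps `echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc` after its `env:` block was removed, which now writes an empty `.key.asc`; that line should be deleted as it was in `ci.yml` and `release-branch.yml`. The `package` recipe continues past the end of this hunk.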
