1-
21name : Generate and Sign Assertion Document
32
43on :
54 workflow_dispatch :
65 inputs :
7- branch :
6+ packageVersion :
7+ description : ' Agent version'
8+ type : string
9+ required : true
10+ runId :
11+ description : ' Run ID of the workflow that built the artifacts'
12+ type : string
13+ required : true
14+ signAssertion :
15+ description : ' Sign and store the assertion document'
16+ type : boolean
17+ required : false
18+ default : false
19+ workflow_call :
20+ inputs :
21+ packageVersion :
22+ description : ' Agent version'
823 type : string
9- description : " The branch to run the assertion workflow on"
24+ required : true
25+ runId :
26+ description : ' Run ID of the workflow that built the artifacts'
27+ type : string
28+ required : false
29+ signAssertion :
30+ description : ' Sign and store the assertion document'
31+ type : boolean
1032 required : false
11- default : main
33+ default : false
34+ secrets :
35+ ARTIFACTORY_USER :
36+ required : true
37+ ARTIFACTORY_TOKEN :
38+ required : true
39+ ARTIFACTORY_URL :
40+ required : true
1241
1342jobs :
1443 build-assertion-document :
15- name : Build and Generate Assertion Document
44+ name : Create Assertion Document
1645 runs-on : ubuntu-22.04
1746 if : ${{ !github.event.pull_request.head.repo.fork }}
1847 permissions :
1948 id-token : write
2049 contents : read
2150 env :
22- GOPROXY : " https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency"
23- outputs :
24- agent_binary : ${{ steps.check_binary.outputs.agent_binary }}
25- goversionm : ${{ steps.godeps.outputs.goversionm }}
26- assertion_document : ${{ steps.assertiondoc.outputs.assertion-document-path }}
51+ GOPROXY : " https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL }}"
2752 strategy :
28- matrix :
29- osarch : [amd64, arm64]
53+ matrix :
54+ osarch : [amd64, arm64]
3055 steps :
31- - uses : actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
56+ - name : Checkout Repository
57+ uses : actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
3258
3359 - name : Set up Go
3460 uses : actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
3561 with :
36- go-version-file : go.mod
62+ go-version-file : ' go.mod'
3763 cache : false
3864
65+ - name : Download nginx-agent binary artifacts
66+ if : ${{ inputs.runId != '' }}
67+ uses : actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0
68+ with :
69+ name : nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }}
70+ path : binaries
71+ run-id : ${{ inputs.runId }}
72+ github-token : ${{ github.token }}
73+
3974 - name : Gather build dependencies
4075 id : godeps
4176 run : |
42- if [ -z ${{inputs.branch}} ]; then
43- echo "No branch input provided, using current branch: $GITHUB_REF_NAME"
44- else
45- echo "Checking out branch: ${{inputs.branch}}"
46- git checkout ${{inputs.branch}}
47- fi
48- echo "Current branch: $GITHUB_REF_NAME"
49- echo "branch_name=$GITHUB_REF_NAME" >> $GITHUB_ENV
50- GO_VERSION=$(go version | awk '{print $3}' | sed 's/go//')
51- echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
52- echo "GO_VERSION=$GO_VERSION"
53- echo "time_start=$(date +%s)" >> $GITHUB_ENV
54- OSARCH=${{matrix.osarch}} make build
55- echo "time_end=$(date +%s)" >> $GITHUB_ENV
56- echo "Build time: $((time_end - time_start)) seconds"
57-
58- echo "Getting sha256sum of the built nginx-agent binary..."
59- echo "agent-digest=$(sha256sum build/nginx-agent | awk '{print $1}')" >> $GITHUB_ENV
60-
77+ ls -la binaries
78+ echo "agent_digest=$(cat binaries/nginx-agent.sha256)" >> $GITHUB_ENV
79+ echo "agent_buildstart=$(cat binaries/nginx-agent.buildstart)" >> $GITHUB_ENV
80+ echo "agent_buildend=$(cat binaries/nginx-agent.buildend)" >> $GITHUB_ENV
81+
6182 echo "Checking dependencies..."
62- go version -m build /nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt
83+ go version -m binaries /nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt
6384 ls -l goversionm_*.txt
6485 echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV
6586
6687 - name : Generate Assertion Document
6788 id : assertiondoc
6889 uses : nginxinc/compliance-rules/.github/actions/assertion@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
6990 with :
70- artifact-name : nginx-agent_${{ env.branch_name }}_${{ matrix.osarch }}
91+ artifact-name : nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}
7192 artifact-digest : ${{ env.agent-digest }}
7293 build-type : ' github'
7394 builder-id : ' github.com'
@@ -77,13 +98,14 @@ jobs:
7798 artifactory-api-token : ${{ secrets.ARTIFACTORY_TOKEN }}
7899 artifactory-url : ${{ secrets.ARTIFACTORY_URL }}
79100 artifactory-repo : ' f5-nginx-go-local-approved-dependency'
80- assertion-doc-file : assertion_nginx-agent_${{env.branch_name }}_${{matrix.osarch}}.json
101+ assertion-doc-file : assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json
81102 build-content-path : ${{ env.goversionm }}
82- started-on : ' ${{ env.time_start }}'
83- finished-on : ' ${{ env.time_end }}'
103+ started-on : ' ${{ env.agent_buildstart }}'
104+ finished-on : ' ${{ env.agent_buildend }}'
84105
85106 - name : Sign and Store Assertion Document
86107 id : sign
108+ if : ${{ inputs.signAssertion == true }}
87109 uses : nginxinc/compliance-rules/.github/actions/sign@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
88110 with :
89111 assertion-doc : ${{ steps.assertiondoc.outputs.assertion-document-path }}
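Review bot: In the first hunk the rewritten "Gather build dependencies" step exports `agent_digest` (underscore), but the unchanged `artifact-digest: ${{ env.agent-digest }}` input of "Generate Assertion Document" still reads the hyphenated name, whose only visible writer this commit removes. As far as the page shows, the assertion document would be generated, and optionally signed, with an empty digest; the input should become `artifact-digest: ${{ env.agent_digest }}`. The digest and build times now come from sidecar files in the downloaded artifact instead of being computed in this job, so the step should recompute `sha256sum binaries/nginx-agent` and fail if it differs from `nginx-agent.sha256`. Each value should also be checked to be a single line of the expected form before it is appended to `$GITHUB_ENV`, because a multi-line file would define extra environment variables for the later steps. `runId` is optional under `workflow_call` and an empty value skips the download step, so an explicit early failure with a clear message is preferable to relying on `ls -la binaries` to fail.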