Merge branch 'add-read-only-file-plugin' into allow-second-credential-watcher

Author: aphralG

.github/workflows/release-branch.yml

@@ -28,7 +28,7 @@ on:
         default: false
         type: boolean
       createPullRequest:
-        description: 'Create pull request back into v3'
+        description: 'Create pull request back into main'
         default: false
         type: boolean
       releaseBranch:
@@ -262,23 +262,6 @@ jobs:
           echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE}
           make package
 
-      - name: Azure Login
-        if: ${{ inputs.uploadAzure == true }}
-        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
-        with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
-
-      - name: Azure Upload Release Packages
-        if: ${{ inputs.uploadAzure == true }}
-        uses: azure/CLI@965c8d7571d2231a54e321ddd07f7b10317f34d9 # v2.0.0
-        with:
-          inlineScript: |
-            for i in ./build/azure/packages/nginx-agent*; do
-              echo "Uploading ${i} to nginx-agent/${GITHUB_REF##*/}/${i##*/}"
-              az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \
-              --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n nginx-agent/${GITHUB_REF##*/}/${i##*/}
-            done
-
       - name: Install GPG tools
         if: ${{ inputs.publishPackages == true }}
         run: |
@@ -302,34 +285,9 @@ jobs:
         run: |
           make release
 
-      - name: Upload Release Assets
-        if: ${{ needs.vars.outputs.github_release == 'true' }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        # clobber overwrites existing assets of the same name
-        run: |
-          gh release upload --clobber v${{ inputs.packageVersion }} \
-            $(find ./build/github/packages -type f \( -name "*.deb" -o -name "*.rpm" -o -name "*.pkg" -o -name "*.apk" \))
-
-      - name: Publish Github Release
-        if: ${{ needs.vars.outputs.github_release == 'true' }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            const {RELEASE_ID} = process.env
-            const release = (await github.rest.repos.updateRelease({
-              owner: context.payload.repository.owner.login,
-              repo: context.payload.repository.name,
-              release_id: `${RELEASE_ID}`,
-              draft: false,
-            }))
-            console.log(`Release published: ${release.data.html_url}`)
-        env:
-          RELEASE_ID: ${{ needs.release-draft.outputs.release_id }}
-
   merge-release:
     if: ${{ needs.vars.outputs.create_pull_request == 'true' }}
-    name: Merge release branch back into V3 branch
+    name: Merge release branch back into main branch
     runs-on: ubuntu-22.04
     needs: [vars,tag-release]
     permissions:
@@ -346,11 +304,11 @@ jobs:
           script: |
             const { repo, owner } = context.repo;
             const result = await github.rest.pulls.create({
-              title: 'Merge ${{ github.ref_name }} back into v3',
+              title: 'Merge ${{ github.ref_name }} back into main',
               owner,
               repo,
               head: '${{ github.ref_name }}',
-              base: 'v3',
+              base: 'main',
               body: [
                 'This PR is auto-generated by the release workflow.'
               ].join('\n')

.github/workflows/upload-release-assets.yml

@@ -0,0 +1,102 @@
+name: Publish Release packages
+
+on:
+  workflow_dispatch:
+    inputs:
+      pkgRepo:
+        description: "Source repository to pull packages from"
+        type: string
+        default: ""
+      pkgVersion:
+        description: 'Agent version'
+        type: string
+        default: ""
+      uploadAzure:
+        description: 'Publish packages Azure storage'
+        type: boolean
+        default: false
+      uploadGithub:
+        description: 'Publish packages to GitHub release'
+        type: boolean
+        default: false
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  vars:
+    name: Set workflow variables
+    runs-on: ubuntu-22.04
+    outputs:
+      github_release: ${{steps.vars.outputs.github_release }}
+      upload_azure: ${{steps.vars.outputs.upload_azure }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ inputs.releaseBranch }}
+
+      - name: Set variables
+        id: vars
+        run: |
+          echo "github_release=${{ inputs.uploadGithub }}" >> $GITHUB_OUTPUT
+          echo "upload_azure=${{ inputs.uploadAzure }}" >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
+
+  upload-release-assets:
+    name: Upload assets
+    runs-on: ubuntu-22.04
+    needs: [vars]
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ inputs.releaseBranch }}
+
+      - name: Azure Login
+        if: ${{ inputs.uploadAzure == true }}
+        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Download Packages
+        run:
+          |
+          echo "Checking Packages in ${{inputs.pkgRepo}}/nginx-agent"
+          PKG_REPO=${{inputs.pkgRepo}} CERT=${{secrets.PUBTEST_CERT}} KEY=${{secrets.PUBTEST_KEY}} DL=1 scripts/packages/package-check.sh ${{inputs.pkgVersion}}
+          find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"
+
+      - name: Azure Upload Release Packages
+        if: ${{ inputs.uploadAzure == true }}
+        uses: azure/CLI@965c8d7571d2231a54e321ddd07f7b10317f34d9 # v2.0.0
+        with:
+          inlineScript: |
+            for i in $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"); do
+              dest="nginx-agent/${GITHUB_REF##*/}/${i##*/}"
+              if [[ "$i" == *.apk ]]; then
+                ver=$(echo "$i" | grep -o -e "v[0-9]*\.[0-9]*")
+                arch=$(echo "$i" | grep -o -F -e "x86_64" -e "aarch64")
+                dest="nginx-agent/${GITHUB_REF##*/}/nginx-agent-$VER-$ver-$arch.apk"
+              fi
+              echo "Uploading ${i} to ${dest}"
+              az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \
+              --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n ${dest}
+            done
+
+      - name: Azure Logout
+        run: |
+          az logout
+        if: always()
+
+      - name: GitHub Upload Release Assets
+        if: ${{ needs.vars.outputs.github_release == 'true' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        # clobber overwrites existing assets of the same name
+        run: |
+          gh release upload --clobber v${{ inputs.pkgVersion }} \
+            $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}")

go.mod

@@ -2,7 +2,7 @@ module github.com/nginx/agent/v3
 
 go 1.23.7
 
-toolchain go1.23.8
+toolchain go1.23.10
 
 require (
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.4-20250130201111-63bb56e20495.1

internal/command/command_plugin.go

@@ -10,6 +10,8 @@ import (
 	"log/slog"
 	"sync"
 
+	"github.com/nginx/agent/v3/internal/model"
+
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	mpi "github.com/nginx/agent/v3/api/grpc/mpi/v1"
@@ -25,17 +27,6 @@ var _ bus.Plugin = (*CommandPlugin)(nil)
 
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6@v6.8.1 -generate
 //counterfeiter:generate . commandService
-type ServerType int
-
-const (
-	Command ServerType = iota
-	Auxiliary
-)
-
-var serverType = map[ServerType]string{
-	Command:   "command",
-	Auxiliary: "auxiliary",
-}
 
 type (
 	commandService interface {
@@ -55,13 +46,13 @@ type (
 		conn              grpc.GrpcConnectionInterface
 		commandService    commandService
 		subscribeChannel  chan *mpi.ManagementPlaneRequest
-		commandServerType ServerType
+		commandServerType model.ServerType
 		subscribeMutex    sync.Mutex
 	}
 )
 
 func NewCommandPlugin(agentConfig *config.Config, grpcConnection grpc.GrpcConnectionInterface,
-	commandServerType ServerType,
+	commandServerType model.ServerType,
 ) *CommandPlugin {
 	return &CommandPlugin{
 		config:            agentConfig,
@@ -256,7 +247,7 @@ func (cp *CommandPlugin) monitorSubscribeChannel(ctx context.Context) {
 				slog.InfoContext(ctx, "Received management plane config upload request")
 				cp.handleConfigUploadRequest(newCtx, message)
 			case *mpi.ManagementPlaneRequest_ConfigApplyRequest:
-				if cp.commandServerType != Command {
+				if cp.commandServerType != model.Command {
 					slog.WarnContext(newCtx, "Auxiliary command server can not perform config apply",
 						"command_server_type", cp.commandServerType.String())
 					cp.handleInvalidRequest(newCtx, message)
@@ -269,7 +260,7 @@ func (cp *CommandPlugin) monitorSubscribeChannel(ctx context.Context) {
 				slog.InfoContext(ctx, "Received management plane health request")
 				cp.handleHealthRequest(newCtx)
 			case *mpi.ManagementPlaneRequest_ActionRequest:
-				if cp.commandServerType != Command {
+				if cp.commandServerType != model.Command {
 					slog.WarnContext(newCtx, "Auxiliary command server can not perform api action",
 						"command_server_type", cp.commandServerType.String())
 					cp.handleInvalidRequest(newCtx, message)
@@ -395,7 +386,3 @@ func (cp *CommandPlugin) createDataPlaneResponse(correlationID string, status mp
 		},
 	}
 }
-
-func (s ServerType) String() string {
-	return serverType[s]
-}

internal/command/command_plugin_test.go

@@ -11,6 +11,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/nginx/agent/v3/internal/model"
+
 	pkg "github.com/nginx/agent/v3/pkg/config"
 	"github.com/nginx/agent/v3/pkg/id"
 
@@ -32,14 +34,14 @@ import (
 )
 
 func TestCommandPlugin_Info(t *testing.T) {
-	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, Command)
+	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, model.Command)
 	info := commandPlugin.Info()
 
 	assert.Equal(t, "command", info.Name)
 }
 
 func TestCommandPlugin_Subscriptions(t *testing.T) {
-	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, Command)
+	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, model.Command)
 	subscriptions := commandPlugin.Subscriptions()
 
 	assert.Equal(
@@ -60,7 +62,7 @@ func TestCommandPlugin_Init(t *testing.T) {
 	messagePipe := busfakes.NewFakeMessagePipe()
 	fakeCommandService := &commandfakes.FakeCommandService{}
 
-	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, Command)
+	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, model.Command)
 	err := commandPlugin.Init(ctx, messagePipe)
 	require.NoError(t, err)
 
@@ -79,7 +81,7 @@ func TestCommandPlugin_createConnection(t *testing.T) {
 	commandService.CreateConnectionReturns(&mpi.CreateConnectionResponse{}, nil)
 	messagePipe := busfakes.NewFakeMessagePipe()
 
-	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, Command)
+	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, model.Command)
 	err := commandPlugin.Init(ctx, messagePipe)
 	commandPlugin.commandService = commandService
 	require.NoError(t, err)
@@ -111,7 +113,7 @@ func TestCommandPlugin_Process(t *testing.T) {
 	messagePipe := busfakes.NewFakeMessagePipe()
 	fakeCommandService := &commandfakes.FakeCommandService{}
 
-	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, Command)
+	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, model.Command)
 	err := commandPlugin.Init(ctx, messagePipe)
 	require.NoError(t, err)
 	defer commandPlugin.Close(ctx)
@@ -219,7 +221,7 @@ func TestCommandPlugin_monitorSubscribeChannel(t *testing.T) {
 
 			agentConfig := types.AgentConfig()
 			agentConfig.Features = test.configFeatures
-			commandPlugin := NewCommandPlugin(agentConfig, &grpcfakes.FakeGrpcConnectionInterface{}, Command)
+			commandPlugin := NewCommandPlugin(agentConfig, &grpcfakes.FakeGrpcConnectionInterface{}, model.Command)
 			err := commandPlugin.Init(ctx, messagePipe)
 			require.NoError(tt, err)
 			defer commandPlugin.Close(ctx)
@@ -319,7 +321,7 @@ func TestCommandPlugin_FeatureDisabled(t *testing.T) {
 
 			agentConfig.Features = test.configFeatures
 
-			commandPlugin := NewCommandPlugin(agentConfig, &grpcfakes.FakeGrpcConnectionInterface{}, Command)
+			commandPlugin := NewCommandPlugin(agentConfig, &grpcfakes.FakeGrpcConnectionInterface{}, model.Command)
 			err := commandPlugin.Init(ctx, messagePipe)
 			commandPlugin.commandService = fakeCommandService
 			require.NoError(tt, err)
@@ -344,7 +346,7 @@ func TestMonitorSubscribeChannel(t *testing.T) {
 	logBuf := &bytes.Buffer{}
 	stub.StubLoggerWith(logBuf)
 
-	cp := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, Command)
+	cp := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, model.Command)
 	cp.subscribeCancel = cncl
 
 	message := protos.CreateManagementPlaneRequest()
@@ -383,7 +385,7 @@ func Test_createDataPlaneResponse(t *testing.T) {
 			Error:   "",
 		},
 	}
-	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, Command)
+	commandPlugin := NewCommandPlugin(types.AgentConfig(), &grpcfakes.FakeGrpcConnectionInterface{}, model.Command)
 	result := commandPlugin.createDataPlaneResponse(expected.GetMessageMeta().GetCorrelationId(),
 		expected.GetCommandResponse().GetStatus(),
 		expected.GetCommandResponse().GetMessage(), expected.GetCommandResponse().GetError())