[CI] add az-sync github action to handle secrets

.github/actions/az-sync/action.yml

@@ -0,0 +1,64 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+  az_client_id:
+    description: 'Azure Client ID'
+    required: true
+  az_tenant_id:
+    description: 'Azure Tenant ID'
+    required: true
+  az_subscription_id:
+    description: 'Azure Subscription ID'
+    required: true
+  keyvault:
+    description: 'Azure Key Vault name'
+    required: true
+  secrets-filter:
+    description: 'Filter for secrets to sync (comma-separated patterns)'
+    required: true
+    default: '*'
+runs:
+  using: "composite"
+  steps:
+    - name: Azure login
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      with:
+        client-id: ${{ inputs.az_client_id }}
+        tenant-id: ${{ inputs.az_tenant_id }}
+        subscription-id: ${{ inputs.az_subscription_id }}
+
+    - name: Sync
+      shell: bash
+      run: |
+        IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+          for pattern in "${array[@]}"; do
+            echo "Processing pattern: $pattern"
+            for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do
+              secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv)
+              # check if value is multiline
+              if [[ "$secret_value" == *$'\n'* ]]; then
+                # Mask each line for multiline secrets
+                while IFS= read -r line; do
+                [[ -n "$line" ]] && echo "::add-mask::${line}"
+                done <<< "$secret_value"
+
+                # Use heredoc syntax for multiline environment variables
+                delimiter="EOF_${secret_name}_$(date +%s)"
+                {
+                  echo "${secret_name}<<${delimiter}"
+                  echo "$secret_value"
+                  echo "$delimiter"
+                } >> $GITHUB_ENV
+              else
+                echo "::add-mask::${secret_value}"
+                echo "$secret_name=$secret_value" >> $GITHUB_ENV
+              fi
+              echo "Synced secret: env.$secret_name"
+            done
+          done
+
+    - name: Azure logout
+      shell: bash
+      run: |
+        az logout

.github/actions/configure-goproxy/action.yml

@@ -1,36 +1,23 @@
 name: configure-goproxy
 author: s.breen
-description: Sets the current Go module proxy based on the presence of a private proxy URL in secrets
-inputs:
-  user:
-    description: Artifactory username secret name
-    required: false
-    default: ""
-  token:
-    description: Artifactory token secret name
-    required: false
-    default: ""
-  url:
-    description: Artifactory URL
-    required: false
-    default: ""
+description: Sets the current Go module proxy based on the presence of a private proxy URL in environment variables.
 runs:
   using: 'composite'
   steps:
     - name: Configure Go Proxy
       id: configure-goproxy
       shell: bash
       run: |
-        if [[ -z "${{ inputs.user }}" ]] || \
-        [[ -z "${{ inputs.token }}" ]] || \
-        [[ -z "${{ inputs.url }}" ]] || \
+        if [[ -z "${{ env.artifactory-user }}" ]] || \
+        [[ -z "${{ env.artifactory-token }}" ]] || \
+        [[ -z "${{ env.artifactory-url-dev }}" ]] || \
         [[ "${{ github.event.pull_request.head.repo.fork }}" == 'true' ]] ||
         [[ "${{ startsWith(github.head_ref, 'dependabot-')}}" == 'true' ]] ; then
           echo "No Artifactory secrets available - using direct GOPROXY"
           GOPROXY_VALUE="direct"
         else
           echo "Development mode - using dev Artifactory"
-          GOPROXY_VALUE="https://${{ inputs.user }}:${{ inputs.token }}@${{ inputs.url }}"
+          GOPROXY_VALUE="https://${{ env.artifactory-user }}:${{ env.artifactory-token }}@${{ env.artifactory-url-dev }}"
         fi
         echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
 

.github/workflows/assertion.yml

@@ -16,28 +16,6 @@ on:
         type: boolean
         required: false
         default: false
-  workflow_call:
-    inputs:
-      packageVersion:
-        description: 'Agent version'
-        type: string
-        required: true
-      runId:
-        description: 'Run ID of the workflow that built the artifacts'
-        type: string
-        required: false
-      signAssertion:
-        description: 'Sign and store the assertion document'
-        type: boolean
-        required: false
-        default: false
-    secrets:
-      ARTIFACTORY_USER:
-        required: true
-      ARTIFACTORY_TOKEN:
-        required: true
-      ARTIFACTORY_URL:
-        required: true
 
 permissions:
   contents: read
@@ -48,23 +26,15 @@ jobs:
     runs-on: ubuntu-22.04
     if: ${{ !github.event.pull_request.head.repo.fork }}
     permissions:
-      id-token: write
-      contents: read
-    env:
-      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL }}"
+      id-token: write # for OIDC authentication
+      contents: read # Needed to download artifacts
     strategy:
       matrix:
         osarch: [amd64, arm64]
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
-      - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
-        with:
-          go-version-file: 'go.mod'
-          cache: false
-
       - name: Download nginx-agent binary artifacts
         if: ${{ inputs.runId != '' }}
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # 7.0.0
@@ -97,9 +67,9 @@ jobs:
           builder-id: 'github.com'
           builder-version: '${{env.GO_VERSION}}_test'
           invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
-          artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
-          artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
-          artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
+          artifactory-user: ${{ env.artifactory-user }}
+          artifactory-api-token: ${{ env.artifactory-token }}
+          artifactory-url: ${{ env.artifactory-url }}
           artifactory-repo: 'f5-nginx-go-local-approved-dependency'
           assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json
           build-content-path: ${{ env.goversionm }}