nginx · aphralG · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
@@ -0,0 +1,64 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+    az_client_id:
+        description: 'Azure Client ID'
+        required: true
+    az_tenant_id:
+        description: 'Azure Tenant ID'
+        required: true
+    az_subscription_id:
+        description: 'Azure Subscription ID'
+        required: true
+    keyvault:
+        description: 'Azure Key Vault name'
+        required: true
+    secrets-filter:
+        description: 'Filter for secrets to sync (comma-separated patterns)'
+        required: true
+        default: '*'
+runs:
+    using: "composite"
+    steps:
+        - name: Azure login
+          uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+          with:
+              client-id: ${{ inputs.az_client_id }}
+              tenant-id: ${{ inputs.az_tenant_id }}
+              subscription-id: ${{ inputs.az_subscription_id }}
+
+        - name: Sync
+          shell: bash
+          run: |
+              IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+                for pattern in "${array[@]}"; do
+                  echo "Processing pattern: $pattern"
+                  for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do
+                    secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv)
+                    # check if value is multiline
+                    if [[ "$secret_value" == *$'\n'* ]]; then
+                      # Mask each line for multiline secrets
+                      while IFS= read -r line; do
+                      [[ -n "$line" ]] && echo "::add-mask::${line}"
+                      done <<< "$secret_value"
+
+                      # Use heredoc syntax for multiline environment variables
+                      delimiter="EOF_${secret_name}_$(date +%s)"
+                      {
+                        echo "${secret_name}<<${delimiter}"
+                        echo "$secret_value"
+                        echo "$delimiter"
+                      } >> $GITHUB_ENV
+                    else
+                      echo "::add-mask::${secret_value}"
+                      echo "$secret_name=$secret_value" >> $GITHUB_ENV
+                    fi
+                    echo "Synced secret: env.$secret_name"
+                  done
+                done
+
+        - name: Azure logout
+          shell: bash
+          run: |
+              az logout
@@ -21,6 +21,14 @@ jobs:
           go-version-file: 'go.mod'
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       - run: npm install semver@7.6.2
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/actions/az-sync
+        with:
+            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+            keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+            secrets-filter: 'artifactory'
       - name: Setup build environment
         run: |
           if [ "${{ env.ACT }}" = "true" ]; then
@@ -51,11 +59,7 @@ jobs:
           build-args: |
             package_type=signed-package
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
       - name: Azure Login
         uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0

@@ -298,6 +298,14 @@ jobs:
           - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
             with:
                 go-version-file: 'go.mod'
+          - name: Get Secrets from Azure Key Vault
+            uses: ./.github/actions/az-sync
+            with:
+                  az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+                  az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+                  az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+                  keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+                  secrets-filter: 'artifactory'
           - name: Download Packages
             uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
             with:
@@ -306,9 +314,9 @@ jobs:
           - name: Login to Docker Registry
             uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
             with:
-                registry: ${{ secrets.TEST_REGISTRY_URL }}
-                username: ${{ secrets.REGISTRY_USERNAME }}
-                password: ${{ secrets.REGISTRY_PASSWORD }}
+                registry: ${{ env.nginx-private-registry-url }}
+                username: ${{ env.nginx-pkg-jwt }}
+                password: "none"
           - name: Set Start Time
             run: echo "START_TIME=$(date +"%Y-%m-%dT%H:%M:%S.%NZ")" >> ${GITHUB_ENV}
           - name: Create Directory
@@ -320,8 +328,9 @@ jobs:
           - name: Run Integration Tests
             run: |
                 go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }}
-                CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
+                CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
                 OS_RELEASE="${{ matrix.container.release }}" IMAGE_PATH="${{ matrix.container.path }}" \
+                 NGINX_LICENSE_JWT='${{ env.nginx-pkg-jwt }}' \
                   make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/raw_logs.log && exit "${PIPESTATUS[0]}"
           - name: Generate Test Results
             if: always()
@@ -349,6 +358,14 @@ jobs:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Docker Build
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/actions/az-sync
+        with:
+              az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+              az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+              az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+              keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+              secrets-filter: 'artifactory'
       - name: Build Docker Image
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
@@ -359,8 +376,8 @@ jobs:
           load: true
           no-cache: true
           secrets: |
-            "nginx-crt=${{ secrets.NGINX_CRT }}"
-            "nginx-key=${{ secrets.NGINX_KEY }}"
+            "nginx-crt=${{ env.nginx-pkg-certificate }}"
+            "nginx-key=${{ env.nginx-pkg-key }}"
       - name: Run Performance Tests
         run: docker run -v ${GITHUB_WORKSPACE}:/home/nginx/ --rm nginx-agent-benchmark:1.0.0
 
@@ -375,6 +392,14 @@ jobs:
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: 'go.mod'
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/actions/az-sync
+        with:
+            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+            keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+            secrets-filter: 'artifactory'
       - name: Setup build environment
         run: |
           sudo apt-get update
@@ -394,11 +419,7 @@ jobs:
           build-args: |
             package_type=signed-package
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
       - name: Upload Artifacts
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3

@@ -47,5 +47,5 @@ jobs:
           # Do not lock PRs after a merge.
           lock-pullrequest-aftermerge: false
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
@@ -18,4 +18,4 @@ jobs:
         with:
           disable-releaser: true
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
@@ -47,7 +47,14 @@ jobs:
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: 'go.mod'
-
+      - name: Get Secrets from Azure Key Vault
+        uses: ./.github/actions/az-sync
+        with:
+            az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+            az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+            az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+            keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+            secrets-filter: 'artifactory'
       - name: Create Draft Release
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: release
@@ -165,11 +172,7 @@ jobs:
             package_type=signed-package
 
       - name: Build Packages
-        env:
-          INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
-          NFPM_SIGNING_KEY_FILE: .key.asc
         run: |
-          echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
           make clean package
 
       - name: Get Id Token

@@ -41,7 +41,7 @@ $(GITHUB_PACKAGES_DIR):
 $(AZURE_PACKAGES_DIR):
 	@mkdir -p $(AZURE_PACKAGES_DIR)
 
-package: gpg-key $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
+package: $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
 	# Create deb packages
 
 	@for arch in $(DEB_ARCHS); do \

@@ -18,9 +18,6 @@
     - [AgentConnectStatus.StatusCode](#f5-nginx-agent-sdk-AgentConnectStatus-StatusCode)
     - [AgentLogging.Level](#f5-nginx-agent-sdk-AgentLogging-Level)
 
-- [command_svc.proto](#command_svc-proto)
-    - [Commander](#f5-nginx-agent-sdk-Commander)
-
 - [command.proto](#command-proto)
     - [AgentActivityStatus](#f5-nginx-agent-sdk-AgentActivityStatus)
     - [ChunkedResourceChunk](#f5-nginx-agent-sdk-ChunkedResourceChunk)
@@ -42,6 +39,9 @@
     - [NginxConfigStatus.Status](#f5-nginx-agent-sdk-NginxConfigStatus-Status)
     - [UploadStatus.TransferStatus](#f5-nginx-agent-sdk-UploadStatus-TransferStatus)
 
+- [command_svc.proto](#command_svc-proto)
+    - [Commander](#f5-nginx-agent-sdk-Commander)
+
 - [common.proto](#common-proto)
     - [CertificateDates](#f5-nginx-agent-sdk-CertificateDates)
     - [CertificateName](#f5-nginx-agent-sdk-CertificateName)
@@ -341,34 +341,6 @@ Log level enum
 
 
 
-<a name="command_svc-proto"></a>
-<p align="right"><a href="#top">Top</a></p>
-
-## command_svc.proto
-
-
-
-
-
-
-
-
-
-<a name="f5-nginx-agent-sdk-Commander"></a>
-
-### Commander
-Represents a service used to sent command messages between the management server and the agent.
-
-| Method Name | Request Type | Response Type | Description |
-| ----------- | ------------ | ------------- | ------------|
-| CommandChannel | [Command](#f5-nginx-agent-sdk-Command) stream | [Command](#f5-nginx-agent-sdk-Command) stream | A Bidirectional streaming RPC established by the agent and is kept open |
-| Download | [DownloadRequest](#f5-nginx-agent-sdk-DownloadRequest) | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | A streaming RPC established by the agent and is used to download resources associated with commands The download stream will be kept open for the duration of the data transfer and will be closed when its done. The transfer is a stream of chunks as follows: header -&gt; data chunk 1 -&gt; data chunk N. Each data chunk is of a size smaller than the maximum gRPC payload |
-| Upload | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | [UploadStatus](#f5-nginx-agent-sdk-UploadStatus) | A streaming RPC established by the agent and is used to upload resources associated with commands |
-
-
-
-
-
 <a name="command-proto"></a>
 <p align="right"><a href="#top">Top</a></p>
 
@@ -680,6 +652,34 @@ Transfer status enum
 
 
 
+<a name="command_svc-proto"></a>
+<p align="right"><a href="#top">Top</a></p>
+
+## command_svc.proto
+
+
+
+
+
+
+
+
+
+<a name="f5-nginx-agent-sdk-Commander"></a>
+
+### Commander
+Represents a service used to sent command messages between the management server and the agent.
+
+| Method Name | Request Type | Response Type | Description |
+| ----------- | ------------ | ------------- | ------------|
+| CommandChannel | [Command](#f5-nginx-agent-sdk-Command) stream | [Command](#f5-nginx-agent-sdk-Command) stream | A Bidirectional streaming RPC established by the agent and is kept open |
+| Download | [DownloadRequest](#f5-nginx-agent-sdk-DownloadRequest) | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | A streaming RPC established by the agent and is used to download resources associated with commands The download stream will be kept open for the duration of the data transfer and will be closed when its done. The transfer is a stream of chunks as follows: header -&gt; data chunk 1 -&gt; data chunk N. Each data chunk is of a size smaller than the maximum gRPC payload |
+| Upload | [DataChunk](#f5-nginx-agent-sdk-DataChunk) stream | [UploadStatus](#f5-nginx-agent-sdk-UploadStatus) | A streaming RPC established by the agent and is used to upload resources associated with commands |
+
+
+
+
+
 <a name="common-proto"></a>
 <p align="right"><a href="#top">Top</a></p>