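--- /dev/null
+++ b/.github/actions/az-sync/action.yml
@@ -0,0 +1,64 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+az_client_id:
+description: 'Azure Client ID'
+required: true
+az_tenant_id:
+description: 'Azure Tenant ID'
+required: true
+az_subscription_id:
+description: 'Azure Subscription ID'
+required: true
+keyvault:
+description: 'Azure Key Vault name'
+required: true
+secrets-filter:
+description: 'Filter for secrets to sync (comma-separated patterns)'
+required: true
+default: '*'
+runs:
+using: "composite"
+steps:
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ inputs.az_client_id }}
+tenant-id: ${{ inputs.az_tenant_id }}
+subscription-id: ${{ inputs.az_subscription_id }}
+
+- name: Sync
+shell: bash
+run: |
+IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+for pattern in "${array[@]}"; do
+echo "Processing pattern: $pattern"
+for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do
+secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv)
+# check if value is multiline
+if [[ "$secret_value" == *$'\n'* ]]; then
+# Mask each line for multiline secrets
+while IFS= read -r line; do
+[[ -n "$line" ]] && echo "::add-mask::${line}"
+done <<< "$secret_value"
+
+# Use heredoc syntax for multiline environment variables
+delimiter="EOF_${secret_name}_$(date +%s)"
+{
+echo "${secret_name}<<${delimiter}"
+echo "$secret_value"
+echo "$delimiter"
+} >> $GITHUB_ENV
+else
+echo "::add-mask::${secret_value}"
+echo "$secret_name=$secret_value" >> $GITHUB_ENV
+fi
+echo "Synced secret: env.$secret_name"
+done
+done
+
+- name: Azure logout
+shell: bash
+run: |
+az logout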
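Review bot: The `secrets-filter` default `'*'` on the `default:` line cannot match any secret, because the query on the `az keyvault secret list` line uses JMESPath `contains(name, '$pattern')`, a literal substring test in which an asterisk is not a wildcard; either document the input as a comma-separated list of name substrings and drop the default, or treat an empty/`*` pattern explicitly as "all". The Sync step also interpolates `${{ inputs.secrets-filter }}` and `${{ inputs.keyvault }}` straight into the bash body and runs without `set -euo pipefail`, so a failing `az keyvault secret show` silently writes an empty value to `$GITHUB_ENV`; passing the inputs through `env:` and failing fast avoids both, as sketched below. Every synced value is appended to `$GITHUB_ENV` and is therefore readable by every later step in the job, including third-party actions, which is worth stating in the action `description:`. Both `>> $GITHUB_ENV` redirects should quote the target, `>> "$GITHUB_ENV"`.
```yaml
- name: Sync
  shell: bash
  env:
    SECRETS_FILTER: ${{ inputs.secrets-filter }}
    KEYVAULT: ${{ inputs.keyvault }}
  run: |
    set -euo pipefail
    IFS=',' read -r -a array <<< "$SECRETS_FILTER"
    for pattern in "${array[@]}"; do
      echo "Processing pattern: $pattern"
      for secret_name in $(az keyvault secret list --vault-name "$KEYVAULT" --query "[?contains(name, '$pattern')].name" -o tsv); do
        secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "$KEYVAULT" --query value -o tsv)
        # … unchanged: masking and the $GITHUB_ENV export (with the redirect quoted) …
      done
    done
```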
4 changes: 0 additions & 4 deletions .github/workflows/azure-upload.yml
Expand Up @@ -51,11 +51,7 @@ jobs:
build-args: |
package_type=signed-package
- name: Build Packages
env:
INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
NFPM_SIGNING_KEY_FILE: .key.asc
run: |
echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
make clean package
- name: Azure Login
uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
50 changes: 39 additions & 11 deletions .github/workflows/ci.yml
Expand Up @@ -271,6 +271,8 @@ jobs:
name: Integration Tests - Official Plus Images
needs: build-unsigned-snapshot
runs-on: ubuntu-24.04
permissions:
id-token: write # for OIDC authentication
if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
strategy:
fail-fast: false
Expand Down Expand Up @@ -303,12 +305,32 @@ jobs:
with:
name: nginx-agent-unsigned-snapshots
path: build

- name: Get Secrets from Agent Key Vault
uses: ./.github/actions/az-sync
with:
az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
secrets-filter: 'artifactory'

- name: Sync Secrets from Common Key Vault
uses: ./.github/actions/az-sync
with:
az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
secrets-filter: 'docker,nginx-private-registry,nginx-pkg'

- name: Login to Docker Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ${{ secrets.TEST_REGISTRY_URL }}
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: ${{ env.nginx-private-registry-url }}
username: ${{ env.nginx-pkg-jwt }}
password: "none"

- name: Set Start Time
run: echo "START_TIME=$(date +"%Y-%m-%dT%H:%M:%S.%NZ")" >> ${GITHUB_ENV}
- name: Create Directory
Expand All @@ -320,7 +342,7 @@ jobs:
- name: Run Integration Tests
run: |
go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }}
CONTAINER_NGINX_IMAGE_REGISTRY="${{ secrets.TEST_REGISTRY_URL }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
OS_RELEASE="${{ matrix.container.release }}" IMAGE_PATH="${{ matrix.container.path }}" \
make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/raw_logs.log && exit "${PIPESTATUS[0]}"
- name: Generate Test Results
Expand All @@ -345,10 +367,20 @@ jobs:
name: Performance Tests
if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
runs-on: ubuntu-22.04
permissions:
id-token: write # for OIDC authentication
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Set up Docker Build
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Sync Secrets from Common Key Vault
uses: ./.github/actions/az-sync
with:
az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
secrets-filter: 'nginx-pkg'
- name: Build Docker Image
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
Expand All @@ -359,8 +391,8 @@ jobs:
load: true
no-cache: true
secrets: |
"nginx-crt=${{ secrets.NGINX_CRT }}"
"nginx-key=${{ secrets.NGINX_KEY }}"
"nginx-crt=${{ env.nginx-pkg-certificate}}"
"nginx-key=${{ env.nginx-pkg-key }}"
- name: Run Performance Tests
run: docker run -v ${GITHUB_WORKSPACE}:/home/nginx/ --rm nginx-agent-benchmark:1.0.0

Expand Down Expand Up @@ -394,11 +426,7 @@ jobs:
build-args: |
package_type=signed-package
- name: Build Packages
env:
INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
NFPM_SIGNING_KEY_FILE: .key.asc
run: |
echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
make clean package
- name: Upload Artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
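Review bot: The job-level `permissions:` blocks added to the Integration Tests and Performance Tests jobs list only `id-token: write`, and once a job declares any scope GitHub sets every unlisted scope to none, so these jobs lose the default `contents: read`; the Performance Tests job visibly runs `actions/checkout`, so it should read `permissions:` / `  contents: read` / `  id-token: write`, and the Integration Tests job likely needs the same if it checks out or fetches artifacts from another run (its steps above the hunk are not visible). The values synced into `$GITHUB_ENV` are read back with `${{ env.… }}` expressions inside `run:` scripts, e.g. the `CONTAINER_NGINX_IMAGE_REGISTRY=` line, which inlines the Key Vault value into the shell text; since hyphenated names cannot be referenced from bash, consider having the action export shell-safe names such as `NGINX_PRIVATE_REGISTRY_URL` so steps can use plain `$VAR`. `${{ env.nginx-pkg-certificate}}` lacks the closing space its sibling `${{ env.nginx-pkg-key }}` has.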
2 changes: 1 addition & 1 deletion .github/workflows/f5-cla.yml
Expand Up @@ -47,5 +47,5 @@ jobs:
# Do not lock PRs after a merge.
lock-pullrequest-aftermerge: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ github.token }}
PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
2 changes: 1 addition & 1 deletion .github/workflows/label-pr.yml
Expand Up @@ -18,4 +18,4 @@ jobs:
with:
disable-releaser: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ github.token }}
6 changes: 1 addition & 5 deletions .github/workflows/release-branch.yml
Expand Up @@ -165,11 +165,7 @@ jobs:
package_type=signed-package
- name: Build Packages
env:
INDIGO_GPG_AGENT: ${{ secrets.INDIGO_GPG_AGENT }}
NFPM_SIGNING_KEY_FILE: .key.asc
run: |
echo "$INDIGO_GPG_AGENT" | base64 --decode > .key.asc
make clean package
- name: Get Id Token
Expand All @@ -184,7 +180,7 @@ jobs:
- name: Publish Release Packages
if: ${{ inputs.publishPackages == true }}
env:
TOKEN: ${{ steps.idtoken.outputs.id_token }}
TOKEN: ${{ github.token }}
UPLOAD_URL: "https://up-ap.nginx.com"
run: |
make release
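Review bot: The `TOKEN:` line in the Publish Release Packages step now passes `${{ github.token }}` where it previously passed the OIDC id token from `steps.idtoken`; if `make release` sends `TOKEN` to `UPLOAD_URL` (`https://up-ap.nginx.com`), the workflow's `GITHUB_TOKEN` is now handed to an external host, a far broader credential than a single-audience id token, so please confirm what consumes it and that the job's `permissions:` are narrowed to match. If nothing else reads `steps.idtoken.outputs.id_token` after this change, the `Get Id Token` step that still precedes this hunk is dead and should be removed rather than left requesting a token nobody uses. The step's body and the make target are outside the hunk.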
7 changes: 0 additions & 7 deletions .nfpm.yaml
Expand Up @@ -39,15 +39,8 @@ overrides:
depends:
- apt-transport-https
deb:
signature:
method: dpkg-sig
key_file: ".key.asc"
rpm:
signature:
key_file: ".key.asc"
apk:
signature:
key_file: ".key.rsa"
scripts:
postupgrade: "./scripts/packages/postupgrade.sh"
scripts:
2 changes: 1 addition & 1 deletion Makefile.packaging
Expand Up @@ -41,7 +41,7 @@ $(GITHUB_PACKAGES_DIR):
$(AZURE_PACKAGES_DIR):
@mkdir -p $(AZURE_PACKAGES_DIR)

package: gpg-key $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
package: $(PACKAGES_DIR) $(GITHUB_PACKAGES_DIR) $(AZURE_PACKAGES_DIR) #### Create final packages for all supported distros
# Create deb packages

@for arch in $(DEB_ARCHS); do \
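Review bot: The `package:` target drops its `gpg-key` prerequisite while the workflows in this PR still pass `package_type=signed-package` in their `build-args:` and `.nfpm.yaml` loses all of its `signature:` stanzas, so the packages this target produces are presumably no longer signed despite the build-arg name; if signing has moved to a separate pipeline, a comment on the target such as `# signing is performed by <PIPELINE-PLACEHOLDER>, not here` or a rename of the build arg would keep that visible to the next reader. The same applies to `scripts/packages/packager/signed-entrypoint.sh`, where `pkg repo` now runs without `.key.rsa`, leaving the FreeBSD repository metadata unsigned. The target's recipe continues outside the hunk.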
2 changes: 1 addition & 1 deletion scripts/packages/packager/signed-entrypoint.sh
Expand Up @@ -39,7 +39,7 @@ for freebsd_abi in $FREEBSD_DISTROS; do \
-p staging/plist \
-o ./build/packages/txz/"$freebsd_abi"; \
# create freebsd pkg repo layout
pkg repo ./build/packages/txz/"$freebsd_abi" .key.rsa; \
pkg repo ./build/packages/txz/"$freebsd_abi"; \
# Creating symbolic link from txz to pkg. In older versions of pkg the extension would represent the format of the file
# but since version 1.17.0 pkg will now always create a file with the extesion pkg no matter what the format is.
# See 1.17.0 release notes for more info: https://cgit.freebsd.org/ports/commit/?id=e497a16a286972bfcab908209b11ee6a13d99dc9