diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml
index 2028cfc48..8c9c536fb 100644
--- a/.github/workflows/assertion.yml
+++ b/.github/workflows/assertion.yml
@@ -1,65 +1,86 @@ - name: Generate and Sign Assertion Document on: workflow_dispatch: inputs: - branch: + packageVersion: + description: 'Agent version' + type: string + required: true + runId: + description: 'Run ID of the workflow that built the artifacts' + type: string + required: true + signAssertion: + description: 'Sign and store the assertion document' + type: boolean + required: false + default: false + workflow_call: + inputs: + packageVersion: + description: 'Agent version' type: string - description: "The branch to run the assertion workflow on" + required: true + runId: + description: 'Run ID of the workflow that built the artifacts' + type: string + required: false + signAssertion: + description: 'Sign and store the assertion document' + type: boolean required: false - default: main + default: false + secrets: + ARTIFACTORY_USER: + required: true + ARTIFACTORY_TOKEN: + required: true + ARTIFACTORY_URL: + required: true jobs: build-assertion-document: - name: Build and Generate Assertion Document + name: Create Assertion Document runs-on: ubuntu-22.04 if: ${{ !github.event.pull_request.head.repo.fork }} permissions: id-token: write contents: read env: - GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency" - outputs: - agent_binary: ${{ steps.check_binary.outputs.agent_binary }} - goversionm: ${{ steps.godeps.outputs.goversionm }} - assertion_document: ${{ steps.assertiondoc.outputs.assertion-document-path }} + GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL }}" strategy: - matrix: - osarch: [amd64, arm64] + matrix: + osarch: [amd64, arm64] steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - name: Set up Go - uses: 
actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + - name: Setup go + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: - go-version-file: go.mod + go-version-file: 'go.mod' cache: false + - name: Download nginx-agent binary artifacts + if: ${{ inputs.runId != '' }} + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 + with: + name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} + path: binaries + run-id: ${{ inputs.runId }} + github-token: ${{ github.token }} + - name: Gather build dependencies id: godeps run: | - if [ -z ${{inputs.branch}} ]; then - echo "No branch input provided, using current branch: $GITHUB_REF_NAME" - else - echo "Checking out branch: ${{inputs.branch}}" - git checkout ${{inputs.branch}} - fi - echo "Current branch: $GITHUB_REF_NAME" - echo "branch_name=$GITHUB_REF_NAME" >> $GITHUB_ENV - GO_VERSION=$(go version | awk '{print $3}' | sed 's/go//') - echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV - echo "GO_VERSION=$GO_VERSION" - echo "time_start=$(date +%s)" >> $GITHUB_ENV - OSARCH=${{matrix.osarch}} make build - echo "time_end=$(date +%s)" >> $GITHUB_ENV - echo "Build time: $((time_end - time_start)) seconds" - - echo "Getting sha256sum of the built nginx-agent binary..." - echo "agent-digest=$(sha256sum build/nginx-agent | awk '{print $1}')" >> $GITHUB_ENV - + ls -la binaries + echo "agent_digest=$(cat binaries/nginx-agent.sha256)" >> $GITHUB_ENV + echo "agent_buildstart=$(cat binaries/nginx-agent.buildstart)" >> $GITHUB_ENV + echo "agent_buildend=$(cat binaries/nginx-agent.buildend)" >> $GITHUB_ENV + echo "Checking dependencies..." - go version -m build/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt + go version -m binaries/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt ls -l goversionm_*.txt echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV 
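Review bot: The new Gather step exports `agent_digest` (underscore), but the assertion step in the `@@ -67,7 +88,7 @@` hunk still reads the unchanged `artifact-digest: ${{ env.agent-digest }}` (hyphen), which nothing sets any more, so the generated assertion document carries an empty digest. The digest should also be recomputed from the binary that was actually downloaded rather than copied from the sidecar file, so the document attests what is on disk: `echo "agent_digest=$(sha256sum binaries/nginx-agent | awk '{print $1}')" >> $GITHUB_ENV`, with the consumer changed to `artifact-digest: ${{ env.agent_digest }}`. Separately, `runId` is `required: false` for `workflow_call` with no default, so a caller that omits it skips the download step via its `if:` but then fails at `ls -la binaries`; making it `required: true` for `workflow_call` as well would surface the mistake at the call site. The job's remaining steps continue outside this hunk.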
@@ -67,7 +88,7 @@ jobs: id: assertiondoc uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 with: - artifact-name: nginx-agent_${{ env.branch_name }}_${{ matrix.osarch }} + artifact-name: nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }} artifact-digest: ${{ env.agent-digest }} build-type: 'github' builder-id: 'github.com' @@ -77,13 +98,14 @@ jobs: artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} artifactory-url: ${{ secrets.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' - assertion-doc-file: assertion_nginx-agent_${{env.branch_name}}_${{matrix.osarch}}.json + assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json build-content-path: ${{ env.goversionm }} - started-on: '${{ env.time_start }}' - finished-on: '${{ env.time_end }}' + started-on: '${{ env.agent_buildstart }}' + finished-on: '${{ env.agent_buildend }}' - name: Sign and Store Assertion Document id: sign + if: ${{ inputs.signAssertion == true }} uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index bb883bc3f..64398769e 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -17,11 +17,11 @@ on: type: string uploadAzure: description: 'Publish packages Azure storage' - default: true + default: false type: boolean publishPackages: description: 'Publish packages to nginx repo' - default: true + default: false type: boolean tagRelease: description: 'Add tag to release branch' 
@@ -39,6 +39,11 @@ on: description: 'Location to publish packages to' required: false default: "https://up-ap.nginx.com" + type: string + assertionDoc: + description: 'Generate assertion document' + default: false + type: boolean env: NFPM_VERSION: 'v2.35.3' @@ -49,7 +54,7 @@ defaults: shell: bash concurrency: - group: ${{ github.ref_name }}-v3-release + group: ${{ github.ref_name }}-release cancel-in-progress: true permissions: @@ -92,15 +97,13 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + if: ${{ needs.vars.outputs.github_release == 'true' }} with: ref: ${{ inputs.releaseBranch }} - - name: Setup Node Environment - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 - - name: Create Draft Release - if: ${{ needs.vars.outputs.github_release == 'true' }} uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + if: ${{ needs.vars.outputs.github_release == 'true' }} id: release env: version: ${{ inputs.packageVersion }} @@ -176,6 +179,7 @@ jobs: - name: Set Environment Variables id: vars + if: ${{ needs.vars.outputs.github_release == 'true' }} run: | echo "RELEASE_ID=$(echo '${{steps.release.outputs.result}}' | jq -r '.release_id')" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT 
@@ -189,23 +193,20 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + if: ${{ needs.vars.outputs.tag_release == 'true' }} with: ref: ${{ inputs.releaseBranch }} - name: Tag release + if: ${{ needs.vars.outputs.tag_release == 'true' }} run: | git config --global user.name 'github-actions' git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com' - git tag -a "v${{ inputs.packageVersion }}" -m "CI Autogenerated" - - - name: Push Tags - if: ${{ needs.vars.outputs.tag_release == 'true' }} - run: | git push origin "v${{ inputs.packageVersion }}" - upload-packages: - name: Upload packages + build-and-upload-packages: + name: Build and upload release packages runs-on: ubuntu-22.04-amd64 needs: [vars,release-draft,tag-release] permissions: @@ -225,6 +226,7 @@ jobs: - name: Setup package build environment run: | + go mod download go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }} sudo apt-get update sudo apt-get install -y gpgv1 monkeysphere 
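Review bot: The merged `Tag release` step no longer creates the tag: the `git tag -a "v${{ inputs.packageVersion }}" -m "CI Autogenerated"` line was dropped together with the old `Push Tags` step, so the surviving `git push origin "v${{ inputs.packageVersion }}"` pushes a ref that does not exist locally and the step fails. Re-add `git tag -a "v${{ inputs.packageVersion }}" -m "CI Autogenerated"` immediately before the push. Since `packageVersion` is a free-form `workflow_dispatch` input expanded directly into the script text, passing it via `env: PACKAGE_VERSION: ${{ inputs.packageVersion }}` and using `"v$PACKAGE_VERSION"` in both commands keeps the value out of the shell source. The tag-release job's header is above this hunk.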
@@ -245,6 +247,36 @@ jobs: export PATH=$PATH:~/go/bin echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE} make package + find build/ -type f -name "nginx-agent*" + + - name: Archive AMD64 Binaries + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: nginx-agent-binaries-${{ inputs.packageVersion }}-amd64 + path: | + build/amd64/nginx-agent + build/amd64/nginx-agent.sha256 + build/amd64/nginx-agent.buildstart + build/amd64/nginx-agent.buildend + + - name: Archive ARM64 Binaries + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: nginx-agent-binaries-${{ inputs.packageVersion }}-arm64 + path: | + build/arm64/nginx-agent + build/arm64/nginx-agent.sha256 + build/arm64/nginx-agent.buildstart + build/arm64/nginx-agent.buildend + + - name: List artifacts + run: | + echo "Run ID: ${{ github.run_id }}" + echo "Run Number: ${{ github.run_number }}" + echo "nginx-agent-binaries-${{ inputs.packageVersion }}-arm64" + find build/arm64 -type f -name "nginx-agent*" + echo "nginx-agent-binaries-${{ inputs.packageVersion }}-amd64" + find build/amd64 -type f -name "nginx-agent*" - name: Install GPG tools if: ${{ inputs.publishPackages == true }} @@ -261,7 +293,7 @@ jobs: let id_token = await core.getIDToken() core.setOutput('id_token', id_token) - - name: Publish Release Packages + - name: Upload Release Packages to NGINX repo if: ${{ inputs.publishPackages == true }} env: TOKEN: ${{ steps.idtoken.outputs.id_token }} 
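Review bot: The two new `Archive … Binaries` steps rely on upload-artifact's default `if-no-files-found: warn`, so if `make package` produced nothing under `build/amd64` or `build/arm64` the upload passes with an empty artifact and the failure only surfaces later in the assertion workflow's `cat binaries/nginx-agent.sha256`. Add `if-no-files-found: error` under `with:` in both steps so the release job stops where the files went missing. That setting only fires when none of the four paths match; a partial set (say the binary without its `.sha256`) still uploads, so a `test -f` over the four files in the `List artifacts` run step would close that gap. The `find build/…` in `List artifacts` repeats the `find build/ -type f -name "nginx-agent*"` added after `make package`; one of the two could go.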
@@ -269,6 +301,23 @@ jobs: run: | make release + assertion-document: + name: Build and Generate Assertion Document + needs: [build-and-upload-packages] + if : ${{ inputs.assertionDoc == true }} + uses: ./.github/workflows/assertion.yml + permissions: + id-token: write + contents: read + with: + packageVersion: ${{ inputs.packageVersion }} + runId: ${{ github.run_id }} + secrets: + ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} + ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} + ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL }} + + merge-release: if: ${{ needs.vars.outputs.create_pull_request == 'true' }} name: Merge release branch back into main branch diff --git a/Makefile.packaging b/Makefile.packaging index fb33ff86a..09b018083 100644 --- a/Makefile.packaging +++ b/Makefile.packaging @@ -35,8 +35,7 @@ $(PACKAGES_DIR): @mkdir -p $(PACKAGES_DIR)/deb && mkdir -p $(PACKAGES_DIR)/rpm && mkdir -p $(PACKAGES_DIR)/apk .PHONY: package -package: $(PACKAGES_DIR) #### Create final packages for all supported distros - +package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported distros # Build binaries for all supported architectures @for arch in $(DEB_ARCHS); do \ mkdir -p $(BUILD_DIR)/$${arch}; \ 
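Review bot: `if : ${{ inputs.assertionDoc == true }}` has a space before the colon; it parses, but it breaks the file's `key: value` convention and yamllint's `colons` rule — write `if: ${{ inputs.assertionDoc == true }}`. The call passes `packageVersion` and `runId` but not `signAssertion`, so the reusable workflow falls back to its `default: false` and the release pipeline produces an assertion document that is never signed or stored; if that is intended, a comment such as `# signAssertion deliberately not set: the document is generated here but not signed` on the `with:` block would record it, otherwise pass `signAssertion: true`. `runId: ${{ github.run_id }}` hands a numeric context value to a `type: string` input; whether the runner coerces it is not visible here, and quoting it as `runId: '${{ github.run_id }}'` removes the doubt.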
@@ -44,12 +43,20 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros sed -i.bak "s/\^ARCH\^/$${arch}/g" ".nfpm.$${arch}.yaml"; \ sed -i.bak "s/\^BUILD_PATH\^/\.\/build\/$${arch}/g" ".nfpm.$${arch}.yaml"; \ echo "Building linux/$${arch}"; \ + start_time=$$(date +%s); \ GOWORK=off CGO_ENABLED=0 GOARCH=$${arch} GOOS=linux \ go build -pgo=auto -ldflags=${LDFLAGS} \ -o $(BUILD_DIR)/$${arch}/$(BINARY_NAME) \ $(PROJECT_DIR)/$(PROJECT_FILE); \ - rm -f .nfpm.$$arch.yaml.bak; \ + end_time=$$(date +%s); \ + rm -f .nfpm.$${arch}.yaml.bak; \ + sha256sum build/$${arch}/nginx-agent | awk '{print $$1}' > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).sha256; \ + echo $${start_time} > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).buildstart; \ + echo $${end_time} > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).buildend; \ + echo "Built binary:"; \ ls -la "$(BUILD_DIR)/$${arch}/$(BINARY_NAME)"; \ + cat $(BUILD_DIR)/$${arch}/$(BINARY_NAME).sha256; \ + echo "Built took "$$((end_time - start_time))" seconds"; \ done; \ # Create deb packages @@ -138,9 +145,9 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros # Create tarball containing all packages @echo "Creating tarball: $(TARBALL_NAME)"; \ rm -f $(PACKAGES_DIR)/$(TARBALL_NAME); \ - pushd $(PACKAGES_DIR) > /dev/null; \ + cd $(PACKAGES_DIR); \ tar -czvf "./$(TARBALL_NAME)" *; \ - popd > /dev/null; \ + cd ../.. \ ls -la $(PACKAGES_DIR)/$(TARBALL_NAME); .PHONY: gpg-key
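Review bot: The new `sha256sum build/$${arch}/nginx-agent` line hard-codes the path while the surrounding lines use `$(BUILD_DIR)/$${arch}/$(BINARY_NAME)`; if either variable differs from those literals, the `.sha256` sidecar that the assertion workflow later reads into `agent_digest` is computed for the wrong file or the command fails. Use the variables: `sha256sum $(BUILD_DIR)/$${arch}/$(BINARY_NAME) | awk '{print $$1}' > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).sha256; \`. The added message `echo "Built took "…` reads better as `"Build took "`. The `package` recipe continues outside this hunk.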
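Review bot: `cd ../.. \` has no `;` before the backslash, so the following `ls -la …` line is folded into it and the shell sees `cd ../.. ls -la …`; depending on the shell, `cd` either rejects the extra arguments or ignores them, and in both cases the final `ls` never runs. `cd ../..` also assumes `$(PACKAGES_DIR)` is exactly two levels deep, which the replaced `pushd`/`popd` pair did not. A subshell keeps the POSIX-sh compatibility that presumably motivated dropping `pushd` and avoids both problems: replace the `cd $(PACKAGES_DIR); \`, `tar …; \` and `cd ../.. \` lines with `( cd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" * ); \`.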