Add assertions document to binary build workflow (#8336)

pdabelf5 · web-flow · commit 223bc069036e · 2025-10-02T15:42:39.000Z
diff --git a/.github/scripts/binary-json.sh b/.github/scripts/binary-json.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+path=${1:-dist/}
+project=${2:-kubernetes-ingress}
+binary_name=${3:-nginx-ingress}
+
+if [ -z "$path" ] || [ -z "$project" ]; then
+  echo "Usage: $0 <path> <project>"
+  exit 1
+fi
+
+
+json='[]'
+for bin in $(find "$path" -type f -name "$binary_name"); do
+  dir=$(basename "$(dirname $bin)")
+  if [[ "$dir" =~ ${project}_([a-zA-Z0-9]+)_([a-zA-Z0-9]+) ]]; then
+    os="${BASH_REMATCH[1]}"
+    arch="${BASH_REMATCH[2]}"
+    digest=$(sha256sum "$bin" | cut -d' ' -f1)
+    json=$(echo "$json" | jq -c --arg path "$bin" --arg os "$os" --arg arch "$arch" --arg digest "$digest" '. += [{"path": $path, "os": $os, "arch": $arch, "digest": $digest}]')
+  fi
+done
+echo "$json"
diff --git a/.github/workflows/build-artifacts.yml b/.github/workflows/build-artifacts.yml
@@ -58,6 +58,8 @@ jobs:
     permissions:
       contents: read
       id-token: write
+    outputs:
+      json: ${{ steps.nic_binaries.outputs.json }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -100,13 +102,94 @@ jobs:
           GORELEASER_CURRENT_TAG: "v${{ inputs.ic-version }}"
         if: ${{ inputs.force }}
 
+      - name: Extract NGINX Ingress Controller binary info
+        id: nic_binaries
+        run: |
+          echo "json=$(.github/scripts/binary-json.sh ${{ github.workspace }}/dist ${{ github.event.repository.name }} "nginx-ingress")" >> $GITHUB_OUTPUT
+        if: ${{ inputs.force }}
+
       - name: Store Artifacts in Cache
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ${{ github.workspace }}/dist
           key: nginx-ingress-${{ inputs.go-md5 }}
         if: ${{ inputs.force }}
 
+  generate-assertion-doc:
+    if: ${{ inputs.force }}
+    name: Assertion Doc ${{ matrix.nic.arch }}
+    needs: [binaries]
+    runs-on: ${{ inputs.runner }}
+    permissions:
+      contents: read
+      id-token: write # for compliance-rules action to sign assertion doc
+    strategy:
+      fail-fast: false
+      matrix:
+        nic: ${{ fromJSON( needs.binaries.outputs.json ) }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: ${{ inputs.branch }}
+
+      - name: Setup Golang Environment
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+
+      - name: Setup netrc
+        run: |
+          cat <<EOF > $HOME/.netrc
+          machine azr.artifactory.f5net.com
+              login ${{ secrets.ARTIFACTORY_USER }}
+              password ${{ secrets.ARTIFACTORY_TOKEN }}
+          EOF
+          chmod 600 $HOME/.netrc
+
+      - name: Fetch Cached Artifacts
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        with:
+          path: ${{ github.workspace }}/dist
+          key: nginx-ingress-${{ inputs.go-md5 }}
+          fail-on-cache-miss: true
+
+      - name: List packages in Go binary
+        id: godeps
+        env:
+          GOPATH: ${{ inputs.go-path }}
+          GOPROXY: ${{ inputs.go-proxy }}
+        run: |
+          go version -m ${{ matrix.nic.path }} > go_version_out_${{ github.run_id }}_${{ github.run_number }}.txt
+          echo "go_version_out=$(find -type f -name "go_version_out*.txt" | head -n 1)" >> $GITHUB_OUTPUT
+          echo "artifact_digest=$(openssl dgst -sha256 -r ${{ matrix.nic.path }} | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
+
+      - name: Generate Assertion Document
+        id: assertiondoc
+        uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        with:
+          artifact-name: "${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.nic.os }}_${{ matrix.nic.arch }}"
+          artifact-digest: ${{ steps.godeps.outputs.artifact_digest }}
+          build-type: "github.com"
+          builder-id: "github"
+          builder-version: v0.1.0
+          started-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
+          finished-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
+          invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
+          artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
+          artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
+          artifactory-repo: 'f5-nginx-go-local-approved-dependency'
+          assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.nic.os }}_${{ matrix.nic.arch }}.json
+          build-content-path: ${{ steps.godeps.outputs.go_version_out }}
+
+      - name: Sign and Store Assertion Document
+        id: sign
+        uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        with:
+          assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}
+
   build-docker:
     name: Build Docker OSS
     needs: [binaries]
