
Commit 2cbcb28

Merge remote-tracking branch 'origin/main' into chore/debian-trixie
# Conflicts: # build/Dockerfile # tests/Dockerfile
2 parents 185ad68 + 9badeb3 commit 2cbcb28

94 files changed

+1961
-774
lines changed


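--- a/.github/actions/certify-openshift-image/action.yml
+++ b/.github/actions/certify-openshift-image/action.yml
@@ -20,7 +20,7 @@ inputs:
 required: false
 default: "amd64,arm64"
 submit:
-description: Submit results to Redhat PYAXIS
+description: Submit results to Redhat PYXIS
 required: false
 default: true
 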
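--- a/.github/scripts/requirements.txt
+++ b/.github/scripts/requirements.txt
@@ -4,9 +4,9 @@
 #
 # pip-compile --generate-hashes --output-file=requirements.txt requirements.in
 #
-certifi==2025.10.5 \
---hash=sha256:0f212c2744a9bb6de0c56639a6f68afe01ecd92d91f14ae897c4fe7bbeeef0de \
---hash=sha256:47c09d31ccf2acf0be3f701ea53595ee7e0b8fa08801c6624be771df09ae7b43
+certifi==2025.11.12 \
+--hash=sha256:97de8790030bbd5c2d96b7ec782fc2f7820ef8dba6db909ccf95449f2d062d4b \
+--hash=sha256:d8ab5478f2ecd78af242878415affce761ca6bc54a22a27e026d7c25357c3316
 # via requests
 cffi==2.0.0 \
 --hash=sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb \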

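--- a/.github/workflows/build-artifacts.yml
+++ b/.github/workflows/build-artifacts.yml
@@ -62,7 +62,7 @@ jobs:
 json: ${{ steps.nic_binaries.outputs.json }}
 steps:
 - name: Checkout Repository
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 ref: ${{ inputs.branch }}
 
@@ -91,14 +91,6 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GOPATH: ${{ inputs.go-path }}
 GOPROXY: ${{ inputs.go-proxy }}
-AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
-AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
-AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
-AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
-AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
-AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
-AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
-AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
 GORELEASER_CURRENT_TAG: "v${{ inputs.ic-version }}"
 if: ${{ inputs.force }}
 
@@ -115,6 +107,10 @@ jobs:
 key: nginx-ingress-${{ inputs.go-md5 }}
 if: ${{ inputs.force }}
 
+- name: Cleanup netrc
+run: rm -f $HOME/.netrc
+if: ${{ always() }}
+
 # generate-assertion-doc:
 # if: ${{ github.event_name != 'pull_request' }}
 # name: Assertion Doc ${{ matrix.nic.arch }}
@@ -190,9 +186,9 @@ jobs:
 # with:
 # assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}
 
-- name: Cleanup netrc
-run: rm -f $HOME/.netrc
-if: ${{ always() }}
+#  - name: Cleanup netrc
+# run: rm -f $HOME/.netrc
+# if: ${{ always() }}
 
 build-docker:
 name: Build Docker OSS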
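Review bot: The old cleanup step survives as commented-out text at new lines 189-191 right next to its live copy at new lines 110-112, so the file now carries the same step twice, once dead; delete the three comment lines instead of keeping them. While touching the live step, quote the path in `run: rm -f $HOME/.netrc` as `run: rm -f "$HOME/.netrc"` so the argument cannot be split if the home directory ever contains whitespace. The enclosing job's steps begin before the first hunk and continue after the last one.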

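--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -29,7 +29,7 @@ jobs:
 image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }}
 steps:
 - name: Checkout Repository
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
 - name: Output Variables
 id: vars
@@ -55,7 +55,7 @@ jobs:
 matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
 steps:
 - name: Checkout Repository
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -65,13 +65,31 @@ jobs:
 with:
 platforms: arm64
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 
 - name: Login to GCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -120,7 +138,37 @@ jobs:
 matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
 steps:
 - name: Checkout Repository
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${CERT}"
+echo $CERT > nginx-repo.crt
+IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${KEY}"
+echo $KEY > nginx-repo.key
 
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -135,8 +183,8 @@ jobs:
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 
 - name: Login to GCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -171,9 +219,14 @@ jobs:
 build-args: |
 BUILD_OS=${{ matrix.image }}
 IC_VERSION=${{ needs.checks.outputs.ic_version }}
-secrets: |
-"nginx-repo.crt=${{ secrets.NGINX_CRT }}"
-"nginx-repo.key=${{ secrets.NGINX_KEY }}"
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key
+if: always()
 
 build-plus-nap:
 name: Build Plus NAP base images
@@ -188,7 +241,42 @@ jobs:
 matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
 steps:
 - name: Checkout Repository
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$PLUS_CREDS"
+IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${CERT}"
+echo $CERT > nginx-repo.crt
+IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key')
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${KEY}"
+echo $KEY > nginx-repo.key
+IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+while read -r line; do
+echo "::add-mask::${line}"
+done <<< "${RHEL_CREDS}"
+echo $RHEL_CREDS > rhel_license
 
 - name: Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -198,8 +286,8 @@ jobs:
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 
 - name: Login to GCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -242,7 +330,12 @@ jobs:
 BUILD_OS=${{ matrix.image }}
 IC_VERSION=${{ needs.checks.outputs.ic_version }}
 NAP_MODULES=${{ matrix.nap_modules }}
-secrets: |
-"nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
-"nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"
-${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+secret-files: |
+nginx-repo.crt=nginx-repo.crt
+nginx-repo.key=nginx-repo.key
+${{ contains(matrix.image, 'ubi') && 'rhel_license=rhel_license' || '' }}
+
+- name: Clean up secrets
+run: |
+rm -f nginx-repo.crt nginx-repo.key rhel_license
+if: always()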
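Review bot: `IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt')` at new line 162 (hunk `@@ -120,7 +138,37`) is two plain shell assignments with no command word, so `IFS=@` is not a per-command prefix: it changes IFS for the rest of the script, and the later unquoted `echo $CERT > nginx-repo.crt` only preserves the PEM's line breaks because of that side effect. The same construction is repeated for `KEY` at lines 167-171 and, in the NAP job's copy of the step (hunk `@@ -188,7 +241,42`), for `CERT`, `KEY` and `RHEL_CREDS` at lines 265-279. Quoting the expansions and dropping the IFS assignment keeps the file contents intact without depending on global shell state, as sketched below for the Plus job; the NAP job's step would get the same treatment. Separately, the cert, key and `rhel_license` files are written into the checkout directory, so they sit in the Docker build context as well as being passed via `secret-files`, and the `Clean up secrets` step only removes them after the build; presumably a `.dockerignore` keeps them out of the context — worth confirming. The jobs these steps belong to start before their hunks.
```yaml
      - name: Setup secrets
        id: secrets
        run: |
          # … unchanged: GCR_WORKLOAD_ID / GCR_SERVICE_ACCOUNT lookups …
          PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
          echo "::add-mask::$PLUS_CREDS"
          CERT=$(jq -r '.crt' <<< "$PLUS_CREDS")
          while read -r line; do
            echo "::add-mask::${line}"
          done <<< "${CERT}"
          printf '%s\n' "$CERT" > nginx-repo.crt
          KEY=$(jq -r '.key' <<< "$PLUS_CREDS")
          while read -r line; do
            echo "::add-mask::${line}"
          done <<< "${KEY}"
          printf '%s\n' "$KEY" > nginx-repo.key
```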

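--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -56,18 +56,57 @@ jobs:
 image_digest: ${{ steps.build-push.outputs.digest }}
 steps:
 - name: Checkout Repository
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 ref: ${{ inputs.branch }}
 fetch-depth: 0
 
+- name: Azure login
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+if: ${{ inputs.authenticated }}
+
+- name: Setup secrets
+id: secrets
+run: |
+echo "Setting secrets for job"
+GCR_WORKLOAD_ID=$(az keyvault secret show --name gcr-workload-identity --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_WORKLOAD_ID"
+echo "GCR_WORKLOAD_ID=$GCR_WORKLOAD_ID" >> $GITHUB_OUTPUT
+GCR_SERVICE_ACCOUNT=$(az keyvault secret show --name kic-pipeline-gcr-sa --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$GCR_SERVICE_ACCOUNT"
+echo "GCR_SERVICE_ACCOUNT=$GCR_SERVICE_ACCOUNT" >> $GITHUB_OUTPUT
+
+- name: Azure login Common Vault
+uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+with:
+client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+if: ${{ inputs.authenticated }}
+
+- name: Setup secrets Common Vault
+id: secrets-common
+run: |
+echo "Setting secrets for job"
+DOCKER_USERNAME=$(az keyvault secret show --name docker-username --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$DOCKER_USERNAME"
+echo "DOCKER_USERNAME=$DOCKER_USERNAME" >> $GITHUB_OUTPUT
+DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+echo "::add-mask::$DOCKER_PASSWORD"
+echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+if: ${{ inputs.authenticated }}
+
 - name: Authenticate to Google Cloud
 id: auth
 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
 with:
 token_format: access_token
-workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+workload_identity_provider: ${{ steps.secrets.outputs.GCR_WORKLOAD_ID }}
+service_account: ${{ steps.secrets.outputs.GCR_SERVICE_ACCOUNT }}
 if: ${{ inputs.authenticated }}
 
 - name: Login to GCR
@@ -81,8 +120,8 @@ jobs:
 - name: DockerHub Login
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
-username: ${{ secrets.DOCKER_USERNAME }}
-password: ${{ secrets.DOCKER_PASSWORD }}
+username: ${{ steps.secrets-common.outputs.DOCKER_USERNAME }}
+password: ${{ steps.secrets-common.outputs.DOCKER_PASSWORD }}
 if: ${{ inputs.authenticated }}
 
 - name: Docker meta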
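Review bot: The `Setup secrets` step at new lines 72-81 carries no `if: ${{ inputs.authenticated }}`, although the `Azure login` step that precedes it (line 70), the sibling `Setup secrets Common Vault` step (line 101) and the `Authenticate to Google Cloud` consumer of its outputs (line 111) are all gated on that input. On an unauthenticated run the step therefore still executes `az keyvault secret show` with no Azure session; unless the runner is logged in by some other means that lookup fails, and with the default `bash -e` run shell the job fails before the guarded steps get a chance to be skipped. Add `if: ${{ inputs.authenticated }}` after line 81 to match the other step. The job's step list continues beyond the second hunk.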
