From 8a5a7100fc0a5d9796eda56ecbb90bc8fcda6e24 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Mon, 10 Nov 2025 14:30:46 +0000 Subject: [PATCH 1/3] Update CRT and KEY to use az --- .github/workflows/build-base-images.yml | 57 +++++++++++++++++++++--- .github/workflows/build-plus.yml | 40 +++++++++++++---- .github/workflows/build-single-image.yml | 39 ++++++++-------- .github/workflows/ci.yml | 29 ++++++++++-- .github/workflows/setup-smoke.yml | 32 +++++++++++-- 5 files changed, 157 insertions(+), 40 deletions(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 067fca7ad4..3e0fdb17f6 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -122,6 +122,22 @@ jobs: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt + echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key + - name: Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 
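Review bot: In the new `Setup secrets` step the vault name is spliced into the shell script as `${{ secrets.NIC_KEYVAULT_NAME }}` and the JSON blob is piped through an unquoted `echo $PLUS_CREDS`, so the value is word-split and glob-expanded before jq sees it, and `jq -r '.crt'` writes the literal string `null` into `nginx-repo.crt` if the field is absent, leaving a bogus credential file that only fails later inside the image build. Passing the name through `env:` (`VAULT: ${{ secrets.NIC_KEYVAULT_NAME }}` on the step, then `--vault-name "$VAULT"`) keeps expression interpolation out of the script, and `printf '%s' "$PLUS_CREDS" | jq -er '.crt'` makes a missing or null field fail the step instead. The vault name is a repository secret rather than PR-author input, so this is hardening and consistency with the rest of the file, not an injection path.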
@@ -171,9 +187,14 @@ jobs: build-args: | BUILD_OS=${{ matrix.image }} IC_VERSION=${{ needs.checks.outputs.ic_version }} - secrets: | - "nginx-repo.crt=${{ secrets.NGINX_CRT }}" - "nginx-repo.key=${{ secrets.NGINX_KEY }}" + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key + if: always() build-plus-nap: name: Build Plus NAP base images @@ -190,6 +211,23 @@ jobs: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt + echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key + az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license + - name: Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 
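Review bot: The `nginx-repo.crt` and `nginx-repo.key` files that `secret-files:` now points at are written into the checkout with the runner's default umask and stay there, readable by every later step, until the `Clean up secrets` step at job end, so moving from inline `secrets:` to `secret-files:` changes where the private key sits, not for how long. On hosted ephemeral runners that is tolerable, but a `umask 077` at the top of the setup script (or writing under `$RUNNER_TEMP` and pointing `secret-files:` there) narrows the window for any third-party action that runs in between. Making the cleanup `if: always()` is the right choice, since a failed build would otherwise leave the key on disk.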
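Review bot: The `build-plus-nap` job now feeds the single `plus-creds` vault entry to the App Protect build, whereas the lines it replaces (visible in the next hunk) used separate `NGINX_AP_CRT`/`NGINX_AP_KEY` secrets for NAP images; confirm that `plus-creds` carries the App Protect entitlement, because a plain NGINX Plus certificate would be rejected by the NAP package repository during the build rather than here. The step also fetches `rhel-creds` and writes `rhel_license` for every matrix entry although only the `ubi` images consume it; guarding that lookup on the image name, as the pre-change `build-single-image.yml` did with its `=~ ubi` test, keeps the Red Hat credential off the Debian and Alpine builds. The `id: secrets` on the step sets no outputs and can be dropped.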
@@ -242,7 +280,12 @@ jobs: BUILD_OS=${{ matrix.image }} IC_VERSION=${{ needs.checks.outputs.ic_version }} NAP_MODULES=${{ matrix.nap_modules }} - secrets: | - "nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}" - "nginx-repo.key=${{ secrets.NGINX_AP_KEY }}" - ${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + ${{ contains(matrix.image, 'ubi') && 'rhel_license=rhel_license' || '' }} + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key rhel_license + if: always() diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 025340a5d0..12ac02aa47 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -63,6 +63,25 @@ jobs: ref: ${{ inputs.branch }} fetch-depth: 0 + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt + echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key + az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
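Review bot: `azure/login` is invoked with only `client-id`, `tenant-id` and `subscription-id`, i.e. OIDC federated identity with no client secret, which requires the job to grant `permissions: id-token: write`; the job header is outside this hunk, so confirm it is set, otherwise the login fails with a token-request error on every `inputs.authenticated` run. Granting `id-token: write` on this job only, not at workflow level, keeps the federated credential scoped to the steps that need it. Pinning the action to a full commit SHA with the version comment is the right supply-chain practice and is applied consistently across all five workflows.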
@@ -154,10 +173,10 @@ jobs: BUILD_OS=${{ inputs.image }} IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }} - secrets: | - "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" - "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" - ${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + ${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }} if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }} - name: Debug values @@ -199,10 +218,10 @@ jobs: IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }} ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }} - secrets: | - "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" - "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" - ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + ${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }} if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Make directory for security scan results 
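Review bot: The second `secret-files:` block (hunk at `@@ -199`) belongs to a build step whose `if:` depends only on `steps.images_exist`, not on `inputs.authenticated`, while the files it names are created only when `inputs.authenticated` is true; the old inline `secrets:` form would have expanded to empty values on an unauthenticated run, but buildx now errors on a missing `nginx-repo.crt` before the build starts. Either add `inputs.authenticated &&` to that step's condition, or have the setup step create empty placeholder files when it is skipped. The NAP-specific `NGINX_AP_*` selection these lines drop is no longer reflected in the vault lookup, which deserves a sentence in the commit description.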
@@ -222,3 +241,8 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment summary: true if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }} + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key rhel_license + if: always() diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml index 7c389619dc..c19fd370a1 100644 --- a/.github/workflows/build-single-image.yml +++ b/.github/workflows/build-single-image.yml @@ -79,17 +79,23 @@ jobs: username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - - name: Setup plus credentials + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ contains(inputs.target, 'plus') }} + + - name: Setup secrets + id: secrets run: | - printf '%s\n' "${CERT}" > nginx-repo.crt - printf '%s\n' "${KEY}" > nginx-repo.key - if [[ "${{ inputs.target }}" =~ ubi ]]; then - printf '%s\n' "${RHEL}" > rhel_license - fi - env: - CERT: ${{ secrets.NGINX_CRT }} - KEY: ${{ secrets.NGINX_KEY }} - RHEL: ${{ secrets.RHEL_LICENSE }} + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt + echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key + az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license if: ${{ contains(inputs.target, 'plus') }} - name: Fetch Cached Binary Artifacts 
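Review bot: The replaced `Setup plus credentials` step wrote `rhel_license` only when `inputs.target` matched `ubi` and wrote every value with `printf '%s\n' "${VAR}"`; the new step fetches and writes `rhel_license` for every plus target and uses an unquoted `echo $PLUS_CREDS` with `jq -r`, so both the least-privilege guard and the quoting regress. Restoring `if [[ "${{ inputs.target }}" =~ ubi ]]; then … fi` around the `rhel-creds` lookup keeps the Red Hat credential off non-UBI builds, and `printf '%s\n'` of a double-quoted variable avoids `echo` mangling PEM content. The `if: ${{ contains(inputs.target, 'plus') }}` on both new steps is correct, but the cleanup step added at the end of this file runs unconditionally, which is fine since `rm -f` on absent files is a no-op.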
@@ -107,14 +113,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ steps.vars.outputs.go_path }} - AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }} - AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }} - AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }} - AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }} - AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }} - AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }} - AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }} - AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }} GORELEASER_CURRENT_TAG: "v${{ steps.vars.outputs.ic_version }}" if: ${{ steps.binary-cache.outputs.binary_cache_hit != 'true' }} @@ -142,3 +140,8 @@ jobs: REGISTRY: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev PREFIX: ${{ inputs.prefix }} TAG: ${{ inputs.tag }} + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key rhel_license + if: always() diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c4cfdb0aa2..bc3ed8bb53 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
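Review bot: Removing the eight `AWS_*_PRODUCT_CODE` / `AWS_*_PUB_KEY` environment variables from the goreleaser step is unrelated to the commit subject (`Update CRT and KEY to use az`) and is not explained in the description; if the goreleaser config or the marketplace build still reads them, the AWS targets will now build with empty values and the failure will surface only at release time. If these values were moved to the vault as well, the step that now supplies them should be named in the description; otherwise this belongs in its own commit so it can be reviewed and reverted independently.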
@@ -436,6 +436,24 @@ jobs: with: version: 'v3.18.6' + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ needs.checks.outputs.forked_workflow != 'true' }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt + echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key + if: ${{ needs.checks.outputs.forked_workflow != 'true' }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -490,9 +508,9 @@ jobs: build-args: | BUILD_OS=${{ matrix.base-os }} IC_VERSION=CI - secrets: | - ${{ matrix.type == 'plus' && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} - ${{ matrix.type == 'plus' && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} + secret-files: | + ${{ matrix.type == 'plus' && 'nginx-repo.crt=nginx-repo.crt' || '' }} + ${{ matrix.type == 'plus' && 'nginx-repo.key=nginx-repo.key' || '' }} if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Deploy Kubernetes @@ -551,6 +569,11 @@ jobs: done if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key + if: always() + setup-matrix: if: ${{ inputs.force || (inputs.run_tests && inputs.run_tests || true) || needs.checks.outputs.docs_only != 'true' }} name: Setup Matrix for Smoke Tests diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index a54ba7265e..14fef2ea94 100644 
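Review bot: The conditions in this file are inverted relative to each other: `Azure login` and `Setup secrets` run only when `needs.checks.outputs.forked_workflow != 'true'`, but the build step that consumes `secret-files: nginx-repo.crt=nginx-repo.crt` runs only when `forked_workflow == 'true'`, so in the one case where the files are needed they were never written and buildx fails on a missing file for `matrix.type == 'plus'`. The previous inline form would have expanded an unavailable secret to an empty string, which is presumably why this path did not fail before. Decide which path the plus build is meant to take on forks and align the two `if:` expressions; if plus builds are intentionally skipped on forks, add `matrix.type != 'plus'` to the build step instead of referencing files that cannot exist.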
--- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -61,6 +61,25 @@ jobs: echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi-9') && '-ubi' || '' }}${{ contains(inputs.image, 'ubi-8') && '-ubi8' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.authenticated }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$PLUS_CREDS" + echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt + echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key + az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license + if: ${{ inputs.authenticated }} + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 
@@ -144,10 +163,10 @@ jobs: IC_VERSION=CI ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }} ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }} - secrets: | - ${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }} - ${{ contains(inputs.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }} - ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + secret-files: | + nginx-repo.crt=nginx-repo.crt + nginx-repo.key=nginx-repo.key + ${{ contains(inputs.image, 'ubi') && 'rhel_license=rhel_license' || '' }} if: ${{ !inputs.authenticated }} - name: Generate WAF v5 tgz from JSON @@ -177,3 +196,8 @@ jobs: name: ${{ steps.smoke-tests.outputs.test-results-name }} path: ${{ steps.smoke-tests.outputs.test-results-path }} if: ${{ !cancelled() && steps.stable_exists.outputs.exists != 'true' }} + + - name: Clean up secrets + run: | + rm -f nginx-repo.crt nginx-repo.key rhel_license + if: always() From 8e36d741192dc531baad80118fb7581c2b29f1e7 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Thu, 13 Nov 2025 16:32:11 +0000 Subject: [PATCH 2/3] Mask file contents --- .github/workflows/build-base-images.yml | 30 ++++++++++++++++++++---- .github/workflows/build-plus.yml | 18 +++++++++++--- .github/workflows/build-single-image.yml | 18 +++++++++++--- .github/workflows/ci.yml | 12 ++++++++-- .github/workflows/setup-smoke.yml | 18 +++++++++++--- 5 files changed, 80 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 3e0fdb17f6..168071fc4b 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml 
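Review bot: The same mismatch as in `ci.yml` appears here: the `secret-files:` build step runs `if: ${{ !inputs.authenticated }}` while the step that writes `nginx-repo.crt`, `nginx-repo.key` and `rhel_license` runs `if: ${{ inputs.authenticated }}`, so the unauthenticated path references files that do not exist. Unless the intent is to make plus smoke builds fail fast for unauthenticated callers, the two conditions need to agree, or the build step should drop `secret-files:` on that path. The removed lines also selected `NGINX_AP_*` for `nap` images; that distinction is now collapsed into the single `plus-creds` entry and should be confirmed against the vault contents.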
@@ -135,8 +135,16 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt - echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key + CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key - name: Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 @@ -224,9 +232,21 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt - echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key - az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license + CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + while read -r line; do + echo "::add-mask::${line}" + done <<< "${RHEL_CREDS}" + echo $RHEL_CREDS > rhel_license - name: Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 12ac02aa47..8242d61d2f 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
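Review bot: Registering each line of the PEM with `::add-mask::` is the correct way to mask a multi-line value, but the loop also registers the `-----BEGIN …-----`/`-----END …-----` delimiters and any blank separator line; the runner cannot mask an empty value, so `[[ -n "$line" ]] && echo "::add-mask::${line}"` keeps the log free of warnings. More importantly, at this point in the series `echo $CERT > nginx-repo.crt` is unquoted and under the default IFS joins the PEM lines with spaces, producing an unusable certificate; the following patch papers over that with `IFS=@`, whereas `printf '%s\n' "$CERT" > nginx-repo.crt` needs no IFS change. The masked lines are 64-character base64 chunks, long enough not to cause spurious masking of unrelated log output.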
@@ -77,9 +77,21 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt - echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key - az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license + CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + while read -r line; do + echo "::add-mask::${line}" + done <<< "${RHEL_CREDS}" + echo $RHEL_CREDS > rhel_license if: ${{ inputs.authenticated }} - name: Authenticate to Google Cloud diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml index c19fd370a1..2c1d181b17 100644 --- a/.github/workflows/build-single-image.yml +++ b/.github/workflows/build-single-image.yml 
@@ -93,9 +93,21 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt - echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key - az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license + CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + while read -r line; do + echo "::add-mask::${line}" + done <<< "${RHEL_CREDS}" + echo $RHEL_CREDS > rhel_license if: ${{ contains(inputs.target, 'plus') }} - name: Fetch Cached Binary Artifacts diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc3ed8bb53..b6e6c7ad70 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -450,8 +450,16 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt - echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key + CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key if: ${{ needs.checks.outputs.forked_workflow != 'true' }} - name: Authenticate to Google Cloud 
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 14fef2ea94..3fa66b2f6b 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -75,9 +75,21 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - echo $PLUS_CREDS | jq -r '.crt' > nginx-repo.crt - echo $PLUS_CREDS | jq -r '.key' > nginx-repo.key - az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv > rhel_license + CERT=$(echo $PLUS_CREDS | jq -r '.crt') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${CERT}" + echo $CERT > nginx-repo.crt + KEY=$(echo $PLUS_CREDS | jq -r '.key') + while read -r line; do + echo "::add-mask::${line}" + done <<< "${KEY}" + echo $KEY > nginx-repo.key + RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + while read -r line; do + echo "::add-mask::${line}" + done <<< "${RHEL_CREDS}" + echo $RHEL_CREDS > rhel_license if: ${{ inputs.authenticated }} - name: Authenticate to Google Cloud From 314ac6616e3eb7f03f646a4d837369f028c85a91 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Thu, 13 Nov 2025 16:54:57 +0000 Subject: [PATCH 3/3] change line break symbol --- .github/workflows/build-base-images.yml | 10 +++++----- .github/workflows/build-plus.yml | 6 +++--- .github/workflows/build-single-image.yml | 6 +++--- .github/workflows/ci.yml | 4 ++-- .github/workflows/setup-smoke.yml | 6 +++--- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 168071fc4b..eb2a96551a 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml 
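Review bot: This is the fifth verbatim copy of the same fetch-mask-write script across the five workflows (the `ci.yml` copy differs only in omitting `rhel-creds`), and the series already shows the cost: each correction in patches 2 and 3 had to be applied five times. Moving the block into a composite action under `.github/actions/` (inputs: vault name and whether to fetch the RHEL license) or a reusable `workflow_call` job makes future changes single-site and lets the masking and cleanup logic be reviewed once. The `id: secrets` on these steps sets no outputs and can be dropped.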
@@ -135,12 +135,12 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - CERT=$(echo $PLUS_CREDS | jq -r '.crt') + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') while read -r line; do echo "::add-mask::${line}" done <<< "${CERT}" echo $CERT > nginx-repo.crt - KEY=$(echo $PLUS_CREDS | jq -r '.key') + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') while read -r line; do echo "::add-mask::${line}" done <<< "${KEY}" @@ -232,17 +232,17 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - CERT=$(echo $PLUS_CREDS | jq -r '.crt') + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') while read -r line; do echo "::add-mask::${line}" done <<< "${CERT}" echo $CERT > nginx-repo.crt - KEY=$(echo $PLUS_CREDS | jq -r '.key') + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') while read -r line; do echo "::add-mask::${line}" done <<< "${KEY}" echo $KEY > nginx-repo.key - RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) while read -r line; do echo "::add-mask::${line}" done <<< "${RHEL_CREDS}" diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 8242d61d2f..36bc23aa2c 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
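Review bot: `IFS=@ CERT=$(…)` is a line containing only assignments, so in bash the `IFS=@` is not a per-command prefix but a persistent change to the shell's IFS for the rest of the step; it makes the later unquoted `echo $CERT` stop splitting on newlines, which is why the PEM now survives, but every subsequent unquoted expansion (`echo $PLUS_CREDS | jq …`, `echo $KEY`, `echo $RHEL_CREDS`) now depends on that side effect and on the values containing no `@`. The robust form needs no IFS change at all: quote the expansions and use `printf`, e.g. `printf '%s\n' "$CERT" > nginx-repo.crt`, `printf '%s\n' "$KEY" > nginx-repo.key`, and `printf '%s' "$PLUS_CREDS" | jq -er '.crt'`. If the IFS trick is kept, a comment such as `# IFS=@ so the unquoted echo below preserves newlines in the PEM` will stop the next maintainer from "fixing" it back to the broken form.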
@@ -77,17 +77,17 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - CERT=$(echo $PLUS_CREDS | jq -r '.crt') + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') while read -r line; do echo "::add-mask::${line}" done <<< "${CERT}" echo $CERT > nginx-repo.crt - KEY=$(echo $PLUS_CREDS | jq -r '.key') + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') while read -r line; do echo "::add-mask::${line}" done <<< "${KEY}" echo $KEY > nginx-repo.key - RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) while read -r line; do echo "::add-mask::${line}" done <<< "${RHEL_CREDS}" diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml index 2c1d181b17..ad3bc59fcd 100644 --- a/.github/workflows/build-single-image.yml +++ b/.github/workflows/build-single-image.yml 
@@ -93,17 +93,17 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - CERT=$(echo $PLUS_CREDS | jq -r '.crt') + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') while read -r line; do echo "::add-mask::${line}" done <<< "${CERT}" echo $CERT > nginx-repo.crt - KEY=$(echo $PLUS_CREDS | jq -r '.key') + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') while read -r line; do echo "::add-mask::${line}" done <<< "${KEY}" echo $KEY > nginx-repo.key - RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) while read -r line; do echo "::add-mask::${line}" done <<< "${RHEL_CREDS}" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b6e6c7ad70..a7e6cb9442 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -450,12 +450,12 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - CERT=$(echo $PLUS_CREDS | jq -r '.crt') + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') while read -r line; do echo "::add-mask::${line}" done <<< "${CERT}" echo $CERT > nginx-repo.crt - KEY=$(echo $PLUS_CREDS | jq -r '.key') + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') while read -r line; do echo "::add-mask::${line}" done <<< "${KEY}" diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 3fa66b2f6b..67c52f922d 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml 
@@ -75,17 +75,17 @@ jobs: echo "Setting secrets for job" PLUS_CREDS=$(az keyvault secret show --name plus-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) echo "::add-mask::$PLUS_CREDS" - CERT=$(echo $PLUS_CREDS | jq -r '.crt') + IFS=@ CERT=$(echo $PLUS_CREDS | jq -r '.crt') while read -r line; do echo "::add-mask::${line}" done <<< "${CERT}" echo $CERT > nginx-repo.crt - KEY=$(echo $PLUS_CREDS | jq -r '.key') + IFS=@ KEY=$(echo $PLUS_CREDS | jq -r '.key') while read -r line; do echo "::add-mask::${line}" done <<< "${KEY}" echo $KEY > nginx-repo.key - RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + IFS=@ RHEL_CREDS=$(az keyvault secret show --name rhel-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) while read -r line; do echo "::add-mask::${line}" done <<< "${RHEL_CREDS}"