diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c4cfdb0aa2..e8061ac455 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -248,6 +248,9 @@ jobs: unit-tests: name: Unit Tests runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write needs: checks env: GOPROXY: ${{ needs.checks.outputs.go_proxy }} @@ -260,6 +263,23 @@ jobs: with: version: 'v3.18.6' + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + if: ${{ inputs.force || (needs.checks.outputs.binary_cache_hit != 'true' && needs.checks.outputs.forked_workflow != 'true') }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + CODECOV_TOKEN=$(az keyvault secret show --name code-cov --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$CODECOV_TOKEN" + echo "CODECOV_TOKEN=$CODECOV_TOKEN" >> $GITHUB_OUTPUT + if: ${{ inputs.force || (needs.checks.outputs.binary_cache_hit != 'true' && needs.checks.outputs.forked_workflow != 'true') }} + - name: Setup Golang Environment uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: @@ -284,7 +304,7 @@ jobs: uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: files: ./coverage.txt - token: ${{ secrets.CODECOV_TOKEN }} # required + token: ${{ steps.secrets.outputs.CODECOV_TOKEN }} # required if: ${{ needs.checks.outputs.binary_cache_hit != 'true' && (inputs.run_tests && inputs.run_tests || true) }} - name: Run static check diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml index 8fd0199743..a236f79c7f 100644 --- a/.github/workflows/notifications.yml +++ b/.github/workflows/notifications.yml 
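Review bot: In the new `Setup secrets` step the vault name is spliced into the shell script via `${{ secrets.NIC_KEYVAULT_NAME }}` and the token is appended to an unquoted `$GITHUB_OUTPUT`; both work, but the more robust form is to hand the name to the script through the step's `env:` and quote the output path, e.g. `env:` / `KEYVAULT_NAME: "${{ secrets.NIC_KEYVAULT_NAME }}"` on the step, then `CODECOV_TOKEN=$(az keyvault secret show --name code-cov --vault-name "$KEYVAULT_NAME" --query value -o tsv)` and `echo "CODECOV_TOKEN=$CODECOV_TOKEN" >> "$GITHUB_OUTPUT"`. A step output is not a secret-typed value, so the only thing keeping it out of the log is the `::add-mask::` line; it is correctly placed before the value is written here and should stay first in every copy. The same step body recurs in the notifications.yml, oss-release.yml, plus-release.yml, regression.yml and release.yml hunks below and would benefit from the same treatment. A short comment above the step, such as `# Fetch job secrets from Key Vault via OIDC; values are masked before being exported as step outputs`, would explain the indirection to the next reader.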
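Review bot: The codecov upload now reads `steps.secrets.outputs.CODECOV_TOKEN`, but its `if:` (`binary_cache_hit != 'true' && ...`) is not the same guard as the producer step, which additionally requires `inputs.force || forked_workflow != 'true'`; when `Setup secrets` is skipped the upload still runs with an empty token. Previously the fork case also yielded an empty `secrets.CODECOV_TOKEN`, so this is likely equivalent in practice, but making the dependency explicit avoids a silent failure mode, e.g. `if: ${{ steps.secrets.outcome == 'success' && needs.checks.outputs.binary_cache_hit != 'true' }}`. The `(inputs.run_tests && inputs.run_tests || true)` sub-expression in that condition is always truthy and could be dropped while the line is being touched.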
@@ -26,6 +26,7 @@ jobs: permissions: contents: read actions: read # for 8398a7/action-slack + id-token: write # for Azure login steps: - name: Data uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -48,6 +49,21 @@ jobs: commit_message: message_sanitized, } + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + SLACK_WEBHOOK=$(az keyvault secret show --name slack-pipeline-webhook --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT + - name: Send Notification uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0 with: @@ -83,4 +99,4 @@ jobs: }] } env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} + SLACK_WEBHOOK_URL: ${{ steps.secrets.outputs.SLACK_WEBHOOK }} diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index c746f482ee..364e25f197 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml 
@@ -121,6 +121,21 @@ jobs: with: ref: ${{ inputs.branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + AWS_ROLE_PUBLIC_ECR=$(az keyvault secret show --name aws-public-role --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$AWS_ROLE_PUBLIC_ECR" + echo "AWS_ROLE_PUBLIC_ECR=$AWS_ROLE_PUBLIC_ECR" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: gcr-auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -140,7 +155,7 @@ jobs: uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: aws-region: us-east-1 - role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }} + role-to-assume: ${{ steps.secrets.outputs.AWS_ROLE_PUBLIC_ECR }} - name: Login to Public ECR uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 
@@ -214,6 +229,26 @@ jobs: with: ref: ${{ inputs.branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + QUAY_CREDS=$(az keyvault secret show --name quay-creds --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$QUAY_CREDS" + QUAY_USERNAME=$(echo $QUAY_CREDS | jq -r '.username') + echo "::add-mask::$QUAY_USERNAME" + echo "QUAY_USERNAME=$QUAY_USERNAME" >> $GITHUB_OUTPUT + QUAY_ROBOT_TOKEN=$(echo $QUAY_CREDS | jq -r '.token') + echo "::add-mask::$QUAY_ROBOT_TOKEN" + echo "QUAY_ROBOT_TOKEN=$QUAY_ROBOT_TOKEN" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: gcr-auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -233,8 +268,8 @@ jobs: uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_ROBOT_TOKEN }} + username: ${{ steps.secrets.outputs.QUAY_USERNAME }} + password: ${{ steps.secrets.outputs.QUAY_ROBOT_TOKEN }} - name: Publish images run: | diff --git a/.github/workflows/plus-release.yml b/.github/workflows/plus-release.yml index 3509c33102..f621706016 100644 --- a/.github/workflows/plus-release.yml +++ b/.github/workflows/plus-release.yml 
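Review bot: In the quay `Setup secrets` step, `jq -r '.username'` prints the literal string `null` and exits 0 when the key is absent from the vault JSON, so the later `docker/login-action` would be attempted with the username `null` rather than the step failing; `jq -e` makes a null or false result a non-zero exit. The JSON is also fed through an unquoted `echo $QUAY_CREDS`, which subjects the secret to word splitting and glob expansion. Suggested form: `QUAY_USERNAME=$(jq -er '.username' <<< "$QUAY_CREDS")` and `QUAY_ROBOT_TOKEN=$(jq -er '.token' <<< "$QUAY_CREDS")`. The azure-storage step in release.yml parses `.account` and `.bucket` the same way and has the same issue; there the unquoted `-c` and `--account-name` arguments in the upload loop would silently receive `null`.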
@@ -215,6 +215,21 @@ jobs: with: ref: ${{ inputs.branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + AWS_ROLE_MARKETPLACE=$(az keyvault secret show --name aws-mktpl-role --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$AWS_ROLE_MARKETPLACE" + echo "AWS_ROLE_MARKETPLACE=$AWS_ROLE_MARKETPLACE" >> $GITHUB_OUTPUT + - name: Authenticate to Google Cloud id: gcr-auth uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 @@ -234,7 +249,7 @@ jobs: uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 with: aws-region: us-east-1 - role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }} + role-to-assume: ${{ steps.secrets.outputs.AWS_ROLE_MARKETPLACE }} - name: Login to ECR uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index f85cac6e51..5505e5964f 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -83,6 +83,9 @@ jobs: unit-tests: name: Unit Tests runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write needs: [checks] steps: - name: Checkout Repository 
@@ -90,6 +93,21 @@ jobs: with: ref: ${{ needs.checks.outputs.branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + CODECOV_TOKEN=$(az keyvault secret show --name code-cov --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$CODECOV_TOKEN" + echo "CODECOV_TOKEN=$CODECOV_TOKEN" >> $GITHUB_OUTPUT + - name: Setup Helm uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 with: @@ -107,7 +125,7 @@ jobs: uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: files: ./coverage.txt - token: ${{ secrets.CODECOV_TOKEN }} # required + token: ${{ steps.secrets.outputs.CODECOV_TOKEN }} # required helm-tests: name: Helm Tests ${{ matrix.base-os }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 88e2f3baa7..d9c481a592 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -437,11 +437,26 @@ jobs: # with: # ref: ${{ inputs.release_branch }} + # - name: Azure login + # uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + # with: + # client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + # - name: Setup secrets + # id: secrets + # run: | + # echo "Setting secrets for job" + # AWS_ROLE_MARKETPLACE=$(az keyvault secret show --name aws-mktpl-role --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + # echo "::add-mask::$AWS_ROLE_MARKETPLACE" + # echo "AWS_ROLE_MARKETPLACE=$AWS_ROLE_MARKETPLACE" >> $GITHUB_OUTPUT + # - name: Configure AWS Credentials # uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 # with: # aws-region: us-east-1 - # role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }} + # role-to-assume: ${{ steps.secrets.outputs.AWS_ROLE_MARKETPLACE }} # - name: Publish to AWS Marketplace # uses: nginx/aws-marketplace-publish@accf7b4c725796b744f2ee27acc2488d76f63d32 # v1.0.8 @@ -527,6 +542,19 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + AZURE_STORAGE=$(az keyvault secret show --name azure-storage --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$AZURE_STORAGE" + AZURE_STORAGE_ACCOUNT=$(echo $AZURE_STORAGE | jq -r '.account') + echo "::add-mask::$AZURE_STORAGE_ACCOUNT" + echo "AZURE_STORAGE_ACCOUNT=$AZURE_STORAGE_ACCOUNT" >> $GITHUB_OUTPUT + AZURE_BUCKET_NAME=$(echo $AZURE_STORAGE | jq -r '.bucket') + echo "::add-mask::$AZURE_BUCKET_NAME" + echo "AZURE_BUCKET_NAME=$AZURE_BUCKET_NAME" >> $GITHUB_OUTPUT + - name: Azure Upload Release Packages uses: azure/CLI@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0 with: 
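Review bot: The `Setup secrets` step added in the second hunk runs under the job's existing Azure login, which the surrounding context shows authenticates with `secrets.AZURE_TENANT_ID`/`AZURE_SUBSCRIPTION_ID`, not the `AZURE_VAULT_*` identity every other workflow in this change uses for Key Vault reads. If that is intentional, the identity used for the storage upload now also needs `get` on the vault's secrets, which widens its grants; if it is not, a separate `azure/login` with the `AZURE_VAULT_*` inputs before this step would keep the two roles apart. Either way a one-line comment on the step stating which identity is expected to read the vault would make the intent reviewable. The first hunk only edits commented-out lines, so it needs no change.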
@@ -534,8 +562,8 @@ jobs: for i in $(find tarballs -type f); do echo -n "Uploading ${i} to kubernetes-ingress/v${{ inputs.nic_version }}/${i##*/} ... " if ${{ ! inputs.dry_run}}; then - az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_BUCKET_NAME }} \ - --account-name ${{ secrets.AZURE_STORAGE_ACCOUNT }} --overwrite -n kubernetes-ingress/v${{ inputs.nic_version }}/${i##*/} + az storage blob upload --auth-mode=login -f "$i" -c ${{ steps.secrets.outputs.AZURE_BUCKET_NAME }} \ + --account-name ${{ steps.secrets.outputs.AZURE_STORAGE_ACCOUNT }} --overwrite -n kubernetes-ingress/v${{ inputs.nic_version }}/${i##*/} echo "done" else echo "skipped, dry_run." @@ -635,6 +663,7 @@ jobs: permissions: contents: read actions: read + id-token: write strategy: fail-fast: false matrix: @@ -645,6 +674,21 @@ jobs: with: ref: ${{ inputs.release_branch }} + - name: Azure login + uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + with: + client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + + - name: Setup secrets + id: secrets + run: | + echo "Setting secrets for job" + SLACK_WEBHOOK=$(az keyvault secret show --name slack-pipeline-webhook --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv) + echo "::add-mask::$SLACK_WEBHOOK" + echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT + - name: Get Image manifest digest id: digest run: | @@ -701,4 +745,4 @@ jobs: }] } env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} + SLACK_WEBHOOK_URL: ${{ steps.secrets.outputs.SLACK_WEBHOOK }}