
Commit cf38a6f

authored
Add assertion doc job (#3929)
Use the actions provided by compliance-rules to generate and sign an assertion document
1 parent a2ee4c4 commit cf38a6f


1 file changed

+132
-8
lines changed


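--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,7 +45,6 @@ jobs:
 min_k8s_version: ${{ steps.vars.outputs.min_k8s_version }}
 k8s_latest: ${{ steps.vars.outputs.k8s_latest }}
 helm_changes: ${{ steps.filter.outputs.charts }}
-goproxy: ${{ steps.goproxy.outputs.goproxy }}
 steps:
 - name: Checkout Repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -64,7 +63,6 @@ jobs:
 echo "Development mode - using dev Artifactory"
 GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}"
 fi
-echo "goproxy=${GOPROXY_VALUE}" >> $GITHUB_OUTPUT
 echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
 
 - name: Setup Golang Environment
@@ -105,12 +103,20 @@ jobs:
 name: Unit Tests
 runs-on: ubuntu-24.04
 needs: vars
-env:
-GOPROXY: ${{ needs.vars.outputs.goproxy }}
 steps:
 - name: Checkout Repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+- name: Configure GOPROXY
+id: goproxy
+run: |
+if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then
+GOPROXY_VALUE="direct"
+else
+GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}"
+fi
+echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
+
 - name: Setup Golang Environment
 uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
 with:
@@ -159,8 +165,8 @@ jobs:
 name: Build Binary
 runs-on: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
 needs: [vars, unit-tests, njs-unit-tests]
-env:
-GOPROXY: ${{ needs.vars.outputs.goproxy }}
+outputs:
+json: ${{ steps.gateway_binaries.outputs.json }}
 permissions:
 contents: write # for goreleaser/goreleaser-action and lucacome/draft-release to create/update releases
 id-token: write # for goreleaser/goreleaser-action to sign artifacts
@@ -171,6 +177,21 @@ jobs:
 with:
 fetch-depth: 0
 
+- name: Configure GOPROXY
+id: goproxy
+run: |
+if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then
+echo "No Artifactory secrets available - using direct GOPROXY"
+GOPROXY_VALUE="direct"
+elif [[ "${{ inputs.is_production_release }}" == "true" ]] || [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
+echo "Production mode - using production Artifactory"
+GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_ENDPOINT }}"
+else
+echo "Development mode - using dev Artifactory"
+GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}"
+fi
+echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
+
 - name: Setup Golang Environment
 uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
 with:
@@ -220,12 +241,107 @@ jobs:
 TELEMETRY_ENDPOINT: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-') && 'oss-dev.edge.df.f5.com:443' || 'oss.edge.df.f5.com:443' }}
 TELEMETRY_ENDPOINT_INSECURE: "false"
 
+- name: Extract gateway binaries info
+id: gateway_binaries
+run: |
+set -e
+binaries=()
+for bin in $(find ${{ github.workspace }}/dist -type f -name "gateway"); do
+dir=$(basename $(dirname "$bin"))
+if [[ "$dir" =~ gateway_([a-zA-Z0-9]+)_([a-zA-Z0-9]+) ]]; then
+os="${BASH_REMATCH[1]}"
+arch="${BASH_REMATCH[2]}"
+digest=$(sha256sum "$bin" | cut -d' ' -f1)
+binaries+=("{\"path\":\"$bin\",\"os\":\"$os\",\"arch\":\"$arch\",\"digest\":\"$digest\"}")
+fi
+done
+# Join array elements with commas
+IFS=','
+json="[${binaries[*]}]"
+echo "Generated JSON: $json"
+echo "json=$json" >> $GITHUB_OUTPUT
+
 - name: Cache Artifacts
 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: ${{ github.workspace }}/dist
 key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
 
+assertion:
+name: Generate and Sign Assertion Documents
+needs: [vars, binary]
+if: ${{ inputs.is_production_release }}
+permissions:
+contents: read
+id-token: write # for compliance-rules action to sign assertion doc
+runs-on: ubuntu-24.04
+strategy:
+fail-fast: false
+matrix:
+gateway: ${{ fromJson(needs.binary.outputs.json) }}
+steps:
+- name: Checkout Repository
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+- name: Configure GOPROXY
+id: goproxy
+run: |
+if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then
+echo "No Artifactory secrets available - using direct GOPROXY"
+GOPROXY_VALUE="direct"
+elif [[ "${{ inputs.is_production_release }}" == "true" ]] || [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
+echo "Production mode - using production Artifactory"
+GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_ENDPOINT }}"
+else
+echo "Development mode - using dev Artifactory"
+GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}"
+fi
+echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
+
+- name: Setup Golang Environment
+uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+with:
+go-version: stable
+
+- name: Fetch Cached Artifacts
+uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+with:
+path: ${{ github.workspace }}/dist
+key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
+
+- name: List Dependencies in Go Binary
+id: godeps
+run: |
+go version -m dist/gateway_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}*/gateway > goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.txt
+echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_OUTPUT
+goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)
+cat $goversionm
+
+- name: Generate Assertion Document
+id: assertiondoc
+uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6
+with:
+artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}
+artifact-digest: ${{ matrix.gateway.digest }}
+build-type: 'github'
+builder-id: 'github.com'
+builder-version: '0.1.0-xyz'
+invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ strategy.job-index }}
+started-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
+finished-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
+artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
+artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
+artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
+artifactory-repo: 'f5-nginx-go-local-approved-dependency'
+build-content-path: ${{ steps.godeps.outputs.goversionm }}
+assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json
+
+- name: Sign and Store Assertion Document
+id: sign
+uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6
+with:
+assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}
+
 build-oss:
 name: Build OSS images
 needs: [vars, binary]
@@ -362,12 +478,20 @@ jobs:
 name: CEL Tests
 runs-on: ubuntu-24.04
 needs: vars
-env:
-GOPROXY: ${{ needs.vars.outputs.goproxy }}
 steps:
 - name: Checkout Repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+- name: Configure GOPROXY
+id: goproxy
+run: |
+if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then
+GOPROXY_VALUE="direct"
+else
+GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}"
+fi
+echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
+
 - name: Setup Golang Environment
 uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
 with: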
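Review bot: The `Configure GOPROXY` step added to the new `assertion` job can never reach its `else` (dev Artifactory) branch, because the job is gated by `if: ${{ inputs.is_production_release }}` and that same input is the first test of the `elif`, so the dev branch there is dead code and the step could be reduced to the secrets-present check plus the production URL. The same step is now pasted into the Unit Tests, Build Binary, Assertion and CEL Tests jobs, and every copy interpolates `${{ secrets.ARTIFACTORY_TOKEN }}` directly into the script text before writing the credentialed URL to `$GITHUB_ENV`; binding the secrets on the step with an `env:` block (`ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}`) and reading `$ARTIFACTORY_TOKEN` in the script keeps the token out of the rendered script body, and moving the logic into one composite action would stop the four copies from drifting. `Fetch Cached Artifacts` pins `actions/cache` at `0400d5f6… # v4.2.4` while the producing `Cache Artifacts` step in Build Binary uses `0057852b… # v4.3.0`, and the two `nginxinc/compliance-rules` pins carry no `# vX.Y.Z` comment like every other `uses:` line in the file, so their provenance is harder to audit. `started-on` and `finished-on` are both set to the same event timestamp, so the assertion document records the trigger time rather than an actual build window; if the action accepts it, `finished-on` could be taken from the step's own clock. Whether goreleaser emits sibling output directories sharing an arch prefix (for example `arm` next to `arm64`) is not visible here; if it does, the glob `dist/gateway_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}*/gateway` in `List Dependencies in Go Binary` would hand several binaries to `go version -m`, and the `path` already captured in the matrix JSON could be used instead.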
