assertion.yml
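---
# Builds a per-architecture build-provenance ("assertion") document for an
# nginx-agent binary produced by an earlier workflow run, and optionally signs
# and stores it.
#
# Inputs (workflow_dispatch only):
#   packageVersion  agent version; used to name the artifact, the output
#                   document and the "go version -m" dump
#   runId           id of the run whose nginx-agent-binaries-* artifacts are
#                   downloaded and described
#   signAssertion   when true, the generated document is also signed/stored
name: Generate and Sign Assertion Document

on:
  workflow_dispatch:
    inputs:
      packageVersion:
        description: 'Agent version'
        type: string
        required: true
      runId:
        description: 'Run ID of the workflow that built the artifacts'
        type: string
        required: true
      signAssertion:
        description: 'Sign and store the assertion document'
        type: boolean
        required: false
        default: false

# Token permissions for every job; jobs widen only what they need.
permissions:
  contents: read

jobs:
  build-assertion-document:
    name: Create Assertion Document
    runs-on: ubuntu-22.04
    # Always true under workflow_dispatch (github.event.pull_request is unset);
    # kept only so the fork guard survives if a pull_request trigger is added.
    if: ${{ !github.event.pull_request.head.repo.fork }}
    permissions:
      id-token: write   # OIDC token for the signing step
      contents: read    # download the build run's artifacts
    strategy:
      matrix:
        osarch: [amd64, arm64]
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Download nginx-agent binary artifacts
        # runId is a required input, so this guard is effectively always true.
        if: ${{ inputs.runId != '' }}
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # 8.0.0
        with:
          name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }}
          path: binaries
          run-id: ${{ inputs.runId }}
          github-token: ${{ github.token }}

      - name: Gather build dependencies
        id: godeps
        # Exports agent_digest, agent_buildstart, agent_buildend and goversionm
        # through GITHUB_ENV for the assertion step below.
        run: |
          set -euo pipefail
          ls -la binaries

          # The sidecar files come from the downloaded artifact, not from this
          # workflow, so they are treated as data rather than trusted text:
          # only the first field of the first line is taken (a multi-line file
          # could otherwise append arbitrary variables to GITHUB_ENV), the value
          # must look like a SHA-256 digest, and it must equal the digest of the
          # binary that "go version -m" inspects below, so the assertion
          # document attests to the file that was actually examined.
          # NOTE(review): if nginx-agent.sha256 is meant to describe a different
          # file than binaries/nginx-agent, adjust the comparison rather than
          # dropping it.
          agent_digest="$(awk '{print $1; exit}' binaries/nginx-agent.sha256)"
          if ! [[ "$agent_digest" =~ ^[0-9a-f]{64}$ ]]; then
            echo "::error::binaries/nginx-agent.sha256 does not hold a SHA-256 digest: '$agent_digest'"
            exit 1
          fi
          actual_digest="$(sha256sum binaries/nginx-agent | awk '{print $1}')"
          if [[ "$agent_digest" != "$actual_digest" ]]; then
            echo "::error::digest mismatch: sidecar=$agent_digest computed=$actual_digest"
            exit 1
          fi
          agent_buildstart="$(head -n 1 binaries/nginx-agent.buildstart)"
          agent_buildend="$(head -n 1 binaries/nginx-agent.buildend)"
          {
            echo "agent_digest=$agent_digest"
            echo "agent_buildstart=$agent_buildstart"
            echo "agent_buildend=$agent_buildend"
          } >> "$GITHUB_ENV"

          echo "Checking dependencies..."
          # Module list embedded in the binary; consumed as build-content-path.
          # run_id/run_number are integers, so interpolating them here is safe.
          goversionm="goversionm_${{ github.run_id }}_${{ github.run_number }}.txt"
          go version -m binaries/nginx-agent > "$goversionm"
          ls -l "$goversionm"
          echo "goversionm=$goversionm" >> "$GITHUB_ENV"

      - name: Generate Assertion Document
        id: assertiondoc
        uses: nginxinc/compliance-rules/.github/actions/assertion@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
        with:
          artifact-name: nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}
          # Key must match the one written to GITHUB_ENV above (underscore, not
          # hyphen) — a mismatch silently yields an empty digest in the document.
          artifact-digest: ${{ env.agent_digest }}
          build-type: 'github'
          builder-id: 'github.com'
          # NOTE(review): env.GO_VERSION is not set anywhere in this workflow
          # (there is no top-level env: block), so this expands to "_test" —
          # confirm where it is meant to come from.
          builder-version: '${{ env.GO_VERSION }}_test'
          invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
          # NOTE(review): none of these env.artifactory-* values are defined in
          # this workflow either and will expand to empty strings; they
          # presumably belong in the secrets./vars. contexts (the API token in
          # particular should never be a plain env value) — confirm.
          artifactory-user: ${{ env.artifactory-user }}
          artifactory-api-token: ${{ env.artifactory-token }}
          artifactory-url: ${{ env.artifactory-url }}
          artifactory-repo: 'f5-nginx-go-local-approved-dependency'
          assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json
          build-content-path: ${{ env.goversionm }}
          started-on: '${{ env.agent_buildstart }}'
          finished-on: '${{ env.agent_buildend }}'

      - name: Sign and Store Assertion Document
        id: sign
        if: ${{ inputs.signAssertion == true }}
        uses: nginxinc/compliance-rules/.github/actions/sign@0aab935582c35a00e2c671d8fe25b7fdd72a927b # v0.3.1
        with:
          assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}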