
Commit 6135194

AlexFenlonpdabelf5
andauthored
Change to F5 runners for release builds (#1162)
Co-authored-by: Paul Abel <[email protected]>
1 parent 5755c79 commit 6135194


3 files changed

+540
-115
lines changed


.github/workflows/ci.yml

Lines changed: 142 additions & 34 deletions
@@ -4,8 +4,6 @@ on:
44
push:
55
branches:
66
- main
7-
tags:
8-
- "v[0-9]+.[0-9]+.[0-9]+"
97
pull_request:
108
branches:
119
- main
@@ -21,6 +19,33 @@ permissions:
2119
contents: read
2220

2321
jobs:
22+
variables:
23+
name: Variables
24+
runs-on: ubuntu-24.04
25+
permissions:
26+
contents: read
27+
outputs:
28+
go_proxy: ${{ steps.vars.outputs.go_proxy }}
29+
forked_workflow: ${{ steps.vars.outputs.forked_workflow }}
30+
31+
steps:
32+
- name: Checkout Repository
33+
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
34+
- name: Configure pipeline Variables
35+
id: vars
36+
run: |
37+
forked_workflow=${{ (github.event.pull_request && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) || github.repository != 'nginx/nginx-prometheus-exporter' }}
38+
echo "forked_workflow=${forked_workflow}" >> $GITHUB_OUTPUT
39+
if [ "$forked_workflow" = "false" ] && [ "${{ github.ref_name }}" != "${{ github.event.repository.default_branch }}" ]; then
40+
go_proxy="${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}"
41+
elif [ "${{ github.ref_name }}" = "${{ github.event.repository.default_branch }}" ]; then
42+
go_proxy="${{ secrets.ARTIFACTORY_ENDPOINT }}"
43+
else
44+
go_proxy="https://proxy.golang.org,direct"
45+
fi
46+
echo "go_proxy=${go_proxy}" >> $GITHUB_OUTPUT
47+
cat $GITHUB_OUTPUT
48+
2449
unit-tests:
2550
name: Unit Tests
2651
runs-on: ubuntu-24.04
@@ -43,14 +68,18 @@ jobs:
4368

4469
build-docker:
4570
name: Build Docker Image
46-
runs-on: ubuntu-24.04
71+
runs-on: ${{ github.event_name == 'pull_request' && 'ubuntu-24.04' || 'ubuntu-24.04-amd64' }}
4772
permissions:
4873
contents: write # for lucacome/draft-release to create/update release draft
4974
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
5075
id-token: write # for OIDC login to AWS ECR and goreleaser/goreleaser-action to sign artifacts
5176
packages: write # for docker/build-push-action to push to GHCR
5277
issues: write # for goreleaser/goreleaser-action to close milestones
53-
needs: unit-tests
78+
needs: [unit-tests, variables]
79+
env:
80+
GOPROXY: ${{ needs.variables.outputs.go_proxy }}
81+
outputs:
82+
binaries: ${{ steps.prom_binaries.outputs.json }}
5483
services:
5584
registry:
5685
image: registry:3
@@ -59,14 +88,22 @@ jobs:
5988
steps:
6089
- name: Checkout Repository
6190
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
62-
with:
63-
fetch-depth: 0
6491

6592
- name: Setup Golang Environment
6693
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
6794
with:
6895
go-version: stable
6996

97+
- name: Setup netrc
98+
run: |
99+
cat <<EOF > $HOME/.netrc
100+
machine azr.artifactory.f5net.com
101+
login ${{ secrets.ARTIFACTORY_USER }}
102+
password ${{ secrets.ARTIFACTORY_TOKEN }}
103+
EOF
104+
chmod 600 $HOME/.netrc
105+
if: needs.variables.outputs.forked_workflow == 'false'
106+
70107
- name: Setup QEMU
71108
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
72109

@@ -125,10 +162,6 @@ jobs:
125162
tags: |
126163
type=edge
127164
type=ref,event=pr
128-
type=schedule
129-
type=semver,pattern={{version}}
130-
type=semver,pattern={{major}}
131-
type=semver,pattern={{major}}.{{minor}}
132165
labels: |
133166
org.opencontainers.image.vendor=NGINX Inc <[email protected]>
134167
env:
@@ -139,51 +172,47 @@ jobs:
139172
with:
140173
minor-label: "enhancement"
141174
major-label: "change"
142-
publish: ${{ github.ref_type == 'tag' }}
175+
publish: false
143176
collapse-after: 30
144177
notes-footer: |
145178
## Upgrade
146179
147180
- Use the {{version}} image from our [DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/nginx-prometheus-exporter/pkgs/container/nginx-prometheus-exporter), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-prometheus-exporter) or [Quay.io](https://quay.io/repository/nginx/nginx-prometheus-exporter/tag/{{version-number}}?tab=tags).
148181
- Download the latest binaries from the [GitHub releases page](https://github.com/nginx/nginx-prometheus-exporter/releases/tag/{{version}}).
149-
- Update to the latest version with `brew upgrade nginx-prometheus-exporter`, `snap refresh nginx-prometheus-exporter` or `scoop update nginx-prometheus-exporter`.
182+
- Update to the latest version with `brew upgrade nginx-prometheus-exporter` or `scoop update nginx-prometheus-exporter`.
150183
151184
## Compatibility
152185
153186
- NGINX 0.1.18 or newer.
154187
- NGINX Plus R19 or newer.
155188
if: github.event_name != 'pull_request'
156189

190+
157191
- name: Download Syft
158192
uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
159-
if: github.ref_type == 'tag'
160-
161-
- name: Install Cosign
162-
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
163-
if: github.ref_type == 'tag'
164-
165-
- name: Setup Snapcraft
166-
run: |
167-
sudo snap install snapcraft --classic
168-
mkdir -p $HOME/.cache/snapcraft/download
169-
mkdir -p $HOME/.cache/snapcraft/stage-packages
170-
if: github.ref_type == 'tag'
171-
172-
- name: Install Nix
173-
uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31
174-
with:
175-
github_access_token: ${{ secrets.GITHUB_TOKEN }}
176-
if: github.ref_type == 'tag'
193+
if: github.event_name != 'pull_request'
177194

178195
- name: Run GoReleaser
179196
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
180197
with:
181198
version: v2.12.5 # renovate: datasource=github-tags depName=goreleaser/goreleaser
182-
args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} --clean
199+
args: build --snapshot --clean
183200
env:
184201
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
185202
NGINX_GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
186-
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN }}
203+
204+
- name: Extract NGINX Prometheus Exporter binary info
205+
id: prom_binaries
206+
run: |
207+
curl -sSL https://raw.githubusercontent.com/nginx/k8s-common/main/files/binary-json.sh -o binary-json.sh
208+
chmod +x binary-json.sh
209+
echo "json=$(./binary-json.sh ${{ github.workspace }}/dist ${{ github.event.repository.name }} "nginx-prometheus-exporter")" >> $GITHUB_OUTPUT
210+
211+
- name: Store Artifacts in Cache
212+
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
213+
with:
214+
path: ${{ github.workspace }}/dist
215+
key: nginx-prometheus-exporter-${{ github.sha }}
187216

188217
- name: Print NGINX Prometheus Exporter info
189218
run: ./dist/nginx-prometheus-exporter_linux_amd64_v1/nginx-prometheus-exporter --version
@@ -199,7 +228,7 @@ jobs:
199228
tags: ${{ steps.meta.outputs.tags }}
200229
labels: ${{ steps.meta.outputs.labels }}
201230
annotations: ${{ steps.meta.outputs.annotations }}
202-
push: true
231+
push: ${{ github.event_name != 'pull_request' }}
203232
cache-from: type=gha,scope=exporter
204233
cache-to: type=gha,scope=exporter,mode=max
205234
no-cache: ${{ github.event_name != 'pull_request' }}
@@ -211,12 +240,91 @@ jobs:
211240
id: scan
212241
continue-on-error: true
213242
with:
214-
image: localhost:5000/nginx/nginx-prometheus-exporter:${{ steps.meta.outputs.version }}
243+
image: localhost:5000/nginx/nginx-prometheus-exporter:edge
215244
only-fixed: true
216245
add-cpes-if-none: true
246+
if: github.event_name != 'pull_request'
217247

218248
- name: Upload scan result to GitHub Security tab
219249
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
220250
continue-on-error: true
221251
with:
222252
sarif_file: ${{ steps.scan.outputs.sarif }}
253+
if: github.event_name != 'pull_request'
254+
255+
- name: Clean up NETRC
256+
run: |
257+
rm -f $HOME/.netrc
258+
if: ${{ always() }}
259+
260+
generate-assertion-doc:
261+
if: ${{ github.event_name != 'pull_request' }}
262+
name: Assertion Doc ${{ matrix.prometheus.arch }}
263+
needs: [build-docker, variables]
264+
runs-on: ubuntu-24.04-amd64
265+
permissions:
266+
contents: read
267+
id-token: write # for compliance-rules action to sign assertion doc
268+
strategy:
269+
fail-fast: false
270+
matrix:
271+
prometheus: ${{ fromJSON( needs.build-docker.outputs.binaries ) }}
272+
steps:
273+
- name: Checkout Repository
274+
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
275+
276+
- name: Setup Golang Environment
277+
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
278+
with:
279+
go-version-file: go.mod
280+
281+
- name: Setup netrc
282+
run: |
283+
cat <<EOF > $HOME/.netrc
284+
machine azr.artifactory.f5net.com
285+
login ${{ secrets.ARTIFACTORY_USER }}
286+
password ${{ secrets.ARTIFACTORY_TOKEN }}
287+
EOF
288+
chmod 600 $HOME/.netrc
289+
290+
- name: Fetch Cached Artifacts
291+
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
292+
with:
293+
path: ${{ github.workspace }}/dist
294+
key: nginx-prometheus-exporter-${{ github.sha }}
295+
fail-on-cache-miss: true
296+
297+
- name: List packages in Go binary
298+
id: godeps
299+
env:
300+
GOPROXY: ${{ needs.variables.outputs.go_proxy }}
301+
run: |
302+
go version -m ${{ matrix.prometheus.path }} > go_version_out_${{ github.run_id }}_${{ github.run_number }}.txt
303+
echo "go_version_out=$(find -type f -name "go_version_out*.txt" | head -n 1)" >> $GITHUB_OUTPUT
304+
echo "artifact_digest=$(openssl dgst -sha256 -r ${{ matrix.prometheus.path }} | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
305+
cat $GITHUB_OUTPUT
306+
307+
- name: Generate Assertion Document
308+
id: assertiondoc
309+
uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
310+
with:
311+
artifact-name: "${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.prometheus.os }}_${{ matrix.prometheus.arch }}"
312+
artifact-digest: ${{ steps.godeps.outputs.artifact_digest }}
313+
build-type: "github.com"
314+
builder-id: "github"
315+
builder-version: v0.1.0
316+
started-on: ${{ github.event.head_commit.timestamp }}
317+
finished-on: ${{ github.event.head_commit.timestamp }}
318+
invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
319+
artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
320+
artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
321+
artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
322+
artifactory-repo: 'f5-nginx-go-local-approved-dependency'
323+
assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.prometheus.os }}_${{ matrix.prometheus.arch }}.json
324+
build-content-path: ${{ steps.godeps.outputs.go_version_out }}
325+
326+
- name: Sign and Store Assertion Document
327+
id: sign
328+
uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
329+
with:
330+
assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}
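Review bot: The new "Extract NGINX Prometheus Exporter binary info" step in build-docker downloads `binary-json.sh` from the `main` branch of nginx/k8s-common and executes it, so the release build's artifact metadata (and the matrix that feeds generate-assertion-doc) depends on a mutable remote script, while every `uses:` in this file is pinned to a commit SHA. Pinning the raw URL to a commit and checking a digest before running it would close that gap, e.g. `curl -sSL https://raw.githubusercontent.com/nginx/k8s-common/<pinned-commit-sha>/files/binary-json.sh -o binary-json.sh` followed by `echo "<expected-sha256>  binary-json.sh" | sha256sum -c -` (both placeholders to be filled in from the vendored revision). Separately, generate-assertion-doc writes ARTIFACTORY_USER/ARTIFACTORY_TOKEN into `$HOME/.netrc` in its "Setup netrc" step but, unlike build-docker, has no `rm -f $HOME/.netrc` step under `if: ${{ always() }}`; if `ubuntu-24.04-amd64` is a self-hosted runner, as the commit title suggests, the file outlives the job. Passing the two secrets through `env:` and referencing them as `$ARTIFACTORY_USER`/`$ARTIFACTORY_TOKEN` inside the heredoc would also keep their values out of the rendered script in both jobs.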
