From 17eebf23b27026afa12860ecee3d79c3a1ea0378 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 31 Jul 2024 11:19:19 +0100
Subject: [PATCH 1/3] ensure nginx-agent is installed on WAF images

---
 .github/workflows/build-base-images.yml | 3 +++
 .github/workflows/build-plus.yml | 6 +++++-
 .github/workflows/ci.yml | 3 +++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index 5e1312990c..acb49511f6 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -213,6 +213,8 @@ jobs:
 run: |
 [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.nap_modules }}"
 echo "modules=${modules}" >> $GITHUB_OUTPUT
+ [[ "${{ matrix.nap_modules }}" =~ waf ]] && agent="true" || agent="false"
+ echo "agent=${agent}" >> $GITHUB_OUTPUT
 if: ${{ matrix.nap_modules != '' }}
 - name: Docker meta
@@ -242,6 +244,7 @@ jobs:
 BUILD_OS=${{ matrix.image }}
 IC_VERSION=${{ needs.checks.outputs.ic_version }}
 NAP_MODULES=${{ matrix.nap_modules }}
+ ${{ contains(matrix.nap_modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
 secrets: |
 "nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
 "nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index c2f9c376bc..024744aaa2 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
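Review bot: The new `[[ "${{ matrix.nap_modules }}" =~ waf ]]` line repeats the pattern of expanding a workflow expression straight into the `run:` script, which is the shape GitHub's script-injection guidance warns against; the matrix values are defined in this workflow so the exposure is low, but routing the value through the step's `env:` keeps template text out of the shell: `env: NAP_MODULES: ${{ matrix.nap_modules }}` on the step and `[[ "$NAP_MODULES" =~ waf ]]` in the script. The `=~ waf` match is also unanchored, so any future module name that merely contains `waf` sets `agent=true`; `[[ "$NAP_MODULES" == *waf* ]]` states the substring intent explicitly, or compare against the exact values `waf` and `waf,dos`. The step's enclosing job starts above the hunk.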
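Review bot: The guard `contains(matrix.nap_modules,'waf')` and the `steps.nap_modules.outputs.agent` value it formats are computed from the same predicate, so the added build-arg line can only ever expand to `NGINX_AGENT=true` or to nothing — the `agent=false` branch written in the shell step is unreachable from here. Simplifying to `${{ contains(matrix.nap_modules,'waf') && 'NGINX_AGENT=true' || '' }}` and dropping the two shell lines removes the dead path; dropping the `contains` guard instead would be worse, because the step is skipped when `nap_modules` is empty and an empty `NGINX_AGENT=` line would then reach the build. The `build-args:` key this line belongs to starts above the hunk.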
@@ -89,9 +89,11 @@ jobs:
 id: nap_modules
 run: |
 [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ inputs.nap-modules }}"
+ echo "name=${name}" >> $GITHUB_OUTPUT
 [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="both" || modules="${{ inputs.nap-modules }}"
 echo "modules=${modules}" >> $GITHUB_OUTPUT
- echo "name=${name}" >> $GITHUB_OUTPUT
+ [[ "${{ inputs.nap-modules }}" =~ waf ]] && agent="true" || agent="false"
+ echo "agent=${agent}" >> $GITHUB_OUTPUT
 if: ${{ inputs.nap-modules != '' }}
 - name: Docker meta
@@ -149,6 +151,7 @@ jobs:
 BUILD_OS=${{ inputs.image }}
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
+ ${{ contains(inputs.nap-modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
 secrets: |
 "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
 "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
@@ -202,6 +205,7 @@ jobs:
 ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_name.outputs.image ) }}
 IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
 ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
+ ${{ contains(inputs.nap-modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
 ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
 ${{ contains(inputs.image, 'v5') && 'WAF_VERSION=v5' || '' }}
 secrets: |
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4670ca5b04..347e24ad1a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
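Review bot: The relocated `echo "name=${name}" >> $GITHUB_OUTPUT` line publishes an empty `name` whenever `inputs.nap-modules` is `waf,dos`, because the first script line assigns `modules="waf-dos"` in its `&&` branch and only assigns `name` in the `||` branch; unless that value is never passed by callers, the downstream `NAP_MODULES=` build-arg is then blank. It looks like `name="waf-dos"` was intended on that first line, which would also leave the following `modules="both"` line as the sole writer of `modules`. As in the sibling workflows, the `=~ waf` match is unanchored and `${{ inputs.nap-modules }}` is expanded directly into the shell; since `inputs` of a reusable workflow are caller-controlled, `env: NAP_MODULES: ${{ inputs.nap-modules }}` on the step with `"$NAP_MODULES"` in the script is the safer shape. The step's job starts above the hunk.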
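Review bot: The added `NGINX_AGENT` build-arg is guarded by `contains(inputs.nap-modules,'waf')` and then formats `steps.nap_modules.outputs.agent`, which the shell step sets from the identical predicate, so only `NGINX_AGENT=true` can ever be emitted here and the `agent=false` output is dead. `${{ contains(inputs.nap-modules,'waf') && 'NGINX_AGENT=true' || '' }}` expresses the same result without the extra step output; the `contains` guard itself should stay, because the step is skipped when `nap-modules` is empty and its outputs would then be blank. Note that `steps.nap_modules.outputs.name` on the line above is empty for the `waf,dos` case as the script step earlier in this file is written. The `build-args:` block starts above the hunk.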
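Review bot: The new `NGINX_AGENT` line correctly falls back to `''` when its guard is false, but the `PREBUILT_BASE_IMG` line two lines above it has no `|| ''` fallback, so when `inputs.authenticated` is false the expression appears to evaluate to the boolean `false` and a literal `false` line is passed in `build-args`; since this block is being edited anyway, `${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_name.outputs.image) || '' }}` would match the style of every other conditional line here. As in the first build job, `contains(inputs.nap-modules,'waf')` and `outputs.agent` encode the same predicate, so the literal `'NGINX_AGENT=true'` would do in place of the `format()` call. The `build-args:` block and the job start above the hunk.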
@@ -614,6 +614,8 @@ jobs:
 run: |
 [[ "${{ matrix.images.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.images.nap_modules }}"
 echo "modules=${modules}" >> $GITHUB_OUTPUT
+ [[ "${{ matrix.images.nap_modules }}" =~ waf ]] && agent="true" || agent="false"
+ echo "agent=${agent}" >> $GITHUB_OUTPUT
 if: ${{ matrix.images.nap_modules }}
 - name: Pull build image
@@ -664,6 +666,7 @@ jobs:
 BUILD_OS=${{ matrix.images.image }}
 IC_VERSION=CI
 ${{ contains(matrix.images.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
+ ${{ contains(matrix.images.nap_modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
 ${{ contains(matrix.images.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
 secrets: |
 ${{ contains(matrix.images.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}

From 5876ce361136fe870d13350fa53890cd22693d33 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 31 Jul 2024 11:36:21 +0100
Subject: [PATCH 2/3] inherit secrets on force image promotion call

---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 347e24ad1a..2f902966c6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -739,4 +739,5 @@ jobs:
 security-events: write
 pull-requests: write # for scout report
 uses: ./.github/workflows/image-promotion.yml
+ secrets: inherit
 if: ${{ inputs.force && inputs.force || false }}

From 1f0f624c7f717f5a31bd4654af63a81040df1214 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Mon, 29 Jul 2024 12:02:33 +0100
Subject: [PATCH 3/3] set ic-version parameter when building images (#6075)

---
 .github/workflows/ci.yml | 5 ++++-
 .github/workflows/image-promotion.yml | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)
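Review bot: This is the third copy of the same `nap_modules` shell step in this patch (build-base-images.yml and build-plus.yml carry the other two), each expanding `${{ matrix.images.nap_modules }}` directly into `run:`; the copies have already drifted (the build-plus.yml variant assigns `name` differently), and the direct interpolation is the pattern GitHub's script-injection guidance advises against even for workflow-defined values. Moving the derivation into a composite action, or at minimum passing the value via `env: NAP_MODULES: ${{ matrix.images.nap_modules }}` and testing `"$NAP_MODULES"` in the script, would address both. The `if: ${{ matrix.images.nap_modules }}` condition under the new lines relies on string truthiness where the sibling workflows use `!= ''`; pick one form. The job starts above the hunk.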
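Review bot: The new `NGINX_AGENT` line is keyed on `matrix.images.nap_modules`, while the `NAP_MODULES` line directly above it and the `nginx-repo.crt` secret selection below are keyed on `contains(matrix.images.image, 'nap')`; a matrix entry whose image name contains `nap` but has no `nap_modules` (or the reverse) would receive one build-arg without the other and could be handed the NAP repo certificate on a different criterion again. Deriving all three from the same field — `matrix.images.nap_modules != ''`, which is what the shell step already keys on — removes the ambiguity. The `build-args:` key starts above the hunk.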
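Review bot: `secrets: inherit` hands every repository and organization secret available to ci.yml to image-promotion.yml, which is broader than the reusable workflow can need and means any secret added to the repository later is implicitly exposed to this job too; an explicit `secrets:` map naming only what it consumes (presumably the `NGINX_*` build credentials seen elsewhere in this patch plus registry credentials — confirm against image-promotion.yml) keeps the call least-privilege and makes the dependency visible to reviewers. The job also carries `security-events: write` and `pull-requests: write`, so broad secrets plus write tokens make it the most valuable job in the file to anyone able to trigger a forced run. `if: ${{ inputs.force && inputs.force || false }}` reduces to `if: ${{ inputs.force }}`. The job definition starts above the hunk.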
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2f902966c6..0e7b21b1f3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -293,7 +293,8 @@ jobs:
 authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
 full-build: ${{ inputs.force && inputs.force || false }}
 tag: ${{ needs.checks.outputs.build_tag }}
- branch: ${{ github.head_ref && github.head_ref || github.ref }}
+ branch: ${{ (github.head_ref && needs.checks.outputs.forked_workflow != 'true') && github.head_ref || github.ref }}
+ ic-version: ${{ needs.checks.outputs.ic_version }}
 permissions:
 contents: read
 actions: read
@@ -320,6 +321,7 @@ jobs:
 tag: ${{ needs.checks.outputs.build_tag }}
 authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
 full-build: ${{ inputs.force && inputs.force || false }}
+ ic-version: ${{ needs.checks.outputs.ic_version }}
 permissions:
 contents: read
 security-events: write
@@ -345,6 +347,7 @@ jobs:
 nap-modules: ${{ matrix.nap_modules }}
 authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
 full-build: ${{ inputs.force && inputs.force || false }}
+ ic-version: ${{ needs.checks.outputs.ic_version }}
 permissions:
 contents: read
 security-events: write
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index bf8c9d9002..59716791b1 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -168,6 +168,7 @@ jobs:
 authenticated: true
 tag: ${{ needs.checks.outputs.build_tag }}
 branch: ${{ github.ref }}
+ ic-version: ${{ needs.checks.outputs.ic_version }}
 permissions:
 contents: read
 actions: read
@@ -194,6 +195,7 @@ jobs:
 authenticated: true
 tag: ${{ needs.checks.outputs.build_tag }}
 branch: ${{ github.ref }}
+ ic-version: ${{ needs.checks.outputs.ic_version }}
 permissions:
 contents: read
 actions: read
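Review bot: The reworked `branch:` input now forwards `github.head_ref` only for non-fork pull requests, which narrows exposure but does not remove it: a head ref is a branch name chosen by whoever pushes, and can contain shell metacharacters, so the reusable workflow receiving `branch` must consume it through `env:` or a quoted argument rather than `${{ inputs.branch }}` inside a `run:` script — that consumer is not in this diff, so please verify it. A `# head_ref is user-supplied; forwarded only for same-repo PRs` comment above the line would record why the `forked_workflow` check sits inside this expression. `ic-version` comes from a `needs.checks` output whose derivation is outside the hunk; if it is read from a tag or a file in the checkout it deserves the same untrusted-text handling downstream. The job starts above the hunk.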
@@ -221,6 +223,7 @@ jobs:
 authenticated: true
 tag: ${{ needs.checks.outputs.build_tag }}
 branch: ${{ github.ref }}
+ ic-version: ${{ needs.checks.outputs.ic_version }}
 permissions:
 contents: read
 actions: read