From 24da73929ce18d7e5bca7bcc6022cbff80f7b894 Mon Sep 17 00:00:00 2001 From: oxpa Date: Tue, 16 Jun 2026 12:54:47 +0100 Subject: [PATCH] Get rid of all but Azure related secrets. --- .github/workflows/build-push.yml | 14 +++++++--- .github/workflows/coveo.yml | 44 ++++++++++++++---------------- .github/workflows/linkchecker.yml | 26 +++++------------- .github/workflows/mend.yml | 38 -------------------------- .github/workflows/notification.yml | 10 +++++-- 5 files changed, 45 insertions(+), 87 deletions(-) delete mode 100644 .github/workflows/mend.yml diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index fb3d6e08fa..1f0269a025 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -43,8 +43,6 @@ on: - "main" env: - FRONT_DOOR_USERNAME: ${{ secrets.FRONT_DOOR_USERNAME }} - FRONT_DOOR_PASSWORD: ${{ secrets.FRONT_DOOR_PASSWORD }} GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }} jobs: prod-check-branch: @@ -85,6 +83,15 @@ jobs: runs-on: ubuntu-latest permissions: read-all steps: + - name: Get secrets + uses: nginx/ci-self-hosted/.github/actions/get-from-vault@refs/heads/main + with: + client-id: ${{secrets.DOCS_OIDC_CLIENT}} + tenant-id: ${{secrets.DOCS_OIDC_TENANT}} + vault-name: ${{secrets.AZURE_KEY_VAULT_DOCS}} + secret-names: "slack_webhook_url_friends_of_docs" + env-names: "SLACK_WEBHOOK_URL" + - name: Send notification uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0 with: @@ -120,5 +127,4 @@ jobs: }] } env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_FRIENDS_OF_DOCS }} - PREVIEW_URL: ${{ needs.call-docs-build-push.outputs.PREVIEW_URL }} \ No newline at end of file + PREVIEW_URL: ${{ needs.call-docs-build-push.outputs.PREVIEW_URL }} diff --git a/.github/workflows/coveo.yml b/.github/workflows/coveo.yml index f90ac1b849..6485152846 100644 --- a/.github/workflows/coveo.yml +++ b/.github/workflows/coveo.yml 
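Review bot: The new `Get secrets` step in the notification job runs under `permissions: read-all`, which does not include `id-token: write`; if `get-from-vault` performs an Azure federated (OIDC) login — the `client-id`/`tenant-id` inputs strongly suggest it does — the token request will be refused and the job fails before the Slack step ever runs. Grant it explicitly and narrowly rather than widening the preset, e.g. `permissions:` / `contents: read` / `id-token: write`. The action is also referenced as `@refs/heads/main`, a mutable branch, while the adjacent `action-slack` step is pinned to a full commit SHA; since this action handles the vault credentials and every secret it exports, pin it to a commit SHA too. The rest of this job and the `permissions` of the other jobs are outside the hunk.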
@@ -28,12 +28,19 @@ jobs: - name: Install jq run: sudo apt-get install jq + - name: Get secrets + uses: nginx/ci-self-hosted/.github/actions/get-from-vault@refs/heads/main + with: + client-id: ${{secrets.DOCS_OIDC_CLIENT}} + tenant-id: ${{secrets.DOCS_OIDC_TENANT}} + vault-name: ${{secrets.AZURE_KEY_VAULT_DOCS}} + secret-names: "${{matrix.env_api_key}}, ${{matrix.env_sphinx_api_key}}, slack_webhook_url_docs_incident" + env-names: "COVEO_API_KEY, COVEO_SPHINX_API_KEY, SLACK_WEBHOOK_URL" + - name: Generating token for ${{matrix.env_name}} ... id: generate-token continue-on-error: true env: - COVEO_API_KEY: ${{secrets[matrix.env_api_key]}} - COVEO_SPHINX_API_KEY: ${{secrets[matrix.env_sphinx_api_key]}} COVEO_SEARCH_HUB: "HUB_ES_Nginx_Docs_And_Org" run: | RESPONSE=$(curl -w "\nHTTP_CODE: %{http_code}" -s -X POST "https://platform.cloud.coveo.com/rest/search/v2/token?organizationId=${{matrix.env_coveo_org_id}}" \ @@ -128,8 +135,6 @@ jobs: }] }] } - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DOCS_INCIDENT }} push-tokens-to-azure: 
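Review bot: The Coveo API keys are now exported job-wide through `env-names: "COVEO_API_KEY, COVEO_SPHINX_API_KEY, SLACK_WEBHOOK_URL"` instead of being scoped to the `generate-token` step's `env:` block as before, so every later step in this matrix job — including any third-party action — can read them; if the action can emit step outputs, prefer re-scoping them to the step (`env: COVEO_API_KEY: ${{ steps.<id>.outputs.<name> }}`), and either way confirm it registers each value with `::add-mask::` the way the removed inline scripts did. `${{matrix.env_api_key}}` and `${{matrix.env_sphinx_api_key}}` were previously GitHub secret names (used as `secrets[matrix.env_api_key]`) and are now passed as Key Vault secret names; the matrix definition is not in this hunk, so verify those values were updated to match the vault entries, keeping in mind Key Vault secret names allow only letters, digits and hyphens, so underscore-style names must be mapped by the action. The `run:` body of the token step continues past the end of the hunk.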
@@ -143,37 +148,28 @@ jobs: - name: View files run: ls -R - - name: Login to Azure - uses: azure/login@v2 - with: - creds: ${{secrets.AZURE_CREDENTIALS_DOCS}} - - - name: Retrieve secrets from Keyvault - id: keyvault - uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 + - name: Get secrets + uses: nginx/ci-self-hosted/.github/actions/get-from-vault@refs/heads/main with: - inlineScript: | - secrets_get=(productionHostname previewHostname resourceGroupName cdnProfileName cdnName accountName) - for secret_get in ${secrets_get[@]} - do - value=$(az keyvault secret show --name $secret_get --vault-name ${{ secrets.AZURE_KEY_VAULT_DOCS }} --query value --output tsv) - echo "::add-mask::$value" - echo "$secret_get=$value" >> $GITHUB_OUTPUT - done + client-id: ${{secrets.DOCS_OIDC_CLIENT}} + tenant-id: ${{secrets.DOCS_OIDC_TENANT}} + vault-name: ${{secrets.AZURE_KEY_VAULT_DOCS}} + secret-names: "resourceGroupName, cdnProfileName, cdnName, accountName" + env-names: "resourceGroupName, cdnProfileName, cdnName, accountName" - name: Push to Azure container storage run: | az storage blob upload-batch \ -s ./ \ -d '$web' \ - --account-name ${{steps.keyvault.outputs.accountName}} \ + --account-name ${{env.accountName}} \ --overwrite \ --content-cache-control "no-store" \ --auth-mode login az afd endpoint purge \ - --resource-group ${{steps.keyvault.outputs.resourceGroupName}} \ - --profile-name ${{steps.keyvault.outputs.cdnProfileName}} \ - --endpoint-name ${{steps.keyvault.outputs.cdnName}} \ + --resource-group ${{env.resourceGroupName}} \ + --profile-name ${{env.cdnProfileName}} \ + --endpoint-name ${{env.cdnName}} \ --domains docs.nginx.com docs-dev.nginx.com docs-staging.nginx.com \ --content-paths '/.netlify/functions/*' diff --git a/.github/workflows/linkchecker.yml b/.github/workflows/linkchecker.yml index 99c6c0ffb4..784d21df6b 100644 --- a/.github/workflows/linkchecker.yml +++ b/.github/workflows/linkchecker.yml 
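Review bot: `az storage blob upload-batch --auth-mode login` and `az afd endpoint purge` in the `Push to Azure container storage` step require an authenticated az CLI session, and this hunk removes the explicit `azure/login` step that used to establish one; the push now works only if `get-from-vault` leaves the CLI logged in as the OIDC identity for the remainder of the job and that identity holds blob-write and Front Door purge rights on the target storage account and profile — confirm that, or keep an explicit federated `azure/login` step (with `client-id`, `tenant-id`, `subscription-id`) immediately before the push. The four vault values are now read as plain job env (`${{env.accountName}}` and friends) rather than step outputs; since they are resource names, not credentials, a short comment such as `# resource identifiers only; the deploy credential is the OIDC identity, not a stored secret` would make that intent clear. As elsewhere in this patch, the action is pinned to `refs/heads/main`; pin it to a commit SHA.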
@@ -75,31 +75,19 @@ jobs: echo "isProduction=true" >> $GITHUB_ENV fi - - name: Login to Azure - if: env.isProduction != 'true' - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0 + - name: Get secrets + uses: nginx/ci-self-hosted/.github/actions/get-from-vault@refs/heads/main with: - creds: ${{secrets.AZURE_CREDENTIALS_DOCS}} - - - name: Retrieve secrets from Keyvault - if: env.isProduction != 'true' - id: keyvault - uses: azure/cli@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 - with: - inlineScript: | - secrets_get=(frontdoorUsername frontdoorPassword) - for secret_get in ${secrets_get[@]} - do - value=$(az keyvault secret show --name $secret_get --vault-name ${{ secrets.AZURE_KEY_VAULT_DOCS }} --query value --output tsv) - echo "::add-mask::$value" - echo "$secret_get=$value" >> $GITHUB_OUTPUT - done + client-id: ${{secrets.DOCS_OIDC_CLIENT}} + tenant-id: ${{secrets.DOCS_OIDC_TENANT}} + vault-name: ${{secrets.AZURE_KEY_VAULT_DOCS}} + secret-names: "frontdoorPassword,frontdoorUsername" # Setup linkchecker command with optional password - name: Setup LinkChecker Command run: | if [ "${{env.isProduction}}" != "true" ]; then - echo "cmd=echo '${{steps.keyvault.outputs.frontdoorPassword}}' | linkchecker -u '${{steps.keyvault.outputs.frontdoorUsername}}' ${{ env.basepath }}/${{ matrix.doc_paths }}/ ${{ env.defaults }} ${{ env.ignore }}" >> $GITHUB_ENV + echo "cmd=echo '${{env.FRONTDOORPASSWORD}}' | linkchecker -u '${{env.FRONTDOORUSERNAME}}' ${{ env.basepath }}/${{ matrix.doc_paths }}/ ${{ env.defaults }} ${{ env.ignore }}" >> $GITHUB_ENV else echo "cmd=linkchecker ${{ env.basepath }}/${{ matrix.doc_paths }}/ ${{ env.defaults }} ${{ env.ignore }}" >> $GITHUB_ENV fi diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml deleted file mode 100644 index 30c0547b40..0000000000 --- a/.github/workflows/mend.yml +++ /dev/null 
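Review bot: The new `Get secrets` step dropped the `if: env.isProduction != 'true'` guard that the removed `Login to Azure`/`Retrieve secrets` steps carried, so the Front Door credentials are now pulled from Key Vault on production runs that never use them (the `Setup LinkChecker Command` step only reads them in its non-production branch); restore `if: env.isProduction != 'true'` on the step. The vault names `frontdoorPassword,frontdoorUsername` are given without `env-names`, yet the next step reads `${{env.FRONTDOORPASSWORD}}` and `${{env.FRONTDOORUSERNAME}}`, which relies on the action upper-casing names when `env-names` is omitted — verify that, or set `env-names: "FRONTDOORPASSWORD,FRONTDOORUSERNAME"` explicitly. Separately, the password is still expanded at expression time into the `cmd` string written to `$GITHUB_ENV`, where a value containing a single quote breaks the shell quoting and the secret persists in the job environment; referencing `$FRONTDOORPASSWORD` from the shell at the point `cmd` is executed would avoid both, though that consuming step is outside this hunk.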
@@ -1,38 +0,0 @@ -name: Mend - -on: - workflow_dispatch: - inputs: - branch: - type: string - required: false - default: main - -concurrency: - group: ${{ github.ref_name }}-mend - cancel-in-progress: true - -permissions: - contents: read - -jobs: - scan: - name: Mend - runs-on: ubuntu-24.04 - steps: - - name: Checkout Repository - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.2.2 - with: - ref: ${{ inputs.branch && inputs.branch || github.ref }} - - - name: Download agent - run: curl -fsSLJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar - - - name: Verify JAR - run: jarsigner -verify wss-unified-agent.jar - - - name: Scan and upload - env: - PRODUCT_NAME: nginx_documentation_${{ inputs.branch && inputs.branch || github.ref_name }} - PROJECT_NAME: nic - run: java -jar wss-unified-agent.jar -noConfig true -wss.url ${{ secrets.WSS_URL }} -apiKey ${{ secrets.WS_APIKEY_NGINX }} -product ${{ secrets.WS_PRODUCT }} -project ${{ secrets.WS_PROJECT }} -d . \ No newline at end of file diff --git a/.github/workflows/notification.yml b/.github/workflows/notification.yml index a01c098805..1f16a65eb7 100644 --- a/.github/workflows/notification.yml +++ b/.github/workflows/notification.yml @@ -39,6 +39,14 @@ jobs: job_url: check_data.html_url, commit_message: message_sanitized, } + - name: Get secrets + uses: nginx/ci-self-hosted/.github/actions/get-from-vault@refs/heads/main + with: + client-id: ${{secrets.DOCS_OIDC_CLIENT}} + tenant-id: ${{secrets.DOCS_OIDC_TENANT}} + vault-name: ${{secrets.AZURE_KEY_VAULT_DOCS}} + secret-names: "slack_webhook_url_docs_incident" + env-names: "SLACK_WEBHOOK_URL" - name: Send notification uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0 @@ -73,5 +81,3 @@ jobs: }] }] } - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DOCS_INCIDENT }} \ No newline at end of file
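Review bot: The `Get secrets` step added before `Send notification` in notification.yml references `nginx/ci-self-hosted/.github/actions/get-from-vault@refs/heads/main`, a mutable branch ref, whereas the `action-slack` step directly after it is pinned to a full commit SHA; this action receives the OIDC client and tenant IDs and writes the Slack webhook into the job environment, so a compromise of that branch would expose both — pin it to a commit SHA (`…/get-from-vault@<sha> # main`). The job's `permissions:` block is not in this hunk; a federated Azure login needs `id-token: write`, so confirm it is granted. A one-line comment above the step, e.g. `# Slack webhook is sourced from Key Vault; no GitHub-level secret remains`, would explain to the next reader why the former `SLACK_WEBHOOK_URL_DOCS_INCIDENT` secret is gone.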