From 0f935ebc6f713c598e107b8e9f04196926cb2315 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Mon, 21 Jul 2025 15:10:04 +0100 Subject: [PATCH 1/5] Add GOPROXY to binary builds --- .github/workflows/ci.yml | 16 +++++++++++++++- .github/workflows/image-promotion.yml | 5 ++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index efbb15fbce..b2644f1077 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,6 +43,7 @@ jobs: k8s_latest: ${{ steps.vars.outputs.k8s_latest }} go_path: ${{ steps.vars.outputs.go_path }} go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} + go_proxy: ${{ steps.vars.outputs.go_proxy }} binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} chart_version: ${{ steps.vars.outputs.chart_version }} ic_version: ${{ steps.vars.outputs.ic_version }} @@ -98,7 +99,13 @@ jobs: source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT - echo "forked_workflow=${{ (github.event.pull_request && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) || github.repository != 'nginx/kubernetes-ingress' }}" >> $GITHUB_OUTPUT + forked_workflow=${{ (github.event.pull_request && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) || github.repository != 'nginx/kubernetes-ingress' }} + echo "forked_workflow=${forked_workflow}" >> $GITHUB_OUTPUT + go_proxy="" + if [ "$forked_workflow" = "false" ]; then + go_proxy="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" + fi + echo "go_proxy=${go_proxy}" >> $GITHUB_OUTPUT ./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT ./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT ./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT 
@@ -113,6 +120,7 @@ jobs: echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json | jq -c)" >> $GITHUB_OUTPUT echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json | jq -c)" >> $GITHUB_OUTPUT echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT + cat $GITHUB_OUTPUT - name: Fetch Cached Binary Artifacts @@ -173,6 +181,8 @@ jobs: permissions: contents: read needs: checks + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} steps: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -212,6 +222,8 @@ jobs: name: Unit Tests runs-on: ubuntu-22.04 needs: checks + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} steps: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -244,6 +256,8 @@ jobs: name: Build Binaries runs-on: ubuntu-22.04 needs: [checks, unit-tests, verify-codegen] + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} permissions: contents: write # for goreleaser/goreleaser-action to manage releases id-token: write # for goreleaser/goreleaser-action to sign artifacts diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 3da7fbb35e..b8951b997f 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -36,6 +36,7 @@ jobs: outputs: go_path: ${{ steps.vars.outputs.go_path }} go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} + go_proxy: ${{ steps.vars.outputs.go_proxy }} binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} chart_version: ${{ steps.vars.outputs.chart_version }} ic_version: ${{ steps.vars.outputs.ic_version }} 
@@ -58,7 +59,7 @@ jobs: - name: Set Variables id: vars run: | - echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT + echo "go_proxy="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" >> $GITHUB_OUTPUT source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT @@ -154,6 +155,8 @@ jobs: needs: [checks] permissions: contents: read + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} steps: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From 4f3fec8f1d2c06b71c2b8a60045bb6e3b1a7ae4f Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Mon, 21 Jul 2025 17:21:00 +0100 Subject: [PATCH 2/5] move GOPROXY setting to each step --- .github/workflows/ci.yml | 12 ++++++++++-- .github/workflows/image-promotion.yml | 3 +-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b2644f1077..e96592cf07 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -181,8 +181,6 @@ jobs: permissions: contents: read needs: checks - env: - GOPROXY: ${{ needs.checks.outputs.go_proxy }} steps: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -195,10 +193,14 @@ jobs: - name: Check if go.mod and go.sum are up to date run: go mod tidy && git diff --exit-code -- go.mod go.sum + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} - name: Check if CRDs changed run: make update-crds && git diff --name-only --exit-code config/crd/bases + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} - name: Check if Codegen changed 
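Review bot: The new `go_proxy` line in the image-promotion `Set Variables` step contains three double quotes, so the third one opens a string that swallows ` >> $GITHUB_OUTPUT` and the `source`/`echo` lines after it, and the output is not written as intended. The same hunk deletes the `go_path` echo although `go_path` is still declared as a job output and passed as `GOPATH` to the Build binaries step, so unless it is set elsewhere in the step, GOPATH arrives empty. Keep `echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT` and write the new line as `echo "go_proxy=https://azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" >> "$GITHUB_OUTPUT"`. The quoting is unchanged in the `@@ -59,7 +59,7 @@` hunk of PATCH 3/5, which only drops the credentials from the URL. The step's script continues outside the hunk.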
@@ -206,16 +208,22 @@ jobs: cd ../.. && mkdir -p github.com/nginx && mv kubernetes-ingress/kubernetes-ingress github.com/nginx/ && cd github.com/nginx/kubernetes-ingress make update-codegen && git diff --name-only --exit-code pkg/** cd ../../.. && mv github.com/nginx/kubernetes-ingress kubernetes-ingress/kubernetes-ingress + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} - name: Install gofumpt run: go install mvdan.cc/gofumpt@v0.8.0 + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} - name: Check if telemetry schema changed run: | export PATH=$PATH:$(go env GOPATH)/bin make telemetry-schema && git diff --name-only --exit-code internal/telemetry + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} unit-tests: diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index b8951b997f..f841ba06de 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -155,8 +155,6 @@ jobs: needs: [checks] permissions: contents: read - env: - GOPROXY: ${{ needs.checks.outputs.go_proxy }} steps: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -175,6 +173,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ needs.checks.outputs.go_path }} + GOPROXY: ${{ needs.checks.outputs.go_proxy }} AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }} AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }} AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }} From 9fa9e3896a1dcc94da2e96423feab926709838f6 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Tue, 22 Jul 2025 12:49:42 +0100 Subject: [PATCH 3/5] add netrc file --- .github/workflows/ci.yml | 47 +++++++++++++++++++-------- .github/workflows/image-promotion.yml | 24 +++++++++++++- 2 files changed, 57 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e96592cf07..12c4085623 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -103,7 +103,7 @@ jobs: echo "forked_workflow=${forked_workflow}" >> $GITHUB_OUTPUT go_proxy="" if [ "$forked_workflow" = "false" ]; then - go_proxy="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" + go_proxy="https://azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" fi echo "go_proxy=${go_proxy}" >> $GITHUB_OUTPUT ./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT @@ -181,6 +181,8 @@ jobs: permissions: contents: read needs: checks + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} steps: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
@@ -191,16 +193,22 @@ jobs: go-version-file: go.mod if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} + - name: Setup netrc + run: | + cat < $HOME/.netrc + machine azr.artifactory.f5net.com + login ${{ secrets.ARTIFACTORY_USER }} + password ${{ secrets.ARTIFACTORY_TOKEN }} + EOF + chmod 600 $HOME/.netrc + if: ${{ needs.checks.outputs.binary_cache_hit != 'true' && needs.checks.outputs.forked_workflow != 'true' }} + - name: Check if go.mod and go.sum are up to date run: go mod tidy && git diff --exit-code -- go.mod go.sum - env: - GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} - name: Check if CRDs changed run: make update-crds && git diff --name-only --exit-code config/crd/bases - env: - GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} - name: Check if Codegen changed @@ -208,22 +216,16 @@ jobs: cd ../.. && mkdir -p github.com/nginx && mv kubernetes-ingress/kubernetes-ingress github.com/nginx/ && cd github.com/nginx/kubernetes-ingress make update-codegen && git diff --name-only --exit-code pkg/** cd ../../.. && mv github.com/nginx/kubernetes-ingress kubernetes-ingress/kubernetes-ingress - env: - GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} - name: Install gofumpt run: go install mvdan.cc/gofumpt@v0.8.0 - env: - GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} - name: Check if telemetry schema changed run: | export PATH=$PATH:$(go env GOPATH)/bin make telemetry-schema && git diff --name-only --exit-code internal/telemetry - env: - GOPROXY: ${{ needs.checks.outputs.go_proxy }} if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} unit-tests: 
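Review bot: The `Setup netrc` step pastes `${{ secrets.ARTIFACTORY_USER }}` and `${{ secrets.ARTIFACTORY_TOKEN }}` into the script text and only tightens the file mode after the file already exists. Passing the secrets through `env:` keeps them out of the rendered script and away from shell expansion, and setting `umask 077` before the write means the file is never created with wider permissions. The file also stays in `$HOME` for every later step of the job, so a closing `if: always()` step that runs `rm -f "$HOME/.netrc"` would bound its lifetime. The same step is repeated in the unit-tests and binaries jobs in ci.yml and twice in image-promotion.yml, and the comment applies to all five copies.

```yaml
      - name: Setup netrc
        env:
          ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
          ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
        run: |
          umask 077
          printf 'machine azr.artifactory.f5net.com\nlogin %s\npassword %s\n' \
            "$ARTIFACTORY_USER" "$ARTIFACTORY_TOKEN" > "$HOME/.netrc"
        # … unchanged: if: condition of the step …
```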
@@ -242,6 +244,16 @@ jobs: go-version-file: go.mod if: ${{ needs.checks.outputs.binary_cache_hit != 'true' && (inputs.run_tests && inputs.run_tests || true) }} + - name: Setup netrc + run: | + cat < $HOME/.netrc + machine azr.artifactory.f5net.com + login ${{ secrets.ARTIFACTORY_USER }} + password ${{ secrets.ARTIFACTORY_TOKEN }} + EOF + chmod 600 $HOME/.netrc + if: ${{ needs.checks.outputs.binary_cache_hit != 'true' && needs.checks.outputs.forked_workflow != 'true' }} + - name: Run Tests run: make cover if: ${{ needs.checks.outputs.binary_cache_hit != 'true' && (inputs.run_tests && inputs.run_tests || true) }} @@ -264,8 +276,6 @@ jobs: name: Build Binaries runs-on: ubuntu-22.04 needs: [checks, unit-tests, verify-codegen] - env: - GOPROXY: ${{ needs.checks.outputs.go_proxy }} permissions: contents: write # for goreleaser/goreleaser-action to manage releases id-token: write # for goreleaser/goreleaser-action to sign artifacts @@ -282,6 +292,16 @@ jobs: go-version-file: go.mod if: ${{ (inputs.force && inputs.force || false) || needs.checks.outputs.binary_cache_hit != 'true' }} + - name: Setup netrc + run: | + cat < $HOME/.netrc + machine azr.artifactory.f5net.com + login ${{ secrets.ARTIFACTORY_USER }} + password ${{ secrets.ARTIFACTORY_TOKEN }} + EOF + chmod 600 $HOME/.netrc + if: ${{ needs.checks.outputs.binary_cache_hit != 'true' && needs.checks.outputs.forked_workflow != 'true' }} + - name: Build binaries uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 with: @@ -290,6 +310,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ needs.checks.outputs.go_path }} + GOPROXY: ${{ needs.checks.outputs.go_proxy }} AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }} AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }} AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }} diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index f841ba06de..b8b805bc3b 100644 
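Review bot: The `Setup netrc` step added to the Build Binaries job is skipped on a forced rebuild with a cache hit, because its `if:` tests only `binary_cache_hit` and `forked_workflow` while the `Setup Golang` step just above it also honours `inputs.force`. If the Build binaries step uses the same forced condition (its `if:` is outside the hunk), goreleaser would run with `GOPROXY` pointing at Artifactory and no credentials on disk. Suggested condition: `if: ${{ ((inputs.force && inputs.force || false) || needs.checks.outputs.binary_cache_hit != 'true') && needs.checks.outputs.forked_workflow != 'true' }}`.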
--- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -59,7 +59,7 @@ jobs: - name: Set Variables id: vars run: | - echo "go_proxy="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" >> $GITHUB_OUTPUT + echo "go_proxy="https://azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" >> $GITHUB_OUTPUT source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT @@ -119,6 +119,9 @@ jobs: permissions: contents: read security-events: write + needs: [checks] + env: + GOPROXY: ${{ needs.checks.outputs.go_proxy }} steps: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -128,6 +131,15 @@ jobs: with: go-version-file: go.mod + - name: Setup netrc + run: | + cat < $HOME/.netrc + machine azr.artifactory.f5net.com + login ${{ secrets.ARTIFACTORY_USER }} + password ${{ secrets.ARTIFACTORY_TOKEN }} + EOF + chmod 600 $HOME/.netrc + - name: govulncheck uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 with: @@ -165,6 +177,16 @@ jobs: go-version-file: go.mod if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} + - name: Setup netrc + run: | + cat < $HOME/.netrc + machine azr.artifactory.f5net.com + login ${{ secrets.ARTIFACTORY_USER }} + password ${{ secrets.ARTIFACTORY_TOKEN }} + EOF + chmod 600 $HOME/.netrc + if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} + - name: Build binaries uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 with: From 19f93e831fdde52202022c469de8a9463c7c2761 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Tue, 22 Jul 2025 12:52:43 +0100 Subject: [PATCH 4/5] set default go proxy --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
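Review bot: In image-promotion.yml the two `Setup netrc` steps and the `go_proxy` value have no `forked_workflow` guard, unlike their ci.yml counterparts. If this workflow can ever run where `ARTIFACTORY_USER` and `ARTIFACTORY_TOKEN` are not available (the triggers are not visible in the diff), the netrc is written with empty credentials and every Go fetch, including the one inside the govulncheck step, fails against the private proxy. Either state in a comment that the workflow only runs on the upstream repository, or reuse the fork check and public-proxy fallback from ci.yml.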
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 12c4085623..d60e911758 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -101,7 +101,7 @@ jobs: echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT forked_workflow=${{ (github.event.pull_request && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) || github.repository != 'nginx/kubernetes-ingress' }} echo "forked_workflow=${forked_workflow}" >> $GITHUB_OUTPUT - go_proxy="" + go_proxy="https://proxy.golang.org,direct" if [ "$forked_workflow" = "false" ]; then go_proxy="https://azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev" fi From c571cc66a0389f8d5d681959fe014b161e11f32e Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Tue, 22 Jul 2025 14:12:31 +0100 Subject: [PATCH 5/5] remove extra space --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d60e911758..a643018581 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -120,7 +120,6 @@ jobs: echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json | jq -c)" >> $GITHUB_OUTPUT echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json | jq -c)" >> $GITHUB_OUTPUT echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT - cat $GITHUB_OUTPUT - name: Fetch Cached Binary Artifacts
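Review bot: The two `go_proxy` values in `Set Variables` carry a security decision that the script does not explain: fork runs use the public proxy, while upstream runs are pinned to the private proxy with no `direct` fallback. A comment above the assignment, for example `# forks cannot read the Artifactory secrets, so they resolve modules via the public proxy`, would keep a later edit from merging the two paths. The step's script starts and ends outside the hunk.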