nginx · sean-breen · Sep 29, 2025 · Sep 17, 2025 · Sep 17, 2025 · Sep 17, 2025
@@ -0,0 +1,89 @@
+
+name: Generate and Sign Assertion Document
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        type: string
+        description: "The branch to run the assertion workflow on"
+        required: false
+        default: main
+
+jobs:
+  build-assertion-document:
+    name: Build and Generate Assertion Document
+    runs-on: ubuntu-22.04
+    if: ${{ !github.event.pull_request.head.repo.fork }}
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency"
+    outputs:
+      agent_binary: ${{ steps.check_binary.outputs.agent_binary }}
+      goversionm: ${{ steps.godeps.outputs.goversionm }}
+      assertion_document: ${{ steps.assertiondoc.outputs.assertion-document-path }}
+    strategy:
+        matrix:
+            osarch: [amd64, arm64]
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Gather build dependencies
+        id: godeps
+        run: |
+          if [ -z ${{inputs.branch}} ]; then
+            echo "No branch input provided, using current branch: $GITHUB_REF_NAME"
+          else
+            echo "Checking out branch: ${{inputs.branch}}"
+            git checkout ${{inputs.branch}}
+          fi
+          echo "Current branch: $GITHUB_REF_NAME"
+          echo "branch_name=$GITHUB_REF_NAME" >> $GITHUB_ENV
+          GO_VERSION=$(go version | awk '{print $3}' | sed 's/go//')
+          echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
+          echo "GO_VERSION=$GO_VERSION"
+          echo "time_start=$(date +%s)" >> $GITHUB_ENV
+          OSARCH=${{matrix.osarch}} make build
+          echo "time_end=$(date +%s)" >> $GITHUB_ENV
+          echo "Build time: $((time_end - time_start)) seconds"
+
+          echo "Getting sha256sum of the built nginx-agent binary..."
+          echo "agent-digest=$(sha256sum build/nginx-agent | awk '{print $1}')" >> $GITHUB_ENV
+
+          echo "Checking dependencies..."
+          go version -m build/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt
+          ls -l goversionm_*.txt
+          echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV
+
+      - name: Generate Assertion Document
+        id: assertiondoc
+        uses: nginxinc/compliance-rules/.github/actions/assertion@main
+        with:
+          artifact-name: nginx-agent_${{ env.branch_name }}_${{ matrix.osarch }}
+          artifact-digest: ${{ env.agent-digest }}
+          build-type: 'github'
+          builder-id: 'github.com'
+          builder-version: '${{env.GO_VERSION}}_test'
+          invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
+          artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
+          artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
+          artifactory-repo: 'f5-nginx-go-local-approved-dependency'
+          assertion-doc-file: assertion_nginx-agent_${{env.branch_name}}_${{matrix.osarch}}.json
+          build-content-path: ${{ env.goversionm }}
+          started-on: '${{ env.time_start }}'
+          finished-on: '${{ env.time_end }}'
+
+      - name: Sign and Store Assertion Document
+        id: sign
+        uses: nginxinc/compliance-rules/.github/actions/sign@main
+        with:
+          assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}