rancher · briandowns · Feb 5, 2025 · Feb 5, 2025 · Feb 5, 2025 · Feb 5, 2025
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,9 +4,9 @@ on:
     - master
   pull_request:
 
-
 permissions:
   contents: read
+  id-token: write
   security-events: write # upload Sarif results
 
 name: Build
@@ -17,6 +17,21 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v4
 
+    - name: "Read secrets"
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials appId | APP_ID ;
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials privateKey | PRIVATE_KEY
+
+    - name: Create App Token
+      uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        repositories: release-multus-cni
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+
     - name: Set the TAG value
       id: get-TAG
       run: |
@@ -32,6 +47,7 @@ jobs:
         target: multus-thin
         build-args: |
           TAG=${{ env.TAG }}
+          SRC=x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-multus-cni
 
     - name: Build thick plugin image
       uses: docker/build-push-action@v6
@@ -43,6 +59,7 @@ jobs:
         target: multus-thick
         build-args: |
           TAG=${{ env.TAG }}
+          SRC=x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-multus-cni
 
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/[email protected]
@@ -65,6 +82,21 @@ jobs:
     steps:
     - name: Check out code
       uses: actions/checkout@v4
+
+    - name: "Read secrets"
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials appId | APP_ID ;
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials privateKey | PRIVATE_KEY
+
+    - name: Create App Token
+      uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        repositories: release-multus-cni
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
 
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
@@ -76,6 +108,7 @@ jobs:
       id: get-TAG
       run: |
         echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+
     - name: Build container image
       uses: docker/build-push-action@v6
       with:
@@ -88,6 +121,7 @@ jobs:
         platforms: linux/arm64
         build-args: |
           TAG=${{ env.TAG }}
+          SRC=x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-multus-cni
 
     - name: Build thick plugin image
       uses: docker/build-push-action@v6
@@ -101,3 +135,4 @@ jobs:
         platforms: linux/arm64
         build-args: |
           TAG=${{ env.TAG }}
+          SRC=x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-multus-cni
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,11 +27,11 @@ jobs:
       uses: rancher-eio/read-vault-secrets@main
       with:
         secrets: |
-          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
-          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
           secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
-          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials appId | APP_ID ;
+          secret/data/github/repo/${{ github.repository }}/github/release-app-credentials privateKey | PRIVATE_KEY
 
     - name: Build and push thin plugin image
       uses: rancher/ecm-distro-tools/actions/publish-image@master
@@ -50,6 +50,8 @@ jobs:
 
     - name: Build and push thick plugin image
       uses: rancher/ecm-distro-tools/actions/publish-image@master
+      env:
+        SRC: x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-multus-cni
       with:
         image: hardened-multus-thick
         tag: ${{ github.event.release.tag_name }}

diff --git a/Dockerfile b/Dockerfile
@@ -14,7 +14,7 @@ RUN set -x && \
 # Build the multus project
 FROM base-builder AS multus-builder
 ARG TAG=v4.1.4
-ARG SRC=github.com/k8snetworkplumbingwg/multus-cni
+ARG SRC=github.com/rancher/release-multus-cni
 ARG PKG=github.com/k8snetworkplumbingwg/multus-cni
 RUN git clone --depth=1 https://${SRC}.git $GOPATH/src/${PKG}
 WORKDIR $GOPATH/src/${PKG}
@@ -41,7 +41,7 @@ RUN strip /thin_entrypoint /multus /kubeconfig_generator /cert-approver /install
 
 # Create the multus image
 FROM scratch AS multus-thin
-COPY --from=strip_binary  /multus /usr/src/multus-cni/bin/multus
+COPY --from=strip_binary    /multus /usr/src/multus-cni/bin/multus
 COPY --from=multus-builder  /go/src/github.com/k8snetworkplumbingwg/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 COPY --from=strip_binary    /thin_entrypoint /
 COPY --from=strip_binary    /kubeconfig_generator /