Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update CI for release-3.1 #3858

Merged
merged 2 commits into from
May 4, 2023
Merged

Update CI for release-3.1 #3858

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7eedee0
Update CI for release-3.1
lucacome May 4, 2023
1205e78
Merge branch 'release-3.1' into chore/update-ci-release
lucacome May 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 44 additions & 38 deletions .github/workflows/build-oss.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,6 @@ on:
tag:
required: false
type: string
sha_long:
required: false
type: string

defaults:
run:
Expand All @@ -23,12 +20,17 @@ defaults:
jobs:
build:
runs-on: ubuntu-22.04
permissions:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS ECR
packages: write # for docker/build-push-action to push to GHCR
outputs:
version: ${{ steps.meta.outputs.version }}
image_digest: ${{ steps.build-push.outputs.digest }}
steps:
- name: Checkout Repository
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
ref: ${{ inputs.tag != '' && format('refs/tags/v{0}', inputs.tag) || github.ref }}
fetch-depth: 0
Expand All @@ -43,7 +45,7 @@ jobs:
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
with:
platforms: arm,arm64,ppc64le,s390x
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Docker Buildx
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
Expand All @@ -53,31 +55,36 @@ jobs:
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Login to GitHub Container Registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Login to Public ECR
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Login to Quay.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Get short tag
id: tag
Expand All @@ -89,8 +96,9 @@ jobs:

- name: Docker meta
id: meta
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0
with:
context: ${{ inputs.tag != '' && 'git' || 'workflow' }}
images: |
name=nginx/nginx-ingress
name=ghcr.io/nginxinc/kubernetes-ingress
Expand All @@ -111,7 +119,6 @@ jobs:
org.opencontainers.image.description=NGINX Ingress Controller for Kubernetes
org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
org.opencontainers.image.revision=${{ inputs.sha_long != '' && inputs.sha_long || github.sha }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/README.md
io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg
io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"kubernetes@nginx.com"}]
Expand All @@ -123,54 +130,53 @@ jobs:
id: build-push
with:
file: build/Dockerfile
context: '.'
context: "."
cache-from: type=gha,scope=${{ inputs.image }}
cache-to: type=gha,scope=${{ inputs.image }},mode=max
target: goreleaser
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }}
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }}
load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }}
push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
pull: true
no-cache: ${{ github.event_name != 'pull_request' }}
sbom: ${{ github.event_name != 'pull_request' }}
no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
provenance: false
build-args: |
BUILD_OS=${{ inputs.image }}
IC_VERSION=${{ github.event_name == 'pull_request' && 'CI' || steps.meta.outputs.version }}
IC_VERSION=${{ (github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-')) && 'CI' || steps.meta.outputs.version }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # 0.9.2
uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
continue-on-error: true
with:
image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
format: 'sarif'
output: 'trivy-results-${{ inputs.image }}.sarif'
ignore-unfixed: 'true'
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
ignore-unfixed: "true"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
continue-on-error: true
with:
sarif_file: 'trivy-results-${{ inputs.image }}.sarif'
sarif_file: "trivy-results-${{ inputs.image }}.sarif"

- name: Upload Scan Results
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
continue-on-error: true
with:
name: 'trivy-results-${{ inputs.image }}.sarif'
path: 'trivy-results-${{ inputs.image }}.sarif'
name: "trivy-results-${{ inputs.image }}.sarif"
path: "trivy-results-${{ inputs.image }}.sarif"
if: always()

send-notification:
name: Send Notification
needs: build
uses: ./.github/workflows/updates-notification.yml
with:
sha_long: ${{ inputs.sha_long }}
tag: ${{ inputs.tag }}
version: ${{ needs.build.outputs.version }}
image_digest: ${{ needs.build.outputs.image_digest }}
secrets: inherit
if: ${{ inputs.tag != '' }}
name: Send Notification
needs: build
uses: ./.github/workflows/updates-notification.yml
with:
tag: ${{ inputs.tag }}
version: ${{ needs.build.outputs.version }}
image_digest: ${{ needs.build.outputs.image_digest }}
secrets: inherit
if: ${{ inputs.tag != '' }}
36 changes: 26 additions & 10 deletions .github/workflows/build-plus.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,10 +28,11 @@ jobs:
permissions:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS
runs-on: ubuntu-22.04
steps:
- name: Checkout Repository
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
fetch-depth: 0

Expand All @@ -50,25 +51,39 @@ jobs:
- name: Docker Buildx
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0

- name: GCR Login
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # v1.1.0
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
if: github.event_name != 'pull_request'

- name: Login to GCR
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GCR_JSON_KEY }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
if: github.event_name != 'pull_request'

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }}
if: startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws')

- name: Login to ECR
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
if: startsWith(github.ref, 'refs/tags/')
if: startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws')

- name: Docker meta
id: meta
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0
with:
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress
Expand All @@ -80,6 +95,7 @@ jobs:
tags: |
type=edge
type=ref,event=pr
type=ref,event=branch,enable=${{ startsWith(github.ref, 'refs/heads/release-') }}
type=schedule,pattern={{date 'YYYYMMDD'}}
type=semver,pattern={{version}}
labels: |
Expand Down Expand Up @@ -146,7 +162,7 @@ jobs:
${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # 0.9.2
uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
continue-on-error: true
with:
image-ref: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }}
Expand All @@ -155,7 +171,7 @@ jobs:
ignore-unfixed: 'true'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
continue-on-error: true
with:
sarif_file: 'trivy-results-${{ inputs.image }}.sarif'
Expand Down
Loading