diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index b3035340b0..f530cf3f0e 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -15,6 +15,9 @@ on:
       tag:
         required: false
         type: string
+      build-cache:
+        required: false
+        type: boolean
 
 defaults:
   run:
@@ -61,7 +64,7 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
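Review bot: The new `build-cache` input in the `@@ -15` hunk has neither a `description:` nor a `default:`, so every caller that omits it relies on an unset boolean input evaluating as falsy in the `! inputs.build-cache` conditions added below. Making that explicit documents the contract and protects the conditions if the input is ever made required: add `description: "Build for cache only: skip registry logins, pushes and scans"` and `default: false` under `build-cache:`. The same applies to the `@@ -21` hunk of build-plus.yml.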
@@ -69,20 +72,20 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: us-east-1
           role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
 
       - name: Login to Public ECR
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: public.ecr.aws
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
 
       - name: Login to Quay.io
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -90,7 +93,7 @@ jobs:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
 
       - name: Get short tag
         id: tag
@@ -146,7 +149,7 @@ jobs:
           annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
           platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }}
           load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }}
-          push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+          push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
           pull: true
           no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
           sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 2cafd3a58e..9c845fbdc9 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -21,6 +21,9 @@ on:
       release-url:
         required: false
         type: string
+      build-cache:
+        required: false
+        type: boolean
 
 defaults:
   run:
@@ -64,7 +67,7 @@ jobs:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
           service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request' && ! inputs.build-cache
 
       - name: Login to GCR
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -72,7 +75,7 @@ jobs:
           registry: gcr.io
           username: oauth2accesstoken
           password: ${{ steps.auth.outputs.access_token }}
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request' && ! inputs.build-cache
 
       - name: Authenticate to Google Cloud Marketplace
         id: auth-mktpl
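Review bot: In the `@@ -146` hunk `push:` is now false on a build-cache run, but `sbom:` and `no-cache:` on the following lines still evaluate from the event alone, so a cache run triggered by `workflow_dispatch` builds with `no-cache: true` and produces an SBOM attestation for an image that is neither pushed nor loaded (`load:` is false outside pull requests and release branches). Gating `sbom:` the same way as `push:`, `sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}`, keeps the two settings consistent. Whether `no-cache: true` is the intended behaviour for a cache refresh, and where the rebuilt layers are exported, depends on the `cache-from`/`cache-to` settings of this step, which lie outside the hunk. The same point applies to the `@@ -165` hunk of build-plus.yml.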
@@ -111,7 +114,7 @@ jobs:
           script: |
             let id_token = await core.getIDToken()
             core.setOutput('id_token', id_token)
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
 
       - name: Login to NGINX Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -119,7 +122,7 @@ jobs:
           registry: docker-mgmt.nginx.com
           username: ${{ steps.idtoken.outputs.id_token }}
           password: ${{ github.actor }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
 
       - name: Docker meta
         id: meta
@@ -165,7 +168,7 @@ jobs:
           annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
           platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }}
           load: ${{ github.event_name == 'pull_request' }}
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ github.event_name != 'pull_request' && ! inputs.build-cache }}
           pull: true
           no-cache: ${{ github.event_name != 'pull_request' }}
           sbom: ${{ github.event_name != 'pull_request' }}
@@ -233,6 +236,7 @@ jobs:
             "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
             "nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
             ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+        if: ${{ ! inputs.build-cache }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
@@ -242,12 +246,14 @@ jobs:
           format: "sarif"
           output: "trivy-results-${{ inputs.image }}.sarif"
           ignore-unfixed: "true"
+        if: ${{ ! inputs.build-cache }}
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
         continue-on-error: true
         with:
           sarif_file: "trivy-results-${{ inputs.image }}.sarif"
+        if: ${{ ! inputs.build-cache }}
 
       - name: Upload Scan Results
         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
diff --git a/.github/workflows/cache-update.yml b/.github/workflows/cache-update.yml
new file mode 100644
index 0000000000..3331196c23
--- /dev/null
+++ b/.github/workflows/cache-update.yml
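Review bot: The `Upload Scan Results` step that begins at the end of the `@@ -242` hunk is not gated in this diff, while the Trivy step that writes `trivy-results-${{ inputs.image }}.sarif` is now skipped on build-cache runs, so unless that step already has an `if:` of its own outside the hunk it will look for a file that was never produced. With actions/upload-artifact v4's default `if-no-files-found: warn` this shows up as a warning rather than a failure, but it leaves a misleading half-run scan stage. Add `if: ${{ ! inputs.build-cache }}` to that step as well, matching the two steps above it.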
@@ -0,0 +1,178 @@
+name: Cache Update
+
+on:
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ${{ github.ref_name }}-cache-update
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  checks:
+    name: Checks and variables
+    runs-on: ubuntu-22.04
+    outputs:
+      go_code_md5: ${{ steps.vars.outputs.go_code_md5 }}
+      chart_version: ${{ steps.vars.outputs.chart_version }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Output Variables
+        id: vars
+        run: |
+          echo go_code_md5=$(find . -type f \( -name "*.go" -o -name go.mod -o -name go.sum -o -name "*.tmpl" -o -name .goreleaser.yml -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }') >> $GITHUB_OUTPUT
+          source .github/data/version.txt
+          echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
+
+  release-notes:
+    name: Release Notes
+    runs-on: ubuntu-22.04
+    needs: checks
+    outputs:
+      release-url: ${{ steps.release-notes.outputs.release-url }}
+    permissions:
+      contents: write # for lucacome/draft-release
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Create/Update Draft
+        uses: lucacome/draft-release@52f02d1a69b61568e54ab5cf86ce91503bac4066 # v1.0.2
+        id: release-notes
+        with:
+          minor-label: "enhancement"
+          major-label: "change"
+          publish: ${{ github.ref_type == 'tag' }}
+          collapse-after: 50
+          variables: |
+            helm-chart=${{ needs.checks.outputs.chart_version }}
+          notes-footer: |
+            ## Upgrade
+            - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
+            - For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking) or build your own image using the {{version}} source code.
+            - For Helm, use version {{helm-chart}} of the chart.
+
+            ## Resources
+            - Documentation -- https://docs.nginx.com/nginx-ingress-controller/
+            - Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples
+            - Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/charts/nginx-ingress
+            - Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator
+        if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }}
+
+  build-docker:
+    name: Build Docker OSS
+    needs: [checks]
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [debian, alpine]
+        platforms:
+          ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"]
+        include:
+          - image: ubi
+            platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+    uses: ./.github/workflows/build-oss.yml
+    with:
+      platforms: ${{ matrix.platforms }}
+      image: ${{ matrix.image }}
+      go-md5: ${{ needs.checks.outputs.go_code_md5 }}
+      build-cache: true
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+      id-token: write
+      packages: write
+    secrets: inherit
+
+  build-docker-plus:
+    name: Build Docker Plus
+    needs: [checks, release-notes]
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [debian-plus, alpine-plus, alpine-plus-fips]
+        platforms: ["linux/arm64, linux/amd64"]
+        target: [goreleaser, aws]
+        include:
+          - image: ubi-plus
+            platforms: "linux/arm64, linux/amd64, linux/s390x"
+            target: goreleaser
+    uses: ./.github/workflows/build-plus.yml
+    with:
+      platforms: ${{ matrix.platforms }}
+      image: ${{ matrix.image }}
+      target: ${{ matrix.target }}
+      go-md5: ${{ needs.checks.outputs.go_code_md5 }}
+      release-url: ${{ needs.release-notes.outputs.release-url }}
+      build-cache: true
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    secrets: inherit
+
+  build-docker-nap:
+    name: Build Docker NAP
+    needs: [checks, release-notes]
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [debian-plus-nap]
+        platforms: ["linux/amd64"]
+        target: [goreleaser, aws]
+        nap_modules: [dos, waf, "waf,dos"]
+        include:
+          - image: ubi-9-plus-nap
+            target: goreleaser
+            platforms: "linux/amd64"
+            nap_modules: waf
+          - image: ubi-8-plus-nap
+            target: goreleaser
+            platforms: "linux/amd64"
+            nap_modules: dos
+          - image: ubi-8-plus-nap
+            target: goreleaser
+            platforms: "linux/amd64"
+            nap_modules: "waf,dos"
+          - image: ubi-9-plus-nap
+            target: aws
+            platforms: "linux/amd64"
+            nap_modules: waf
+          - image: ubi-8-plus-nap
+            target: aws
+            platforms: "linux/amd64"
+            nap_modules: dos
+          - image: ubi-8-plus-nap
+            target: aws
+            platforms: "linux/amd64"
+            nap_modules: "waf,dos"
+          - image: alpine-plus-nap-fips
+            target: goreleaser
+            platforms: "linux/amd64"
+            nap_modules: waf
+    uses: ./.github/workflows/build-plus.yml
+    with:
+      platforms: ${{ matrix.platforms }}
+      image: ${{ matrix.image }}
+      target: ${{ matrix.target }}
+      go-md5: ${{ needs.checks.outputs.go_code_md5 }}
+      nap_modules: ${{ matrix.nap_modules }}
+      release-url: ${{ needs.release-notes.outputs.release-url }}
+      build-cache: true
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    secrets: inherit
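Review bot: The `release-notes` job in the new cache-update.yml can never do anything: its only working step carries `if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }}`, but this workflow's sole trigger is `workflow_dispatch`, so the step is always skipped while the job still requests `contents: write` and `build-docker-plus`/`build-docker-nap` wait on it and forward an always-empty `release-url`. Drop the job together with the `release-url:` inputs (or at minimum the `contents: write` grant) so a cache refresh runs with read-only repository permissions throughout. In the `checks` job, `-name .github/data/version.txt` inside the `find` expression never matches because `-name` compares basenames only (GNU find warns about the `/`), so the version file is silently excluded from `go_code_md5`; `-o -path ./.github/data/version.txt` is the intended test, and if this expression is copied from the main CI workflow both copies should change together so the two hashes stay comparable. The `build-docker` job also forwards `packages: write`, `id-token: write` and `secrets: inherit` into a called workflow in which `build-cache: true` disables every login and push step; unless the cache export itself needs them, those grants can be reduced.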