From f47129d64b9949ba188d77671864aa4839c38176 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Thu, 15 Feb 2024 14:39:38 +0000 Subject: [PATCH 01/10] allow ci flow to be called from Actions tab --- .github/workflows/build-oss.yml | 14 +++++++------- .github/workflows/build-plus.yml | 18 +++++++++--------- .github/workflows/cache-update.yml | 6 +++--- .github/workflows/ci.yml | 9 +++++++++ 4 files changed, 28 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index b7ae80bc7d..9796208d8c 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -15,7 +15,7 @@ on: tag: required: false type: string - build-cache: + skip-publish: required: false type: boolean @@ -64,7 +64,7 @@ jobs: with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }} + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} - name: Login to GitHub Container Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 
@@ -72,20 +72,20 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }} + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-region: us-east-1 role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }} + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} - name: Login to Public ECR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: public.ecr.aws - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }} + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} - name: Login to Quay.io uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -93,7 +93,7 @@ jobs: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_ROBOT_TOKEN }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }} + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} - name: Get short tag id: tag 
@@ -149,7 +149,7 @@ jobs: annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }} platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }} load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }} - push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }} + push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} pull: true no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 58499a953f..37e1965257 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -21,7 +21,7 @@ on: release-url: required: false type: string - build-cache: + skip-publish: required: false type: boolean @@ -67,7 +67,7 @@ jobs: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: github.event_name != 'pull_request' && ! inputs.build-cache + if: github.event_name != 'pull_request' && ! inputs.skip-publish - name: Login to GCR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -75,7 +75,7 @@ jobs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - if: github.event_name != 'pull_request' && ! inputs.build-cache + if: github.event_name != 'pull_request' && ! inputs.skip-publish - name: Authenticate to Google Cloud Marketplace id: auth-mktpl 
@@ -114,7 +114,7 @@ jobs: script: | let id_token = await core.getIDToken() core.setOutput('id_token', id_token) - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }} + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} - name: Login to NGINX Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -122,7 +122,7 @@ jobs: registry: docker-mgmt.nginx.com username: ${{ steps.idtoken.outputs.id_token }} password: ${{ github.actor }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }} + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} - name: Docker meta id: meta @@ -168,7 +168,7 @@ jobs: annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }} platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }} load: ${{ github.event_name == 'pull_request' }} - push: ${{ github.event_name != 'pull_request' && ! inputs.build-cache }} + push: ${{ github.event_name != 'pull_request' && ! inputs.skip-publish }} pull: true no-cache: ${{ github.event_name != 'pull_request' }} sbom: ${{ github.event_name != 'pull_request' }} @@ -236,7 +236,7 @@ jobs: "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" "nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} - if: ${{ ! inputs.build-cache }} + if: ${{ ! inputs.skip-publish }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0 
@@ -246,14 +246,14 @@ jobs: format: "sarif" output: "trivy-results-${{ inputs.image }}.sarif" ignore-unfixed: "true" - if: ${{ ! inputs.build-cache }} + if: ${{ ! inputs.skip-publish }} - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1 continue-on-error: true with: sarif_file: "trivy-results-${{ inputs.image }}.sarif" - if: ${{ ! inputs.build-cache }} + if: ${{ ! inputs.skip-publish }} - name: Upload Scan Results uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 diff --git a/.github/workflows/cache-update.yml b/.github/workflows/cache-update.yml index ea36974cb0..13851be0bd 100644 --- a/.github/workflows/cache-update.yml +++ b/.github/workflows/cache-update.yml @@ -87,7 +87,7 @@ jobs: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} - build-cache: true + skip-publish: true permissions: contents: read actions: read @@ -116,7 +116,7 @@ jobs: target: ${{ matrix.target }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} release-url: ${{ needs.release-notes.outputs.release-url }} - build-cache: true + skip-publish: true permissions: contents: read security-events: write @@ -170,7 +170,7 @@ jobs: go-md5: ${{ needs.checks.outputs.go_code_md5 }} nap_modules: ${{ matrix.nap_modules }} release-url: ${{ needs.release-notes.outputs.release-url }} - build-cache: true + skip-publish: true permissions: contents: read security-events: write diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ed685091fe..a59b364f3f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,12 @@ on: - release-* schedule: - cron: "0 4 * * *" # run every day at 04:00 UTC + workflow_dispatch: + inputs: + skip-publish: + description: Skip the publish of the generated images + type: boolean + default: true defaults: run: 
@@ -428,6 +434,7 @@ jobs: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} + skip-publish: ${{ inputs.skip-publish }} permissions: contents: read actions: read @@ -456,6 +463,7 @@ jobs: target: ${{ matrix.target }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} release-url: ${{ needs.release-notes.outputs.release-url }} + skip-publish: ${{ inputs.skip-publish }} permissions: contents: read security-events: write @@ -510,6 +518,7 @@ jobs: go-md5: ${{ needs.checks.outputs.go_code_md5 }} nap_modules: ${{ matrix.nap_modules }} release-url: ${{ needs.release-notes.outputs.release-url }} + skip-publish: ${{ inputs.skip-publish }} permissions: contents: read security-events: write From ec83ba741aa8eed679c68c46897ff817f66246bc Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Thu, 15 Feb 2024 16:34:30 +0000 Subject: [PATCH 02/10] renamed input from skip-publish to publish-image --- .github/workflows/build-oss.yml | 14 +++++++------- .github/workflows/build-plus.yml | 18 +++++++++--------- .github/workflows/cache-update.yml | 6 +++--- .github/workflows/ci.yml | 8 ++++---- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 9796208d8c..60d711b290 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -15,7 +15,7 @@ on: tag: required: false type: string - skip-publish: + publish-image: required: false type: boolean @@ -64,7 +64,7 @@ jobs: with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} + if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Login to GitHub Container Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 
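Review bot: `skip-publish: ${{ inputs.skip-publish }}` in `@@ -428` (and the same line in `@@ -456` and `@@ -510`) feeds a `type: boolean` workflow_call input from a context that is only populated on `workflow_dispatch`, so on push, schedule and pull_request runs the value passed is empty. If the runner rejects an empty value for a boolean input, every non-dispatch run now fails at the call instead of publishing as before; if it silently treats it as false the behaviour is right but only by accident, so this deserves one push-triggered run before merging. A form that is explicit about the non-dispatch case is `skip-publish: ${{ github.event_name == 'workflow_dispatch' && inputs.skip-publish || false }}`.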
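Review bot: The renamed `publish-image` input in build-oss.yml `@@ -15` (and build-plus.yml `@@ -21` in this commit) is declared with only `required: false` and `type: boolean`, although it now decides whether registry logins run and whether the image is pushed. An input with that effect should carry a `description:` and an explicit `default: false` so that a caller that omits it fails closed by declaration rather than by the unset-input convention, e.g. `description: Log in to the registries and push the built image` and `default: false` under the two existing keys.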
@@ -72,20 +72,20 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} + if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-region: us-east-1 role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} + if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Login to Public ECR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: public.ecr.aws - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} + if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Login to Quay.io uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -93,7 +93,7 @@ jobs: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_ROBOT_TOKEN }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} + if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Get short tag id: tag 
@@ -149,7 +149,7 @@ jobs: annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }} platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }} load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }} - push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} + push: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} pull: true no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 37e1965257..723cf43279 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -21,7 +21,7 @@ on: release-url: required: false type: string - skip-publish: + publish-image: required: false type: boolean @@ -67,7 +67,7 @@ jobs: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: github.event_name != 'pull_request' && ! inputs.skip-publish + if: ${{ inputs.publish-image && github.event_name != 'pull_request' }} - name: Login to GCR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -75,7 +75,7 @@ jobs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - if: github.event_name != 'pull_request' && ! inputs.skip-publish + if: ${{ inputs.publish-image && github.event_name != 'pull_request' }} - name: Authenticate to Google Cloud Marketplace id: auth-mktpl 
@@ -114,7 +114,7 @@ jobs: script: | let id_token = await core.getIDToken() core.setOutput('id_token', id_token) - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} + if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Login to NGINX Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -122,7 +122,7 @@ jobs: registry: docker-mgmt.nginx.com username: ${{ steps.idtoken.outputs.id_token }} password: ${{ github.actor }} - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.skip-publish }} + if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Docker meta id: meta @@ -168,7 +168,7 @@ jobs: annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }} platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }} load: ${{ github.event_name == 'pull_request' }} - push: ${{ github.event_name != 'pull_request' && ! inputs.skip-publish }} + push: ${{ inputs.publish-image && github.event_name != 'pull_request' }} pull: true no-cache: ${{ github.event_name != 'pull_request' }} sbom: ${{ github.event_name != 'pull_request' }} @@ -236,7 +236,7 @@ jobs: "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" "nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} - if: ${{ ! inputs.skip-publish }} + if: ${{ inputs.publish-image }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0 
@@ -246,14 +246,14 @@ jobs: format: "sarif" output: "trivy-results-${{ inputs.image }}.sarif" ignore-unfixed: "true" - if: ${{ ! inputs.skip-publish }} + if: ${{ inputs.publish-image }} - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1 continue-on-error: true with: sarif_file: "trivy-results-${{ inputs.image }}.sarif" - if: ${{ ! inputs.skip-publish }} + if: ${{ inputs.publish-image }} - name: Upload Scan Results uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 diff --git a/.github/workflows/cache-update.yml b/.github/workflows/cache-update.yml index 13851be0bd..139d09f67f 100644 --- a/.github/workflows/cache-update.yml +++ b/.github/workflows/cache-update.yml @@ -87,7 +87,7 @@ jobs: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} - skip-publish: true + publish-image: true permissions: contents: read actions: read @@ -116,7 +116,7 @@ jobs: target: ${{ matrix.target }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} release-url: ${{ needs.release-notes.outputs.release-url }} - skip-publish: true + publish-image: true permissions: contents: read security-events: write @@ -170,7 +170,7 @@ jobs: go-md5: ${{ needs.checks.outputs.go_code_md5 }} nap_modules: ${{ matrix.nap_modules }} release-url: ${{ needs.release-notes.outputs.release-url }} - skip-publish: true + publish-image: true permissions: contents: read security-events: write diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7cd42cf103..cc4e42d045 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,7 +15,7 @@ on: - cron: "0 4 * * *" # run every day at 04:00 UTC workflow_dispatch: inputs: - skip-publish: + publish-image: description: Skip the publish of the generated images type: boolean default: true 
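Review bot: Changing the guard on the Trivy scan and the SARIF upload in this hunk (and on the build step ending `@@ -236`) from `! inputs.skip-publish` to `inputs.publish-image` inverts what an unset input means: before, an omitted input meant "scan", now it means "skip". Within this series the caller only ever passes true when publishing, so pull-request builds of the Plus image — assuming the job runs on pull requests — are no longer scanned and no longer report to the Security tab, which the old `! inputs.build-cache` guard did. If PR scanning is wanted, drop the `if:` from the scan and upload steps, or gate them on an input that is independent of publishing rather than reusing `publish-image`.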
@@ -434,7 +434,7 @@ jobs: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} - skip-publish: ${{ inputs.skip-publish }} + publish-image: ${{ inputs.publish-image }} permissions: contents: read actions: read @@ -463,7 +463,7 @@ jobs: target: ${{ matrix.target }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} release-url: ${{ needs.release-notes.outputs.release-url }} - skip-publish: ${{ inputs.skip-publish }} + publish-image: ${{ inputs.publish-image }} permissions: contents: read security-events: write @@ -518,7 +518,7 @@ jobs: go-md5: ${{ needs.checks.outputs.go_code_md5 }} nap_modules: ${{ matrix.nap_modules }} release-url: ${{ needs.release-notes.outputs.release-url }} - skip-publish: ${{ inputs.skip-publish }} + publish-image: ${{ inputs.publish-image }} permissions: contents: read security-events: write From d18aacde9ff55ccca01882ac02b5f0665c0decee Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Thu, 15 Feb 2024 17:53:30 +0000 Subject: [PATCH 03/10] move publish-image logic to checks job --- .github/workflows/cache-update.yml | 6 +++--- .github/workflows/ci.yml | 19 +++++++++++++------ 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/.github/workflows/cache-update.yml b/.github/workflows/cache-update.yml index 139d09f67f..8800fca156 100644 --- a/.github/workflows/cache-update.yml +++ b/.github/workflows/cache-update.yml @@ -87,7 +87,7 @@ jobs: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} - publish-image: true + publish-image: false permissions: contents: read actions: read @@ -116,7 +116,7 @@ jobs: target: ${{ matrix.target }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: true + publish-image: false permissions: contents: read security-events: write 
@@ -170,7 +170,7 @@ jobs: go-md5: ${{ needs.checks.outputs.go_code_md5 }} nap_modules: ${{ matrix.nap_modules }} release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: true + publish-image: false permissions: contents: read security-events: write diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc4e42d045..ee728109ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,9 +16,9 @@ on: workflow_dispatch: inputs: publish-image: - description: Skip the publish of the generated images + description: Publish of the generated images type: boolean - default: true + default: false defaults: run: @@ -43,6 +43,7 @@ jobs: chart_version: ${{ steps.vars.outputs.chart_version }} binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} ic_version: ${{ steps.vars.outputs.ic_version }} + publish-images: ${{ steps.vars.outputs.publish }} steps: - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -82,6 +83,13 @@ jobs: source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT + publish=false + if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image }}; then + publish=true + elif ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}; then + publish=true + fi + echo "publish=$publish" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT - name: Fetch Cached Binary Artifacts @@ -434,7 +442,7 @@ jobs: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} - publish-image: ${{ inputs.publish-image }} + publish-image: ${{ needs.checks.outputs.publish-images }} permissions: contents: read actions: read 
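Review bot: With the `elif` in `@@ -82`, a manual dispatch from main with `publish-image` unchecked still ends with `publish=true`: the first branch is false, and the second excludes only pull requests and release branches, so the dispatch case has to be excluded there as well, `elif ${{ github.event_name != 'workflow_dispatch' && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}; then`. The shell `if ${{ … }}; then` form also reads as shell logic when it is one Actions expression whose interpolations expand to the literal `true`/`false` commands; a single `echo "publish=${{ … }}" >> $GITHUB_OUTPUT` with the whole condition inside the expression would be easier to read and to test. Whatever form is kept, the value leaves the job as the string `true`/`false` in `publish-images` and arrives at the `type: boolean` input `publish-image` of the callees in `@@ -442` (and `@@ -471`, `@@ -525` in the next chunk); confirm on a pull-request run that `if: ${{ inputs.publish-image }}` in the callees evaluates false for the string `false`, otherwise compare with `== 'true'`. Aligning the singular/plural names of the output and the input would avoid a second source of confusion.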
@@ -463,7 +471,7 @@ jobs: target: ${{ matrix.target }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: ${{ inputs.publish-image }} + publish-image: ${{ needs.checks.outputs.publish-images }} permissions: contents: read security-events: write @@ -509,7 +517,6 @@ jobs: target: goreleaser platforms: "linux/amd64" nap_modules: waf - uses: ./.github/workflows/build-plus.yml with: platforms: ${{ matrix.platforms }} @@ -518,7 +525,7 @@ jobs: go-md5: ${{ needs.checks.outputs.go_code_md5 }} nap_modules: ${{ matrix.nap_modules }} release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: ${{ inputs.publish-image }} + publish-image: ${{ needs.checks.outputs.publish-images }} permissions: contents: read security-events: write From d6a28f3f89d99572c8e424d79df0c5070ae12d67 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 16 Feb 2024 09:39:26 +0000 Subject: [PATCH 04/10] only use publish-image to drive publish --- .github/workflows/build-oss.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 60d711b290..4bb1a9088f 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -54,7 +54,7 @@ jobs: uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: platforms: arm,arm64,ppc64le,s390x - if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + if: ${{ inputs.publish-image }} - name: Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 
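Review bot: `if: ${{ inputs.publish-image }}` on the QEMU setup in `@@ -54` no longer matches the condition that selects the platforms to build: `platforms:` in the build step (unchanged, visible as context in `@@ -149` and `@@ -151` of the next chunk) is still `github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms`. A non-publishing call on a push or schedule event — cache-update.yml passes `publish-image: false`, and so does a manual dispatch with the box unchecked — therefore requests the full multi-arch set with no emulators registered, which presumably fails for the foreign architectures under the buildx container driver. Whichever condition is meant to drive multi-arch builds, QEMU, `platforms:` and `load:` need to share it; the later `@@ -151` change that moves `no-cache:`/`sbom:` onto the flag leaves the same split in place.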
@@ -64,7 +64,7 @@ jobs: with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + if: ${{ inputs.publish-image }} - name: Login to GitHub Container Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -72,20 +72,20 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + if: ${{ inputs.publish-image }} - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-region: us-east-1 role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }} - if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + if: ${{ inputs.publish-image }} - name: Login to Public ECR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: public.ecr.aws - if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + if: ${{ inputs.publish-image }} - name: Login to Quay.io uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -93,7 +93,7 @@ jobs: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_ROBOT_TOKEN }} - if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + if: ${{ inputs.publish-image }} - name: Get short tag id: tag 
@@ -149,7 +149,7 @@ jobs: annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }} platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }} load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }} - push: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + push: ${{ inputs.publish-image }} pull: true no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} From 242e428689019903dbd9bdaa7a943acbd12057e4 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 16 Feb 2024 11:30:21 +0000 Subject: [PATCH 05/10] utilise publish-image flag --- .github/workflows/build-oss.yml | 4 ++-- .github/workflows/build-plus.yml | 22 +++++++++++----------- .github/workflows/ci.yml | 6 +++--- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 4bb1a9088f..20b8fdccf9 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -151,8 +151,8 @@ jobs: load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }} push: ${{ inputs.publish-image }} pull: true - no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + no-cache: ${{ inputs.publish-image }} + sbom: ${{ inputs.publish-image }} provenance: false build-args: | BUILD_OS=${{ inputs.image }} diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 723cf43279..5d546bb8f5 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
@@ -55,7 +55,7 @@ jobs: uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: platforms: arm64,s390x - if: github.event_name != 'pull_request' + if: ${{ inputs.publish-image }} - name: Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 @@ -67,7 +67,7 @@ jobs: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: ${{ inputs.publish-image && github.event_name != 'pull_request' }} + if: ${{ inputs.publish-image }} - name: Login to GCR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -75,7 +75,7 @@ jobs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - if: ${{ inputs.publish-image && github.event_name != 'pull_request' }} + if: ${{ inputs.publish-image }} - name: Authenticate to Google Cloud Marketplace id: auth-mktpl @@ -114,7 +114,7 @@ jobs: script: | let id_token = await core.getIDToken() core.setOutput('id_token', id_token) - if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + if: ${{ inputs.publish-image }} - name: Login to NGINX Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 @@ -122,7 +122,7 @@ jobs: registry: docker-mgmt.nginx.com username: ${{ steps.idtoken.outputs.id_token }} password: ${{ github.actor }} - if: ${{ inputs.publish-image && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + if: ${{ inputs.publish-image }} - name: Docker meta id: meta 
@@ -165,13 +165,13 @@ jobs: target: ${{ inputs.target }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }} - platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }} - load: ${{ github.event_name == 'pull_request' }} - push: ${{ inputs.publish-image && github.event_name != 'pull_request' }} + annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }} + platforms: ${{ inputs.publish-image && inputs.platforms || '' }} + load: ${{ ! inputs.publish-image }} + push: ${{ inputs.publish-image }} pull: true - no-cache: ${{ github.event_name != 'pull_request' }} - sbom: ${{ github.event_name != 'pull_request' }} + no-cache: ${{ inputs.publish-image }} + sbom: ${{ inputs.publish-image }} provenance: false build-args: | BUILD_OS=${{ inputs.image }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee728109ce..be8193881c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -86,7 +86,7 @@ jobs: publish=false if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image }}; then publish=true - elif ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}; then + elif ${{ github.event_name != 'workflow_dispatch' && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}; then publish=true fi echo "publish=$publish" >> $GITHUB_OUTPUT @@ -453,7 +453,7 @@ jobs: build-docker-plus: name: Build Docker Plus - needs: [checks, build-docker, release-notes] + needs: [checks, smoke-tests, release-notes] strategy: fail-fast: false matrix: @@ -480,7 +480,7 @@ jobs: build-docker-nap: name: Build Docker NAP - needs: [checks, build-docker-plus, release-notes] + needs: [checks, smoke-tests, release-notes] strategy: fail-fast: false matrix: From dec156082e671f8a4c6640f65775ffd06ee93485 Mon Sep 17 00:00:00 2001 
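Review bot: Tying `platforms:` and `load:` to `inputs.publish-image` in `@@ -165` changes what cache-update.yml receives: it calls this workflow with `publish-image: false` (its `@@ -116` and `@@ -170` hunks earlier in the series), so those runs now build only the runner's native platform with `load: true` instead of the multi-arch set they pass through `platforms:`. If the purpose of cache-update is to warm the multi-arch build cache, one flag now conflates "publish" with "build for all platforms"; either keep `platforms:` on a condition of its own or give the caller a separate input for it. The `needs:` changes in `@@ -453` and `@@ -480` are superseded by the next commit and are reviewed there.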
From: Paul Abel Date: Fri, 16 Feb 2024 12:24:08 +0000 Subject: [PATCH 06/10] adjust CI job dependencies --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index be8193881c..33113245e7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -427,7 +427,7 @@ jobs: build-docker: name: Build Docker OSS - needs: [checks, smoke-tests] + needs: [checks, smoke-results] strategy: fail-fast: false matrix: @@ -453,7 +453,7 @@ jobs: build-docker-plus: name: Build Docker Plus - needs: [checks, smoke-tests, release-notes] + needs: [checks, smoke-results, release-notes] strategy: fail-fast: false matrix: @@ -480,7 +480,7 @@ jobs: build-docker-nap: name: Build Docker NAP - needs: [checks, smoke-tests, release-notes] + needs: [checks, smoke-results, release-notes] strategy: fail-fast: false matrix: @@ -620,7 +620,7 @@ jobs: gcp-marketplace: name: Trigger PR for GCP Marketplace runs-on: ubuntu-22.04 - needs: [checks, publish-helm] + needs: [checks, build-docker-plus, build-docker-nap] steps: - name: uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 From 5029e42d4f462725453ff57875926c2e5ad73d06 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 16 Feb 2024 14:04:52 +0000 Subject: [PATCH 07/10] skip smoke tests while troubleshooting --- .github/workflows/ci.yml | 244 +++++++++++++++++++-------------------- 1 file changed, 122 insertions(+), 122 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a064694810..e592fe72dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
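Review bot: `gcp-marketplace` in `@@ -620` now needs `[checks, build-docker-plus, build-docker-nap]` instead of `publish-helm`, so it is reachable from any run in which the Plus and NAP builds succeed, including a manual dispatch with `publish-image` unchecked; whether it actually fires depends on its own `if:`, which is outside the hunk. It should be gated on the same decision as the image pushes, e.g. `if: ${{ needs.checks.outputs.publish-images == 'true' }}`, so a non-publishing run cannot open a marketplace PR for images that were never pushed. The `needs: [checks, smoke-results, …]` changes in `@@ -427`, `@@ -453` and `@@ -480` make the image builds wait on `smoke-results`, which runs `if: ${{ always() }}` (visible as context in the next commit); the builds, and with `publish-image` true the pushes, are only gated on the tests if that job fails whenever a smoke test failed, and its steps are not in view, so that is worth confirming.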
@@ -388,28 +388,28 @@ jobs: - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run Smoke Tests - id: smoke-tests - uses: ./.github/actions/smoke-tests - with: - image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }} - marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} - k8s-version: ${{ matrix.k8s }} - nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} - nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} - azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} - gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }} - rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }} - go-md5: ${{ needs.checks.outputs.go_code_md5 }} - test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - - - name: Upload Test Results - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: ${{ steps.smoke-tests.outputs.test-results-name }} - path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html - if: always() + # - name: Run Smoke Tests + # id: smoke-tests + # uses: ./.github/actions/smoke-tests + # with: + # image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }} + # marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} + # k8s-version: ${{ matrix.k8s }} + # nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} + # nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} + # azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} + # gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + # 
gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }} + # rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }} + # go-md5: ${{ needs.checks.outputs.go_code_md5 }} + # test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + + # - name: Upload Test Results + # uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + # with: + # name: ${{ steps.smoke-tests.outputs.test-results-name }} + # path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html + # if: always() smoke-results: if: ${{ always() }} 
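Review bot: Commenting out the smoke-test steps (and, in the -451 and -617 hunks, the `build-docker-plus`, `build-docker-nap` and `gcp-marketplace` jobs) leaves dead YAML in the committed workflow and, because `smoke-results` is `if: ${{ always() }}`, lets `build-docker` run with no tests behind it while `publish-images` can still evaluate to true. A troubleshooting switch is safer expressed as data than as comments — for example a `workflow_dispatch` input and an `if:` on the step that tolerates the input being empty on non-dispatch events — so the skipped state is visible in the run log. Since patches 08–10 toggle this back and forth, these commits should be squashed before merge so the troubleshooting state never lands on the default branch.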
@@ -451,86 +451,86 @@ jobs: packages: write secrets: inherit - build-docker-plus: - name: Build Docker Plus - needs: [checks, smoke-results, release-notes] - strategy: - fail-fast: false - matrix: - image: [debian-plus, alpine-plus, alpine-plus-fips] - platforms: ["linux/arm64, linux/amd64"] - target: [goreleaser, aws] - include: - - image: ubi-plus - platforms: "linux/arm64, linux/amd64, linux/s390x" - target: goreleaser - uses: ./.github/workflows/build-plus.yml - with: - platforms: ${{ matrix.platforms }} - image: ${{ matrix.image }} - target: ${{ matrix.target }} - go-md5: ${{ needs.checks.outputs.go_code_md5 }} - release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: ${{ needs.checks.outputs.publish-images }} - permissions: - contents: read - security-events: write - id-token: write - secrets: inherit - - build-docker-nap: - name: Build Docker NAP - needs: [checks, smoke-results, release-notes] - strategy: - fail-fast: false - matrix: - image: [debian-plus-nap] - platforms: ["linux/amd64"] - target: [goreleaser, aws] - nap_modules: [dos, waf, "waf,dos"] - include: - - image: ubi-9-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: dos - - image: ubi-8-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: "waf,dos" - - image: ubi-9-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: dos - - image: ubi-8-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: "waf,dos" - - image: alpine-plus-nap-fips - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - uses: ./.github/workflows/build-plus.yml - with: - platforms: ${{ matrix.platforms }} - image: ${{ matrix.image }} - target: ${{ matrix.target }} - go-md5: ${{ needs.checks.outputs.go_code_md5 }} - nap_modules: ${{ matrix.nap_modules }} - 
release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: ${{ needs.checks.outputs.publish-images }} - permissions: - contents: read - security-events: write - id-token: write - secrets: inherit + # build-docker-plus: + # name: Build Docker Plus + # needs: [checks, smoke-results, release-notes] + # strategy: + # fail-fast: false + # matrix: + # image: [debian-plus, alpine-plus, alpine-plus-fips] + # platforms: ["linux/arm64, linux/amd64"] + # target: [goreleaser, aws] + # include: + # - image: ubi-plus + # platforms: "linux/arm64, linux/amd64, linux/s390x" + # target: goreleaser + # uses: ./.github/workflows/build-plus.yml + # with: + # platforms: ${{ matrix.platforms }} + # image: ${{ matrix.image }} + # target: ${{ matrix.target }} + # go-md5: ${{ needs.checks.outputs.go_code_md5 }} + # release-url: ${{ needs.release-notes.outputs.release-url }} + # publish-image: ${{ needs.checks.outputs.publish-images }} + # permissions: + # contents: read + # security-events: write + # id-token: write + # secrets: inherit + + # build-docker-nap: + # name: Build Docker NAP + # needs: [checks, smoke-results, release-notes] + # strategy: + # fail-fast: false + # matrix: + # image: [debian-plus-nap] + # platforms: ["linux/amd64"] + # target: [goreleaser, aws] + # nap_modules: [dos, waf, "waf,dos"] + # include: + # - image: ubi-9-plus-nap + # target: goreleaser + # platforms: "linux/amd64" + # nap_modules: waf + # - image: ubi-8-plus-nap + # target: goreleaser + # platforms: "linux/amd64" + # nap_modules: dos + # - image: ubi-8-plus-nap + # target: goreleaser + # platforms: "linux/amd64" + # nap_modules: "waf,dos" + # - image: ubi-9-plus-nap + # target: aws + # platforms: "linux/amd64" + # nap_modules: waf + # - image: ubi-8-plus-nap + # target: aws + # platforms: "linux/amd64" + # nap_modules: dos + # - image: ubi-8-plus-nap + # target: aws + # platforms: "linux/amd64" + # nap_modules: "waf,dos" + # - image: alpine-plus-nap-fips + # target: goreleaser + # 
platforms: "linux/amd64" + # nap_modules: waf + # uses: ./.github/workflows/build-plus.yml + # with: + # platforms: ${{ matrix.platforms }} + # image: ${{ matrix.image }} + # target: ${{ matrix.target }} + # go-md5: ${{ needs.checks.outputs.go_code_md5 }} + # nap_modules: ${{ matrix.nap_modules }} + # release-url: ${{ needs.release-notes.outputs.release-url }} + # publish-image: ${{ needs.checks.outputs.publish-images }} + # permissions: + # contents: read + # security-events: write + # id-token: write + # secrets: inherit publish-helm: name: Package and Publish Helm Chart @@ -617,23 +617,23 @@ jobs: }) if: github.ref_type == 'tag' - gcp-marketplace: - name: Trigger PR for GCP Marketplace - runs-on: ubuntu-22.04 - needs: [checks, build-docker-plus, build-docker-nap] - steps: - - name: - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ secrets.NGINX_PAT }} - script: | - await github.rest.actions.createWorkflowDispatch({ - owner: context.repo.owner, - repo: 'kubernetes-ingress-gcp', - workflow_id: 'sync-chart.yml', - ref: 'main', - inputs: { - chart_version: '${{ needs.checks.outputs.chart_version }}' - }, - }) - if: github.ref_type == 'tag' + # gcp-marketplace: + # name: Trigger PR for GCP Marketplace + # runs-on: ubuntu-22.04 + # needs: [checks, build-docker-plus, build-docker-nap] + # steps: + # - name: + # uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + # with: + # github-token: ${{ secrets.NGINX_PAT }} + # script: | + # await github.rest.actions.createWorkflowDispatch({ + # owner: context.repo.owner, + # repo: 'kubernetes-ingress-gcp', + # workflow_id: 'sync-chart.yml', + # ref: 'main', + # inputs: { + # chart_version: '${{ needs.checks.outputs.chart_version }}' + # }, + # }) + # if: github.ref_type == 'tag' From 8f376306920391b9da46882ae3fbb4f0c59ccda4 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Fri, 16 Feb 2024 14:45:53 +0000 Subject: [PATCH 08/10] cast to boolean for publish-images value --- .github/workflows/ci.yml | 246 +++++++++++++++++++-------------------- 1 file changed, 123 insertions(+), 123 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e592fe72dc..2680581af9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -388,28 +388,28 @@ jobs: - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - # - name: Run Smoke Tests - # id: smoke-tests - # uses: ./.github/actions/smoke-tests - # with: - # image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }} - # marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} - # k8s-version: ${{ matrix.k8s }} - # nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} - # nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} - # azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} - # gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - # gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }} - # rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }} - # go-md5: ${{ needs.checks.outputs.go_code_md5 }} - # test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - - # - name: Upload Test Results - # uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - # with: - # name: ${{ steps.smoke-tests.outputs.test-results-name }} - # path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html - # if: always() + - name: Run Smoke Tests + id: smoke-tests + uses: ./.github/actions/smoke-tests + with: + image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }} + marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} + k8s-version: ${{ matrix.k8s }} + nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} + nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} + azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} + gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + 
gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }} + rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + + - name: Upload Test Results + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: ${{ steps.smoke-tests.outputs.test-results-name }} + path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html + if: always() smoke-results: if: ${{ always() }} @@ -442,7 +442,7 @@ jobs: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} - publish-image: ${{ needs.checks.outputs.publish-images }} + publish-image: ${{ !! needs.checks.outputs.publish-images }} permissions: contents: read actions: read 
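Review bot: `publish-image: ${{ !! needs.checks.outputs.publish-images }}` does not yield the intended boolean: job outputs are always strings, and in GitHub expressions `!!` of any non-empty string — including `'false'` — is `true`, so pull-request runs would pass `publish-image: true` into `build-oss.yml` and push images. The safe form is an explicit comparison, `publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}`; the same cast is applied to `build-docker-plus` and `build-docker-nap` in the -451 hunk (patch 09 of this series makes that correction). The enclosing `with:` block starts outside the hunk.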
@@ -451,86 +451,86 @@ jobs: packages: write secrets: inherit - # build-docker-plus: - # name: Build Docker Plus - # needs: [checks, smoke-results, release-notes] - # strategy: - # fail-fast: false - # matrix: - # image: [debian-plus, alpine-plus, alpine-plus-fips] - # platforms: ["linux/arm64, linux/amd64"] - # target: [goreleaser, aws] - # include: - # - image: ubi-plus - # platforms: "linux/arm64, linux/amd64, linux/s390x" - # target: goreleaser - # uses: ./.github/workflows/build-plus.yml - # with: - # platforms: ${{ matrix.platforms }} - # image: ${{ matrix.image }} - # target: ${{ matrix.target }} - # go-md5: ${{ needs.checks.outputs.go_code_md5 }} - # release-url: ${{ needs.release-notes.outputs.release-url }} - # publish-image: ${{ needs.checks.outputs.publish-images }} - # permissions: - # contents: read - # security-events: write - # id-token: write - # secrets: inherit - - # build-docker-nap: - # name: Build Docker NAP - # needs: [checks, smoke-results, release-notes] - # strategy: - # fail-fast: false - # matrix: - # image: [debian-plus-nap] - # platforms: ["linux/amd64"] - # target: [goreleaser, aws] - # nap_modules: [dos, waf, "waf,dos"] - # include: - # - image: ubi-9-plus-nap - # target: goreleaser - # platforms: "linux/amd64" - # nap_modules: waf - # - image: ubi-8-plus-nap - # target: goreleaser - # platforms: "linux/amd64" - # nap_modules: dos - # - image: ubi-8-plus-nap - # target: goreleaser - # platforms: "linux/amd64" - # nap_modules: "waf,dos" - # - image: ubi-9-plus-nap - # target: aws - # platforms: "linux/amd64" - # nap_modules: waf - # - image: ubi-8-plus-nap - # target: aws - # platforms: "linux/amd64" - # nap_modules: dos - # - image: ubi-8-plus-nap - # target: aws - # platforms: "linux/amd64" - # nap_modules: "waf,dos" - # - image: alpine-plus-nap-fips - # target: goreleaser - # platforms: "linux/amd64" - # nap_modules: waf - # uses: ./.github/workflows/build-plus.yml - # with: - # platforms: ${{ matrix.platforms }} - # image: ${{ 
matrix.image }} - # target: ${{ matrix.target }} - # go-md5: ${{ needs.checks.outputs.go_code_md5 }} - # nap_modules: ${{ matrix.nap_modules }} - # release-url: ${{ needs.release-notes.outputs.release-url }} - # publish-image: ${{ needs.checks.outputs.publish-images }} - # permissions: - # contents: read - # security-events: write - # id-token: write - # secrets: inherit + build-docker-plus: + name: Build Docker Plus + needs: [checks, smoke-results, release-notes] + strategy: + fail-fast: false + matrix: + image: [debian-plus, alpine-plus, alpine-plus-fips] + platforms: ["linux/arm64, linux/amd64"] + target: [goreleaser, aws] + include: + - image: ubi-plus + platforms: "linux/arm64, linux/amd64, linux/s390x" + target: goreleaser + uses: ./.github/workflows/build-plus.yml + with: + platforms: ${{ matrix.platforms }} + image: ${{ matrix.image }} + target: ${{ matrix.target }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + release-url: ${{ needs.release-notes.outputs.release-url }} + publish-image: ${{ !! 
needs.checks.outputs.publish-images }} + permissions: + contents: read + security-events: write + id-token: write + secrets: inherit + + build-docker-nap: + name: Build Docker NAP + needs: [checks, smoke-results, release-notes] + strategy: + fail-fast: false + matrix: + image: [debian-plus-nap] + platforms: ["linux/amd64"] + target: [goreleaser, aws] + nap_modules: [dos, waf, "waf,dos"] + include: + - image: ubi-9-plus-nap + target: goreleaser + platforms: "linux/amd64" + nap_modules: waf + - image: ubi-8-plus-nap + target: goreleaser + platforms: "linux/amd64" + nap_modules: dos + - image: ubi-8-plus-nap + target: goreleaser + platforms: "linux/amd64" + nap_modules: "waf,dos" + - image: ubi-9-plus-nap + target: aws + platforms: "linux/amd64" + nap_modules: waf + - image: ubi-8-plus-nap + target: aws + platforms: "linux/amd64" + nap_modules: dos + - image: ubi-8-plus-nap + target: aws + platforms: "linux/amd64" + nap_modules: "waf,dos" + - image: alpine-plus-nap-fips + target: goreleaser + platforms: "linux/amd64" + nap_modules: waf + uses: ./.github/workflows/build-plus.yml + with: + platforms: ${{ matrix.platforms }} + image: ${{ matrix.image }} + target: ${{ matrix.target }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + nap_modules: ${{ matrix.nap_modules }} + release-url: ${{ needs.release-notes.outputs.release-url }} + publish-image: ${{ !! needs.checks.outputs.publish-images }} + permissions: + contents: read + security-events: write + id-token: write + secrets: inherit publish-helm: name: Package and Publish Helm Chart 
@@ -617,23 +617,23 @@ jobs: }) if: github.ref_type == 'tag' - # gcp-marketplace: - # name: Trigger PR for GCP Marketplace - # runs-on: ubuntu-22.04 - # needs: [checks, build-docker-plus, build-docker-nap] - # steps: - # - name: - # uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - # with: - # github-token: ${{ secrets.NGINX_PAT }} - # script: | - # await github.rest.actions.createWorkflowDispatch({ - # owner: context.repo.owner, - # repo: 'kubernetes-ingress-gcp', - # workflow_id: 'sync-chart.yml', - # ref: 'main', - # inputs: { - # chart_version: '${{ needs.checks.outputs.chart_version }}' - # }, - # }) - # if: github.ref_type == 'tag' + gcp-marketplace: + name: Trigger PR for GCP Marketplace + runs-on: ubuntu-22.04 + needs: [checks, build-docker-plus, build-docker-nap] + steps: + - name: + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{ secrets.NGINX_PAT }} + script: | + await github.rest.actions.createWorkflowDispatch({ + owner: context.repo.owner, + repo: 'kubernetes-ingress-gcp', + workflow_id: 'sync-chart.yml', + ref: 'main', + inputs: { + chart_version: '${{ needs.checks.outputs.chart_version }}' + }, + }) + if: github.ref_type == 'tag' From 2acc275f639e0598235ebe6ad09eda6243111957 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 16 Feb 2024 15:24:18 +0000 Subject: [PATCH 09/10] validation speedup --- .github/workflows/ci.yml | 52 ++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2680581af9..64ae5d5e99 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -388,28 +388,28 @@ jobs: - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run Smoke Tests - id: smoke-tests - uses: ./.github/actions/smoke-tests - with: - image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }} - marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} - k8s-version: ${{ matrix.k8s }} - nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} - nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} - azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} - gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }} - rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }} - go-md5: ${{ needs.checks.outputs.go_code_md5 }} - test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - - - name: Upload Test Results - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: ${{ steps.smoke-tests.outputs.test-results-name }} - path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html - if: always() + # - name: Run Smoke Tests + # id: smoke-tests + # uses: ./.github/actions/smoke-tests + # with: + # image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }} + # marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} + # k8s-version: ${{ matrix.k8s }} + # nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} + # nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} + # azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} + # gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + # 
gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }} + # rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }} + # go-md5: ${{ needs.checks.outputs.go_code_md5 }} + # test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + + # - name: Upload Test Results + # uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + # with: + # name: ${{ steps.smoke-tests.outputs.test-results-name }} + # path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html + # if: always() smoke-results: if: ${{ always() }} @@ -433,7 +433,7 @@ jobs: matrix: image: [debian, alpine] platforms: - ["linux/arm", "linux/arm64, linux/amd64, linux/ppc64le", "linux/s390x"] + ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] include: - image: ubi platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" @@ -442,7 +442,7 @@ jobs: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} - publish-image: ${{ !! needs.checks.outputs.publish-images }} + publish-image: ${{ needs.checks.outputs.publish-images == 'true' }} permissions: contents: read actions: read @@ -471,7 +471,7 @@ jobs: target: ${{ matrix.target }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: ${{ !! needs.checks.outputs.publish-images }} + publish-image: ${{ needs.checks.outputs.publish-images == 'true' }} permissions: contents: read security-events: write @@ -525,7 +525,7 @@ jobs: go-md5: ${{ needs.checks.outputs.go_code_md5 }} nap_modules: ${{ matrix.nap_modules }} release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: ${{ !! needs.checks.outputs.publish-images }} + publish-image: ${{ needs.checks.outputs.publish-images == 'true' }} permissions: contents: read security-events: write 
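Review bot: Collapsing the `platforms` matrix from three entries into one changes more than run time: each entry previously invoked `build-oss.yml` with the same `image`, and if the tags produced by the metadata step do not vary per matrix entry (not visible here), each multi-platform push would replace the tag's manifest list, leaving only the last job's platforms published — that would make this hunk a correctness fix for the published manifests, which deserves a comment above `platforms:` rather than the label "validation speedup". Also confirm the `linux/arm` build was not split out for a reason that still applies now that it shares a job with the other platforms. The `matrix:` block continues outside the hunk.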
From 582fd50f928070559551f9288d297a5acd41af36 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 16 Feb 2024 15:31:49 +0000 Subject: [PATCH 10/10] re-add testing --- .github/workflows/ci.yml | 44 ++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 64ae5d5e99..d613a644d5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -388,28 +388,28 @@ jobs: - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - # - name: Run Smoke Tests - # id: smoke-tests - # uses: ./.github/actions/smoke-tests - # with: - # image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }} - # marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} - # k8s-version: ${{ matrix.k8s }} - # nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} - # nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} - # azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} - # gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - # gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }} - # rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }} - # go-md5: ${{ needs.checks.outputs.go_code_md5 }} - # test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - - # - name: Upload Test Results - # uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - # with: - # name: ${{ steps.smoke-tests.outputs.test-results-name }} - # path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html - # if: always() + - name: Run Smoke Tests + id: smoke-tests + uses: ./.github/actions/smoke-tests + with: + image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }} + marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} + k8s-version: ${{ matrix.k8s }} + nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} + nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} + azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} + gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + 
gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }} + rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + + - name: Upload Test Results + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: ${{ steps.smoke-tests.outputs.test-results-name }} + path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html + if: always() smoke-results: if: ${{ always() }}