allow ci flow to be called from Actions tab

.github/workflows/build-oss.yml

@@ -15,7 +15,7 @@ on:
       tag:
         required: false
         type: string
-      build-cache:
+      publish-image:
         required: false
         type: boolean
 
@@ -54,7 +54,7 @@ jobs:
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         with:
           platforms: arm,arm64,ppc64le,s390x
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+        if: ${{ inputs.publish-image }}
 
       - name: Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
@@ -64,36 +64,36 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: us-east-1
           role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Login to Public ECR
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: public.ecr.aws
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Login to Quay.io
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Get short tag
         id: tag
@@ -149,10 +149,10 @@ jobs:
           annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
           platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }}
           load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }}
-          push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+          push: ${{ inputs.publish-image }}
           pull: true
-          no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
-          sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
+          no-cache: ${{ inputs.publish-image }}
+          sbom: ${{ inputs.publish-image }}
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}

.github/workflows/build-plus.yml

@@ -21,7 +21,7 @@ on:
       release-url:
         required: false
         type: string
-      build-cache:
+      publish-image:
         required: false
         type: boolean
 
@@ -55,7 +55,7 @@ jobs:
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         with:
           platforms: arm64,s390x
-        if: github.event_name != 'pull_request'
+        if: ${{ inputs.publish-image }}
 
       - name: Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
@@ -67,15 +67,15 @@ jobs:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
           service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-        if: github.event_name != 'pull_request' && ! inputs.build-cache
+        if: ${{ inputs.publish-image }}
 
       - name: Login to GCR
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: gcr.io
           username: oauth2accesstoken
           password: ${{ steps.auth.outputs.access_token }}
-        if: github.event_name != 'pull_request' && ! inputs.build-cache
+        if: ${{ inputs.publish-image }}
 
       - name: Authenticate to Google Cloud Marketplace
         id: auth-mktpl
@@ -114,15 +114,15 @@ jobs:
           script: |
             let id_token = await core.getIDToken()
             core.setOutput('id_token', id_token)
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Login to NGINX Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: docker-mgmt.nginx.com
           username: ${{ steps.idtoken.outputs.id_token }}
           password: ${{ github.actor }}
-        if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Docker meta
         id: meta
@@ -165,13 +165,13 @@ jobs:
           target: ${{ inputs.target }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
-          platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }}
-          load: ${{ github.event_name == 'pull_request' }}
-          push: ${{ github.event_name != 'pull_request' && ! inputs.build-cache }}
+          annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }}
+          platforms: ${{ inputs.publish-image && inputs.platforms || '' }}
+          load: ${{ ! inputs.publish-image }}
+          push: ${{ inputs.publish-image }}
           pull: true
-          no-cache: ${{ github.event_name != 'pull_request' }}
-          sbom: ${{ github.event_name != 'pull_request' }}
+          no-cache: ${{ inputs.publish-image }}
+          sbom: ${{ inputs.publish-image }}
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
@@ -236,7 +236,7 @@ jobs:
             "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
             "nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
             ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
-        if: ${{ ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
@@ -246,14 +246,14 @@ jobs:
           format: "sarif"
           output: "trivy-results-${{ inputs.image }}.sarif"
           ignore-unfixed: "true"
-        if: ${{ ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
         continue-on-error: true
         with:
           sarif_file: "trivy-results-${{ inputs.image }}.sarif"
-        if: ${{ ! inputs.build-cache }}
+        if: ${{ inputs.publish-image }}
 
       - name: Upload Scan Results
         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1

.github/workflows/cache-update.yml

@@ -87,7 +87,7 @@ jobs:
       platforms: ${{ matrix.platforms }}
       image: ${{ matrix.image }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
-      build-cache: true
+      publish-image: false
     permissions:
       contents: read
       actions: read
@@ -116,7 +116,7 @@ jobs:
       target: ${{ matrix.target }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
-      build-cache: true
+      publish-image: false
     permissions:
       contents: read
       security-events: write
@@ -170,7 +170,7 @@ jobs:
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       nap_modules: ${{ matrix.nap_modules }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
-      build-cache: true
+      publish-image: false
     permissions:
       contents: read
       security-events: write

.github/workflows/ci.yml

@@ -13,6 +13,12 @@ on:
       - release-*
   schedule:
     - cron: "0 4 * * *" # run every day at 04:00 UTC
+  workflow_dispatch:
+    inputs:
+      publish-image:
+        description: Publish of the generated images
+        type: boolean
+        default: false
 
 defaults:
   run:
@@ -37,6 +43,7 @@ jobs:
       chart_version: ${{ steps.vars.outputs.chart_version }}
       binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
       ic_version: ${{ steps.vars.outputs.ic_version }}
+      publish-images: ${{ steps.vars.outputs.publish }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -76,6 +83,13 @@ jobs:
           source .github/data/version.txt
           echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
           echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT
+          publish=false
+          if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image }}; then
+            publish=true
+          elif ${{ github.event_name != 'workflow_dispatch' && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}; then
+            publish=true
+          fi
+          echo "publish=$publish" >> $GITHUB_OUTPUT
           cat $GITHUB_OUTPUT
 
       - name: Fetch Cached Binary Artifacts
@@ -413,13 +427,13 @@ jobs:
 
   build-docker:
     name: Build Docker OSS
-    needs: [checks, smoke-tests]
+    needs: [checks, smoke-results]
     strategy:
       fail-fast: false
       matrix:
         image: [debian, alpine]
         platforms:
-          ["linux/arm", "linux/arm64, linux/amd64, linux/ppc64le", "linux/s390x"]
+          ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"]
         include:
           - image: ubi
             platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
@@ -428,6 +442,7 @@ jobs:
       platforms: ${{ matrix.platforms }}
       image: ${{ matrix.image }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
+      publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
     permissions:
       contents: read
       actions: read
@@ -438,7 +453,7 @@ jobs:
 
   build-docker-plus:
     name: Build Docker Plus
-    needs: [checks, build-docker, release-notes]
+    needs: [checks, smoke-results, release-notes]
     strategy:
       fail-fast: false
       matrix:
@@ -456,6 +471,7 @@ jobs:
       target: ${{ matrix.target }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
+      publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
     permissions:
       contents: read
       security-events: write
@@ -464,7 +480,7 @@ jobs:
 
   build-docker-nap:
     name: Build Docker NAP
-    needs: [checks, build-docker-plus, release-notes]
+    needs: [checks, smoke-results, release-notes]
     strategy:
       fail-fast: false
       matrix:
@@ -501,7 +517,6 @@ jobs:
             target: goreleaser
             platforms: "linux/amd64"
             nap_modules: waf
-
     uses: ./.github/workflows/build-plus.yml
     with:
       platforms: ${{ matrix.platforms }}
@@ -510,6 +525,7 @@ jobs:
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       nap_modules: ${{ matrix.nap_modules }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
+      publish-image: ${{ needs.checks.outputs.publish-images == 'true' }}
     permissions:
       contents: read
       security-events: write
@@ -604,7 +620,7 @@ jobs:
   gcp-marketplace:
     name: Trigger PR for GCP Marketplace
     runs-on: ubuntu-22.04
-    needs: [checks, publish-helm]
+    needs: [checks, build-docker-plus, build-docker-nap]
     steps:
       - name:
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1