From 2121f3bb191558a264ba06bbffea9de895a7f3ce Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 10:26:17 +0100 Subject: [PATCH 01/39] Add workflow to validate UBI images pass RedHat Certification --- .github/workflows/ci.yml | 15 +++++ .github/workflows/openshift-certification.yml | 61 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 .github/workflows/openshift-certification.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 10b86dd949..2404fe9086 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -409,6 +409,21 @@ jobs: id-token: write # for docker/login to login to NGINX registry secrets: inherit + openshift-certification: + name: OpenShift Certification + needs: [vars, build-oss, build-plus, build-operator] + if: ${{ inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null) }} + uses: ./.github/workflows/openshift-certification.yml + with: + operator-version: ${{ inputs.operator_version || '' }} + build-os: "ubi" + dry_run: ${{ inputs.dry_run || false }} + runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} + permissions: + contents: read + packages: read + secrets: inherit + functional-tests: name: Functional tests needs: [vars, build-oss, build-plus] diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml new file mode 100644 index 0000000000..1ace221fb1 --- /dev/null +++ b/.github/workflows/openshift-certification.yml 
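Review bot: The new `openshift-certification` job in ci.yml calls the reusable workflow with `secrets: inherit`, which hands it every secret of the caller although the called file only reads `PYXIS_API_TOKEN`. Pass the one secret explicitly, `secrets:` / `PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}`, and declare it under `on.workflow_call.secrets` in openshift-certification.yml. That keeps the token's exposure limited to this job even if more steps or third-party actions are added to the called workflow later.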
@@ -0,0 +1,61 @@ +name: OpenShift Certification + +on: + workflow_call: + inputs: + build-os: + required: true + type: string + default: 'ubi' + dry_run: + required: false + type: boolean + default: false + runner: + required: false + type: string + default: 'ubuntu-24.04' + +jobs: + preflight: + runs-on: ${{ inputs.runner }} + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Download preflight binary + run: | + curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64 + chmod +x preflight-linux-amd64 + sudo mv preflight-linux-amd64 /usr/local/bin/preflight + + - name: Run preflight for NGINX Gateway Fabric + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi --json > ngf-preflight-result.json + + - name: Run preflight for NGINX OSS + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi --json > ngf-oss-preflight-result.json + + - name: Run preflight for NGINX Gateway Fabric Operator + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge --json > ngf-operator-preflight-result.json + + - name: Aggregate preflight results and fail if any checks failed + run: | + total_failed=0 + for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do + failed_count=$(jq '.results.failed | length' "$result") + total_failed=$((total_failed + failed_count)) + done + if [ "$total_failed" -ne 0 ]; then + echo "Preflight checks failed: $total_failed failed checks across all images" + for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do + echo "Results for $result:" + jq '.results.failed' "$result" + done + exit 1 + fi \ No newline at end of file 
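Review bot: The `Download preflight binary` step fetches `releases/latest/download/preflight-linux-amd64` with `curl -LO`: there is no version pin, no checksum check and no `-f`, yet the file is installed with `sudo` and the following steps run it with `PYXIS_API_TOKEN` in the environment. Pin a release and verify it before the `chmod`, e.g. `curl -fsSLO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/<PINNED_VERSION>/preflight-linux-amd64` followed by `echo "<EXPECTED_SHA256>  preflight-linux-amd64" | sha256sum -c -` (both values are placeholders to take from the chosen release). `actions/checkout@v4` here, and the `upload-artifact@v4` / `download-artifact@v4` steps added in patches 11, 13 and 16, are referenced by tag, whereas build.yml pins checkout to a commit SHA; pinning these by SHA would be consistent with that.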
From d61c9f4fae6a64fc2024b8b5f261148d3b38fff0 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 10:35:45 +0100 Subject: [PATCH 02/39] Update args and fix pre-commit checks --- .github/workflows/ci.yml | 5 +- .github/workflows/openshift-certification.yml | 76 +++++++++---------- 2 files changed, 35 insertions(+), 46 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2404fe9086..33517fcc24 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -411,13 +411,10 @@ jobs: openshift-certification: name: OpenShift Certification - needs: [vars, build-oss, build-plus, build-operator] + needs: [build-oss, build-plus, build-operator] if: ${{ inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null) }} uses: ./.github/workflows/openshift-certification.yml with: - operator-version: ${{ inputs.operator_version || '' }} - build-os: "ubi" - dry_run: ${{ inputs.dry_run || false }} runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} permissions: contents: read diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 1ace221fb1..c6038e9893 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -3,14 +3,6 @@ name: OpenShift Certification on: workflow_call: inputs: - build-os: - required: true - type: string - default: 'ubi' - dry_run: - required: false - type: boolean - default: false runner: required: false type: string 
@@ -20,42 +12,42 @@ jobs: preflight: runs-on: ${{ inputs.runner }} steps: - - name: Checkout repository - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 - - name: Download preflight binary - run: | - curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64 - chmod +x preflight-linux-amd64 - sudo mv preflight-linux-amd64 /usr/local/bin/preflight + - name: Download preflight binary + run: | + curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64 + chmod +x preflight-linux-amd64 + sudo mv preflight-linux-amd64 /usr/local/bin/preflight - - name: Run preflight for NGINX Gateway Fabric - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi --json > ngf-preflight-result.json + - name: Run preflight for NGINX Gateway Fabric + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi --json > ngf-preflight-result.json - - name: Run preflight for NGINX OSS - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi --json > ngf-oss-preflight-result.json + - name: Run preflight for NGINX OSS + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi --json > ngf-oss-preflight-result.json - - name: Run preflight for NGINX Gateway Fabric Operator - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge --json > ngf-operator-preflight-result.json + - name: Run preflight for NGINX Gateway Fabric Operator + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check operator 
ghcr.io/nginx/nginx-gateway-fabric/operator:edge --json > ngf-operator-preflight-result.json - - name: Aggregate preflight results and fail if any checks failed - run: | - total_failed=0 - for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do - failed_count=$(jq '.results.failed | length' "$result") - total_failed=$((total_failed + failed_count)) - done - if [ "$total_failed" -ne 0 ]; then - echo "Preflight checks failed: $total_failed failed checks across all images" - for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do - echo "Results for $result:" - jq '.results.failed' "$result" - done - exit 1 - fi \ No newline at end of file + - name: Aggregate preflight results and fail if any checks failed + run: | + total_failed=0 + for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do + failed_count=$(jq '.results.failed | length' "$result") + total_failed=$((total_failed + failed_count)) + done + if [ "$total_failed" -ne 0 ]; then + echo "Preflight checks failed: $total_failed failed checks across all images" + for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do + echo "Results for $result:" + jq '.results.failed' "$result" + done + exit 1 + fi From 2ffc89cbbee142d39bf02cefd7b03d9867c371db Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 10:37:53 +0100 Subject: [PATCH 03/39] Add premissions and default run env --- .github/workflows/openshift-certification.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index c6038e9893..0f618ab207 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -8,6 +8,13 @@ on: type: string default: 'ubuntu-24.04' +defaults: + run: + shell: bash + +permissions: + contents: read + jobs: preflight: runs-on: ${{ inputs.runner }} From 34d29e7e3fc3cab73d6a3a22037f050206fa62d1 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 12:12:37 +0100 Subject: [PATCH 04/39] Ensure Openshift ceritfication runs outside of prod release --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 33517fcc24..04fab4db9d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -412,7 +412,7 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: ${{ inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null) }} + if: ${{ inputs.dry_run == false || inputs.dry_run == null) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} From 11cb2ecc3fbb4aa3e793d0ce2c2408ca516fc055 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 13:27:56 +0100 Subject: [PATCH 05/39] Update dry_run input --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 04fab4db9d..49c1108a14 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
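Review bot: In the ci.yml hunk of patch 04 the new condition `${{ inputs.dry_run == false || inputs.dry_run == null) }}` keeps a closing parenthesis whose opening one was removed together with `inputs.is_production_release && (`, so the expression will not parse. Drop the stray `)`: `if: ${{ inputs.dry_run == false || inputs.dry_run == null }}`. The job definition continues outside the hunk.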
@@ -412,7 +412,7 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: ${{ inputs.dry_run == false || inputs.dry_run == null) }} + if: ${{ inputs.dry_run || false }} uses: ./.github/workflows/openshift-certification.yml with: runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} From c132f476678bf9b79c1ab968d395e3c2643d6d99 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 14:23:19 +0100 Subject: [PATCH 06/39] Ensure Openshift certification runs only on merges to main, and during releases --- .github/workflows/ci.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 49c1108a14..16ee428480 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -412,10 +412,15 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: ${{ inputs.dry_run || false }} + if: > + ${{ github.event_name == 'pull_request' + && github.event.pull_request.base.ref == 'main' + || (github.event_name == 'push' && github.ref == 'refs/heads/main') + || (inputs.is_production_release == true) + }} uses: ./.github/workflows/openshift-certification.yml with: - runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} + runner: ubuntu-24.04 permissions: contents: read packages: read From 7597193032b7567e524af0b72304b192945b6d01 Mon Sep 17 00:00:00 2001 
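Review bot: `if: ${{ inputs.dry_run || false }}` in the patch 05 hunk is true only when `dry_run` is set, which appears to be the opposite of the condition it replaces (`dry_run == false || dry_run == null`). If the intent is still to skip certification on dry runs, `if: ${{ !inputs.dry_run }}` expresses it. Because this job inherits the caller's secrets, a short comment above the `if:` stating which events are meant to reach it would help the next reviewer.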
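Review bot: The folded `if: >` in the patch 06 hunk wraps `${{ … }}` in a block scalar that keeps its trailing newline, so the evaluated value is the expression result followed by a newline, a non-empty string that is always truthy. The job, with `secrets: inherit`, would then run on every event that triggers ci.yml rather than only on main and releases. Use `if: >-` to strip the newline, or write the condition without the `${{ }}` wrapper, which `if:` allows.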
From: Shaun Date: Tue, 7 Oct 2025 14:28:23 +0100 Subject: [PATCH 07/39] Potential fix for code scanning alert no. 542: If expression always true Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 16ee428480..ce5fd9fa89 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -412,12 +412,7 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: > - ${{ github.event_name == 'pull_request' - && github.event.pull_request.base.ref == 'main' - || (github.event_name == 'push' && github.ref == 'refs/heads/main') - || (inputs.is_production_release == true) - }} + if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 From 96912088186a3ae479d6b80152946f51aed09693 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 15:39:33 +0100 Subject: [PATCH 08/39] tmp remove if check for certification job --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ce5fd9fa89..b0323e89ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
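Review bot: `github.event_pull_request.base.ref` in the rewritten `if:` is not a path in the `github` context (the line it replaces had `github.event.pull_request.base.ref`), so the pull-request clause presumably never matches and PRs against main skip certification without any error. Restore the dot: `github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main'`. The grouping works because `&&` binds tighter than `||`, but parenthesising the first clause like the other two would make that explicit.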
@@ -412,7 +412,7 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} + # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 From bb8a3495416c2bb86fb71834cf70c5993b0fa45d Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 15:52:50 +0100 Subject: [PATCH 09/39] Remove `--json` flag --- .github/workflows/openshift-certification.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 0f618ab207..307e63c878 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -31,17 +31,17 @@ jobs: - name: Run preflight for NGINX Gateway Fabric env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi --json > ngf-preflight-result.json + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi > ngf-preflight-result.json - name: Run preflight for NGINX OSS env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi --json > ngf-oss-preflight-result.json + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi > ngf-oss-preflight-result.json - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge --json > ngf-operator-preflight-result.json + run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From f164607b2f2524779d59fcda129769acb412ce89 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 16:35:03 +0100 Subject: [PATCH 10/39] Use check container instead of check operator --- .github/workflows/openshift-certification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 307e63c878..98c66a1b16 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
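Review bot: With `--json` removed in the patch 09 hunk, the three steps still redirect stdout to `*-preflight-result.json`, and the aggregate step (outside this hunk) still parses those files with `jq '.results.failed | length'`. Whether preflight's stdout is JSON without the flag is not visible here; if it is not, the aggregate step fails on parsing rather than on actual certification results. Either point `jq` at the results file preflight itself writes, or rename the redirect targets and add a comment such as `# stdout is a log; pass/fail is read from <RESULTS_FILE>`, where the file name is a placeholder to confirm against the tool's documentation.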
@@ -41,7 +41,7 @@ jobs: - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge > ngf-operator-preflight-result.json + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/operator:edge > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From 8d908cfa2117f1874d43cad3a903320e57a8283e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 17:11:10 +0100 Subject: [PATCH 11/39] Add steps to save and tag docker images for use by preflight checks --- .github/workflows/build.yml | 24 +++++++++++ .github/workflows/ci.yml | 9 ++++ .github/workflows/openshift-certification.yml | 42 +++++++++++++++++-- 3 files changed, 72 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cdd3dc2ae0..54c15beda5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -193,3 +193,27 @@ jobs: with: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} + + - name: Save NGINX OSS image as tarball + if: ${{ inputs.image == 'nginx' }} + run: | + docker save -o nginx-oss-image.tar localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }} + + - name: Upload NGINX OSS image artifact + if: ${{ inputs.image == 'nginx' }} + uses: actions/upload-artifact@v4 + with: + name: nginx-oss-image + path: nginx-oss-image.tar + + - name: Save Operator image as tarball + if: ${{ inputs.image == 'operator' }} + run: | + docker save -o operator-image.tar localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} + + - name: Upload Operator image artifact + if: ${{ inputs.image == 'operator' }} + uses: actions/upload-artifact@v4 + with: + name: operator-image + path: operator-image.tar 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b0323e89ce..b369a32404 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -271,6 +271,15 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} + - name: Save NGINX Gateway Fabric image + run: docker save -o ngf-image.tar localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} + + - name: Upload NGINX Gateway Fabric image artifact + uses: actions/upload-artifact@v4 + with: + name: ngf-image + path: ngf-image.tar + assertion: name: Generate and Sign Assertion Documents needs: [vars, binary] diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 98c66a1b16..f5ba2b1177 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -28,20 +28,56 @@ jobs: chmod +x preflight-linux-amd64 sudo mv preflight-linux-amd64 /usr/local/bin/preflight + - name: Download NGINX Gateway Fabric image artifact + uses: actions/download-artifact@v4 + with: + name: ngf-image + + - name: Load NGINX Gateway Fabric image into Docker + run: docker load -i ngf-image.tar + + - name: Tag image for preflight + run: | + docker tag localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} nginx-gateway-fabric:edge-ubi + - name: Run preflight for NGINX Gateway Fabric env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi > ngf-preflight-result.json + run: preflight check container nginx-gateway-fabric:edge-ubi > ngf-preflight-result.json + + - name: Download NGINX NGINX OSS image artifact + uses: actions/download-artifact@v4 + with: + name: nginx-oss-image + + - name: Load NGINX OSS image into Docker + run: docker load -i nginx-oss-image.tar + + - name: Tag image for preflight + run: | + docker tag localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }}nginx-oss:edge-ubi - name: Run preflight for NGINX OSS env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi > ngf-oss-preflight-result.json + run: preflight check container nginx:edge-ubi > ngf-oss-preflight-result.json + + - name: Download NGINX Gateway Fabric Operator image artifact + uses: actions/download-artifact@v4 + with: + name: operator-image + + - name: Load NGINX Gateway Fabric Operator image into Docker + run: docker load -i operator-image.tar + + - name: Tag image for preflight + run: | + docker tag localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} ngf-operator:edge - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check 
container ghcr.io/nginx/nginx-gateway-fabric/operator:edge > ngf-operator-preflight-result.json + run: preflight check operator ngf-operator:edge > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From afc676e94a1896796af4cc6fae311d957f1ed893 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 17:13:29 +0100 Subject: [PATCH 12/39] change operator to container --- .github/workflows/openshift-certification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index f5ba2b1177..81289bb93a 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -77,7 +77,7 @@ jobs: - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check operator ngf-operator:edge > ngf-operator-preflight-result.json + run: preflight check container ngf-operator:edge > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From 8ef4adbc51c77d0cc1be701c96d30ac433cdcea3 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 09:25:13 +0100 Subject: [PATCH 13/39] Move image save and upload to build.yaml. Add debug echo for tags --- .github/workflows/build.yml | 21 +++++++++++++++++++-- .github/workflows/ci.yml | 9 --------- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 54c15beda5..640c46d806 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
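Review bot: In the NGINX OSS `Tag image for preflight` step of patch 11, `…:${{ github.run_id }}-${{ github.run_number }}nginx-oss:edge-ubi` has no space between the source reference and the target name, so `docker tag` receives a single argument and fails. The next step then checks `nginx:edge-ubi` rather than `nginx-oss:edge-ubi`, so even with the space fixed preflight is not pointed at the locally loaded artifact and may resolve a different image of that name; the same mismatch (`nginx-oss:ubi` tagged, `nginx:ubi` checked) is still present in patch 14. Use one name in both places, e.g. `preflight check container nginx-oss:edge-ubi`. The NGF step also tags from `localhost:5000/nginx/nginx-gateway-fabric:` while the other two use `localhost:5000/nginx-gateway-fabric/…`; confirm which repository path the build actually produces.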
@@ -193,11 +193,27 @@ jobs: with: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} + + - name: Save NGINX Gateway Fabric image + if: ${{ inputs.image == 'ngf' }} + run: | + IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1) + docker save -o ngf-image.tar $IMAGE_TAG + + - name: Upload NGINX Gateway Fabric image artifact + uses: actions/upload-artifact@v4 + with: + name: ngf-image + path: ngf-image.tar + + - name: Show all image tags for debugging + run: echo "${{ steps.meta.outputs.tags }}" - name: Save NGINX OSS image as tarball if: ${{ inputs.image == 'nginx' }} run: | - docker save -o nginx-oss-image.tar localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }} + IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1) + docker save -o nginx-oss-image.tar $IMAGE_TAG - name: Upload NGINX OSS image artifact if: ${{ inputs.image == 'nginx' }} @@ -209,7 +225,8 @@ jobs: - name: Save Operator image as tarball if: ${{ inputs.image == 'operator' }} run: | - docker save -o operator-image.tar localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} + IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) + docker save -o operator-image.tar $IMAGE_TAG - name: Upload Operator image artifact if: ${{ inputs.image == 'operator' }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b369a32404..b0323e89ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
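Review bot: The added `Upload NGINX Gateway Fabric image artifact` step has no `if: ${{ inputs.image == 'ngf' }}` guard although the save step before it does, so it also runs for the nginx and operator builds, where `ngf-image.tar` was never written. Add the same `if:` to the upload step. The save steps also paste `${{ steps.meta.outputs.tags }}` directly into the script and leave `$IMAGE_TAG` unquoted; passing the value through `env:` (`TAGS: ${{ steps.meta.outputs.tags }}`) and using `docker save -o ngf-image.tar "$IMAGE_TAG"` keeps expression output out of the shell source. The same applies to the `docker save` line and the debug `echo` kept in patch 16.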
@@ -271,15 +271,6 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} - - name: Save NGINX Gateway Fabric image - run: docker save -o ngf-image.tar localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} - - - name: Upload NGINX Gateway Fabric image artifact - uses: actions/upload-artifact@v4 - with: - name: ngf-image - path: ngf-image.tar - assertion: name: Generate and Sign Assertion Documents needs: [vars, binary] From 118145bffde4b31001b1863e70dd4748260c168e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 09:28:57 +0100 Subject: [PATCH 14/39] Update openshift certification job with new image tags --- .github/workflows/openshift-certification.yml | 27 ++++++++++++------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 81289bb93a..049203dbca 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -36,14 +36,19 @@ jobs: - name: Load NGINX Gateway Fabric image into Docker run: docker load -i ngf-image.tar - - name: Tag image for preflight + - name: Load NGINX Gateway Fabric image into Docker + run: docker load -i ngf-image.tar + + - name: Retag image for preflight run: | - docker tag localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} nginx-gateway-fabric:edge-ubi + IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1) + docker tag $IMAGE_ID nginx-gateway-fabric:ubi + - name: Run preflight for NGINX Gateway Fabric env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container nginx-gateway-fabric:edge-ubi > ngf-preflight-result.json + run: preflight check container nginx-gateway-fabric:ubi > ngf-preflight-result.json - name: Download NGINX NGINX OSS image artifact uses: actions/download-artifact@v4 @@ -53,14 +58,16 @@ jobs: - name: Load NGINX OSS image into Docker run: docker load -i nginx-oss-image.tar - - name: Tag image for preflight + - name: Retag image for preflight run: | - docker tag localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }}nginx-oss:edge-ubi + IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1) + docker tag $IMAGE_ID nginx-oss:ubi + - name: Run preflight for NGINX OSS env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container nginx:edge-ubi > ngf-oss-preflight-result.json + run: preflight check container nginx:ubi > ngf-oss-preflight-result.json - name: Download NGINX Gateway Fabric Operator image artifact uses: actions/download-artifact@v4 
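Review bot: The first hunk of patch 14 adds a second `Load NGINX Gateway Fabric image into Docker` step identical to the context step directly above it, so `docker load -i ngf-image.tar` runs twice; remove the added copy. In the new retag steps, `grep … | head -n 1` over `docker images` takes whichever matching tag happens to be listed first, and `$IMAGE_ID` is used unquoted. Quoting it (`docker tag "$IMAGE_ID" nginx-gateway-fabric:ubi`) and selecting the tag by the version the build reported, rather than by list order, would make clear which image is being certified.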
@@ -70,14 +77,16 @@ jobs: - name: Load NGINX Gateway Fabric Operator image into Docker run: docker load -i operator-image.tar - - name: Tag image for preflight + - name: Retag image for preflight run: | - docker tag localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} ngf-operator:edge + IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) + docker tag $IMAGE_ID ngf-operator:ubi + - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ngf-operator:edge > ngf-operator-preflight-result.json + run: preflight check container ngf-operator:ubi > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From aafd707ecd606b1b830b5173b5513a3ec9144857 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 09:37:01 +0100 Subject: [PATCH 15/39] Fix pre-commit errors --- .github/workflows/build.yml | 2 +- .github/workflows/openshift-certification.yml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 640c46d806..e90c09be51 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -193,7 +193,7 @@ jobs: with: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} - + - name: Save NGINX Gateway Fabric image if: ${{ inputs.image == 'ngf' }} run: | diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 049203dbca..c488d5bf48 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -82,7 +82,6 @@ jobs: IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) docker tag $IMAGE_ID ngf-operator:ubi - - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} From 893fdb1e2863c4f43aefadf3afa42f6300c4c92f Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 10:17:18 +0100 Subject: [PATCH 16/39] Load images to Docker Daemon in build step. Run Openshift certification in matrix of images --- .github/workflows/build.yml | 41 ++-------- .github/workflows/ci.yml | 5 ++ .github/workflows/openshift-certification.yml | 82 +++++-------------- 3 files changed, 34 insertions(+), 94 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e90c09be51..831716bd0f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,6 +46,8 @@ jobs: image: registry:3 ports: - 5000:5000 + outputs: + image_version: ${{ steps.meta.outputs.version }} steps: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -155,6 +157,7 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} push: ${{ !inputs.dry_run }} + load: true platforms: ${{ inputs.platforms }} cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} cache-to: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},mode=max 
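Review bot: In the build.yml hunk of patch 16, `load: true` is added next to `platforms: ${{ inputs.platforms }}` and `push: ${{ !inputs.dry_run }}`; the value of `inputs.platforms` is not visible here, but if it names more than one platform the default docker exporter cannot load the result and the build step fails, unless the runner uses the containerd image store. If only a single-platform image is needed for the preflight tarball, say so in a comment above the line, e.g. `# load needs a single-platform build; used by the docker save step below`, or build that variant in a separate step. The build step's `with:` block starts outside the hunk.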
@@ -194,43 +197,15 @@ jobs: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} - - name: Save NGINX Gateway Fabric image - if: ${{ inputs.image == 'ngf' }} - run: | - IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1) - docker save -o ngf-image.tar $IMAGE_TAG - - - name: Upload NGINX Gateway Fabric image artifact - uses: actions/upload-artifact@v4 - with: - name: ngf-image - path: ngf-image.tar - - name: Show all image tags for debugging run: echo "${{ steps.meta.outputs.tags }}" - - name: Save NGINX OSS image as tarball - if: ${{ inputs.image == 'nginx' }} - run: | - IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1) - docker save -o nginx-oss-image.tar $IMAGE_TAG - - - name: Upload NGINX OSS image artifact - if: ${{ inputs.image == 'nginx' }} - uses: actions/upload-artifact@v4 - with: - name: nginx-oss-image - path: nginx-oss-image.tar - - - name: Save Operator image as tarball - if: ${{ inputs.image == 'operator' }} + - name: Save the image as tarball run: | - IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) - docker save -o operator-image.tar $IMAGE_TAG + docker save -o ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} - - name: Upload Operator image artifact - if: ${{ inputs.image == 'operator' }} + - name: Upload the image artifact uses: actions/upload-artifact@v4 with: - name: operator-image - path: operator-image.tar + name: ${{ inputs.image }}-${{ steps.meta.outputs.version }} + path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b0323e89ce..1fad62b06d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -412,10 +412,15 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] + strategy: + fail-fast: false + matrix: + image: [ngf, nginx, operator] # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 + image_version: ${{ jobs.build.outputs.image_version }} permissions: contents: read packages: read diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index c488d5bf48..88d46d7169 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -7,6 +7,12 @@ on: required: false type: string default: 'ubuntu-24.04' + image_version: + required: true + type: string + image: + required: true + type: string defaults: run: 
@@ -28,77 +34,31 @@ jobs: chmod +x preflight-linux-amd64 sudo mv preflight-linux-amd64 /usr/local/bin/preflight - - name: Download NGINX Gateway Fabric image artifact - uses: actions/download-artifact@v4 - with: - name: ngf-image - - - name: Load NGINX Gateway Fabric image into Docker - run: docker load -i ngf-image.tar - - - name: Load NGINX Gateway Fabric image into Docker - run: docker load -i ngf-image.tar - - - name: Retag image for preflight - run: | - IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1) - docker tag $IMAGE_ID nginx-gateway-fabric:ubi - - - - name: Run preflight for NGINX Gateway Fabric - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container nginx-gateway-fabric:ubi > ngf-preflight-result.json - - - name: Download NGINX NGINX OSS image artifact - uses: actions/download-artifact@v4 - with: - name: nginx-oss-image - - - name: Load NGINX OSS image into Docker - run: docker load -i nginx-oss-image.tar - - - name: Retag image for preflight - run: | - IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1) - docker tag $IMAGE_ID nginx-oss:ubi - - - - name: Run preflight for NGINX OSS - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container nginx:ubi > ngf-oss-preflight-result.json - - - name: Download NGINX Gateway Fabric Operator image artifact + - name: Download image artifact uses: actions/download-artifact@v4 with: - name: operator-image + name: ${{ inputs.image }}-${{ inputs.image_version }} - - name: Load NGINX Gateway Fabric Operator image into Docker - run: docker load -i operator-image.tar + - name: Load image into Docker + run: docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar - name: Retag image for preflight run: | - IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep 
'^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) - docker tag $IMAGE_ID ngf-operator:ubi + loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" + preflight_tag="${{ inputs.image }}:ubi" + docker tag "$loaded_tag" "$preflight_tag" - - name: Run preflight for NGINX Gateway Fabric Operator + - name: Run preflight env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ngf-operator:ubi > ngf-operator-preflight-result.json + run: preflight check container ${{ inputs.image }}:ubi > preflight-result.json - - name: Aggregate preflight results and fail if any checks failed + - name: Check preflight results run: | - total_failed=0 - for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do - failed_count=$(jq '.results.failed | length' "$result") - total_failed=$((total_failed + failed_count)) - done - if [ "$total_failed" -ne 0 ]; then - echo "Preflight checks failed: $total_failed failed checks across all images" - for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do - echo "Results for $result:" - jq '.results.failed' "$result" - done + failed_count=$(jq '.results.failed | length' preflight-result.json) + if [ "$failed_count" -ne 0 ]; then + echo "Preflight checks failed: $failed_count failed checks" + echo "Results for preflight-result.json:" + jq '.results.failed' preflight-result.json exit 1 fi From 9a16ec5b132acd9a7621623cd314b088456044e6 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 10:36:11 +0100 Subject: [PATCH 17/39] Add image to input --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1fad62b06d..f812f840fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
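Review bot: `uses: actions/download-artifact@v4` in the `Download image artifact` step is referenced by a mutable tag, while build.yml in this same patch pins its actions to full commit SHAs (for example `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`). The action runs in the same job as the step that receives `PYXIS_API_TOKEN`, so a retagged release could alter the runner before that secret is used. Pinning it as `uses: actions/download-artifact@<full-commit-sha> # v4.x.y` (placeholder; take the SHA from the release you have reviewed) keeps the job consistent with the rest of the pipeline. `actions/upload-artifact@v4` in the build.yml hunk of this patch has the same issue. The preflight job's earlier steps lie outside the hunk.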
@@ -421,6 +421,7 @@ jobs: with: runner: ubuntu-24.04 image_version: ${{ jobs.build.outputs.image_version }} + image: ${{ matrix.image }} permissions: contents: read packages: read From 90f1618c2026faf25004c710358082197f61549a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 11:02:08 +0100 Subject: [PATCH 18/39] Remove image version output --- .github/workflows/build.yml | 8 +++----- .github/workflows/ci.yml | 1 - .github/workflows/openshift-certification.yml | 9 +++------ 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 831716bd0f..f497989b48 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,8 +46,6 @@ jobs: image: registry:3 ports: - 5000:5000 - outputs: - image_version: ${{ steps.meta.outputs.version }} steps: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -202,10 +200,10 @@ jobs: - name: Save the image as tarball run: | - docker save -o ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} + docker save -o ${{ inputs.image }}.tar localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} - name: Upload the image artifact uses: actions/upload-artifact@v4 with: - name: ${{ inputs.image }}-${{ steps.meta.outputs.version }} - path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar + name: ${{ inputs.image }} + path: ${{ inputs.image }}.tar diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f812f840fb..e1781707eb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -420,7 +420,6 @@ jobs: uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 - image_version: ${{ jobs.build.outputs.image_version }} image: ${{ matrix.image }} permissions: contents: read 
diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 88d46d7169..278aed7eaf 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -7,9 +7,6 @@ on: required: false type: string default: 'ubuntu-24.04' - image_version: - required: true - type: string image: required: true type: string @@ -37,14 +34,14 @@ jobs: - name: Download image artifact uses: actions/download-artifact@v4 with: - name: ${{ inputs.image }}-${{ inputs.image_version }} + name: ${{ inputs.image }} - name: Load image into Docker - run: docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar + run: docker load -i ${{ inputs.image }}.tar - name: Retag image for preflight run: | - loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" + loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}" preflight_tag="${{ inputs.image }}:ubi" docker tag "$loaded_tag" "$preflight_tag" From ff72dc3d64255c52e1d05e488505e424c6f989d8 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 11:26:55 +0100 Subject: [PATCH 19/39] Use docker buildx to ensure images for multi platforms are saved --- .github/workflows/build.yml | 26 ++++++++++++------- .github/workflows/ci.yml | 2 ++ .github/workflows/openshift-certification.yml | 9 ++++--- 3 files changed, 24 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f497989b48..cc840cb401 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -155,7 +155,6 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} push: ${{ !inputs.dry_run }} - load: true platforms: ${{ inputs.platforms }} cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} cache-to: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},mode=max @@ -195,15 +194,22 @@ jobs: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} - - name: Show all image tags for debugging - run: echo "${{ steps.meta.outputs.tags }}" - - - name: Save the image as tarball + - name: Export and upload images for all platforms run: | - docker save -o ${{ inputs.image }}.tar localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} - - - name: Upload the image artifact + # Remove spaces and split platforms by comma + platforms=$(echo "${{ inputs.platforms }}" | tr -d ' ' | tr ',' ' ') + for platform in $platforms; do + # Replace / with - for tarball name (e.g., linux/amd64 -> linux-amd64) + plat_tag=$(echo "$platform" | tr '/' '-') + # Create a local reference for the platform + docker buildx imagetools create --tag tempimg-$plat_tag ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --platform $platform + # Export the image as a tarball + docker buildx imagetools export tempimg-$plat_tag > ${{ inputs.image }}-$plat_tag.tar + done + + - name: Upload all image artifacts uses: actions/upload-artifact@v4 with: - name: ${{ inputs.image }} - path: ${{ inputs.image }}.tar + name: ${{ inputs.image }}-images + path: ${{ inputs.image }}-*.tar + diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e1781707eb..12354ca2ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -416,11 +416,13 @@ jobs: fail-fast: false matrix: image: [ngf, nginx, operator] + platform: ["linux/amd64", "linux/arm64"] # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 image: ${{ matrix.image }} + platform: ${{ matrix.platform }} permissions: contents: read packages: read diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 278aed7eaf..37286cbde6 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -10,6 +10,9 @@ on: image: required: true type: string + platform: + required: true + type: string defaults: run: @@ -34,14 +37,14 @@ jobs: - name: Download image artifact uses: actions/download-artifact@v4 with: - name: ${{ inputs.image }} + name: ${{ inputs.image }}-images # or ${{ inputs.image }}-linux-${{ inputs.platform | tr '/' '-' }} - name: Load image into Docker - run: docker load -i ${{ inputs.image }}.tar + run: docker load -i ${{ inputs.image }}-${{ inputs.platform | tr '/' '-' }}.tar - name: Retag image for preflight run: | - loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}" + loaded_tag="ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" preflight_tag="${{ inputs.image }}:ubi" docker tag "$loaded_tag" "$preflight_tag" From ff3b9599695473dd4c588ef874b7662100fd225c Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 11:29:10 +0100 Subject: [PATCH 20/39] Fix pre-commit errors --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cc840cb401..418bbb24ef 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -212,4 +212,3 @@ jobs: with: name: ${{ inputs.image }}-images path: ${{ inputs.image }}-*.tar - From e76b660ad9a8cd1a51524ed9f350cc9256f7ffa0 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 13:59:34 +0100 Subject: [PATCH 21/39] Ensure image_version is passed to opernshift certification --- .github/workflows/build.yml | 5 +++++ .github/workflows/ci.yml | 4 ++++ .github/workflows/openshift-certification.yml | 4 +++- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 418bbb24ef..6b91f069b8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,6 +25,9 @@ on: required: false type: string default: 'ubuntu-24.04' + outputs: + image_version: + value: ${{ jobs.build.outputs.image_version }} defaults: run: @@ -41,6 +44,8 @@ jobs: packages: write # for docker/build-push-action to push to GHCR id-token: write # for docker/login to login to NGINX registry runs-on: ${{ inputs.runner }} + outputs: + image_version: ${{ steps.meta.outputs.version }} services: registry: image: registry:3 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 12354ca2ee..dba3de6621 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -423,6 +423,10 @@ jobs: runner: ubuntu-24.04 image: ${{ matrix.image }} platform: ${{ matrix.platform }} + image_version: > + ${{ matrix.image == 'ngf' && needs.build-oss.outputs.image_version + || matrix.image == 'nginx' && needs.build-oss.outputs.image_version + || matrix.image == 'operator' && needs.build-operator.outputs.image_version }} permissions: contents: read packages: read diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 37286cbde6..1c66873847 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -40,7 +40,9 @@ jobs: name: ${{ inputs.image }}-images # or ${{ inputs.image }}-linux-${{ inputs.platform | tr '/' '-' }} - name: Load image into Docker - run: docker load -i ${{ inputs.image }}-${{ inputs.platform | tr '/' '-' }}.tar + run: | + plat_tag=$(echo "${{ inputs.platform }}" | tr '/' '-') + docker load -i ${{ inputs.image }}-$plat_tag.tar - name: Retag image for preflight run: | From cb8d8f90e9d096d6732db48395be96f62b5a9404 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 14:07:53 +0100 Subject: [PATCH 22/39] Add image_version to inputs --- .github/workflows/openshift-certification.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 1c66873847..4f428b1c10 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -13,6 +13,9 @@ on: platform: required: true type: string + image_version: + required: true + type: string defaults: run: From a9d3eb918e44a9ee3d149acefe56055ae59345f2 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 14:24:48 +0100 Subject: [PATCH 23/39] Remove platform option --- .github/workflows/build.yml | 15 +++++---------- .github/workflows/ci.yml | 1 - .github/workflows/openshift-certification.yml | 8 ++------ 3 files changed, 7 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6b91f069b8..4ee716f4fe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -199,21 +199,16 @@ jobs: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} - - name: Export and upload images for all platforms + - name: Export and upload images run: | - # Remove spaces and split platforms by comma - platforms=$(echo "${{ inputs.platforms }}" | tr -d ' ' | tr ',' ' ') - for platform in $platforms; do - # Replace / with - for tarball name (e.g., linux/amd64 -> linux-amd64) - plat_tag=$(echo "$platform" | tr '/' '-') # Create a local reference for the platform - docker buildx imagetools create --tag tempimg-$plat_tag ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --platform $platform + docker buildx imagetools create --tag temp ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} # Export the image as a tarball - docker buildx imagetools export tempimg-$plat_tag > ${{ inputs.image }}-$plat_tag.tar + docker buildx imagetools export temp > ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar done - name: Upload all image artifacts uses: actions/upload-artifact@v4 with: - name: ${{ inputs.image }}-images - path: ${{ inputs.image }}-*.tar + name: ${{ inputs.image }}-${{ steps.meta.outputs.version }} + path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dba3de6621..03b2bbbd11 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -416,7 +416,6 @@ jobs: fail-fast: false matrix: image: [ngf, nginx, operator] - platform: ["linux/amd64", "linux/arm64"] # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: 
diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 4f428b1c10..dd5b6a2d1d 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -10,9 +10,6 @@ on: image: required: true type: string - platform: - required: true - type: string image_version: required: true type: string @@ -40,12 +37,11 @@ jobs: - name: Download image artifact uses: actions/download-artifact@v4 with: - name: ${{ inputs.image }}-images # or ${{ inputs.image }}-linux-${{ inputs.platform | tr '/' '-' }} + name: ${{ inputs.image }}-images - name: Load image into Docker run: | - plat_tag=$(echo "${{ inputs.platform }}" | tr '/' '-') - docker load -i ${{ inputs.image }}-$plat_tag.tar + docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar - name: Retag image for preflight run: | From 7d185bffb9e342dc163cace46e3e4ca007951ba8 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 14:28:32 +0100 Subject: [PATCH 24/39] Remove platform from `with` --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 03b2bbbd11..b9f904fa39 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -421,7 +421,6 @@ jobs: with: runner: ubuntu-24.04 image: ${{ matrix.image }} - platform: ${{ matrix.platform }} image_version: > ${{ matrix.image == 'ngf' && needs.build-oss.outputs.image_version || matrix.image == 'nginx' && needs.build-oss.outputs.image_version From 4fbeed65e1fe871778a6e5cff09c2d01138db5fb Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 14:41:10 +0100 Subject: [PATCH 25/39] Log into container reg to upload images --- .github/workflows/build.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4ee716f4fe..55172440c3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -199,6 +199,13 @@ jobs: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} + - name: Login to GitHub Container Registry + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Export and upload images run: | # Create a local reference for the platform From 6f9f14b0e58a782245f27ceda6fa9a202b9ec059 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 14:59:40 +0100 Subject: [PATCH 26/39] Add debugging echo for tags --- .github/workflows/build.yml | 5 ++++- .github/workflows/openshift-certification.yml | 9 +++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 55172440c3..4e4d672cfc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -198,6 +198,9 @@ jobs: with: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} + + - name: Show all image tags for debugging + run: echo "${{ steps.meta.outputs.tags }}" - name: Login to GitHub Container Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 @@ -218,4 +221,4 @@ jobs: uses: actions/upload-artifact@v4 with: name: ${{ inputs.image }}-${{ steps.meta.outputs.version }} - path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar + path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar \ No newline at end of file diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index dd5b6a2d1d..2dc24891d0 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -63,3 +63,12 @@ jobs: jq '.results.failed' preflight-result.json exit 1 fi + + cleanup: + runs-on: ubuntu-24.04 + if: always() + steps: + - name: Delete image from registry + run: | + curl -X DELETE "https://ghcr.io/v2/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" \ + -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file From 912a3ff259ec1032c27e79a6f936bf53b765af7d Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 15:14:51 +0100 Subject: [PATCH 27/39] Only export and upload UBI images --- .github/workflows/build.yml | 3 ++- .github/workflows/openshift-certification.yml | 18 +++++++++--------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4e4d672cfc..962e864335 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -210,9 +210,10 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Export and upload images + if: ${{ build-os == 'ubi' && !inputs.dry_run }} run: | # Create a local reference for the platform - docker buildx imagetools create --tag temp ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} + docker buildx imagetools create --tag temp localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} # Export the image as a tarball docker buildx imagetools export temp > ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar done diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 2dc24891d0..002fea60c8 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
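Review bot: The new `cleanup` job interpolates `${{ secrets.GITHUB_TOKEN }}` directly into the `curl` command line, which puts the token into the rendered script and the process arguments; map it with `env:` (`GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and send `-H "Authorization: Bearer $GITHUB_TOKEN"` instead. `curl -X DELETE` is also called without `--fail`, so an HTTP error response still exits 0 and the step reports success even when nothing was deleted. That outcome seems likely as written: the caller in ci.yml grants this reusable workflow only `packages: read`, and the URL addresses `name:tag` rather than a manifest endpoint, so confirm which API and token scope the deletion is meant to use. The job also has `if: always()` but no `needs: preflight`, so it is not ordered after the check it is meant to clean up after.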
@@ -45,7 +45,7 @@ jobs: - name: Retag image for preflight run: | - loaded_tag="ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" + loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" preflight_tag="${{ inputs.image }}:ubi" docker tag "$loaded_tag" "$preflight_tag" @@ -64,11 +64,11 @@ jobs: exit 1 fi - cleanup: - runs-on: ubuntu-24.04 - if: always() - steps: - - name: Delete image from registry - run: | - curl -X DELETE "https://ghcr.io/v2/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file + # cleanup: + # runs-on: ubuntu-24.04 + # if: always() + # steps: + # - name: Delete image from registry + # run: | + # curl -X DELETE "https://ghcr.io/v2/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" \ + # -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file From 5064ef62da9c4c29d1f42063119d74d3044fe201 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 15:19:08 +0100 Subject: [PATCH 28/39] Fix inputs --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 962e864335..7e23995ed9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -210,7 +210,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Export and upload images - if: ${{ build-os == 'ubi' && !inputs.dry_run }} + if: ${{ inputs.build-os == 'ubi' && !inputs.dry_run }} run: | # Create a local reference for the platform docker buildx imagetools create --tag temp localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} From a219d77e56f02ae77bc90aee1a67da2ec93c8d7d Mon Sep 17 00:00:00 2001 
From: shaun-nx Date: Wed, 8 Oct 2025 15:31:47 +0100 Subject: [PATCH 29/39] Fix export step --- .github/workflows/build.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7e23995ed9..5967da3d29 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -212,11 +212,7 @@ jobs: - name: Export and upload images if: ${{ inputs.build-os == 'ubi' && !inputs.dry_run }} run: | - # Create a local reference for the platform - docker buildx imagetools create --tag temp localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} - # Export the image as a tarball - docker buildx imagetools export temp > ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar - done + docker buildx imagetools export localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} > ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar - name: Upload all image artifacts uses: actions/upload-artifact@v4 From afc4c36f9de460aa3e71f80bc414c2d88c767e82 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 15:51:20 +0100 Subject: [PATCH 30/39] Debug docker buildx --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5967da3d29..88bf8de632 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -68,6 +68,9 @@ jobs: with: driver-opts: network=host + - name: Show Buildx version + run: docker buildx version + - name: Setup QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: From e0b7b9a3a036d9221adf02218344a637a8115fd6 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 16:03:50 +0100 Subject: [PATCH 31/39] Update Buildx step --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 88bf8de632..c7c5ab4366 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -66,6 +66,8 @@ jobs: - name: Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: + install: true + version: latest driver-opts: network=host - name: Show Buildx version From fd02d1213b88ed712a7f191011aa85b00204ba1f Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 16:04:57 +0100 Subject: [PATCH 32/39] Debug export command --- .github/workflows/build.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c7c5ab4366..24250b4a24 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -69,10 +69,16 @@ jobs: install: true version: latest driver-opts: network=host - + - name: Show Buildx version run: docker buildx version + - name: Show Buildx help + run: docker buildx --help + + - name: Show Buildx export help + run: docker buildx imagetools export --help + - name: Setup QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: From ce3f4c675f56015c6dea86136e8394e8f6110d58 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 16:26:39 +0100 Subject: [PATCH 33/39] Use docker save instead of buildx --- .github/workflows/build.yml | 23 +++---------------- .github/workflows/openshift-certification.yml | 13 ++--------- 2 files changed, 5 insertions(+), 31 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 24250b4a24..2fbc93e309 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -66,18 +66,7 @@ jobs: - name: Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: - install: true - version: latest driver-opts: network=host - - - name: Show Buildx version - run: docker buildx version - - - name: Show Buildx help - run: docker buildx --help - - - name: Show Buildx export help - run: docker buildx imagetools export --help - name: Setup QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 @@ -213,17 +202,11 @@ jobs: - name: Show all image tags for debugging run: echo "${{ steps.meta.outputs.tags }}" - - name: Login to GitHub Container Registry - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Export and upload images + - name: Pull and save image artifact for linux/amd64 if: ${{ inputs.build-os == 'ubi' && !inputs.dry_run }} run: | - docker buildx imagetools export localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} > ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar + docker pull --platform=linux/amd64 localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} + docker save localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} -o ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar - name: Upload all image artifacts uses: actions/upload-artifact@v4 diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 002fea60c8..8ac950b675 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -37,7 +37,7 @@ jobs: - name: Download image artifact uses: actions/download-artifact@v4 with: - name: ${{ inputs.image }}-images + name: ${{ inputs.image }}-${{ inputs.image_version }} - name: Load image into Docker run: | @@ -62,13 +62,4 @@ jobs: echo "Results for preflight-result.json:" jq '.results.failed' preflight-result.json exit 1 - fi - - # cleanup: - # runs-on: ubuntu-24.04 - # if: always() - # steps: - # - name: Delete image from registry - # run: | - # curl -X DELETE "https://ghcr.io/v2/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" \ - # -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file + fi \ No newline at end of file From f5adba0c2d31bcba1006142063b904dc9849b304 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 17:10:04 +0100 Subject: [PATCH 34/39] Change load command and if check for saving --- .github/workflows/build.yml | 2 +- .github/workflows/openshift-certification.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2fbc93e309..9a17a3f02d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -203,7 +203,7 @@ jobs: run: echo "${{ steps.meta.outputs.tags }}" - name: Pull and save image artifact for linux/amd64 - if: ${{ inputs.build-os == 'ubi' && !inputs.dry_run }} + if: ${{ (inputs.build-os == 'ubi'|| inputs.image == 'operator') && !inputs.dry_run }} run: | docker pull --platform=linux/amd64 localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} docker save localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} -o ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 8ac950b675..4435073cd7 100644 --- a/.github/workflows/openshift-certification.yml 
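Review bot: The `Download image artifact` step edited in this hunk still references `actions/download-artifact@v4` by a mutable tag, while build.yml in the same series pins `docker/setup-buildx-action` and `docker/setup-qemu-action` to full commit SHAs with the version in a trailing comment. This job loads the downloaded tarball into Docker for the preflight run, so the action that fetches it deserves the same treatment: `uses: actions/download-artifact@<full-commit-sha> # v4`. `actions/upload-artifact@v4` in build.yml has the same form and should be pinned alongside it.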
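Review bot: The widened `if:` on the save step is not mirrored on `Upload all image artifacts`, which, as the later yamllint patch shows in full, carries no condition at all. For builds that skip the save step the upload therefore finds no tarball, and with upload-artifact's default of only warning on a missing path the build job still passes, leaving the failure to surface later in the certification job. Put the same condition on the upload step and add `if-no-files-found: error` under its `with:`. As a small style point, `'ubi'||` lacks a space before the operator: `if: ${{ (inputs.build-os == 'ubi' || inputs.image == 'operator') && !inputs.dry_run }}`.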
+++ b/.github/workflows/openshift-certification.yml @@ -41,7 +41,7 @@ jobs: - name: Load image into Docker run: | - docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar + docker load -i ${{ inputs.image }}-${{ inputs.image_version }}/${{ inputs.image }}-${{ inputs.image_version }}.tar - name: Retag image for preflight run: | From 9cbee5310b303f1c8006a0868af3e15186d76f92 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 17:35:30 +0100 Subject: [PATCH 35/39] Fix yamllint errors --- .github/workflows/build.yml | 4 ++-- .github/workflows/openshift-certification.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9a17a3f02d..63c2ea5c55 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -198,7 +198,7 @@ jobs: with: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} - + - name: Show all image tags for debugging run: echo "${{ steps.meta.outputs.tags }}" @@ -212,4 +212,4 @@ jobs: uses: actions/upload-artifact@v4 with: name: ${{ inputs.image }}-${{ steps.meta.outputs.version }} - path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar \ No newline at end of file + path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 4435073cd7..ae9bab54ec 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -62,4 +62,4 @@ jobs: echo "Results for preflight-result.json:" jq '.results.failed' preflight-result.json exit 1 - fi \ No newline at end of file + fi From d75ade3e45f71155ca5122de487ec1c196514124 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 17:49:41 +0100 Subject: [PATCH 36/39] Move tarball to workspace root --- .github/workflows/openshift-certification.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
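Review bot: The new `docker load -i` path in `Load image into Docker` assumes the artifact is unpacked into a directory named after it, but `actions/download-artifact@v4`, when given a single `name` and no `path`, extracts the files straight into the workspace. The tarball therefore stays at `<image>-<version>.tar` in the workspace root and the nested path should not exist, which is consistent with the later patches in this series returning to the root path. Rather than relying on the default, state the location in the download step, for example `path: ${{ runner.temp }}/preflight-image`, and load the tarball from that directory.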
diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index ae9bab54ec..1c1dafba55 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -39,9 +39,12 @@ jobs: with: name: ${{ inputs.image }}-${{ inputs.image_version }} + - name: Move tarball to workspace root + run: mv ${{ inputs.image }}-${{ inputs.image_version }}/*.tar . + - name: Load image into Docker run: | - docker load -i ${{ inputs.image }}-${{ inputs.image_version }}/${{ inputs.image }}-${{ inputs.image_version }}.tar + docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar - name: Retag image for preflight run: | From 4fad4136f2dbd81619eeb2555d3ec0203a581643 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 18:06:47 +0100 Subject: [PATCH 37/39] Update mv command --- .github/workflows/openshift-certification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 1c1dafba55..59b3486f57 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -40,7 +40,7 @@ jobs: name: ${{ inputs.image }}-${{ inputs.image_version }} - name: Move tarball to workspace root - run: mv ${{ inputs.image }}-${{ inputs.image_version }}/*.tar . + run: mv ${{ inputs.image }}-${{ inputs.image_version }}/*.tar ${{ inputs.image }}-${{ inputs.image_version }}.tar - name: Load image into Docker run: | From aeb55e6126d587bd46eac241913d034138215aea Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 18:47:32 +0100 Subject: [PATCH 38/39] Debug downloaded artifacts --- .github/workflows/openshift-certification.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 59b3486f57..2d2ac1f0c2 100644 
--- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -38,6 +38,10 @@ jobs: uses: actions/download-artifact@v4 with: name: ${{ inputs.image }}-${{ inputs.image_version }} + + - name: List files after artifact download + run: ls -lR ${{ inputs.image }}-${{ inputs.image_version }} + - name: Move tarball to workspace root run: mv ${{ inputs.image }}-${{ inputs.image_version }}/*.tar ${{ inputs.image }}-${{ inputs.image_version }}.tar From decd459c6990a607cabdaf10b4a8820303c13082 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 19:03:32 +0100 Subject: [PATCH 39/39] Remove mv step --- .github/workflows/openshift-certification.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 2d2ac1f0c2..dd8303585b 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -40,11 +40,7 @@ jobs: name: ${{ inputs.image }}-${{ inputs.image_version }} - name: List files after artifact download - run: ls -lR ${{ inputs.image }}-${{ inputs.image_version }} - - - - name: Move tarball to workspace root - run: mv ${{ inputs.image }}-${{ inputs.image_version }}/*.tar ${{ inputs.image }}-${{ inputs.image_version }}.tar + run: ls -l ${{ inputs.image }}-${{ inputs.image_version }}.tar - name: Load image into Docker run: |