nginx · shaun-nx · Oct 7, 2025 · Oct 7, 2025 · Oct 7, 2025 · Oct 7, 2025
@@ -193,3 +193,22 @@ jobs:
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
           category: build-${{ inputs.image }}
+
+      - name: Export and upload images for all platforms
+        run: |
+          # Remove spaces and split platforms by comma
+          platforms=$(echo "${{ inputs.platforms }}" | tr -d ' ' | tr ',' ' ')
+          for platform in $platforms; do
+          # Replace / with - for tarball name (e.g., linux/amd64 -> linux-amd64)
+          plat_tag=$(echo "$platform" | tr '/' '-')
+          # Create a local reference for the platform
+          docker buildx imagetools create --tag tempimg-$plat_tag ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --platform $platform
+          # Export the image as a tarball
+          docker buildx imagetools export tempimg-$plat_tag > ${{ inputs.image }}-$plat_tag.tar
+          done
+
+      - name: Upload all image artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.image }}-images
+          path: ${{ inputs.image }}-*.tar
@@ -409,6 +409,25 @@ jobs:
       id-token: write # for docker/login to login to NGINX registry
     secrets: inherit
 
+  openshift-certification:
+    name: OpenShift Certification
+    needs: [build-oss, build-plus, build-operator]
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [ngf, nginx, operator]
+        platform: ["linux/amd64", "linux/arm64"]
+    # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }}
+    uses: ./.github/workflows/openshift-certification.yml
+    with:
+      runner: ubuntu-24.04
+      image: ${{ matrix.image }}
+      platform: ${{ matrix.platform }}
+    permissions:
+      contents: read
+      packages: read
+    secrets: inherit
+
   functional-tests:
     name: Functional tests
     needs: [vars, build-oss, build-plus]

@@ -0,0 +1,64 @@
+name: OpenShift Certification
+
+on:
+  workflow_call:
+    inputs:
+      runner:
+        required: false
+        type: string
+        default: 'ubuntu-24.04'
+      image:
+        required: true
+        type: string
+      platform:
+        required: true
+        type: string
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  preflight:
+    runs-on: ${{ inputs.runner }}
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Download preflight binary
+      run: |
+        curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64
+        chmod +x preflight-linux-amd64
+        sudo mv preflight-linux-amd64 /usr/local/bin/preflight
+
+    - name: Download image artifact
+      uses: actions/download-artifact@v4
+      with:
+        name: ${{ inputs.image }}-images  # or ${{ inputs.image }}-linux-${{ inputs.platform | tr '/' '-' }}
+
+    - name: Load image into Docker
+      run: docker load -i ${{ inputs.image }}-${{ inputs.platform | tr '/' '-' }}.tar
+
+    - name: Retag image for preflight
+      run: |
+        loaded_tag="ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}"
+        preflight_tag="${{ inputs.image }}:ubi"
+        docker tag "$loaded_tag" "$preflight_tag"
+
+    - name: Run preflight
+      env:
+        PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
+      run: preflight check container ${{ inputs.image }}:ubi > preflight-result.json
+
+    - name: Check preflight results
+      run: |
+        failed_count=$(jq '.results.failed | length' preflight-result.json)
+        if [ "$failed_count" -ne 0 ]; then
+        echo "Preflight checks failed: $failed_count failed checks"
+        echo "Results for preflight-result.json:"
+        jq '.results.failed' preflight-result.json
+        exit 1
+        fi