Update CI for release-3.1 (#3858)
lucacome authored May 4, 2023
1 parent be8ff16 commit bb573c1
Showing 14 changed files with 220 additions and 189 deletions.
82 changes: 44 additions & 38 deletions .github/workflows/build-oss.yml
Expand Up @@ -12,9 +12,6 @@ on:
tag:
required: false
type: string
sha_long:
required: false
type: string

defaults:
run:
Expand All @@ -23,12 +20,17 @@ defaults:
jobs:
build:
runs-on: ubuntu-22.04
permissions:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS ECR
packages: write # for docker/build-push-action to push to GHCR
outputs:
version: ${{ steps.meta.outputs.version }}
image_digest: ${{ steps.build-push.outputs.digest }}
steps:
- name: Checkout Repository
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
ref: ${{ inputs.tag != '' && format('refs/tags/v{0}', inputs.tag) || github.ref }}
fetch-depth: 0
Expand All @@ -43,7 +45,7 @@ jobs:
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
with:
platforms: arm,arm64,ppc64le,s390x
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Docker Buildx
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
Expand All @@ -53,31 +55,36 @@ jobs:
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Login to GitHub Container Registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Login to Public ECR
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Login to Quay.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
if: github.event_name != 'pull_request'
if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}

- name: Get short tag
id: tag
Expand All @@ -89,8 +96,9 @@ jobs:

- name: Docker meta
id: meta
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0
with:
context: ${{ inputs.tag != '' && 'git' || 'workflow' }}
images: |
name=nginx/nginx-ingress
name=ghcr.io/nginxinc/kubernetes-ingress
Expand All @@ -111,7 +119,6 @@ jobs:
org.opencontainers.image.description=NGINX Ingress Controller for Kubernetes
org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
org.opencontainers.image.revision=${{ inputs.sha_long != '' && inputs.sha_long || github.sha }}
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/README.md
io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg
io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"kubernetes@nginx.com"}]
Expand All @@ -123,54 +130,53 @@ jobs:
id: build-push
with:
file: build/Dockerfile
context: '.'
context: "."
cache-from: type=gha,scope=${{ inputs.image }}
cache-to: type=gha,scope=${{ inputs.image }},mode=max
target: goreleaser
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }}
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }}
load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }}
push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
pull: true
no-cache: ${{ github.event_name != 'pull_request' }}
sbom: ${{ github.event_name != 'pull_request' }}
no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}
provenance: false
build-args: |
BUILD_OS=${{ inputs.image }}
IC_VERSION=${{ github.event_name == 'pull_request' && 'CI' || steps.meta.outputs.version }}
IC_VERSION=${{ (github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-')) && 'CI' || steps.meta.outputs.version }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # 0.9.2
uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
continue-on-error: true
with:
image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
format: 'sarif'
output: 'trivy-results-${{ inputs.image }}.sarif'
ignore-unfixed: 'true'
format: "sarif"
output: "trivy-results-${{ inputs.image }}.sarif"
ignore-unfixed: "true"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
continue-on-error: true
with:
sarif_file: 'trivy-results-${{ inputs.image }}.sarif'
sarif_file: "trivy-results-${{ inputs.image }}.sarif"

- name: Upload Scan Results
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
continue-on-error: true
with:
name: 'trivy-results-${{ inputs.image }}.sarif'
path: 'trivy-results-${{ inputs.image }}.sarif'
name: "trivy-results-${{ inputs.image }}.sarif"
path: "trivy-results-${{ inputs.image }}.sarif"
if: always()

send-notification:
name: Send Notification
needs: build
uses: ./.github/workflows/updates-notification.yml
with:
sha_long: ${{ inputs.sha_long }}
tag: ${{ inputs.tag }}
version: ${{ needs.build.outputs.version }}
image_digest: ${{ needs.build.outputs.image_digest }}
secrets: inherit
if: ${{ inputs.tag != '' }}
name: Send Notification
needs: build
uses: ./.github/workflows/updates-notification.yml
with:
tag: ${{ inputs.tag }}
version: ${{ needs.build.outputs.version }}
image_digest: ${{ needs.build.outputs.image_digest }}
secrets: inherit
if: ${{ inputs.tag != '' }}
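Review bot: The `Login to Public ECR` step still authenticates with the long-lived `secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY` pair, so the temporary credentials obtained by the new `Configure AWS Credentials` step (`role-to-assume`, backed by the job's new `id-token: write`) are never consumed by the login that follows it. docker/login-action documents that it logs in to `public.ecr.aws` with the AWS credentials present in the runner environment when `username`/`password` are omitted, so the fix is to drop the two lines `username: ${{ secrets.AWS_ACCESS_KEY_ID }}` and `password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}` from that step, keeping `registry: public.ecr.aws` and its `if:`; once that is verified the static key pair can be retired from the repository secrets. The same pattern appears in build-plus.yml, where `Login to ECR` still passes the static keys directly after its own `Configure AWS Credentials` step. If the static inputs are deliberately kept as a fallback during the migration, a comment on the step saying so would stop the next reader from assuming the OIDC role is already in effect.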
36 changes: 26 additions & 10 deletions .github/workflows/build-plus.yml
Expand Up @@ -28,10 +28,11 @@ jobs:
permissions:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS
runs-on: ubuntu-22.04
steps:
- name: Checkout Repository
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with:
fetch-depth: 0

Expand All @@ -50,25 +51,39 @@ jobs:
- name: Docker Buildx
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0

- name: GCR Login
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # v1.1.0
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
if: github.event_name != 'pull_request'

- name: Login to GCR
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GCR_JSON_KEY }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
if: github.event_name != 'pull_request'

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }}
if: startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws')

- name: Login to ECR
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
if: startsWith(github.ref, 'refs/tags/')
if: startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws')

- name: Docker meta
id: meta
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0
with:
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress
Expand All @@ -80,6 +95,7 @@ jobs:
tags: |
type=edge
type=ref,event=pr
type=ref,event=branch,enable=${{ startsWith(github.ref, 'refs/heads/release-') }}
type=schedule,pattern={{date 'YYYYMMDD'}}
type=semver,pattern={{version}}
labels: |
Expand Down Expand Up @@ -146,7 +162,7 @@ jobs:
${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # 0.9.2
uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
continue-on-error: true
with:
image-ref: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }}
Expand All @@ -155,7 +171,7 @@ jobs:
ignore-unfixed: 'true'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
continue-on-error: true
with:
sarif_file: 'trivy-results-${{ inputs.image }}.sarif'
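Review bot: The comment on the new job permission `id-token: write # for OIDC login to AWS` understates why the job needs it: the new `Authenticate to Google Cloud` step uses `workload_identity_provider`, which also exchanges the GitHub OIDC token, so the GCR login depends on this permission as well and would break if someone later narrowed it once the AWS steps move elsewhere. Suggested wording: `id-token: write # for OIDC login to Google Cloud (workload identity) and AWS ECR`. The `Authenticate to Google Cloud` and `Login to GCR` steps are both gated on `github.event_name != 'pull_request'`, so the `steps.auth.outputs.access_token` reference is consistent; a one-line comment on the login step noting that the password is the short-lived token from `steps.auth` would make that dependency explicit.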
