nginxinc · pdabelf5 · Jan 22, 2024 · Jan 19, 2024 · Jan 19, 2024 · Jan 19, 2024
@@ -16,6 +16,10 @@ inputs:
     description: Docker image to use
     default: debian
     required: false
+  test-image:
+    description: Test Docker image to use
+    default: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:latest
+    required: false
   marker:
     description: Marker to use
     required: false
@@ -31,6 +35,12 @@ inputs:
   rhel-license:
     description: RHEL license for UBI builds
     required: false
+  gcr-workload-identity-secret:
+    description: Google Workflow Identity secret
+    required: false
+  gcr-service-account-secret:
+    description: Google Service Account secret
+    required: false
 
 outputs:
   test-results-name:
@@ -77,16 +87,6 @@ runs:
           ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', inputs.nginx-key) || '' }}
           ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', inputs.rhel-license) || '' }}
 
-    - name: Build Test-Runner Container
-      uses: docker/build-push-action@v3
-      with:
-        file: tests/Dockerfile
-        context: "."
-        cache-from: type=gha,scope=test-runner
-        tags: test-runner:${{ github.sha }}
-        pull: true
-        load: true
-
     - name: Deploy Kubernetes
       id: k8s
       run: |
@@ -105,14 +105,47 @@ runs:
         sed -i 's|server:.*|server: https://${{ steps.k8s.outputs.cluster_ip }}:6443|' ~/.kube/kind/config
       shell: bash
 
+    - name: Authenticate to Google Cloud
+      id: auth
+      uses: google-github-actions/auth@v2
+      with:
+        token_format: access_token
+        workload_identity_provider: ${{ inputs.gcr-workload-identity-secret }}
+        service_account: ${{ inputs.gcr-service-account-secret }}
+
+    - name: Login to GCR
+      uses: docker/login-action@v3
+      with:
+        registry: gcr.io
+        username: oauth2accesstoken
+        password: ${{ steps.auth.outputs.access_token }}
+
+    - name: Check if image exists
+      id: check-image
+      run: |
+        docker manifest inspect ${{ inputs.test-image }}
+      shell: bash
+      continue-on-error: true
+
+    - name: Build Test-Runner Container
+      uses: docker/build-push-action@v3
+      with:
+        file: tests/Dockerfile
+        context: "."
+        cache-from: type=gha,scope=test-runner
+        tags: ${{ inputs.test-image }}
+        pull: true
+        push: true
+      if: steps.check-image.outcome == 'failure'
+
     - name: Run Smoke Tests
       run: |
         touch tests-${{ steps.k8s.outputs.cluster }}.html
         docker run --rm \
         --name test-runner-${{ github.run_id }} \
         --network=kind \
-        -v ${{ github.workspace }}/tests/tests-${{ steps.k8s.outputs.cluster }}.html:/workspace/tests/tests-${{ steps.k8s.outputs.cluster }}.html \
-        -v ~/.kube/kind/config:/root/.kube/config test-runner:${{ github.sha }} \
+        -v ${{ github.workspace }}/tests:/workspace/tests \
+        -v ~/.kube/kind/config:/root/.kube/config ${{ inputs.test-image }} \
         --context=kind-${{ github.run_id }} \
         --image=docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }} \
         --image-pull-policy=Never \

@@ -0,0 +1,59 @@
+name: Build Test Image
+
+on:
+  workflow_dispatch:
+    inputs:
+      force:
+        description: "Force rebuild of test image"
+        required: false
+        default: "false"
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ${{ github.ref_name }}-ci
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  build:
+    name: Build test image
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@f6de81663f7788d05bd15bcce18f0e57f23f0846 # v2.0.1
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Build Test-Runner Container
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          file: tests/Dockerfile
+          context: "."
+          cache-from: type=gha,scope=test-runner
+          tags: |
+            gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') }}
+            gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:latest
+          pull: true
+          push: true
@@ -345,6 +345,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }}
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout Repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -359,8 +362,11 @@ jobs:
           nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}
           nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}
           azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }}
+          gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }}
           rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }}
           go-md5: ${{ needs.checks.outputs.go_code_md5 }}
+          test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}"
 
       - name: Upload Test Results
         uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0