Remove index annotations from AWS marketplace images (#7060) #922
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Image Promotion | |
# This workflow will: | |
# - build images for forked workflows | |
# - tag stable for forked workflows | |
# - tag edge for main workflows | |
# - tag release branch name for release branch workflows | |
# - release edge images & helm charts for edge | |
# - run Trivy & dockerscout scans for main & release branch images | |
# & upload results to Github security & Github Artifacts | |
on: | |
push: | |
branches: | |
- main | |
- release-* | |
workflow_call: | |
defaults: | |
run: | |
shell: bash | |
concurrency: | |
group: ${{ github.ref_name }}-image-promotion | |
cancel-in-progress: true | |
permissions: | |
contents: read | |
jobs: | |
checks: | |
name: Checks and variables | |
runs-on: ubuntu-24.04 | |
permissions: | |
contents: read | |
id-token: write | |
outputs: | |
go_path: ${{ steps.vars.outputs.go_path }} | |
go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} | |
binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} | |
chart_version: ${{ steps.vars.outputs.chart_version }} | |
ic_version: ${{ steps.vars.outputs.ic_version }} | |
docker_md5: ${{ steps.vars.outputs.docker_md5 }} | |
build_tag: ${{ steps.vars.outputs.build_tag }} | |
stable_tag: ${{ steps.vars.outputs.stable_tag }} | |
stable_image_exists: ${{ steps.stable_exists.outputs.exists }} | |
image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }} | |
image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }} | |
image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }} | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Golang Environment | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: go.mod | |
- name: Set Variables | |
id: vars | |
run: | | |
echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT | |
source .github/data/version.txt | |
echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT | |
echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT | |
./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT | |
./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT | |
./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT | |
./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT | |
echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json | jq -c)" >> $GITHUB_OUTPUT | |
echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json | jq -c)" >> $GITHUB_OUTPUT | |
echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT | |
- name: Fetch Cached Binary Artifacts | |
id: binary-cache | |
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: ${{ github.workspace }}/dist | |
key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }} | |
lookup-only: true | |
- name: Authenticate to Google Cloud | |
id: auth | |
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
with: | |
token_format: access_token | |
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} | |
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} | |
- name: Login to GCR | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: gcr.io | |
username: oauth2accesstoken | |
password: ${{ steps.auth.outputs.access_token }} | |
- name: Check if stable image exists | |
id: stable_exists | |
run: | | |
if docker pull gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:${{ steps.vars.outputs.stable_tag }}; then | |
echo "exists=true" >> $GITHUB_OUTPUT | |
fi | |
- name: Output variables | |
run: | | |
echo go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} | |
echo go_path: ${{ steps.vars.outputs.go_path }} | |
echo binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} | |
echo chart_version: ${{ steps.vars.outputs.chart_version }} | |
echo ic_version: ${{ steps.vars.outputs.ic_version }} | |
echo docker_md5: ${{ steps.vars.outputs.docker_md5 }} | |
echo build_tag: ${{ steps.vars.outputs.build_tag }} | |
echo stable_tag: ${{ steps.vars.outputs.stable_tag }} | |
echo stable_image_exists: ${{ steps.stable_exists.outputs.exists }} | |
govulncheck: | |
name: Run govulncheck | |
runs-on: ubuntu-24.04 | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Golang Environment | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: go.mod | |
- name: govulncheck | |
uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 | |
with: | |
output-format: sarif | |
output-file: govulncheck.sarif | |
- name: Check SARIF file | |
id: check-sarif | |
run: | | |
if [ -s govulncheck.sarif ] && grep -q '"results":' govulncheck.sarif; then | |
echo "sarif_has_results=true" >> $GITHUB_OUTPUT | |
else | |
echo "sarif_has_results=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Upload SARIF file | |
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | |
if: steps.check-sarif.outputs.sarif_has_results == 'true' | |
with: | |
sarif_file: govulncheck.sarif | |
binaries: | |
name: Build Binaries | |
runs-on: ubuntu-24.04 | |
needs: [checks] | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Golang Environment | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: go.mod | |
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} | |
- name: Build binaries | |
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0 | |
with: | |
version: latest | |
args: build --snapshot --clean | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GOPATH: ${{ needs.checks.outputs.go_path }} | |
AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }} | |
AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }} | |
AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }} | |
AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }} | |
AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }} | |
AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }} | |
AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }} | |
AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }} | |
GORELEASER_CURRENT_TAG: "v${{ needs.checks.outputs.ic_version }}" | |
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} | |
- name: Store Artifacts in Cache | |
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: ${{ github.workspace }}/dist | |
key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }} | |
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} | |
build-docker: | |
if: ${{ needs.checks.outputs.stable_image_exists != 'true' }} | |
name: Build Docker OSS | |
needs: [checks, binaries] | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} | |
uses: ./.github/workflows/build-oss.yml | |
with: | |
platforms: ${{ matrix.platforms }} | |
image: ${{ matrix.image }} | |
go-md5: ${{ needs.checks.outputs.go_code_md5 }} | |
base-image-md5: ${{ needs.checks.outputs.docker_md5 }} | |
authenticated: true | |
tag: ${{ needs.checks.outputs.build_tag }} | |
branch: ${{ github.ref }} | |
ic-version: ${{ needs.checks.outputs.ic_version }} | |
permissions: | |
contents: read | |
actions: read | |
security-events: write | |
id-token: write | |
packages: write | |
pull-requests: write # for scout report | |
secrets: inherit | |
build-docker-plus: | |
if: ${{ needs.checks.outputs.stable_image_exists != 'true' }} | |
name: Build Docker Plus | |
needs: [checks, binaries] | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} | |
uses: ./.github/workflows/build-plus.yml | |
with: | |
platforms: ${{ matrix.platforms }} | |
image: ${{ matrix.image }} | |
target: ${{ matrix.target }} | |
go-md5: ${{ needs.checks.outputs.go_code_md5 }} | |
base-image-md5: ${{ needs.checks.outputs.docker_md5 }} | |
authenticated: true | |
tag: ${{ needs.checks.outputs.build_tag }} | |
branch: ${{ github.ref }} | |
ic-version: ${{ needs.checks.outputs.ic_version }} | |
permissions: | |
contents: read | |
actions: read | |
security-events: write | |
id-token: write | |
packages: write | |
pull-requests: write # for scout report | |
secrets: inherit | |
build-docker-nap: | |
if: ${{ needs.checks.outputs.stable_image_exists != 'true' }} | |
name: Build Docker NAP | |
needs: [checks, binaries] | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} | |
uses: ./.github/workflows/build-plus.yml | |
with: | |
platforms: ${{ matrix.platforms }} | |
image: ${{ matrix.image }} | |
target: ${{ matrix.target }} | |
go-md5: ${{ needs.checks.outputs.go_code_md5 }} | |
base-image-md5: ${{ needs.checks.outputs.docker_md5 }} | |
nap-modules: ${{ matrix.nap_modules }} | |
authenticated: true | |
tag: ${{ needs.checks.outputs.build_tag }} | |
branch: ${{ github.ref }} | |
ic-version: ${{ needs.checks.outputs.ic_version }} | |
permissions: | |
contents: read | |
actions: read | |
security-events: write | |
id-token: write | |
packages: write | |
pull-requests: write # for scout report | |
secrets: inherit | |
tag-stable: | |
if: ${{ needs.checks.outputs.stable_image_exists != 'true' }} | |
name: Tag build image as stable | |
needs: [checks, build-docker, build-docker-plus, build-docker-nap] | |
permissions: | |
contents: read # To checkout repository | |
id-token: write # To sign into Google Container Registry | |
uses: ./.github/workflows/retag-images.yml | |
with: | |
source_tag: ${{ needs.checks.outputs.build_tag }} | |
target_tag: ${{ needs.checks.outputs.stable_tag }} | |
dry_run: false | |
secrets: inherit | |
tag-candidate: | |
# pushes edge or release images to gcr/dev | |
# for main: this keeps a copy of edge in gcr/dev | |
# for release-*: this stages a release candidate in gcr/dev which can be used for release promotion | |
name: Tag tested image as stable | |
needs: | |
- checks | |
- build-docker | |
- build-docker-plus | |
- build-docker-nap | |
- tag-stable | |
permissions: | |
contents: read # To checkout repository | |
id-token: write # To sign into Google Container Registry | |
uses: ./.github/workflows/retag-images.yml | |
with: | |
source_tag: ${{ needs.checks.outputs.stable_tag }} | |
target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} | |
dry_run: false | |
secrets: inherit | |
if: ${{ !cancelled() && !failure() }} | |
release-oss: | |
# pushes edge images to docker hub | |
if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} | |
name: Release Docker OSS | |
needs: [checks, build-docker] | |
uses: ./.github/workflows/oss-release.yml | |
with: | |
gcr_release_registry: false | |
ecr_public_registry: true | |
dockerhub_public_registry: true | |
quay_public_registry: true | |
github_public_registry: true | |
source_tag: ${{ needs.checks.outputs.stable_tag }} | |
target_tag: "edge" | |
branch: ${{ github.ref_name }} | |
dry_run: false | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
secrets: inherit | |
release-plus: | |
# pushes plus edge images to nginx registry | |
if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} | |
name: Release Docker Plus | |
needs: [checks, build-docker-plus, build-docker-nap] | |
uses: ./.github/workflows/plus-release.yml | |
with: | |
nginx_registry: true | |
gcr_release_registry: false | |
gcr_mktpl_registry: false | |
ecr_mktpl_registry: false | |
az_mktpl_registry: false | |
source_tag: ${{ needs.checks.outputs.stable_tag }} | |
target_tag: "edge" | |
branch: ${{ github.ref_name }} | |
dry_run: false | |
permissions: | |
contents: read | |
id-token: write | |
secrets: inherit | |
publish-helm-chart: | |
if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} | |
name: Publish Helm Chart | |
needs: [checks] | |
uses: ./.github/workflows/publish-helm.yml | |
with: | |
branch: ${{ github.ref_name }} | |
ic_version: edge | |
chart_version: 0.0.0-edge | |
nginx_helm_repo: false | |
permissions: | |
contents: write # for pushing to Helm Charts repository | |
packages: write # for helm to push to GHCR | |
secrets: inherit | |
certify-openshift-images: | |
if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} | |
name: Certify OpenShift UBI images | |
runs-on: ubuntu-24.04 | |
needs: [release-oss] | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Certify UBI OSS images in quay | |
uses: ./.github/actions/certify-openshift-image | |
continue-on-error: true | |
with: | |
image: quay.io/nginx/nginx-ingress:edge-ubi | |
project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} | |
pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} | |
preflight_version: 1.11.1 | |
scan-docker-oss: | |
name: Scan ${{ matrix.image }}-${{ matrix.target }} | |
runs-on: ubuntu-24.04 | |
needs: [checks, tag-candidate] | |
permissions: | |
contents: read | |
id-token: write | |
security-events: write | |
if: ${{ !cancelled() && !failure() }} | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Make directory for security scan results | |
id: directory | |
run: | | |
directory=${{ matrix.image }}-${{ matrix.target }}-results | |
echo "directory=${directory}" >> $GITHUB_OUTPUT | |
mkdir -p "${directory}" | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 | |
with: | |
context: workflow | |
images: | | |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress | |
flavor: | | |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }} | |
tags: | | |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} | |
- name: Authenticate to Google Cloud | |
id: auth | |
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
with: | |
token_format: access_token | |
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} | |
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} | |
- name: Login to GCR | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: gcr.io | |
username: oauth2accesstoken | |
password: ${{ steps.auth.outputs.access_token }} | |
# - name: Run Trivy vulnerability scanner | |
# uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
# continue-on-error: true | |
# with: | |
# image-ref: ${{ steps.meta.outputs.tags }} | |
# format: "sarif" | |
# output: "${{ steps.directory.outputs.directory }}/trivy.sarif" | |
# ignore-unfixed: "true" | |
- name: DockerHub Login for Docker Scout | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Run Docker Scout vulnerability scanner | |
id: docker-scout | |
uses: docker/scout-action@6ac950eb733f8b2811f25c05d97bfb3d181b8026 # v1.15.1 | |
with: | |
command: cves | |
image: ${{ steps.meta.outputs.tags }} | |
ignore-base: true | |
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" | |
write-comment: false | |
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment | |
summary: true | |
- name: Upload Scan Results to Github Artifacts | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
with: | |
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" | |
path: "${{ steps.directory.outputs.directory }}/" | |
overwrite: true | |
- name: Upload Scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | |
with: | |
sarif_file: "${{ steps.directory.outputs.directory }}/" | |
scan-docker-plus: | |
name: Scan ${{ matrix.image }}-${{ matrix.target }} | |
runs-on: ubuntu-24.04 | |
needs: [checks, tag-candidate] | |
permissions: | |
contents: read | |
id-token: write | |
security-events: write | |
if: ${{ !cancelled() && !failure() }} | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Make directory for security scan results | |
id: directory | |
run: | | |
directory=${{ matrix.image }}-${{ matrix.target }}-results | |
echo "directory=${directory}" >> $GITHUB_OUTPUT | |
mkdir -p "${directory}" | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 | |
with: | |
context: workflow | |
images: | | |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress | |
flavor: | | |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} | |
tags: | | |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} | |
- name: Authenticate to Google Cloud | |
id: auth | |
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
with: | |
token_format: access_token | |
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} | |
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} | |
- name: Login to GCR | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: gcr.io | |
username: oauth2accesstoken | |
password: ${{ steps.auth.outputs.access_token }} | |
# - name: Run Trivy vulnerability scanner | |
# uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
# continue-on-error: true | |
# with: | |
# image-ref: ${{ steps.meta.outputs.tags }} | |
# format: "sarif" | |
# output: "${{ steps.directory.outputs.directory }}/trivy.sarif" | |
# ignore-unfixed: "true" | |
- name: DockerHub Login for Docker Scout | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Run Docker Scout vulnerability scanner | |
id: docker-scout | |
uses: docker/scout-action@6ac950eb733f8b2811f25c05d97bfb3d181b8026 # v1.15.1 | |
with: | |
command: cves | |
image: ${{ steps.meta.outputs.tags }} | |
ignore-base: true | |
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" | |
write-comment: false | |
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment | |
summary: true | |
- name: Upload Scan Results to Github Artifacts | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
with: | |
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" | |
path: "${{ steps.directory.outputs.directory }}/" | |
overwrite: true | |
- name: Upload Scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | |
with: | |
sarif_file: "${{ steps.directory.outputs.directory }}/" | |
scan-docker-nap: | |
name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }} | |
runs-on: ubuntu-24.04 | |
needs: [checks, tag-candidate] | |
permissions: | |
contents: read | |
id-token: write | |
security-events: write | |
if: ${{ !cancelled() && !failure() }} | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: NAP modules | |
id: nap_modules | |
run: | | |
[[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}" | |
echo "name=${name}" >> $GITHUB_OUTPUT | |
if: ${{ matrix.nap_modules != '' }} | |
- name: Make directory for security scan results | |
id: directory | |
run: | | |
directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results | |
echo "directory=${directory}" >> $GITHUB_OUTPUT | |
mkdir -p "${directory}" | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 | |
with: | |
context: workflow | |
images: | | |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress | |
flavor: | | |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} | |
tags: | | |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} | |
- name: Authenticate to Google Cloud | |
id: auth | |
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
with: | |
token_format: access_token | |
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} | |
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} | |
- name: Login to GCR | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: gcr.io | |
username: oauth2accesstoken | |
password: ${{ steps.auth.outputs.access_token }} | |
# - name: Run Trivy vulnerability scanner | |
# uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
# continue-on-error: true | |
# with: | |
# image-ref: ${{ steps.meta.outputs.tags }} | |
# format: "sarif" | |
# output: "${{ steps.directory.outputs.directory }}/trivy.sarif" | |
# ignore-unfixed: "true" | |
- name: DockerHub Login for Docker Scout | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Run Docker Scout vulnerability scanner | |
id: docker-scout | |
uses: docker/scout-action@6ac950eb733f8b2811f25c05d97bfb3d181b8026 # v1.15.1 | |
with: | |
command: cves | |
image: ${{ steps.meta.outputs.tags }} | |
ignore-base: true | |
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" | |
write-comment: false | |
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment | |
summary: true | |
- name: Upload Scan Results to Github Artifacts | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
with: | |
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" | |
path: "${{ steps.directory.outputs.directory }}/" | |
overwrite: true | |
- name: Upload Scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | |
with: | |
sarif_file: "${{ steps.directory.outputs.directory }}/" | |
continue-on-error: true | |
update-release-draft: | |
name: Update Release Draft | |
runs-on: ubuntu-24.04 | |
needs: [checks] | |
permissions: | |
contents: write | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Create/Update Draft | |
uses: lucacome/draft-release@5d29432a46bff6c122cd4b07a1fb94e1bb158d34 # v1.1.1 | |
id: release-notes | |
with: | |
minor-label: "enhancement" | |
major-label: "change" | |
publish: false | |
collapse-after: 50 | |
variables: | | |
helm-chart=${{ needs.checks.outputs.chart_version }} | |
notes-footer: | | |
## Upgrade | |
- For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). | |
- For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking), [Azure Marketplace](https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/category/containers?page=1&search=f5&subcategories=container-apps) or build your own image using the {{version}} source code. | |
- For Helm, use version {{helm-chart}} of the chart. | |
## Resources | |
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/ | |
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples | |
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart | |
- Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator | |
if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }} |