Bump the actions group across 1 directory with 12 updates (#5798) #17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Image Promotion | |
| # This workflow will: | |
| # - build images for forked workflows | |
| # - tag stable for forked workflows | |
| # - tag edge for main workflows | |
| # - tag release branch name for release branch workflows | |
| # - release edge images & helm charts for edge | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release-* | |
| workflow_call: | |
| defaults: | |
| run: | |
| shell: bash | |
| concurrency: | |
| group: ${{ github.ref_name }}-image-promotion | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| checks: | |
| name: Checks and variables | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| id-token: write | |
| outputs: | |
| go_path: ${{ steps.vars.outputs.go_path }} | |
| go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} | |
| binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} | |
| chart_version: ${{ steps.vars.outputs.chart_version }} | |
| ic_version: ${{ steps.vars.outputs.ic_version }} | |
| docker_md5: ${{ steps.vars.outputs.docker_md5 }} | |
| build_tag: ${{ steps.vars.outputs.build_tag }} | |
| stable_tag: ${{ steps.vars.outputs.stable_tag }} | |
| stable_image_exists: ${{ steps.stable_exists.outputs.exists }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Setup Golang Environment | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
| with: | |
| go-version-file: go.mod | |
| - name: Set Variables | |
| id: vars | |
| run: | | |
| echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT | |
| source .github/data/version.txt | |
| echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT | |
| echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT | |
| ./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT | |
| ./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT | |
| ./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT | |
| ./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT | |
| - name: Fetch Cached Binary Artifacts | |
| id: binary-cache | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: ${{ github.workspace }}/dist | |
| key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }} | |
| lookup-only: true | |
| - name: Authenticate to Google Cloud | |
| id: auth | |
| uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 | |
| with: | |
| token_format: access_token | |
| workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} | |
| service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} | |
| - name: Login to GCR | |
| uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 | |
| with: | |
| registry: gcr.io | |
| username: oauth2accesstoken | |
| password: ${{ steps.auth.outputs.access_token }} | |
| - name: Check if stable image exists | |
| id: stable_exists | |
| run: | | |
| if docker pull gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:${{ steps.vars.outputs.stable_tag }}; then | |
| echo "exists=true" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Output variables | |
| run: | | |
| echo go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} | |
| echo go_path: ${{ steps.vars.outputs.go_path }} | |
| echo binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} | |
| echo chart_version: ${{ steps.vars.outputs.chart_version }} | |
| echo ic_version: ${{ steps.vars.outputs.ic_version }} | |
| echo docker_md5: ${{ steps.vars.outputs.docker_md5 }} | |
| echo build_tag: ${{ steps.vars.outputs.build_tag }} | |
| echo stable_tag: ${{ steps.vars.outputs.stable_tag }} | |
| echo stable_image_exists: ${{ steps.stable_exists.outputs.exists }} | |
| binaries: | |
| name: Build Binaries | |
| runs-on: ubuntu-22.04 | |
| needs: [checks] | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Setup Golang Environment | |
| uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
| with: | |
| go-version-file: go.mod | |
| if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} | |
| - name: Build binaries | |
| uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 | |
| with: | |
| version: latest | |
| args: build --snapshot --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GOPATH: ${{ needs.checks.outputs.go_path }} | |
| AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }} | |
| AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }} | |
| AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }} | |
| AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }} | |
| AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }} | |
| AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }} | |
| AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }} | |
| AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }} | |
| GORELEASER_CURRENT_TAG: "v${{ needs.checks.outputs.ic_version }}" | |
| if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} | |
| - name: Store Artifacts in Cache | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: ${{ github.workspace }}/dist | |
| key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }} | |
| if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} | |
| build-docker: | |
| if: ${{ needs.checks.outputs.stable_image_exists != 'true' }} | |
| name: Build Docker OSS | |
| needs: [checks, binaries] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: [debian, alpine] | |
| platforms: | |
| ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] | |
| include: | |
| - image: ubi | |
| platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" | |
| uses: ./.github/workflows/build-oss.yml | |
| with: | |
| platforms: ${{ matrix.platforms }} | |
| image: ${{ matrix.image }} | |
| go-md5: ${{ needs.checks.outputs.go_code_md5 }} | |
| base-image-md5: ${{ needs.checks.outputs.docker_md5 }} | |
| authenticated: true | |
| tag: ${{ needs.checks.outputs.build_tag }} | |
| branch: ${{ github.ref }} | |
| permissions: | |
| contents: read | |
| actions: read | |
| security-events: write | |
| id-token: write | |
| packages: write | |
| pull-requests: write # for scout report | |
| secrets: inherit | |
| build-docker-plus: | |
| if: ${{ needs.checks.outputs.stable_image_exists != 'true' }} | |
| name: Build Docker Plus | |
| needs: [checks, binaries] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: [debian-plus, alpine-plus, alpine-plus-fips] | |
| platforms: ["linux/arm64, linux/amd64"] | |
| target: [goreleaser, aws] | |
| include: | |
| - image: ubi-plus | |
| platforms: "linux/arm64, linux/amd64, linux/s390x" | |
| target: goreleaser | |
| uses: ./.github/workflows/build-plus.yml | |
| with: | |
| platforms: ${{ matrix.platforms }} | |
| image: ${{ matrix.image }} | |
| target: ${{ matrix.target }} | |
| go-md5: ${{ needs.checks.outputs.go_code_md5 }} | |
| base-image-md5: ${{ needs.checks.outputs.docker_md5 }} | |
| authenticated: true | |
| tag: ${{ needs.checks.outputs.build_tag }} | |
| branch: ${{ github.ref }} | |
| permissions: | |
| contents: read | |
| actions: read | |
| security-events: write | |
| id-token: write | |
| packages: write | |
| pull-requests: write # for scout report | |
| secrets: inherit | |
| build-docker-nap: | |
| if: ${{ needs.checks.outputs.stable_image_exists != 'true' }} | |
| name: Build Docker NAP | |
| needs: [checks, binaries] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: [debian-plus-nap] | |
| platforms: ["linux/amd64"] | |
| target: [goreleaser, aws] | |
| nap_modules: [dos, waf, "waf,dos"] | |
| include: | |
| - image: ubi-9-plus-nap | |
| target: goreleaser | |
| platforms: "linux/amd64" | |
| nap_modules: waf | |
| - image: ubi-8-plus-nap | |
| target: goreleaser | |
| platforms: "linux/amd64" | |
| nap_modules: dos | |
| - image: ubi-8-plus-nap | |
| target: goreleaser | |
| platforms: "linux/amd64" | |
| nap_modules: "waf,dos" | |
| - image: ubi-9-plus-nap | |
| target: aws | |
| platforms: "linux/amd64" | |
| nap_modules: waf | |
| - image: ubi-8-plus-nap | |
| target: aws | |
| platforms: "linux/amd64" | |
| nap_modules: dos | |
| - image: ubi-8-plus-nap | |
| target: aws | |
| platforms: "linux/amd64" | |
| nap_modules: "waf,dos" | |
| - image: alpine-plus-nap-fips | |
| target: goreleaser | |
| platforms: "linux/amd64" | |
| nap_modules: waf | |
| - image: alpine-plus-nap-v5-fips | |
| target: goreleaser | |
| platforms: "linux/amd64" | |
| nap_modules: waf | |
| - image: debian-plus-nap-v5 | |
| target: goreleaser | |
| platforms: "linux/amd64" | |
| nap_modules: waf | |
| - image: ubi-9-plus-nap-v5 | |
| target: goreleaser | |
| platforms: "linux/amd64" | |
| nap_modules: waf | |
| - image: ubi-8-plus-nap-v5 | |
| target: goreleaser | |
| platforms: "linux/amd64" | |
| nap_modules: waf | |
| uses: ./.github/workflows/build-plus.yml | |
| with: | |
| platforms: ${{ matrix.platforms }} | |
| image: ${{ matrix.image }} | |
| target: ${{ matrix.target }} | |
| go-md5: ${{ needs.checks.outputs.go_code_md5 }} | |
| base-image-md5: ${{ needs.checks.outputs.docker_md5 }} | |
| nap-modules: ${{ matrix.nap_modules }} | |
| authenticated: true | |
| tag: ${{ needs.checks.outputs.build_tag }} | |
| branch: ${{ github.ref }} | |
| permissions: | |
| contents: read | |
| actions: read | |
| security-events: write | |
| id-token: write | |
| packages: write | |
| pull-requests: write # for scout report | |
| secrets: inherit | |
| tag-stable: | |
| if: ${{ needs.checks.outputs.stable_image_exists != 'true' }} | |
| name: Tag build image as stable | |
| needs: [checks, build-docker, build-docker-plus, build-docker-nap] | |
| permissions: | |
| contents: read # To checkout repository | |
| id-token: write # To sign into Google Container Registry | |
| uses: ./.github/workflows/retag-images.yml | |
| with: | |
| source_tag: ${{ needs.checks.outputs.build_tag }} | |
| target_tag: ${{ needs.checks.outputs.stable_tag }} | |
| dry_run: false | |
| secrets: inherit | |
| tag-candidate: | |
| # pushes edge or release images to gcr/dev | |
| # for main: this keeps a copy of edge in gcr/dev | |
| # for release-*: this stages a release candidate in gcr/dev which can be used for release promotion | |
| name: Tag tested image as stable | |
| needs: | |
| - checks | |
| - build-docker | |
| - build-docker-plus | |
| - build-docker-nap | |
| - tag-stable | |
| permissions: | |
| contents: read # To checkout repository | |
| id-token: write # To sign into Google Container Registry | |
| uses: ./.github/workflows/retag-images.yml | |
| with: | |
| source_tag: ${{ needs.checks.outputs.stable_tag }} | |
| target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} | |
| dry_run: false | |
| secrets: inherit | |
| if: ${{ !cancelled() && !failure() }} | |
| release-oss: | |
| # pushes edge images to docker hub | |
| if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} | |
| name: Release Docker OSS | |
| needs: [checks, build-docker] | |
| uses: ./.github/workflows/oss-release.yml | |
| with: | |
| gcr_release_registry: false | |
| ecr_public_registry: true | |
| dockerhub_public_registry: true | |
| quay_public_registry: true | |
| github_public_registry: true | |
| source_tag: ${{ needs.checks.outputs.stable_tag }} | |
| target_tag: "edge" | |
| dry_run: false | |
| permissions: | |
| contents: read | |
| id-token: write | |
| packages: write | |
| secrets: inherit | |
| release-plus: | |
| # pushes plus edge images to nginx registry | |
| if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} | |
| name: Release Docker Plus | |
| needs: [checks, build-docker-plus, build-docker-nap] | |
| uses: ./.github/workflows/plus-release.yml | |
| with: | |
| nginx_registry: true | |
| gcr_release_registry: false | |
| gcr_mktpl_registry: false | |
| ecr_mktpl_registry: false | |
| az_mktpl_registry: false | |
| source_tag: ${{ needs.checks.outputs.stable_tag }} | |
| target_tag: "edge" | |
| dry_run: false | |
| permissions: | |
| contents: read | |
| id-token: write | |
| secrets: inherit | |
| publish-helm-chart: | |
| if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} | |
| name: Publish Helm Chart | |
| needs: [checks] | |
| uses: ./.github/workflows/publish-helm.yml | |
| with: | |
| branch: ${{ github.ref_name }} | |
| ic_version: edge | |
| chart_version: 0.0.0-edge | |
| nginx_helm_repo: false | |
| permissions: | |
| contents: write # for pushing to Helm Charts repository | |
| packages: write # for helm to push to GHCR | |
| secrets: inherit | |
| certify-openshift-images: | |
| if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} | |
| name: Certify OpenShift UBI images | |
| runs-on: ubuntu-22.04 | |
| needs: [release-oss] | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Certify UBI OSS images in quay | |
| uses: ./.github/actions/certify-openshift-image | |
| continue-on-error: true | |
| with: | |
| image: quay.io/nginx/nginx-ingress:edge-ubi | |
| project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} | |
| pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} |