Skip to content

[cherry-pick] chore(deps): bump the actions group across 1 directory … #797

[cherry-pick] chore(deps): bump the actions group across 1 directory …

[cherry-pick] chore(deps): bump the actions group across 1 directory … #797

name: Image Promotion
# This workflow will:
# - build images for forked workflows
# - tag stable for forked workflows
# - tag edge for main workflows
# - tag release branch name for release branch workflows
# - release edge images & helm charts for edge
# - run Trivy & dockerscout scans for main & release branch images
# & upload results to Github security & Github Artifacts
on:
push:
branches:
- main
- release-*
workflow_call:
defaults:
run:
shell: bash
concurrency:
group: ${{ github.ref_name }}-image-promotion
cancel-in-progress: true
permissions:
contents: read
jobs:
checks:
name: Checks and variables
runs-on: ubuntu-24.04
permissions:
contents: read
id-token: write
outputs:
go_path: ${{ steps.vars.outputs.go_path }}
go_code_md5: ${{ steps.vars.outputs.go_code_md5 }}
binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
chart_version: ${{ steps.vars.outputs.chart_version }}
ic_version: ${{ steps.vars.outputs.ic_version }}
docker_md5: ${{ steps.vars.outputs.docker_md5 }}
build_tag: ${{ steps.vars.outputs.build_tag }}
stable_tag: ${{ steps.vars.outputs.stable_tag }}
stable_image_exists: ${{ steps.stable_exists.outputs.exists }}
image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }}
image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }}
image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }}
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Golang Environment
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: Set Variables
id: vars
run: |
echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT
source .github/data/version.txt
echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT
./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT
./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT
./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT
./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT
echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json | jq -c)" >> $GITHUB_OUTPUT
echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json | jq -c)" >> $GITHUB_OUTPUT
echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT
- name: Fetch Cached Binary Artifacts
id: binary-cache
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }}
lookup-only: true
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Check if stable image exists
id: stable_exists
run: |
if docker pull gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:${{ steps.vars.outputs.stable_tag }}; then
echo "exists=true" >> $GITHUB_OUTPUT
fi
- name: Output variables
run: |
echo go_code_md5: ${{ steps.vars.outputs.go_code_md5 }}
echo go_path: ${{ steps.vars.outputs.go_path }}
echo binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
echo chart_version: ${{ steps.vars.outputs.chart_version }}
echo ic_version: ${{ steps.vars.outputs.ic_version }}
echo docker_md5: ${{ steps.vars.outputs.docker_md5 }}
echo build_tag: ${{ steps.vars.outputs.build_tag }}
echo stable_tag: ${{ steps.vars.outputs.stable_tag }}
echo stable_image_exists: ${{ steps.stable_exists.outputs.exists }}
govulncheck:
name: Run govulncheck
runs-on: ubuntu-24.04
permissions:
contents: read
security-events: write
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Golang Environment
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
- name: govulncheck
uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
with:
output-format: sarif
output-file: govulncheck.sarif
- name: Check SARIF file
id: check-sarif
run: |
if [ -s govulncheck.sarif ] && grep -q '"results":' govulncheck.sarif; then
echo "sarif_has_results=true" >> $GITHUB_OUTPUT
else
echo "sarif_has_results=false" >> $GITHUB_OUTPUT
fi
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
if: steps.check-sarif.outputs.sarif_has_results == 'true'
with:
sarif_file: govulncheck.sarif
binaries:
name: Build Binaries
runs-on: ubuntu-24.04
needs: [checks]
permissions:
contents: read
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Golang Environment
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
- name: Build binaries
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
version: latest
args: build --snapshot --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOPATH: ${{ needs.checks.outputs.go_path }}
AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
GORELEASER_CURRENT_TAG: "v${{ needs.checks.outputs.ic_version }}"
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
- name: Store Artifacts in Cache
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }}
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
build-docker:
if: ${{ needs.checks.outputs.stable_image_exists != 'true' }}
name: Build Docker OSS
needs: [checks, binaries]
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
uses: ./.github/workflows/build-oss.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
authenticated: true
tag: ${{ needs.checks.outputs.build_tag }}
branch: ${{ github.ref }}
ic-version: ${{ needs.checks.outputs.ic_version }}
permissions:
contents: read
actions: read
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit
build-docker-plus:
if: ${{ needs.checks.outputs.stable_image_exists != 'true' }}
name: Build Docker Plus
needs: [checks, binaries]
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
uses: ./.github/workflows/build-plus.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
authenticated: true
tag: ${{ needs.checks.outputs.build_tag }}
branch: ${{ github.ref }}
ic-version: ${{ needs.checks.outputs.ic_version }}
permissions:
contents: read
actions: read
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit
build-docker-nap:
if: ${{ needs.checks.outputs.stable_image_exists != 'true' }}
name: Build Docker NAP
needs: [checks, binaries]
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
uses: ./.github/workflows/build-plus.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
nap-modules: ${{ matrix.nap_modules }}
authenticated: true
tag: ${{ needs.checks.outputs.build_tag }}
branch: ${{ github.ref }}
ic-version: ${{ needs.checks.outputs.ic_version }}
permissions:
contents: read
actions: read
security-events: write
id-token: write
packages: write
pull-requests: write # for scout report
secrets: inherit
tag-stable:
if: ${{ needs.checks.outputs.stable_image_exists != 'true' }}
name: Tag build image as stable
needs: [checks, build-docker, build-docker-plus, build-docker-nap]
permissions:
contents: read # To checkout repository
id-token: write # To sign into Google Container Registry
uses: ./.github/workflows/retag-images.yml
with:
source_tag: ${{ needs.checks.outputs.build_tag }}
target_tag: ${{ needs.checks.outputs.stable_tag }}
dry_run: false
secrets: inherit
tag-candidate:
# pushes edge or release images to gcr/dev
# for main: this keeps a copy of edge in gcr/dev
# for release-*: this stages a release candidate in gcr/dev which can be used for release promotion
name: Tag tested image as stable
needs:
- checks
- build-docker
- build-docker-plus
- build-docker-nap
- tag-stable
permissions:
contents: read # To checkout repository
id-token: write # To sign into Google Container Registry
uses: ./.github/workflows/retag-images.yml
with:
source_tag: ${{ needs.checks.outputs.stable_tag }}
target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
dry_run: false
secrets: inherit
if: ${{ !cancelled() && !failure() }}
release-oss:
# pushes edge images to docker hub
if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
name: Release Docker OSS
needs: [checks, build-docker]
uses: ./.github/workflows/oss-release.yml
with:
gcr_release_registry: false
ecr_public_registry: true
dockerhub_public_registry: true
quay_public_registry: true
github_public_registry: true
source_tag: ${{ needs.checks.outputs.stable_tag }}
target_tag: "edge"
branch: ${{ github.ref_name }}
dry_run: false
permissions:
contents: read
id-token: write
packages: write
secrets: inherit
release-plus:
# pushes plus edge images to nginx registry
if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
name: Release Docker Plus
needs: [checks, build-docker-plus, build-docker-nap]
uses: ./.github/workflows/plus-release.yml
with:
nginx_registry: true
gcr_release_registry: false
gcr_mktpl_registry: false
ecr_mktpl_registry: false
az_mktpl_registry: false
source_tag: ${{ needs.checks.outputs.stable_tag }}
target_tag: "edge"
branch: ${{ github.ref_name }}
dry_run: false
permissions:
contents: read
id-token: write
secrets: inherit
publish-helm-chart:
if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
name: Publish Helm Chart
needs: [checks]
uses: ./.github/workflows/publish-helm.yml
with:
branch: ${{ github.ref_name }}
ic_version: edge
chart_version: 0.0.0-edge
nginx_helm_repo: false
permissions:
contents: write # for pushing to Helm Charts repository
packages: write # for helm to push to GHCR
secrets: inherit
certify-openshift-images:
if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
name: Certify OpenShift UBI images
runs-on: ubuntu-24.04
needs: [release-oss]
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Certify UBI OSS images in quay
uses: ./.github/actions/certify-openshift-image
continue-on-error: true
with:
image: quay.io/nginx/nginx-ingress:edge-ubi
project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
scan-docker-oss:
name: Scan ${{ matrix.image }}-${{ matrix.target }}
runs-on: ubuntu-24.04
needs: [checks]
permissions:
contents: read
id-token: write
security-events: write
if: ${{ !cancelled() && !failure() }}
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Make directory for security scan results
id: directory
run: |
directory=${{ matrix.image }}-${{ matrix.target }}-results
echo "directory=${directory}" >> $GITHUB_OUTPUT
mkdir -p "${directory}"
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
context: workflow
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
flavor: |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}
tags: |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
# - name: Run Trivy vulnerability scanner
# uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
# continue-on-error: true
# with:
# image-ref: ${{ steps.meta.outputs.tags }}
# format: "sarif"
# output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
# ignore-unfixed: "true"
- name: DockerHub Login for Docker Scout
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@6ac950eb733f8b2811f25c05d97bfb3d181b8026 # v1.15.1
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
- name: Upload Scan Results to Github Artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
path: "${{ steps.directory.outputs.directory }}/"
overwrite: true
- name: Upload Scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
with:
sarif_file: "${{ steps.directory.outputs.directory }}/"
scan-docker-plus:
name: Scan ${{ matrix.image }}-${{ matrix.target }}
runs-on: ubuntu-24.04
needs: [checks]
permissions:
contents: read
id-token: write
security-events: write
if: ${{ !cancelled() && !failure() }}
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Make directory for security scan results
id: directory
run: |
directory=${{ matrix.image }}-${{ matrix.target }}-results
echo "directory=${directory}" >> $GITHUB_OUTPUT
mkdir -p "${directory}"
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
context: workflow
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
flavor: |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
tags: |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
# - name: Run Trivy vulnerability scanner
# uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
# continue-on-error: true
# with:
# image-ref: ${{ steps.meta.outputs.tags }}
# format: "sarif"
# output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
# ignore-unfixed: "true"
- name: DockerHub Login for Docker Scout
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@6ac950eb733f8b2811f25c05d97bfb3d181b8026 # v1.15.1
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
- name: Upload Scan Results to Github Artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
path: "${{ steps.directory.outputs.directory }}/"
overwrite: true
- name: Upload Scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
with:
sarif_file: "${{ steps.directory.outputs.directory }}/"
scan-docker-nap:
name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }}
runs-on: ubuntu-24.04
needs: [checks]
permissions:
contents: read
id-token: write
security-events: write
if: ${{ !cancelled() && !failure() }}
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: NAP modules
id: nap_modules
run: |
[[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || name="${{ matrix.nap_modules }}"
echo "name=${name}" >> $GITHUB_OUTPUT
if: ${{ matrix.nap_modules != '' }}
- name: Make directory for security scan results
id: directory
run: |
directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results
echo "directory=${directory}" >> $GITHUB_OUTPUT
mkdir -p "${directory}"
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
context: workflow
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
flavor: |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
tags: |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
# - name: Run Trivy vulnerability scanner
# uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
# continue-on-error: true
# with:
# image-ref: ${{ steps.meta.outputs.tags }}
# format: "sarif"
# output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
# ignore-unfixed: "true"
- name: DockerHub Login for Docker Scout
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@6ac950eb733f8b2811f25c05d97bfb3d181b8026 # v1.15.1
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true
- name: Upload Scan Results to Github Artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
path: "${{ steps.directory.outputs.directory }}/"
overwrite: true
- name: Upload Scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
with:
sarif_file: "${{ steps.directory.outputs.directory }}/"
update-release-draft:
name: Update Release Draft
runs-on: ubuntu-24.04
needs: [checks]
permissions:
contents: write
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Create/Update Draft
uses: lucacome/draft-release@5d29432a46bff6c122cd4b07a1fb94e1bb158d34 # v1.1.1
id: release-notes
with:
minor-label: "enhancement"
major-label: "change"
publish: false
collapse-after: 50
variables: |
helm-chart=${{ needs.checks.outputs.chart_version }}
notes-footer: |
## Upgrade
- For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking), [Azure Marketplace](https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/category/containers?page=1&search=f5&subcategories=container-apps) or build your own image using the {{version}} source code.
- For Helm, use version {{helm-chart}} of the chart.
## Resources
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart
- Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator
if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }}