Bump nginx from 1.25.2-alpine to 1.25.3-alpine in /build #9942
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
- release-* | |
tags: | |
- "v[0-9]+.[0-9]+.[0-9]+" | |
pull_request: | |
branches: | |
- main | |
- release-* | |
schedule: | |
- cron: "0 4 * * *" # run every day at 04:00 UTC | |
defaults: | |
run: | |
shell: bash | |
concurrency: | |
group: ${{ github.ref_name }}-ci | |
cancel-in-progress: true | |
permissions: | |
contents: read | |
jobs: | |
checks: | |
name: Checks and variables | |
runs-on: ubuntu-22.04 | |
outputs: | |
go_path: ${{ steps.vars.outputs.go_path }} | |
k8s_latest: ${{ steps.vars.outputs.k8s_latest }} | |
chart_version: ${{ steps.vars.outputs.chart_version }} | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Setup Golang Environment | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Output Variables | |
id: vars | |
run: | | |
echo "k8s_latest=$(grep -m1 'FROM kindest/node' <tests/Dockerfile | awk -F'[:v]' '{print $3}')" >> $GITHUB_OUTPUT | |
echo "chart_version=$(yq '.version' <charts/nginx-ingress/Chart.yaml)" >> $GITHUB_OUTPUT | |
echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT | |
- name: Check if go.mod and go.sum are up to date | |
run: go mod tidy && git diff --exit-code -- go.mod go.sum | |
- name: Check if CRDs changed | |
run: make update-crds && git diff --name-only --exit-code config/crd/bases | |
- name: Check if Codegen changed | |
run: | | |
cd ../.. && mkdir -p github.com/nginxinc && mv kubernetes-ingress/kubernetes-ingress github.com/nginxinc/ && cd github.com/nginxinc/kubernetes-ingress | |
make update-codegen && git diff --name-only --exit-code pkg/** | |
cd ../../.. && mv github.com/nginxinc/kubernetes-ingress kubernetes-ingress/kubernetes-ingress | |
unit-tests: | |
name: Unit Tests | |
runs-on: ubuntu-22.04 | |
needs: checks | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Setup Golang Environment | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Run Tests | |
run: make cover | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 | |
with: | |
files: ./coverage.txt | |
binaries: | |
name: Build Binaries | |
runs-on: ubuntu-22.04 | |
needs: [checks, unit-tests] | |
outputs: | |
release-url: ${{ steps.release-notes.outputs.release-url }} | |
permissions: | |
contents: write # for lucacome/draft-release and goreleaser/goreleaser-action to manage releases | |
id-token: write # for goreleaser/goreleaser-action to sign artifacts | |
issues: write # for goreleaser/goreleaser-action to close milestone | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 | |
- name: Setup Golang Environment | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
with: | |
go-version-file: go.mod | |
- name: Download Syft | |
uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 | |
if: github.ref_type == 'tag' | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
if: github.ref_type == 'tag' | |
- name: Create/Update Draft | |
uses: lucacome/draft-release@785af55296512c907875513e397320ae3f1306bb # v1.0.1 | |
id: release-notes | |
with: | |
minor-label: "enhancement" | |
major-label: "change" | |
publish: ${{ github.ref_type == 'tag' }} | |
collapse-after: 50 | |
variables: | | |
helm-chart=${{ needs.checks.outputs.chart_version }} | |
notes-footer: | | |
## Upgrade | |
- For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). | |
- For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking) or build your own image using the {{version}} source code. | |
- For Helm, use version {{helm-chart}} of the chart. | |
## Resources | |
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/ | |
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples | |
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/charts/nginx-ingress | |
- Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator | |
if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }} | |
- name: Build binaries | |
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 | |
with: | |
version: latest | |
args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} ${{ github.event_name == 'pull_request' && '--single-target' || '' }} --clean | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GOPATH: ${{ needs.checks.outputs.go_path }} | |
AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }} | |
AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }} | |
AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }} | |
AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }} | |
AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }} | |
AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }} | |
AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }} | |
AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }} | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_COMMUNITY }} | |
AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }} | |
AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }} | |
AZURE_BUCKET_NAME: ${{ secrets.AZURE_BUCKET_NAME }} | |
- name: Store Artifacts in Cache | |
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | |
with: | |
path: ${{ github.workspace }}/dist | |
key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} | |
helm-tests: | |
name: Helm Tests | |
runs-on: ubuntu-22.04 | |
needs: [checks, binaries] | |
strategy: | |
matrix: | |
include: | |
- image: debian | |
type: oss | |
- image: debian-plus | |
type: plus | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Fetch Cached Artifacts | |
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | |
with: | |
path: ${{ github.workspace }}/dist | |
key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} | |
- name: Docker Buildx | |
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
- name: Build Docker Image ${{ matrix.image }} | |
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | |
with: | |
file: build/Dockerfile | |
context: "." | |
cache-from: type=gha,scope=${{ matrix.image }} | |
target: goreleaser | |
tags: ${{ matrix.type }}:${{ github.sha }} | |
pull: true | |
load: true | |
build-args: | | |
BUILD_OS=${{ matrix.image }} | |
IC_VERSION=CI | |
secrets: | | |
${{ contains(matrix.type, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} | |
${{ contains(matrix.type, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} | |
- name: Deploy Kubernetes | |
id: k8s | |
run: | | |
kind create cluster --name ${{ github.run_id }} --image=kindest/node:v${{ needs.checks.outputs.k8s_latest }} --wait 75s | |
kind load docker-image ${{ matrix.type }}:${{ github.sha }} --name ${{ github.run_id }} | |
- name: Install Chart | |
run: > | |
helm install | |
${{ matrix.type }} | |
. | |
--set controller.image.repository=${{ matrix.type }} | |
--set controller.image.tag=${{ github.sha }} | |
--set controller.service.type=NodePort | |
--set controller.nginxplus=${{ contains(matrix.type, 'plus') && 'true' || 'false' }} | |
--wait | |
working-directory: ${{ github.workspace }}/charts/nginx-ingress | |
- name: Expose Test Ingresses | |
run: | | |
kubectl port-forward service/${{ matrix.type }}-nginx-ingress-controller 8080:80 8443:443 & | |
- name: Test HTTP | |
run: | | |
counter=0 | |
max_attempts=5 | |
until [ $(curl --write-out %{http_code} -s --output /dev/null http://localhost:8080) -eq 404 ]; do | |
if [ ${counter} -eq ${max_attempts} ]; then | |
exit 1 | |
fi | |
printf '.'; counter=$(($counter+1)); sleep 5; | |
done | |
- name: Test HTTPS | |
run: | | |
counter=0 | |
max_attempts=5 | |
until [ $(curl --write-out %{http_code} -ks --output /dev/null https://localhost:8443) -eq 000 ]; do | |
if [ ${counter} -eq ${max_attempts} ]; then | |
exit 1 | |
fi | |
printf '.'; counter=$(($counter+1)); sleep 5; | |
done | |
setup-matrix: | |
name: Setup Matrix for Smoke Tests | |
runs-on: ubuntu-22.04 | |
needs: [checks, binaries] | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
steps: | |
- id: set-matrix | |
run: | | |
if [ "${{ github.event_name }}" != "schedule" ]; then | |
echo "matrix={\"images\": \ | |
[{\"image\": \"debian\", \"marker\": \"ingresses\"}, \ | |
{\"image\": \"alpine\", \"marker\":\"vsr\"}, \ | |
{\"image\": \"alpine\", \"marker\":\"policies\"}, \ | |
{\"image\": \"debian\", \"marker\": \"vs\"}, \ | |
{\"image\": \"ubi\", \"marker\": \"ts\"}, \ | |
{\"image\": \"debian-plus\", \"marker\": \"vs\"}, \ | |
{\"image\": \"debian-plus\", \"marker\": \"ts\"}, \ | |
{\"image\": \"alpine-plus\", \"marker\":\"ingresses\"}, \ | |
{\"image\": \"alpine-plus\", \"marker\": \"vsr\"}, \ | |
{\"image\": \"ubi-plus\", \"marker\": \"policies\"}, \ | |
{\"image\": \"debian-plus-nap\", \"marker\": \"appprotect\"}, \ | |
{\"image\": \"debian-plus-nap\", \"marker\": \"dos\"}], \ | |
\"k8s\": [\"${{ needs.checks.outputs.k8s_latest }}\"]}" >> $GITHUB_OUTPUT | |
else | |
echo "matrix={\"k8s\": [\"1.22.17\", \"1.23.17\", \"1.24.15\", \"1.25.11\", \"1.26.6\", \"1.27.3\", \"${{ needs.checks.outputs.k8s_latest }}\"], \ | |
\"images\": [{\"image\": \"debian\"}, {\"image\": \"debian-plus\"}]}" >> $GITHUB_OUTPUT | |
fi | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Docker Buildx | |
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
- name: Build Test-Runner Container | |
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | |
with: | |
file: tests/Dockerfile | |
context: "." | |
cache-from: type=gha,scope=test-runner | |
cache-to: type=gha,scope=test-runner,mode=max | |
tags: test-runner:${{ github.sha }} | |
pull: true | |
load: true | |
smoke-tests: | |
name: Smoke Tests | |
runs-on: ubuntu-22.04 | |
needs: setup-matrix | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }} | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Run Smoke Tests | |
id: smoke-tests | |
uses: ./.github/actions/smoke-tests | |
with: | |
image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }} | |
marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} | |
k8s-version: ${{ matrix.k8s }} | |
nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} | |
nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} | |
azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} | |
- name: Upload Test Results | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: ${{ steps.smoke-tests.outputs.test-results-name }} | |
path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html | |
if: always() | |
build-docker: | |
name: Build Docker OSS | |
needs: smoke-tests | |
strategy: | |
fail-fast: false | |
matrix: | |
image: [debian, alpine] | |
platforms: | |
["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] | |
include: | |
- image: ubi | |
platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" | |
uses: ./.github/workflows/build-oss.yml | |
with: | |
platforms: ${{ matrix.platforms }} | |
image: ${{ matrix.image }} | |
permissions: | |
contents: read | |
actions: read | |
security-events: write | |
id-token: write | |
packages: write | |
secrets: inherit | |
build-docker-plus: | |
name: Build Docker Plus | |
needs: [binaries, build-docker] | |
strategy: | |
fail-fast: false | |
matrix: | |
image: [debian-plus, alpine-plus, alpine-plus-fips] | |
platforms: ["linux/arm64, linux/amd64"] | |
target: [goreleaser, aws] | |
include: | |
- image: ubi-plus | |
platforms: "linux/arm64, linux/amd64, linux/s390x" | |
target: goreleaser | |
uses: ./.github/workflows/build-plus.yml | |
with: | |
platforms: ${{ matrix.platforms }} | |
image: ${{ matrix.image }} | |
target: ${{ matrix.target }} | |
release-url: ${{ needs.binaries.outputs.release-url }} | |
permissions: | |
contents: read | |
security-events: write | |
id-token: write | |
secrets: inherit | |
build-docker-nap: | |
name: Build Docker NAP | |
needs: [binaries, build-docker-plus] | |
strategy: | |
fail-fast: false | |
matrix: | |
image: [debian-plus-nap, ubi-plus-nap] | |
platforms: ["linux/amd64"] | |
target: [goreleaser, aws] | |
nap_modules: [dos, waf, "waf,dos"] | |
uses: ./.github/workflows/build-plus.yml | |
with: | |
platforms: ${{ matrix.platforms }} | |
image: ${{ matrix.image }} | |
target: ${{ matrix.target }} | |
nap_modules: ${{ matrix.nap_modules }} | |
release-url: ${{ needs.binaries.outputs.release-url }} | |
permissions: | |
contents: read | |
security-events: write | |
id-token: write | |
secrets: inherit | |
publish-helm: | |
name: Package and Publish Helm Chart | |
runs-on: ubuntu-22.04 | |
needs: [checks, helm-tests] | |
if: ${{ github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-') }} | |
permissions: | |
contents: write # for pushing to Helm Charts repository | |
packages: write # for helm to push to GHCR | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
path: kic | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: DockerHub Login | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Package | |
id: package | |
run: | | |
output=$(helm package ${{ github.ref_type != 'tag' && '--app-version edge --version 0.0.0-edge' || '' }} kic/charts/nginx-ingress) | |
echo "path=$(basename -- $(echo $output | cut -d: -f2))" >> $GITHUB_OUTPUT | |
- name: Push to OCI registries | |
run: | | |
helm push ${{ steps.package.outputs.path }} oci://ghcr.io/nginxinc/charts | |
helm push ${{ steps.package.outputs.path }} oci://registry-1.docker.io/nginxcharts | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
repository: nginxinc/helm-charts | |
fetch-depth: 1 | |
token: ${{ secrets.NGINX_PAT }} | |
path: helm-charts | |
if: github.ref_type == 'tag' | |
- name: Push Helm Chart to Helm Charts Repository | |
run: | | |
mv ${{ steps.package.outputs.path }} ${{ github.workspace }}/helm-charts/stable/ | |
cd ${{ github.workspace }}/helm-charts | |
helm repo index stable --url https://helm.nginx.com/stable | |
git add -A | |
git -c user.name='NGINX Kubernetes Team' -c user.email='[email protected]' \ | |
commit -m "NGINX Ingress Controller - Release ${{ needs.checks.outputs.chart_version }}" | |
git push -u origin master | |
if: github.ref_type == 'tag' | |
operator: | |
name: Trigger PR for Operator | |
runs-on: ubuntu-22.04 | |
needs: [checks, publish-helm] | |
steps: | |
- name: | |
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 | |
with: | |
github-token: ${{ secrets.NGINX_PAT }} | |
script: | | |
await github.rest.actions.createWorkflowDispatch({ | |
owner: context.repo.owner, | |
repo: 'nginx-ingress-helm-operator', | |
workflow_id: 'sync-chart.yml', | |
ref: 'main', | |
inputs: { | |
chart_version: '${{ needs.checks.outputs.chart_version }}' | |
}, | |
}) | |
if: github.ref_type == 'tag' |