From ab4037d0accc162bde5a822f1b8097d55b0e2147 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Tue, 20 Feb 2024 12:20:48 +0000
Subject: [PATCH] add release marketplace flags (#5129)
* extract marketplace publish logic to ci file
* refactor forked workflow logic
---
 .github/actions/smoke-tests/action.yaml | 11 +++--
 .github/workflows/build-oss.yml | 9 ++--
 .github/workflows/build-plus.yml | 41 +++++++++++-------
 .github/workflows/ci.yml | 55 +++++++++++++++----------
 4 files changed, 73 insertions(+), 43 deletions(-)
diff --git a/.github/actions/smoke-tests/action.yaml b/.github/actions/smoke-tests/action.yaml
index 048c42d7bf..a3a538ef11 100644
--- a/.github/actions/smoke-tests/action.yaml
+++ b/.github/actions/smoke-tests/action.yaml
@@ -44,6 +44,9 @@ inputs: gcr-service-account-secret: description: Google Service Account secret required: false + forked-workflow: description: Does this workflow full access to repo resources? + required: false outputs: test-results-name:
@@ -77,7 +80,7 @@ runs: token_format: access_token workload_identity_provider: ${{ inputs.gcr-workload-identity-secret }} service_account: ${{ inputs.gcr-service-account-secret }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! inputs.forked-workflow }} - name: Login to GCR uses: docker/login-action@v3
@@ -85,7 +88,7 @@ runs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! inputs.forked-workflow }} - name: Build ${{ inputs.image }} Container uses: docker/build-push-action@v3
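Review bot: Composite-action inputs are always delivered as strings, so `${{ ! inputs.forked-workflow }}` on the Google Cloud auth and GCR login steps evaluates `!` against `'true'` or `'false'`, and a non-empty string is truthy, which as far as I can tell makes both conditions false on every run and skips authentication for in-repo runs too; the same applies to the `target:` expression at @@ -93 (never `-prebuilt`) and to `if: ${{ inputs.forked-workflow }}` at @@ -135 (always true). Compare the string instead: `if: ${{ inputs.forked-workflow != 'true' }}`, `if: ${{ inputs.forked-workflow == 'true' }}`, and `target: goreleaser${{ inputs.forked-workflow != 'true' && '-prebuilt' || '' }}`. The new input's description also drops a word; make it `description: Does this workflow have full access to repo resources? ("true"/"false")` so callers know the expected values.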
@@ -93,7 +96,7 @@ runs: file: build/Dockerfile context: "." cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }} - target: goreleaser${{ github.event.pull_request.head.repo.full_name == github.repository && '-prebuilt' || '' }} + target: goreleaser${{ ! inputs.forked-workflow && '-prebuilt' || '' }} tags: "docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }}" load: true pull: true
@@ -135,7 +138,7 @@ runs: tags: ${{ inputs.test-image }} pull: true load: true - if: github.event.pull_request.head.repo.full_name != github.repository + if: ${{ inputs.forked-workflow }} - name: Run Smoke Tests run: |
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 5acb092bf9..c3b961b5f3 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -21,6 +21,9 @@ on: publish-image: required: false type: boolean + forked-workflow: + required: false + type: boolean defaults: run:
@@ -105,7 +108,7 @@ jobs: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! inputs.forked-workflow }} - name: Login to GCR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -113,7 +116,7 @@ jobs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! inputs.forked-workflow }} - name: Get short tag id: tag
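Review bot: The new `forked-workflow` input in build-oss.yml (@@ -21) carries no `description:`, although it now decides whether the GCR authentication steps at @@ -105 and @@ -113 run at all and whether the `-prebuilt` target is used at @@ -163. Since ci.yml derives the value from `github.event.pull_request.head.repo.full_name != github.repository`, which is also true for non-PR events, a one-line description would prevent callers from reading it as "fork PR only": `description: true when the run must not use repository credentials (fork PRs and non-PR events); skips GCR auth and the prebuilt target`.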
@@ -163,7 +166,7 @@ jobs: context: "." cache-from: type=gha,scope=${{ inputs.image }} cache-to: type=gha,scope=${{ inputs.image }},mode=max - target: goreleaser${{ github.event.pull_request.head.repo.full_name == github.repository && '-prebuilt' || '' }} + target: goreleaser${{ ! inputs.forked-workflow && '-prebuilt' || '' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 76bb0b30ed..e4f9f9ac19 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -27,6 +27,18 @@ on: publish-image: required: false type: boolean + publish-aws-market-place: + required: false + type: boolean + publish-gcp-market-place: + required: false + type: boolean + publish-nginx-reqistry: + required: false + type: boolean + forked-workflow: + required: false + type: boolean defaults: run:
@@ -70,7 +82,7 @@ jobs: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: ${{ inputs.publish-image || github.event.pull_request.head.repo.full_name == github.repository }} + if: ${{ inputs.publish-image || ! inputs.forked-workflow }} - name: Login to GCR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -78,7 +90,7 @@ jobs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - if: ${{ inputs.publish-image || github.event.pull_request.head.repo.full_name == github.repository }} + if: ${{ inputs.publish-image || ! inputs.forked-workflow }} - name: Authenticate to Google Cloud Marketplace id: auth-mktpl
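Review bot: `publish-nginx-reqistry` in the build-plus.yml @@ -27 hunk misspells "registry" in a public `workflow_call` input name; it is consumed at @@ -117, @@ -125 and @@ -133 and set from ci.yml at @@ -541 and @@ -596, and once other callers adopt it a rename becomes a breaking change, so it is cheapest to correct now: `publish-nginx-registry:` (and the same spelling at every use). None of the four new inputs has a `description:`, unlike the composite action's inputs; each of them gates a credential exchange and, for the two marketplace flags, a public release, so a one-line description of when the caller should set it is worth adding. The input table continues outside this hunk.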
@@ -87,7 +99,7 @@ jobs: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY_MKTPL }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT_MKTPL }} - if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws') + if: ${{ inputs.publish-gcp-market-place }} - name: Login to GCR for Marketplace uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -95,20 +107,19 @@ jobs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth-mktpl.outputs.access_token }} - if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws') + if: ${{ inputs.publish-gcp-market-place }} - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-region: us-east-1 role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }} - if: github.ref_type == 'tag' && contains(inputs.target, 'aws') - + if: ${{ inputs.publish-aws-market-place }} - name: Login to ECR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com - if: github.ref_type == 'tag' && contains(inputs.target, 'aws') + if: ${{ inputs.publish-aws-market-place }} - name: Get Id Token uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -117,7 +128,7 @@ jobs: script: | let id_token = await core.getIDToken() core.setOutput('id_token', id_token) - if: ${{ inputs.publish-image }} + if: ${{ inputs.publish-nginx-reqistry }} - name: Login to NGINX Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -125,7 +136,7 @@ jobs: registry: docker-mgmt.nginx.com username: ${{ steps.idtoken.outputs.id_token }} password: ${{ github.actor }} - if: ${{ inputs.publish-image }} + if: ${{ inputs.publish-nginx-reqistry }} - name: Docker meta id: meta
@@ -133,9 +144,9 @@ jobs: with: images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress - name=gcr.io/f5-7626-networks-public/nginxinc/nginx-plus-ingress${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }},enable=${{ github.ref_type == 'tag' && ! contains(inputs.target, 'aws') && ! contains(inputs.image, 'alpine') && ! contains(inputs.image, 'ubi') }} - name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}/nginx-plus-ingress,enable=${{ github.ref_type != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! contains(inputs.target, 'aws') }} - name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ github.ref_type == 'tag' && contains(inputs.target, 'aws') }} + name=gcr.io/f5-7626-networks-public/nginxinc/nginx-plus-ingress${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }},enable=${{ inputs.publish-gcp-market-place && ! contains(inputs.target, 'aws') && ! contains(inputs.image, 'alpine') && ! contains(inputs.image, 'ubi') }} + name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}/nginx-plus-ingress,enable=${{ inputs.publish-nginx-reqistry && ! 
contains(inputs.target, 'aws') }} + name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ inputs.publish-aws-market-place && contains(inputs.target, 'aws') }} flavor: | suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}},onlatest=true latest=${{ contains(inputs.target, 'aws') && 'false' || 'auto' }}
@@ -165,7 +176,7 @@ jobs: context: "." cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }} cache-to: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},mode=max - target: ${{ inputs.target }}${{ github.event.pull_request.head.repo.full_name == github.repository && '-prebuilt' || '' }} + target: ${{ inputs.target }}${{ ! inputs.forked-workflow && '-prebuilt' || '' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} annotations: ${{ inputs.publish-image && steps.meta.outputs.annotations || '' }}
@@ -203,7 +214,7 @@ jobs: echo "version=$version" >> $GITHUB_OUTPUT echo "product_code=AWS${nap}_PRODUCT_ID" >> $GITHUB_OUTPUT echo "registry=${aws_registry}" >> $GITHUB_OUTPUT - if: github.ref_type == 'tag' && contains(inputs.target, 'aws') + if: ${{ inputs.publish-aws-market-place }} - name: Publish to AWS Marketplace uses: nginxinc/aws-marketplace-publish@be512a7ae9666098bc4429a1afa27a11be6a3995 # v1.0.3
@@ -220,7 +231,7 @@ jobs: This container requires Kubernetes and can be deployed to EKS. Review the installation instructions https://docs.nginx.com/nginx-ingress-controller/installation/ and utilize the deployment resources available https://github.com/nginxinc/kubernetes-ingress/tree/master/deployments Use this image instead of building your own. - if: ${{ github.ref_type == 'tag' && contains(inputs.target, 'aws') }} + if: ${{ inputs.publish-aws-market-place }} - name: Extract image name for Trivy id: trivy-tag
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c2d30d3920..bf3601880e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,15 +36,16 @@ jobs: name: Checks and variables runs-on: ubuntu-22.04 outputs: - go_path: ${{ steps.vars.outputs.go_path }} k8s_latest: ${{ steps.vars.outputs.k8s_latest }} latest_kindest_node_versions: ${{ steps.vars.outputs.latest_kindest_node_versions }} + go_path: ${{ steps.vars.outputs.go_path }} go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} - chart_version: ${{ steps.vars.outputs.chart_version }} binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} + chart_version: ${{ steps.vars.outputs.chart_version }} ic_version: ${{ steps.vars.outputs.ic_version }} - publish-images: ${{ steps.vars.outputs.publish }} + publish_images: ${{ steps.vars.outputs.publish }} docker_md5: ${{ steps.vars.outputs.docker_md5 }} + forked_workflow: ${{ github.event.pull_request.head.repo.full_name != github.repository }} steps: - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -66,7 +67,6 @@ jobs: | sed 's/^.\{1\}//' \ | tr -d '\n') echo "k8s_latest=$kindest_latest" >> $GITHUB_OUTPUT - echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT kindest_versions=$(curl -s "https://hub.docker.com/v2/repositories/kindest/node/tags" \ | grep -o '"name": *"[^"]*' \ | grep -o '[^"]*$' \
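Review bot: `forked_workflow` is a job output, and job outputs are strings, so every consumer added later in ci.yml — `if: ${{ ! needs.checks.outputs.forked_workflow }}` at @@ -244, @@ -253, @@ -261, @@ -308, @@ -316, @@ -411, @@ -419 and @@ -427, the `target:` at @@ -324 and `push:`/`load:`/`if:` at @@ -437 — receives `'false'`, a non-empty string that `!` treats as truthy; as far as I can tell the negated conditions are therefore never true, so same-repo runs lose GCR auth, the `-prebuilt` target and the test-runner push, while `load:` and the `if:` at @@ -437 are always on. The `publish-image` lines at @@ -510 and @@ -541 already use the right pattern (`== 'true'`); apply it here too, `if: ${{ needs.checks.outputs.forked_workflow != 'true' }}`, and pass `forked-workflow: ${{ needs.checks.outputs.forked_workflow == 'true' }}` into the `type: boolean` inputs at @@ -510, @@ -541 and @@ -596 (the composite action at @@ -471 takes a string either way). Note also that `github.event.pull_request` is absent on push and tag events, so the output is `'true'` for every non-PR run; that preserves the old `==` semantics but the name suggests otherwise, so a comment such as `# 'true' for fork PRs and for all non-PR events; only same-repo PRs take the credentialed path` would help. The `publish-images` → `publish_images` rename is mirrored for the two callers in this diff; if any other job references the old name outside these hunks it will now read an empty string.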
@@ -80,6 +80,7 @@ jobs: | sed 's/, $//' \ | jq -R -s -c 'split("\n")[:-1]') echo "latest_kindest_node_versions=$kindest_versions" >> $GITHUB_OUTPUT + echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT echo go_code_md5=$(find . -type f \( -name "*.go" -o -name go.mod -o -name go.sum -o -name "*.tmpl" -o -name .goreleaser.yml -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }') >> $GITHUB_OUTPUT source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
@@ -87,6 +88,8 @@ jobs: publish=false if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image }}; then publish=true + elif ${{ github.ref_type == 'tag' }}; then + publish=true elif ${{ github.event_name != 'workflow_dispatch' && github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }}; then publish=true fi
@@ -244,7 +247,7 @@ jobs: - name: Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! needs.checks.outputs.forked_workflow }} - name: Authenticate to Google Cloud id: auth
@@ -253,7 +256,7 @@ jobs: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! needs.checks.outputs.forked_workflow }} - name: Login to GCR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
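Review bot: The new `elif ${{ github.ref_type == 'tag' }}` branch in the @@ -87 hunk appears to be unreachable in effect: a tag push has `event_name == 'push'` and a `refs/tags/` ref, so the following `elif` already sets `publish=true` for it. If the branch is meant to document that tags always publish regardless of how the later condition evolves, keep it but say so, `# tags always publish, independently of the branch rules below`; otherwise drop it to keep one source of truth for the publish decision. The shell block starts before this hunk.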
@@ -261,18 +264,18 @@ jobs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! needs.checks.outputs.forked_workflow }} - name: Check if base images exist id: base_exists run: | docker manifest inspect gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ needs.checks.outputs.docker_md5 }}-debian echo "exists=$?" >> $GITHUB_OUTPUT - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! needs.checks.outputs.forked_workflow }} - name: Rebuild base images uses: ./.github/workflows/build-base-images.yml - if: github.event.pull_request.head.repo.full_name == github.repository && steps.base_exists.outputs.exists != 0 + if: ${{ ! needs.checks.outputs.forked_workflow && steps.base_exists.outputs.exists != 0 }} helm-tests: name: Helm Tests
@@ -308,7 +311,7 @@ jobs: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! needs.checks.outputs.forked_workflow }} - name: Login to GCR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -316,7 +319,7 @@ jobs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! needs.checks.outputs.forked_workflow }} - name: Build Docker Image ${{ matrix.image }} uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
@@ -324,7 +327,7 @@ jobs: file: build/Dockerfile context: "." cache-from: type=gha,scope=${{ matrix.image }} - target: goreleaser${{ github.event.pull_request.head.repo.full_name == github.repository && '-prebuilt' || '' }} + target: goreleaser${{ ! needs.checks.outputs.forked_workflow && '-prebuilt' || '' }} tags: ${{ matrix.type }}:${{ github.sha }} pull: true load: true
@@ -411,7 +414,7 @@ jobs: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! needs.checks.outputs.forked_workflow }} - name: Login to GCR uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -419,7 +422,7 @@ jobs: registry: gcr.io username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! needs.checks.outputs.forked_workflow }} - name: Check if image exists id: check-image
@@ -427,7 +430,7 @@ jobs: docker manifest inspect "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" shell: bash continue-on-error: true - if: github.event.pull_request.head.repo.full_name == github.repository + if: ${{ ! needs.checks.outputs.forked_workflow }} - name: Build Test-Runner Container uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
@@ -437,9 +440,9 @@ jobs: cache-from: type=gha,scope=test-runner tags: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" pull: true - push: ${{ github.event.pull_request.head.repo.full_name == github.repository }} - load: ${{ github.event.pull_request.head.repo.full_name != github.repository }} - if: ${{ steps.check-image.outcome == 'failure' || github.event.pull_request.head.repo.full_name != github.repository }} + push: ${{ ! needs.checks.outputs.forked_workflow }} + load: ${{ needs.checks.outputs.forked_workflow }} + if: ${{ steps.check-image.outcome == 'failure' || needs.checks.outputs.forked_workflow }} smoke-tests: name: ${{ matrix.images.label }} ${{ matrix.images.image }} smoke tests
@@ -471,6 +474,7 @@ jobs: go-md5: ${{ needs.checks.outputs.go_code_md5 }} base-image-md5: ${{ needs.checks.outputs.docker_md5 }} test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + forked-workflow: ${{ needs.checks.outputs.forked_workflow }} - name: Upload Test Results uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
@@ -510,8 +514,9 @@ jobs: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} go-md5: ${{ needs.checks.outputs.go_code_md5 }} - publish-image: ${{ needs.checks.outputs.publish-images == 'true' }} + publish-image: ${{ needs.checks.outputs.publish_images == 'true' }} base-image-md5: ${{ needs.checks.outputs.docker_md5 }} + forked-workflow: ${{ needs.checks.outputs.forked_workflow }} permissions: contents: read actions: read
@@ -541,7 +546,11 @@ jobs: go-md5: ${{ needs.checks.outputs.go_code_md5 }} base-image-md5: ${{ needs.checks.outputs.docker_md5 }} release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: ${{ needs.checks.outputs.publish-images == 'true' }} + publish-image: ${{ needs.checks.outputs.publish_images == 'true' }} + publish-aws-market-place: ${{ needs.checks.outputs.publish_images == 'true' && contains(matrix.target, 'aws') }} + publish-gcp-market-place: ${{ needs.checks.outputs.publish_images == 'true' && ! contains(matrix.target, 'aws') }} + publish-nginx-reqistry: ${{ needs.checks.outputs.publish_images == 'true' && ! contains(matrix.target, 'aws') }} + forked-workflow: ${{ needs.checks.outputs.forked_workflow }} permissions: contents: read security-events: write
@@ -596,7 +605,11 @@ jobs: base-image-md5: ${{ needs.checks.outputs.docker_md5 }} nap_modules: ${{ matrix.nap_modules }} release-url: ${{ needs.release-notes.outputs.release-url }} - publish-image: ${{ needs.checks.outputs.publish_images == 'true' }} + publish-image: ${{ needs.checks.outputs.publish_images == 'true' }} + publish-aws-market-place: ${{ github.ref_type == 'tag' && contains(matrix.target, 'aws') }} + publish-gcp-market-place: ${{ github.ref_type == 'tag' && ! contains(matrix.target, 'aws') }} + publish-nginx-reqistry: ${{ github.ref_type != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! contains(matrix.target, 'aws') }} + forked-workflow: ${{ needs.checks.outputs.forked_workflow }} permissions: contents: read security-events: write
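Review bot: `publish-aws-market-place` and `publish-gcp-market-place` in the @@ -541 hunk are gated on `needs.checks.outputs.publish_images == 'true'`, whereas every condition they replace in build-plus.yml (@@ -87, @@ -95, @@ -203, @@ -220 and the `enable=` flags at @@ -133) required `github.ref_type == 'tag'`; per the @@ -87 hunk of this file, `publish` is also `true` for a `workflow_dispatch` with `publish-image` set and for any non-PR, non-dispatch run on a ref that is not a `release-` branch, so a merge to the default branch would now push to the AWS and GCP marketplaces. The sibling job at @@ -596 keeps the tag check, so the two callers also disagree with each other. Unless the widening is intended, use the tag condition here as well: `publish-aws-market-place: ${{ github.ref_type == 'tag' && contains(matrix.target, 'aws') }}` and `publish-gcp-market-place: ${{ github.ref_type == 'tag' && ! contains(matrix.target, 'aws') }}`. The enclosing job definition starts before and ends after this hunk.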
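Review bot: In the @@ -596 hunk, `github.ref_type != 'pull_request'` inside `publish-nginx-reqistry` is always true, because `ref_type` only takes the values `branch` and `tag`; the clause was carried over from the old `enable=` expression at build-plus.yml @@ -133, but now that the decision lives in the caller this is the place to correct it. Presumably pull requests were meant to be excluded, which is `github.event_name != 'pull_request'` (the same check the `publish` computation at @@ -87 uses), so the line would read `publish-nginx-reqistry: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! contains(matrix.target, 'aws') }}`. A short comment above the three marketplace/registry lines stating which event types are expected to publish where would make the difference from the @@ -541 job explicit. The enclosing job definition starts before and ends after this hunk.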