From fc81e3222654d547301187f3966b1050ccf8f29e Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Thu, 11 Jul 2024 10:56:02 +0100 Subject: [PATCH 1/5] workflow to build ppc64le binary for ubi --- .github/workflows/build-ubi-dependency.yml | 136 +++++++++++++++++++++ build/dependencies/Dockerfile.ubi-ppc64le | 33 +++++ 2 files changed, 169 insertions(+) create mode 100644 .github/workflows/build-ubi-dependency.yml create mode 100644 build/dependencies/Dockerfile.ubi-ppc64le diff --git a/.github/workflows/build-ubi-dependency.yml b/.github/workflows/build-ubi-dependency.yml new file mode 100644 index 0000000000..8c451f54e1 --- /dev/null +++ b/.github/workflows/build-ubi-dependency.yml 
@@ -0,0 +1,136 @@ +name: Build UBI ppc64le Dependency + +on: + # TODO: remove push + push: + schedule: + - cron: "30 4 * * 1" # run Mon at 04:30 UTC + workflow_dispatch: + inputs: + nginx_version: + type: string + description: "NGINX Version to build for" + required: false + force: + type: boolean + description: "Force rebuild" + required: false + default: false + +env: + IMAGE_NAME: ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le + +concurrency: + group: ${{ github.ref_name }}-ubi-ppc64le-build + cancel-in-progress: true + +jobs: + checks: + name: Check versions + runs-on: ubuntu-22.04 + permissions: + packages: read + contents: read + strategy: + fail-fast: false + outputs: + nginx_version: ${{ steps.var.outputs.nginx_version }} + njs_version: ${{ steps.var.outputs.njs_version }} + target_exists: ${{ steps.var.outputs.target_image_exists }} + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Login to GitHub Container Registry + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Output Variables + id: var + run: | + if [ -n "${{ inputs.nginx_version }}" ]; then + nginx_v=${{ inputs.nginx_version }} + else + nginx_v=$(grep -m1 'FROM nginx:' Outputs -------------------------------" + echo "NJS_VERSION=$njs" + echo "nginx_version=${nginx_v}" + echo "njs_version=${njs}" + echo "target_image_exists=${target_image_exists}" + echo "nginx_version=${nginx_v}" >> $GITHUB_OUTPUT + echo "njs_version=${njs}" >> $GITHUB_OUTPUT + echo "target_image_exists=${target_image_exists}" >> $GITHUB_OUTPUT + + build-binaries: + name: Build Binary Container Image + if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force }} + needs: checks + runs-on: ubuntu-22.04 + permissions: + packages: write + contents: read + strategy: + fail-fast: false + steps: + - 
name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Setup QEMU + uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 + with: + platforms: arm64,ppc64le,s390x + + - name: Docker Buildx + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + + - name: Login to GitHub Container Registry + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: | + name=${{ env.IMAGE_NAME }},enable=true + tags: | + type=raw,value=nginx-${{ needs.checks.outputs.nginx_version }},enable=true + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Build and push + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 + with: + file: ./build/dependencies/Dockerfile.ubi-ppc64le + context: "." + pull: true + push: true + # build multi-arch so that it can be mounted from any image + # even though only ppc64le will contain binaries + platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x" + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + cache-from: type=gha,scope=nginx-ubi-ppc64le + cache-to: type=gha,scope=nginx-ubi-ppc64le,mode=max + target: final + sbom: false + provenance: mode=max + build-args: | + NGINX=${{ needs.checks.outputs.nginx_version }} + NJS=${{ needs.checks.outputs.njs_version }} diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le new file mode 100644 index 0000000000..3d67db841d --- /dev/null +++ b/build/dependencies/Dockerfile.ubi-ppc64le 
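Review bot: In the `Output Variables` step of the `checks` job, `${{ inputs.nginx_version }}` is expanded straight into the `run:` script (`nginx_v=${{ inputs.nginx_version }}`), so whatever is entered in the `workflow_dispatch` form becomes shell source rather than data. The value should reach the script through the environment instead: give the step an `env:` entry `NGINX_INPUT: ${{ inputs.nginx_version }}` and use `if [ -n "${NGINX_INPUT}" ]; then nginx_v="${NGINX_INPUT}"`. The same value later becomes the image tag and the `NGINX` build argument, so a format check against a version pattern before it is written to the outputs would be worth adding, and `>> $GITHUB_OUTPUT` should be quoted as `>> "$GITHUB_OUTPUT"`. Part of this step's script is not legible on the page, so other uses of the input there may need the same treatment.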
@@ -0,0 +1,33 @@
+# syntax=docker/dockerfile:1.8
+FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df AS nginx
+
+FROM redhat/ubi9:9.4@sha256:12417683f9fe6cd6b8cb58b293f174621886e5d68cf41066127d28e42424ad40 AS rpm-build
+ARG NGINX
+ARG NJS
+ENV NGINX_VERSION ${NGINX}
+ENV NJS_VERSION ${NJS}
+
+
+RUN mkdir -p /nginx/; \
+ # only build for ppc64le but make multiarch image for mounting
+ [ $(uname -p) != ppc64le ] && exit 0; \
+ rpm --import https://nginx.org/keys/nginx_signing.key \
+ && printf "%s\n" "[nginx]" "name=nginx src repo" \
+ "baseurl=https://nginx.org/packages/mainline/centos/9/SRPMS" \
+ "gpgcheck=1" "enabled=1" "module_hotfixes=true" >> /etc/yum.repos.d/nginx.repo \
+ && dnf install rpm-build gcc make dnf-plugins-core which -y \
+ && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
+ && nginxPackages=" \
+ nginx-${NGINX_VERSION} \
+ nginx-module-xslt-${NGINX_VERSION} \
+ nginx-module-image-filter-${NGINX_VERSION} \
+ nginx-module-njs-${NGINX_VERSION}+${NJS_VERSION} \
+ " \
+ && dnf config-manager --set-enabled ubi-9-codeready-builder \
+ && dnf download --source ${nginxPackages} \
+ && dnf builddep -y --srpm nginx*.rpm \
+ && rpmbuild --rebuild --nodebuginfo nginx*.rpm \
+ && cp /root/rpmbuild/RPMS/$(arch)/* /nginx/
+
+FROM scratch AS final
+COPY --link --from=rpm-build /nginx /
From cdda7ef411a89dd828f95b0f1f8edb7cde55fd64 Mon Sep 17 00:00:00 2001
From: Eoin O'Shaughnessy
Date: Thu, 11 Jul 2024 10:58:17 +0100
Subject: [PATCH 2/5] fix Dockerfile path
---
.github/workflows/build-ubi-dependency.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-ubi-dependency.yml b/.github/workflows/build-ubi-dependency.yml
index 8c451f54e1..72fa3b62cb 100644
--- a/.github/workflows/build-ubi-dependency.yml
+++ b/.github/workflows/build-ubi-dependency.yml
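Review bot: In the `RUN` step of `build/dependencies/Dockerfile.ubi-ppc64le`, the source RPMs go from `dnf download --source` to `rpmbuild --rebuild` with no signature verification in between; `gpgcheck=1` in the repo file applies when packages are installed, and as far as I know `dnf download` does not enforce it. The nginx key imported at the top is therefore never applied to the artifacts that are actually built, so a check such as `&& rpmkeys --checksig nginx*.rpm \` before `dnf builddep` is needed, with the build failing unless the output reports valid signatures rather than digests only. The EPEL release package is also installed from the unpinned `epel-release-latest-9` URL, and dnf's `localpkg_gpgcheck` is off by default, so that RPM (which brings the repo definitions and keys that `dnf builddep` then trusts) rests on TLS alone, unlike the digest-pinned `FROM` lines. Separately, `$(uname -p)` in the architecture guard is unquoted; `[ "$(uname -p)" != ppc64le ] && exit 0;` keeps the test well-formed, and the early exit working, if the command prints nothing.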
@@ -54,7 +54,7 @@ jobs: if [ -n "${{ inputs.nginx_version }}" ]; then nginx_v=${{ inputs.nginx_version }} else - nginx_v=$(grep -m1 'FROM nginx:' Date: Thu, 11 Jul 2024 11:01:56 +0100 Subject: [PATCH 3/5] fix ubi sha --- build/dependencies/Dockerfile.ubi-ppc64le | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le index 3d67db841d..516ed19a1c 100644 --- a/build/dependencies/Dockerfile.ubi-ppc64le +++ b/build/dependencies/Dockerfile.ubi-ppc64le @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.8 FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df AS nginx -FROM redhat/ubi9:9.4@sha256:12417683f9fe6cd6b8cb58b293f174621886e5d68cf41066127d28e42424ad40 AS rpm-build +FROM redhat/ubi9:9.4@sha256:081c96d1b1c7cd1855722d01f1ca53360510443737b1eb33284c6c4c330e537c AS rpm-build ARG NGINX ARG NJS ENV NGINX_VERSION ${NGINX} From 583167e1f8eed79fffd91501ff0264e702310587 Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Thu, 11 Jul 2024 11:03:29 +0100 Subject: [PATCH 4/5] force rebuild --- .github/workflows/build-ubi-dependency.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-ubi-dependency.yml b/.github/workflows/build-ubi-dependency.yml index 72fa3b62cb..8da6f64b17 100644 --- a/.github/workflows/build-ubi-dependency.yml +++ b/.github/workflows/build-ubi-dependency.yml @@ -75,7 +75,7 @@ jobs: build-binaries: name: Build Binary Container Image - if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force }} + if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force || true }} needs: checks runs-on: ubuntu-22.04 permissions: From 5e86ecf79532d9462d16aefac0cb6da092ea4587 Mon Sep 17 00:00:00 2001 
From: Eoin O'Shaughnessy Date: Thu, 11 Jul 2024 13:29:58 +0100 Subject: [PATCH 5/5] finalise workflow trigger --- .github/workflows/build-ubi-dependency.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-ubi-dependency.yml b/.github/workflows/build-ubi-dependency.yml index 8da6f64b17..28f2895a8b 100644 --- a/.github/workflows/build-ubi-dependency.yml +++ b/.github/workflows/build-ubi-dependency.yml @@ -1,10 +1,11 @@ name: Build UBI ppc64le Dependency on: - # TODO: remove push push: - schedule: - - cron: "30 4 * * 1" # run Mon at 04:30 UTC + branches: + - main + paths: + - build/dependencies/Dockerfile.ubi-ppc64le workflow_dispatch: inputs: nginx_version: @@ -75,7 +76,7 @@ jobs: build-binaries: name: Build Binary Container Image - if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force || true }} + if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force }} needs: checks runs-on: ubuntu-22.04 permissions: