Workflow refactor (nginx#5766)

Author: pdabelf5

.github/scripts/copy-images.sh

@@ -42,7 +42,7 @@ SOURCE_NAP_WAF_DOS_IMAGE_PREFIX=${SOURCE_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos
 
 TARGET_PLUS_IMAGE_PREFIX=${TARGET_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
 TARGET_NAP_WAF_IMAGE_PREFIX=${TARGET_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
-TARGET_NAP_WAFV5_IMAGE_PREFIX=${TARGET_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
+TARGET_NAP_WAFV5_IMAGE_PREFIX=${TARGET_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap-v5/nginx-plus-ingress"}
 TARGET_NAP_DOS_IMAGE_PREFIX=${TARGET_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
 TARGET_NAP_WAF_DOS_IMAGE_PREFIX=${TARGET_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
 

.github/scripts/variables.sh

@@ -30,7 +30,7 @@ get_chart_md5() {
 }
 
 get_actions_md5() {
-  find .github .github/data/version.txt -type f -exec md5sum {} + | LC_ALL=C sort  | md5sum | awk '{ print $1 }'
+  find .github -type f -exec md5sum {} + | LC_ALL=C sort  | md5sum | awk '{ print $1 }'
 }
 
 get_build_tag() {

.github/workflows/build-oss.yml

@@ -9,21 +9,29 @@ on:
       image:
         required: true
         type: string
+      tag:
+        required: false
+        type: string
       go-md5:
         required: true
         type: string
       base-image-md5:
-        required: false
+        required: true
         type: string
-      tag:
-        required: false
+      branch:
+        required: true
         type: string
-      publish-image:
-        required: false
+      authenticated:
+        required: true
         type: boolean
-      forked-workflow:
+      full-build:
+        description: Always build base image
         required: false
         type: boolean
+        default: false
+      ic-version:
+        required: false
+        type: string
 
 defaults:
   run:
@@ -38,85 +46,60 @@ jobs:
     permissions:
       contents: read # for docker/build-push-action to read repo content
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      id-token: write # for OIDC login to AWS ECR
+      id-token: write # for OIDC login to GCR
       packages: write # for docker/build-push-action to push to GHCR
-    outputs:
-      version: ${{ steps.meta.outputs.version }}
-      image_digest: ${{ steps.build-push.outputs.digest }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
-          ref: ${{ inputs.tag != '' && format('refs/tags/v{0}', inputs.tag) || github.ref }}
+          ref: ${{ inputs.branch }}
           fetch-depth: 0
 
-      - name: Fetch Cached Artifacts
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
-        with:
-          path: ${{ github.workspace }}/dist
-          key: nginx-ingress-${{ inputs.go-md5 }}
-
       - name: Setup QEMU
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         with:
           platforms: arm,arm64,ppc64le,s390x
-        if: ${{ inputs.publish-image }}
 
       - name: Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
-      - name: DockerHub Login
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-        if: ${{ inputs.publish-image }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-        if: ${{ inputs.publish-image }}
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
-        with:
-          aws-region: us-east-1
-          role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
-        if: ${{ inputs.publish-image }}
-
-      - name: Login to Public ECR
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
-        with:
-          registry: public.ecr.aws
-        if: ${{ inputs.publish-image }}
-
-      - name: Login to Quay.io
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-        if: ${{ inputs.publish-image }}
-
       - name: Authenticate to Google Cloud
         id: auth
         uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
         with:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
           service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
-        if: ${{ ! inputs.forked-workflow }}
+        if: ${{ inputs.authenticated }}
 
       - name: Login to GCR
         uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: gcr.io
           username: oauth2accesstoken
           password: ${{ steps.auth.outputs.access_token }}
-        if: ${{ ! inputs.forked-workflow }}
+        if: ${{ inputs.authenticated }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          context: workflow
+          images: |
+            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
+          flavor: |
+            suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}
+          tags: |
+            type=raw,value=${{ inputs.tag }}
+          labels: |
+            org.opencontainers.image.description=NGINX Ingress Controller for Kubernetes
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/README.md
+            io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg
+            io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"[email protected]"}]
+            io.artifacthub.package.license=Apache-2.0
+            io.artifacthub.package.keywords=kubernetes,ingress,nginx,controller
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
       - name: Check if base images exist
         id: base_exists
@@ -126,64 +109,48 @@ jobs:
           if docker manifest inspect ${base_image}; then
             echo "exists=true" >> $GITHUB_OUTPUT
           fi
-        if: ${{ ! inputs.forked-workflow }}
+        if: ${{ inputs.authenticated && ! inputs.full-build }}
 
       - name: Build Base Container
         uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
         with:
           file: build/Dockerfile
           context: "."
-          cache-from: type=gha,scope=${{ inputs.image }}
           cache-to: type=gha,scope=${{ inputs.image }},mode=max
           target: common
           tags: ${{ steps.base_exists.outputs.image }}
           platforms: ${{ inputs.platforms }}
           pull: true
           push: true
+          no-cache: true
           build-args: |
             BUILD_OS=${{ inputs.image }}
-            IC_VERSION=${{ inputs.tag }}
-        if: ${{ ! inputs.forked-workflow && steps.base_exists.outputs.exists != 'true' }}
+            IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
+        if: ${{ inputs.authenticated && steps.base_exists.outputs.exists != 'true' }}
+
+      - name: Check if target image exists
+        id: target_exists
+        run: |
+          if docker pull ${{ steps.meta.outputs.tags }}; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          fi
+        if: ${{ inputs.authenticated && ! inputs.full-build }}
 
-      - name: Get short tag
-        id: tag
+      - name: Debug values
         run: |
-          version="${{ inputs.tag }}"
-          short="${version%.*}"
-          echo "short=$short" >> $GITHUB_OUTPUT
-        if: ${{ inputs.tag != '' }}
+          echo "authenticated: ${{ inputs.authenticated }}"
+          echo "base_exists: ${{ steps.base_exists.outputs.exists }}"
+          echo "target_exists: ${{ steps.target_exists.outputs.exists }}"
+          echo "full-build: ${{ inputs.full-build }}"
+          echo "all: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}"
 
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+      - name: Fetch Cached Artifacts
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
-          context: ${{ inputs.tag != '' && 'git' || 'workflow' }}
-          images: |
-            name=nginx/nginx-ingress
-            name=ghcr.io/nginxinc/kubernetes-ingress
-            name=public.ecr.aws/nginx/nginx-ingress
-            name=quay.io/nginx/nginx-ingress
-          flavor: |
-            latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
-            suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }},onlatest=true
-          tags: |
-            type=edge
-            type=ref,event=pr
-            type=ref,event=branch,enable=${{ startsWith(github.ref, 'refs/heads/release-') }}
-            type=schedule,enable=${{ inputs.tag == '' }}
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
-            type=raw,value=${{ steps.tag.outputs.short }},enable=${{ inputs.tag != '' }}
-          labels: |
-            org.opencontainers.image.description=NGINX Ingress Controller for Kubernetes
-            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/README.md
-            io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg
-            io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"[email protected]"}]
-            io.artifacthub.package.license=Apache-2.0
-            io.artifacthub.package.keywords=kubernetes,ingress,nginx,controller
-        env:
-          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+          path: ${{ github.workspace }}/dist
+          key: nginx-ingress-${{ inputs.go-md5 }}
+          fail-on-cache-miss: true
+        if: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
 
       - name: Build Docker image
         uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
@@ -193,35 +160,21 @@ jobs:
           context: "."
           cache-from: type=gha,scope=${{ inputs.image }}
           cache-to: type=gha,scope=${{ inputs.image }},mode=max
-          target: goreleaser${{ ! inputs.forked-workflow && '-prebuilt' || '' }}
+          target: goreleaser${{ inputs.authenticated && '-prebuilt' || '' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          annotations: ${{ github.event_name != 'pull_request' && steps.meta.outputs.annotations || '' }}
-          platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }}
-          load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }}
-          push: ${{ inputs.publish-image }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          platforms: ${{ inputs.platforms }}
+          load: false
+          push: ${{ inputs.authenticated }}
           pull: true
-          no-cache: ${{ inputs.publish-image }}
-          sbom: ${{ inputs.publish-image }}
+          sbom: ${{ inputs.authenticated }}
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
-            ${{ ! inputs.forked-workflow && format('PREBUILT_BASE_IMG={0}', steps.base_exists.outputs.image) || '' }}
-            IC_VERSION=${{ (github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-')) && 'CI' || steps.meta.outputs.version }}
-
-      - name: Certify Images
-        continue-on-error: true
-        run: |
-          curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.6.11/preflight-linux-amd64 --output preflight
-          chmod +x preflight
-
-          IFS=',' read -ra arch_list <<< "${{ inputs.platforms }}"
-
-          for arch in "${arch_list[@]}"; do
-              architecture=("${arch#*/}")
-              ./preflight check container quay.io/nginx/nginx-ingress:${{ steps.meta.outputs.version }} --pyxis-api-token ${{ secrets.PYXIS_API_TOKEN }} --certification-project-id ${{ secrets.CERTIFICATION_PROJECT_ID }} --platform $architecture --submit
-          done
-        if: ${{ (github.ref_type == 'tag' && vars.OLD_RELEASE_FLOW == 'true') && contains(inputs.image, 'ubi') }}
+            ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_exists.outputs.image) }}
+            IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
+        if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
@@ -231,12 +184,14 @@ jobs:
           format: "sarif"
           output: "trivy-results-${{ inputs.image }}.sarif"
           ignore-unfixed: "true"
+        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
         continue-on-error: true
         with:
           sarif_file: "trivy-results-${{ inputs.image }}.sarif"
+        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
       - name: Upload Scan Results
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
@@ -245,17 +200,3 @@ jobs:
           name: "trivy-results-${{ inputs.image }}.sarif"
           path: "trivy-results-${{ inputs.image }}.sarif"
         if: always()
-
-  send-notification:
-    name: Send Notification
-    needs: build
-    uses: ./.github/workflows/updates-notification.yml
-    with:
-      tag: ${{ inputs.tag }}
-      version: ${{ needs.build.outputs.version }}
-      image_digest: ${{ needs.build.outputs.image_digest }}
-    permissions:
-      contents: read
-      actions: read
-    secrets: inherit
-    if: ${{ inputs.tag != '' }}