Update Docker Images #1190
# Weekly (or manually dispatched) workflow that patches and republishes the
# project's Docker images.
name: Update Docker Images

on:
  schedule:
    - cron: "0 1 * * 0" # run every week at 01:00 UTC on Sunday
  workflow_dispatch:
    inputs:
      # Tag to rebuild. On scheduled runs this input is empty and the
      # "variables" job falls back to the newest git tag instead.
      tag:
        description: "Update images with tag"
        required: true
      # Forwarded to the release workflows as their dry_run input.
      dry_run:
        type: boolean
        default: false

defaults:
  run:
    shell: bash

# One update run per ref: a newer run cancels the one still in progress.
concurrency:
  group: ${{ github.ref_name }}-update
  cancel-in-progress: true

# Workflow-wide default for the GITHUB_TOKEN is read-only; each job that needs
# more (id-token, packages) declares it in its own permissions block.
permissions:
  contents: read
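jobs:
  # Resolves the values every later job consumes: release tag, short tag
  # (tag with its last dotted component removed), build date, image matrix.
  variables:
    name: Set variables for workflow
    runs-on: ubuntu-24.04
    outputs:
      tag: ${{ steps.kic.outputs.tag }}
      short_tag: ${{ steps.kic.outputs.short }}
      date: ${{ steps.kic.outputs.date }}
      matrix: ${{ steps.kic.outputs.matrix }}
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release the SHA corresponds to.
      - name: Checkout Repository
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0 # full history, so `git tag` below can list tags

      - name: Set variables
        id: kic
        env:
          # The dispatch input is handed to the script as an environment
          # variable rather than expanded into the script text, so bash
          # treats its content as data and never as shell syntax.
          INPUT_TAG: ${{ inputs.tag }}
        run: |
          tag="$(git tag --sort=-version:refname | head -n1)"
          if [ -n "${INPUT_TAG}" ]; then
            tag="${INPUT_TAG}"
          else
            tag="${tag//v}"
          fi
          # The tag is written to the step output file and later used as an
          # image tag, so accept only the Docker tag character set. This also
          # rejects an empty value and any embedded newline. The rejected
          # value is deliberately not echoed back into the log.
          if [[ ! "${tag}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "::error::refusing to continue with an unexpected tag value"
            exit 1
          fi
          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
          date=$(date "+%Y%m%d")
          echo "date=${date}" >> "$GITHUB_OUTPUT"
          short="${tag%.*}"
          echo "short=$short" >> "$GITHUB_OUTPUT"
          echo "matrix=$(jq -c . .github/data/patch-images.json)" >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"

  # Runs the patch-image reusable workflow once per entry of the matrix
  # loaded from .github/data/patch-images.json.
  patch-images:
    name: Patch Images
    needs: [variables]
    strategy:
      fail-fast: false
      matrix:
        include: ${{ fromJSON( needs.variables.outputs.matrix ) }}
    uses: ./.github/workflows/patch-image.yml
    with:
      platforms: ${{ matrix.platforms }}
      image: ${{ matrix.source_image }}
      # debian images use the bare tag; every other OS gets a "-<source_os>" suffix.
      tag: ${{ matrix.source_os == 'debian' && needs.variables.outputs.tag || format('{0}-{1}', needs.variables.outputs.tag, matrix.source_os) }}
      ic_version: ${{ needs.variables.outputs.tag }}
      target_image: ${{ matrix.target_image }}
      # Same rule, with the build date inserted after the tag.
      target_tag: ${{ matrix.source_os == 'debian' && format('{0}-{1}', needs.variables.outputs.tag, needs.variables.outputs.date) || format('{0}-{1}-{2}', needs.variables.outputs.tag, needs.variables.outputs.date, matrix.source_os) }}
    permissions:
      contents: read
      # Lets the called workflow request an OIDC token; presumably used for
      # registry/cloud login - confirm in patch-image.yml.
      id-token: write
    # NOTE(review): "inherit" forwards every secret visible to this workflow
    # to the called workflow. Passing only the secrets it declares would
    # narrow exposure; the same applies to the release jobs below.
    secrets: inherit

  release-oss-internal:
    name: "Publish Docker OSS ${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }} to internal release Registries"
    needs: [variables, patch-images]
    uses: ./.github/workflows/oss-release.yml
    with:
      gcr_release_registry: true
      ecr_public_registry: false
      dockerhub_public_registry: false
      quay_public_registry: false
      github_public_registry: false
      source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
      target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
      branch: "release-${{ needs.variables.outputs.short_tag }}"
      # inputs.dry_run is unset on scheduled runs; "|| false" makes that a real publish.
      dry_run: ${{ inputs.dry_run || false }}
    permissions:
      contents: read
      id-token: write
      packages: write
    secrets: inherit

  # Publishes the dated source image under four target tags. Three of them
  # (tag, short tag, "latest") are names reused across runs, so consumers who
  # need an immutable reference should pin by digest or by the dated tag.
  release-oss-public:
    name: Publish Docker OSS ${{ matrix.tag }} to Public Registries
    needs: [variables, patch-images]
    strategy:
      fail-fast: false
      matrix:
        tag:
          - "${{ needs.variables.outputs.tag }}"
          - "${{ needs.variables.outputs.short_tag }}"
          - "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
          - "latest"
    uses: ./.github/workflows/oss-release.yml
    with:
      gcr_release_registry: false
      ecr_public_registry: true
      dockerhub_public_registry: true
      quay_public_registry: true
      github_public_registry: true
      source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
      target_tag: ${{ matrix.tag }}
      branch: "release-${{ needs.variables.outputs.short_tag }}"
      dry_run: ${{ inputs.dry_run || false }}
    permissions:
      contents: read
      id-token: write
      packages: write
    secrets: inherit

  release-plus-nginx:
    name: Publish Docker Plus ${{ matrix.tag }} to NGINX registry
    needs: [variables, patch-images]
    strategy:
      fail-fast: false
      matrix:
        tag:
          - "${{ needs.variables.outputs.tag }}"
          - "${{ needs.variables.outputs.short_tag }}"
          - "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
          - "latest"
    uses: ./.github/workflows/plus-release.yml
    with:
      nginx_registry: true
      gcr_release_registry: false
      gcr_mktpl_registry: false
      ecr_mktpl_registry: false
      az_mktpl_registry: false
      source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
      target_tag: ${{ matrix.tag }}
      branch: "release-${{ needs.variables.outputs.short_tag }}"
      dry_run: ${{ inputs.dry_run || false }}
    permissions:
      contents: read
      id-token: write
    secrets: inherit

  release-plus-internal:
    name: Publish Docker Plus ${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }} to internal release Registries
    needs: [variables, patch-images]
    uses: ./.github/workflows/plus-release.yml
    with:
      nginx_registry: false
      gcr_release_registry: true
      gcr_mktpl_registry: false
      ecr_mktpl_registry: false
      az_mktpl_registry: false
      source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
      target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
      branch: "release-${{ needs.variables.outputs.short_tag }}"
      dry_run: ${{ inputs.dry_run || false }}
    permissions:
      contents: read
      id-token: write
    secrets: inherit

  # Fetches the Pyxis credentials from Azure Key Vault and runs the local
  # certify-openshift-image action against the published UBI image on quay.io.
  certify-openshift-images:
    name: Certify OpenShift UBI images
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      # No client secret is passed to the Azure login step, so the login
      # presumably relies on the OIDC token this permission allows.
      id-token: write
    needs: [variables, release-oss-public]
    steps:
      - name: Checkout Repository
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1

      - name: Azure login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}

      - name: Setup secrets
        id: secrets
        env:
          # Supplied through the environment and quoted at the point of use,
          # instead of being expanded into the script text.
          KEYVAULT_NAME: ${{ secrets.NIC_KEYVAULT_NAME }}
        run: |
          echo "Setting secrets for job"
          PYXIS_TOKEN=$(az keyvault secret show --name nic-pyxis-token --vault-name "${KEYVAULT_NAME}" --query value -o tsv)
          # Register the mask before the value is written anywhere, so it is
          # redacted in the log from this point on.
          echo "::add-mask::$PYXIS_TOKEN"
          echo "PYXIS_TOKEN=$PYXIS_TOKEN" >> "$GITHUB_OUTPUT"
          PYXIS_CERTIFICATION_PROJECT_ID=$(az keyvault secret show --name nic-pyxis-certification-pid --vault-name "${KEYVAULT_NAME}" --query value -o tsv)
          echo "::add-mask::$PYXIS_CERTIFICATION_PROJECT_ID"
          echo "PYXIS_CERTIFICATION_PROJECT_ID=$PYXIS_CERTIFICATION_PROJECT_ID" >> "$GITHUB_OUTPUT"

      - name: Certify UBI OSS images in quay
        uses: ./.github/actions/certify-openshift-image
        with:
          image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi
          project_id: ${{ steps.secrets.outputs.PYXIS_CERTIFICATION_PROJECT_ID }}
          pyxis_token: ${{ steps.secrets.outputs.PYXIS_TOKEN }}
          platforms: ""
          preflight_version: 1.14.1
          # Submit unless this is a dry run. The previous expression ended in
          # "|| true", which evaluates to true for every input, so a dry run
          # still submitted. An unset dry_run (scheduled run) negates to true.
          submit: ${{ ! inputs.dry_run }}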