Certify UBI images for Redhat catalog (#7011)

pdabelf5 · web-flow · commit 92039ad319ad · 2024-12-18T14:19:54.000Z
diff --git a/.github/actions/certify-openshift-image/action.yml b/.github/actions/certify-openshift-image/action.yml
@@ -18,7 +18,11 @@ inputs:
   platforms:
     description: A comma separated list of architectures in the image manifest to certify
     required: false
-    default: ""
+    default: "amd64,arm64,ppc64le,s390x"
+  submit:
+    description: Submit results to Redhat PYAXIS
+    required: false
+    default: true
 
 outputs:
   result:
@@ -43,14 +47,14 @@ runs:
           IFS=',' read -ra arch_list <<< "${{ inputs.platforms }}"
           for arch in "${arch_list[@]}"; do
               architecture=("${arch#*/}")
-              ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --platform $architecture --submit
+              ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --platform $architecture ${{ inputs.submit && '--submit' || '' }}
               if [ $? -ne 0 ]; then
                 result=1
               fi
           done
         else
           # no platforms passed, this is either a manifest or a single platform image
-          ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --submit
+          ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} ${{ inputs.submit && '--submit' || '' }}
           result=$?
         fi
         echo "result=$result" >> $GITHUB_OUTPUT
diff --git a/.github/scripts/exclude_ci_files.txt b/.github/scripts/exclude_ci_files.txt
@@ -18,6 +18,7 @@
 .github/workflows/build-ubi-dependency.yml
 .github/workflows/build-single-image.yml
 .github/workflows/cache-update.yml
+.github/workflows/certify-ubi-image.yml
 .github/workflows/cherry-pick.yml
 .github/workflows/codeql-analysis.yml
 .github/workflows/create-release-branch.yml
diff --git a/.github/workflows/certify-ubi-image.yml b/.github/workflows/certify-ubi-image.yml
@@ -0,0 +1,49 @@
+name: Certify UBI image
+run-name: Certify UBI image ${{ inputs.image }} by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      image:
+        description: "Image to certify"
+        required: true
+        type: string
+      submit:
+        description: "Submit results to Redhat"
+        required: false
+        type: boolean
+        default: false
+      preflight_version:
+        description: "Preflight version to use"
+        required: false
+        type: string
+        default: "1.11.1"
+      platforms:
+        description: A comma separated list of architectures in the image manifest to certify
+        required: false
+        default: "amd64,arm64,ppc64le,s390x"
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  certify-ubi-images:
+    name: Certify OpenShift UBI images
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Certify UBI OSS images in quay
+        uses: ./.github/actions/certify-openshift-image
+        with:
+          image: ${{ inputs.image }}
+          project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
+          pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+          preflight_version: ${{ inputs.preflight_version }}
+          submit: ${{ inputs.submit || true }}
+          platforms: ${{ inputs.platforms }}
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
@@ -381,6 +381,7 @@ jobs:
           image: quay.io/nginx/nginx-ingress:edge-ubi
           project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
           pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+          preflight_version: 1.11.1
 
   scan-docker-oss:
     name: Scan ${{ matrix.image }}-${{ matrix.target }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -301,6 +301,7 @@ jobs:
           image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi
           project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
           pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+          preflight_version: 1.11.1
 
   operator:
     if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'operator') && !contains(inputs.skip_step, 'publish-helm-chart') }}
diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml
@@ -184,4 +184,5 @@ jobs:
           project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
           pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
           platforms: ""
-        if: ${{ ! inputs.dry_run || false }}
+          preflight_version: 1.11.1
+          submit: ${{ ! inputs.dry_run || true }}
