Add build to ci for now #14574
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release-* | |
| - chore/secure-build-pipeline | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+*" | |
| pull_request: | |
| branches: | |
| - "**" | |
| schedule: | |
| - cron: "0 4 * * *" # run every day at 4am UTC | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| GOPROXY: ${{ github.repository_owner == 'nginx' && format('https://{0}:{1}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev', secrets.ARTIFACTORY_USER, secrets.ARTIFACTORY_TOKEN) || 'direct' }} | |
| concurrency: | |
| group: ${{ github.ref_name }}-ci | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| vars: | |
| name: Checks and variables | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| go_path: ${{ steps.vars.outputs.go_path }} | |
| min_k8s_version: ${{ steps.vars.outputs.min_k8s_version }} | |
| k8s_latest: ${{ steps.vars.outputs.k8s_latest }} | |
| helm_changes: ${{ steps.filter.outputs.charts }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ github.actor == 'renovate[bot]' && secrets.NGINX_PAT || github.token }} | |
| - name: Setup Golang Environment | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: stable | |
| cache-dependency-path: | | |
| go.sum | |
| .github/.cache/buster-for-vars | |
| - name: Check for changes | |
| uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
| id: filter | |
| with: | |
| filters: | | |
| charts: | |
| - charts/nginx-gateway-fabric/**/* | |
| - name: Output Variables | |
| id: vars | |
| run: | | |
| K8S_KIND_VERSION=v1.33.2 # renovate: datasource=docker depName=kindest/node | |
| echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT | |
| echo "min_k8s_version=v1.25.16" >> $GITHUB_OUTPUT | |
| echo "k8s_latest=${K8S_KIND_VERSION}" >> $GITHUB_OUTPUT | |
| - name: Check if go.mod and go.sum are up to date | |
| run: go mod tidy && git diff --exit-code -- go.mod go.sum | |
| - name: Check if go.mod and go.sum are up to date in tests | |
| run: go mod tidy && git diff --exit-code -- go.mod go.sum | |
| working-directory: tests | |
| - name: Check if all the generated files are up to date | |
| run: make generate-all && git diff --exit-code | |
| unit-tests: | |
| name: Unit Tests | |
| runs-on: ubuntu-24.04 | |
| needs: vars | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Golang Environment | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: stable | |
| cache-dependency-path: | | |
| go.sum | |
| .github/.cache/buster-for-unit-tests | |
| - name: Run Tests | |
| run: make unit-test | |
| - name: Upload coverage reports to Codecov | |
| uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| - name: Upload Coverage Report | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: cover-${{ github.run_id }}.html | |
| path: ${{ github.workspace }}/cover.html | |
| if: always() | |
| njs-unit-tests: | |
| name: NJS Unit Tests | |
| runs-on: ubuntu-24.04 | |
| needs: vars | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Node.js Environment | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| - name: Run tests | |
| run: npm --prefix ${{ github.workspace }}/internal/controller/nginx/modules install-ci-test | |
| - name: Upload coverage reports to Codecov | |
| uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| binary: | |
| name: Build Binary | |
| runs-on: ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/chore/secure-build-pipeline'))) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} | |
| needs: [vars, unit-tests, njs-unit-tests] | |
| permissions: | |
| contents: write # for goreleaser/goreleaser-action and lucacome/draft-release to create/update releases | |
| id-token: write # for goreleaser/goreleaser-action to sign artifacts | |
| issues: write # for goreleaser/goreleaser-action to close milestone | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Golang Environment | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: stable | |
| cache-dependency-path: | | |
| go.sum | |
| .github/.cache/buster-for-binary | |
| - name: Set Go module cache | |
| run: | | |
| mkdir -p ${{ github.workspace }}/.gocache | |
| echo "GOMODCACHE=${{ github.workspace }}/.gocache" >> $GITHUB_ENV | |
| echo "GOCACHE=${{ github.workspace }}/.gocache" >> $GITHUB_ENV | |
| - name: Create/Update Draft | |
| uses: lucacome/draft-release@00f74370c044c322da6cb52acc707d62c7762c71 # v1.2.4 | |
| with: | |
| minor-label: "enhancement" | |
| major-label: "change" | |
| publish: ${{ github.ref_type == 'tag' }} | |
| collapse-after: 20 | |
| notes-header: | | |
| *Below is the auto-generated changelog, which includes all PRs that went into the release. | |
| For a shorter version that highlights only important changes, see [CHANGELOG.md](https://github.com/nginx/nginx-gateway-fabric/blob/{{version}}/CHANGELOG.md).* | |
| if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' && github.ref != 'refs/heads/chore/secure-build-pipeline' }} | |
| - name: Download Syft | |
| uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4 | |
| if: github.ref_type == 'tag' | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 | |
| if: github.ref_type == 'tag' | |
| - name: Build binary | |
| uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 | |
| with: | |
| version: v2.11.2 # renovate: datasource=github-tags depName=goreleaser/goreleaser | |
| args: ${{ github.ref_type == 'tag' && github.ref != 'refs/heads/chore/secure-build-pipeline' && 'release' || 'build --snapshot' }} --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GOPATH: ${{ needs.vars.outputs.go_path }} | |
| AZURE_STORAGE_ACCOUNT: ${{ github.ref != 'refs/heads/chore/secure-build-pipeline' && secrets.AZURE_STORAGE_ACCOUNT || '' }} | |
| AZURE_STORAGE_KEY: ${{ github.ref != 'refs/heads/chore/secure-build-pipeline' && secrets.AZURE_STORAGE_KEY || '' }} | |
| AZURE_BUCKET_NAME: ${{ github.ref != 'refs/heads/chore/secure-build-pipeline' && secrets.AZURE_BUCKET_NAME || '' }} | |
| SLACK_WEBHOOK: ${{ github.ref != 'refs/heads/chore/secure-build-pipeline' && secrets.SLACK_WEBHOOK_COMMUNITY || '' }} | |
| TELEMETRY_ENDPOINT: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-') && 'oss-dev.edge.df.f5.com:443' || 'oss.edge.df.f5.com:443' }} | |
| TELEMETRY_ENDPOINT_INSECURE: "false" | |
| - name: Cache Artifacts | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 | |
| with: | |
| path: ${{ github.workspace }}/dist | |
| key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} | |
| build-oss: | |
| name: Build OSS images | |
| runs-on: ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/chore/secure-build-pipeline'))) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} | |
| needs: [vars, binary] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: [ngf, nginx] | |
| platforms: ["linux/arm64, linux/amd64"] | |
| permissions: | |
| contents: read # for docker/build-push-action to read repo content | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| packages: write # for docker/build-push-action to push to GHCR | |
| id-token: write # for docker/login to login to NGINX registry | |
| services: | |
| registry: | |
| image: registry:3 | |
| ports: | |
| - 5000:5000 | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Fetch Cached Artifacts | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 | |
| with: | |
| path: ${{ github.workspace }}/dist | |
| key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} | |
| - name: Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| with: | |
| driver-opts: network=host | |
| - name: Setup QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| with: | |
| platforms: arm64 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 | |
| if: ${{ github.event_name != 'pull_request' && ! contains(matrix.image, 'plus') }} | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 | |
| with: | |
| context: workflow | |
| images: | | |
| name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric,enable=${{ matrix.image == 'ngf' && github.event_name != 'pull_request' }} | |
| name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ matrix.image == 'nginx' && github.event_name != 'pull_request' }} | |
| name=localhost:5000/nginx-gateway-fabric/${{ matrix.image }} | |
| flavor: | | |
| latest=auto | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=edge,branch=main | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=raw,value={{branch}}-{{sha}} | |
| labels: | | |
| org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric | |
| org.opencontainers.image.vendor=NGINX Inc <[email protected]> | |
| annotations: | | |
| org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric | |
| org.opencontainers.image.vendor=NGINX Inc <[email protected]> | |
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/main/README.md | |
| io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-gateway-fabric/images/icons/NGINX-product-icon.svg | |
| io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"[email protected]"}] | |
| io.artifacthub.package.license=Apache-2.0 | |
| io.artifacthub.package.keywords=kubernetes,gateway,nginx | |
| env: | |
| DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index | |
| - name: Debug Docker Meta Outputs | |
| run: | | |
| echo "Tags: ${{ steps.meta.outputs.tags }}" | |
| echo "Labels: ${{ steps.meta.outputs.labels }}" | |
| echo "Version: ${{ steps.meta.outputs.version }}" | |
| - name: Build Docker Image | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| file: build/Dockerfile${{ matrix.image == 'nginx' && '.nginx' || '' }} | |
| context: "." | |
| target: ${{ matrix.image == 'ngf' && 'goreleaser' || '' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| annotations: ${{ steps.meta.outputs.annotations }} | |
| push: false | |
| platforms: ${{ matrix.platforms }} | |
| cache-from: type=gha,scope=${{ matrix.image }} | |
| cache-to: type=gha,scope=${{ matrix.image }},mode=max | |
| pull: true | |
| no-cache: ${{ github.event_name != 'pull_request' }} | |
| sbom: true | |
| provenance: mode=max | |
| build-args: | | |
| NJS_DIR=internal/controller/nginx/modules/src | |
| NGINX_CONF_DIR=internal/controller/nginx/conf | |
| BUILD_AGENT=gha | |
| - name: Inspect SBOM and output manifest | |
| run: | | |
| docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ matrix.image }}:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom-${{ matrix.image }}.json | |
| docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ matrix.image }}:${{ steps.meta.outputs.version }} --raw | |
| - name: Scan SBOM | |
| id: scan | |
| uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 | |
| with: | |
| sbom: "sbom-${{ matrix.image }}.json" | |
| only-fixed: true | |
| add-cpes-if-none: true | |
| fail-build: false | |
| - name: Upload scan result to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 | |
| continue-on-error: true | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| category: build-${{ matrix.image }} | |
| if: always() | |
| build-plus: | |
| name: Build Plus images | |
| runs-on: ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/chore/secure-build-pipeline'))) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} | |
| needs: [vars, binary] | |
| permissions: | |
| contents: read # for docker/build-push-action to read repo content | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| packages: write # for docker/build-push-action to push to GHCR | |
| id-token: write # for docker/login to login to NGINX registry | |
| services: | |
| registry: | |
| image: registry:3 | |
| ports: | |
| - 5000:5000 | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Fetch Cached Artifacts | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 | |
| with: | |
| path: ${{ github.workspace }}/dist | |
| key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} | |
| - name: Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| with: | |
| driver-opts: network=host | |
| - name: Setup QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| with: | |
| platforms: arm64 | |
| - name: Get Id Token | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| id: idtoken | |
| with: | |
| script: | | |
| let id_token = await core.getIDToken() | |
| core.setOutput('id_token', id_token) | |
| if: ${{ github.event_name != 'pull_request' }} | |
| - name: Login to NGINX Registry | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 | |
| with: | |
| registry: docker-mgmt.nginx.com | |
| username: ${{ steps.idtoken.outputs.id_token }} | |
| password: ${{ github.actor }} | |
| if: ${{ github.event_name != 'pull_request' }} | |
| - name: Authenticate to Google Cloud | |
| id: auth | |
| uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12 | |
| with: | |
| token_format: access_token | |
| workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY }} | |
| service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
| if: ${{ github.event_name != 'pull_request' }} | |
| - name: Login to GAR | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 | |
| with: | |
| registry: us-docker.pkg.dev | |
| username: oauth2accesstoken | |
| password: ${{ steps.auth.outputs.access_token }} | |
| if: ${{ github.event_name != 'pull_request' }} | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 | |
| with: | |
| context: workflow | |
| images: | | |
| name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ github.event_name != 'pull_request' }} | |
| name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ github.event_name != 'pull_request' }} | |
| name=localhost:5000/nginx-gateway-fabric/plus | |
| flavor: | | |
| latest=auto | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=edge,branch=main | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=raw,value={{branch}}-{{sha}} | |
| labels: | | |
| org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric | |
| org.opencontainers.image.vendor=NGINX Inc <[email protected]> | |
| annotations: | | |
| org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric | |
| org.opencontainers.image.vendor=NGINX Inc <[email protected]> | |
| io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/main/README.md | |
| io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-gateway-fabric/images/icons/NGINX-product-icon.svg | |
| io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"[email protected]"}] | |
| io.artifacthub.package.license=Apache-2.0 | |
| io.artifacthub.package.keywords=kubernetes,gateway,nginx | |
| env: | |
| DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index | |
| - name: Debug Docker Meta Outputs | |
| run: | | |
| echo "Tags: ${{ steps.meta.outputs.tags }}" | |
| echo "Labels: ${{ steps.meta.outputs.labels }}" | |
| echo "Version: ${{ steps.meta.outputs.version }}" | |
| - name: Build Docker Image | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| file: build/Dockerfile.nginxplus | |
| context: "." | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| annotations: ${{ steps.meta.outputs.annotations }} | |
| push: false | |
| platforms: "linux/arm64, linux/amd64" | |
| cache-from: type=gha,scope=plus | |
| cache-to: type=gha,scope=plus,mode=max | |
| pull: true | |
| no-cache: ${{ github.event_name != 'pull_request' }} | |
| sbom: true | |
| provenance: mode=max | |
| build-args: | | |
| NJS_DIR=internal/controller/nginx/modules/src | |
| NGINX_CONF_DIR=internal/controller/nginx/conf | |
| BUILD_AGENT=gha | |
| secrets: | | |
| "nginx-repo.crt=${{ secrets.NGINX_CRT }}" | |
| "nginx-repo.key=${{ secrets.NGINX_KEY }}" | |
| - name: Inspect SBOM and output manifest | |
| run: | | |
| docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/plus:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom-plus.json | |
| docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/plus:${{ steps.meta.outputs.version }} --raw | |
| - name: Scan SBOM | |
| id: scan | |
| uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 | |
| with: | |
| sbom: "sbom-plus.json" | |
| only-fixed: true | |
| add-cpes-if-none: true | |
| fail-build: false | |
| - name: Upload scan result to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 | |
| continue-on-error: true | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| category: build-plus | |
| if: always() | |
| functional-tests: | |
| name: Functional tests | |
| needs: [vars, build-oss, build-plus] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: [nginx, plus] | |
| k8s-version: | |
| [ | |
| "${{ needs.vars.outputs.min_k8s_version }}", | |
| "${{ needs.vars.outputs.k8s_latest }}", | |
| ] | |
| uses: ./.github/workflows/functional.yml | |
| with: | |
| image: ${{ matrix.image }} | |
| k8s-version: ${{ matrix.k8s-version }} | |
| secrets: inherit | |
| permissions: | |
| contents: read | |
| conformance-tests: | |
| name: Conformance tests | |
| needs: [vars, build-oss, build-plus] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: [nginx, plus] | |
| k8s-version: | |
| [ | |
| "${{ needs.vars.outputs.min_k8s_version }}", | |
| "${{ needs.vars.outputs.k8s_latest }}", | |
| ] | |
| enable-experimental: [true, false] | |
| uses: ./.github/workflows/conformance.yml | |
| with: | |
| image: ${{ matrix.image }} | |
| k8s-version: ${{ matrix.k8s-version }} | |
| enable-experimental: ${{ matrix.enable-experimental }} | |
| secrets: inherit | |
| permissions: | |
| contents: write | |
| helm-tests: | |
| name: Helm Tests | |
| needs: [vars, build-oss, build-plus] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: [nginx, plus] | |
| k8s-version: | |
| [ | |
| "${{ needs.vars.outputs.min_k8s_version }}", | |
| "${{ needs.vars.outputs.k8s_latest }}", | |
| ] | |
| uses: ./.github/workflows/helm.yml | |
| with: | |
| image: ${{ matrix.image }} | |
| k8s-version: ${{ matrix.k8s-version }} | |
| secrets: inherit | |
| if: ${{ needs.vars.outputs.helm_changes == 'true' || github.event_name == 'schedule' }} | |
| publish-helm: | |
| name: Package and Publish Helm Chart | |
| runs-on: ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/chore/secure-build-pipeline'))) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} | |
| needs: [vars, helm-tests] | |
| if: ${{ github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-') && github.ref != 'refs/heads/chore/secure-build-pipeline' }} | |
| permissions: | |
| contents: read | |
| packages: write # for helm to push to GHCR | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Package | |
| id: package | |
| run: | | |
| output=$(helm package ${{ github.ref_type != 'tag' && '--app-version edge --version 0.0.0-edge' || '' }} charts/nginx-gateway-fabric) | |
| echo "path=$(basename -- $(echo $output | cut -d: -f2))" >> $GITHUB_OUTPUT | |
| - name: Push to GitHub Container Registry | |
| run: | | |
| helm push ${{ steps.package.outputs.path }} oci://ghcr.io/nginx/charts | |
| cel-tests: | |
| name: CEL Tests | |
| runs-on: ubuntu-24.04 | |
| needs: vars | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Golang Environment | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: stable | |
| cache-dependency-path: | | |
| go.sum | |
| .github/.cache/buster-for-unit-tests | |
| - name: Deploy Kubernetes | |
| id: k8s | |
| run: | | |
| kind create cluster --name ${{ github.run_id }} --image=kindest/node:${{ needs.vars.outputs.k8s_latest }} | |
| - name: Apply CustomResourceDefinition | |
| run: | | |
| kubectl kustomize config/crd | kubectl apply --server-side -f - | |
| - name: Run Tests | |
| run: make test-cel-validation | |
| working-directory: ./tests |