Skip to content

Add assertion doc job #15543

Add assertion doc job

Add assertion doc job #15543

Workflow file for this run

name: CI
on:
push:
branches:
- main
- release-*
pull_request:
branches:
- "**"
schedule:
- cron: "0 4 * * *" # run every day at 4am UTC
workflow_call:
inputs:
is_production_release:
required: false
type: boolean
default: false
release_version:
required: false
type: string
default: ''
dry_run:
required: false
type: boolean
default: false
defaults:
run:
shell: bash
concurrency:
group: ${{ github.ref_name }}-ci
cancel-in-progress: true
permissions:
contents: read
jobs:
vars:
name: Checks and variables
runs-on: ubuntu-24.04
outputs:
go_path: ${{ steps.vars.outputs.go_path }}
min_k8s_version: ${{ steps.vars.outputs.min_k8s_version }}
k8s_latest: ${{ steps.vars.outputs.k8s_latest }}
helm_changes: ${{ steps.filter.outputs.charts }}
goproxy: ${{ steps.goproxy.outputs.goproxy }}
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- name: Configure GOPROXY
id: goproxy
run: |
if [[ "${{ secrets.ARTIFACTORY_USER }}" == "" ]]; then
echo "No Artifactory secrets available - using direct GOPROXY"
GOPROXY_VALUE="direct"
elif [[ "${{ inputs.is_production_release }}" == "true" ]] || [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
echo "Production mode - using production Artifactory"
GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_ENDPOINT }}"
else
echo "Development mode - using dev Artifactory"
GOPROXY_VALUE="https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}"
fi
echo "goproxy=${GOPROXY_VALUE}" >> $GITHUB_OUTPUT
echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
- name: Setup Golang Environment
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version: stable
cache-dependency-path: |
go.sum
.github/.cache/buster-for-vars
- name: Check for changes
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
filters: |
charts:
- charts/nginx-gateway-fabric/**/*
- name: Output Variables
id: vars
run: |
K8S_KIND_VERSION=v1.34.0 # renovate: datasource=docker depName=kindest/node
echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT
echo "min_k8s_version=v1.25.16" >> $GITHUB_OUTPUT
echo "k8s_latest=${K8S_KIND_VERSION}" >> $GITHUB_OUTPUT
- name: Check if go.mod and go.sum are up to date
run: go mod tidy && git diff --exit-code -- go.mod go.sum
- name: Check if go.mod and go.sum are up to date in tests
run: go mod tidy && git diff --exit-code -- go.mod go.sum
working-directory: tests
- name: Check if all the generated files are up to date
run: make generate-all && git diff --exit-code
unit-tests:
name: Unit Tests
runs-on: ubuntu-24.04
needs: vars
env:
GOPROXY: ${{ needs.vars.outputs.goproxy }}
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup Golang Environment
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version: stable
cache-dependency-path: |
go.sum
.github/.cache/buster-for-unit-tests
- name: Run Tests
run: make unit-test
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
- name: Upload Coverage Report
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: cover-${{ github.run_id }}.html
path: ${{ github.workspace }}/cover.html
if: always()
njs-unit-tests:
name: NJS Unit Tests
runs-on: ubuntu-24.04
needs: vars
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup Node.js Environment
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: .nvmrc
- name: Run tests
run: npm --prefix ${{ github.workspace }}/internal/controller/nginx/modules install-ci-test
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
binary:
name: Build Binary
runs-on: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
needs: [vars, unit-tests, njs-unit-tests]
env:
GOPROXY: ${{ needs.vars.outputs.goproxy }}
outputs:
json: ${{ steps.gateway_binaries.outputs.json }}
permissions:
contents: write # for goreleaser/goreleaser-action and lucacome/draft-release to create/update releases
id-token: write # for goreleaser/goreleaser-action to sign artifacts
issues: write # for goreleaser/goreleaser-action to close milestone
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- name: Setup Golang Environment
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version: stable
cache-dependency-path: |
go.sum
.github/.cache/buster-for-binary
- name: Set Go module cache
run: |
mkdir -p ${{ github.workspace }}/.gocache
echo "GOMODCACHE=${{ github.workspace }}/.gocache" >> $GITHUB_ENV
echo "GOCACHE=${{ github.workspace }}/.gocache" >> $GITHUB_ENV
- name: Create/Update Draft
uses: lucacome/draft-release@00f74370c044c322da6cb52acc707d62c7762c71 # v1.2.4
with:
minor-label: "enhancement"
major-label: "change"
publish: ${{ inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null) }}
collapse-after: 20
notes-header: |
*Below is the auto-generated changelog, which includes all PRs that went into the release.
For a shorter version that highlights only important changes, see [CHANGELOG.md](https://github.com/nginx/nginx-gateway-fabric/blob/{{version}}/CHANGELOG.md).*
if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }}
- name: Download Syft
if: ${{ inputs.is_production_release }}
uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
- name: Install Cosign
if: ${{ inputs.is_production_release }}
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
- name: Build binary
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
with:
version: v2.12.1 # renovate: datasource=github-tags depName=goreleaser/goreleaser
args: ${{ (inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null)) && 'release' || 'build --snapshot' }} --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOPATH: ${{ needs.vars.outputs.go_path }}
AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
AZURE_BUCKET_NAME: ${{ secrets.AZURE_BUCKET_NAME }}
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_COMMUNITY }}
TELEMETRY_ENDPOINT: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-') && 'oss-dev.edge.df.f5.com:443' || 'oss.edge.df.f5.com:443' }}
TELEMETRY_ENDPOINT_INSECURE: "false"
- name: Extract gateway binaries info
id: gateway_binaries
run: |
set -e
binaries=()
for bin in $(find ${{ github.workspace }}/dist -type f -name "gateway"); do
dir=$(basename $(dirname "$bin"))
if [[ "$dir" =~ gateway_([a-zA-Z0-9]+)_([a-zA-Z0-9]+) ]]; then
os="${BASH_REMATCH[1]}"
arch="${BASH_REMATCH[2]}"
digest=$(sha256sum "$bin" | cut -d' ' -f1)
binaries+=("{\"path\":\"$bin\",\"os\":\"$os\",\"arch\":\"$arch\",\"digest\":\"$digest\"}")
fi
done
# Join array elements with commas
IFS=','
json="[${binaries[*]}]"
echo "Generated JSON: $json"
echo "json=$json" >> $GITHUB_OUTPUT
- name: Cache Artifacts
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
path: ${{ github.workspace }}/dist
key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
assertion:
name: Generate and Sign Assertion Documents
needs: [vars, binary]
env:
GOPROXY: ${{ needs.vars.outputs.goproxy }}
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
gateway: ${{ fromJson(needs.binary.outputs.json) }}
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup Golang Environment
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version: stable
- name: Generate Module Dependencies Info
id: go_deps
run: |
echo "Generating module dependencies info..."
cd cmd/gateway
go list -m all > ../../goversionm_${{ github.run_id }}_${{ github.run_number }}.txt
echo "Module dependencies saved to goversionm_${{ github.run_id }}_${{ github.run_number }}.txt"
cd ../..
echo "goversionm=goversionm_${{ github.run_id }}_${{ github.run_number }}_${{ strategy.job-index }}.txt" >> $GITHUB_OUTPUT
- name: Generate Assertion Document
id: assertiondoc
uses: nginxinc/compliance-rules/.github/actions/assertion@311fe9c56e981a5a1b805577746bbe66d59399ab
with:
artifact-name: ${{ github.event.repository.name }}_${{ github.sha }}
artifact-digest: ${{ matrix.gateway.digest }}
build-type: 'github'
builder-id: 'github.com'
builder-version: '0.1.0-xyz'
invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
started-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
finished-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
artifactory-repo: 'f5-nginx-go-local-approved-dependency'
build-content-path: ${{ steps.go_deps.outputs.goversionm }}
assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ matrix.gateway.os }}_${{ matrix.gateway.arch }}.json
- name: Sign and Store Assertion Document
id: sign
uses: nginxinc/compliance-rules/.github/actions/sign@311fe9c56e981a5a1b805577746bbe66d59399ab
with:
assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}
build-oss:
name: Build OSS images
needs: [vars, binary]
strategy:
fail-fast: false
matrix:
image: [ngf, nginx]
platforms: ["linux/arm64, linux/amd64"]
uses: ./.github/workflows/build.yml
with:
image: ${{ matrix.image }}
platforms: ${{ matrix.platforms }}
tag: ${{ inputs.release_version || '' }}
dry_run: ${{ inputs.dry_run || false}}
runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
permissions:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
packages: write # for docker/build-push-action to push to GHCR
id-token: write # for docker/login to login to NGINX registry
secrets: inherit
build-plus:
name: Build Plus images
needs: [vars, binary]
uses: ./.github/workflows/build.yml
with:
image: plus
platforms: "linux/arm64, linux/amd64"
tag: ${{ inputs.release_version || '' }}
dry_run: ${{ inputs.dry_run || false }}
runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
permissions:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
packages: write # for docker/build-push-action to push to GHCR
id-token: write # for docker/login to login to NGINX registry
secrets: inherit
functional-tests:
name: Functional tests
needs: [vars, build-oss, build-plus]
strategy:
fail-fast: false
matrix:
image: [nginx, plus]
k8s-version:
[
"${{ needs.vars.outputs.min_k8s_version }}",
"${{ needs.vars.outputs.k8s_latest }}",
]
uses: ./.github/workflows/functional.yml
with:
image: ${{ matrix.image }}
k8s-version: ${{ matrix.k8s-version }}
secrets: inherit
permissions:
contents: read
conformance-tests:
name: Conformance tests
needs: [vars, build-oss, build-plus]
strategy:
fail-fast: false
matrix:
image: [nginx, plus]
k8s-version:
[
"${{ needs.vars.outputs.min_k8s_version }}",
"${{ needs.vars.outputs.k8s_latest }}",
]
enable-experimental: [true, false]
uses: ./.github/workflows/conformance.yml
with:
image: ${{ matrix.image }}
k8s-version: ${{ matrix.k8s-version }}
enable-experimental: ${{ matrix.enable-experimental }}
production-release: ${{ inputs.is_production_release == true && (inputs.dry_run == false || inputs.dry_run == null) }}
release_version: ${{ inputs.release_version }}
secrets: inherit
permissions:
contents: write
helm-tests:
name: Helm Tests
needs: [vars, build-oss, build-plus]
strategy:
fail-fast: false
matrix:
image: [nginx, plus]
k8s-version:
[
"${{ needs.vars.outputs.min_k8s_version }}",
"${{ needs.vars.outputs.k8s_latest }}",
]
uses: ./.github/workflows/helm.yml
with:
image: ${{ matrix.image }}
k8s-version: ${{ matrix.k8s-version }}
secrets: inherit
if: ${{ needs.vars.outputs.helm_changes == 'true' || github.event_name == 'schedule' }}
publish-helm:
name: Package and Publish Helm Chart
runs-on: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
needs: [vars, helm-tests]
if: ${{ (inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null)) || (github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-')) }}
permissions:
contents: read
packages: write # for helm to push to GHCR
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Login to GitHub Container Registry
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Package
id: package
run: |
output=$(helm package ${{ !inputs.is_production_release && '--app-version edge --version 0.0.0-edge' || '' }} charts/nginx-gateway-fabric)
echo "path=$(basename -- $(echo $output | cut -d: -f2))" >> $GITHUB_OUTPUT
- name: Push to GitHub Container Registry
if: ${{ inputs.dry_run == false || inputs.dry_run == null }}
run: |
helm push ${{ steps.package.outputs.path }} oci://ghcr.io/nginx/charts
cel-tests:
name: CEL Tests
runs-on: ubuntu-24.04
needs: vars
env:
GOPROXY: ${{ needs.vars.outputs.goproxy }}
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup Golang Environment
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version: stable
cache-dependency-path: |
go.sum
.github/.cache/buster-for-unit-tests
- name: Deploy Kubernetes
id: k8s
run: |
kind create cluster --name ${{ github.run_id }} --image=kindest/node:${{ needs.vars.outputs.k8s_latest }}
- name: Apply CustomResourceDefinition
run: |
kubectl kustomize config/crd | kubectl apply --server-side -f -
- name: Run Tests
run: make test-cel-validation
working-directory: ./tests