Merge branch 'main' into feat/pipeline-certfication-testing

Author: shaun-nx

.github/workflows/build.yml

@@ -55,7 +55,7 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          ref: ${{ (inputs.tag != '' && !inputs.dry_run ) && format('refs/tags/v{0}', inputs.tag) || github.ref }}
+          ref: ${{ (inputs.tag != '' && !inputs.dry_run && inputs.image != 'operator') && format('refs/tags/{0}', inputs.tag) || github.ref }}
 
       - name: Download Artifacts
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
@@ -73,6 +73,13 @@ jobs:
         with:
           platforms: arm64
 
+      - name: Login to Docker Hub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+        if: ${{ inputs.runner == 'ubuntu-24.04-amd64' }}
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         if: ${{ github.event_name != 'pull_request' && ! contains(inputs.image, 'plus') }}
@@ -128,14 +135,13 @@ jobs:
             name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/operator,enable=${{ inputs.image == 'operator' && github.event_name != 'pull_request' }}
             name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}
           flavor: |
-            latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
+            latest=${{ inputs.build-os != '' && 'false' || (inputs.tag != '' && 'true') || 'auto' }}
           tags: |
-            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=semver,pattern={{version}},value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
             type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
             type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
             type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
             type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}
-            type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
           labels: |
             org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
             org.opencontainers.image.vendor=NGINX Inc <[email protected]>
@@ -184,15 +190,15 @@ jobs:
       - name: Scan SBOM
         id: scan
         if: ${{ !inputs.dry_run }}
-        uses: anchore/scan-action@a5605eb0943e46279cb4fbd9d44297355d3520ab # v7.0.2
+        uses: anchore/scan-action@568b89d27fc18c60e56937bff480c91c772cd993 # v7.1.0
         with:
           sbom: "sbom-${{ inputs.image }}.json"
           only-fixed: true
           add-cpes-if-none: true
           fail-build: false
 
       - name: Upload scan result to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
         if: ${{ !inputs.dry_run }}
         continue-on-error: true
         with:

.github/workflows/ci.yml

@@ -10,21 +10,25 @@ on:
       - "**"
   schedule:
     - cron: "0 3 * * *" # run every day at 3am UTC (nightly builds)
-  workflow_call:
+  workflow_dispatch:
     inputs:
       is_production_release:
+        description: 'Is this a production release?'
         required: false
         type: boolean
         default: false
       release_version:
+        description: 'Release version (e.g., v2.0.3)'
         required: false
         type: string
         default: ''
       operator_version:
+        description: 'Operator release version (e.g., v1.0.0). Optional'
         required: false
         type: string
         default: ''
       dry_run:
+        description: 'If true, does a dry run of the production workflow'
         required: false
         type: boolean
         default: false
@@ -34,13 +38,70 @@ defaults:
     shell: bash
 
 concurrency:
-  group: ${{ github.ref_name }}-ci
-  cancel-in-progress: true
+  group: ${{ inputs.is_production_release && format('prod-{0}', inputs.release_version) || format('{0}-ci', github.ref_name) }}
+  cancel-in-progress: ${{ !inputs.is_production_release }}
 
 permissions:
   contents: read
 
 jobs:
+  create-tag-and-release:
+    runs-on: ubuntu-24.04
+    if: github.event_name == 'workflow_dispatch' && inputs.release_version != '' && startsWith(github.ref, 'refs/heads/release-')
+    permissions:
+      contents: write
+    steps:
+      - name: Validate Release Branch and Version
+        run: |
+          echo "Validating release from: ${GITHUB_REF}"
+
+          INPUT_VERSION="${{ inputs.release_version }}"
+          INPUT_OPERATOR_VERSION="${{ inputs.operator_version }}"
+
+          # Validate version format
+          if [[ ! "${INPUT_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          echo "❌ Invalid version format: ${INPUT_VERSION}"
+          echo "Expected format: v1.2.3"
+          exit 1
+          fi
+
+          # Validate version format if operator version is provided
+          if [[ -n "${INPUT_OPERATOR_VERSION}" && ! "${INPUT_OPERATOR_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          echo "❌ Invalid operator version format: ${INPUT_OPERATOR_VERSION}"
+          echo "Expected format: v1.2.3"
+          exit 1
+          fi
+
+          echo "✅ Valid release branch: ${GITHUB_REF}"
+          echo "✅ Valid version format: ${INPUT_VERSION}"
+          [[ -n "${INPUT_OPERATOR_VERSION}" ]] && echo "✅ Valid operator version format: ${INPUT_OPERATOR_VERSION}"
+
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Create Release Tag
+        run: |
+          VERSION="${{ inputs.release_version }}"
+          git config user.name "NGF Release Bot"
+          git config user.email "[email protected]"
+
+          if git rev-parse --verify "refs/tags/${VERSION}" >/dev/null 2>&1; then
+          echo "Tag ${VERSION} already exists - skipping tag creation"
+          else
+          echo "Creating annotated tag ${VERSION}"
+          git tag -a "${VERSION}" -m "Release ${VERSION}"
+
+          if [[ "${{ inputs.dry_run }}" == "true" ]]; then
+          echo "DRY RUN: Would push tag ${VERSION} and operator tag ${{ inputs.operator_version || '' }}"
+          git push --dry-run origin "${VERSION}"
+          else
+          git push origin "${VERSION}"
+          echo "Created and pushed tag: ${VERSION}"
+          fi
+          fi
+
   vars:
     name: Checks and variables
     runs-on: ubuntu-24.04
@@ -224,7 +285,7 @@ jobs:
 
       - name: Download Syft
         if: ${{ inputs.is_production_release }}
-        uses: anchore/sbom-action/download-syft@aa0e114b2e19480f157109b9922bda359bd98b90 # v0.20.8
+        uses: anchore/sbom-action/download-syft@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
 
       - name: Install Cosign
         if: ${{ inputs.is_production_release }}
@@ -233,7 +294,7 @@ jobs:
       - name: Build binary
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
-          version: v2.12.5 # renovate: datasource=github-tags depName=goreleaser/goreleaser
+          version: v2.12.6 # renovate: datasource=github-tags depName=goreleaser/goreleaser
           args: ${{ (inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null)) && 'release' || 'build --snapshot' }} --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -485,21 +546,25 @@ jobs:
     with:
       image: ${{ matrix.image }}
       k8s-version: ${{ matrix.k8s-version }}
+      tag: ${{ inputs.release_version || '' }}
     secrets: inherit
     if: ${{ needs.vars.outputs.helm_changes == 'true' || github.event_name == 'schedule' }}
 
   publish-helm:
     name: Package and Publish Helm Chart
-    runs-on: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || ((github.event_name == 'push' || github.event_name == 'schedule') && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-')))) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
+    runs-on: ${{ github.repository_owner == 'nginx' && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
     needs: [vars, helm-tests]
-    if: ${{ (inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null)) || (github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-')) }}
+    if: ${{ inputs.is_production_release || github.ref == 'refs/heads/main' }}
     permissions:
       contents: read
       packages: write # for helm to push to GHCR
     steps:
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+      - name: Setup Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:

.github/workflows/conformance.yml

@@ -88,7 +88,7 @@ jobs:
             type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
             type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
             type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
-            type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=raw,value=${{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
 
       - name: NGINX Docker meta
         id: nginx-meta
@@ -102,12 +102,12 @@ jobs:
             type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
             type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
             type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
-            type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=raw,value=${{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
 
       - name: Build binary
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
-          version: v2.12.5 # renovate: datasource=github-tags depName=goreleaser/goreleaser
+          version: v2.12.6 # renovate: datasource=github-tags depName=goreleaser/goreleaser
           args: build --single-target --snapshot --clean
         env:
           TELEMETRY_ENDPOINT: "" # disables sending telemetry

.github/workflows/functional.yml

@@ -87,7 +87,7 @@ jobs:
       - name: Build binary
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
-          version: v2.12.5 # renovate: datasource=github-tags depName=goreleaser/goreleaser
+          version: v2.12.6 # renovate: datasource=github-tags depName=goreleaser/goreleaser
           args: build --single-target --snapshot --clean
         env:
           TELEMETRY_ENDPOINT: otel-collector-opentelemetry-collector.collector.svc.cluster.local:4317

.github/workflows/helm.yml

@@ -9,6 +9,10 @@ on:
       k8s-version:
         required: true
         type: string
+      tag:
+        required: false
+        type: string
+        default: ''
 
 permissions:
   contents: read
@@ -40,10 +44,11 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric
           tags: |
-            type=semver,pattern={{version}}
+            type=semver,pattern={{version}},value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
             type=edge
             type=schedule
             type=ref,event=pr
+            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}
 
       - name: NGINX Docker meta
         id: nginx-meta
@@ -52,10 +57,11 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}
           tags: |
-            type=semver,pattern={{version}}
+            type=semver,pattern={{version}},value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
             type=edge
             type=schedule
             type=ref,event=pr
+            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}
 
       - name: Build NGF Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0

.github/workflows/nfr.yml

@@ -149,6 +149,7 @@ jobs:
         run: make create-gke-router || true
 
       - name: Run Tests
+        continue-on-error: true
         working-directory: ./tests
         run: |
           if ${{ needs.vars.outputs.test_label != 'all' }}; then

.github/workflows/production-release.yml

@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
         with:
           sarif_file: results.sarif