55    branches :
66      - main 
77      - release-* 
8+       - chore/secure-build-pipeline 
89    tags :
910      - " v[0-9]+.[0-9]+.[0-9]+*" 
1011  pull_request :
@@ -18,7 +19,7 @@ defaults:
1819    shell : bash 
1920
2021env :
21-   GOPROXY : ${{ github.repository_owner == 'nginx' && ((github.event_name == 'push' && github.ref == 'refs/heads/main') || github.ref_type == 'tag') && format('https://{0}:{1}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency', secrets.ARTIFACTORY_USER, secrets.ARTIFACTORY_TOKEN) || github.repository_owner == 'nginx' &&  format('https://{0}:{1}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev', secrets.ARTIFACTORY_USER, secrets.ARTIFACTORY_TOKEN) || 'direct' }} 
22+   GOPROXY : ${{ github.repository_owner == 'nginx' && format('https://{0}:{1}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev', secrets.ARTIFACTORY_USER, secrets.ARTIFACTORY_TOKEN) || 'direct' }} 
2223
2324concurrency :
2425  group : ${{ github.ref_name }}-ci 
@@ -131,7 +132,7 @@ jobs:
131132
132133  binary :
133134    name : Build Binary 
134-     runs-on : ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} 
135+     runs-on : ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && ( github.ref == 'refs/heads/main' || github.ref == 'refs/heads/chore/secure-build-pipeline') )) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} 
135136    needs : [vars, unit-tests, njs-unit-tests] 
136137    permissions :
137138      contents : write  #  for goreleaser/goreleaser-action and lucacome/draft-release to create/update releases
@@ -151,6 +152,12 @@ jobs:
151152            go.sum 
152153            .github/.cache/buster-for-binary 
153154
155+ name : Set Go module cache 
156+         run : | 
157+           mkdir -p ${{ github.workspace }}/.gocache 
158+           echo "GOMODCACHE=${{ github.workspace }}/.gocache" >> $GITHUB_ENV 
159+           echo "GOCACHE=${{ github.workspace }}/.gocache" >> $GITHUB_ENV 
160+ 
154161name : Create/Update Draft 
155162        uses : lucacome/draft-release@00f74370c044c322da6cb52acc707d62c7762c71  #  v1.2.4
156163        with :
@@ -161,7 +168,7 @@ jobs:
161168          notes-header : | 
162169            *Below is the auto-generated changelog, which includes all PRs that went into the release. 
163170            For a shorter version that highlights only important changes, see [CHANGELOG.md](https://github.com/nginx/nginx-gateway-fabric/blob/{{version}}/CHANGELOG.md).* 
164- if : ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }} 
171+ if : ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' && github.ref != 'refs/heads/chore/secure-build-pipeline'  }} 
165172
166173      - name : Download Syft 
167174        uses : anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45  #  v0.20.4
@@ -175,14 +182,14 @@ jobs:
175182        uses : goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552  #  v6.3.0
176183        with :
177184          version : v2.11.2  #  renovate: datasource=github-tags depName=goreleaser/goreleaser
178-           args : ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} --clean 
185+           args : ${{ github.ref_type == 'tag' && github.ref != 'refs/heads/chore/secure-build-pipeline' &&  'release' || 'build --snapshot' }} --clean 
179186        env :
180187          GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }} 
181188          GOPATH : ${{ needs.vars.outputs.go_path }} 
182-           AZURE_STORAGE_ACCOUNT : ${{ secrets.AZURE_STORAGE_ACCOUNT }} 
183-           AZURE_STORAGE_KEY : ${{ secrets.AZURE_STORAGE_KEY }} 
184-           AZURE_BUCKET_NAME : ${{ secrets.AZURE_BUCKET_NAME }} 
185-           SLACK_WEBHOOK : ${{ secrets.SLACK_WEBHOOK_COMMUNITY }} 
189+           AZURE_STORAGE_ACCOUNT : ${{ github.ref != 'refs/heads/chore/secure-build-pipeline' &&  secrets.AZURE_STORAGE_ACCOUNT || ''  }} 
190+           AZURE_STORAGE_KEY : ${{ github.ref != 'refs/heads/chore/secure-build-pipeline' &&  secrets.AZURE_STORAGE_KEY || ''  }} 
191+           AZURE_BUCKET_NAME : ${{ github.ref != 'refs/heads/chore/secure-build-pipeline' &&  secrets.AZURE_BUCKET_NAME || ''  }} 
192+           SLACK_WEBHOOK : ${{ github.ref != 'refs/heads/chore/secure-build-pipeline' &&  secrets.SLACK_WEBHOOK_COMMUNITY || ''  }} 
186193          TELEMETRY_ENDPOINT : ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-') && 'oss-dev.edge.df.f5.com:443' || 'oss.edge.df.f5.com:443' }} 
187194          TELEMETRY_ENDPOINT_INSECURE : " false" 
188195
@@ -288,9 +295,9 @@ jobs:
288295
289296  publish-helm :
290297    name : Package and Publish Helm Chart 
291-     runs-on : ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} 
298+     runs-on : ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && ( github.ref == 'refs/heads/main' || github.ref == 'refs/heads/chore/secure-build-pipeline') )) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} 
292299    needs : [vars, helm-tests] 
293-     if : ${{ github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-') }} 
300+     if : ${{ github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-') && github.ref != 'refs/heads/chore/secure-build-pipeline'  }} 
294301    permissions :
295302      contents : read 
296303      packages : write  #  for helm to push to GHCR
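Review bot: The new `GOPROXY` expression in the workflow-level `env:` block drops the arm that routed tag builds and pushes to `main` through `f5-nginx-go-local-approved-dependency`, so every run owned by `nginx`, release builds included, now resolves Go modules through `f5-nginx-go-dev`. If the approved-dependency repository is the vetted source for shipped artifacts (its name suggests so, but the page does not say), this removes the dependency gate on the release path. The removed expression already sent pushes to any branch other than `main` to the dev proxy, so restoring it leaves `chore/secure-build-pipeline` unchanged while keeping the `((github.event_name == 'push' && github.ref == 'refs/heads/main') || github.ref_type == 'tag')` arm for releases. The same temporary branch name is hard-coded in the `runs-on`, `if`, goreleaser `args` and goreleaser `env` expressions further down, and those special cases should be removed before this reaches `main`.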