Add build to ci for now

ciarams87 · ciarams87 · commit 7771c7812a4c · 2025-08-11T09:44:11.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -201,36 +201,282 @@ jobs:
 
   build-oss:
     name: Build OSS images
+    runs-on: ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/chore/secure-build-pipeline'))) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
     needs: [vars, binary]
     strategy:
       fail-fast: false
       matrix:
         image: [ngf, nginx]
         platforms: ["linux/arm64, linux/amd64"]
-    uses: ./.github/workflows/build.yml
-    with:
-      image: ${{ matrix.image }}
-      platforms: ${{ matrix.platforms }}
     permissions:
       contents: read # for docker/build-push-action to read repo content
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       packages: write # for docker/build-push-action to push to GHCR
       id-token: write # for docker/login to login to NGINX registry
-    secrets: inherit
+    services:
+      registry:
+        image: registry:3
+        ports:
+          - 5000:5000
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Fetch Cached Artifacts
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ${{ github.workspace }}/dist
+          key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        with:
+          driver-opts: network=host
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        with:
+          platforms: arm64
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        if: ${{ github.event_name != 'pull_request' && ! contains(matrix.image, 'plus') }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          context: workflow
+          images: |
+            name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric,enable=${{ matrix.image == 'ngf' && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ matrix.image == 'nginx' && github.event_name != 'pull_request' }}
+            name=localhost:5000/nginx-gateway-fabric/${{ matrix.image }}
+          flavor: |
+            latest=auto
+          tags: |
+            type=semver,pattern={{version}}
+            type=edge
+            type=schedule
+            type=ref,event=pr
+            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+          labels: |
+            org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
+            org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
+          annotations: |
+            org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
+            org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/main/README.md
+            io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-gateway-fabric/images/icons/NGINX-product-icon.svg
+            io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"kubernetes@nginx.com"}]
+            io.artifacthub.package.license=Apache-2.0
+            io.artifacthub.package.keywords=kubernetes,gateway,nginx
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+      - name: Debug Docker Meta Outputs
+        run: |
+          echo "Tags: ${{ steps.meta.outputs.tags }}"
+          echo "Labels: ${{ steps.meta.outputs.labels }}"
+          echo "Version: ${{ steps.meta.outputs.version }}"
+
+      - name: Build Docker Image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: build/Dockerfile${{ matrix.image == 'nginx' && '.nginx' || '' }}
+          context: "."
+          target: ${{ matrix.image == 'ngf' && 'goreleaser' || '' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          push: false
+          platforms: ${{ matrix.platforms }}
+          cache-from: type=gha,scope=${{ matrix.image }}
+          cache-to: type=gha,scope=${{ matrix.image }},mode=max
+          pull: true
+          no-cache: ${{ github.event_name != 'pull_request' }}
+          sbom: true
+          provenance: mode=max
+          build-args: |
+            NJS_DIR=internal/controller/nginx/modules/src
+            NGINX_CONF_DIR=internal/controller/nginx/conf
+            BUILD_AGENT=gha
+
+      - name: Inspect SBOM and output manifest
+        run: |
+          docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ matrix.image }}:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom-${{ matrix.image }}.json
+          docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ matrix.image }}:${{ steps.meta.outputs.version }} --raw
+
+      - name: Scan SBOM
+        id: scan
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
+        with:
+          sbom: "sbom-${{ matrix.image }}.json"
+          only-fixed: true
+          add-cpes-if-none: true
+          fail-build: false
+
+      - name: Upload scan result to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        continue-on-error: true
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+          category: build-${{ matrix.image }}
+        if: always()
 
   build-plus:
     name: Build Plus images
+    runs-on: ${{ github.repository_owner == 'nginx' && (github.ref_type == 'tag' || (github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/chore/secure-build-pipeline'))) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
     needs: [vars, binary]
-    uses: ./.github/workflows/build.yml
-    with:
-      image: plus
-      platforms: "linux/arm64, linux/amd64"
     permissions:
       contents: read # for docker/build-push-action to read repo content
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       packages: write # for docker/build-push-action to push to GHCR
       id-token: write # for docker/login to login to NGINX registry
-    secrets: inherit
+    services:
+      registry:
+        image: registry:3
+        ports:
+          - 5000:5000
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Fetch Cached Artifacts
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ${{ github.workspace }}/dist
+          key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        with:
+          driver-opts: network=host
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        with:
+          platforms: arm64
+
+      - name: Get Id Token
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        id: idtoken
+        with:
+          script: |
+            let id_token = await core.getIDToken()
+            core.setOutput('id_token', id_token)
+        if: ${{ github.event_name != 'pull_request' }}
+
+      - name: Login to NGINX Registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: docker-mgmt.nginx.com
+          username: ${{ steps.idtoken.outputs.id_token }}
+          password: ${{ github.actor }}
+        if: ${{ github.event_name != 'pull_request' }}
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+        if: ${{ github.event_name != 'pull_request' }}
+
+      - name: Login to GAR
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: us-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+        if: ${{ github.event_name != 'pull_request' }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          context: workflow
+          images: |
+            name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ github.event_name != 'pull_request' }}
+            name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ github.event_name != 'pull_request' }}
+            name=localhost:5000/nginx-gateway-fabric/plus
+          flavor: |
+            latest=auto
+          tags: |
+            type=semver,pattern={{version}}
+            type=edge
+            type=schedule
+            type=ref,event=pr
+            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+          labels: |
+            org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
+            org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
+          annotations: |
+            org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
+            org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/main/README.md
+            io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-gateway-fabric/images/icons/NGINX-product-icon.svg
+            io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"kubernetes@nginx.com"}]
+            io.artifacthub.package.license=Apache-2.0
+            io.artifacthub.package.keywords=kubernetes,gateway,nginx
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+      - name: Debug Docker Meta Outputs
+        run: |
+          echo "Tags: ${{ steps.meta.outputs.tags }}"
+          echo "Labels: ${{ steps.meta.outputs.labels }}"
+          echo "Version: ${{ steps.meta.outputs.version }}"
+
+      - name: Build Docker Image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: build/Dockerfile.nginxplus
+          context: "."
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          push: false
+          platforms: "linux/arm64, linux/amd64"
+          cache-from: type=gha,scope=plus
+          cache-to: type=gha,scope=plus,mode=max
+          pull: true
+          no-cache: ${{ github.event_name != 'pull_request' }}
+          sbom: true
+          provenance: mode=max
+          build-args: |
+            NJS_DIR=internal/controller/nginx/modules/src
+            NGINX_CONF_DIR=internal/controller/nginx/conf
+            BUILD_AGENT=gha
+          secrets: |
+            "nginx-repo.crt=${{ secrets.NGINX_CRT }}"
+            "nginx-repo.key=${{ secrets.NGINX_KEY }}"
+
+      - name: Inspect SBOM and output manifest
+        run: |
+          docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/plus:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom-plus.json
+          docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/plus:${{ steps.meta.outputs.version }} --raw
+
+      - name: Scan SBOM
+        id: scan
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
+        with:
+          sbom: "sbom-plus.json"
+          only-fixed: true
+          add-cpes-if-none: true
+          fail-build: false
+
+      - name: Upload scan result to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        continue-on-error: true
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+          category: build-plus
+        if: always()
 
   functional-tests:
     name: Functional tests
