Load images to Docker Daemon in build step. Run Openshift certification in matrix of images

shaun-nx · shaun-nx · commit 893fdb1e2863 · 2025-10-08T10:17:18.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -46,6 +46,8 @@ jobs:
         image: registry:3
         ports:
           - 5000:5000
+    outputs:
+      image_version: ${{ steps.meta.outputs.version }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -155,6 +157,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ steps.meta.outputs.annotations }}
           push: ${{ !inputs.dry_run }}
+          load: true
           platforms: ${{ inputs.platforms }}
           cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
           cache-to: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},mode=max
@@ -194,43 +197,15 @@ jobs:
           sarif_file: ${{ steps.scan.outputs.sarif }}
           category: build-${{ inputs.image }}
 
-      - name: Save NGINX Gateway Fabric image
-        if: ${{ inputs.image == 'ngf' }}
-        run: |
-          IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1)
-          docker save -o ngf-image.tar $IMAGE_TAG
-
-      - name: Upload NGINX Gateway Fabric image artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ngf-image
-          path: ngf-image.tar
-
       - name: Show all image tags for debugging
         run: echo "${{ steps.meta.outputs.tags }}"
 
-      - name: Save NGINX OSS image as tarball
-        if: ${{ inputs.image == 'nginx' }}
-        run: |
-          IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1)
-          docker save -o nginx-oss-image.tar $IMAGE_TAG
-
-      - name: Upload NGINX OSS image artifact
-        if: ${{ inputs.image == 'nginx' }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: nginx-oss-image
-          path: nginx-oss-image.tar
-
-      - name: Save Operator image as tarball
-        if: ${{ inputs.image == 'operator' }}
+      - name: Save the image as tarball
         run: |
-          IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1)
-          docker save -o operator-image.tar $IMAGE_TAG
+          docker save -o ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }}
 
-      - name: Upload Operator image artifact
-        if: ${{ inputs.image == 'operator' }}
+      - name: Upload the image artifact
         uses: actions/upload-artifact@v4
         with:
-          name: operator-image
-          path: operator-image.tar
+          name: ${{ inputs.image }}-${{ steps.meta.outputs.version }}
+          path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -412,10 +412,15 @@ jobs:
   openshift-certification:
     name: OpenShift Certification
     needs: [build-oss, build-plus, build-operator]
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [ngf, nginx, operator]
     # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }}
     uses: ./.github/workflows/openshift-certification.yml
     with:
       runner: ubuntu-24.04
+      image_version: ${{ jobs.build.outputs.image_version }}
     permissions:
       contents: read
       packages: read
diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml
@@ -7,6 +7,12 @@ on:
         required: false
         type: string
         default: 'ubuntu-24.04'
+      image_version:
+        required: true
+        type: string
+      image:
+        required: true
+        type: string
 
 defaults:
   run:
@@ -28,77 +34,31 @@ jobs:
         chmod +x preflight-linux-amd64
         sudo mv preflight-linux-amd64 /usr/local/bin/preflight
 
-    - name: Download NGINX Gateway Fabric image artifact
-      uses: actions/download-artifact@v4
-      with:
-        name: ngf-image
-
-    - name: Load NGINX Gateway Fabric image into Docker
-      run: docker load -i ngf-image.tar
-
-    - name: Load NGINX Gateway Fabric image into Docker
-      run: docker load -i ngf-image.tar
-
-    - name: Retag image for preflight
-      run: |
-        IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1)
-        docker tag $IMAGE_ID nginx-gateway-fabric:ubi
-
-
-    - name: Run preflight for NGINX Gateway Fabric
-      env:
-        PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
-      run: preflight check container nginx-gateway-fabric:ubi > ngf-preflight-result.json
-
-    - name: Download NGINX NGINX OSS image artifact
-      uses: actions/download-artifact@v4
-      with:
-        name: nginx-oss-image
-
-    - name: Load NGINX OSS image into Docker
-      run: docker load -i nginx-oss-image.tar
-
-    - name: Retag image for preflight
-      run: |
-        IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1)
-        docker tag $IMAGE_ID nginx-oss:ubi
-
-
-    - name: Run preflight for NGINX OSS
-      env:
-        PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
-      run: preflight check container nginx:ubi > ngf-oss-preflight-result.json
-
-    - name: Download NGINX Gateway Fabric Operator image artifact
+    - name: Download image artifact
       uses: actions/download-artifact@v4
       with:
-        name: operator-image
+        name: ${{ inputs.image }}-${{ inputs.image_version }}
 
-    - name: Load NGINX Gateway Fabric Operator image into Docker
-      run: docker load -i operator-image.tar
+    - name: Load image into Docker
+      run: docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar
 
     - name: Retag image for preflight
       run: |
-        IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1)
-        docker tag $IMAGE_ID ngf-operator:ubi
+        loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}"
+        preflight_tag="${{ inputs.image }}:ubi"
+        docker tag "$loaded_tag" "$preflight_tag"
 
-    - name: Run preflight for NGINX Gateway Fabric Operator
+    - name: Run preflight
       env:
         PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
-      run: preflight check container ngf-operator:ubi > ngf-operator-preflight-result.json
+      run: preflight check container ${{ inputs.image }}:ubi > preflight-result.json
 
-    - name: Aggregate preflight results and fail if any checks failed
+    - name: Check preflight results
       run: |
-        total_failed=0
-        for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do
-        failed_count=$(jq '.results.failed | length' "$result")
-        total_failed=$((total_failed + failed_count))
-        done
-        if [ "$total_failed" -ne 0 ]; then
-        echo "Preflight checks failed: $total_failed failed checks across all images"
-        for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do
-        echo "Results for $result:"
-        jq '.results.failed' "$result"
-        done
+        failed_count=$(jq '.results.failed | length' preflight-result.json)
+        if [ "$failed_count" -ne 0 ]; then
+        echo "Preflight checks failed: $failed_count failed checks"
+        echo "Results for preflight-result.json:"
+        jq '.results.failed' preflight-result.json
         exit 1
         fi
