diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cdd3dc2ae0..54c15beda5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -193,3 +193,27 @@ jobs:
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
 category: build-${{ inputs.image }}
+
+ - name: Save NGINX OSS image as tarball
+ if: ${{ inputs.image == 'nginx' }}
+ run: |
+ docker save -o nginx-oss-image.tar localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }}
+
+ - name: Upload NGINX OSS image artifact
+ if: ${{ inputs.image == 'nginx' }}
+ uses: actions/upload-artifact@v4
+ with:
+ name: nginx-oss-image
+ path: nginx-oss-image.tar
+
+ - name: Save Operator image as tarball
+ if: ${{ inputs.image == 'operator' }}
+ run: |
+ docker save -o operator-image.tar localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }}
+
+ - name: Upload Operator image artifact
+ if: ${{ inputs.image == 'operator' }}
+ uses: actions/upload-artifact@v4
+ with:
+ name: operator-image
+ path: operator-image.tar
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 10b86dd949..b369a32404 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -271,6 +271,15 @@ jobs:
 path: ${{ github.workspace }}/dist
 key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
 
+ - name: Save NGINX Gateway Fabric image
+ run: docker save -o ngf-image.tar localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }}
+
+ - name: Upload NGINX Gateway Fabric image artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: ngf-image
+ path: ngf-image.tar
+
 assertion:
 name: Generate and Sign Assertion Documents
 needs: [vars, binary]
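Review bot: Both upload steps in build.yml keep a full image tarball as a run artifact under a fixed name and with the default retention period, although the tarball is only consumed later in the same run. Add `retention-days: 1` and `if-no-files-found: error` under `with:` on each `actions/upload-artifact@v4` step; the `ngf-image` upload in the first ci.yml hunk has the same gap. If build.yml is called with `image: nginx` more than once per run (not visible here), the fixed name `nginx-oss-image` would be rejected as a duplicate by upload-artifact v4, so consider deriving the artifact name from an input. The enclosing jobs start outside both hunks.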
@@ -409,6 +418,18 @@ jobs:
 id-token: write # for docker/login to login to NGINX registry
 secrets: inherit
 
+ openshift-certification:
+ name: OpenShift Certification
+ needs: [build-oss, build-plus, build-operator]
+ # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }}
+ uses: ./.github/workflows/openshift-certification.yml
+ with:
+ runner: ubuntu-24.04
+ permissions:
+ contents: read
+ packages: read
+ secrets: inherit
+
 functional-tests:
 name: Functional tests
 needs: [vars, build-oss, build-plus]
diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml
new file mode 100644
index 0000000000..81289bb93a
--- /dev/null
+++ b/.github/workflows/openshift-certification.yml
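Review bot: `secrets: inherit` on the new `openshift-certification` job passes every secret available to ci.yml into the called workflow, while openshift-certification.yml only reads `PYXIS_API_TOKEN`; pass just that one with `secrets:` followed by `PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}`, and declare it under `on.workflow_call.secrets` in the callee. With the `if:` commented out the job runs on every event that triggers ci.yml, and the commented expression reads `github.event_pull_request.base.ref`, which would need to be `github.event.pull_request.base.ref` before it is re-enabled. `packages: read` looks unnecessary, since the images arrive as run artifacts rather than from a registry. The `ngf-image` artifact is uploaded by a ci.yml job whose name is outside the visible hunks, so confirm that job is listed in `needs`.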
@@ -0,0 +1,96 @@
+name: OpenShift Certification
+
+on:
+ workflow_call:
+ inputs:
+ runner:
+ required: false
+ type: string
+ default: 'ubuntu-24.04'
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ contents: read
+
+jobs:
+ preflight:
+ runs-on: ${{ inputs.runner }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Download preflight binary
+ run: |
+ curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64
+ chmod +x preflight-linux-amd64
+ sudo mv preflight-linux-amd64 /usr/local/bin/preflight
+
+ - name: Download NGINX Gateway Fabric image artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: ngf-image
+
+ - name: Load NGINX Gateway Fabric image into Docker
+ run: docker load -i ngf-image.tar
+
+ - name: Tag image for preflight
+ run: |
+ docker tag localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} nginx-gateway-fabric:edge-ubi
+
+ - name: Run preflight for NGINX Gateway Fabric
+ env:
+ PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
+ run: preflight check container nginx-gateway-fabric:edge-ubi > ngf-preflight-result.json
+
+ - name: Download NGINX NGINX OSS image artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: nginx-oss-image
+
+ - name: Load NGINX OSS image into Docker
+ run: docker load -i nginx-oss-image.tar
+
+ - name: Tag image for preflight
+ run: |
+ docker tag localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }}nginx-oss:edge-ubi
+
+ - name: Run preflight for NGINX OSS
+ env:
+ PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
+ run: preflight check container nginx:edge-ubi > ngf-oss-preflight-result.json
+
+ - name: Download NGINX Gateway Fabric Operator image artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: operator-image
+
+ - name: Load NGINX Gateway Fabric Operator image into Docker
+ run: docker load -i operator-image.tar
+
+ - name: Tag image for preflight
+ run: |
+ docker tag localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} ngf-operator:edge
+
+ - name: Run preflight for NGINX Gateway Fabric Operator
+ env:
+ PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
+ run: preflight check container ngf-operator:edge > ngf-operator-preflight-result.json
+
+ - name: Aggregate preflight results and fail if any checks failed
+ run: |
+ total_failed=0
+ for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do
+ failed_count=$(jq '.results.failed | length' "$result")
+ total_failed=$((total_failed + failed_count))
+ done
+ if [ "$total_failed" -ne 0 ]; then
+ echo "Preflight checks failed: $total_failed failed checks across all images"
+ for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do
+ echo "Results for $result:"
+ jq '.results.failed' "$result"
+ done
+ exit 1
+ fi
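Review bot: The `Download preflight binary` step fetches `releases/latest/download/preflight-linux-amd64` with no version pin and no checksum, installs it with sudo, and later steps run it with `PYXIS_API_TOKEN` in the environment, so whatever upstream publishes next runs with that secret in reach. Pin a release tag and verify a recorded SHA-256 before installing, as sketched below; the version and hash are placeholders to fill in from the upstream release. Separately, the NGINX OSS tag step has no space before `nginx-oss:edge-ubi`, so `docker tag` receives a single argument, and the following step checks `nginx:edge-ubi` rather than `nginx-oss:edge-ubi`. No `--submit` flag is visible on any `preflight check container` call, so the token appears unused; if that is the case, drop the three `env:` blocks.

```yaml
- name: Download preflight binary
  env:
    PREFLIGHT_VERSION: "<pinned-release-tag>" # placeholder
    PREFLIGHT_SHA256: "<sha256-of-preflight-linux-amd64>" # placeholder
  run: |
    curl -fsSLO "https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/${PREFLIGHT_VERSION}/preflight-linux-amd64"
    echo "${PREFLIGHT_SHA256}  preflight-linux-amd64" | sha256sum --check --strict
    # … unchanged: chmod +x and sudo mv to /usr/local/bin/preflight …
```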