From 2121f3bb191558a264ba06bbffea9de895a7f3ce Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 10:26:17 +0100 Subject: [PATCH 01/24] Add workflow to validate UBI images pass RedHat Certification --- .github/workflows/ci.yml | 15 +++++ .github/workflows/openshift-certification.yml | 61 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 .github/workflows/openshift-certification.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 10b86dd949..2404fe9086 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -409,6 +409,21 @@ jobs: id-token: write # for docker/login to login to NGINX registry secrets: inherit + openshift-certification: + name: OpenShift Certification + needs: [vars, build-oss, build-plus, build-operator] + if: ${{ inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null) }} + uses: ./.github/workflows/openshift-certification.yml + with: + operator-version: ${{ inputs.operator_version || '' }} + build-os: "ubi" + dry_run: ${{ inputs.dry_run || false }} + runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} + permissions: + contents: read + packages: read + secrets: inherit + functional-tests: name: Functional tests needs: [vars, build-oss, build-plus] diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml new file mode 100644 index 0000000000..1ace221fb1 --- /dev/null +++ b/.github/workflows/openshift-certification.yml 
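Review bot: The `with:` block passes `operator-version`, which the called workflow added in this same patch does not declare (its inputs are `build-os`, `dry_run` and `runner`), and GitHub rejects a reusable-workflow call that supplies an undeclared input, so the job fails at workflow validation. `build-os` and `dry_run` are declared but no step in the called workflow reads them, so they are dead plumbing; either drop the three `with:` lines or make the callee use them. The `if:` already excludes `dry_run == true`, so forwarding `dry_run` duplicates the gate. `secrets: inherit` next to `permissions: contents: read, packages: read` is reasonable for a job that only pulls images; keep the permission set that narrow.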
@@ -0,0 +1,61 @@ +name: OpenShift Certification + +on: + workflow_call: + inputs: + build-os: + required: true + type: string + default: 'ubi' + dry_run: + required: false + type: boolean + default: false + runner: + required: false + type: string + default: 'ubuntu-24.04' + +jobs: + preflight: + runs-on: ${{ inputs.runner }} + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Download preflight binary + run: | + curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64 + chmod +x preflight-linux-amd64 + sudo mv preflight-linux-amd64 /usr/local/bin/preflight + + - name: Run preflight for NGINX Gateway Fabric + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi --json > ngf-preflight-result.json + + - name: Run preflight for NGINX OSS + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi --json > ngf-oss-preflight-result.json + + - name: Run preflight for NGINX Gateway Fabric Operator + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge --json > ngf-operator-preflight-result.json + + - name: Aggregate preflight results and fail if any checks failed + run: | + total_failed=0 + for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do + failed_count=$(jq '.results.failed | length' "$result") + total_failed=$((total_failed + failed_count)) + done + if [ "$total_failed" -ne 0 ]; then + echo "Preflight checks failed: $total_failed failed checks across all images" + for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do + echo "Results for $result:" + jq '.results.failed' "$result" + done + exit 1 + fi \ No newline at end of file 
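Review bot: The `Download preflight binary` step fetches an unpinned `releases/latest` binary with `curl -LO`, performs no integrity check, and installs it root-owned in `/usr/local/bin` via sudo, after which the later steps hand it `PYXIS_API_TOKEN`; the job's trust boundary is therefore whatever that URL serves on the day it runs. Pin a release and verify it: `curl -fsSL -o preflight https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/<PINNED_VERSION>/preflight-linux-amd64`, `echo "<EXPECTED_SHA256>  preflight" | sha256sum -c -`, `sudo install -m 0755 preflight /usr/local/bin/preflight` (placeholders to be filled from the release page); `-f` also stops an error body from being saved and made executable. `actions/checkout@v4` is a mutable tag, whereas build.yml in this repository pins actions to a commit SHA with a version comment, so the new workflow should follow that convention. Separately, `build-os` is declared `required: true` together with `default: 'ubi'`, which is contradictory because a default never applies to a required input; keep one of the two.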
From d61c9f4fae6a64fc2024b8b5f261148d3b38fff0 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 10:35:45 +0100 Subject: [PATCH 02/24] Update args and fix pre-commit checks --- .github/workflows/ci.yml | 5 +- .github/workflows/openshift-certification.yml | 76 +++++++++---------- 2 files changed, 35 insertions(+), 46 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2404fe9086..33517fcc24 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -411,13 +411,10 @@ jobs: openshift-certification: name: OpenShift Certification - needs: [vars, build-oss, build-plus, build-operator] + needs: [build-oss, build-plus, build-operator] if: ${{ inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null) }} uses: ./.github/workflows/openshift-certification.yml with: - operator-version: ${{ inputs.operator_version || '' }} - build-os: "ubi" - dry_run: ${{ inputs.dry_run || false }} runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} permissions: contents: read diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 1ace221fb1..c6038e9893 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -3,14 +3,6 @@ name: OpenShift Certification on: workflow_call: inputs: - build-os: - required: true - type: string - default: 'ubi' - dry_run: - required: false - type: boolean - default: false runner: required: false type: string 
@@ -20,42 +12,42 @@ jobs: preflight: runs-on: ${{ inputs.runner }} steps: - - name: Checkout repository - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 - - name: Download preflight binary - run: | - curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64 - chmod +x preflight-linux-amd64 - sudo mv preflight-linux-amd64 /usr/local/bin/preflight + - name: Download preflight binary + run: | + curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64 + chmod +x preflight-linux-amd64 + sudo mv preflight-linux-amd64 /usr/local/bin/preflight - - name: Run preflight for NGINX Gateway Fabric - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi --json > ngf-preflight-result.json + - name: Run preflight for NGINX Gateway Fabric + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi --json > ngf-preflight-result.json - - name: Run preflight for NGINX OSS - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi --json > ngf-oss-preflight-result.json + - name: Run preflight for NGINX OSS + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi --json > ngf-oss-preflight-result.json - - name: Run preflight for NGINX Gateway Fabric Operator - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge --json > ngf-operator-preflight-result.json + - name: Run preflight for NGINX Gateway Fabric Operator + env: + PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} + run: preflight check operator 
ghcr.io/nginx/nginx-gateway-fabric/operator:edge --json > ngf-operator-preflight-result.json - - name: Aggregate preflight results and fail if any checks failed - run: | - total_failed=0 - for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do - failed_count=$(jq '.results.failed | length' "$result") - total_failed=$((total_failed + failed_count)) - done - if [ "$total_failed" -ne 0 ]; then - echo "Preflight checks failed: $total_failed failed checks across all images" - for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do - echo "Results for $result:" - jq '.results.failed' "$result" - done - exit 1 - fi \ No newline at end of file + - name: Aggregate preflight results and fail if any checks failed + run: | + total_failed=0 + for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do + failed_count=$(jq '.results.failed | length' "$result") + total_failed=$((total_failed + failed_count)) + done + if [ "$total_failed" -ne 0 ]; then + echo "Preflight checks failed: $total_failed failed checks across all images" + for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do + echo "Results for $result:" + jq '.results.failed' "$result" + done + exit 1 + fi From 2ffc89cbbee142d39bf02cefd7b03d9867c371db Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 10:37:53 +0100 Subject: [PATCH 03/24] Add premissions and default run env --- .github/workflows/openshift-certification.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index c6038e9893..0f618ab207 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -8,6 +8,13 @@ on: type: string default: 'ubuntu-24.04' +defaults: + run: + shell: bash + +permissions: + contents: read + jobs: preflight: runs-on: ${{ inputs.runner }} From 34d29e7e3fc3cab73d6a3a22037f050206fa62d1 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 12:12:37 +0100 Subject: [PATCH 04/24] Ensure Openshift ceritfication runs outside of prod release --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 33517fcc24..04fab4db9d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -412,7 +412,7 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: ${{ inputs.is_production_release && (inputs.dry_run == false || inputs.dry_run == null) }} + if: ${{ inputs.dry_run == false || inputs.dry_run == null) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} From 11cb2ecc3fbb4aa3e793d0ce2c2408ca516fc055 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 13:27:56 +0100 Subject: [PATCH 05/24] Update dry_run input --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 04fab4db9d..49c1108a14 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
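Review bot: The new `if:` has an unbalanced parenthesis, `inputs.dry_run == null) }}`, so the expression does not parse and the whole ci.yml workflow is rejected before any job starts. Removing `is_production_release` from the gate also means the certification job now runs on every non-dry-run invocation with `secrets: inherit`; if that is intended, the commit message should say so, otherwise keep the release condition. The corrected line would be `if: ${{ inputs.dry_run == false || inputs.dry_run == null }}`.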
@@ -412,7 +412,7 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: ${{ inputs.dry_run == false || inputs.dry_run == null) }} + if: ${{ inputs.dry_run || false }} uses: ./.github/workflows/openshift-certification.yml with: runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} From c132f476678bf9b79c1ab968d395e3c2643d6d99 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 14:23:19 +0100 Subject: [PATCH 06/24] Ensure Openshift certification runs only on merges to main, and during releases --- .github/workflows/ci.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 49c1108a14..16ee428480 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -412,10 +412,15 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: ${{ inputs.dry_run || false }} + if: > + ${{ github.event_name == 'pull_request' + && github.event.pull_request.base.ref == 'main' + || (github.event_name == 'push' && github.ref == 'refs/heads/main') + || (inputs.is_production_release == true) + }} uses: ./.github/workflows/openshift-certification.yml with: - runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} + runner: ubuntu-24.04 permissions: contents: read packages: read From 7597193032b7567e524af0b72304b192945b6d01 Mon Sep 17 00:00:00 2001 
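Review bot: `if: ${{ inputs.dry_run || false }}` inverts the previous revision's intent: it is true only when `dry_run` is true, so certification now runs only during dry runs and is skipped on real pushes and releases. The intended gate is `if: ${{ !inputs.dry_run }}`, which also covers the unset case because a null input is falsy. The `runner:` expression on the following context line still reads `inputs.is_production_release`, so that input remains in play even though the job condition no longer mentions it.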
From: Shaun Date: Tue, 7 Oct 2025 14:28:23 +0100 Subject: [PATCH 07/24] Potential fix for code scanning alert no. 542: If expression always true Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 16ee428480..ce5fd9fa89 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -412,12 +412,7 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: > - ${{ github.event_name == 'pull_request' - && github.event.pull_request.base.ref == 'main' - || (github.event_name == 'push' && github.ref == 'refs/heads/main') - || (inputs.is_production_release == true) - }} + if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 From 96912088186a3ae479d6b80152946f51aed09693 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 15:39:33 +0100 Subject: [PATCH 08/24] tmp remove if check for certification job --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ce5fd9fa89..b0323e89ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
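Review bot: The collapsed expression contains `github.event_pull_request.base.ref`, which is not a valid context path; the property is `github.event.pull_request.base.ref`. An unknown property evaluates to null rather than raising an error, so the pull-request branch of the condition silently never matches and certification only runs on pushes to main and production releases. The corrected line is `if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main') || (github.event_name == 'push' && github.ref == 'refs/heads/main') || inputs.is_production_release == true }}`; the explicit parentheses make the intended grouping visible instead of relying on `&&` binding tighter than `||`.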
@@ -412,7 +412,7 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] - if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} + # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 From bb8a3495416c2bb86fb71834cf70c5993b0fa45d Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 15:52:50 +0100 Subject: [PATCH 09/24] Remove `--json` flag --- .github/workflows/openshift-certification.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 0f618ab207..307e63c878 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
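Review bot: Commenting out the `if:` makes `openshift-certification` run on every ci.yml invocation, including pull requests and dry runs, while the job keeps `secrets: inherit`; the commit subject calls this temporary, but nothing in the file records that. If the gate has to stay off while the job is debugged, leave a tracked marker beside the commented line, e.g. `# TODO(<TICKET>): restore the main/release gate before the next release`, so the unconditional run cannot quietly become permanent.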
@@ -31,17 +31,17 @@ jobs: - name: Run preflight for NGINX Gateway Fabric env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi --json > ngf-preflight-result.json + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi > ngf-preflight-result.json - name: Run preflight for NGINX OSS env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi --json > ngf-oss-preflight-result.json + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi > ngf-oss-preflight-result.json - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge --json > ngf-operator-preflight-result.json + run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From f164607b2f2524779d59fcda129769acb412ce89 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 16:35:03 +0100 Subject: [PATCH 10/24] Use check container instead of check operator --- .github/workflows/openshift-certification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 307e63c878..98c66a1b16 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
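Review bot: Dropping `--json` means the three redirects still write to `*-preflight-result.json`, but the content is no longer JSON, and the `Aggregate preflight results` step that follows (its header is the last context line of this hunk, its body is outside it) still runs `jq '.results.failed | length'` on those files, so the aggregation now fails with a parse error on every run regardless of the check outcome. Either keep `--json` and address whatever motivated its removal, or point the aggregation at a results file preflight writes independently of stdout, which I cannot confirm from this page. If the files stop being JSON, rename them so the next reader is not misled.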
@@ -41,7 +41,7 @@ jobs: - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge > ngf-operator-preflight-result.json + run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/operator:edge > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From 8d908cfa2117f1874d43cad3a903320e57a8283e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 17:11:10 +0100 Subject: [PATCH 11/24] Add steps to save and tag docker images for use by preflight checks --- .github/workflows/build.yml | 24 +++++++++++ .github/workflows/ci.yml | 9 ++++ .github/workflows/openshift-certification.yml | 42 +++++++++++++++++-- 3 files changed, 72 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cdd3dc2ae0..54c15beda5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -193,3 +193,27 @@ jobs: with: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} + + - name: Save NGINX OSS image as tarball + if: ${{ inputs.image == 'nginx' }} + run: | + docker save -o nginx-oss-image.tar localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }} + + - name: Upload NGINX OSS image artifact + if: ${{ inputs.image == 'nginx' }} + uses: actions/upload-artifact@v4 + with: + name: nginx-oss-image + path: nginx-oss-image.tar + + - name: Save Operator image as tarball + if: ${{ inputs.image == 'operator' }} + run: | + docker save -o operator-image.tar localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} + + - name: Upload Operator image artifact + if: ${{ inputs.image == 'operator' }} + uses: actions/upload-artifact@v4 + with: + name: operator-image + path: operator-image.tar 
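Review bot: Both new upload steps use `actions/upload-artifact@v4`, a mutable tag, while build.yml pins other actions to a commit SHA with a version comment (`actions/checkout@08c6903…  # v5.0.0` appears later in this series); pin these the same way. The `docker save` lines guess the local tag as `localhost:5000/nginx-gateway-fabric/<image>:${{ github.run_id }}-${{ github.run_number }}` instead of taking it from the metadata step that produced the tags, so if the tagging scheme differs the save fails and no artifact is uploaded; read the tag from `steps.meta.outputs.tags`. Add `if-no-files-found: error` to the upload steps so a missing tarball fails here rather than in the consuming workflow.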
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b0323e89ce..b369a32404 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -271,6 +271,15 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} + - name: Save NGINX Gateway Fabric image + run: docker save -o ngf-image.tar localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} + + - name: Upload NGINX Gateway Fabric image artifact + uses: actions/upload-artifact@v4 + with: + name: ngf-image + path: ngf-image.tar + assertion: name: Generate and Sign Assertion Documents needs: [vars, binary] diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 98c66a1b16..f5ba2b1177 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
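Review bot: The new `docker save` references `localhost:5000/nginx/nginx-gateway-fabric:…`, whereas build.yml in the same patch saves images under `localhost:5000/nginx-gateway-fabric/<image>:…`; one of the two repository paths is presumably wrong, and this one is likewise not taken from the metadata step that created the tags. The step has no `if:`, so it runs on every ci.yml build even when certification is skipped; guard it the same way the certification job is guarded, or move it next to the other save steps in build.yml. `actions/upload-artifact@v4` should be SHA-pinned like the other actions in this repository.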
@@ -28,20 +28,56 @@ jobs: chmod +x preflight-linux-amd64 sudo mv preflight-linux-amd64 /usr/local/bin/preflight + - name: Download NGINX Gateway Fabric image artifact + uses: actions/download-artifact@v4 + with: + name: ngf-image + + - name: Load NGINX Gateway Fabric image into Docker + run: docker load -i ngf-image.tar + + - name: Tag image for preflight + run: | + docker tag localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} nginx-gateway-fabric:edge-ubi + - name: Run preflight for NGINX Gateway Fabric env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi > ngf-preflight-result.json + run: preflight check container nginx-gateway-fabric:edge-ubi > ngf-preflight-result.json + + - name: Download NGINX NGINX OSS image artifact + uses: actions/download-artifact@v4 + with: + name: nginx-oss-image + + - name: Load NGINX OSS image into Docker + run: docker load -i nginx-oss-image.tar + + - name: Tag image for preflight + run: | + docker tag localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }}nginx-oss:edge-ubi - name: Run preflight for NGINX OSS env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi > ngf-oss-preflight-result.json + run: preflight check container nginx:edge-ubi > ngf-oss-preflight-result.json + + - name: Download NGINX Gateway Fabric Operator image artifact + uses: actions/download-artifact@v4 + with: + name: operator-image + + - name: Load NGINX Gateway Fabric Operator image into Docker + run: docker load -i operator-image.tar + + - name: Tag image for preflight + run: | + docker tag localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} ngf-operator:edge - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check 
container ghcr.io/nginx/nginx-gateway-fabric/operator:edge > ngf-operator-preflight-result.json + run: preflight check operator ngf-operator:edge > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From afc676e94a1896796af4cc6fae311d957f1ed893 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 7 Oct 2025 17:13:29 +0100 Subject: [PATCH 12/24] change operator to container --- .github/workflows/openshift-certification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index f5ba2b1177..81289bb93a 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -77,7 +77,7 @@ jobs: - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check operator ngf-operator:edge > ngf-operator-preflight-result.json + run: preflight check container ngf-operator:edge > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From 8ef4adbc51c77d0cc1be701c96d30ac433cdcea3 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 09:25:13 +0100 Subject: [PATCH 13/24] Move image save and upload to build.yaml. Add debug echo for tags --- .github/workflows/build.yml | 21 +++++++++++++++++++-- .github/workflows/ci.yml | 9 --------- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 54c15beda5..640c46d806 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
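Review bot: In the NGINX OSS retag step the command is `docker tag localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }}nginx-oss:edge-ubi` with no space before the target, so docker receives one malformed reference and the step fails. Even with the space, the target would be `nginx-oss:edge-ubi` while the next step runs `preflight check container nginx:edge-ubi`, so the image preflight looks for is never created; the two names must agree. The operator step runs `preflight check operator ngf-operator:edge` against a plain container image (the following patch on this page switches it to `check container`), and all three tag steps share the name `Tag image for preflight`, which makes the job log hard to read; name them per image.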
@@ -193,11 +193,27 @@ jobs: with: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} + + - name: Save NGINX Gateway Fabric image + if: ${{ inputs.image == 'ngf' }} + run: | + IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1) + docker save -o ngf-image.tar $IMAGE_TAG + + - name: Upload NGINX Gateway Fabric image artifact + uses: actions/upload-artifact@v4 + with: + name: ngf-image + path: ngf-image.tar + + - name: Show all image tags for debugging + run: echo "${{ steps.meta.outputs.tags }}" - name: Save NGINX OSS image as tarball if: ${{ inputs.image == 'nginx' }} run: | - docker save -o nginx-oss-image.tar localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }} + IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1) + docker save -o nginx-oss-image.tar $IMAGE_TAG - name: Upload NGINX OSS image artifact if: ${{ inputs.image == 'nginx' }} @@ -209,7 +225,8 @@ jobs: - name: Save Operator image as tarball if: ${{ inputs.image == 'operator' }} run: | - docker save -o operator-image.tar localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} + IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) + docker save -o operator-image.tar $IMAGE_TAG - name: Upload Operator image artifact if: ${{ inputs.image == 'operator' }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b369a32404..b0323e89ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
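Review bot: `Upload NGINX Gateway Fabric image artifact` has no `if: ${{ inputs.image == 'ngf' }}` unlike the save step above it, so the nginx and operator builds also run it against a tarball that was never created; with upload-artifact's default `if-no-files-found: warn` that is a silent no-op, and with `error` it breaks those builds, so either way the guard is needed. `Show all image tags for debugging` echoes `${{ steps.meta.outputs.tags }}` unconditionally and the commit subject marks it as debug output; remove it before merge or gate it on `runner.debug == '1'`. `IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep … | head -n 1)` interpolates a workflow expression straight into the shell script; pass it via `env: TAGS: ${{ steps.meta.outputs.tags }}` and use `"$TAGS"`, and quote `"$IMAGE_TAG"` in the `docker save` calls so an empty match fails loudly instead of expanding to nothing.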
@@ -271,15 +271,6 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} - - name: Save NGINX Gateway Fabric image - run: docker save -o ngf-image.tar localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} - - - name: Upload NGINX Gateway Fabric image artifact - uses: actions/upload-artifact@v4 - with: - name: ngf-image - path: ngf-image.tar - assertion: name: Generate and Sign Assertion Documents needs: [vars, binary] From 118145bffde4b31001b1863e70dd4748260c168e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 09:28:57 +0100 Subject: [PATCH 14/24] Update openshift certification job with new image tags --- .github/workflows/openshift-certification.yml | 27 ++++++++++++------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 81289bb93a..049203dbca 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -36,14 +36,19 @@ jobs: - name: Load NGINX Gateway Fabric image into Docker run: docker load -i ngf-image.tar - - name: Tag image for preflight + - name: Load NGINX Gateway Fabric image into Docker + run: docker load -i ngf-image.tar + + - name: Retag image for preflight run: | - docker tag localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} nginx-gateway-fabric:edge-ubi + IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1) + docker tag $IMAGE_ID nginx-gateway-fabric:ubi + - name: Run preflight for NGINX Gateway Fabric env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container nginx-gateway-fabric:edge-ubi > ngf-preflight-result.json + run: preflight check container nginx-gateway-fabric:ubi > ngf-preflight-result.json - name: Download NGINX NGINX OSS image artifact uses: actions/download-artifact@v4 @@ -53,14 +58,16 @@ jobs: - name: Load NGINX OSS image into Docker run: docker load -i nginx-oss-image.tar - - name: Tag image for preflight + - name: Retag image for preflight run: | - docker tag localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }}nginx-oss:edge-ubi + IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1) + docker tag $IMAGE_ID nginx-oss:ubi + - name: Run preflight for NGINX OSS env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container nginx:edge-ubi > ngf-oss-preflight-result.json + run: preflight check container nginx:ubi > ngf-oss-preflight-result.json - name: Download NGINX Gateway Fabric Operator image artifact uses: actions/download-artifact@v4 
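Review bot: The hunk adds a second `Load NGINX Gateway Fabric image into Docker` step directly below the existing one (visible as context), so `ngf-image.tar` is loaded twice; drop the duplicate. The OSS retag targets `nginx-oss:ubi` but the following run step is `preflight check container nginx:ubi`, so the name mismatch from the previous revision survives and preflight will not find the image. `IMAGE_ID=$(docker images … | grep '^localhost:5000/…' | head -n 1)` followed by an unquoted `docker tag $IMAGE_ID …` turns an empty match into a confusing usage error; quote it and add `[ -n "$IMAGE_ID" ] || { echo "image not found"; exit 1; }` in all three retag steps (the operator one is in the next hunk).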
@@ -70,14 +77,16 @@ jobs: - name: Load NGINX Gateway Fabric Operator image into Docker run: docker load -i operator-image.tar - - name: Tag image for preflight + - name: Retag image for preflight run: | - docker tag localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} ngf-operator:edge + IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) + docker tag $IMAGE_ID ngf-operator:ubi + - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ngf-operator:edge > ngf-operator-preflight-result.json + run: preflight check container ngf-operator:ubi > ngf-operator-preflight-result.json - name: Aggregate preflight results and fail if any checks failed run: | From aafd707ecd606b1b830b5173b5513a3ec9144857 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 09:37:01 +0100 Subject: [PATCH 15/24] Fix pre-commit errors --- .github/workflows/build.yml | 2 +- .github/workflows/openshift-certification.yml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 640c46d806..e90c09be51 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -193,7 +193,7 @@ jobs: with: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} - + - name: Save NGINX Gateway Fabric image if: ${{ inputs.image == 'ngf' }} run: | diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 049203dbca..c488d5bf48 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
@@ -82,7 +82,6 @@ jobs: IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) docker tag $IMAGE_ID ngf-operator:ubi - - name: Run preflight for NGINX Gateway Fabric Operator env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} From 893fdb1e2863c4f43aefadf3afa42f6300c4c92f Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 10:17:18 +0100 Subject: [PATCH 16/24] Load images to Docker Daemon in build step. Run Openshift certification in matrix of images --- .github/workflows/build.yml | 41 ++-------- .github/workflows/ci.yml | 5 ++ .github/workflows/openshift-certification.yml | 82 +++++-------------- 3 files changed, 34 insertions(+), 94 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e90c09be51..831716bd0f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,6 +46,8 @@ jobs: image: registry:3 ports: - 5000:5000 + outputs: + image_version: ${{ steps.meta.outputs.version }} steps: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -155,6 +157,7 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} push: ${{ !inputs.dry_run }} + load: true platforms: ${{ inputs.platforms }} cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} cache-to: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},mode=max 
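Review bot: `load: true` is added to a build step that also sets `platforms: ${{ inputs.platforms }}`; docker/build-push-action cannot load a multi-platform result into the local daemon unless the runner's Docker uses the containerd image store, so any invocation with more than one platform will error out. Either restrict it, e.g. `load: ${{ !contains(inputs.platforms, ',') }}`, or drop it and keep pulling the pushed image from the `registry:3` service the job already exposes on port 5000 (visible as context). The new `image_version` job output only reaches callers if it is also exported under `on.workflow_call.outputs`, which this hunk does not show; confirm that mapping exists.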
@@ -194,43 +197,15 @@ jobs: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} - - name: Save NGINX Gateway Fabric image - if: ${{ inputs.image == 'ngf' }} - run: | - IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1) - docker save -o ngf-image.tar $IMAGE_TAG - - - name: Upload NGINX Gateway Fabric image artifact - uses: actions/upload-artifact@v4 - with: - name: ngf-image - path: ngf-image.tar - - name: Show all image tags for debugging run: echo "${{ steps.meta.outputs.tags }}" - - name: Save NGINX OSS image as tarball - if: ${{ inputs.image == 'nginx' }} - run: | - IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1) - docker save -o nginx-oss-image.tar $IMAGE_TAG - - - name: Upload NGINX OSS image artifact - if: ${{ inputs.image == 'nginx' }} - uses: actions/upload-artifact@v4 - with: - name: nginx-oss-image - path: nginx-oss-image.tar - - - name: Save Operator image as tarball - if: ${{ inputs.image == 'operator' }} + - name: Save the image as tarball run: | - IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | grep '^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) - docker save -o operator-image.tar $IMAGE_TAG + docker save -o ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} - - name: Upload Operator image artifact - if: ${{ inputs.image == 'operator' }} + - name: Upload the image artifact uses: actions/upload-artifact@v4 with: - name: operator-image - path: operator-image.tar + name: ${{ inputs.image }}-${{ steps.meta.outputs.version }} + path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b0323e89ce..1fad62b06d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
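Review bot: `Show all image tags for debugging` survives this refactor and now runs on every build of every image; it prints `${{ steps.meta.outputs.tags }}` and has no `if:`, so remove it or gate it on `runner.debug == '1'`. The new save step hard-codes the repository as `localhost:5000/nginx-gateway-fabric/${{ inputs.image }}` rather than reading a tag from `steps.meta.outputs.tags`; that is only correct if the metadata step emits exactly that name for every image in the matrix, which I cannot confirm from the page. `actions/upload-artifact@v4` is still a mutable tag; pin it to a SHA with a version comment as `actions/checkout` is pinned earlier in this file, and add `if-no-files-found: error` so a failed save is caught here.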
@@ -412,10 +412,15 @@ jobs: openshift-certification: name: OpenShift Certification needs: [build-oss, build-plus, build-operator] + strategy: + fail-fast: false + matrix: + image: [ngf, nginx, operator] # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 + image_version: ${{ jobs.build.outputs.image_version }} permissions: contents: read packages: read diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index c488d5bf48..88d46d7169 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -7,6 +7,12 @@ on: required: false type: string default: 'ubuntu-24.04' + image_version: + required: true + type: string + image: + required: true + type: string defaults: run: 
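Review bot: `image_version: ${{ jobs.build.outputs.image_version }}` cannot resolve here: a caller reads a dependency's outputs through `needs.<job>.outputs`, the `jobs` context is not available in a job's `with:`, and none of the jobs listed in `needs:` is named `build`, so the called workflow receives an empty string for an input it declares `required: true`. The matrix value `matrix.image` is also not forwarded in `with:`, although `image` is declared required in the same commit. With the `if:` line still commented out, this certification job — and the `PYXIS_API_TOKEN` the called workflow uses — runs on every event that triggers ci.yml; I'd restore a gate before merging.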
@@ -28,77 +34,31 @@ jobs: chmod +x preflight-linux-amd64 sudo mv preflight-linux-amd64 /usr/local/bin/preflight - - name: Download NGINX Gateway Fabric image artifact - uses: actions/download-artifact@v4 - with: - name: ngf-image - - - name: Load NGINX Gateway Fabric image into Docker - run: docker load -i ngf-image.tar - - - name: Load NGINX Gateway Fabric image into Docker - run: docker load -i ngf-image.tar - - - name: Retag image for preflight - run: | - IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/ngf:' | head -n 1) - docker tag $IMAGE_ID nginx-gateway-fabric:ubi - - - - name: Run preflight for NGINX Gateway Fabric - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container nginx-gateway-fabric:ubi > ngf-preflight-result.json - - - name: Download NGINX NGINX OSS image artifact - uses: actions/download-artifact@v4 - with: - name: nginx-oss-image - - - name: Load NGINX OSS image into Docker - run: docker load -i nginx-oss-image.tar - - - name: Retag image for preflight - run: | - IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^localhost:5000/nginx-gateway-fabric/nginx:' | head -n 1) - docker tag $IMAGE_ID nginx-oss:ubi - - - - name: Run preflight for NGINX OSS - env: - PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container nginx:ubi > ngf-oss-preflight-result.json - - - name: Download NGINX Gateway Fabric Operator image artifact + - name: Download image artifact uses: actions/download-artifact@v4 with: - name: operator-image + name: ${{ inputs.image }}-${{ inputs.image_version }} - - name: Load NGINX Gateway Fabric Operator image into Docker - run: docker load -i operator-image.tar + - name: Load image into Docker + run: docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar - name: Retag image for preflight run: | - IMAGE_ID=$(docker images --format '{{.Repository}}:{{.Tag}}' | grep 
'^localhost:5000/nginx-gateway-fabric/operator:' | head -n 1) - docker tag $IMAGE_ID ngf-operator:ubi + loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" + preflight_tag="${{ inputs.image }}:ubi" + docker tag "$loaded_tag" "$preflight_tag" - - name: Run preflight for NGINX Gateway Fabric Operator + - name: Run preflight env: PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }} - run: preflight check container ngf-operator:ubi > ngf-operator-preflight-result.json + run: preflight check container ${{ inputs.image }}:ubi > preflight-result.json - - name: Aggregate preflight results and fail if any checks failed + - name: Check preflight results run: | - total_failed=0 - for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do - failed_count=$(jq '.results.failed | length' "$result") - total_failed=$((total_failed + failed_count)) - done - if [ "$total_failed" -ne 0 ]; then - echo "Preflight checks failed: $total_failed failed checks across all images" - for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do - echo "Results for $result:" - jq '.results.failed' "$result" - done + failed_count=$(jq '.results.failed | length' preflight-result.json) + if [ "$failed_count" -ne 0 ]; then + echo "Preflight checks failed: $failed_count failed checks" + echo "Results for preflight-result.json:" + jq '.results.failed' preflight-result.json exit 1 fi From 9a16ec5b132acd9a7621623cd314b088456044e6 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 10:36:11 +0100 Subject: [PATCH 17/24] Add image to input --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1fad62b06d..f812f840fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
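Review bot: The gate in `Check preflight results` only counts `.results.failed`, so a check that errors out rather than fails would let the image through; preflight's result JSON also carries an `errors` list and a top-level `passed` boolean, if its schema matches upstream. A stricter and shorter gate is `jq -e '.passed == true' preflight-result.json`, printing `.results.failed` and `.results.errors` when it is false. The step also assumes preflight writes the result JSON to stdout; I'd confirm that, or read the results file preflight writes under its artifacts directory, since jq applied to log text fails the step for the wrong reason.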
@@ -421,6 +421,7 @@ jobs: with: runner: ubuntu-24.04 image_version: ${{ jobs.build.outputs.image_version }} + image: ${{ matrix.image }} permissions: contents: read packages: read From 90f1618c2026faf25004c710358082197f61549a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 11:02:08 +0100 Subject: [PATCH 18/24] Remove image version output --- .github/workflows/build.yml | 8 +++----- .github/workflows/ci.yml | 1 - .github/workflows/openshift-certification.yml | 9 +++------ 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 831716bd0f..f497989b48 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,8 +46,6 @@ jobs: image: registry:3 ports: - 5000:5000 - outputs: - image_version: ${{ steps.meta.outputs.version }} steps: - name: Checkout Repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -202,10 +200,10 @@ jobs: - name: Save the image as tarball run: | - docker save -o ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} + docker save -o ${{ inputs.image }}.tar localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} - name: Upload the image artifact uses: actions/upload-artifact@v4 with: - name: ${{ inputs.image }}-${{ steps.meta.outputs.version }} - path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar + name: ${{ inputs.image }} + path: ${{ inputs.image }}.tar diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f812f840fb..e1781707eb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -420,7 +420,6 @@ jobs: uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 - image_version: ${{ jobs.build.outputs.image_version }} image: ${{ matrix.image }} permissions: contents: read 
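Review bot: Naming the artifact just `${{ inputs.image }}` collides as soon as build.yml is called twice for the same image in one run — this workflow's cache scope already distinguishes `inputs.image` by `inputs.build-os`, and upload-artifact v4 rejects a second upload under an existing name. I'd keep a build-os suffix on the artifact and tarball, e.g. `name: ${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}`, and have the certification workflow download that same name. Dropping the version from the name also removes the only thing that tied the tarball to the version the caller was passing in the previous commit.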
diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 88d46d7169..278aed7eaf 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -7,9 +7,6 @@ on: required: false type: string default: 'ubuntu-24.04' - image_version: - required: true - type: string image: required: true type: string @@ -37,14 +34,14 @@ jobs: - name: Download image artifact uses: actions/download-artifact@v4 with: - name: ${{ inputs.image }}-${{ inputs.image_version }} + name: ${{ inputs.image }} - name: Load image into Docker - run: docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar + run: docker load -i ${{ inputs.image }}.tar - name: Retag image for preflight run: | - loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" + loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}" preflight_tag="${{ inputs.image }}:ubi" docker tag "$loaded_tag" "$preflight_tag" From ff72dc3d64255c52e1d05e488505e424c6f989d8 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 11:26:55 +0100 Subject: [PATCH 19/24] Use docker buildx to ensure images for multi platforms are saved --- .github/workflows/build.yml | 26 ++++++++++++------- .github/workflows/ci.yml | 2 ++ .github/workflows/openshift-certification.yml | 9 ++++--- 3 files changed, 24 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f497989b48..cc840cb401 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
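Review bot: `loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}"` has no tag, so `docker tag` resolves it as `:latest`; the tarball loaded in the previous step carries the metadata-action version tag, so unless that version happens to be `latest` the retag step fails with a missing-image error. Either keep the version on the reference or take it from `docker load`'s output, e.g. `loaded_tag=$(docker load -i ${{ inputs.image }}.tar | sed -n 's/^Loaded image: //p')` in the load step, handed to the retag step through `$GITHUB_OUTPUT`.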
@@ -155,7 +155,6 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} push: ${{ !inputs.dry_run }} - load: true platforms: ${{ inputs.platforms }} cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} cache-to: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},mode=max @@ -195,15 +194,22 @@ jobs: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} - - name: Show all image tags for debugging - run: echo "${{ steps.meta.outputs.tags }}" - - - name: Save the image as tarball + - name: Export and upload images for all platforms run: | - docker save -o ${{ inputs.image }}.tar localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} - - - name: Upload the image artifact + # Remove spaces and split platforms by comma + platforms=$(echo "${{ inputs.platforms }}" | tr -d ' ' | tr ',' ' ') + for platform in $platforms; do + # Replace / with - for tarball name (e.g., linux/amd64 -> linux-amd64) + plat_tag=$(echo "$platform" | tr '/' '-') + # Create a local reference for the platform + docker buildx imagetools create --tag tempimg-$plat_tag ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --platform $platform + # Export the image as a tarball + docker buildx imagetools export tempimg-$plat_tag > ${{ inputs.image }}-$plat_tag.tar + done + + - name: Upload all image artifacts uses: actions/upload-artifact@v4 with: - name: ${{ inputs.image }} - path: ${{ inputs.image }}.tar + name: ${{ inputs.image }}-images + path: ${{ inputs.image }}-*.tar + diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e1781707eb..12354ca2ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
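Review bot: `docker buildx imagetools export` is not a buildx subcommand — `imagetools` provides `create` and `inspect` — so the new export step fails at its second command; the same pair of commands reappears in the later "Remove platform option" rewrite. `imagetools create --tag tempimg-$plat_tag` is also a push of a new manifest to a registry, and an unqualified tag resolves to Docker Hub, while on a dry run (`push: ${{ !inputs.dry_run }}`) the ghcr.io source manifest never exists. To produce a loadable per-platform tarball I'd pull the platform-specific image and save it (`docker pull --platform "$platform" "$ref"` then `docker save -o "$out" "$ref"`), or run a separate single-platform build with the docker exporter.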
@@ -416,11 +416,13 @@ jobs: fail-fast: false matrix: image: [ngf, nginx, operator] + platform: ["linux/amd64", "linux/arm64"] # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: runner: ubuntu-24.04 image: ${{ matrix.image }} + platform: ${{ matrix.platform }} permissions: contents: read packages: read diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 278aed7eaf..37286cbde6 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -10,6 +10,9 @@ on: image: required: true type: string + platform: + required: true + type: string defaults: run: @@ -34,14 +37,14 @@ jobs: - name: Download image artifact uses: actions/download-artifact@v4 with: - name: ${{ inputs.image }} + name: ${{ inputs.image }}-images # or ${{ inputs.image }}-linux-${{ inputs.platform | tr '/' '-' }} - name: Load image into Docker - run: docker load -i ${{ inputs.image }}.tar + run: docker load -i ${{ inputs.image }}-${{ inputs.platform | tr '/' '-' }}.tar - name: Retag image for preflight run: | - loaded_tag="localhost:5000/nginx-gateway-fabric/${{ inputs.image }}" + loaded_tag="ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}" preflight_tag="${{ inputs.image }}:ubi" docker tag "$loaded_tag" "$preflight_tag" From ff3b9599695473dd4c588ef874b7662100fd225c Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 11:29:10 +0100 Subject: [PATCH 20/24] Fix pre-commit errors --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cc840cb401..418bbb24ef 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
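Review bot: `${{ inputs.platform | tr '/' '-' }}` is not valid expression syntax — GitHub expressions have no pipe/filter operator — so the workflow fails to parse at the `docker load` line (the same text on the `name:` line is only in a comment). Separately, `loaded_tag` references `inputs.image_version`, which this workflow no longer declares after the previous commit, so the reference ends in a bare `:` and the retag fails. Convert the platform in shell instead, `plat_tag=$(echo "${{ inputs.platform }}" | tr '/' '-')`, and either re-declare the `image_version` input or take the tag from `docker load`'s output.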
@@ -212,4 +212,3 @@ jobs: with: name: ${{ inputs.image }}-images path: ${{ inputs.image }}-*.tar - From e76b660ad9a8cd1a51524ed9f350cc9256f7ffa0 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 13:59:34 +0100 Subject: [PATCH 21/24] Ensure image_version is passed to opernshift certification --- .github/workflows/build.yml | 5 +++++ .github/workflows/ci.yml | 4 ++++ .github/workflows/openshift-certification.yml | 4 +++- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 418bbb24ef..6b91f069b8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,6 +25,9 @@ on: required: false type: string default: 'ubuntu-24.04' + outputs: + image_version: + value: ${{ jobs.build.outputs.image_version }} defaults: run: @@ -41,6 +44,8 @@ jobs: packages: write # for docker/build-push-action to push to GHCR id-token: write # for docker/login to login to NGINX registry runs-on: ${{ inputs.runner }} + outputs: + image_version: ${{ steps.meta.outputs.version }} services: registry: image: registry:3 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 12354ca2ee..dba3de6621 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -423,6 +423,10 @@ jobs: runner: ubuntu-24.04 image: ${{ matrix.image }} platform: ${{ matrix.platform }} + image_version: > + ${{ matrix.image == 'ngf' && needs.build-oss.outputs.image_version + || matrix.image == 'nginx' && needs.build-oss.outputs.image_version + || matrix.image == 'operator' && needs.build-operator.outputs.image_version }} permissions: contents: read packages: read diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 37286cbde6..1c66873847 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml 
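Review bot: `image_version: >` is a folded scalar that keeps one trailing newline, so the value handed to the called workflow is the resolved version followed by `\n`; when that is expanded into `docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar` the command is split across two lines and `.tar` runs as a command of its own. Use the strip form, `image_version: >-`. Both `ngf` and `nginx` map to `needs.build-oss.outputs.image_version`; if build-oss is a matrix job, its output is set by whichever leg finishes last, so this only works while every leg derives the same version — worth a comment on that line.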
@@ -40,7 +40,9 @@ jobs: name: ${{ inputs.image }}-images # or ${{ inputs.image }}-linux-${{ inputs.platform | tr '/' '-' }} - name: Load image into Docker - run: docker load -i ${{ inputs.image }}-${{ inputs.platform | tr '/' '-' }}.tar + run: | + plat_tag=$(echo "${{ inputs.platform }}" | tr '/' '-') + docker load -i ${{ inputs.image }}-$plat_tag.tar - name: Retag image for preflight run: | From cb8d8f90e9d096d6732db48395be96f62b5a9404 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 14:07:53 +0100 Subject: [PATCH 22/24] Add image_version to inputs --- .github/workflows/openshift-certification.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 1c66873847..4f428b1c10 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -13,6 +13,9 @@ on: platform: required: true type: string + image_version: + required: true + type: string defaults: run: From a9d3eb918e44a9ee3d149acefe56055ae59345f2 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 14:24:48 +0100 Subject: [PATCH 23/24] Remove platform option --- .github/workflows/build.yml | 15 +++++---------- .github/workflows/ci.yml | 1 - .github/workflows/openshift-certification.yml | 8 ++------ 3 files changed, 7 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6b91f069b8..4ee716f4fe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -199,21 +199,16 @@ jobs: sarif_file: ${{ steps.scan.outputs.sarif }} category: build-${{ inputs.image }} - - name: Export and upload images for all platforms + - name: Export and upload images run: | - # Remove spaces and split platforms by comma - platforms=$(echo "${{ inputs.platforms }}" | tr -d ' ' | tr ',' ' ') - for platform in $platforms; do - # Replace / with - for tarball name (e.g., linux/amd64 -> linux-amd64) - plat_tag=$(echo "$platform" | tr '/' '-') # Create a local reference for the platform - docker buildx imagetools create --tag tempimg-$plat_tag ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --platform $platform + docker buildx imagetools create --tag temp ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} # Export the image as a tarball - docker buildx imagetools export tempimg-$plat_tag > ${{ inputs.image }}-$plat_tag.tar + docker buildx imagetools export temp > ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar done - name: Upload all image artifacts uses: actions/upload-artifact@v4 with: - name: ${{ inputs.image }}-images - path: ${{ inputs.image }}-*.tar + name: ${{ inputs.image }}-${{ steps.meta.outputs.version }} + path: ${{ inputs.image }}-${{ steps.meta.outputs.version }}.tar diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dba3de6621..03b2bbbd11 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -416,7 +416,6 @@ jobs: fail-fast: false matrix: image: [ngf, nginx, operator] - platform: ["linux/amd64", "linux/arm64"] # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }} uses: ./.github/workflows/openshift-certification.yml with: 
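Review bot: The `for platform in ... do` line is removed but the ` done` that closed the loop is left as a context line, so the `run:` script now has an unmatched `done` and fails with a syntax error before either buildx command runs; delete that line. The `imagetools create --tag temp` / `imagetools export temp` pair keeps the problems raised on the earlier "Use docker buildx" commit: there is no `export` subcommand, and `create` pushes the unqualified `temp` tag to a registry rather than producing a local image.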
diff --git a/.github/workflows/openshift-certification.yml b/.github/workflows/openshift-certification.yml index 4f428b1c10..dd5b6a2d1d 100644 --- a/.github/workflows/openshift-certification.yml +++ b/.github/workflows/openshift-certification.yml @@ -10,9 +10,6 @@ on: image: required: true type: string - platform: - required: true - type: string image_version: required: true type: string @@ -40,12 +37,11 @@ jobs: - name: Download image artifact uses: actions/download-artifact@v4 with: - name: ${{ inputs.image }}-images # or ${{ inputs.image }}-linux-${{ inputs.platform | tr '/' '-' }} + name: ${{ inputs.image }}-images - name: Load image into Docker run: | - plat_tag=$(echo "${{ inputs.platform }}" | tr '/' '-') - docker load -i ${{ inputs.image }}-$plat_tag.tar + docker load -i ${{ inputs.image }}-${{ inputs.image_version }}.tar - name: Retag image for preflight run: | From 7d185bffb9e342dc163cace46e3e4ca007951ba8 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 8 Oct 2025 14:28:32 +0100 Subject: [PATCH 24/24] Remove platform from `with` --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 03b2bbbd11..b9f904fa39 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -421,7 +421,6 @@ jobs: with: runner: ubuntu-24.04 image: ${{ matrix.image }} - platform: ${{ matrix.platform }} image_version: > ${{ matrix.image == 'ngf' && needs.build-oss.outputs.image_version || matrix.image == 'nginx' && needs.build-oss.outputs.image_version
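Review bot: The download step asks for artifact `${{ inputs.image }}-images`, but the same commit changes build.yml to upload `${{ inputs.image }}-${{ steps.meta.outputs.version }}`, so download-artifact finds nothing and the job fails before `docker load`. The load step already expects `${{ inputs.image }}-${{ inputs.image_version }}.tar`, so the download name should match it: `name: ${{ inputs.image }}-${{ inputs.image_version }}`.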