Add workflow to validate UBI images pass RedHat Certification

.github/workflows/build.yml

@@ -193,3 +193,27 @@ jobs:
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
           category: build-${{ inputs.image }}
+
+      - name: Save NGINX OSS image as tarball
+        if: ${{ inputs.image == 'nginx' }}
+        run: |
+          docker save -o nginx-oss-image.tar localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }}
+
+      - name: Upload NGINX OSS image artifact
+        if: ${{ inputs.image == 'nginx' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: nginx-oss-image
+          path: nginx-oss-image.tar
+
+      - name: Save Operator image as tarball
+        if: ${{ inputs.image == 'operator' }}
+        run: |
+          docker save -o operator-image.tar localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }}
+
+      - name: Upload Operator image artifact
+        if: ${{ inputs.image == 'operator' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: operator-image
+          path: operator-image.tar

.github/workflows/ci.yml

@@ -271,6 +271,15 @@ jobs:
           path: ${{ github.workspace }}/dist
           key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
 
+      - name: Save NGINX Gateway Fabric image
+        run: docker save -o ngf-image.tar localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }}
+
+      - name: Upload NGINX Gateway Fabric image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ngf-image
+          path: ngf-image.tar
+
   assertion:
     name: Generate and Sign Assertion Documents
     needs: [vars, binary]
@@ -409,6 +418,18 @@ jobs:
       id-token: write # for docker/login to login to NGINX registry
     secrets: inherit
 
+  openshift-certification:
+    name: OpenShift Certification
+    needs: [build-oss, build-plus, build-operator]
+    # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }}
+    uses: ./.github/workflows/openshift-certification.yml
+    with:
+      runner: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+    secrets: inherit
+
   functional-tests:
     name: Functional tests
     needs: [vars, build-oss, build-plus]

.github/workflows/openshift-certification.yml

@@ -0,0 +1,96 @@
+name: OpenShift Certification
+
+on:
+  workflow_call:
+    inputs:
+      runner:
+        required: false
+        type: string
+        default: 'ubuntu-24.04'
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  preflight:
+    runs-on: ${{ inputs.runner }}
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Download preflight binary
+      run: |
+        curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64
+        chmod +x preflight-linux-amd64
+        sudo mv preflight-linux-amd64 /usr/local/bin/preflight
+
+    - name: Download NGINX Gateway Fabric image artifact
+      uses: actions/download-artifact@v4
+      with:
+        name: ngf-image
+
+    - name: Load NGINX Gateway Fabric image into Docker
+      run: docker load -i ngf-image.tar
+
+    - name: Tag image for preflight
+      run: |
+        docker tag localhost:5000/nginx/nginx-gateway-fabric:${{ github.run_id }}-${{ github.run_number }} nginx-gateway-fabric:edge-ubi
+
+    - name: Run preflight for NGINX Gateway Fabric
+      env:
+        PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
+      run: preflight check container nginx-gateway-fabric:edge-ubi  > ngf-preflight-result.json
+
+    - name: Download NGINX NGINX OSS image artifact
+      uses: actions/download-artifact@v4
+      with:
+        name: nginx-oss-image
+
+    - name: Load NGINX OSS image into Docker
+      run: docker load -i nginx-oss-image.tar
+
+    - name: Tag image for preflight
+      run: |
+        docker tag localhost:5000/nginx-gateway-fabric/nginx:${{ github.run_id }}-${{ github.run_number }}nginx-oss:edge-ubi
+
+    - name: Run preflight for NGINX OSS
+      env:
+        PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
+      run: preflight check container nginx:edge-ubi > ngf-oss-preflight-result.json
+
+    - name: Download NGINX Gateway Fabric Operator image artifact
+      uses: actions/download-artifact@v4
+      with:
+        name: operator-image
+
+    - name: Load NGINX Gateway Fabric Operator image into Docker
+      run: docker load -i operator-image.tar
+
+    - name: Tag image for preflight
+      run: |
+        docker tag localhost:5000/nginx-gateway-fabric/operator:${{ github.run_id }}-${{ github.run_number }} ngf-operator:edge
+
+    - name: Run preflight for NGINX Gateway Fabric Operator
+      env:
+        PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
+      run: preflight check container ngf-operator:edge > ngf-operator-preflight-result.json
+
+    - name: Aggregate preflight results and fail if any checks failed
+      run: |
+        total_failed=0
+        for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do
+        failed_count=$(jq '.results.failed | length' "$result")
+        total_failed=$((total_failed + failed_count))
+        done
+        if [ "$total_failed" -ne 0 ]; then
+        echo "Preflight checks failed: $total_failed failed checks across all images"
+        for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do
+        echo "Results for $result:"
+        jq '.results.failed' "$result"
+        done
+        exit 1
+        fi