nginx · shaun-nx · Oct 7, 2025 · Oct 7, 2025 · Oct 7, 2025 · Oct 7, 2025
@@ -25,6 +25,9 @@ on:
         required: false
         type: string
         default: 'ubuntu-24.04'
+    outputs:
+      image_version:
+        value: ${{ jobs.build.outputs.image_version }}
 
 defaults:
   run:
@@ -41,6 +44,8 @@ jobs:
       packages: write # for docker/build-push-action to push to GHCR
       id-token: write # for docker/login to login to NGINX registry
     runs-on: ${{ inputs.runner }}
+    outputs:
+      image_version: ${{ steps.meta.outputs.version }}
     services:
       registry:
         image: registry:3
@@ -110,6 +115,14 @@ jobs:
           password: ${{ steps.auth.outputs.access_token }}
         if: ${{ github.event_name != 'pull_request' && contains(inputs.image, 'plus') }}
 
+      - name: Login to Quay.io
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+        if: ${{ ! inputs.dry_run }}
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
@@ -122,6 +135,9 @@ jobs:
             name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
             name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/operator,enable=${{ inputs.image == 'operator' && github.event_name != 'pull_request' }}
             name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}
+            name=quay.io/${{ github.repository_owner }}/nginx-gateway-fabric,enable=${{ inputs.image == 'ngf' && inputs.build-os == 'ubi'}}
+            name=quay.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && inputs.build-os == 'ubi' }}
+            name=quay.io/${{ github.repository_owner }}/nginx-gateway-fabric/operator,enable=${{ inputs.image == 'operator' && inputs.build-os == 'ubi'}}
           flavor: |
             latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
           tags: |

@@ -271,6 +271,12 @@
           path: ${{ github.workspace }}/dist
           key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
 
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: dist-${{ github.run_id }}
+          path: ${{ github.workspace }}/dist
+
   assertion:
     name: Generate and Sign Assertion Documents
     needs: [vars, binary]
@@ -409,6 +415,32 @@
       id-token: write # for docker/login to login to NGINX registry
     secrets: inherit
 
+  openshift-certification:
+    name: OpenShift Certification
+    needs: [build-oss, build-plus, build-operator]
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [ngf, nginx, operator]
+    # if: ${{ github.event_name == 'pull_request' && github.event_pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }}
+    if: |
+      ${{ matrix.image == 'operator' || (
+      (matrix.image == 'ngf' || matrix.image == 'nginx') &&
+      contains(
+      (matrix.image == 'ngf' && needs.build-oss.outputs.image_version || matrix.image == 'nginx' && needs.build-oss.outputs.image_version),
+      '-ubi'
+      )
+      ) }}
+    uses: ./.github/workflows/openshift-certification.yml
+    with:
+      image: ${{ matrix.image }}
+      tag: ${{ inputs.release_version || '' }}
+      dry_run: ${{ inputs.dry_run || false }}
+    permissions:
+      contents: read
+      packages: read
+    secrets: inherit
+
   functional-tests:
     name: Functional tests
     needs: [vars, build-oss, build-plus]

@@ -0,0 +1,70 @@
+name: OpenShift Certification
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        required: true
+        type: string
+      image_version:
+        required: true
+        type: string
+      tag:
+        required: false
+        type: string
+        default: ''
+      dry_run:
+        required: false
+        type: boolean
+        default: false
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  preflight:
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        ref: ${{ (inputs.tag != '' && !inputs.dry_run ) && format('refs/tags/v{0}', inputs.tag) || github.ref }}
+
+    - name: Login to Quay.io
+      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_USERNAME }}
+        password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+      if: ${{ ! inputs.dry_run }}
+
+    - name: Download preflight binary
+      run: |
+        curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64
+        chmod +x preflight-linux-amd64
+        sudo mv preflight-linux-amd64 /usr/local/bin/preflight
+
+    - name: Run preflight
+      env:
+        PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
+      run: |
+        if [[ "${{ inputs.image }}" == "ngf" ]]; then
+        IMAGE_PATH="quay.io/${{ github.repository_owner }}/nginx-gateway-fabric:${{ inputs.image_version }}"
+        else
+        IMAGE_PATH="quay.io/${{ github.repository_owner }}/nginx-gateway-fabric/${{ inputs.image }}:${{ inputs.image_version }}"
+        fi
+        preflight check container "$IMAGE_PATH" > preflight-result.json
+
+    - name: Check preflight results
+      run: |
+        failed_count=$(jq '.results.failed | length' preflight-result.json)
+        if [ "$failed_count" -ne 0 ]; then
+        echo "Preflight checks failed: $failed_count failed checks"
+        echo "Results for preflight-result.json:"
+        jq '.results.failed' preflight-result.json
+        exit 1
+        fi