Skip to content

Add workflow to validate UBI images pass RedHat Certification #4035

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 12 commits into
base: main
Choose a base branch
from
+141 −0
Draft

Add workflow to validate UBI images pass RedHat Certification #4035

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
2121f3b
Add workflow to validate UBI images pass RedHat Certification
shaun-nx Oct 7, 2025
d61c9f4
Update args and fix pre-commit checks
shaun-nx Oct 7, 2025
2ffc89c
Add premissions and default run env
shaun-nx Oct 7, 2025
34d29e7
Ensure Openshift ceritfication runs outside of prod release
shaun-nx Oct 7, 2025
11cb2ec
Update dry_run input
shaun-nx Oct 7, 2025
c132f47
Ensure Openshift certification runs only on merges to main, and durin…
shaun-nx Oct 7, 2025
7597193
Potential fix for code scanning alert no. 542: If expression always true
shaun-nx Oct 7, 2025
9691208
tmp remove if check for certification job
shaun-nx Oct 7, 2025
bb8a349
Remove `--json` flag
shaun-nx Oct 7, 2025
f164607
Use check container instead of check operator
shaun-nx Oct 7, 2025
8d908cf
Add steps to save and tag docker images for use by preflight checks
shaun-nx Oct 7, 2025
afc676e
change operator to container
shaun-nx Oct 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -409,6 +409,23 @@
id-token: write # for docker/login to login to NGINX registry
secrets: inherit

openshift-certification:
name: OpenShift Certification
needs: [build-oss, build-plus, build-operator]
if: >

Check failure on line 415 in .github/workflows/ci.yml

View workflow job for this annotation

GitHub Actions / Actionlint 

[actionlint] reported by reviewdog 🐶
if: condition "${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }}\n" is always evaluated to true because extra characters are around ${{ }} [if-cond]

Raw Output:
e:.github/workflows/ci.yml:415:9: if: condition "${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (inputs.is_production_release == true) }}\n" is always evaluated to true because extra characters are around ${{ }} [if-cond]
${{ github.event_name == 'pull_request'
&& github.event.pull_request.base.ref == 'main'
|| (github.event_name == 'push' && github.ref == 'refs/heads/main')
|| (inputs.is_production_release == true)
}}
uses: ./.github/workflows/openshift-certification.yml
with:
runner: ubuntu-24.04
permissions:
contents: read
packages: read
secrets: inherit

functional-tests:
name: Functional tests
needs: [vars, build-oss, build-plus]
Expand Down
60 changes: 60 additions & 0 deletions .github/workflows/openshift-certification.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
name: OpenShift Certification

on:
workflow_call:
inputs:
runner:
required: false
type: string
default: 'ubuntu-24.04'

defaults:
run:
shell: bash

permissions:
contents: read

jobs:
preflight:
runs-on: ${{ inputs.runner }}
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Download preflight binary
run: |
curl -LO https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/latest/download/preflight-linux-amd64
chmod +x preflight-linux-amd64
sudo mv preflight-linux-amd64 /usr/local/bin/preflight
- name: Run preflight for NGINX Gateway Fabric
env:
PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
run: preflight check container ghcr.io/nginx/nginx-gateway-fabric:edge-ubi --json > ngf-preflight-result.json
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't the images being tested reflect what was built in this run instead of hardcoding to edge?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right, I added these more to test the pipeline in general. I'll make sure those get updated


- name: Run preflight for NGINX OSS
env:
PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
run: preflight check container ghcr.io/nginx/nginx-gateway-fabric/nginx:edge-ubi --json > ngf-oss-preflight-result.json

- name: Run preflight for NGINX Gateway Fabric Operator
env:
PYXIS_API_TOKEN: ${{ secrets.PYXIS_API_TOKEN }}
run: preflight check operator ghcr.io/nginx/nginx-gateway-fabric/operator:edge --json > ngf-operator-preflight-result.json

- name: Aggregate preflight results and fail if any checks failed
run: |
total_failed=0
for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do
failed_count=$(jq '.results.failed | length' "$result")
total_failed=$((total_failed + failed_count))
done
if [ "$total_failed" -ne 0 ]; then
echo "Preflight checks failed: $total_failed failed checks across all images"
for result in ngf-preflight-result.json ngf-oss-preflight-result.json ngf-operator-preflight-result.json; do
echo "Results for $result:"
jq '.results.failed' "$result"
done
exit 1
fi
Loading