Add steps to submit images for certification (#142)

lucacome · web-flow · commit d2d176a03e7f · 2023-06-30T13:11:17.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,7 +5,7 @@ on:
     branches:
       - main
     tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - "v[0-9]+.[0-9]+.[0-9]+"
   pull_request:
     branches:
       - main
@@ -97,7 +97,7 @@ jobs:
       - name: Build Image
         uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
         with:
-          context: '.'
+          context: "."
           cache-from: type=gha
           cache-to: type=gha,mode=max
           tags: ${{ steps.meta.outputs.tags }}
@@ -115,29 +115,29 @@ jobs:
         continue-on-error: true
         with:
           image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          ignore-unfixed: 'true'
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: "true"
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
         continue-on-error: true
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"
 
       - name: Upload Scan Results
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         continue-on-error: true
         with:
-          name: 'trivy-results.sarif'
-          path: 'trivy-results.sarif'
+          name: "trivy-results.sarif"
+          path: "trivy-results.sarif"
         if: always()
 
       - name: Create/Update Draft
         uses: lucacome/draft-release@d13ccde6350706e32f451566ee5cd4bf5a27de3d # v0.2.1
         with:
-          minor-label: 'enhancement'
-          major-label: 'change'
+          minor-label: "enhancement"
+          major-label: "change"
           variables: |
             nic_version=${{ steps.vars.outputs.chart_version }}
             openshift_version=${{ steps.vars.outputs.openshift_version }}
@@ -147,3 +147,17 @@ jobs:
             - NGINX Ingress Controller {{nic_version}}
             - OpenShift {{openshift_version}} or newer.
         if: github.event_name != 'pull_request'
+
+      - name: Certify Images
+        continue-on-error: true
+        run: |
+          curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.6.9/preflight-linux-amd64 --output preflight
+          chmod +x preflight
+
+          IFS=',' read -ra arch_list <<< "${{ env.platforms }}"
+
+          for arch in "${arch_list[@]}"; do
+              architecture=("${arch#*/}")
+              ./preflight check container quay.io/nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }} --pyxis-api-token ${{ secrets.PYXIS_API_TOKEN }} --certification-project-id ${{ secrets.CERTIFICATION_PROJECT_ID }} --platform $architecture --submit
+          done
+        if: ${{ startsWith(github.ref, 'refs/tags') }}
