F5 github runners

Author: pdabelf5

.github/workflows/ci.yml

@@ -4,8 +4,6 @@ on:
   push:
     branches:
       - main
-    tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"
   pull_request:
     branches:
       - main
@@ -43,7 +41,7 @@ jobs:
 
   build-docker:
     name: Build Docker Image
-    runs-on: ubuntu-24.04
+    runs-on: ${{ github.event_name == 'pull_request' && 'ubuntu-24.04' || 'ubuntu-24.04-amd64' }}
     permissions:
       contents: write # for lucacome/draft-release to create/update release draft
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -59,8 +57,6 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          fetch-depth: 0
 
       - name: Setup Golang Environment
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
@@ -125,10 +121,6 @@ jobs:
           tags: |
             type=edge
             type=ref,event=pr
-            type=schedule
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}
-            type=semver,pattern={{major}}.{{minor}}
           labels: |
             org.opencontainers.image.vendor=NGINX Inc <[email protected]>
         env:
@@ -139,51 +131,29 @@ jobs:
         with:
           minor-label: "enhancement"
           major-label: "change"
-          publish: ${{ github.ref_type == 'tag' }}
+          publish: false
           collapse-after: 30
           notes-footer: |
             ## Upgrade
 
             - Use the {{version}} image from our [DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/nginx-prometheus-exporter/pkgs/container/nginx-prometheus-exporter), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-prometheus-exporter) or [Quay.io](https://quay.io/repository/nginx/nginx-prometheus-exporter/tag/{{version-number}}?tab=tags).
             - Download the latest binaries from the [GitHub releases page](https://github.com/nginx/nginx-prometheus-exporter/releases/tag/{{version}}).
-            - Update to the latest version with `brew upgrade nginx-prometheus-exporter`, `snap refresh nginx-prometheus-exporter` or `scoop update nginx-prometheus-exporter`.
+            - Update to the latest version with `brew upgrade nginx-prometheus-exporter` or `scoop update nginx-prometheus-exporter`.
 
             ## Compatibility
 
             - NGINX 0.1.18 or newer.
             - NGINX Plus R19 or newer.
         if: github.event_name != 'pull_request'
 
-      - name: Download Syft
-        uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
-        if: github.ref_type == 'tag'
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
-        if: github.ref_type == 'tag'
-
-      - name: Setup Snapcraft
-        run: |
-          sudo snap install snapcraft --classic
-          mkdir -p $HOME/.cache/snapcraft/download
-          mkdir -p $HOME/.cache/snapcraft/stage-packages
-        if: github.ref_type == 'tag'
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31
-        with:
-          github_access_token: ${{ secrets.GITHUB_TOKEN }}
-        if: github.ref_type == 'tag'
-
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: v2.12.5 # renovate: datasource=github-tags depName=goreleaser/goreleaser
-          args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} --clean
+          args: build --snapshot --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NGINX_GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
-          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN }}
 
       - name: Print NGINX Prometheus Exporter info
         run: ./dist/nginx-prometheus-exporter_linux_amd64_v1/nginx-prometheus-exporter --version
@@ -199,7 +169,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ steps.meta.outputs.annotations }}
-          push: true
+          push: ${{ github.event_name != 'pull_request' }}
           cache-from: type=gha,scope=exporter
           cache-to: type=gha,scope=exporter,mode=max
           no-cache: ${{ github.event_name != 'pull_request' }}
@@ -211,12 +181,14 @@ jobs:
         id: scan
         continue-on-error: true
         with:
-          image: localhost:5000/nginx/nginx-prometheus-exporter:${{ steps.meta.outputs.version }}
+          image: localhost:5000/nginx/nginx-prometheus-exporter:edge
           only-fixed: true
           add-cpes-if-none: true
+        if: github.event_name != 'pull_request'
 
       - name: Upload scan result to GitHub Security tab
         uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
         continue-on-error: true
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+        if: github.event_name != 'pull_request'

.github/workflows/release.yml

@@ -0,0 +1,199 @@
+name: Release NGINX Prometheus Exporter
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version (e.g. 1.0.0)'
+        required: true
+      dry_run:
+        description: 'Dry run'
+        required: false
+        default: false
+        type: boolean
+
+env:
+  DOCKER_PLATFORMS: "linux/arm/v5,linux/arm/v6,linux/arm/v7,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x,linux/mips64le,linux/386,linux/riscv64"
+
+concurrency:
+  group: ${{ github.ref_name }}-release
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  variables:
+    name: Setup variables
+    runs-on: ubuntu-24.04
+    outputs:
+      tag: ${{ steps.vars.outputs.tag }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+
+      - name: Get version
+        id: vars
+        run: echo "tag=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+
+  build-docker:
+    name: Build Docker Image
+    runs-on: ubuntu-24.04-amd64
+    permissions:
+      contents: write # for lucacome/draft-release to create/update release draft
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      id-token: write # for OIDC login to AWS ECR and goreleaser/goreleaser-action to sign artifacts
+      packages: write # for docker/build-push-action to push to GHCR
+      issues: write # for goreleaser/goreleaser-action to close milestones
+    services:
+      registry:
+        image: registry:3
+        ports:
+          - 5000:5000
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Setup Golang Environment
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        with:
+          version: latest
+          driver-opts: network=host
+
+      - name: DockerHub Login
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
+
+      - name: Login to Public ECR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: public.ecr.aws
+
+      - name: Login to Quay.io
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: |
+            name=nginx/nginx-prometheus-exporter,enable=true
+            name=ghcr.io/nginx/nginx-prometheus-exporter,enable=true
+            name=public.ecr.aws/nginx/nginx-prometheus-exporter,enable=true
+            name=quay.io/nginx/nginx-prometheus-exporter,enable=true
+            name=localhost:5000/nginx/nginx-prometheus-exporter
+          tags: |
+            type=raw,value=${{ github.event.inputs.version }}
+          labels: |
+            org.opencontainers.image.vendor=NGINX Inc <[email protected]>
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+      - name: Create/Update Draft
+        uses: lucacome/draft-release@fd099feb33710d1fa27b915a08a7acd6a1fb7fd2 # v2.0.0
+        with:
+          minor-label: "enhancement"
+          major-label: "change"
+          publish: ${{ !github.event.inputs.dry_run }}
+          collapse-after: 30
+          notes-footer: |
+            ## Upgrade
+
+            - Use the {{version}} image from our [DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/nginx-prometheus-exporter/pkgs/container/nginx-prometheus-exporter), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-prometheus-exporter) or [Quay.io](https://quay.io/repository/nginx/nginx-prometheus-exporter/tag/{{version-number}}?tab=tags).
+            - Download the latest binaries from the [GitHub releases page](https://github.com/nginx/nginx-prometheus-exporter/releases/tag/{{version}}).
+            - Update to the latest version with `brew upgrade nginx-prometheus-exporter` or `scoop update nginx-prometheus-exporter`.
+
+            ## Compatibility
+
+            - NGINX 0.1.18 or newer.
+            - NGINX Plus R19 or newer.
+
+      - name: Download Syft
+        uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          version: v2.12.5 # renovate: datasource=github-tags depName=goreleaser/goreleaser
+          args: ${{ github.event.inputs.dry_run && 'build --snapshot' || 'release' }} --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NGINX_GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+
+      - name: Print NGINX Prometheus Exporter info
+        run: ./dist/nginx-prometheus-exporter_linux_amd64_v1/nginx-prometheus-exporter --version
+        continue-on-error: false
+
+      - name: Build and Push Docker Image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          file: build/Dockerfile
+          context: "."
+          target: goreleaser
+          platforms: ${{ env.DOCKER_PLATFORMS }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          push: ${{ !github.event.inputs.dry_run }}
+          cache-from: type=gha,scope=exporter
+          cache-to: type=gha,scope=exporter,mode=max
+          no-cache: true
+          provenance: mode=max
+          sbom: true
+
+      - name: Scan image
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
+        id: scan
+        continue-on-error: true
+        with:
+          image: localhost:5000/nginx/nginx-prometheus-exporter:${{ steps.meta.outputs.version }}
+          only-fixed: true
+          add-cpes-if-none: true
+
+      - name: Upload scan result to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+        continue-on-error: true
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}