Skip to content

Bump the actions group with 4 updates #11117

Bump the actions group with 4 updates

Bump the actions group with 4 updates #11117

Workflow file for this run

name: CI
on:
push:
branches:
- main
- release-*
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
pull_request:
branches:
- main
- release-*
schedule:
- cron: "0 4 * * *" # run every day at 04:00 UTC
defaults:
run:
shell: bash
concurrency:
group: ${{ github.ref_name }}-ci
cancel-in-progress: true
permissions:
contents: read
jobs:
checks:
name: Checks and variables
runs-on: ubuntu-22.04
outputs:
go_path: ${{ steps.vars.outputs.go_path }}
k8s_latest: ${{ steps.vars.outputs.k8s_latest }}
latest_kindest_node_versions: ${{ steps.vars.outputs.latest_kindest_node_versions }}
go_code_md5: ${{ steps.vars.outputs.go_code_md5 }}
chart_version: ${{ steps.vars.outputs.chart_version }}
binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Golang Environment
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: go.mod
- name: Output Variables
id: vars
run: |
kindest_latest=$(curl -s "https://hub.docker.com/v2/repositories/kindest/node/tags" \
| grep -o '"name": *"[^"]*' \
| grep -o '[^"]*$' \
| grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
| sort -rV \
| head -n 1 \
| sed 's/^.\{1\}//' \
| tr -d '\n')
echo "k8s_latest=$kindest_latest" >> $GITHUB_OUTPUT
echo "chart_version=$(yq '.version' <charts/nginx-ingress/Chart.yaml)" >> $GITHUB_OUTPUT
echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT
kindest_versions=$(curl -s "https://hub.docker.com/v2/repositories/kindest/node/tags" \
| grep -o '"name": *"[^"]*' \
| grep -o '[^"]*$' \
| grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
| sort -rV \
| awk -F. '!seen[$1"."$2]++' \
| head -n 7 \
| sort -V \
| sed 's/v//g' \
| sed 's/$//' \
| sed 's/, $//' \
| jq -R -s -c 'split("\n")[:-1]')
echo "latest_kindest_node_versions=$kindest_versions" >> $GITHUB_OUTPUT
echo go_code_md5=$(find . -type f \( -name "*.go" -o -name go.mod -o -name go.sum -o -name "*.tmpl" \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }') >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
- name: Fetch Cached Binary Artifacts
id: binary-cache
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }}
lookup-only: true
- name: Check if go.mod and go.sum are up to date
run: go mod tidy && git diff --exit-code -- go.mod go.sum
- name: Check if CRDs changed
run: make update-crds && git diff --name-only --exit-code config/crd/bases
- name: Check if Codegen changed
run: |
cd ../.. && mkdir -p github.com/nginxinc && mv kubernetes-ingress/kubernetes-ingress github.com/nginxinc/ && cd github.com/nginxinc/kubernetes-ingress
make update-codegen && git diff --name-only --exit-code pkg/**
cd ../../.. && mv github.com/nginxinc/kubernetes-ingress kubernetes-ingress/kubernetes-ingress
unit-tests:
name: Unit Tests
runs-on: ubuntu-22.04
needs: checks
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Golang Environment
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: go.mod
- name: Run Tests
run: make cover
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
- name: Upload coverage to Codecov
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
files: ./coverage.txt
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
release-notes:
name: Release Notes
runs-on: ubuntu-22.04
needs: [checks, unit-tests]
outputs:
release-url: ${{ steps.release-notes.outputs.release-url }}
permissions:
contents: write # for lucacome/draft-release
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Setup Golang Environment
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: go.mod
- name: Download Syft
uses: anchore/sbom-action/download-syft@c7f031d9249a826a082ea14c79d3b686a51d485a # v0.15.3
if: github.ref_type == 'tag'
- name: Install Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
if: github.ref_type == 'tag'
- name: Create/Update Draft
uses: lucacome/draft-release@52f02d1a69b61568e54ab5cf86ce91503bac4066 # v1.0.2
id: release-notes
with:
minor-label: "enhancement"
major-label: "change"
publish: ${{ github.ref_type == 'tag' }}
collapse-after: 50
variables: |
helm-chart=${{ needs.checks.outputs.chart_version }}
notes-footer: |
## Upgrade
- For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking) or build your own image using the {{version}} source code.
- For Helm, use version {{helm-chart}} of the chart.
## Resources
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/charts/nginx-ingress
- Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator
if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }}
binaries:
name: Build Binaries
runs-on: ubuntu-22.04
needs: [checks, unit-tests]
permissions:
contents: write # for goreleaser/goreleaser-action to manage releases
id-token: write # for goreleaser/goreleaser-action to sign artifacts
issues: write # for goreleaser/goreleaser-action to close milestone
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Setup Golang Environment
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: go.mod
- name: Download Syft
uses: anchore/sbom-action/download-syft@c7f031d9249a826a082ea14c79d3b686a51d485a # v0.15.3
if: github.ref_type == 'tag'
- name: Install Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
if: github.ref_type == 'tag'
- name: Build binaries
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
with:
version: latest
args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} ${{ github.event_name == 'pull_request' && '--single-target' || '' }} --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOPATH: ${{ needs.checks.outputs.go_path }}
AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_COMMUNITY }}
AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
AZURE_BUCKET_NAME: ${{ secrets.AZURE_BUCKET_NAME }}
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
- name: Store Artifacts in Cache
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }}
if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
helm-tests:
name: Helm Tests
runs-on: ubuntu-22.04
needs: [checks, binaries]
strategy:
matrix:
include:
- image: debian
type: oss
- image: debian-plus
type: plus
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Fetch Cached Artifacts
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ${{ github.workspace }}/dist
key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }}
- name: Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Build Docker Image ${{ matrix.image }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
file: build/Dockerfile
context: "."
cache-from: type=gha,scope=${{ matrix.image }}
target: goreleaser
tags: ${{ matrix.type }}:${{ github.sha }}
pull: true
load: true
build-args: |
BUILD_OS=${{ matrix.image }}
IC_VERSION=CI
secrets: |
${{ contains(matrix.type, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
${{ contains(matrix.type, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
- name: Deploy Kubernetes
id: k8s
run: |
kind create cluster --name ${{ github.run_id }} --image=kindest/node:v${{ needs.checks.outputs.k8s_latest }} --wait 75s
kind load docker-image ${{ matrix.type }}:${{ github.sha }} --name ${{ github.run_id }}
- name: Install Chart
run: >
helm install
${{ matrix.type }}
.
--set controller.image.repository=${{ matrix.type }}
--set controller.image.tag=${{ github.sha }}
--set controller.service.type=NodePort
--set controller.nginxplus=${{ contains(matrix.type, 'plus') && 'true' || 'false' }}
--wait
working-directory: ${{ github.workspace }}/charts/nginx-ingress
- name: Expose Test Ingresses
run: |
kubectl port-forward service/${{ matrix.type }}-nginx-ingress-controller 8080:80 8443:443 &
- name: Test HTTP
run: |
counter=0
max_attempts=5
until [ $(curl --write-out %{http_code} -s --output /dev/null http://localhost:8080) -eq 404 ]; do
if [ ${counter} -eq ${max_attempts} ]; then
exit 1
fi
printf '.'; counter=$(($counter+1)); sleep 5;
done
- name: Test HTTPS
run: |
counter=0
max_attempts=5
until [ $(curl --write-out %{http_code} -ks --output /dev/null https://localhost:8443) -eq 000 ]; do
if [ ${counter} -eq ${max_attempts} ]; then
exit 1
fi
printf '.'; counter=$(($counter+1)); sleep 5;
done
setup-matrix:
name: Setup Matrix for Smoke Tests
runs-on: ubuntu-22.04
needs: [binaries, checks]
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: set-matrix
run: |
if [ "${{ github.event_name }}" == "schedule" ]; then
echo "matrix=$(cat .github/data/matrix-regression.json | jq -c --argjson latest '${{ needs.checks.outputs.latest_kindest_node_versions }}' '.k8s += $latest')" >> $GITHUB_OUTPUT
else
echo "matrix=$(cat .github/data/matrix-smoke.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT
fi
- name: Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Build Test-Runner Container
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
file: tests/Dockerfile
context: "."
cache-from: type=gha,scope=test-runner
cache-to: type=gha,scope=test-runner,mode=max
tags: test-runner:${{ github.sha }}
pull: true
load: true
smoke-tests:
name: ${{ matrix.images.label }} ${{ matrix.images.image }} smoke tests
runs-on: ubuntu-22.04
needs: [checks, setup-matrix]
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }}
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Smoke Tests
id: smoke-tests
uses: ./.github/actions/smoke-tests
with:
image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }}
marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }}
k8s-version: ${{ matrix.k8s }}
nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}
nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}
azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }}
rhel-license: ${{ contains(matrix.images.image, 'ubi') && secrets.RHEL_LICENSE || '' }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
- name: Upload Test Results
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
with:
name: ${{ steps.smoke-tests.outputs.test-results-name }}
path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html
if: always()
smoke-results:
if: ${{ always() }}
runs-on: ubuntu-22.04
name: Final Smoke Test Results
needs: [smoke-tests]
steps:
- run: |
result="${{ needs.smoke-tests.result }}"
if [[ $result == "success" || $result == "skipped" ]]; then
exit 0
else
exit 1
fi
build-docker:
name: Build Docker OSS
needs: [checks, smoke-tests]
strategy:
fail-fast: false
matrix:
image: [debian, alpine]
platforms:
["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"]
include:
- image: ubi
platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
uses: ./.github/workflows/build-oss.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
permissions:
contents: read
actions: read
security-events: write
id-token: write
packages: write
secrets: inherit
build-docker-plus:
name: Build Docker Plus
needs: [checks, build-docker, release-notes]
strategy:
fail-fast: false
matrix:
image: [debian-plus, alpine-plus, alpine-plus-fips]
platforms: ["linux/arm64, linux/amd64"]
target: [goreleaser, aws]
include:
- image: ubi-plus
platforms: "linux/arm64, linux/amd64, linux/s390x"
target: goreleaser
uses: ./.github/workflows/build-plus.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
release-url: ${{ needs.release-notes.outputs.release-url }}
permissions:
contents: read
security-events: write
id-token: write
secrets: inherit
build-docker-nap:
name: Build Docker NAP
needs: [checks, build-docker-plus, release-notes]
strategy:
fail-fast: false
matrix:
image: [debian-plus-nap]
platforms: ["linux/amd64"]
target: [goreleaser, aws]
nap_modules: [dos, waf, "waf,dos"]
include:
- image: ubi-9-plus-nap
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: ubi-8-plus-nap
target: goreleaser
platforms: "linux/amd64"
nap_modules: dos
- image: ubi-8-plus-nap
target: goreleaser
platforms: "linux/amd64"
nap_modules: "waf,dos"
- image: ubi-9-plus-nap
target: aws
platforms: "linux/amd64"
nap_modules: waf
- image: ubi-8-plus-nap
target: aws
platforms: "linux/amd64"
nap_modules: dos
- image: ubi-8-plus-nap
target: aws
platforms: "linux/amd64"
nap_modules: "waf,dos"
uses: ./.github/workflows/build-plus.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.image }}
target: ${{ matrix.target }}
go-md5: ${{ needs.checks.outputs.go_code_md5 }}
nap_modules: ${{ matrix.nap_modules }}
release-url: ${{ needs.release-notes.outputs.release-url }}
permissions:
contents: read
security-events: write
id-token: write
secrets: inherit
publish-helm:
name: Package and Publish Helm Chart
runs-on: ubuntu-22.04
needs: [checks, helm-tests]
if: ${{ github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-') }}
permissions:
contents: write # for pushing to Helm Charts repository
packages: write # for helm to push to GHCR
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: kic
- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: DockerHub Login
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Package
id: package
run: |
output=$(helm package ${{ github.ref_type != 'tag' && '--app-version edge --version 0.0.0-edge' || '' }} kic/charts/nginx-ingress)
echo "path=$(basename -- $(echo $output | cut -d: -f2))" >> $GITHUB_OUTPUT
- name: Push to OCI registries
run: |
helm push ${{ steps.package.outputs.path }} oci://ghcr.io/nginxinc/charts
helm push ${{ steps.package.outputs.path }} oci://registry-1.docker.io/nginxcharts
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: nginxinc/helm-charts
fetch-depth: 1
token: ${{ secrets.NGINX_PAT }}
path: helm-charts
if: github.ref_type == 'tag'
- name: Push Helm Chart to Helm Charts Repository
run: |
mv ${{ steps.package.outputs.path }} ${{ github.workspace }}/helm-charts/stable/
cd ${{ github.workspace }}/helm-charts
helm repo index stable --url https://helm.nginx.com/stable
git add -A
git -c user.name='NGINX Kubernetes Team' -c user.email='kubernetes@nginx.com' \
commit -m "NGINX Ingress Controller - Release ${{ needs.checks.outputs.chart_version }}"
git push -u origin master
if: github.ref_type == 'tag'
operator:
name: Trigger PR for Operator
runs-on: ubuntu-22.04
needs: [checks, publish-helm]
steps:
- name:
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.NGINX_PAT }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: context.repo.owner,
repo: 'nginx-ingress-helm-operator',
workflow_id: 'sync-chart.yml',
ref: 'main',
inputs: {
chart_version: '${{ needs.checks.outputs.chart_version }}'
},
})
if: github.ref_type == 'tag'
gcp-marketplace:
name: Trigger PR for GCP Marketplace
runs-on: ubuntu-22.04
needs: [checks, publish-helm]
steps:
- name:
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.NGINX_PAT }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: context.repo.owner,
repo: 'kubernetes-ingress-gcp',
workflow_id: 'sync-chart.yml',
ref: 'main',
inputs: {
chart_version: '${{ needs.checks.outputs.chart_version }}'
},
})
if: github.ref_type == 'tag'