Docker image update 52a62c5c (#6747) #717

Workflow file for this run

.github/workflows/image-promotion.yml at 1498849

	name: Image Promotion
	# This workflow will:
	# - build images for forked workflows
	# - tag stable for forked workflows
	# - tag edge for main workflows
	# - tag release branch name for release branch workflows
	# - release edge images & helm charts for edge
	# - run Trivy & dockerscout scans for main & release branch images
	# & upload results to Github security & Github Artifacts

	on:
	push:
	branches:
	- main
	- release-*
	workflow_call:

	defaults:
	run:
	shell: bash

	concurrency:
	group: ${{ github.ref_name }}-image-promotion
	cancel-in-progress: true

	permissions:
	contents: read

	jobs:
	checks:
	name: Checks and variables
	runs-on: ubuntu-24.04
	permissions:
	contents: read
	id-token: write
	outputs:
	go_path: ${{ steps.vars.outputs.go_path }}
	go_code_md5: ${{ steps.vars.outputs.go_code_md5 }}
	binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
	chart_version: ${{ steps.vars.outputs.chart_version }}
	ic_version: ${{ steps.vars.outputs.ic_version }}
	docker_md5: ${{ steps.vars.outputs.docker_md5 }}
	build_tag: ${{ steps.vars.outputs.build_tag }}
	stable_tag: ${{ steps.vars.outputs.stable_tag }}
	stable_image_exists: ${{ steps.stable_exists.outputs.exists }}
	image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }}
	image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }}
	image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Setup Golang Environment
	uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
	with:
	go-version-file: go.mod

	- name: Set Variables
	id: vars
	run: \|
	echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT
	source .github/data/version.txt
	echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
	echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT
	./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT
	./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT
	./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT
	./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT
	echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json \| jq -c)" >> $GITHUB_OUTPUT
	echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json \| jq -c)" >> $GITHUB_OUTPUT
	echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json \| jq -c)" >> $GITHUB_OUTPUT

	- name: Fetch Cached Binary Artifacts
	id: binary-cache
	uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
	with:
	path: ${{ github.workspace }}/dist
	key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }}
	lookup-only: true

	- name: Authenticate to Google Cloud
	id: auth
	uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
	with:
	token_format: access_token
	workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
	service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

	- name: Login to GCR
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: gcr.io
	username: oauth2accesstoken
	password: ${{ steps.auth.outputs.access_token }}

	- name: Check if stable image exists
	id: stable_exists
	run: \|
	if docker pull gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress:${{ steps.vars.outputs.stable_tag }}; then
	echo "exists=true" >> $GITHUB_OUTPUT
	fi

	- name: Output variables
	run: \|
	echo go_code_md5: ${{ steps.vars.outputs.go_code_md5 }}
	echo go_path: ${{ steps.vars.outputs.go_path }}
	echo binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }}
	echo chart_version: ${{ steps.vars.outputs.chart_version }}
	echo ic_version: ${{ steps.vars.outputs.ic_version }}
	echo docker_md5: ${{ steps.vars.outputs.docker_md5 }}
	echo build_tag: ${{ steps.vars.outputs.build_tag }}
	echo stable_tag: ${{ steps.vars.outputs.stable_tag }}
	echo stable_image_exists: ${{ steps.stable_exists.outputs.exists }}

	govulncheck:
	name: Run govulncheck
	runs-on: ubuntu-24.04
	permissions:
	contents: read
	security-events: write
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Setup Golang Environment
	uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
	with:
	go-version-file: go.mod

	- name: govulncheck
	uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
	with:
	output-format: sarif
	output-file: govulncheck.sarif

	- name: Check SARIF file
	id: check-sarif
	run: \|
	if [ -s govulncheck.sarif ] && grep -q '"results":' govulncheck.sarif; then
	echo "sarif_has_results=true" >> $GITHUB_OUTPUT
	else
	echo "sarif_has_results=false" >> $GITHUB_OUTPUT
	fi

	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
	if: steps.check-sarif.outputs.sarif_has_results == 'true'
	with:
	sarif_file: govulncheck.sarif

	binaries:
	name: Build Binaries
	runs-on: ubuntu-24.04
	needs: [checks]
	permissions:
	contents: read
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Setup Golang Environment
	uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
	with:
	go-version-file: go.mod
	if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}

	- name: Build binaries
	uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
	with:
	version: latest
	args: build --snapshot --clean
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	GOPATH: ${{ needs.checks.outputs.go_path }}
	AWS_PRODUCT_CODE: ${{ secrets.AWS_PRODUCT_CODE }}
	AWS_PUB_KEY: ${{ secrets.AWS_PUB_KEY }}
	AWS_NAP_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_DOS_PRODUCT_CODE }}
	AWS_NAP_DOS_PUB_KEY: ${{ secrets.AWS_NAP_DOS_PUB_KEY }}
	AWS_NAP_WAF_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_PRODUCT_CODE }}
	AWS_NAP_WAF_PUB_KEY: ${{ secrets.AWS_NAP_WAF_PUB_KEY }}
	AWS_NAP_WAF_DOS_PRODUCT_CODE: ${{ secrets.AWS_NAP_WAF_DOS_PRODUCT_CODE }}
	AWS_NAP_WAF_DOS_PUB_KEY: ${{ secrets.AWS_NAP_WAF_DOS_PUB_KEY }}
	GORELEASER_CURRENT_TAG: "v${{ needs.checks.outputs.ic_version }}"
	if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}

	- name: Store Artifacts in Cache
	uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
	with:
	path: ${{ github.workspace }}/dist
	key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }}
	if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}

	build-docker:
	if: ${{ needs.checks.outputs.stable_image_exists != 'true' }}
	name: Build Docker OSS
	needs: [checks, binaries]
	strategy:
	fail-fast: false
	matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
	uses: ./.github/workflows/build-oss.yml
	with:
	platforms: ${{ matrix.platforms }}
	image: ${{ matrix.image }}
	go-md5: ${{ needs.checks.outputs.go_code_md5 }}
	base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
	authenticated: true
	tag: ${{ needs.checks.outputs.build_tag }}
	branch: ${{ github.ref }}
	ic-version: ${{ needs.checks.outputs.ic_version }}
	permissions:
	contents: read
	actions: read
	security-events: write
	id-token: write
	packages: write
	pull-requests: write # for scout report
	secrets: inherit

	build-docker-plus:
	if: ${{ needs.checks.outputs.stable_image_exists != 'true' }}
	name: Build Docker Plus
	needs: [checks, binaries]
	strategy:
	fail-fast: false
	matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
	uses: ./.github/workflows/build-plus.yml
	with:
	platforms: ${{ matrix.platforms }}
	image: ${{ matrix.image }}
	target: ${{ matrix.target }}
	go-md5: ${{ needs.checks.outputs.go_code_md5 }}
	base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
	authenticated: true
	tag: ${{ needs.checks.outputs.build_tag }}
	branch: ${{ github.ref }}
	ic-version: ${{ needs.checks.outputs.ic_version }}
	permissions:
	contents: read
	actions: read
	security-events: write
	id-token: write
	packages: write
	pull-requests: write # for scout report
	secrets: inherit

	build-docker-nap:
	if: ${{ needs.checks.outputs.stable_image_exists != 'true' }}
	name: Build Docker NAP
	needs: [checks, binaries]
	strategy:
	fail-fast: false
	matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
	uses: ./.github/workflows/build-plus.yml
	with:
	platforms: ${{ matrix.platforms }}
	image: ${{ matrix.image }}
	target: ${{ matrix.target }}
	go-md5: ${{ needs.checks.outputs.go_code_md5 }}
	base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
	nap-modules: ${{ matrix.nap_modules }}
	authenticated: true
	tag: ${{ needs.checks.outputs.build_tag }}
	branch: ${{ github.ref }}
	ic-version: ${{ needs.checks.outputs.ic_version }}
	permissions:
	contents: read
	actions: read
	security-events: write
	id-token: write
	packages: write
	pull-requests: write # for scout report
	secrets: inherit

	tag-stable:
	if: ${{ needs.checks.outputs.stable_image_exists != 'true' }}
	name: Tag build image as stable
	needs: [checks, build-docker, build-docker-plus, build-docker-nap]
	permissions:
	contents: read # To checkout repository
	id-token: write # To sign into Google Container Registry
	uses: ./.github/workflows/retag-images.yml
	with:
	source_tag: ${{ needs.checks.outputs.build_tag }}
	target_tag: ${{ needs.checks.outputs.stable_tag }}
	dry_run: false
	secrets: inherit

	tag-candidate:
	# pushes edge or release images to gcr/dev
	# for main: this keeps a copy of edge in gcr/dev
	# for release-*: this stages a release candidate in gcr/dev which can be used for release promotion
	name: Tag tested image as stable
	needs:
	- checks
	- build-docker
	- build-docker-plus
	- build-docker-nap
	- tag-stable
	permissions:
	contents: read # To checkout repository
	id-token: write # To sign into Google Container Registry
	uses: ./.github/workflows/retag-images.yml
	with:
	source_tag: ${{ needs.checks.outputs.stable_tag }}
	target_tag: ${{ github.ref_name == github.event.repository.default_branch && 'edge' \|\| github.ref_name }}
	dry_run: false
	secrets: inherit
	if: ${{ !cancelled() && !failure() }}

	release-oss:
	# pushes edge images to docker hub
	if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
	name: Release Docker OSS
	needs: [checks, build-docker]
	uses: ./.github/workflows/oss-release.yml
	with:
	gcr_release_registry: false
	ecr_public_registry: true
	dockerhub_public_registry: true
	quay_public_registry: true
	github_public_registry: true
	source_tag: ${{ needs.checks.outputs.stable_tag }}
	target_tag: "edge"
	branch: ${{ github.ref_name }}
	dry_run: false
	permissions:
	contents: read
	id-token: write
	packages: write
	secrets: inherit

	release-plus:
	# pushes plus edge images to nginx registry
	if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
	name: Release Docker Plus
	needs: [checks, build-docker-plus, build-docker-nap]
	uses: ./.github/workflows/plus-release.yml
	with:
	nginx_registry: true
	gcr_release_registry: false
	gcr_mktpl_registry: false
	ecr_mktpl_registry: false
	az_mktpl_registry: false
	source_tag: ${{ needs.checks.outputs.stable_tag }}
	target_tag: "edge"
	branch: ${{ github.ref_name }}
	dry_run: false
	permissions:
	contents: read
	id-token: write
	secrets: inherit

	publish-helm-chart:
	if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
	name: Publish Helm Chart
	needs: [checks]
	uses: ./.github/workflows/publish-helm.yml
	with:
	branch: ${{ github.ref_name }}
	ic_version: edge
	chart_version: 0.0.0-edge
	nginx_helm_repo: false
	permissions:
	contents: write # for pushing to Helm Charts repository
	packages: write # for helm to push to GHCR
	secrets: inherit

	certify-openshift-images:
	if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }}
	name: Certify OpenShift UBI images
	runs-on: ubuntu-24.04
	needs: [release-oss]
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Certify UBI OSS images in quay
	uses: ./.github/actions/certify-openshift-image
	continue-on-error: true
	with:
	image: quay.io/nginx/nginx-ingress:edge-ubi
	project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
	pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}

	scan-docker-oss:
	name: Scan ${{ matrix.image }}-${{ matrix.target }}
	runs-on: ubuntu-24.04
	needs: [checks]
	permissions:
	contents: read
	id-token: write
	security-events: write
	if: ${{ !cancelled() && !failure() }}
	strategy:
	fail-fast: false
	matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Make directory for security scan results
	id: directory
	run: \|
	directory=${{ matrix.image }}-${{ matrix.target }}-results
	echo "directory=${directory}" >> $GITHUB_OUTPUT
	mkdir -p "${directory}"

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	context: workflow
	images: \|
	name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
	flavor: \|
	suffix=${{ contains(matrix.image, 'ubi') && '-ubi' \|\| '' }}${{ contains(matrix.image, 'alpine') && '-alpine' \|\| '' }}
	tags: \|
	type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' \|\| github.ref_name }}

	- name: Authenticate to Google Cloud
	id: auth
	uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
	with:
	token_format: access_token
	workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
	service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

	- name: Login to GCR
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: gcr.io
	username: oauth2accesstoken
	password: ${{ steps.auth.outputs.access_token }}

	# - name: Run Trivy vulnerability scanner
	# uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
	# continue-on-error: true
	# with:
	# image-ref: ${{ steps.meta.outputs.tags }}
	# format: "sarif"
	# output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
	# ignore-unfixed: "true"

	- name: DockerHub Login for Docker Scout
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Run Docker Scout vulnerability scanner
	id: docker-scout
	uses: docker/scout-action@e1c0d589b972d5605e035bbf74ed95cfc306d597 # v1.15.0
	with:
	command: cves,recommendations
	image: ${{ steps.meta.outputs.tags }}
	ignore-base: true
	only-fixed: true
	sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
	write-comment: false
	github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
	summary: true

	- name: Upload Scan Results to Github Artifacts
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
	path: "${{ steps.directory.outputs.directory }}/"
	overwrite: true

	- name: Upload Scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
	with:
	sarif_file: "${{ steps.directory.outputs.directory }}/"

	scan-docker-plus:
	name: Scan ${{ matrix.image }}-${{ matrix.target }}
	runs-on: ubuntu-24.04
	needs: [checks]
	permissions:
	contents: read
	id-token: write
	security-events: write
	if: ${{ !cancelled() && !failure() }}
	strategy:
	fail-fast: false
	matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Make directory for security scan results
	id: directory
	run: \|
	directory=${{ matrix.image }}-${{ matrix.target }}-results
	echo "directory=${directory}" >> $GITHUB_OUTPUT
	mkdir -p "${directory}"

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	context: workflow
	images: \|
	name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
	flavor: \|
	suffix=${{ contains(matrix.image, 'ubi') && '-ubi' \|\| '' }}${{ contains(matrix.image, 'alpine') && '-alpine' \|\| '' }}${{ contains(matrix.target, 'aws') && '-mktpl' \|\| '' }}${{ contains(matrix.image, 'fips') && '-fips' \|\| ''}}
	tags: \|
	type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' \|\| github.ref_name }}

	- name: Authenticate to Google Cloud
	id: auth
	uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
	with:
	token_format: access_token
	workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
	service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

	- name: Login to GCR
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: gcr.io
	username: oauth2accesstoken
	password: ${{ steps.auth.outputs.access_token }}

	# - name: Run Trivy vulnerability scanner
	# uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
	# continue-on-error: true
	# with:
	# image-ref: ${{ steps.meta.outputs.tags }}
	# format: "sarif"
	# output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
	# ignore-unfixed: "true"

	- name: DockerHub Login for Docker Scout
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Run Docker Scout vulnerability scanner
	id: docker-scout
	uses: docker/scout-action@e1c0d589b972d5605e035bbf74ed95cfc306d597 # v1.15.0
	with:
	command: cves,recommendations
	image: ${{ steps.meta.outputs.tags }}
	ignore-base: true
	only-fixed: true
	sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
	write-comment: false
	github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
	summary: true

	- name: Upload Scan Results to Github Artifacts
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
	path: "${{ steps.directory.outputs.directory }}/"
	overwrite: true

	- name: Upload Scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
	with:
	sarif_file: "${{ steps.directory.outputs.directory }}/"

	scan-docker-nap:
	name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }}
	runs-on: ubuntu-24.04
	needs: [checks]
	permissions:
	contents: read
	id-token: write
	security-events: write
	if: ${{ !cancelled() && !failure() }}
	strategy:
	fail-fast: false
	matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: NAP modules
	id: nap_modules
	run: \|
	[[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" \|\| name="${{ matrix.nap_modules }}"
	echo "name=${name}" >> $GITHUB_OUTPUT
	if: ${{ matrix.nap_modules != '' }}

	- name: Make directory for security scan results
	id: directory
	run: \|
	directory=${{ matrix.image }}-${{ matrix.target }}-${{ steps.nap_modules.outputs.name }}-results
	echo "directory=${directory}" >> $GITHUB_OUTPUT
	mkdir -p "${directory}"

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	context: workflow
	images: \|
	name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' \|\| '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' \|\| '' }}${{ contains(matrix.image, 'v5') && '-v5' \|\| '' }}/nginx-plus-ingress
	flavor: \|
	suffix=${{ contains(matrix.image, 'ubi') && '-ubi' \|\| '' }}${{ contains(matrix.image, 'alpine') && '-alpine' \|\| '' }}${{ contains(matrix.target, 'aws') && '-mktpl' \|\| '' }}${{ contains(matrix.image, 'fips') && '-fips' \|\| ''}}
	tags: \|
	type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' \|\| github.ref_name }}

	- name: Authenticate to Google Cloud
	id: auth
	uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
	with:
	token_format: access_token
	workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
	service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

	- name: Login to GCR
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: gcr.io
	username: oauth2accesstoken
	password: ${{ steps.auth.outputs.access_token }}

	# - name: Run Trivy vulnerability scanner
	# uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
	# continue-on-error: true
	# with:
	# image-ref: ${{ steps.meta.outputs.tags }}
	# format: "sarif"
	# output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
	# ignore-unfixed: "true"

	- name: DockerHub Login for Docker Scout
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Run Docker Scout vulnerability scanner
	id: docker-scout
	uses: docker/scout-action@e1c0d589b972d5605e035bbf74ed95cfc306d597 # v1.15.0
	with:
	command: cves,recommendations
	image: ${{ steps.meta.outputs.tags }}
	ignore-base: true
	only-fixed: true
	sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
	write-comment: false
	github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
	summary: true

	- name: Upload Scan Results to Github Artifacts
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
	path: "${{ steps.directory.outputs.directory }}/"
	overwrite: true

	- name: Upload Scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
	with:
	sarif_file: "${{ steps.directory.outputs.directory }}/"

	update-release-draft:
	name: Update Release Draft
	runs-on: ubuntu-24.04
	needs: [checks]
	permissions:
	contents: write
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Create/Update Draft
	uses: lucacome/draft-release@5d29432a46bff6c122cd4b07a1fb94e1bb158d34 # v1.1.1
	id: release-notes
	with:
	minor-label: "enhancement"
	major-label: "change"
	publish: false
	collapse-after: 50
	variables: \|
	helm-chart=${{ needs.checks.outputs.chart_version }}
	notes-footer: \|
	## Upgrade
	- For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
	- For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking), [Azure Marketplace](https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/category/containers?page=1&search=f5&subcategories=container-apps) or build your own image using the {{version}} source code.
	- For Helm, use version {{helm-chart}} of the chart.

	## Resources
	- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
	- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples
	- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart
	- Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator
	if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Docker image update 52a62c5c (#6747) #717

Workflow file

Docker image update 52a62c5c (#6747) #717

Jobs

Run details

Workflow file for this run