update clusterrole and roles #1173

Workflow file for this run

	name: CI

	on:
	push:
	branches:
	- main
	tags:
	- "v[0-9]+.[0-9]+.[0-9]+"
	pull_request:
	branches:
	- main

	env:
	platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"

	concurrency:
	group: ${{ github.ref_name }}-ci
	cancel-in-progress: true

	permissions:
	contents: read

	jobs:
	build:
	name: Build Image
	runs-on: ubuntu-22.04
	outputs:
	version: ${{ steps.meta.outputs.version }}
	permissions:
	contents: write # for lucacome/draft-release to create a draft release
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	packages: write # for docker/build-push-action to push to GHCR
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: DockerHub Login
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	if: github.event_name != 'pull_request'

	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	if: github.event_name == 'pull_request'

	- name: Login to Quay.io
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_USERNAME }}
	password: ${{ secrets.QUAY_ROBOT_TOKEN }}
	if: github.event_name != 'pull_request'

	- name: Setup QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
	with:
	platforms: arm64,ppc64le,s390x
	if: github.event_name != 'pull_request'

	- name: Docker Buildx
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

	- name: Output Variables
	id: vars
	run: \|
	echo "version=$(git describe --tags)" >> $GITHUB_OUTPUT
	echo "chart_version=$(yq '.appVersion' <helm-charts/nginx-ingress/Chart.yaml)" >> $GITHUB_OUTPUT
	echo "openshift_version=$(yq '.annotations["com.redhat.openshift.versions"]' <bundle/metadata/annotations.yaml \| cut -dv -f2)" >> $GITHUB_OUTPUT

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
	with:
	images: \|
	ghcr.io/nginxinc/nginx-ingress-operator
	tags: \|
	type=ref,event=pr
	type=semver,pattern={{version}}
	labels: \|
	org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
	org.opencontainers.image.vendor=NGINX Inc <[email protected]>
	name="NGINX Ingress Operator"
	maintainer="[email protected]"
	vendor="NGINX Inc"
	version=${{ steps.vars.outputs.version }}
	release=1
	summary="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
	description="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"

	- name: Build Image
	uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
	with:
	context: "."
	cache-from: type=gha
	cache-to: type=gha,mode=max
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	platforms: ${{ github.event_name != 'pull_request' && env.platforms \|\| '' }}
	load: ${{ github.event_name == 'pull_request' }}
	push: ${{ github.event_name == 'pull_request' }}
	no-cache: ${{ github.event_name != 'pull_request' }}
	pull: true
	sbom: ${{ github.event_name != 'pull_request' }}
	provenance: false

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
	continue-on-error: true
	with:
	image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
	format: "sarif"
	output: "trivy-results.sarif"
	ignore-unfixed: "true"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
	continue-on-error: true
	with:
	sarif_file: "trivy-results.sarif"

	- name: Upload Scan Results
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	continue-on-error: true
	with:
	name: "trivy-results.sarif"
	path: "trivy-results.sarif"
	if: always()

	- name: Create/Update Draft
	uses: lucacome/draft-release@5d29432a46bff6c122cd4b07a1fb94e1bb158d34 # v1.1.1
	with:
	minor-label: "enhancement"
	major-label: "change"
	publish: ${{ github.ref_type == 'tag' }}
	variables: \|
	nic_version=${{ steps.vars.outputs.chart_version }}
	openshift_version=${{ steps.vars.outputs.openshift_version }}
	notes-footer: \|
	## Compatibility

	- NGINX Ingress Controller {{nic_version}}
	- OpenShift {{openshift_version}} or newer.
	if: github.event_name != 'pull_request'

	certify:
	name: Certify for Red Hat OpenShift
	runs-on: ubuntu-22.04
	needs: build
	if: ${{ github.ref_type == 'tag' }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Certify Images
	continue-on-error: false
	run: \|
	curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.10.2/preflight-linux-amd64 --output preflight
	chmod +x preflight

	IFS=',' read -ra arch_list <<< "${{ env.platforms }}"

	for arch in "${arch_list[@]}"; do
	architecture=("${arch#*/}")
	./preflight check container quay.io/nginx/nginx-ingress-operator:${{ needs.build.outputs.version }} --pyxis-api-token ${{ secrets.PYXIS_API_TOKEN }} --certification-project-id ${{ secrets.CERTIFICATION_PROJECT_ID }} --platform $architecture --submit
	done

	- name: Make
	run: \|
	make bundle USE_IMAGE_DIGESTS=true

	- name: Checkout certified-operators repo
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	token: ${{ secrets.NGINX_PAT }}
	repository: nginx-bot/certified-operators
	path: certified-operators

	- name: Update certified-operators repo
	working-directory: certified-operators/operators/nginx-ingress-operator
	run: \|
	mkdir v${{ needs.build.outputs.version }}
	cp -R ../../../bundle/manifests v${{ needs.build.outputs.version }}/
	cp -R ../../../bundle/metadata v${{ needs.build.outputs.version }}/

	- name: Commit changes
	uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
	with:
	commit_message: operator nginx-ingress-operator (v${{ needs.build.outputs.version }})
	commit_author: nginx-bot <[email protected]>
	commit_user_name: nginx-bot
	commit_user_email: [email protected]
	create_branch: true
	branch: update-nginx-ingress-operator-to-v${{ needs.build.outputs.version }}
	repository: certified-operators

	- name: Create PR
	working-directory: certified-operators
	run: \|
	gh pr create --title "operator nginx-ingress-operator (v${{ needs.build.outputs.version }})" --body "Update nginx-ingress-operator to v${{ needs.build.outputs.version }}" --head nginx-bot:update-nginx-ingress-operator-to-v${{ needs.build.outputs.version }} --base main --repo redhat-openshift-ecosystem/certified-operators
	env:
	GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

update clusterrole and roles #1173

Workflow file

update clusterrole and roles #1173

Jobs

Run details

Workflow file for this run