Bump jacobtomlinson/gha-find-replace from 1dcd8b008d15ef0862ae785c76d1419cca930e15 to 863001a682308a0a2405e69e645cb0899b5ee64b #1048

Workflow file for this run

	name: CI

	on:
	push:
	branches:
	- main
	tags:
	- "v[0-9]+.[0-9]+.[0-9]+"
	pull_request:
	branches:
	- main

	env:
	platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"

	concurrency:
	group: ${{ github.ref_name }}-ci
	cancel-in-progress: true

	permissions:
	contents: read

	jobs:
	build:
	name: Build Image
	runs-on: ubuntu-22.04
	outputs:
	version: ${{ steps.meta.outputs.version }}
	permissions:
	contents: write # for lucacome/draft-release to create a draft release
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	packages: write # for docker/build-push-action to push to GHCR
	steps:
	- name: Checkout Repository
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: DockerHub Login
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	if: github.event_name != 'pull_request'

	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	if: github.event_name != 'pull_request'

	- name: Login to Quay.io
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_USERNAME }}
	password: ${{ secrets.QUAY_ROBOT_TOKEN }}
	if: github.event_name != 'pull_request'

	- name: Setup QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
	with:
	platforms: arm64,ppc64le,s390x
	if: github.event_name != 'pull_request'

	- name: Docker Buildx
	uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

	- name: Output Variables
	id: vars
	run: \|
	echo "version=$(git describe --tags)" >> $GITHUB_OUTPUT
	echo "chart_version=$(yq '.appVersion' <helm-charts/nginx-ingress/Chart.yaml)" >> $GITHUB_OUTPUT
	echo "openshift_version=$(yq '.annotations["com.redhat.openshift.versions"]' <bundle/metadata/annotations.yaml \| cut -dv -f2)" >> $GITHUB_OUTPUT

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: \|
	nginx/nginx-ingress-operator
	ghcr.io/nginxinc/nginx-ingress-operator
	quay.io/nginx/nginx-ingress-operator
	tags: \|
	type=edge
	type=ref,event=pr
	type=semver,pattern={{version}}
	labels: \|
	org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
	org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
	name="NGINX Ingress Operator"
	maintainer="kubernetes@nginx.com"
	vendor="NGINX Inc"
	version=${{ steps.vars.outputs.version }}
	release=1
	summary="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
	description="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"

	- name: Build Image
	uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
	with:
	context: "."
	cache-from: type=gha
	cache-to: type=gha,mode=max
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	platforms: ${{ github.event_name != 'pull_request' && env.platforms \|\| '' }}
	load: ${{ github.event_name == 'pull_request' }}
	push: ${{ github.event_name != 'pull_request' }}
	no-cache: ${{ github.event_name != 'pull_request' }}
	pull: true
	sbom: ${{ github.event_name != 'pull_request' }}
	provenance: false

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
	continue-on-error: true
	with:
	image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
	format: "sarif"
	output: "trivy-results.sarif"
	ignore-unfixed: "true"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
	continue-on-error: true
	with:
	sarif_file: "trivy-results.sarif"

	- name: Upload Scan Results
	uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
	continue-on-error: true
	with:
	name: "trivy-results.sarif"
	path: "trivy-results.sarif"
	if: always()

	- name: Create/Update Draft
	uses: lucacome/draft-release@5d29432a46bff6c122cd4b07a1fb94e1bb158d34 # v1.1.1
	with:
	minor-label: "enhancement"
	major-label: "change"
	publish: ${{ github.ref_type == 'tag' }}
	variables: \|
	nic_version=${{ steps.vars.outputs.chart_version }}
	openshift_version=${{ steps.vars.outputs.openshift_version }}
	notes-footer: \|
	## Compatibility

	- NGINX Ingress Controller {{nic_version}}
	- OpenShift {{openshift_version}} or newer.
	if: github.event_name != 'pull_request'

	certify:
	name: Certify for Red Hat OpenShift
	runs-on: ubuntu-22.04
	needs: build
	if: ${{ github.ref_type == 'tag' }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Certify Images
	continue-on-error: false
	run: \|
	curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.9.4/preflight-linux-amd64 --output preflight
	chmod +x preflight

	IFS=',' read -ra arch_list <<< "${{ env.platforms }}"

	for arch in "${arch_list[@]}"; do
	architecture=("${arch#*/}")
	./preflight check container quay.io/nginx/nginx-ingress-operator:${{ needs.build.outputs.version }} --pyxis-api-token ${{ secrets.PYXIS_API_TOKEN }} --certification-project-id ${{ secrets.CERTIFICATION_PROJECT_ID }} --platform $architecture --submit
	done

	- name: Make
	run: \|
	make bundle USE_IMAGE_DIGESTS=true

	- name: Checkout certified-operators repo
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	with:
	token: ${{ secrets.NGINX_PAT }}
	repository: nginx-bot/certified-operators
	path: certified-operators

	- name: Update certified-operators repo
	working-directory: certified-operators/operators/nginx-ingress-operator
	run: \|
	mkdir v${{ needs.build.outputs.version }}
	cp -R ../../../bundle/manifests v${{ needs.build.outputs.version }}/
	cp -R ../../../bundle/metadata v${{ needs.build.outputs.version }}/

	- name: Commit changes
	uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
	with:
	commit_message: operator nginx-ingress-operator (v${{ needs.build.outputs.version }})
	commit_author: nginx-bot <integrations@nginx.com>
	commit_user_name: nginx-bot
	commit_user_email: integrations@nginx.com
	create_branch: true
	branch: update-nginx-ingress-operator-to-v${{ needs.build.outputs.version }}
	repository: certified-operators

	- name: Create PR
	working-directory: certified-operators
	run: \|
	gh pr create --title "operator nginx-ingress-operator (v${{ needs.build.outputs.version }})" --body "Update nginx-ingress-operator to v${{ needs.build.outputs.version }}" --head nginx-bot:update-nginx-ingress-operator-to-v${{ needs.build.outputs.version }} --base main --repo redhat-openshift-ecosystem/certified-operators
	env:
	GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump jacobtomlinson/gha-find-replace from 1dcd8b008d15ef0862ae785c76d1419cca930e15 to 863001a682308a0a2405e69e645cb0899b5ee64b #1048

Workflow file

Bump jacobtomlinson/gha-find-replace from 1dcd8b008d15ef0862ae785c76d1419cca930e15 to 863001a682308a0a2405e69e645cb0899b5ee64b #1048

Jobs

Run details

Workflow file for this run