Skip to content

Bump actions/dependency-review-action from 3.1.1 to 3.1.3 #504

Bump actions/dependency-review-action from 3.1.1 to 3.1.3

Bump actions/dependency-review-action from 3.1.1 to 3.1.3 #504

Workflow file for this run

name: CI
on:
push:
branches:
- main
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
pull_request:
branches:
- main
env:
platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
concurrency:
group: ${{ github.ref_name }}-ci
cancel-in-progress: true
permissions:
contents: read
jobs:
build:
name: Build Image
runs-on: ubuntu-22.04
outputs:
version: ${{ steps.vars.outputs.version }}
permissions:
contents: write # for lucacome/draft-release to create a draft release
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
packages: write # for docker/build-push-action to push to GHCR
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: DockerHub Login
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name != 'pull_request'
- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: Login to Quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
if: github.event_name != 'pull_request'
- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm64,ppc64le,s390x
if: github.event_name != 'pull_request'
- name: Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Output Variables
id: vars
run: |
echo "version=$(git describe --tags)" >> $GITHUB_OUTPUT
echo "chart_version=$(yq '.appVersion' <helm-charts/nginx-ingress/Chart.yaml)" >> $GITHUB_OUTPUT
echo "openshift_version=$(yq '.annotations["com.redhat.openshift.versions"]' <bundle/metadata/annotations.yaml | cut -dv -f2)" >> $GITHUB_OUTPUT
- name: Docker meta
id: meta
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
with:
images: |
nginx/nginx-ingress-operator
ghcr.io/nginxinc/nginx-ingress-operator
quay.io/nginx/nginx-ingress-operator
tags: |
type=edge
type=ref,event=pr
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
name="NGINX Ingress Operator"
maintainer="kubernetes@nginx.com"
vendor="NGINX Inc"
version=${{ steps.vars.outputs.version }}
release=1
summary="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
description="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
- name: Build Image
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: "."
cache-from: type=gha
cache-to: type=gha,mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
no-cache: ${{ github.event_name != 'pull_request' }}
pull: true
sbom: ${{ github.event_name != 'pull_request' }}
provenance: false
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # 0.13.1
continue-on-error: true
with:
image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
format: "sarif"
output: "trivy-results.sarif"
ignore-unfixed: "true"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
continue-on-error: true
with:
sarif_file: "trivy-results.sarif"
- name: Upload Scan Results
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
continue-on-error: true
with:
name: "trivy-results.sarif"
path: "trivy-results.sarif"
if: always()
- name: Create/Update Draft
uses: lucacome/draft-release@785af55296512c907875513e397320ae3f1306bb # v1.0.1
with:
minor-label: "enhancement"
major-label: "change"
publish: ${{ github.ref_type == 'tag' }}
variables: |
nic_version=${{ steps.vars.outputs.chart_version }}
openshift_version=${{ steps.vars.outputs.openshift_version }}
notes-footer: |
## Compatibility
- NGINX Ingress Controller {{nic_version}}
- OpenShift {{openshift_version}} or newer.
if: github.event_name != 'pull_request'
certify:
name: Certify for Red Hat OpenShift
runs-on: ubuntu-22.04
needs: build
if: ${{ github.ref_type == 'tag' }}
steps:
- name: Certify Images
continue-on-error: true
run: |
curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.7.0/preflight-linux-amd64 --output preflight
chmod +x preflight
IFS=',' read -ra arch_list <<< "${{ env.platforms }}"
for arch in "${arch_list[@]}"; do
architecture=("${arch#*/}")
./preflight check container quay.io/nginx/nginx-ingress-operator:${{ needs.build.outputs.version }} --pyxis-api-token ${{ secrets.PYXIS_API_TOKEN }} --certification-project-id ${{ secrets.CERTIFICATION_PROJECT_ID }} --platform $architecture --submit
done
- name: Make
run: |
make bundle USE_IMAGE_DIGESTS=true
- name: Checkout certified-operators repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
token: ${{ secrets.NGINX_PAT }}
repository: nginx-bot/certified-operators
path: certified-operators
- name: Update certified-operators repo
working-directory: certified-operators/operators/nginx-ingress-operator
run: |
mkdir v${{ needs.build.outputs.version }}
cp -R ../../../bundle/manifests v${{ needs.build.outputs.version }}/
cp -R ../../../bundle/metadata v${{ needs.build.outputs.version }}/
- name: Commit changes
uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5.0.0
with:
commit_message: operator nginx-ingress-operator (v${{ needs.build.outputs.version }})
commit_author: nginx-bot <integrations@nginx.com>
commit_user_name: nginx-bot
commit_user_email: integrations@nginx.com
create_branch: true
branch: update-nginx-ingress-operator-to-v${{ needs.build.outputs.version }}
repository: certified-operators
- name: Create PR
working-directory: certified-operators
run: |
gh pr create --title "operator nginx-ingress-operator (v${{ needs.build.outputs.version }})" --body "Update nginx-ingress-operator to v${{ needs.build.outputs.version }}" --head nginx-bot:update-nginx-ingress-operator-to-v${{ needs.build.outputs.version }} --base main --repo redhat-openshift-ecosystem/certified-operators
env:
GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}