From 9cdc84fc46ec8edbb6b109c12856a67530ee9b91 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 Aug 2025 23:39:31 +0000 Subject: [PATCH 01/20] Initial plan From 9517e9b8f5ac1e8d8433a8d5a43d8a187e153235 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 Aug 2025 23:46:29 +0000 Subject: [PATCH 02/20] Enable Docker layer caching for PR pipeline image sharing Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/alpine-mainline.yml | 16 ++++++++-------- .github/workflows/alpine-stable.yml | 16 ++++++++-------- .github/workflows/debian-mainline.yml | 12 ++++++------ .github/workflows/debian-stable.yml | 12 ++++++------ 4 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index d3142cf2..6882bdf7 100644 --- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml @@ -117,8 +117,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=alpine-slim - # cache-to: type=gha,mode=min,scope=alpine-slim + cache-from: type=gha,scope=alpine-slim + cache-to: type=gha,mode=min,scope=alpine-slim - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -235,8 +235,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=debian-perl - # cache-to: type=gha,mode=min,scope=debian-perl + cache-from: type=gha,scope=alpine + cache-to: type=gha,mode=min,scope=alpine - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} 
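Review bot: Turning on `cache-from: type=gha` for the `alpine-slim` and `alpine` build steps lets a release build that is subsequently signed (`Sign Docker Hub Manifest`) reuse `RUN` layers from an earlier run, so any package-install layer in the Dockerfile (not visible here) keeps the package versions it had when first cached until the instruction text or the base-image digest changes. For a published image whose main maintenance value is picking up distro security updates, that silently freezes packages between base-image bumps. Consider limiting the cache to PR builds, `cache-from: ${{ github.event_name == 'pull_request' && 'type=gha,scope=alpine-slim' || '' }}`, or add a `no-cache-filters:` entry for the stage that installs packages so only the cheap layers are reused. Note that GitHub scopes caches written by PR runs to the PR itself, so the isolation between fork PRs and main-branch restores is GitHub's, not something enforced in this file.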
@@ -353,8 +353,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=alpine-perl - # cache-to: type=gha,mode=min,scope=alpine-perl + cache-from: type=gha,scope=alpine-perl + cache-to: type=gha,mode=min,scope=alpine-perl - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -471,8 +471,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=alpine-otel - # cache-to: type=gha,mode=min,scope=alpine-otel + cache-from: type=gha,scope=alpine-otel + cache-to: type=gha,mode=min,scope=alpine-otel - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/alpine-stable.yml b/.github/workflows/alpine-stable.yml index 3f9db23c..3479eff0 100644 --- a/.github/workflows/alpine-stable.yml +++ b/.github/workflows/alpine-stable.yml @@ -113,8 +113,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-alpine-slim - # cache-to: type=gha,mode=min,scope=stable-alpine-slim + cache-from: type=gha,scope=stable-alpine-slim + cache-to: type=gha,mode=min,scope=stable-alpine-slim - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -223,8 +223,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-alpine - # cache-to: type=gha,mode=min,scope=stable-alpine + cache-from: type=gha,scope=stable-alpine + cache-to: type=gha,mode=min,scope=stable-alpine - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} 
@@ -333,8 +333,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-alpine-perl - # cache-to: type=gha,mode=min,scope=stable-alpine-perl + cache-from: type=gha,scope=stable-alpine-perl + cache-to: type=gha,mode=min,scope=stable-alpine-perl - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -442,8 +442,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-alpine-otel - # cache-to: type=gha,mode=min,scope=stable-alpine-otel + cache-from: type=gha,scope=stable-alpine-otel + cache-to: type=gha,mode=min,scope=stable-alpine-otel - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/debian-mainline.yml b/.github/workflows/debian-mainline.yml index 90a3dfa0..8a4d4538 100644 --- a/.github/workflows/debian-mainline.yml +++ b/.github/workflows/debian-mainline.yml @@ -118,8 +118,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=debian-perl - # cache-to: type=gha,mode=min,scope=debian-perl + cache-from: type=gha,scope=debian + cache-to: type=gha,mode=min,scope=debian - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -237,8 +237,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=debian-perl - # cache-to: type=gha,mode=min,scope=debian-perl + cache-from: type=gha,scope=debian-perl + cache-to: type=gha,mode=min,scope=debian-perl - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} 
@@ -355,8 +355,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=debian-otel - # cache-to: type=gha,mode=min,scope=debian-otel + cache-from: type=gha,scope=debian-otel + cache-to: type=gha,mode=min,scope=debian-otel - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/debian-stable.yml b/.github/workflows/debian-stable.yml index 25081da4..9da5b6ba 100644 --- a/.github/workflows/debian-stable.yml +++ b/.github/workflows/debian-stable.yml @@ -114,8 +114,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-debian - # cache-to: type=gha,mode=min,scope=stable-debian + cache-from: type=gha,scope=stable-debian + cache-to: type=gha,mode=min,scope=stable-debian - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -225,8 +225,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-debian-perl - # cache-to: type=gha,mode=min,scope=stable-debian-perl + cache-from: type=gha,scope=stable-debian-perl + cache-to: type=gha,mode=min,scope=stable-debian-perl - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -335,8 +335,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-debian-otel - # cache-to: type=gha,mode=min,scope=stable-debian-otel + cache-from: type=gha,scope=stable-debian-otel + cache-to: type=gha,mode=min,scope=stable-debian-otel - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} 
From 53239549f16dfbeccc9d042a69aa8e2107d8ece6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 Aug 2025 23:59:02 +0000 Subject: [PATCH 03/20] Implement local registry image sharing for Alpine mainline PR builds Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/alpine-mainline.yml | 35 ++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index 6882bdf7..56163091 100644 --- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml @@ -37,6 +37,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -93,6 +98,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim @@ -116,7 +122,7 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=alpine-slim cache-to: type=gha,mode=min,scope=alpine-slim 
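Review bot: `push: true` drops the `github.event_name != 'pull_request'` gate in the `@@ -116,7 +122,7 @@` hunk, but the `images:` list two hunks above still contains `docker.io/nginxinc/nginx-unprivileged`, `ghcr.io/nginx/nginx-unprivileged`, `public.ecr.aws/nginx/nginx-unprivileged` and `quay.io/nginx/nginx-unprivileged` on PR events, so a PR build now attempts to push release tags to the public registries in addition to `localhost:5000`. If the registry login steps are gated on non-PR events (they are outside this hunk) every PR build fails on the first denied push; if any login does run for PRs opened from branches in this repository, an unreviewed PR can publish tags to the release registries. Either keep `push: ${{ github.event_name != 'pull_request' }}` on this step and push to the loopback registry in a separate step, or make each public entry conditional the same way the local one is, e.g. `${{ github.event_name != 'pull_request' && 'docker.io/nginxinc/nginx-unprivileged' || '' }}`.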
@@ -155,6 +161,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -211,6 +222,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} @@ -234,9 +246,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=alpine cache-to: type=gha,mode=min,scope=alpine + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:alpine-slim' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -273,6 +286,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
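Review bot: `build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:alpine-slim' || '' }}` in the `@@ -234,9 +246,10 @@` hunk expects the image the `alpine-slim` job pushed, but `services: registry:` is declared inside this job too, so each job starts its own empty `registry:2` container on its own runner and the pull will fail with a manifest-not-found on PR builds (assuming these are separate jobs, as the separate `runs-on:` blocks suggest). Service containers do not outlive the job that declares them; to hand an image across jobs, export it from the producer with `outputs: type=docker,dest=/tmp/alpine-slim.tar` and `actions/upload-artifact`, then `docker load` it in the consumer, or build slim and alpine in one job. Also, reaching `localhost:5000` from buildx's default docker-container driver requires `driver-opts: network=host` on the setup-buildx step, which is not visible in this hunk and should be confirmed.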
@@ -329,6 +347,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl @@ -352,9 +371,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=alpine-perl cache-to: type=gha,mode=min,scope=alpine-perl + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:alpine' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -391,6 +411,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -447,6 +472,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel 
@@ -470,9 +496,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=alpine-otel cache-to: type=gha,mode=min,scope=alpine-otel + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:alpine' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} From 6e4f6e14bac26c20a92114831a821fe90e4ebf87 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 Aug 2025 00:03:20 +0000 Subject: [PATCH 04/20] Add local registry image sharing to Alpine stable workflow Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/alpine-stable.yml | 35 ++++++++++++++++++++++++--- .github/workflows/debian-mainline.yml | 8 +++++- 2 files changed, 38 insertions(+), 5 deletions(-) diff --git a/.github/workflows/alpine-stable.yml b/.github/workflows/alpine-stable.yml index 3479eff0..c24e1cd8 100644 --- a/.github/workflows/alpine-stable.yml +++ b/.github/workflows/alpine-stable.yml @@ -37,6 +37,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -93,6 +98,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim 
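Review bot: `image: registry:2` in the new `services:` block pins the side-car registry to a mutable tag, while every action in the same hunk is pinned to a full commit SHA (`actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8`); whatever `registry:2` resolves to on the day of the run stores and serves the image bytes that dependent jobs build on, which is exactly the moving-target exposure the SHA pins exist to close. Pin it by digest, `image: registry:2@sha256:<digest>`, and let the same tooling that bumps the action SHAs bump it. The same unpinned tag is repeated in every job's `services:` block across this patch series, so a single pinned value should be used everywhere.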
@@ -112,7 +118,7 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=stable-alpine-slim cache-to: type=gha,mode=min,scope=stable-alpine-slim @@ -147,6 +153,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -203,6 +214,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} @@ -222,9 +234,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=stable-alpine cache-to: type=gha,mode=min,scope=stable-alpine + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable-alpine-slim' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -257,6 +270,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
@@ -313,6 +331,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl @@ -332,9 +351,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=stable-alpine-perl cache-to: type=gha,mode=min,scope=stable-alpine-perl + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable-alpine' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -366,6 +386,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -422,6 +447,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel 
@@ -441,9 +467,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=stable-alpine-otel cache-to: type=gha,mode=min,scope=stable-alpine-otel + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable-alpine' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/debian-mainline.yml b/.github/workflows/debian-mainline.yml index 8a4d4538..e2fea577 100644 --- a/.github/workflows/debian-mainline.yml +++ b/.github/workflows/debian-mainline.yml @@ -37,6 +37,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -93,6 +98,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} @@ -117,7 +123,7 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=debian cache-to: type=gha,mode=min,scope=debian From 31b608672ed5e261b08ea0b1c3a707f3e8cf3c1c Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 Aug 2025 00:04:39 +0000 Subject: [PATCH 05/20] Complete local registry image sharing implementation for all workflows Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/debian-mainline.yml | 29 +++++++++++++++++++++++++-- .github/workflows/debian-stable.yml | 26 +++++++++++++++++++++--- 2 files changed, 50 insertions(+), 5 deletions(-) diff --git a/.github/workflows/debian-mainline.yml b/.github/workflows/debian-mainline.yml index e2fea577..4617dffa 100644 --- a/.github/workflows/debian-mainline.yml +++ b/.github/workflows/debian-mainline.yml @@ -42,6 +42,11 @@ jobs: image: registry:2 ports: - 5000:5000 + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -99,6 +104,7 @@ jobs: public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} @@ -162,6 +168,16 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
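Review bot: The `debian-mainline.yml` hunk at `@@ -42,6 +42,11 @@` adds a second `services:` mapping directly after the one the job already has (the context lines `image: registry:2` / `ports:` / `- 5000:5000` are the tail of that first block), and the `@@ -162,6 +168,16 @@` hunk adds two identical `services:` blocks to another job; a duplicate mapping key is invalid YAML and GitHub will refuse to run the workflow. The `@@ -99,6 +104,7 @@` hunk likewise repeats the `${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }}` line already present in the `images:` list, feeding metadata-action the same image twice. Drop the added `services:` blocks and the repeated images line so each job has exactly one registry service and one local image entry.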
@@ -218,6 +234,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl @@ -242,9 +259,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=debian-perl cache-to: type=gha,mode=min,scope=debian-perl + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:latest' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -281,6 +299,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -337,6 +360,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel 
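Review bot: `build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:latest' || '' }}` in the `debian-perl` job assumes the base Debian job pushed a `latest` tag to the local registry, but the only tags visible for that job in this series are `MAJOR.MINOR.PATCH` and `MAJOR.MINOR.PATCH-DISTRO`; if `latest` is not among the tags outside these hunks the PR build pulls a tag that does not exist. Reference a tag the producer is known to emit, e.g. `IMAGE=localhost:5000/nginx-unprivileged:${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}`, or pass the producer's `digest` output through a job output and pull by digest. A floating `latest` also makes the dependent build non-reproducible across re-runs of the same commit.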
@@ -360,9 +384,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=debian-otel cache-to: type=gha,mode=min,scope=debian-otel + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:latest' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/debian-stable.yml b/.github/workflows/debian-stable.yml index 9da5b6ba..ee20da7e 100644 --- a/.github/workflows/debian-stable.yml +++ b/.github/workflows/debian-stable.yml @@ -37,6 +37,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -93,6 +98,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} @@ -113,7 +119,7 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=stable-debian cache-to: type=gha,mode=min,scope=stable-debian 
@@ -148,6 +154,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -204,6 +215,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl @@ -224,9 +236,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=stable-debian-perl cache-to: type=gha,mode=min,scope=stable-debian-perl + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -259,6 +272,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
@@ -315,6 +333,7 @@ jobs: ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel @@ -334,9 +353,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + push: true cache-from: type=gha,scope=stable-debian-otel cache-to: type=gha,mode=min,scope=stable-debian-otel + build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} From e4e0829bb835bf3d4131c17af6e2196ab457aaad Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 Aug 2025 11:29:58 +0000 Subject: [PATCH 06/20] Implement revised local registry approach for PR builds - Build all images locally using registry during PR builds - Only push to external registries when running from main branch - For PR builds: All jobs push to localhost:5000 registry only - For main builds: All jobs push to external registries only - Remove simultaneous push approach, use conditional registry targets - Add build-args for dependent jobs to use local registry images during PRs Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/alpine-mainline.yml | 36 ++++++++--------- .github/workflows/alpine-stable.yml | 57 ++++++++++++--------------- .github/workflows/debian-mainline.yml | 50 ++++++++--------------- .github/workflows/debian-stable.yml | 41 +++++++++---------- 4 files changed, 76 insertions(+), 108 deletions(-) diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index 56163091..8aa1fd46 100644 --- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml 
@@ -94,11 +94,10 @@ jobs:
 uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
 with:
 images: | 
- docker.io/nginxinc/nginx-unprivileged 
- ghcr.io/nginx/nginx-unprivileged 
- public.ecr.aws/nginx/nginx-unprivileged 
- quay.io/nginx/nginx-unprivileged 
- ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} 
+ ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} 
+ ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} 
+ ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} 
+ ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }}
 tags: |
 type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim
 type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim
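Review bot: The commit message says external registries are pushed only from the main branch, but the new `images:` conditions key solely on `github.event_name != 'pull_request'`, so a `push` to any branch, a `workflow_dispatch` or a `schedule` run (whichever of these the `on:` block declares — it is outside this hunk) still targets `docker.io/nginxinc/nginx-unprivileged` and the three other public registries. For a pipeline that signs what it pushes, the publish decision should be tied to a trusted ref as well as the event, e.g. `${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' && 'docker.io/nginxinc/nginx-unprivileged' || '' }}`, with the same predicate on `push:` and the signing step. Computing that predicate once as a job output of the `version` job and referencing it in all four workflows would keep the four copies from drifting.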
@@ -218,11 +217,10 @@ jobs:
 uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
 with:
 images: | 
- docker.io/nginxinc/nginx-unprivileged 
- ghcr.io/nginx/nginx-unprivileged 
- public.ecr.aws/nginx/nginx-unprivileged 
- quay.io/nginx/nginx-unprivileged 
- ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} 
+ ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} 
+ ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} 
+ ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} 
+ ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }}
 tags: |
 type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine
 type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}
@@ -343,11 +341,10 @@ jobs:
 uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
 with:
 images: | 
- docker.io/nginxinc/nginx-unprivileged 
- ghcr.io/nginx/nginx-unprivileged 
- public.ecr.aws/nginx/nginx-unprivileged 
- quay.io/nginx/nginx-unprivileged 
- ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} 
+ ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} 
+ ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} 
+ ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} 
+ ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }}
 tags: |
 type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl
 type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl
@@ -468,11 +465,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel diff --git a/.github/workflows/alpine-stable.yml b/.github/workflows/alpine-stable.yml index c24e1cd8..6d33ce4f 100644 --- a/.github/workflows/alpine-stable.yml +++ b/.github/workflows/alpine-stable.yml 
@@ -94,11 +94,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim @@ -118,9 +117,9 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=stable-alpine-slim - cache-to: type=gha,mode=min,scope=stable-alpine-slim + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-alpine-slim + # cache-to: type=gha,mode=min,scope=stable-alpine-slim - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} 
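Review bot: In hunk `@@ -118,9 +117,9 @@` the change to `push: ${{ github.event_name != 'pull_request' }}` means the stable slim image is no longer pushed to the job-local registry on PR events, so PR builds of the dependent images no longer consume the slim image built from the same PR — consistent with the `IMAGE=localhost:5000/…` build-arg being dropped in the following hunks, but it silently changes what a PR run validates (presumably the Dockerfiles' default IMAGE; they are not in this diff). The same change is made for stable-alpine-perl and stable-alpine-otel in the next lines and for stable-debian-perl/otel in debian-stable.yml, while the stable-alpine core job (`@@ -237,7 +235,6 @@`) keeps `push: true` and active caching, so sibling jobs now behave differently with nothing explaining why. Commenting out `cache-from`/`cache-to` instead of deleting them leaves dead configuration; if the caches are intentionally disabled, a one-line comment giving the reason should sit above them, otherwise the two lines should go.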
@@ -210,11 +209,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} @@ -237,7 +235,6 @@ jobs: push: true cache-from: type=gha,scope=stable-alpine cache-to: type=gha,mode=min,scope=stable-alpine - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable-alpine-slim' || '' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} 
@@ -327,11 +324,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl @@ -351,10 +347,9 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=stable-alpine-perl - cache-to: type=gha,mode=min,scope=stable-alpine-perl - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable-alpine' || '' }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-alpine-perl + # cache-to: type=gha,mode=min,scope=stable-alpine-perl - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} 
@@ -443,11 +438,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel @@ -467,10 +461,9 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=stable-alpine-otel - cache-to: type=gha,mode=min,scope=stable-alpine-otel - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable-alpine' || '' }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-alpine-otel + # cache-to: type=gha,mode=min,scope=stable-alpine-otel - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/debian-mainline.yml b/.github/workflows/debian-mainline.yml index 4617dffa..d888f12d 100644 --- a/.github/workflows/debian-mainline.yml +++ b/.github/workflows/debian-mainline.yml 
@@ -42,11 +42,6 @@ jobs: image: registry:2 ports: - 5000:5000 - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -99,12 +94,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} @@ -130,9 +123,9 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: true - cache-from: type=gha,scope=debian - cache-to: type=gha,mode=min,scope=debian - + cache-from: type=gha,scope=debian-perl + cache-to: type=gha,mode=min,scope=debian-perl + build-args: ${{ github.event_name == \'pull_request\' && \'IMAGE=localhost:5000/nginx-unprivileged:latest\' || \'\' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} run: | 
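Review bot: The new `build-args:` line in hunk `@@ -130,9 +123,9 @@` escapes its quotes with backslashes (`\'pull_request\'`, `\'\'`); in a plain YAML scalar the backslash is literal and GitHub's expression syntax has no backslash escapes, so the expression is invalid and the workflow will be rejected when parsed — the same escaped form is introduced at `@@ -262,8 +249,7 @@` and `@@ -387,8 +372,7 @@` on the next two lines. The working form is the one the removed lines already had: `build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:latest' || '' }}`. The same hunk also moves the base debian job from `scope=debian` to `scope=debian-perl`, the scope the perl job uses (`@@ -262`), so the two jobs will overwrite each other's GHA cache entries; `scope=debian` should be restored on both cache lines. Passing `IMAGE=localhost:5000/nginx-unprivileged:latest` into the job that produces the `latest` tag itself looks circular unless the base Dockerfile uses an IMAGE arg for something else — worth checking against the Dockerfile.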
@@ -173,11 +166,6 @@ jobs: image: registry:2 ports: - 5000:5000 - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -230,11 +218,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl @@ -262,8 +249,7 @@ jobs: push: true cache-from: type=gha,scope=debian-perl cache-to: type=gha,mode=min,scope=debian-perl - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:latest' || '' }} - + build-args: ${{ github.event_name == \'pull_request\' && \'IMAGE=localhost:5000/nginx-unprivileged:latest\' || \'\' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} run: | 
@@ -356,11 +342,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel @@ -387,8 +372,7 @@ jobs: push: true cache-from: type=gha,scope=debian-otel cache-to: type=gha,mode=min,scope=debian-otel - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:latest' || '' }} - + build-args: ${{ github.event_name == \'pull_request\' && \'IMAGE=localhost:5000/nginx-unprivileged:latest\' || \'\' }} - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} run: | diff --git a/.github/workflows/debian-stable.yml b/.github/workflows/debian-stable.yml index ee20da7e..0ad359e5 100644 --- a/.github/workflows/debian-stable.yml +++ b/.github/workflows/debian-stable.yml 
@@ -94,11 +94,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} 
@@ -211,11 +210,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl @@ -236,10 +234,9 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=stable-debian-perl - cache-to: type=gha,mode=min,scope=stable-debian-perl - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable' || '' }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-debian-perl + # cache-to: type=gha,mode=min,scope=stable-debian-perl - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} 
@@ -329,11 +326,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || '' }} + ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} + ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} + ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel @@ -353,10 +349,9 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=stable-debian-otel - cache-to: type=gha,mode=min,scope=stable-debian-otel - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:stable' || '' }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-debian-otel + # cache-to: type=gha,mode=min,scope=stable-debian-otel - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} From 2a098040f90c7e241a1cdf5e92d44572056eec86 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 20 Aug 2025 13:14:59 +0000
Subject: [PATCH 07/20] Revert all workflow changes and implement new local registry architecture for Alpine mainline
Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com>
---
.github/workflows/alpine-mainline.yml | 504 ++++++++++++----------------
.github/workflows/alpine-stable.yml | 491 -------------------------
.github/workflows/debian-mainline.yml | 63 ++--
.github/workflows/debian-stable.yml | 45 +--
.github/workflows/ossf_scorecard.yml | 2 +-
5 files changed, 264 insertions(+), 841 deletions(-)
delete mode 100644 .github/workflows/alpine-stable.yml
diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml
index 8aa1fd46..fdfac27a 100644
--- a/.github/workflows/alpine-mainline.yml
+++ b/.github/workflows/alpine-mainline.yml
@@ -52,107 +52,26 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 
'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + localhost:5000/nginx-unprivileged tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=${{ needs.version.outputs.major }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=mainline-alpine-slim - type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim type=raw,value=alpine-slim - type=raw,value=alpine${{ needs.version.outputs.distro }}-slim - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build and push NGINX mainline slim Alpine image to local registry id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-slim" labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: true - cache-from: type=gha,scope=alpine-slim - cache-to: type=gha,mode=min,scope=alpine-slim - - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo 
"$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ 
needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + # cache-from: type=gha,scope=alpine-slim + # cache-to: type=gha,mode=min,scope=alpine-slim core: name: Build Alpine NGINX mainline Docker image 
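Review bot: The build step now does `push: true` to `localhost:5000`, but the `Set up Docker Buildx` step shown in the context has no `with:` block, so the builder presumably runs under the default docker-container driver; inside that container `localhost:5000` is the BuildKit container's own loopback, not the job's registry service, and the push cannot reach the registry unless the builder is put on the host network. Adding `with:` / `  driver-opts: network=host` to the setup-buildx step is the usual fix for a job-local registry. This hunk also deletes every registry login and the `Sign Docker Hub Manifest` step from the slim job, so after this commit the mainline Alpine slim image is neither published to the public registries nor signed by this workflow; if that is deferred to a later job or patch, a comment on the job saying where publication now happens would save the next reader the search. The `services:` registry definition this relies on is outside the hunk.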
@@ -175,108 +94,28 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 
'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + localhost:5000/nginx-unprivileged tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}-alpine - type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=mainline-alpine - type=raw,value=mainline-alpine${{ needs.version.outputs.distro }} type=raw,value=alpine - type=raw,value=alpine${{ needs.version.outputs.distro }} - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build and push NGINX mainline Alpine image to local registry id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine" labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} + build-args: | + IMAGE=localhost:5000/nginx-unprivileged:alpine-slim push: true - cache-from: type=gha,scope=alpine - cache-to: type=gha,mode=min,scope=alpine - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:alpine-slim' || '' }} - - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex 
- sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + # cache-from: type=gha,scope=debian-perl + # cache-to: type=gha,mode=min,scope=debian-perl perl: name: Build Alpine NGINX mainline perl Docker image 
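Review bot: The core job now builds with `IMAGE=localhost:5000/nginx-unprivileged:alpine-slim`, but a `services:` registry container is scoped to the job that declares it and each job runs on its own runner, so the image the slim job pushed is not present in this job's `localhost:5000` unless something outside this hunk (an artifact upload/download or an exported cache) carries it across; as written the base-image pull is likely to fail. The commented cache lines at the end of the hunk also name the wrong scope — `# cache-from: type=gha,scope=debian-perl` inside an Alpine job; they should read `scope=alpine` so that re-enabling them does not share a cache with the Debian perl job. The removed login and signing steps raise the same publication question as in the slim job above.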
@@ -299,108 +138,28 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 
'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + localhost:5000/nginx-unprivileged tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=mainline-alpine-perl - type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-perl type=raw,value=alpine-perl - type=raw,value=alpine${{ needs.version.outputs.distro }}-perl - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build and push NGINX mainline perl Alpine image to local registry id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-perl" labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} + build-args: | + IMAGE=localhost:5000/nginx-unprivileged:alpine push: true - cache-from: type=gha,scope=alpine-perl - cache-to: type=gha,mode=min,scope=alpine-perl - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:alpine' || '' }} - - - name: Sign Docker Hub Manifest - 
if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-perl $SIZE --sha256 
$DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + # cache-from: type=gha,scope=alpine-perl + # cache-to: type=gha,mode=min,scope=alpine-perl otel: name: Build Alpine NGINX mainline otel Docker image 
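Review bot: `build-args: | IMAGE=localhost:5000/nginx-unprivileged:alpine` now applies on every event, but a `services:` registry container is created fresh for each job, so the `alpine` tag the `core` job pushes to its own `localhost:5000` is not reachable from the perl job's runner; unless a step outside this hunk rebuilds or re-pushes the base image into this job's registry, the perl build has no base to pull. The same applies to the otel job in the `@@ -408,6 +167,49 @@` hunk, where the full step list is visible and contains no step that populates the local registry before the otel build. The old cache settings are kept as `# cache-from: ...` / `# cache-to: ...` comments rather than removed; commented-out config in a workflow tends to be re-enabled without review, so either drop the two lines or add a one-line comment stating why caching is disabled. The perl job's header and its `services:` block lie outside this hunk.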
@@ -408,6 +167,49 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 + steps: + - name: Check out the codebase + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Extract metadata (annotations, labels, tags) for Docker + id: meta + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + localhost:5000/nginx-unprivileged + tags: | + type=raw,value=alpine-otel + + - name: Build and push NGINX mainline otel Alpine image to local registry + id: build + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm64 + context: "{{ defaultContext }}:mainline/alpine-otel" + labels: ${{ steps.meta.outputs.labels }} + tags: ${{ steps.meta.outputs.tags }} + build-args: | + IMAGE=localhost:5000/nginx-unprivileged:alpine + push: true + # cache-from: type=gha,scope=alpine-otel + # cache-to: type=gha,mode=min,scope=alpine-otel + + publish: + name: Publish images to external registries + needs: [version, slim, core, perl, otel] + runs-on: ubuntu-24.04 + if: ${{ github.event_name != 'pull_request' }} services: registry: image: registry:2 @@ -424,7 +226,6 @@ jobs: uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} 
@@ -432,20 +233,17 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io 
@@ -453,22 +251,127 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta + # Publish Alpine slim image + - name: Extract metadata for Alpine slim image + id: meta-slim + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=${{ needs.version.outputs.major }}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=mainline-alpine-slim + type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=alpine-slim + type=raw,value=alpine${{ needs.version.outputs.distro }}-slim + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Re-tag and push Alpine slim image to external registries + id: build-slim + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, 
linux/s390x + context: "{{ defaultContext }}:mainline/alpine-slim" + labels: ${{ steps.meta-slim.outputs.labels }} + annotations: ${{ steps.meta-slim.outputs.annotations }} + tags: ${{ steps.meta-slim.outputs.tags }} + push: true + + # Publish Alpine core image + - name: Extract metadata for Alpine core image + id: meta-core uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}-alpine + type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=mainline-alpine + type=raw,value=mainline-alpine${{ needs.version.outputs.distro }} + type=raw,value=alpine + type=raw,value=alpine${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Re-tag and push Alpine core image to external registries + id: build-core + uses: 
docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + context: "{{ defaultContext }}:mainline/alpine" + labels: ${{ steps.meta-core.outputs.labels }} + annotations: ${{ steps.meta-core.outputs.annotations }} + tags: ${{ steps.meta-core.outputs.tags }} + push: true + + # Publish Alpine perl image + - name: Extract metadata for Alpine perl image + id: meta-perl + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=mainline-alpine-perl + type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=alpine-perl + type=raw,value=alpine${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Re-tag and push Alpine perl image to external registries + id: build-perl + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, 
linux/ppc64le, linux/riscv64, linux/s390x + context: "{{ defaultContext }}:mainline/alpine-perl" + labels: ${{ steps.meta-perl.outputs.labels }} + annotations: ${{ steps.meta-perl.outputs.annotations }} + tags: ${{ steps.meta-perl.outputs.tags }} + push: true + + # Publish Alpine otel image + - name: Extract metadata for Alpine otel image + id: meta-otel + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel 
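Review bot: The steps named `Re-tag and push Alpine slim/core/perl image to external registries` (`id: build-slim`, `build-core`, `build-perl`) each run `docker/build-push-action` with a Dockerfile `context:`, which is a full rebuild for all eight platforms rather than a re-tag, so the manifests that get published and later signed are not the images the `slim`/`core`/`perl`/`otel` jobs built and pushed to their local registries, and a rebuild in a later job can resolve different upstream packages. The core and perl steps also carry no `build-args: IMAGE=...`, so each is built on the Dockerfile's default base instead of the image produced earlier in this run; the otel step in the `@@ -483,22 +386,19 @@` hunk has the same gap. Because a job's service registry does not outlive the job, a true promotion needs the built image handed across jobs (for example exported as an OCI layout artifact and imported here, or `docker buildx imagetools create` against a registry both jobs can reach); failing that, rename the steps to `Build and push ...` and put `# NOTE: rebuilds from the Dockerfile; the published image is not the one built in the earlier jobs` above each so the gap is explicit. The `publish` job's header is outside this hunk.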
@@ -483,22 +386,19 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline otel Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay - id: build + - name: Re-tag and push Alpine otel image to external registries + id: build-otel uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm64 context: "{{ defaultContext }}:mainline/alpine-otel" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta-otel.outputs.labels }} + annotations: ${{ steps.meta-otel.outputs.annotations }} + tags: ${{ steps.meta-otel.outputs.tags }} push: true - cache-from: type=gha,scope=alpine-otel - cache-to: type=gha,mode=min,scope=alpine-otel - build-args: ${{ github.event_name == 'pull_request' && 'IMAGE=localhost:5000/nginx-unprivileged:alpine' || '' }} - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} + # Docker Hub signing for all images + - name: Sign Docker Hub Manifests run: | set -ex sudo apt update 
@@ -507,9 +407,53 @@ jobs: echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + + # Sign Alpine slim image + DIGEST=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s 
https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + + # Sign Alpine core image + DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + + # Sign Alpine perl image + DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch 
}}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + + # Sign 
Alpine otel image + DIGEST=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose diff --git a/.github/workflows/alpine-stable.yml b/.github/workflows/alpine-stable.yml deleted file mode 100644 index 6d33ce4f..00000000 --- a/.github/workflows/alpine-stable.yml +++ /dev/null 
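Review bot: The four new `DIGEST=$(printf '${{ steps.build-*.outputs.metadata }}' | jq ...)` / `SIZE=...` pairs splice the build metadata JSON straight into the script body, so under `set -ex` the whole JSON is echoed to the job log and any single quote inside it (the descriptor can carry the index-level annotations the metadata action derives from repository data) would end the quoted string and be parsed as shell; the JSON is also used as the `printf` format string, so a literal `%` would be mangled. The signing key in this same script is already read from the environment (`"$DOCKER_CONTENT_TRUST_REPOSITORY_KEY"`), so the safer form is `SLIM_METADATA: ${{ steps.build-slim.outputs.metadata }}` in the step's `env:` block and `DIGEST=$(printf '%s' "$SLIM_METADATA" | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)` in the script, likewise for core, perl and otel. The `export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" ...)` context line would benefit from the same treatment, since `set -x` traces that command line. The step's `env:` block and the end of the script are outside this hunk.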
@@ -1,491 +0,0 @@ ---- -name: Alpine Stable -on: - pull_request: - merge_group: - schedule: - - cron: "0 0 * * 1" - workflow_dispatch: -jobs: - version: - name: Fetch NGINX stable version - runs-on: ubuntu-24.04 - outputs: - major: ${{ steps.nginx_version.outputs.major }} - minor: ${{ steps.nginx_version.outputs.minor }} - patch: ${{ steps.nginx_version.outputs.patch }} - distro: ${{ steps.distro_version.outputs.release }} - steps: - - name: Check out the codebase - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Parse NGINX stable version - id: nginx_version - run: | - echo "major=$(cat update.sh | grep -m1 '\[stable\]=' | cut -d"'" -f2 | cut -d"." -f1)" >> "$GITHUB_OUTPUT" - echo "minor=$(cat update.sh | grep -m1 '\[stable\]=' | cut -d"'" -f2 | cut -d"." -f2)" >> "$GITHUB_OUTPUT" - echo "patch=$(cat update.sh | grep -m1 '\[stable\]=' | cut -d"'" -f2 | cut -d"." -f3)" >> "$GITHUB_OUTPUT" - - - name: Parse Alpine version - id: distro_version - run: | - echo "release=$(cat update.sh | grep -m8 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" - - slim: - name: Build Alpine NGINX stable slim Docker image - needs: version - runs-on: ubuntu-24.04 - strategy: - fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 - steps: - - name: Check out the codebase - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 
- - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim - 
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=stable-alpine-slim - type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-slim - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Build and push NGINX stable slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:stable/alpine-slim" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-alpine-slim - # cache-to: type=gha,mode=min,scope=stable-alpine-slim - - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor 
}}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - - core: - name: Build Alpine NGINX stable Docker image - needs: [version, slim] - runs-on: ubuntu-24.04 - strategy: - fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 - steps: - - name: Check out the codebase - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up QEMU - uses: 
docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 
'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=stable-alpine - type=raw,value=stable-alpine${{ needs.version.outputs.distro }} - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Build and push NGINX stable Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:stable/alpine" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=stable-alpine - cache-to: type=gha,mode=min,scope=stable-alpine - - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ 
steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - 
NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - - perl: - name: Build Alpine NGINX stable perl Docker image - needs: [version, core] - runs-on: ubuntu-24.04 - strategy: - fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 - steps: - - name: Check out the codebase - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - - name: 
Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=stable-alpine-perl - type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-perl - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Build and push NGINX stable perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:stable/alpine-perl" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-alpine-perl - # cache-to: type=gha,mode=min,scope=stable-alpine-perl - - - name: 
Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-perl $SIZE --sha256 
$DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - otel: - name: Build Alpine NGINX stable otel Docker image - needs: [version, core] - runs-on: ubuntu-24.04 - strategy: - fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 - steps: - - name: Check out the codebase - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to 
GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel - type=raw,value=stable-alpine-otel - type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-otel - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Build and push NGINX stable otel Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay - id: build - uses: 
docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm64 - context: "{{ defaultContext }}:stable/alpine-otel" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-alpine-otel - # cache-to: type=gha,mode=min,scope=stable-alpine-otel - - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ 
needs.version.outputs.minor }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} diff --git a/.github/workflows/debian-mainline.yml b/.github/workflows/debian-mainline.yml index d888f12d..90a3dfa0 100644 --- a/.github/workflows/debian-mainline.yml +++ b/.github/workflows/debian-mainline.yml @@ -37,11 +37,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
@@ -94,10 +89,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} @@ -122,10 +117,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=debian-perl - cache-to: type=gha,mode=min,scope=debian-perl - build-args: ${{ github.event_name == \'pull_request\' && \'IMAGE=localhost:5000/nginx-unprivileged:latest\' || \'\' }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=debian-perl + # cache-to: type=gha,mode=min,scope=debian-perl + - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} run: | @@ -161,11 +156,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
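Review bot: The commented-out cache lines kept on the new side of `@@ -122,10 +117,10 @@` carry `scope=debian-perl`, yet this is the build step of the job whose tags in `@@ -94,10 +89,10 @@` have no `-perl` suffix (the core Debian image), and the perl job's hunk `@@ -246,10 +236,10 @@` on the next line uses the very same scope. If the lines are ever un-commented the two jobs would share one GHA cache scope, so one build could evict or overwrite the other's layers, which looks like a copy-paste slip worth fixing while the lines are being touched: `# cache-from: type=gha,scope=debian` and `# cache-to: type=gha,mode=min,scope=debian` (scope name constructed to match the `stable-debian` convention visible in the debian-stable hunks; pick whatever the repository uses). Since the lines are kept only as a comment, a one-line reason for disabling the cache would also help the next reader, e.g. `# cache disabled: PR builds are not pushed and must not populate the release cache scope`, stated as whatever the actual reason was. The enclosing build step and job start outside the hunk.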
@@ -218,10 +208,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl @@ -246,10 +236,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=debian-perl - cache-to: type=gha,mode=min,scope=debian-perl - build-args: ${{ github.event_name == \'pull_request\' && \'IMAGE=localhost:5000/nginx-unprivileged:latest\' || \'\' }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=debian-perl + # cache-to: type=gha,mode=min,scope=debian-perl + - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} run: | @@ -285,11 +275,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
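Review bot: With the `build-args: ... IMAGE=localhost:5000/nginx-unprivileged:latest ...` line and the local `registry:2` service removed in `@@ -246,10 +236,10 @@` (the otel hunk `@@ -369,10 +354,10 @@` on the next line does the same), nothing in a pull_request run tells the perl Dockerfile to build on the image produced by the same PR; presumably the `IMAGE` build arg now falls back to its Dockerfile default, which I cannot see here but is likely a published tag, so a PR that changes the core image would not be exercised by the perl/otel builds until after it is merged and pushed. If that trade-off is intended, record it next to the new `push:` line, e.g. `# PR builds use the published base image; the core image built in this run is no longer wired into the perl/otel builds`; otherwise the dependency on the in-run core image needs to be restored in some form, which is outside this hunk. The build step and its job start outside the hunk.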
@@ -342,10 +327,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel @@ -369,10 +354,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=debian-otel - cache-to: type=gha,mode=min,scope=debian-otel - build-args: ${{ github.event_name == \'pull_request\' && \'IMAGE=localhost:5000/nginx-unprivileged:latest\' || \'\' }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=debian-otel + # cache-to: type=gha,mode=min,scope=debian-otel + - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} run: | diff --git a/.github/workflows/debian-stable.yml b/.github/workflows/debian-stable.yml index 0ad359e5..25081da4 100644 --- a/.github/workflows/debian-stable.yml +++ b/.github/workflows/debian-stable.yml 
@@ -37,11 +37,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -94,10 +89,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} @@ -118,9 +113,9 @@ jobs: labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - cache-from: type=gha,scope=stable-debian - cache-to: type=gha,mode=min,scope=stable-debian + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-debian + # cache-to: type=gha,mode=min,scope=stable-debian - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} @@ -153,11 +148,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
@@ -210,10 +200,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl @@ -269,11 +259,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
@@ -326,10 +311,10 @@ jobs: uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - ${{ github.event_name == 'pull_request' && 'localhost:5000/nginx-unprivileged' || 'docker.io/nginxinc/nginx-unprivileged' }} - ${{ github.event_name != 'pull_request' && 'ghcr.io/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'public.ecr.aws/nginx/nginx-unprivileged' || '' }} - ${{ github.event_name != 'pull_request' && 'quay.io/nginx/nginx-unprivileged' || '' }} + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel diff --git a/.github/workflows/ossf_scorecard.yml b/.github/workflows/ossf_scorecard.yml index 22c97d0f..014a036e 100644 --- a/.github/workflows/ossf_scorecard.yml +++ b/.github/workflows/ossf_scorecard.yml @@ -47,6 +47,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: Upload SARIF results to code scanning - uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.5 + uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.5 with: sarif_file: results.sarif From 1bc9e592b1eac7cfabe1b3b4733dc96c723c5cdd Mon Sep 17 00:00:00 2001 
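Review bot: The pinned SHA for `github/codeql-action/upload-sarif` changes from `96f518a3…` to `76621b61…` but the trailing `# v3.29.5` comment is unchanged, so the comment now matches at most one of the two pins. That comment is what reviewers and update tooling use to audit a SHA pin, so confirm which release tag `76621b61decf072c1cee8dd1ce2d2a82d33c17ed` resolves to and set the comment to it, e.g. `uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # <resolved tag>`.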
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 Aug 2025 13:25:04 +0000 Subject: [PATCH 08/20] Complete local registry implementation for all workflows with revised architecture Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/alpine-stable.yml | 439 ++++++++++++++++++++++++++ .github/workflows/debian-mainline.yml | 384 +++++++++++----------- .github/workflows/debian-stable.yml | 354 ++++++++++----------- 3 files changed, 798 insertions(+), 379 deletions(-) create mode 100644 .github/workflows/alpine-stable.yml diff --git a/.github/workflows/alpine-stable.yml b/.github/workflows/alpine-stable.yml new file mode 100644 index 00000000..519bf260 --- /dev/null +++ b/.github/workflows/alpine-stable.yml 
@@ -0,0 +1,439 @@
+---
+name: Alpine Stable
+on:
+ pull_request:
+ merge_group:
+ schedule:
+ - cron: "0 0 * * 1"
+ workflow_dispatch:
+jobs:
+ version:
+ name: Fetch NGINX stable version
+ runs-on: ubuntu-24.04
+ outputs:
+ major: ${{ steps.nginx_version.outputs.major }}
+ minor: ${{ steps.nginx_version.outputs.minor }}
+ patch: ${{ steps.nginx_version.outputs.patch }}
+ distro: ${{ steps.distro_version.outputs.release }}
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Parse NGINX stable version
+ id: nginx_version
+ run: |
+ echo "major=$(cat update.sh | grep -m1 '\[stable\]=' | cut -d"'" -f2 | cut -d"." -f1)" >> "$GITHUB_OUTPUT"
+ echo "minor=$(cat update.sh | grep -m1 '\[stable\]=' | cut -d"'" -f2 | cut -d"." -f2)" >> "$GITHUB_OUTPUT"
+ echo "patch=$(cat update.sh | grep -m1 '\[stable\]=' | cut -d"'" -f2 | cut -d"." -f3)" >> "$GITHUB_OUTPUT"
+
+ - name: Parse Alpine version
+ id: distro_version
+ run: |
+ echo "release=$(cat update.sh | grep -m8 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
+
+ slim:
+ name: Build Alpine NGINX stable slim Docker image
+ needs: version
+ runs-on: ubuntu-24.04
+ strategy:
+ fail-fast: false
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+ - name: Extract metadata (annotations, labels, tags) for Docker
+ id: meta
+ uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+ with:
+ images: |
+ localhost:5000/nginx-unprivileged
+ tags: |
+ type=raw,value=alpine-slim
+
+ - name: Build and push NGINX stable slim Alpine image to local registry
+ id: build
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
+ context: "{{ defaultContext }}:stable/alpine-slim"
+ labels: ${{ steps.meta.outputs.labels }}
+ tags: ${{ steps.meta.outputs.tags }}
+ push: true
+ # cache-from: type=gha,scope=stable-alpine-slim
+ # cache-to: type=gha,mode=min,scope=stable-alpine-slim
+
+ core:
+ name: Build Alpine NGINX stable Docker image
+ needs: [version, slim]
+ runs-on: ubuntu-24.04
+ strategy:
+ fail-fast: false
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+ - name: Extract metadata (annotations, labels, tags) for Docker
+ id: meta
+ uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+ with:
+ images: |
+ localhost:5000/nginx-unprivileged
+ tags: |
+ type=raw,value=alpine
+
+ - name: Build and push NGINX stable Alpine image to local registry
+ id: build
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
+ context: "{{ defaultContext }}:stable/alpine"
+ labels: ${{ steps.meta.outputs.labels }}
+ tags: ${{ steps.meta.outputs.tags }}
+ build-args: |
+ IMAGE=localhost:5000/nginx-unprivileged:alpine-slim
+ push: true
+ # cache-from: type=gha,scope=stable-alpine
+ # cache-to: type=gha,mode=min,scope=stable-alpine
+
+ perl:
+ name: Build Alpine NGINX stable perl Docker image
+ needs: [version, core]
+ runs-on: ubuntu-24.04
+ strategy:
+ fail-fast: false
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+ - name: Extract metadata (annotations, labels, tags) for Docker
+ id: meta
+ uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+ with:
+ images: |
+ localhost:5000/nginx-unprivileged
+ tags: |
+ type=raw,value=alpine-perl
+
+ - name: Build and push NGINX stable perl Alpine image to local registry
+ id: build
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
+ context: "{{ defaultContext }}:stable/alpine-perl"
+ labels: ${{ steps.meta.outputs.labels }}
+ tags: ${{ steps.meta.outputs.tags }}
+ build-args: |
+ IMAGE=localhost:5000/nginx-unprivileged:alpine
+ push: true
+ # cache-from: type=gha,scope=stable-alpine-perl
+ # cache-to: type=gha,mode=min,scope=stable-alpine-perl
+
+ otel:
+ name: Build Alpine NGINX stable otel Docker image
+ needs: [version, core]
+ runs-on: ubuntu-24.04
+ strategy:
+ fail-fast: false
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+ - name: Extract metadata (annotations, labels, tags) for Docker
+ id: meta
+ uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+ with:
+ images: |
+ localhost:5000/nginx-unprivileged
+ tags: |
+ type=raw,value=alpine-otel
+
+ - name: Build and push NGINX stable otel Alpine image to local registry
+ id: build
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ platforms: linux/amd64, linux/arm64
+ context: "{{ defaultContext }}:stable/alpine-otel"
+ labels: ${{ steps.meta.outputs.labels }}
+ tags: ${{ steps.meta.outputs.tags }}
+ build-args: |
+ IMAGE=localhost:5000/nginx-unprivileged:alpine
+ push: true
+ # cache-from: type=gha,scope=stable-alpine-otel
+ # cache-to: type=gha,mode=min,scope=stable-alpine-otel
+
+ publish:
+ name: Publish images to external registries
+ needs: [version, slim, core, perl, otel]
+ runs-on: ubuntu-24.04
+ if: ${{ github.event_name != 'pull_request' }}
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+ with:
+ aws-region: ${{ secrets.AWS_REGION }}
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ - name: Login to Amazon ECR Public Gallery
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+ with:
+ registry: public.ecr.aws
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Login to Quay
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USERNAME }}
+ password: ${{ secrets.QUAY_TOKEN }}
+
+ # Publish Alpine slim image
+ - name: Extract metadata for Alpine slim image
+ id: meta-slim
+ uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+ with:
+ images: |
+ docker.io/nginxinc/nginx-unprivileged
+ ghcr.io/nginx/nginx-unprivileged
+ public.ecr.aws/nginx/nginx-unprivileged
+ quay.io/nginx/nginx-unprivileged
+ tags: |
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim
+ type=raw,value=stable-alpine-slim
+ type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-slim
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Re-tag and push Alpine slim image to external registries
+ id: build-slim
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
+ context: "{{ defaultContext }}:stable/alpine-slim"
+ labels: ${{ steps.meta-slim.outputs.labels }}
+ annotations: ${{ steps.meta-slim.outputs.annotations }}
+ tags: ${{ steps.meta-slim.outputs.tags }}
+ push: true
+
+ # Publish Alpine core image
+ - name: Extract metadata for Alpine core image
+ id: meta-core
+ uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+ with:
+ images: |
+ docker.io/nginxinc/nginx-unprivileged
+ ghcr.io/nginx/nginx-unprivileged
+ public.ecr.aws/nginx/nginx-unprivileged
+ quay.io/nginx/nginx-unprivileged
+ tags: |
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}
+ type=raw,value=stable-alpine
+ type=raw,value=stable-alpine${{ needs.version.outputs.distro }}
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Re-tag and push Alpine core image to external registries
+ id: build-core
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
+ context: "{{ defaultContext }}:stable/alpine"
+ labels: ${{ steps.meta-core.outputs.labels }}
+ annotations: ${{ steps.meta-core.outputs.annotations }}
+ tags: ${{ steps.meta-core.outputs.tags }}
+ push: true
+
+ # Publish Alpine perl image
+ - name: Extract metadata for Alpine perl image
+ id: meta-perl
+ uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+ with:
+ images: |
+ docker.io/nginxinc/nginx-unprivileged
+ ghcr.io/nginx/nginx-unprivileged
+ public.ecr.aws/nginx/nginx-unprivileged
+ quay.io/nginx/nginx-unprivileged
+ tags: |
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl
+ type=raw,value=stable-alpine-perl
+ type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-perl
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Re-tag and push Alpine perl image to external registries
+ id: build-perl
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
+ context: "{{ defaultContext }}:stable/alpine-perl"
+ labels: ${{ steps.meta-perl.outputs.labels }}
+ annotations: ${{ steps.meta-perl.outputs.annotations }}
+ tags: ${{ steps.meta-perl.outputs.tags }}
+ push: true
+
+ # Publish Alpine otel image
+ - name: Extract metadata for Alpine otel image
+ id: meta-otel
+ uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+ with:
+ images: |
+ docker.io/nginxinc/nginx-unprivileged
+ ghcr.io/nginx/nginx-unprivileged
+ public.ecr.aws/nginx/nginx-unprivileged
+ quay.io/nginx/nginx-unprivileged
+ tags: |
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel
+ type=raw,value=stable-alpine-otel
+ type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-otel
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Re-tag and push Alpine otel image to external registries
+ id: build-otel
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ platforms: linux/amd64, linux/arm64
+ context: "{{ defaultContext }}:stable/alpine-otel"
+ labels: ${{ steps.meta-otel.outputs.labels }}
+ annotations: ${{ steps.meta-otel.outputs.annotations }}
+ tags: ${{ steps.meta-otel.outputs.tags }}
+ push: true
+
+ # Docker Hub signing for all images
+ - name: Sign Docker Hub Manifests
+ run: |
+ set -ex
+ sudo apt update
+ sudo apt install -y notary
+ mkdir -p ~/.docker/trust/private
+ echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
+ chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
+ docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx
+ export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
+
+ # Sign Alpine slim image
+ DIGEST=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
+ SIZE=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
+
+ # Sign Alpine core image
+ DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
+ SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
+
+ # Sign Alpine perl image
+ DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
+ SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
+
+ # Sign Alpine otel image
+ DIGEST=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
+ SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+ env:
+ DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
+ DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
+ DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+ NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
\ No newline at end of file
diff --git a/.github/workflows/debian-mainline.yml b/.github/workflows/debian-mainline.yml
index 90a3dfa0..e83d282a 100644
--- a/.github/workflows/debian-mainline.yml
+++ b/.github/workflows/debian-mainline.yml
@@ -37,6 +37,11 @@ jobs:
 runs-on: ubuntu-24.04
 strategy:
 fail-fast: false
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
 steps:
 - name: Check out the codebase
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
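Review bot: The local registry in this new file cannot carry images between jobs: `services: registry:` is declared per job, and each GitHub Actions job runs on a fresh runner with its own service containers, so the `registry:2` that `slim` pushed `alpine-slim` into is gone by the time `core` passes `IMAGE=localhost:5000/nginx-unprivileged:alpine-slim` as a build arg (likewise `perl` and `otel` with `:alpine`); unless something outside this file shares that state, those base pulls will fail. The `publish` job compounds this: its "Re-tag and push" steps are full rebuilds from `context:` with no `build-args`, so what is pushed to the four external registries and then signed with notary is not the artifact the earlier jobs built, and the job's own `registry:2` service is never referenced by any of its steps. Either build and publish within one job, or hand the verified image forward (upload it as a workflow artifact, or publish by digest instead of rebuilding) so the signed manifest is the one that was tested. Separately, the file has no `permissions:` block while `Login to GitHub Container Registry` pushes with `secrets.GITHUB_TOKEN`, so the token's rights come from the repository default; a top-level `permissions:` granting `contents: read` and `packages: write` scopes it to what the workflow needs. The `@@ -37,6 +37,11 @@` hunk of debian-mainline.yml adds the same per-job registry.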
@@ -47,108 +52,26 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged + localhost:5000/nginx-unprivileged tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} - type=raw,value=${{ 
needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }} - type=raw,value=${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }} - type=raw,value=mainline - type=raw,value=mainline-${{ needs.version.outputs.distro }} type=raw,value=latest - type=raw,value=${{ needs.version.outputs.distro }} - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build and push NGINX mainline Debian image to local registry id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x - # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/debian" labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=debian-perl - # cache-to: type=gha,mode=min,scope=debian-perl - - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 
~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged mainline $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged latest $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + push: true + # cache-from: type=gha,scope=debian + # cache-to: type=gha,mode=min,scope=debian perl: name: Build Debian NGINX mainline perl Docker image @@ -156,6 +79,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
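Review bot: The new `push: true` to `localhost:5000/nginx-unprivileged` will not reach the service container with the buildx builder as configured: the context lines show `docker/setup-buildx-action@e468171…` immediately followed by the removed AWS step, i.e. no `with:` block, and the default docker-container driver has its own network namespace in which `localhost:5000` is not the runner's host port. Add `with:` / `driver-opts: network=host` to the Set up Docker Buildx step (or push to the service by its hostname) so the push and the later `FROM localhost:5000/…` resolve. Dropping the four login steps and the signing step from this job is the right least-privilege outcome — the build job no longer holds registry tokens or the DCT key — and is worth stating in the commit message. The `platforms:` change (drops `linux/mips64le`, adds `linux/arm/v6` and `linux/riscv64`) is unrelated to layer caching or image sharing and should be a separate commit so it can be reviewed and reverted on its own.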
@@ -166,115 +94,83 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged + localhost:5000/nginx-unprivileged tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl - type=raw,value=${{ 
needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}-perl - type=raw,value=${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=mainline-perl - type=raw,value=mainline-${{ needs.version.outputs.distro }}-perl - type=raw,value=perl - type=raw,value=${{ needs.version.outputs.distro }}-perl - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + type=raw,value=latest-perl - - name: Build and push NGINX mainline perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build and push NGINX mainline perl Debian image to local registry id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x - # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/debian-perl" labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} + build-args: | + IMAGE=localhost:5000/nginx-unprivileged:latest + push: true # cache-from: type=gha,scope=debian-perl # cache-to: type=gha,mode=min,scope=debian-perl - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir 
-p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ 
needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - otel: name: Build Debian NGINX mainline otel Docker image needs: [version, core] runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 + steps: + - name: Check out the codebase + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Extract metadata (annotations, labels, tags) for Docker + id: meta + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + localhost:5000/nginx-unprivileged + tags: | + type=raw,value=latest-otel + + - 
name: Build and push NGINX mainline otel Debian image to local registry + id: build + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm64 + context: "{{ defaultContext }}:mainline/debian-otel" + labels: ${{ steps.meta.outputs.labels }} + tags: ${{ steps.meta.outputs.tags }} + build-args: | + IMAGE=localhost:5000/nginx-unprivileged:latest + push: true + # cache-from: type=gha,scope=debian-otel + # cache-to: type=gha,mode=min,scope=debian-otel + + publish: + name: Publish images to external registries + needs: [version, core, perl, otel] + runs-on: ubuntu-24.04 + if: ${{ github.event_name != 'pull_request' }} + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -286,7 +182,6 @@ jobs: uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} @@ -294,20 +189,17 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io 
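Review bot: `build-args: IMAGE=localhost:5000/nginx-unprivileged:latest` in the `perl` and `otel` jobs points at the `registry:2` service declared in the same job, which starts empty — `needs: [version, core]` only orders the jobs, it does not carry the `core` job's service container over, so the Dockerfile's `FROM ${IMAGE}` should fail with a manifest-unknown or connection error on the first PR run. To actually share the image, export it from `core` with `outputs: type=oci,dest=/tmp/nginx-unprivileged.tar` plus `actions/upload-artifact`, then in `perl`/`otel` download it and load it into the local registry (`docker buildx imagetools create` or `skopeo copy oci-archive:… docker://localhost:5000/…`) before the build; alternatively build core, perl and otel in one job. The `publish` job also declares the registry service but never reads from it — every step there has a `context:` and rebuilds from source — so either drop the service from `publish` or make publishing consume the shared artifact. The `perl` and `otel` jobs keep `cache-from`/`cache-to` commented out, so the "Docker layer caching" in the commit title currently applies only to the Alpine workflows.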
@@ -315,15 +207,85 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta + # Publish Debian core image + - name: Extract metadata for Debian core image + id: meta-core + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }} + type=raw,value=${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }} + type=raw,value=mainline + type=raw,value=mainline-${{ needs.version.outputs.distro }} + type=raw,value=latest + type=raw,value=${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Re-tag and push Debian core image to external registries + id: build-core + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + context: "{{ defaultContext }}:mainline/debian" + labels: ${{ steps.meta-core.outputs.labels }} + 
annotations: ${{ steps.meta-core.outputs.annotations }} + tags: ${{ steps.meta-core.outputs.tags }} + push: true + + # Publish Debian perl image + - name: Extract metadata for Debian perl image + id: meta-perl + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}-perl + type=raw,value=${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=mainline-perl + type=raw,value=mainline-${{ needs.version.outputs.distro }}-perl + type=raw,value=perl + type=raw,value=${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Re-tag and push Debian perl image to external registries + id: build-perl + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + context: "{{ defaultContext }}:mainline/debian-perl" + labels: ${{ steps.meta-perl.outputs.labels }} + annotations: ${{ steps.meta-perl.outputs.annotations }} + tags: ${{ steps.meta-perl.outputs.tags }} + push: true + + # Publish Debian otel image + - name: Extract metadata for Debian otel image + id: meta-otel uses: 
docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | @@ -345,21 +307,19 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline otel Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay - id: build + - name: Re-tag and push Debian otel image to external registries + id: build-otel uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm64 context: "{{ defaultContext }}:mainline/debian-otel" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=debian-otel - # cache-to: type=gha,mode=min,scope=debian-otel + labels: ${{ steps.meta-otel.outputs.labels }} + annotations: ${{ steps.meta-otel.outputs.annotations }} + tags: ${{ steps.meta-otel.outputs.tags }} + push: true - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} + # Docker Hub signing for all images + - name: Sign Docker Hub Manifests run: | set -ex sudo apt update 
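Review bot: The steps named "Re-tag and push … to external registries" are full rebuilds, not re-tags: `build-core` and `build-perl` run `docker/build-push-action` with `context: "{{ defaultContext }}:mainline/debian"` / `:mainline/debian-perl` and no `cache-from`, so the digests that get published and then signed are of images the `core`/`perl`/`otel` jobs never built or tested, and `needs: [version, core, perl, otel]` gives no provenance link between the two. `build-perl` also omits the `build-args: IMAGE=…` that the PR-side perl job sets, so the published perl image is layered on whatever default the Dockerfile's `ARG IMAGE` carries rather than on the core image from the same run. For a genuine re-tag, carry the built image (OCI artifact or digest via job `outputs`) into this job and publish it with `docker buildx imagetools create -t docker.io/nginxinc/nginx-unprivileged:<tag> … <source ref>@sha256:<digest>`, and rename the steps to say what they do until then.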
@@ -368,15 +328,45 @@ jobs: echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + + # Sign Debian core image + DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged latest $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + + # Sign Debian perl image + DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl 
$SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + + # Sign Debian otel image + DIGEST=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-otel $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-otel $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged otel $SIZE --sha256 $DIGEST 
--publish --verbose @@ -385,4 +375,4 @@ jobs: DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} \ No newline at end of file diff --git a/.github/workflows/debian-stable.yml b/.github/workflows/debian-stable.yml index 25081da4..63e03011 100644 --- a/.github/workflows/debian-stable.yml +++ b/.github/workflows/debian-stable.yml @@ -37,6 +37,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
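Review bot: The new `DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq …)` lines (and the `build-perl`/`build-otel` copies) splice a step output into the shell script by expression, inside single quotes, in the one step that holds the DCT repository key, its passphrase and the Docker Hub token; a single quote anywhere in that JSON — it carries the image config and labels, whose values are not all fixed by this file — breaks out of the quoting and runs as shell. Pass each metadata blob through `env:` instead, e.g. `BUILD_CORE_METADATA: ${{ steps.build-core.outputs.metadata }}`, and read it with `printf '%s' "$BUILD_CORE_METADATA" | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2`, which is how the step already handles `DOCKER_CONTENT_TRUST_REPOSITORY_KEY`. Since this step now concentrates all publishing credentials, the pre-existing `set -ex` is worth revisiting in the same change: `-x` echoes the expanded `export NOTARY_AUTH=…` line, and the base64 form of `username:token` is not one of the literal values the runner masks, so the job log would contain it.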
@@ -47,100 +52,26 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged + localhost:5000/nginx-unprivileged tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} - type=raw,value=${{ 
needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} - type=raw,value=stable - type=raw,value=stable-${{ needs.version.outputs.distro }} - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + type=raw,value=latest - - name: Build and push NGINX stable Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build and push NGINX stable Debian image to local registry id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x - # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/debian" labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-debian - # cache-to: type=gha,mode=min,scope=stable-debian - - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ 
steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ 
secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + push: true + # cache-from: type=gha,scope=debian + # cache-to: type=gha,mode=min,scope=debian perl: name: Build Debian NGINX stable perl Docker image @@ -148,6 +79,11 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
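Review bot: The new `platforms:` line changes the target set (drops `linux/mips64le`, adds `linux/arm/v6` and `linux/riscv64`) inside a hunk whose purpose is routing the build through a local registry, and the commented `# platforms:` alternative disappears with it; if the platform change is intended it should be named in the commit message, otherwise the old list should be kept so the published manifests do not change silently. `push: true` replaces the `github.event_name != 'pull_request'` guard, which is only safe because `images:` is now the job-local `localhost:5000/nginx-unprivileged`; a comment next to it such as `# unconditional push is fine: the target is the ephemeral per-job registry service` would stop a later edit from restoring public image names without restoring the guard. The enclosing `core` job starts before this hunk.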
@@ -158,100 +94,28 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged + localhost:5000/nginx-unprivileged tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl - type=raw,value=${{ 
needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=stable-perl - type=raw,value=stable-${{ needs.version.outputs.distro }}-perl - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + type=raw,value=latest-perl - - name: Build and push NGINX stable perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build and push NGINX stable perl Debian image to local registry id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x - # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/debian-perl" labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-debian-perl - # cache-to: type=gha,mode=min,scope=stable-debian-perl - - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load 
~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable--${{ needs.version.outputs.distro }}perl $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - 
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + build-args: | + IMAGE=localhost:5000/nginx-unprivileged:latest + push: true + # cache-from: type=gha,scope=debian-perl + # cache-to: type=gha,mode=min,scope=debian-perl otel: name: Build Debian NGINX stable otel Docker image 
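Review bot: `build-args: IMAGE=localhost:5000/nginx-unprivileged:latest` resolves against this job's own `services: registry` container, which starts empty: service containers are created per job, so the `:latest` tag pushed by the `core` job lives in a container that no longer exists when `perl` runs, and as far as this hunk shows nothing re-populates the local registry before the build. Either push the intermediate image somewhere both jobs can reach (a remote registry with a run-scoped tag) or hand it over as an artifact loaded into the local registry before this step, and record the dependency with a comment on the `build-args:` line, e.g. `# base image must have been pushed to this job's registry first`. The otel job added in `@@ -259,6 +123,54 @@` has the same `IMAGE=` argument and the same gap. The `perl` job starts before this hunk.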
@@ -259,6 +123,54 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false + services: + registry: + image: registry:2 + ports: + - 5000:5000 + steps: + - name: Check out the codebase + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Extract metadata (annotations, labels, tags) for Docker + id: meta + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + localhost:5000/nginx-unprivileged + tags: | + type=raw,value=latest-otel + + - name: Build and push NGINX stable otel Debian image to local registry + id: build + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm64 + context: "{{ defaultContext }}:stable/debian-otel" + labels: ${{ steps.meta.outputs.labels }} + tags: ${{ steps.meta.outputs.tags }} + build-args: | + IMAGE=localhost:5000/nginx-unprivileged:latest + push: true + # cache-from: type=gha,scope=debian-otel + # cache-to: type=gha,mode=min,scope=debian-otel + + publish: + name: Publish images to external registries + needs: [version, core, perl, otel] + runs-on: ubuntu-24.04 + if: ${{ github.event_name != 'pull_request' }} + services: + registry: + image: registry:2 + ports: + - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -270,7 +182,6 @@ jobs: uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} 
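Review bot: The new `publish` job declares a `services: registry` of its own, but per-job service containers start empty and share nothing with the `core`/`perl`/`otel` jobs it `needs`, so none of the images built upstream are reachable through this job's `localhost:5000`; either drop the block here or add the step that loads the built images into it, otherwise it is dead configuration that implies a handoff that does not happen. The job-level `if: ${{ github.event_name != 'pull_request' }}` is what makes removing the per-step `if:` in `@@ -270,7 +182,6 @@` and `@@ -278,20 +189,17 @@` correct; a comment above it such as `# every login and push below runs only outside pull requests` would make that explicit to the next editor.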
@@ -278,20 +189,17 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io 
@@ -299,15 +207,77 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta + # Publish Debian core image + - name: Extract metadata for Debian core image + id: meta-core + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} + type=raw,value=stable + type=raw,value=stable-${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Re-tag and push Debian core image to external registries + id: build-core + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + context: "{{ defaultContext }}:stable/debian" + labels: ${{ steps.meta-core.outputs.labels }} + annotations: ${{ steps.meta-core.outputs.annotations }} + tags: ${{ steps.meta-core.outputs.tags }} + push: true + + # Publish Debian perl image + - name: Extract metadata for Debian perl image + id: meta-perl + uses: 
docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=stable-perl + type=raw,value=stable-${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Re-tag and push Debian perl image to external registries + id: build-perl + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + context: "{{ defaultContext }}:stable/debian-perl" + labels: ${{ steps.meta-perl.outputs.labels }} + annotations: ${{ steps.meta-perl.outputs.annotations }} + tags: ${{ steps.meta-perl.outputs.tags }} + push: true + + # Publish Debian otel image + - name: Extract metadata for Debian otel image + id: meta-otel uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | 
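Review bot: The steps named `Re-tag and push Debian core image to external registries` and `Re-tag and push Debian perl image …` run `docker/build-push-action` with a source `context:` and `push: true`, which is a full multi-platform rebuild rather than a re-tag, so the images published (and later signed from `steps.build-core.outputs.metadata`) are not the bytes produced in the `core`/`perl` jobs. If the intent is to promote the tested images, copy the manifest instead (for example `docker buildx imagetools create -t <target> <source>` per tag) and sign its digest; if a rebuild is acceptable, rename the steps to `Build and push …` and restore the `cache-from`/`cache-to` lines so the second build is not paid in full. The platform list is duplicated verbatim across `build-core` and `build-perl`; a single workflow-level `env:` value would keep them from drifting. The otel metadata step at the end of this hunk continues into `@@ -325,21 +295,19 @@`.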
@@ -325,21 +295,19 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX stable otel Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay - id: build + - name: Re-tag and push Debian otel image to external registries + id: build-otel uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm64 context: "{{ defaultContext }}:stable/debian-otel" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=stable-debian-otel - # cache-to: type=gha,mode=min,scope=stable-debian-otel + labels: ${{ steps.meta-otel.outputs.labels }} + annotations: ${{ steps.meta-otel.outputs.annotations }} + tags: ${{ steps.meta-otel.outputs.tags }} + push: true - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} + # Docker Hub signing for all images + - name: Sign Docker Hub Manifests run: | set -ex sudo apt update 
@@ -348,9 +316,31 @@ jobs: echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + + # Sign Debian core image + DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged stable $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + + # Sign Debian perl image + DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + + # Sign Debian otel image + DIGEST=$(printf '${{ steps.build-otel.outputs.metadata 
}}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-otel $SIZE --sha256 $DIGEST --publish --verbose @@ -361,4 +351,4 @@ jobs: DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} \ No newline at end of file From a6b77f0919e1c6033d755f2e5ea8294f217b7f6b Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Thu, 21 Aug 2025 15:04:34 +0200 Subject: [PATCH 09/20] Update alpine-mainline.yml --- .github/workflows/alpine-mainline.yml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index fdfac27a..f53738b1 100644 --- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml 
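Review bot: The step keeps `set -ex` above the unchanged `export NOTARY_AUTH=$(printf "…:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)` line, so the shell trace prints the assigned value; GitHub masks the raw secret strings in logs but, to my knowledge, not a base64 encoding of them, which leaves the Docker Hub token readable in the job log of every run that reaches this step. Wrap that one line, `set +x; export NOTARY_AUTH=$(…); set -x`, or register the encoded value with `echo "::add-mask::$NOTARY_AUTH"` before tracing continues. `DIGEST` and `SIZE` are reassigned three times; because each pair comes from the matching `steps.build-*.outputs.metadata` the signed values do correspond to what was pushed, but a per-block comment such as `# digest/size of the image pushed by build-core` would make that coupling visible. The signing step's `run:` begins before this hunk.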
@@ -65,7 +65,8 @@ jobs: id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: linux/amd64 + # platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-slim" context: "{{ defaultContext }}:mainline/alpine-slim" labels: ${{ steps.meta.outputs.labels }} tags: ${{ steps.meta.outputs.tags }} @@ -107,7 +108,8 @@ jobs: id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: linux/amd64 + # platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine" labels: ${{ steps.meta.outputs.labels }} tags: ${{ steps.meta.outputs.tags }} @@ -151,7 +153,8 @@ jobs: id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: linux/amd64 + # platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-perl" context: "{{ defaultContext }}:mainline/alpine-perl" labels: ${{ steps.meta.outputs.labels }} tags: ${{ steps.meta.outputs.tags }} 
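Review bot: The `platforms:` value in this hunk is cut to `linux/amd64` with the full list left behind as a `# platforms:` comment, which reads as a local debugging shortcut; if this commit is merged as-is the mainline workflow publishes amd64-only manifests under all the existing tags. If the aim is faster pull-request runs, make it conditional instead of commenting it out, e.g. `platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x' }}`, so the published set does not depend on remembering to revert. The same reduction is made in `@@ -107,7 +108,8 @@`, `@@ -151,7 +153,8 @@` and `@@ -195,7 +198,8 @@` (where the full list is `linux/amd64, linux/arm64`). The hunk as rendered shows the `context: "{{ defaultContext }}:mainline/alpine-slim"` line twice (likewise in `@@ -151`); the hunk counts (7 → 8) suggest an extraction artefact, but if it is real it is a duplicate mapping key that YAML loaders silently resolve to the last value.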
@@ -195,7 +198,8 @@ jobs: id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm64 + platforms: linux/amd64 + # platforms: linux/amd64, linux/arm64 context: "{{ defaultContext }}:mainline/alpine-otel" labels: ${{ steps.meta.outputs.labels }} tags: ${{ steps.meta.outputs.tags }} @@ -408,7 +412,7 @@ jobs: chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - + # Sign Alpine slim image DIGEST=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) SIZE=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') @@ -422,7 +426,7 @@ jobs: notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-slim $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - + # Sign Alpine core image DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') 
@@ -436,7 +440,7 @@ jobs: notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - + # Sign Alpine perl image DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') @@ -450,7 +454,7 @@ jobs: notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-perl $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - + # Sign Alpine otel image DIGEST=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') From d6ce6eafe194ef0bd602dc4df90d311e32ec4f68 Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Thu, 21 Aug 2025 15:10:39 +0200 Subject: [PATCH 10/20] Update alpine-mainline.yml --- .github/workflows/alpine-mainline.yml | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index f53738b1..4ca06bf3 100644 --- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml @@ -51,6 +51,8 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + with: + driver-opts: network=host - name: Extract metadata (annotations, labels, tags) for Docker id: meta @@ -94,6 +96,8 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + with: + driver-opts: network=host - name: Extract metadata (annotations, labels, tags) for Docker id: meta @@ -139,6 +143,8 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + with: + driver-opts: network=host - name: Extract metadata (annotations, labels, tags) for Docker id: meta @@ -184,6 +190,8 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + with: + driver-opts: network=host - name: Extract metadata (annotations, labels, tags) for Docker id: meta From 4355c8991f429af63fbb2f966a2d01aec87ad930 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 21 Aug 2025 13:46:09 +0000 Subject: [PATCH 11/20] Revert workflow changes and prepare for artifact-based image sharing implementation Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/alpine-mainline.yml | 521 ++++++++++++++------------ .github/workflows/alpine-stable.yml | 468 ++++++++++++----------- .github/workflows/debian-mainline.yml | 384 ++++++++++--------- .github/workflows/debian-stable.yml | 354 ++++++++--------- 4 files changed, 900 insertions(+), 827 deletions(-) diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index 4ca06bf3..d3142cf2 100644 
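Review bot: `driver-opts: network=host` is added to four `Set up Docker Buildx` steps without saying why; presumably the default docker-container builder, having its own network namespace, cannot reach the job-local `localhost:5000` service, and that deserves a comment so the option leaves with the local registry, e.g. `# host networking: lets the BuildKit container push to the job-local registry on localhost:5000`. Host networking also gives the builder the runner's full network view rather than one mapped port, which is acceptable on an ephemeral hosted runner but should be a deliberate, documented choice. The same two lines are added in `@@ -94,6 +96,8 @@`, `@@ -139,6 +143,8 @@` and `@@ -184,6 +190,8 @@`.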
--- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml @@ -37,11 +37,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
@@ -51,42 +46,115 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: - driver-opts: network=host + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch 
}}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=${{ needs.version.outputs.major }}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=mainline-alpine-slim + type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim type=raw,value=alpine-slim + type=raw,value=alpine${{ needs.version.outputs.distro }}-slim + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline slim Alpine image to local registry + - name: Build and push NGINX mainline slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64 - # platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-slim" + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-slim" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true + push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=alpine-slim # cache-to: type=gha,mode=min,scope=alpine-slim + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir -p ~/.docker/trust/private + 
echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ 
needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + core: name: Build Alpine NGINX mainline Docker image needs: [version, slim] runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
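Review bot: The Sign Docker Hub Manifest step restored in the slim job runs under `set -ex`, so xtrace prints every expanded command to the job log, including the `export NOTARY_AUTH=...` line whose value is the base64 of `username:token`; GitHub masks the raw secret values, but a derived encoding like this is not guaranteed to be masked. Consider keeping only `set -e`, or bracketing the credential line as `set +x; export NOTARY_AUTH=$(printf "%s:%s" "${{ secrets.DOCKERHUB_USERNAME }}" "${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0); set -x`, which also stops a `%` in the token from being read as a printf directive. The private key is written with `echo ... >` before the `chmod 0400`, so for a moment it exists with the runner's default umask; a `umask 077` ahead of the `mkdir -p` closes that window. This step is duplicated verbatim in the core, perl and otel hunks below, so the same fix applies there.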
@@ -96,44 +164,115 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: - driver-opts: network=host + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch 
}}-alpine + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}-alpine + type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=mainline-alpine + type=raw,value=mainline-alpine${{ needs.version.outputs.distro }} type=raw,value=alpine + type=raw,value=alpine${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline Alpine image to local registry + - name: Build and push NGINX mainline Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64 - # platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:alpine-slim - push: true + push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=debian-perl # cache-to: type=gha,mode=min,scope=debian-perl + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir -p ~/.docker/trust/private + echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > 
~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 
$DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + perl: name: Build Alpine NGINX mainline perl Docker image needs: [version, core] runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
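Review bot: Removing `build-args: IMAGE=localhost:5000/nginx-unprivileged:alpine-slim` from the core job's build step means the base image now comes from the Dockerfile's default `IMAGE` argument, which presumably resolves to the already-published slim tag rather than the slim image built by the `slim` job in this run; `needs: [version, slim]` then only orders the jobs, and a pull_request build no longer validates core against slim changes from the same PR. If that is the intended interim state until the artifact-based sharing lands, a comment on the build step saying so would stop the next reader from re-adding the build-arg; the perl job's removed `IMAGE=localhost:5000/nginx-unprivileged:alpine` build-arg in the next hunk has the same issue. Separately, the kept context comments `# cache-from: type=gha,scope=debian-perl` and `# cache-to: type=gha,mode=min,scope=debian-perl` in this Alpine core job look copy-pasted; `scope=alpine` would match the file's other scopes (`alpine-slim`, `alpine-perl`, `alpine-otel`) if the cache is ever re-enabled.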
@@ -143,90 +282,115 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: - driver-opts: network=host + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch 
}}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=mainline-alpine-perl + type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-perl type=raw,value=alpine-perl + type=raw,value=alpine${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline perl Alpine image to local registry + - name: Build and push NGINX mainline perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64 - # platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-perl" + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-perl" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:alpine - push: true + push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=alpine-perl # cache-to: type=gha,mode=min,scope=alpine-perl + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + 
sudo apt install -y notary + mkdir -p ~/.docker/trust/private + echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io 
addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + otel: name: Build Alpine NGINX mainline otel Docker image needs: [version, core] runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 - steps: - - name: Check out the codebase - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - with: - driver-opts: network=host - - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: 
docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - localhost:5000/nginx-unprivileged - tags: | - type=raw,value=alpine-otel - - - name: Build and push NGINX mainline otel Alpine image to local registry - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64 - # platforms: linux/amd64, linux/arm64 - context: "{{ defaultContext }}:mainline/alpine-otel" - labels: ${{ steps.meta.outputs.labels }} - tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:alpine - push: true - # cache-from: type=gha,scope=alpine-otel - # cache-to: type=gha,mode=min,scope=alpine-otel - - publish: - name: Publish images to external registries - needs: [version, slim, core, perl, otel] - runs-on: ubuntu-24.04 - if: ${{ github.event_name != 'pull_request' }} - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -238,6 +402,7 @@ jobs: uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} 
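Review bot: The login preamble restored in the perl job (Configure AWS credentials through Login to Quay) is the third verbatim copy of the same block in this file, and the Sign step after it is copied the same way; the otel job that this hunk cuts down will be the fourth. Each copy carries its own `if: ${{ github.event_name != 'pull_request' }}` guards and pinned action SHAs, so a future action bump or guard change has to be made in four places and can drift silently. A composite action or a reusable workflow taking the image variant as input would keep a single copy of the registry logins and the signing step. This hunk also deletes the `publish` job header; the steps that remain under the `otel` job are reviewed in the hunks that follow.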
@@ -245,17 +410,20 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io 
@@ -263,120 +431,15 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - # Publish Alpine slim image - - name: Extract metadata for Alpine slim image - id: meta-slim - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=${{ needs.version.outputs.major }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=mainline-alpine-slim - type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=alpine-slim - type=raw,value=alpine${{ needs.version.outputs.distro }}-slim - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Alpine slim image to external registries - id: build-slim - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:mainline/alpine-slim" - labels: 
${{ steps.meta-slim.outputs.labels }} - annotations: ${{ steps.meta-slim.outputs.annotations }} - tags: ${{ steps.meta-slim.outputs.tags }} - push: true - - # Publish Alpine core image - - name: Extract metadata for Alpine core image - id: meta-core - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}-alpine - type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=mainline-alpine - type=raw,value=mainline-alpine${{ needs.version.outputs.distro }} - type=raw,value=alpine - type=raw,value=alpine${{ needs.version.outputs.distro }} - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Alpine core image to external registries - id: build-core - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:mainline/alpine" - labels: ${{ steps.meta-core.outputs.labels }} - annotations: ${{ steps.meta-core.outputs.annotations }} - tags: ${{ steps.meta-core.outputs.tags }} - push: true - - # Publish Alpine perl image - - name: Extract metadata for 
Alpine perl image - id: meta-perl - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=mainline-alpine-perl - type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=alpine-perl - type=raw,value=alpine${{ needs.version.outputs.distro }}-perl - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Alpine perl image to external registries - id: build-perl - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:mainline/alpine-perl" - labels: ${{ steps.meta-perl.outputs.labels }} - annotations: ${{ steps.meta-perl.outputs.annotations }} - tags: ${{ steps.meta-perl.outputs.tags }} - push: true - - # Publish Alpine otel image - - name: Extract metadata for Alpine otel image - id: meta-otel + - name: Extract metadata (annotations, labels, tags) for Docker + id: meta uses: 
docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | @@ -398,19 +461,21 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Re-tag and push Alpine otel image to external registries - id: build-otel + - name: Build and push NGINX mainline otel Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm64 context: "{{ defaultContext }}:mainline/alpine-otel" - labels: ${{ steps.meta-otel.outputs.labels }} - annotations: ${{ steps.meta-otel.outputs.annotations }} - tags: ${{ steps.meta-otel.outputs.tags }} - push: true + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=alpine-otel + # cache-to: type=gha,mode=min,scope=alpine-otel - # Docker Hub signing for all images - - name: Sign Docker Hub Manifests + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} run: | set -ex sudo apt update 
@@ -419,53 +484,9 @@ jobs: echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - - # Sign Alpine slim image - DIGEST=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s 
https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - - # Sign Alpine core image - DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - - # Sign Alpine perl image - DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch 
}}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - - # Sign 
Alpine otel image - DIGEST=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose diff --git a/.github/workflows/alpine-stable.yml b/.github/workflows/alpine-stable.yml index 519bf260..3f9db23c 100644 --- a/.github/workflows/alpine-stable.yml +++ b/.github/workflows/alpine-stable.yml @@ -37,11 +37,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
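Review bot: The two added `DIGEST=`/`SIZE=` lines splice `${{ steps.build.outputs.metadata }}` directly into a single-quoted shell string, so any `'` in the JSON that build-push-action emits ends the quoting and the remainder is interpreted by the shell instead of being passed to `jq` as data. The documented pattern for `run:` scripts is to route expression values through the step's `env:` and read the variable: `BUILD_METADATA: ${{ steps.build.outputs.metadata }}` under `env:`, then `DIGEST=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)` and the same for `SIZE`. The sign steps added in alpine-stable.yml use the identical construction. The enclosing `run:` block starts before this hunk.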
@@ -52,38 +47,106 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} + - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | - type=raw,value=alpine-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch 
}}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=stable-alpine-slim + type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-slim + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX stable slim Alpine image to local registry + - name: Build and push NGINX stable slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/alpine-slim" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true + push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=stable-alpine-slim # cache-to: type=gha,mode=min,scope=stable-alpine-slim + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir -p ~/.docker/trust/private + echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ 
steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + core: 
name: Build Alpine NGINX stable Docker image needs: [version, slim] runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
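Review bot: The new Sign Docker Hub Manifest step runs under `set -ex`, and the trace line for `export NOTARY_AUTH=$(... | base64 -w0)` prints the expanded base64 of `DOCKERHUB_USERNAME:DOCKERHUB_TOKEN` into the job log; GitHub masks the raw secret values, not their base64 encoding, so the Docker Hub credential is readable to anyone with log access. Wrap that line as `set +x; export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0); set -x` (or add `echo "::add-mask::$NOTARY_AUTH"` right after it), or drop `-x` from the `set` line altogether. The same script writes the content-trust private key with `echo` before the `chmod 0400` and creates `~/.docker/trust/private` with the default mode, so a `umask 077` as the first line closes both gaps. The identical sign step is added in the core and perl hunks below and in alpine-mainline.yml.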
@@ -94,40 +157,106 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} + - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | - type=raw,value=alpine + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch 
}}-alpine + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=stable-alpine + type=raw,value=stable-alpine${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX stable Alpine image to local registry + - name: Build and push NGINX stable Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/alpine" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:alpine-slim - push: true + push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=stable-alpine # cache-to: type=gha,mode=min,scope=stable-alpine + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir -p ~/.docker/trust/private + echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ 
steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + perl: name: Build Alpine NGINX stable 
perl Docker image needs: [version, core] runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
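Review bot: Dropping `build-args: IMAGE=localhost:5000/nginx-unprivileged:alpine-slim` means the core build no longer consumes the slim image produced by the `slim` job it still lists in `needs: [version, slim]`; the Dockerfile's default for `IMAGE` is not visible here, but if it resolves to a published registry tag then `pull_request` runs (where `push` is false and nothing is uploaded) validate the core Dockerfile against the last released slim base rather than the one built from the PR's changes. Either pass the base explicitly from the slim job, e.g. `build-args: | IMAGE=docker.io/nginxinc/nginx-unprivileged@<slim job output carrying steps.build.outputs.digest>`, or add a comment on the build step stating that the base is resolved from the registry and that PR builds therefore do not chain. The same `build-args` removal occurs in the perl hunk below; the otel job's build step ends outside this hunk.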
@@ -138,83 +267,105 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} + - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | - type=raw,value=alpine-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch 
}}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=stable-alpine-perl + type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX stable perl Alpine image to local registry + - name: Build and push NGINX stable perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/alpine-perl" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:alpine - push: true + push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=stable-alpine-perl # cache-to: type=gha,mode=min,scope=stable-alpine-perl + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir -p ~/.docker/trust/private + echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r 
'."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + 
NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} otel: name: Build Alpine NGINX stable otel Docker image needs: [version, core] runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 - steps: - - name: Check out the codebase - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - localhost:5000/nginx-unprivileged - tags: | - type=raw,value=alpine-otel - - - name: Build and push NGINX stable otel Alpine image to local registry - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm64 - context: "{{ defaultContext }}:stable/alpine-otel" - labels: ${{ steps.meta.outputs.labels }} - tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:alpine - push: true - # cache-from: type=gha,scope=stable-alpine-otel - # cache-to: type=gha,mode=min,scope=stable-alpine-otel - - publish: - name: Publish images to external registries - needs: [version, slim, core, perl, otel] - runs-on: ubuntu-24.04 - if: ${{ github.event_name != 'pull_request' }} - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
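Review bot: The credential block from Configure AWS credentials through Login to Quay (about 35 lines, each step carrying the same `if: ${{ github.event_name != 'pull_request' }}`) is now copied verbatim into the slim, core, perl and otel jobs of this file, so a drift in one copy — a pinned action SHA bumped in three of four jobs, an `if:` lost on one login — would pass review unnoticed; hoist it into a composite action or a reusable workflow invoked with `uses:` from each job. While doing so, note that the AWS step authenticates with long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` repository secrets although the runner can present an OIDC token; `role-to-assume` together with a `permissions: id-token: write` grant would remove a static cloud credential from the repository. This hunk also deletes the standalone `publish` job, leaving the otel job below as the last consumer of these secrets; its `steps:` continue past the end of the hunk.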
@@ -226,6 +377,7 @@ jobs: uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} @@ -233,17 +385,20 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io 
@@ -251,108 +406,15 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - # Publish Alpine slim image - - name: Extract metadata for Alpine slim image - id: meta-slim - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=stable-alpine-slim - type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-slim - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Alpine slim image to external registries - id: build-slim - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:stable/alpine-slim" - labels: ${{ steps.meta-slim.outputs.labels }} - annotations: ${{ steps.meta-slim.outputs.annotations }} - tags: ${{ steps.meta-slim.outputs.tags }} - push: true - - # Publish Alpine core image - - name: Extract metadata for Alpine core image - id: meta-core - uses: 
docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=stable-alpine - type=raw,value=stable-alpine${{ needs.version.outputs.distro }} - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Alpine core image to external registries - id: build-core - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:stable/alpine" - labels: ${{ steps.meta-core.outputs.labels }} - annotations: ${{ steps.meta-core.outputs.annotations }} - tags: ${{ steps.meta-core.outputs.tags }} - push: true - - # Publish Alpine perl image - - name: Extract metadata for Alpine perl image - id: meta-perl - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ 
needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=stable-alpine-perl - type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-perl - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Alpine perl image to external registries - id: build-perl - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:stable/alpine-perl" - labels: ${{ steps.meta-perl.outputs.labels }} - annotations: ${{ steps.meta-perl.outputs.annotations }} - tags: ${{ steps.meta-perl.outputs.tags }} - push: true - - # Publish Alpine otel image - - name: Extract metadata for Alpine otel image - id: meta-otel + - name: Extract metadata (annotations, labels, tags) for Docker + id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | 
@@ -370,19 +432,21 @@ jobs:
 env:
 DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
- - name: Re-tag and push Alpine otel image to external registries
- id: build-otel
+ - name: Build and push NGINX stable otel Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
+ id: build
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 platforms: linux/amd64, linux/arm64
 context: "{{ defaultContext }}:stable/alpine-otel"
- labels: ${{ steps.meta-otel.outputs.labels }}
- annotations: ${{ steps.meta-otel.outputs.annotations }}
- tags: ${{ steps.meta-otel.outputs.tags }}
- push: true
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ tags: ${{ steps.meta.outputs.tags }}
+ push: ${{ github.event_name != 'pull_request' }}
+ # cache-from: type=gha,scope=stable-alpine-otel
+ # cache-to: type=gha,mode=min,scope=stable-alpine-otel
 
- # Docker Hub signing for all images
- - name: Sign Docker Hub Manifests
+ - name: Sign Docker Hub Manifest
+ if: ${{ github.event_name != 'pull_request' }}
 run: |
 set -ex
 sudo apt update
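Review bot: The new build step for `stable/alpine-otel` passes no `build-args`, while the `build-args: IMAGE=localhost:5000/nginx-unprivileged:alpine` that the old otel job used is removed in the earlier hunk of this file, so the otel Dockerfile is now built on whatever its default base resolves to rather than on the core image produced in the same run; `needs: [version, core]` only orders the jobs, it does not pin the base. On a pull request that changes `stable/alpine`, the otel build is therefore presumably validated against the already-published core image, and on a push it only picks up the fresh core image if the Dockerfile's default base happens to match the tag the core job pushes. If that coupling is intended, record it in a comment above the step; otherwise pass the base explicitly, e.g. `build-args: |` followed by `IMAGE=docker.io/nginxinc/nginx-unprivileged:stable-alpine`. The `cache-from`/`cache-to` lines are added here still commented out, which does not match the commit subject.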
@@ -391,41 +455,9 @@ jobs: echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - - # Sign Alpine slim image - DIGEST=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s 
https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - - # Sign Alpine core image - DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - - # Sign Alpine 
perl image - DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - - # Sign Alpine otel image - DIGEST=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose @@ -436,4 +468,4 @@ jobs: DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} \ No newline at end of file + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} diff --git a/.github/workflows/debian-mainline.yml b/.github/workflows/debian-mainline.yml index e83d282a..90a3dfa0 100644 --- a/.github/workflows/debian-mainline.yml +++ b/.github/workflows/debian-mainline.yml @@ -37,11 +37,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
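Review bot: The added `DIGEST=` and `SIZE=` lines interpolate `${{ steps.build.outputs.metadata }}` straight into the shell script as a single-quoted `printf` format string; that value is a buildx JSON document carrying the tag list and descriptor fields, some of which originate in the `steps.meta` annotations, so any `'` or `%` that reaches it breaks the command or is read as a format directive, and inline `${{ }}` inside `run:` is the pattern GitHub's hardening guidance says to avoid. Pass it through the step's `env:` instead, `BUILD_METADATA: ${{ steps.build.outputs.metadata }}`, and read it with `DIGEST=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)`, and likewise for `SIZE`. The same two lines are added in debian-mainline.yml at `@@ -52,26 +47,108 @@` and `@@ -94,83 +166,115 @@`. The enclosing `run:` block continues past the end of this hunk.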
@@ -52,26 +47,108 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} + - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} + type=raw,value=${{ 
needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }} + type=raw,value=${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }} + type=raw,value=mainline + type=raw,value=mainline-${{ needs.version.outputs.distro }} type=raw,value=latest + type=raw,value=${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline Debian image to local registry + - name: Build and push NGINX mainline Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x context: "{{ defaultContext }}:mainline/debian" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - # cache-from: type=gha,scope=debian - # cache-to: type=gha,mode=min,scope=debian + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=debian-perl + # cache-to: type=gha,mode=min,scope=debian-perl + + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir -p ~/.docker/trust/private + echo 
"$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }} $SIZE 
--sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged latest $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} perl: name: Build Debian NGINX mainline perl Docker image @@ -79,11 +156,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
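Review bot: The cache lines added to the debian core job, `# cache-from: type=gha,scope=debian-perl` and `# cache-to: type=gha,mode=min,scope=debian-perl`, carry the perl job's scope where the removed lines had `scope=debian`; if they are ever uncommented, the core and perl jobs would read and write the same GHA cache scope and could serve each other's layers. Restore `# cache-from: type=gha,scope=debian` and `# cache-to: type=gha,mode=min,scope=debian`, and note that the commit subject says caching is enabled while every cache line in this file remains commented out. The `platforms:` list also changes here (drops `linux/arm/v6` and `linux/riscv64`, adds `linux/mips64le`) with a second, commented alternative beneath it and no mention in the commit message; a one-line comment above `platforms:` saying why would help the next reader.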
@@ -94,83 +166,115 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} + - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | - type=raw,value=latest-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch 
}}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}-perl + type=raw,value=${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=mainline-perl + type=raw,value=mainline-${{ needs.version.outputs.distro }}-perl + type=raw,value=perl + type=raw,value=${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline perl Debian image to local registry + - name: Build and push NGINX mainline perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x context: "{{ defaultContext }}:mainline/debian-perl" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:latest - push: true + push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=debian-perl # cache-to: type=gha,mode=min,scope=debian-perl + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir 
-p ~/.docker/trust/private + echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ 
needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + otel: name: Build Debian NGINX mainline otel Docker image needs: [version, core] runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 - steps: - - name: Check out the codebase - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - localhost:5000/nginx-unprivileged - tags: | - type=raw,value=latest-otel - - - 
name: Build and push NGINX mainline otel Debian image to local registry - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm64 - context: "{{ defaultContext }}:mainline/debian-otel" - labels: ${{ steps.meta.outputs.labels }} - tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:latest - push: true - # cache-from: type=gha,scope=debian-otel - # cache-to: type=gha,mode=min,scope=debian-otel - - publish: - name: Publish images to external registries - needs: [version, core, perl, otel] - runs-on: ubuntu-24.04 - if: ${{ github.event_name != 'pull_request' }} - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -182,6 +286,7 @@ jobs: uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} @@ -189,17 +294,20 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io 
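Review bot: The new Sign step runs under `set -ex`, so bash echoes every expanded command to the job log, including `echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > …` with the private key substituted and `export NOTARY_AUTH=<base64 of username:token>`; the runner masks registered secret values and attempts a few encodings of them, but a base64 of the concatenated pair is a derived value it may not match, so the Docker Hub credential can end up readable in the log. Move the two Docker Hub secrets out of the inline `${{ }}` into the step's `env:` alongside the DCT keys, and build `NOTARY_AUTH` with tracing switched off, as below; the identical step is added to the core job at `@@ -52,26 +47,108 @@`. Dropping `-x` altogether is the simpler fix if the trace output is not actually needed.

```yaml
      - name: Sign Docker Hub Manifest
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          set -ex
          # … unchanged: notary install, key load, DIGEST/SIZE extraction …
          set +x
          NOTARY_AUTH=$(printf '%s:%s' "$DOCKERHUB_USERNAME" "$DOCKERHUB_TOKEN" | base64 -w0)
          export NOTARY_AUTH
          set -x
          # … unchanged: notary addhash invocations …
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          # … unchanged: DOCKER_CONTENT_TRUST_* and NOTARY_TARGETS_PASSPHRASE …
```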
@@ -207,85 +315,15 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - # Publish Debian core image - - name: Extract metadata for Debian core image - id: meta-core - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }} - type=raw,value=${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }} - type=raw,value=mainline - type=raw,value=mainline-${{ needs.version.outputs.distro }} - type=raw,value=latest - type=raw,value=${{ needs.version.outputs.distro }} - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Debian core image to external registries - id: build-core - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:mainline/debian" - labels: ${{ steps.meta-core.outputs.labels }} - annotations: ${{ steps.meta-core.outputs.annotations }} - tags: ${{ 
steps.meta-core.outputs.tags }} - push: true - - # Publish Debian perl image - - name: Extract metadata for Debian perl image - id: meta-perl - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}-perl - type=raw,value=${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=mainline-perl - type=raw,value=mainline-${{ needs.version.outputs.distro }}-perl - type=raw,value=perl - type=raw,value=${{ needs.version.outputs.distro }}-perl - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Debian perl image to external registries - id: build-perl - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:mainline/debian-perl" - labels: ${{ steps.meta-perl.outputs.labels }} - annotations: ${{ steps.meta-perl.outputs.annotations }} - tags: ${{ steps.meta-perl.outputs.tags }} - push: true - - # Publish Debian otel image - - name: Extract metadata for Debian otel image - id: meta-otel + - name: Extract metadata (annotations, labels, tags) for Docker + id: meta uses: 
docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | @@ -307,19 +345,21 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Re-tag and push Debian otel image to external registries - id: build-otel + - name: Build and push NGINX mainline otel Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm64 context: "{{ defaultContext }}:mainline/debian-otel" - labels: ${{ steps.meta-otel.outputs.labels }} - annotations: ${{ steps.meta-otel.outputs.annotations }} - tags: ${{ steps.meta-otel.outputs.tags }} - push: true + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=debian-otel + # cache-to: type=gha,mode=min,scope=debian-otel - # Docker Hub signing for all images - - name: Sign Docker Hub Manifests + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} run: | set -ex sudo apt update 
@@ -328,45 +368,15 @@ jobs: echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - - # Sign Debian core image - DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged latest $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - - # Sign Debian perl image - DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl 
$SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - - # Sign Debian otel image - DIGEST=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-otel $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-otel $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io 
addhash docker.io/nginxinc/nginx-unprivileged otel $SIZE --sha256 $DIGEST --publish --verbose @@ -375,4 +385,4 @@ jobs: DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} \ No newline at end of file + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} diff --git a/.github/workflows/debian-stable.yml b/.github/workflows/debian-stable.yml index 63e03011..25081da4 100644 --- a/.github/workflows/debian-stable.yml +++ b/.github/workflows/debian-stable.yml @@ -37,11 +37,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
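Review bot: The added `DIGEST=` and `SIZE=` lines splice `${{ steps.build.outputs.metadata }}` straight into the shell script inside single quotes, so the step breaks if that JSON ever contains a `'`, and `printf` treats any `%` or `\` in it as a format directive rather than data. Passing the output through the step's existing `env:` block keeps the script text fixed and the data out of the parsed command: add `BUILD_METADATA: ${{ steps.build.outputs.metadata }}` under `env:` and use `DIGEST=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)` with the matching `SIZE=` line. The context line `export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)` has the same weakness with a `%` in the token and is better written from `$DOCKERHUB_USERNAME`/`$DOCKERHUB_TOKEN` env entries. The same interpolation is added in the core and perl Sign Docker Hub Manifest steps of debian-stable.yml later in this patch; the `run: |` block this hunk edits starts in the preceding hunk.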
@@ -52,26 +47,100 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} + - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | - type=raw,value=latest + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} + 
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} + type=raw,value=stable + type=raw,value=stable-${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX stable Debian image to local registry + - name: Build and push NGINX stable Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x context: "{{ defaultContext }}:stable/debian" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - push: true - # cache-from: type=gha,scope=debian - # cache-to: type=gha,mode=min,scope=debian + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-debian + # cache-to: type=gha,mode=min,scope=stable-debian + + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir -p ~/.docker/trust/private + echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load 
~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: 
${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} perl: name: Build Debian NGINX stable perl Docker image @@ -79,11 +148,6 @@ jobs: runs-on: ubuntu-24.04 strategy: fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
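Review bot: The new Sign Docker Hub Manifest step runs under `set -ex`, so every expanded command is echoed to the job log, including `+ export NOTARY_AUTH=<base64 of username:token>`; the runner masks registered secret values, but the base64-encoded form is a different string and is not guaranteed to be redacted, and the `echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY"` line is traced with the signing key expanded as well. Keep the fail-fast flag and enable tracing only after the credential material is in place: `set -e` at the top of the script, then `set -x` after the `export NOTARY_AUTH=...` line. The same `set -ex` prefix is added to the perl and otel Sign steps of this file. Separately, the new `platforms:` line drops linux/arm/v6 and linux/riscv64 and adds linux/mips64le while leaving a second, commented-out `# platforms:` list beneath it; if the narrower list is intended it deserves a one-line comment, and the dead line should go.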
@@ -94,83 +158,107 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: - images: | - localhost:5000/nginx-unprivileged - tags: | - type=raw,value=latest-perl + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - name: Build and push NGINX stable perl Debian image to local registry - id: build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:stable/debian-perl" - labels: ${{ steps.meta.outputs.labels }} - tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:latest - push: true - # cache-from: type=gha,scope=debian-perl - # cache-to: type=gha,mode=min,scope=debian-perl + registry: public.ecr.aws - otel: - name: Build Debian NGINX stable otel Docker image - needs: [version, core] - runs-on: ubuntu-24.04 - strategy: - fail-fast: false - services: - registry: - image: registry:2 - ports: - - 5000:5000 - steps: - - name: Check out the codebase - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: 
docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} - name: Extract metadata (annotations, labels, tags) for Docker id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | - localhost:5000/nginx-unprivileged + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged tags: | - type=raw,value=latest-otel + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl + type=raw,value=stable-perl + type=raw,value=stable-${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and 
push NGINX stable otel Debian image to local registry + - name: Build and push NGINX stable perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm64 - context: "{{ defaultContext }}:stable/debian-otel" + platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + context: "{{ defaultContext }}:stable/debian-perl" labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} - build-args: | - IMAGE=localhost:5000/nginx-unprivileged:latest - push: true - # cache-from: type=gha,scope=debian-otel - # cache-to: type=gha,mode=min,scope=debian-otel - - publish: - name: Publish images to external registries - needs: [version, core, perl, otel] + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-debian-perl + # cache-to: type=gha,mode=min,scope=stable-debian-perl + + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir -p ~/.docker/trust/private + echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ 
secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable--${{ needs.version.outputs.distro }}perl $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + + otel: + name: Build Debian NGINX stable otel Docker image + needs: [version, core] runs-on: ubuntu-24.04 - if: ${{ github.event_name != 'pull_request' }} - services: - registry: - image: 
registry:2 - ports: - - 5000:5000 + strategy: + fail-fast: false steps: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -182,6 +270,7 @@ jobs: uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} @@ -189,17 +278,20 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io 
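Review bot: The last `notary ... addhash` line in the new perl Sign Docker Hub Manifest step signs the tag `stable--${{ needs.version.outputs.distro }}perl`, which does not match the `stable-${{ needs.version.outputs.distro }}-perl` tag the metadata step publishes, so the pushed tag ends up unsigned while a target nobody pushes is added to the trust data. `notary addhash` only records a target in the TUF metadata and presumably does not check that the tag exists in the registry, so `set -e` will not catch this. Change the line to `notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose`.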
@@ -207,77 +299,15 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - # Publish Debian core image - - name: Extract metadata for Debian core image - id: meta-core - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} - type=raw,value=stable - type=raw,value=stable-${{ needs.version.outputs.distro }} - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Debian core image to external registries - id: build-core - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:stable/debian" - labels: ${{ steps.meta-core.outputs.labels }} - annotations: ${{ steps.meta-core.outputs.annotations }} - tags: ${{ steps.meta-core.outputs.tags }} - push: true - - # Publish Debian perl image - - name: Extract metadata for Debian perl image - id: meta-perl - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: 
- images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl - type=raw,value=stable-perl - type=raw,value=stable-${{ needs.version.outputs.distro }}-perl - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Re-tag and push Debian perl image to external registries - id: build-perl - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x - context: "{{ defaultContext }}:stable/debian-perl" - labels: ${{ steps.meta-perl.outputs.labels }} - annotations: ${{ steps.meta-perl.outputs.annotations }} - tags: ${{ steps.meta-perl.outputs.tags }} - push: true - - # Publish Debian otel image - - name: Extract metadata for Debian otel image - id: meta-otel + - name: Extract metadata (annotations, labels, tags) for Docker + id: meta uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | 
@@ -295,19 +325,21 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Re-tag and push Debian otel image to external registries - id: build-otel + - name: Build and push NGINX stable otel Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm64 context: "{{ defaultContext }}:stable/debian-otel" - labels: ${{ steps.meta-otel.outputs.labels }} - annotations: ${{ steps.meta-otel.outputs.annotations }} - tags: ${{ steps.meta-otel.outputs.tags }} - push: true + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-debian-otel + # cache-to: type=gha,mode=min,scope=stable-debian-otel - # Docker Hub signing for all images - - name: Sign Docker Hub Manifests + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} run: | set -ex sudo apt update 
@@ -316,31 +348,9 @@ jobs: echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - - # Sign Debian core image - DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged stable $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - - # Sign Debian perl image - DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - - # Sign Debian otel image - DIGEST=$(printf '${{ steps.build-otel.outputs.metadata 
}}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-otel $SIZE --sha256 $DIGEST --publish --verbose @@ -351,4 +361,4 @@ jobs: DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} \ No newline at end of file + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} From d53b8ac81835dfb71020e98dced4572b7ee104c1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 21 Aug 2025 13:50:00 +0000 Subject: [PATCH 12/20] Implement artifact-based Docker image sharing for Alpine mainline workflow Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/alpine-mainline.yml | 95 +++++++++++++++++++++++++-- 1 file changed, 91 insertions(+), 4 deletions(-) 
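Review bot: `export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)` runs under the `set -ex` at the top of this run block (set in the preceding hunk), so xtrace prints the base64-encoded Docker Hub credentials into the job log, and GitHub's masking only redacts the literal secret values, not a transformed form of them. The added `DIGEST=`/`SIZE=` lines and that export also splice `${{ }}` values straight into the shell text, with the descriptor JSON used as a `printf` format string, so a `%` or `'` in the metadata breaks the command. Since the step already has an `env:` block (the `DOCKER_CONTENT_TRUST_…` entries in the next hunk), pass `BUILD_METADATA: ${{ steps.build.outputs.metadata }}` and the two Docker Hub secrets through it, then use `DIGEST=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)` and wrap the credential line as `set +x; export NOTARY_AUTH=$(printf '%s:%s' "$DOCKERHUB_USERNAME" "$DOCKERHUB_TOKEN" | base64 -w0); set -x`. The run block continues past the end of this hunk.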
diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index d3142cf2..148221fa 100644 --- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml @@ -111,15 +111,24 @@ jobs: id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x' }} context: "{{ defaultContext }}:mainline/alpine-slim" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} + outputs: ${{ github.event_name == 'pull_request' && 'type=docker,dest=/tmp/alpine-slim.tar' || '' }} # cache-from: type=gha,scope=alpine-slim # cache-to: type=gha,mode=min,scope=alpine-slim + - name: Upload Alpine slim image artifact + if: ${{ github.event_name == 'pull_request' }} + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: alpine-slim-image + path: /tmp/alpine-slim.tar + retention-days: 1 + - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} run: | 
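Review bot: The new pull_request-only path of this build step (`platforms` narrowed to `linux/amd64`, the `outputs: type=docker,dest=/tmp/alpine-slim.tar` export, the artifact upload) is undocumented, and the same three-way conditional is repeated in the `@@ -229,15 +260,25 @@`, `@@ -347,11 +410,12 @@` and `@@ -465,11 +551,12 @@` hunks and in the alpine-stable copy in `@@ -107,15 +107,24 @@`. A comment above `platforms:` such as `# pull_request: build linux/amd64 only, export the image as a tar and hand it to the next job via an artifact; push: build the full platform list and publish` would make the two code paths visible to the next maintainer. It is also worth stating in that comment that PR CI no longer exercises the other seven architectures, since that is a behaviour change the step names do not convey.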
@@ -159,6 +168,28 @@ jobs: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Download Alpine slim image artifact + if: ${{ github.event_name == 'pull_request' }} + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: alpine-slim-image + path: /tmp + + - name: Load Alpine slim image + if: ${{ github.event_name == 'pull_request' }} + run: | + docker load --input /tmp/alpine-slim.tar + docker image ls -a + + - name: Generate slim image tag for PR builds + if: ${{ github.event_name == 'pull_request' }} + id: slim-tag + run: | + # Get the tag that was loaded from the artifact + SLIM_TAG=$(docker image ls --format "table {{.Repository}}:{{.Tag}}" | grep -v REPOSITORY | grep slim | head -1) + echo "tag=${SLIM_TAG}" >> "$GITHUB_OUTPUT" + echo "Using slim image: ${SLIM_TAG}" + - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 
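Review bot: `SLIM_TAG=$(docker image ls --format "table {{.Repository}}:{{.Tag}}" | grep -v REPOSITORY | grep slim | head -1)` picks whichever image in the daemon happens to contain "slim", and when nothing matches the step still succeeds with an empty `tag` output because the script has neither `set -e` nor an emptiness check. On a fresh hosted runner only the loaded tar is present, but on a reused or self-hosted runner a stale or unrelated image could be selected and fed into the next job's `FROM` through `IMAGE=`, which is a supply-chain hole worth closing. Take the reference from the load step's own output and fail loudly when it is missing: `SLIM_TAG=$(docker load --input /tmp/alpine-slim.tar | sed -n 's/^Loaded image: //p' | head -1)` followed by `[ -n "$SLIM_TAG" ] || { echo "::error::no image tag found in /tmp/alpine-slim.tar"; exit 1; }`. The alpine-tag variant in the `@@ -277,6 +318,28 @@` and `@@ -395,6 +459,28 @@` hunks and the alpine-stable copy in `@@ -151,6 +160,28 @@` have the same issue, and their `grep -E "alpine$|alpine3"` additionally matches any `…alpine3.x-slim` tag that happens to be loaded.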
@@ -229,15 +260,25 @@ jobs: id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x' }} context: "{{ defaultContext }}:mainline/alpine" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} + build-args: ${{ github.event_name == 'pull_request' && format('IMAGE={0}', steps.slim-tag.outputs.tag) || '' }} push: ${{ github.event_name != 'pull_request' }} + outputs: ${{ github.event_name == 'pull_request' && 'type=docker,dest=/tmp/alpine.tar' || '' }} # cache-from: type=gha,scope=debian-perl # cache-to: type=gha,mode=min,scope=debian-perl + - name: Upload Alpine image artifact + if: ${{ github.event_name == 'pull_request' }} + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: alpine-image + path: /tmp/alpine.tar + retention-days: 1 + - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} run: | 
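Review bot: `build-args: ${{ github.event_name == 'pull_request' && format('IMAGE={0}', steps.slim-tag.outputs.tag) || '' }}` expands to `IMAGE=` whenever the slim-tag step produced an empty output, which presumably overrides the Dockerfile's `ARG IMAGE` default (not visible here, but the non-PR branch already relies on it) with an empty string rather than falling back to it. Including the output in the condition, `build-args: ${{ github.event_name == 'pull_request' && steps.slim-tag.outputs.tag != '' && format('IMAGE={0}', steps.slim-tag.outputs.tag) || '' }}`, keeps the fallback while the hard failure belongs in the tag step. The same expression appears in the `@@ -347,11 +410,12 @@` and `@@ -465,11 +551,12 @@` hunks. The `# cache-from: type=gha,scope=debian-perl` / `# cache-to:` context lines kept here still carry the debian-perl scope inside the alpine job, which will share cache entries with the wrong image if they are ever uncommented.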
@@ -277,6 +318,28 @@ jobs: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Download Alpine image artifact + if: ${{ github.event_name == 'pull_request' }} + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: alpine-image + path: /tmp + + - name: Load Alpine image + if: ${{ github.event_name == 'pull_request' }} + run: | + docker load --input /tmp/alpine.tar + docker image ls -a + + - name: Generate alpine image tag for PR builds + if: ${{ github.event_name == 'pull_request' }} + id: alpine-tag + run: | + # Get the tag that was loaded from the artifact (should be alpine, not alpine-slim) + ALPINE_TAG=$(docker image ls --format "table {{.Repository}}:{{.Tag}}" | grep -v REPOSITORY | grep -E "alpine$|alpine3" | head -1) + echo "tag=${ALPINE_TAG}" >> "$GITHUB_OUTPUT" + echo "Using alpine image: ${ALPINE_TAG}" + - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 @@ -347,11 +410,12 @@ jobs: id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x' }} context: "{{ defaultContext }}:mainline/alpine-perl" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} + build-args: ${{ github.event_name == 'pull_request' && format('IMAGE={0}', steps.alpine-tag.outputs.tag) || '' }} push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=alpine-perl # cache-to: type=gha,mode=min,scope=alpine-perl 
@@ -395,6 +459,28 @@ jobs: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Download Alpine image artifact + if: ${{ github.event_name == 'pull_request' }} + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: alpine-image + path: /tmp + + - name: Load Alpine image + if: ${{ github.event_name == 'pull_request' }} + run: | + docker load --input /tmp/alpine.tar + docker image ls -a + + - name: Generate alpine image tag for PR builds + if: ${{ github.event_name == 'pull_request' }} + id: alpine-tag + run: | + # Get the tag that was loaded from the artifact (should be alpine, not alpine-slim) + ALPINE_TAG=$(docker image ls --format "table {{.Repository}}:{{.Tag}}" | grep -v REPOSITORY | grep -E "alpine$|alpine3" | head -1) + echo "tag=${ALPINE_TAG}" >> "$GITHUB_OUTPUT" + echo "Using alpine image: ${ALPINE_TAG}" + - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 @@ -465,11 +551,12 @@ jobs: id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm64 + platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm64' }} context: "{{ defaultContext }}:mainline/alpine-otel" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} + build-args: ${{ github.event_name == 'pull_request' && format('IMAGE={0}', steps.alpine-tag.outputs.tag) || '' }} push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=alpine-otel # cache-to: type=gha,mode=min,scope=alpine-otel From 2a193af245c13b0a303df40a2a664c87cb6be5cd Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 21 Aug 2025 13:52:51 +0000 Subject: [PATCH 13/20] Start implementing artifact-based image sharing for Alpine stable workflow Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/alpine-stable.yml | 33 ++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/.github/workflows/alpine-stable.yml b/.github/workflows/alpine-stable.yml index 3f9db23c..d8630b73 100644 --- a/.github/workflows/alpine-stable.yml +++ b/.github/workflows/alpine-stable.yml @@ -107,15 +107,24 @@ jobs: id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x' }} context: "{{ defaultContext }}:stable/alpine-slim" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} + outputs: ${{ github.event_name == 'pull_request' && 'type=docker,dest=/tmp/alpine-slim.tar' || '' }} # cache-from: type=gha,scope=stable-alpine-slim # cache-to: type=gha,mode=min,scope=stable-alpine-slim + - name: Upload Alpine slim image artifact + if: ${{ github.event_name == 'pull_request' }} + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: alpine-slim-image + path: /tmp/alpine-slim.tar + retention-days: 1 + - name: Sign Docker Hub Manifest if: ${{ github.event_name != 'pull_request' }} run: | 
@@ -151,6 +160,28 @@ jobs: - name: Check out the codebase uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Download Alpine slim image artifact + if: ${{ github.event_name == 'pull_request' }} + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: alpine-slim-image + path: /tmp + + - name: Load Alpine slim image + if: ${{ github.event_name == 'pull_request' }} + run: | + docker load --input /tmp/alpine-slim.tar + docker image ls -a + + - name: Generate slim image tag for PR builds + if: ${{ github.event_name == 'pull_request' }} + id: slim-tag + run: | + # Get the tag that was loaded from the artifact + SLIM_TAG=$(docker image ls --format "table {{.Repository}}:{{.Tag}}" | grep -v REPOSITORY | grep slim | head -1) + echo "tag=${SLIM_TAG}" >> "$GITHUB_OUTPUT" + echo "Using slim image: ${SLIM_TAG}" + - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 From da932f791f135bf4c54e3b471821ee986dfee99f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 21 Aug 2025 14:12:04 +0000 Subject: [PATCH 14/20] Implement artifact-based image sharing with final publish job for Alpine mainline workflow Co-authored-by: alessfg <15654525+alessfg@users.noreply.github.com> --- .github/workflows/alpine-mainline.yml | 553 +++++++++++--------------- 1 file changed, 229 insertions(+), 324 deletions(-) diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index 148221fa..c9dee78f 100644 --- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml 
@@ -47,117 +47,24 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim - type=raw,value=${{ 
needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=${{ needs.version.outputs.major }}-alpine-slim - type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=mainline-alpine-slim - type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim - type=raw,value=alpine-slim - type=raw,value=alpine${{ needs.version.outputs.distro }}-slim - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Build and push NGINX mainline slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build NGINX mainline slim Alpine image locally id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x' }} + platforms: linux/amd64 context: "{{ defaultContext }}:mainline/alpine-slim" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - push: ${{ github.event_name != 'pull_request' }} - outputs: ${{ github.event_name == 'pull_request' && 'type=docker,dest=/tmp/alpine-slim.tar' || '' }} + push: false + outputs: type=docker,dest=/tmp/alpine-slim.tar # cache-from: type=gha,scope=alpine-slim # cache-to: type=gha,mode=min,scope=alpine-slim - name: Upload Alpine slim image artifact - if: ${{ github.event_name == 'pull_request' }} uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: 
alpine-slim-image path: /tmp/alpine-slim.tar retention-days: 1 - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-slim $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - core: name: Build Alpine NGINX mainline Docker image needs: [version, slim] 
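Review bot: The rewritten build step no longer sets `tags:` (the metadata step that supplied them is deleted earlier in this hunk), so the image exported by `outputs: type=docker,dest=/tmp/alpine-slim.tar` should load as `<none>:<none>`; the slim-tag step in the following hunk, which still greps `docker image ls` for "slim", will then yield an empty tag and the core job's `build-args: IMAGE=${{ steps.slim-tag.outputs.tag }}` in `@@ -196,118 +100,25 @@` becomes `IMAGE=`. The untagged `/tmp/alpine.tar` that hunk exports for the perl and otel jobs has the same problem. Give the local build a fixed, known name and consume it downstream without grepping the daemon, e.g. `tags: nginx-unprivileged:mainline-alpine-slim-local` (name constructed) here and `build-args: IMAGE=nginx-unprivileged:mainline-alpine-slim-local` in the core job. The rest of this job, and the publish job that presumably now re-tags and signs these images, lie outside the hunk.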
@@ -169,20 +76,17 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Download Alpine slim image artifact - if: ${{ github.event_name == 'pull_request' }} uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: alpine-slim-image path: /tmp - name: Load Alpine slim image - if: ${{ github.event_name == 'pull_request' }} run: | docker load --input /tmp/alpine-slim.tar docker image ls -a - - name: Generate slim image tag for PR builds - if: ${{ github.event_name == 'pull_request' }} + - name: Generate slim image tag for builds id: slim-tag run: | # Get the tag that was loaded from the artifact 
@@ -196,118 +100,25 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine - type=raw,value=${{ 
needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=${{ needs.version.outputs.major }}-alpine - type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} - type=raw,value=mainline-alpine - type=raw,value=mainline-alpine${{ needs.version.outputs.distro }} - type=raw,value=alpine - type=raw,value=alpine${{ needs.version.outputs.distro }} - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Build and push NGINX mainline Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build NGINX mainline Alpine image locally id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x' }} + platforms: linux/amd64 context: "{{ defaultContext }}:mainline/alpine" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - build-args: ${{ github.event_name == 'pull_request' && format('IMAGE={0}', steps.slim-tag.outputs.tag) || '' }} - push: ${{ github.event_name != 'pull_request' }} - outputs: ${{ github.event_name == 'pull_request' && 'type=docker,dest=/tmp/alpine.tar' || '' }} + build-args: IMAGE=${{ steps.slim-tag.outputs.tag }} + push: false + outputs: type=docker,dest=/tmp/alpine.tar # cache-from: type=gha,scope=debian-perl # cache-to: type=gha,mode=min,scope=debian-perl - name: Upload Alpine image artifact - if: ${{ github.event_name == 'pull_request' }} uses: 
actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: alpine-image path: /tmp/alpine.tar retention-days: 1 - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p ~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d 
~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - perl: name: Build Alpine NGINX mainline perl Docker image needs: [version, core] 
@@ -319,20 +130,17 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Download Alpine image artifact - if: ${{ github.event_name == 'pull_request' }} uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: alpine-image path: /tmp - name: Load Alpine image - if: ${{ github.event_name == 'pull_request' }} run: | docker load --input /tmp/alpine.tar docker image ls -a - - name: Generate alpine image tag for PR builds - if: ${{ github.event_name == 'pull_request' }} + - name: Generate alpine image tag for builds id: alpine-tag run: | # Get the tag that was loaded from the artifact (should be alpine, not alpine-slim) 
@@ -346,109 +154,17 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: public.ecr.aws - - - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginx/nginx-unprivileged - public.ecr.aws/nginx/nginx-unprivileged - quay.io/nginx/nginx-unprivileged - tags: | - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl - type=raw,value=${{ 
needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=${{ needs.version.outputs.major }}-alpine-perl - type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=mainline-alpine-perl - type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-perl - type=raw,value=alpine-perl - type=raw,value=alpine${{ needs.version.outputs.distro }}-perl - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Build and push NGINX mainline perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + - name: Build NGINX mainline perl Alpine image locally id: build uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x' }} + platforms: linux/amd64 context: "{{ defaultContext }}:mainline/alpine-perl" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - build-args: ${{ github.event_name == 'pull_request' && format('IMAGE={0}', steps.alpine-tag.outputs.tag) || '' }} - push: ${{ github.event_name != 'pull_request' }} + build-args: IMAGE=${{ steps.alpine-tag.outputs.tag }} + push: false # cache-from: type=gha,scope=alpine-perl # cache-to: type=gha,mode=min,scope=alpine-perl - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} - run: | - set -ex - sudo apt update - sudo apt install -y notary - mkdir -p 
~/.docker/trust/private - echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key - docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') - export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-perl $SIZE --sha256 $DIGEST --publish --verbose - notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose - env: - DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} - DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - otel: name: Build Alpine NGINX mainline otel Docker image needs: [version, core] 
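Review bot: The `Build NGINX mainline perl Alpine image locally` step in this hunk sets `push: false` but neither `outputs:` nor `tags:`, so unlike the core job (which writes `/tmp/alpine.tar` and uploads it) the perl image it builds is not exported anywhere and nothing later in the run can load or inspect it; if the step is meant only as a build check, say so in its name or a comment, otherwise add `outputs: type=docker,dest=/tmp/alpine-perl.tar` and an upload step like the core job's. The `# cache-from: type=gha,scope=alpine-perl` / `# cache-to: type=gha,mode=min,scope=alpine-perl` pair is carried over as dead configuration and would be clearer either removed or re-enabled. `build-args: IMAGE=${{ steps.alpine-tag.outputs.tag }}` now runs on every event, so it silently passes an empty `IMAGE` if the alpine-tag step (defined before this hunk) found nothing; a `[ -n "$ALPINE_TAG" ]` check in that step would fail fast instead.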
@@ -460,20 +176,17 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Download Alpine image artifact - if: ${{ github.event_name == 'pull_request' }} uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: alpine-image path: /tmp - name: Load Alpine image - if: ${{ github.event_name == 'pull_request' }} run: | docker load --input /tmp/alpine.tar docker image ls -a - - name: Generate alpine image tag for PR builds - if: ${{ github.event_name == 'pull_request' }} + - name: Generate alpine image tag for builds id: alpine-tag run: | # Get the tag that was loaded from the artifact (should be alpine, not alpine-slim) 
@@ -487,8 +200,35 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Build NGINX mainline otel Alpine image locally + id: build + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64 + context: "{{ defaultContext }}:mainline/alpine-otel" + build-args: IMAGE=${{ steps.alpine-tag.outputs.tag }} + push: false + # cache-from: type=gha,scope=alpine-otel + # cache-to: type=gha,mode=min,scope=alpine-otel + + publish: + name: Publish Alpine NGINX mainline images to external registries + if: ${{ github.event_name != 'pull_request' }} + needs: [version, slim, core, perl, otel] + runs-on: ubuntu-24.04 + strategy: + fail-fast: false + steps: + - name: Check out the codebase + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Configure AWS credentials - if: ${{ github.event_name != 'pull_request' }} uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} 
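Review bot: The new `publish` job rebuilds every image from `context:` rather than promoting the artifacts the `slim`/`core`/`perl`/`otel` jobs it `needs` just produced, so the bits that get pushed and signed are not the ones built earlier in the run, and the arm/386/ppc64le/riscv64/s390x platforms are first compiled only at publish time on the default branch, where a platform-specific Dockerfile break is never seen on a PR. If that is an accepted trade-off, a one-line comment above `publish:` saying the upstream jobs are amd64 smoke builds only would stop the next reader from assuming artifact promotion. `strategy: fail-fast: false` has no `matrix` under it, so it is a no-op and can be dropped. I cannot see a `permissions:` block for this job; the GHCR login in the next hunk uses `secrets.GITHUB_TOKEN`, which needs `packages: write` unless that is granted at workflow level outside this diff.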
@@ -496,20 +236,17 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Login to Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io 
@@ -517,15 +254,120 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Quay - if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (annotations, labels, tags) for Docker - id: meta + # Build and push slim image + - name: Extract metadata for slim image + id: meta-slim + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=${{ needs.version.outputs.major }}-alpine-slim + type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=mainline-alpine-slim + type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim + type=raw,value=alpine-slim + type=raw,value=alpine${{ needs.version.outputs.distro }}-slim + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Build and push NGINX mainline slim Alpine image + id: build-slim + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + 
context: "{{ defaultContext }}:mainline/alpine-slim" + labels: ${{ steps.meta-slim.outputs.labels }} + annotations: ${{ steps.meta-slim.outputs.annotations }} + tags: ${{ steps.meta-slim.outputs.tags }} + push: true + + # Build and push core image + - name: Extract metadata for core image + id: meta-core + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=${{ needs.version.outputs.major }}-alpine + type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} + type=raw,value=mainline-alpine + type=raw,value=mainline-alpine${{ needs.version.outputs.distro }} + type=raw,value=alpine + type=raw,value=alpine${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Build and push NGINX mainline Alpine image + id: build-core + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + context: "{{ defaultContext }}:mainline/alpine" + labels: ${{ steps.meta-core.outputs.labels }} + annotations: ${{ steps.meta-core.outputs.annotations }} + tags: ${{ steps.meta-core.outputs.tags }} + push: true + + # Build and push 
perl image + - name: Extract metadata for perl image + id: meta-perl + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=${{ needs.version.outputs.major }}-alpine-perl + type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=mainline-alpine-perl + type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-perl + type=raw,value=alpine-perl + type=raw,value=alpine${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Build and push NGINX mainline perl Alpine image + id: build-perl + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x + context: "{{ defaultContext }}:mainline/alpine-perl" + labels: ${{ steps.meta-perl.outputs.labels }} + annotations: ${{ steps.meta-perl.outputs.annotations }} + tags: ${{ steps.meta-perl.outputs.tags }} + push: true + + # Build and push otel image + - name: Extract metadata for otel image + id: meta-otel uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | 
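Review bot: `build-core` and `build-perl` in this hunk pass no `build-args:`, while the PR-side jobs pass `IMAGE=...` to the same `mainline/alpine` and `mainline/alpine-perl` contexts, so the published core image is built on whatever default the Dockerfile's `IMAGE` arg carries (not visible here) instead of the `-alpine-slim` image `build-slim` just pushed, and perl likewise is not built on the core image from `build-core`; the same applies to `build-otel` in the next hunk. Unless the Dockerfile defaults already point at the tag being published in this run, add e.g. `build-args: IMAGE=docker.io/nginxinc/nginx-unprivileged@${{ steps.build-slim.outputs.digest }}` so the dependency chain inside one publish run is explicit and digest-pinned. The four copies of the `images:` block and the ten-line `tags:` lists differ only in their suffix; GitHub Actions does not expand YAML anchors, so a `matrix` over the variant suffix would collapse them, though the slim→core→perl ordering would then need separate jobs or a bake file.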
@@ -547,22 +389,19 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build and push NGINX mainline otel Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay - id: build + - name: Build and push NGINX mainline otel Alpine image + id: build-otel uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64, linux/arm64' }} + platforms: linux/amd64, linux/arm64 context: "{{ defaultContext }}:mainline/alpine-otel" - labels: ${{ steps.meta.outputs.labels }} - annotations: ${{ steps.meta.outputs.annotations }} - tags: ${{ steps.meta.outputs.tags }} - build-args: ${{ github.event_name == 'pull_request' && format('IMAGE={0}', steps.alpine-tag.outputs.tag) || '' }} - push: ${{ github.event_name != 'pull_request' }} - # cache-from: type=gha,scope=alpine-otel - # cache-to: type=gha,mode=min,scope=alpine-otel + labels: ${{ steps.meta-otel.outputs.labels }} + annotations: ${{ steps.meta-otel.outputs.annotations }} + tags: ${{ steps.meta-otel.outputs.tags }} + push: true - - name: Sign Docker Hub Manifest - if: ${{ github.event_name != 'pull_request' }} + # Docker Hub signing for all images + - name: Sign Docker Hub Manifest for slim image run: | set -ex sudo apt update 
@@ -571,8 +410,74 @@ jobs: echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx - DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) - SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + DIGEST=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-slim $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + + - name: Sign Docker Hub Manifest for core image + run: | + set -ex + DIGEST=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ 
needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }} $SIZE 
--sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + + - name: Sign Docker Hub Manifest for perl image + run: | + set -ex + DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ 
needs.version.outputs.major }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-perl $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + + - name: Sign Docker Hub Manifest for otel image + run: | + set -ex + DIGEST=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor 
}}.${{ needs.version.outputs.patch }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose From 63f0b0f781508062bd9db68431b1c87e66dac613 Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Thu, 21 Aug 2025 18:04:15 +0200 Subject: [PATCH 15/20] Update alpine-mainline.yml --- .github/workflows/alpine-mainline.yml | 141 ++------------------------ 1 file changed, 11 insertions(+), 130 deletions(-) diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index c9dee78f..f6798305 100644 --- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml @@ -53,10 +53,9 @@ jobs: with: platforms: linux/amd64 context: "{{ defaultContext }}:mainline/alpine-slim" + tags: nginx-unprivileged:alpine-slim push: false outputs: type=docker,dest=/tmp/alpine-slim.tar - # cache-from: type=gha,scope=alpine-slim - # cache-to: type=gha,mode=min,scope=alpine-slim - name: Upload Alpine slim image artifact uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 @@ -86,14 +85,6 @@ jobs: docker load --input /tmp/alpine-slim.tar docker image ls -a - - name: Generate slim image tag for builds - id: slim-tag - run: | - # Get the tag that was loaded from the artifact - SLIM_TAG=$(docker image ls --format "table {{.Repository}}:{{.Tag}}" | grep -v REPOSITORY | grep slim | head -1) - echo "tag=${SLIM_TAG}" >> "$GITHUB_OUTPUT" - echo "Using slim image: ${SLIM_TAG}" - - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 
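Review bot: Every new `Sign Docker Hub Manifest for … image` step in this hunk splices `${{ steps.build-*.outputs.metadata }}` and `${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}` straight into the `run:` script text under `set -ex`; the metadata output is JSON, so a single quote in it would break the `printf '...'` or change the command, and `-x` traces the `export NOTARY_AUTH=` line, whose base64 value is not the literal secret that log masking looks for. Pass both through the step's existing `env:` block and read them as shell variables, as sketched below for the slim step; the core, perl and otel steps need the same three lines. Those three later steps also rely on the `notary` binary and trust key installed by the slim step, which works on one runner but deserves a comment on the first step so nobody reorders or splits them; the otel step's remaining lines lie outside the hunk.
```yaml
      - name: Sign Docker Hub Manifest for slim image
        env:
          BUILD_METADATA: ${{ steps.build-slim.outputs.metadata }}
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          # … unchanged: DOCKER_CONTENT_TRUST_* and NOTARY_TARGETS_PASSPHRASE entries …
        run: |
          set -e
          # … unchanged: notary install and trust key load …
          DIGEST=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
          SIZE=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".size')
          NOTARY_AUTH=$(printf '%s:%s' "$DOCKERHUB_USERNAME" "$DOCKERHUB_TOKEN" | base64 -w0)
          export NOTARY_AUTH
          set -x
          # … unchanged: notary addhash calls …
```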
@@ -106,11 +97,10 @@ jobs: with: platforms: linux/amd64 context: "{{ defaultContext }}:mainline/alpine" - build-args: IMAGE=${{ steps.slim-tag.outputs.tag }} + tags: nginx-unprivileged:alpine + build-args: IMAGE=nginx-unprivileged:alpine-slim push: false outputs: type=docker,dest=/tmp/alpine.tar - # cache-from: type=gha,scope=debian-perl - # cache-to: type=gha,mode=min,scope=debian-perl - name: Upload Alpine image artifact uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 @@ -140,14 +130,6 @@ jobs: docker load --input /tmp/alpine.tar docker image ls -a - - name: Generate alpine image tag for builds - id: alpine-tag - run: | - # Get the tag that was loaded from the artifact (should be alpine, not alpine-slim) - ALPINE_TAG=$(docker image ls --format "table {{.Repository}}:{{.Tag}}" | grep -v REPOSITORY | grep -E "alpine$|alpine3" | head -1) - echo "tag=${ALPINE_TAG}" >> "$GITHUB_OUTPUT" - echo "Using alpine image: ${ALPINE_TAG}" - - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 @@ -160,10 +142,9 @@ jobs: with: platforms: linux/amd64 context: "{{ defaultContext }}:mainline/alpine-perl" - build-args: IMAGE=${{ steps.alpine-tag.outputs.tag }} + tags: nginx-unprivileged:alpine-perl + build-args: IMAGE=nginx-unprivileged:alpine push: false - # cache-from: type=gha,scope=alpine-perl - # cache-to: type=gha,mode=min,scope=alpine-perl otel: name: Build Alpine NGINX mainline otel Docker image 
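Review bot: `build-args: IMAGE=nginx-unprivileged:alpine-slim` in the core job (and `IMAGE=nginx-unprivileged:alpine` in the perl hunk below and the otel hunk on the next line) is an unqualified image reference that exists only in the runner's local daemon store after `docker load`; `docker/setup-buildx-action` is used here without `driver:`, and its default docker-container builder does not see daemon images, so BuildKit would resolve the name as `docker.io/library/nginx-unprivileged:alpine-slim` and either fail or pull whatever is published under that name on Docker Hub. If the builder is in fact configured with the docker driver (not visible in this diff), a comment on the `Set up Docker Buildx` step stating that the build relies on it would protect the invariant; otherwise set `driver: docker` on that step, or give the loaded image a name that cannot resolve to a public registry (e.g. `tags: localhost/nginx-unprivileged:alpine-slim` in the slim job and the matching `IMAGE=` here). Either way, a `docker image inspect nginx-unprivileged:alpine-slim` right after `docker load` would fail fast when the artifact does not carry the expected tag.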
@@ -186,14 +167,6 @@ jobs: docker load --input /tmp/alpine.tar docker image ls -a - - name: Generate alpine image tag for builds - id: alpine-tag - run: | - # Get the tag that was loaded from the artifact (should be alpine, not alpine-slim) - ALPINE_TAG=$(docker image ls --format "table {{.Repository}}:{{.Tag}}" | grep -v REPOSITORY | grep -E "alpine$|alpine3" | head -1) - echo "tag=${ALPINE_TAG}" >> "$GITHUB_OUTPUT" - echo "Using alpine image: ${ALPINE_TAG}" - - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 @@ -206,10 +179,9 @@ jobs: with: platforms: linux/amd64 context: "{{ defaultContext }}:mainline/alpine-otel" - build-args: IMAGE=${{ steps.alpine-tag.outputs.tag }} + tags: nginx-unprivileged:alpine-otel + build-args: IMAGE=nginx-unprivileged:alpine push: false - # cache-from: type=gha,scope=alpine-otel - # cache-to: type=gha,mode=min,scope=alpine-otel publish: name: Publish Alpine NGINX mainline images to external registries @@ -295,7 +267,7 @@ jobs: tags: ${{ steps.meta-slim.outputs.tags }} push: true - # Build and push core image + # Build and push core image (needs slim image reference) - name: Extract metadata for core image id: meta-core uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 @@ -325,6 +297,7 @@ jobs: with: platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine" + build-args: IMAGE=docker.io/nginxinc/nginx-unprivileged:${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim labels: ${{ steps.meta-core.outputs.labels }} annotations: ${{ steps.meta-core.outputs.annotations }} tags: ${{ steps.meta-core.outputs.tags }} 
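Review bot: The added `build-args: IMAGE=docker.io/nginxinc/nginx-unprivileged:…-alpine-slim` line makes `build-core` pull its base back from Docker Hub by mutable tag in the middle of the publish job, rather than using the image `build-slim` just produced; the same pattern is added for perl in the next hunk and for otel in the one after. A tag push can lag or be overwritten between the two steps, and a fetch that lands on a stale or foreign manifest builds core on the wrong base without any error. `docker/build-push-action` exposes the pushed digest, so pin it: `build-args: IMAGE=docker.io/nginxinc/nginx-unprivileged@${{ steps.build-slim.outputs.digest }}` here and `@${{ steps.build-core.outputs.digest }}` for perl and otel, which ties each link of the chain to the exact manifest signed later in this job.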
@@ -360,6 +333,7 @@ jobs:
with:
platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
context: "{{ defaultContext }}:mainline/alpine-perl"
+ build-args: IMAGE=docker.io/nginxinc/nginx-unprivileged:${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine
labels: ${{ steps.meta-perl.outputs.labels }}
annotations: ${{ steps.meta-perl.outputs.annotations }}
tags: ${{ steps.meta-perl.outputs.tags }} 
@@ -395,102 +369,9 @@ jobs:
with:
platforms: linux/amd64, linux/arm64
context: "{{ defaultContext }}:mainline/alpine-otel"
+ build-args: IMAGE=docker.io/nginxinc/nginx-unprivileged:${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine
labels: ${{ steps.meta-otel.outputs.labels }}
annotations: ${{ steps.meta-otel.outputs.annotations }}
tags: ${{ steps.meta-otel.outputs.tags }}
push: true
- # Docker Hub signing for all images
- - name: Sign Docker Hub Manifest for slim image
- run: |
- set -ex
- sudo apt update
- sudo apt install -y notary
- mkdir -p ~/.docker/trust/private
- echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
- chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
- docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx
- DIGEST=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
- SIZE=$(printf '${{ steps.build-slim.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
- export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ 
needs.version.outputs.minor }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-slim $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-slim $SIZE --sha256 $DIGEST --publish --verbose
- env:
- DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
- DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
- DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
- NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
-
- - name: Sign Docker Hub Manifest for core image
- run: |
- set -ex
- DIGEST=$(printf '${{ 
steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
- SIZE=$(printf '${{ steps.build-core.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
- export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }} $SIZE --sha256 $DIGEST --publish --verbose
- env:
- DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
- DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
- DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
- NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
-
- - name: Sign Docker Hub Manifest for perl image
- run: |
- set -ex
- DIGEST=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
- SIZE=$(printf '${{ steps.build-perl.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
- export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor 
}}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-perl $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-perl $SIZE --sha256 $DIGEST --publish --verbose
- env:
- DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
- DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
- DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
- NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
-
- - name: Sign Docker Hub Manifest for otel image
- run: |
- set -ex
- DIGEST=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r 
'."containerimage.descriptor".digest' | cut -d ':' -f2)
- SIZE=$(printf '${{ steps.build-otel.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
- export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash 
docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
- notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
- env:
- DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
- DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
- DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
- NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
From 80905372548f0a3b3266cc5066cb92087f4f9d99 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Thu, 21 Aug 2025 23:44:39 +0200
Subject: [PATCH 16/20] Update alpine-mainline.yml
---
.github/workflows/alpine-mainline.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml
index f6798305..10d01be5 100644
--- a/.github/workflows/alpine-mainline.yml
+++ b/.github/workflows/alpine-mainline.yml
@@ -74,6 +74,12 @@ jobs:
- name: Check out the codebase
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
- name: Download Alpine slim image artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with: 
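Review bot: The four `Sign Docker Hub Manifest for … image` steps are removed in the `@@ -395,102 +369,9 @@` hunk and nothing in the hunk takes their place, so the tags that the `build-*` steps push (`push: true` above the deletion) no longer receive a Docker Content Trust signature, and consumers who enable DCT or check notary metadata will see them as unsigned; the commit message for this change is outside this excerpt, so it is not visible whether that is intended. If dropping DCT is the goal, the commit message should say so and the `DOCKER_CONTENT_TRUST_REPOSITORY_*` secrets these steps read should be retired if nothing else uses them; if not, a replacement (signing the pushed digests, or enabling the build attestations the action can emit) belongs in the same change so that no release goes out unsigned in between. Either way a short comment at the end of the publish job recording the decision would stop the next reader from assuming the steps were lost by accident.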
@@ -85,12 +91,6 @@ jobs:
docker load --input /tmp/alpine-slim.tar
docker image ls -a
- - name: Set up QEMU
- uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
- name: Build NGINX mainline Alpine image locally
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
From 49372eb6600c675fd35278112a5377e56df76c63 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Fri, 22 Aug 2025 14:52:00 +0200
Subject: [PATCH 17/20] Update alpine-mainline.yml
---
.github/workflows/alpine-mainline.yml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml
index 10d01be5..3a8f65a1 100644
--- a/.github/workflows/alpine-mainline.yml
+++ b/.github/workflows/alpine-mainline.yml
@@ -70,6 +70,11 @@ jobs:
runs-on: ubuntu-24.04
strategy:
fail-fast: false
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
steps:
- name: Check out the codebase
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -90,6 +95,8 @@ jobs:
run: |
docker load --input /tmp/alpine-slim.tar
docker image ls -a
+ docker tag nginx-unprivileged:alpine-slim localhost:5000/nginx-unprivileged:alpine-slim
+ docker push localhost:5000/nginx-unprivileged:alpine-slim
- name: Build NGINX mainline Alpine image locally
id: build
@@ -97,8 +104,8 @@ jobs:
with:
platforms: linux/amd64
context: "{{ defaultContext }}:mainline/alpine"
- tags: nginx-unprivileged:alpine
- build-args: IMAGE=nginx-unprivileged:alpine-slim
+ tags: localhost:5000/nginx-unprivileged:alpine
+ build-args: IMAGE=localhost:5000/nginx-unprivileged:alpine-slim
push: false
outputs: type=docker,dest=/tmp/alpine.tar
From 9c2d75cb1498b67279323f5f96b1cb18b43007c6 Mon Sep 17 00:00:00 2001 
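Review bot: `image: registry:2` in the new `services:` block (`@@ -70,6 +70,11 @@`) is a floating tag while every action in this file is pinned to a commit SHA; the registry now sits in the build's trust path, since the slim base image is pushed to it and pulled back from it in the following hunks, so it deserves the same treatment: `image: registry:2@sha256:<digest of the reviewed registry image>`. The port mapping is also better written as a quoted string, `- "5000:5000"`, which is the usual YAML convention for `host:container` pairs. A one-line comment above `services:` saying that the registry exists so BuildKit can consume the artifact-loaded slim image as a base would save the next reader from reconstructing the intent from patches 17–19.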
From: Alessandro Fael Garcia
Date: Fri, 22 Aug 2025 15:19:36 +0200
Subject: [PATCH 18/20] Update alpine-mainline.yml
---
.github/workflows/alpine-mainline.yml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml
index 3a8f65a1..152ae871 100644
--- a/.github/workflows/alpine-mainline.yml
+++ b/.github/workflows/alpine-mainline.yml
@@ -94,10 +94,17 @@ jobs:
- name: Load Alpine slim image
run: |
docker load --input /tmp/alpine-slim.tar
- docker image ls -a
docker tag nginx-unprivileged:alpine-slim localhost:5000/nginx-unprivileged:alpine-slim
+ docker image ls -a
+
+ - name: Push Alpine slim image
+ run: |
docker push localhost:5000/nginx-unprivileged:alpine-slim
+ - name: Pull Alpine slim image
+ run: |
+ docker pull localhost:5000/nginx-unprivileged:alpine-slim
+
- name: Build NGINX mainline Alpine image locally
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
From 64c4c5b5f268dc3a1d0009f046acf10b0a7df114 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Fri, 22 Aug 2025 15:23:35 +0200
Subject: [PATCH 19/20] Update alpine-mainline.yml
---
.github/workflows/alpine-mainline.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml
index 152ae871..96910f4e 100644
--- a/.github/workflows/alpine-mainline.yml
+++ b/.github/workflows/alpine-mainline.yml
@@ -84,6 +84,8 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+ with:
+ driver-opts: network=host
- name: Download Alpine slim image artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
From 421dbddd73a80002846988ce5cf1adc2e3a8d29b Mon Sep 17 00:00:00 2001 
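Review bot: `driver-opts: network=host` in the `@@ -84,6 +84,8 @@` hunk is added without a comment, and its reason is non-local: the BuildKit container has to share the runner's network namespace to reach the `localhost:5000` registry service that the slim image is pushed to, so the `IMAGE=localhost:5000/…` base-image pull in the build step depends on it. Without that note a future cleanup removes the option and the build fails with an unhelpful connection error; suggested comment above the new `with:`: `# host networking so BuildKit can pull the slim base image from the localhost:5000 registry service`. Host networking also makes everything listening on the runner's loopback reachable from the build container, so keep the option on the jobs that actually use the local registry rather than copying it to the other workflows.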
From: Alessandro Fael Garcia
Date: Tue, 14 Oct 2025 15:39:40 +0200
Subject: [PATCH 20/20] Update alpine-mainline.yml
---
.github/workflows/alpine-mainline.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml
index 96910f4e..cd368a02 100644
--- a/.github/workflows/alpine-mainline.yml
+++ b/.github/workflows/alpine-mainline.yml
@@ -51,7 +51,7 @@ jobs:
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
- platforms: linux/amd64
+ platforms: linux/amd64, linux/arm64
context: "{{ defaultContext }}:mainline/alpine-slim"
tags: nginx-unprivileged:alpine-slim
push: false
@@ -111,7 +111,7 @@ jobs:
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
- platforms: linux/amd64
+ platforms: linux/amd64, linux/arm64
context: "{{ defaultContext }}:mainline/alpine"
tags: localhost:5000/nginx-unprivileged:alpine
build-args: IMAGE=localhost:5000/nginx-unprivileged:alpine-slim
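Review bot: `platforms: linux/amd64, linux/arm64` in the `@@ -51,7 +51,7 @@` hunk turns the slim build into a multi-platform build, but the step still runs with `push: false` and exports to a tar that the next job `docker load`s, tags and pushes to the local registry, and whether the docker exporter and that daemon round-trip preserve both platform manifests depends on the BuildKit and daemon versions on the runner — worth confirming rather than assuming. If only the host platform survives, `localhost:5000/nginx-unprivileged:alpine-slim` has no arm64 variant and the arm64 half of the core build in `@@ -111,7 +111,7 @@` has no base to pull, so a check such as `docker buildx imagetools inspect localhost:5000/nginx-unprivileged:alpine-slim` after the push step would make the available platforms visible in the log. The core build's own `outputs: type=docker,dest=/tmp/alpine.tar` feeds the perl and otel jobs the same way, so the same confirmation applies there.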