Skip to content

ci: address OSSF Scorecard warnings #488

ci: address OSSF Scorecard warnings

ci: address OSSF Scorecard warnings #488

Workflow file for this run

---
name: NGINX S3 Gateway CI/CD
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
CI: true
permissions: read-all
# Job progression. We make sure that the base image [oss] builds and passes tests before kicking off the other builds
# ┌──────────────────┐ ┌────────────────┐ ┌────────────────┐
# ┌─────────┐ ┌─────────┬────► Build Latest NJS ├────────►Test Latest NJS ├─────►│Push Latest NJS │
# │Build OSS├────►│Test OSS │ └──────────────────┘ └────────────────┘ └────────────────┘
# └─────────┘ └──┬──────┤
# │ │ ┌──────────────────┐ ┌──────────────────┐ ┌─────────────────┐
# │ └────►Build Unprivileged├───────►Test Unprivileged ├────►│Push Unprivileged│
# │ └──────────────────┘ └──────────────────┘ ├────────┬────────┘
# │ ├────────┤
# └──────────────────────────────────────────────────────────────►│Push OSS│
# └────────┘
# As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry
jobs:
build-oss-for-test:
runs-on: ubuntu-22.04
steps:
- name: Check out the codebase
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- name: Build and export
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: Dockerfile.oss
context: .
tags: nginx-s3-gateway , nginx-s3-gateway:oss
outputs: type=docker,dest=${{ runner.temp }}/oss.tar
- name: Upload artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: oss
path: ${{ runner.temp }}/oss.tar
retention-days: 1
if-no-files-found: error
test-oss:
runs-on: ubuntu-22.04
needs: build-oss-for-test
strategy:
matrix:
path_style: [virtual, virtual-v2]
steps:
- name: Check out the codebase
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Install dependencies
run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it
- name: Restore cached binaries
id: cache-binaries-restore
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: .bin
key: ${{ runner.os }}-binaries
- name: Install MinIO Client
run: |
mkdir .bin || exit 0
cd .bin
curl --insecure --retry 6 --fail --location --output mc.RELEASE.2023-06-19T19-31-19Z "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z"
curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check -
mv mc.RELEASE.2023-06-19T19-31-19Z mc
chmod +x mc
- name: Download artifact
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: oss
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/oss.tar
- name: Run tests - stable njs version
run: S3_STYLE=${{ matrix.path_style }} ./test.sh --type oss
build-latest-njs-for-test:
runs-on: ubuntu-22.04
needs: test-oss
steps:
- name: Check out the codebase
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
with:
driver: docker
- name: Download artifact
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: oss
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/oss.tar
- name: Build and load oss image
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: Dockerfile.latest-njs
context: .
tags: nginx-s3-gateway:latest-njs-oss
load: true
# Save manually here since we need to use `docker` buildx but that can't output a file that upload-artifact likes.
- name: Export image to a tar
run: |
docker save nginx-s3-gateway:latest-njs-oss > ${{ runner.temp }}/latest-njs.tar
- name: Upload artifact - latest-njs
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: latest-njs
path: ${{ runner.temp }}/latest-njs.tar
retention-days: 1
if-no-files-found: error
test-latest-njs:
runs-on: ubuntu-22.04
needs: build-latest-njs-for-test
steps:
- name: Check out the codebase
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Install dependencies
run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it
- name: Restore cached binaries
id: cache-binaries-restore
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: .bin
key: ${{ runner.os }}-binaries
- name: Install MinIO Client
run: |
mkdir .bin || exit 0
cd .bin
curl --insecure --retry 6 --fail --location --output mc.RELEASE.2023-06-19T19-31-19Z "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z"
curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check -
mv mc.RELEASE.2023-06-19T19-31-19Z mc
chmod +x mc
- name: Download artifact
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: latest-njs
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/latest-njs.tar
docker tag nginx-s3-gateway:latest-njs-oss nginx-s3-gateway
- name: Run tests - latest njs version
run: ./test.sh --latest-njs --type oss
build-unprivileged-for-test:
runs-on: ubuntu-22.04
needs: test-oss
steps:
- name: Check out the codebase
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
with:
driver: docker
- name: Download artifact
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: oss
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/oss.tar
- name: Build and load oss image
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: Dockerfile.unprivileged
context: .
tags: nginx-s3-gateway:unprivileged-oss
load: true
# Save manually here since we need to use `docker` buildx but that can't output a file that upload-artifact likes.
- name: Export image to a tar
run: |
docker save nginx-s3-gateway:unprivileged-oss > ${{ runner.temp }}/unprivileged.tar
- name: Upload artifact - unprivileged
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: unprivileged
path: ${{ runner.temp }}/unprivileged.tar
retention-days: 1
if-no-files-found: error
test-unprivileged:
runs-on: ubuntu-22.04
needs: build-unprivileged-for-test
steps:
- name: Check out the codebase
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Install dependencies
run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it
- name: Restore cached binaries
id: cache-binaries-restore
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: .bin
key: ${{ runner.os }}-binaries
- name: Install MinIO Client
run: |
mkdir .bin || exit 0
cd .bin
curl --insecure --retry 6 --fail --location --output mc.RELEASE.2023-06-19T19-31-19Z "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z"
curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check -
mv mc.RELEASE.2023-06-19T19-31-19Z mc
chmod +x mc
- name: Download artifact
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: unprivileged
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/unprivileged.tar
docker tag nginx-s3-gateway:unprivileged-oss nginx-s3-gateway
- name: Run tests - unprivileged
run: ./test.sh --unprivileged --type oss
# As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry
tag-and-push:
runs-on: ubuntu-22.04
needs: [test-oss, test-latest-njs, test-unprivileged]
if: |
github.ref == 'refs/heads/main'
permissions:
packages: write
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- name: Check out the codebase
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Get current date
id: date
run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set up Docker Buildx for local image build and push
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
with:
driver-opts: network=host
# Do an initial build of the base image and push to a local registry for downstream images because the `docker-container` driver can't find local images with `load`.
- name: Build and push image [oss] to local registry for downstream
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: Dockerfile.oss
context: .
push: true
platforms: linux/amd64,linux/arm64
provenance: false
tags: localhost:5000/nginx-oss-s3-gateway:oss
- name: Login to GitHub Container Registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
# This second invocation of the build/push should just use the existing build cache.
- name: Build and push image [oss]
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: Dockerfile.oss
context: .
push: true
platforms: linux/amd64,linux/arm64
provenance: false
tags: |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest-${{ steps.date.outputs.date }}
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest
nginxinc/nginx-s3-gateway:latest-${{ steps.date.outputs.date }}
nginxinc/nginx-s3-gateway:latest
- name: Build and push image [latest-njs]
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: Dockerfile.latest-njs
context: .
build-contexts: |
nginx-s3-gateway=docker-image://localhost:5000/nginx-oss-s3-gateway:oss
push: true
platforms: linux/amd64,linux/arm64
provenance: false
tags: |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest-njs-oss
nginxinc/nginx-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
nginxinc/nginx-s3-gateway:latest-njs-oss
- name: Build and push image [unprivileged]
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
with:
file: Dockerfile.unprivileged
context: .
build-contexts: |
nginx-s3-gateway=docker-image://localhost:5000/nginx-oss-s3-gateway:oss
push: true
platforms: linux/amd64,linux/arm64
provenance: false
tags: |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:unprivileged-oss
nginxinc/nginx-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
nginxinc/nginx-s3-gateway:unprivileged-oss