ci: address OSSF Scorecard warnings #494
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: NGINX S3 Gateway CI/CD | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
env: | |
CI: true | |
permissions: read-all | |
# Job progression. We make sure that the base image [oss] builds and passes tests before kicking off the other builds | |
# ┌──────────────────┐ ┌────────────────┐ ┌────────────────┐ | |
# ┌─────────┐ ┌─────────┬────► Build Latest NJS ├────────►Test Latest NJS ├─────►│Push Latest NJS │ | |
# │Build OSS├────►│Test OSS │ └──────────────────┘ └────────────────┘ └────────────────┘ | |
# └─────────┘ └──┬──────┤ | |
# │ │ ┌──────────────────┐ ┌──────────────────┐ ┌─────────────────┐ | |
# │ └────►Build Unprivileged├───────►Test Unprivileged ├────►│Push Unprivileged│ | |
# │ └──────────────────┘ └──────────────────┘ ├────────┬────────┘ | |
# │ ├────────┤ | |
# └──────────────────────────────────────────────────────────────►│Push OSS│ | |
# └────────┘ | |
# As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry | |
jobs: | |
build-oss-for-test: | |
name: Build NGINX OSS image | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Check out the codebase | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
- name: Build and export | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
with: | |
file: Dockerfile.oss | |
context: . | |
tags: nginx-s3-gateway , nginx-s3-gateway:oss | |
outputs: type=docker,dest=${{ runner.temp }}/oss.tar | |
- name: Upload artifact | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: oss | |
path: ${{ runner.temp }}/oss.tar | |
retention-days: 1 | |
if-no-files-found: error | |
test-oss: | |
name: Test NGINX OSS image | |
runs-on: ubuntu-22.04 | |
needs: build-oss-for-test | |
strategy: | |
matrix: | |
path_style: [virtual, virtual-v2] | |
steps: | |
- name: Check out the codebase | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install dependencies | |
run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it | |
- name: Restore cached binaries | |
id: cache-binaries-restore | |
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: .bin | |
key: ${{ runner.os }}-binaries | |
- name: Install MinIO Client | |
run: | | |
mkdir .bin || exit 0 | |
cd .bin | |
curl --insecure --retry 6 --fail --location --output mc.RELEASE.2023-06-19T19-31-19Z "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z" | |
curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check - | |
mv mc.RELEASE.2023-06-19T19-31-19Z mc | |
chmod +x mc | |
- name: Download artifact | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: oss | |
path: ${{ runner.temp }} | |
- name: Load image | |
run: | | |
docker load --input ${{ runner.temp }}/oss.tar | |
- name: Run tests - stable njs version | |
run: S3_STYLE=${{ matrix.path_style }} ./test.sh --type oss | |
build-latest-njs-for-test: | |
name: Build NGINX OSS image using latest njs commit | |
runs-on: ubuntu-22.04 | |
needs: test-oss | |
steps: | |
- name: Check out the codebase | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
with: | |
driver: docker | |
- name: Download artifact | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: oss | |
path: ${{ runner.temp }} | |
- name: Load image | |
run: | | |
docker load --input ${{ runner.temp }}/oss.tar | |
- name: Build and load oss image | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
with: | |
file: Dockerfile.latest-njs | |
context: . | |
tags: nginx-s3-gateway:latest-njs-oss | |
load: true | |
# Save manually here since we need to use `docker` buildx but that can't output a file that upload-artifact likes. | |
- name: Export image to a tar | |
run: | | |
docker save nginx-s3-gateway:latest-njs-oss > ${{ runner.temp }}/latest-njs.tar | |
- name: Upload artifact - latest-njs | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: latest-njs | |
path: ${{ runner.temp }}/latest-njs.tar | |
retention-days: 1 | |
if-no-files-found: error | |
test-latest-njs: | |
name: Test NGINX OSS image using latest njs commit | |
runs-on: ubuntu-22.04 | |
needs: build-latest-njs-for-test | |
steps: | |
- name: Check out the codebase | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install dependencies | |
run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it | |
- name: Restore cached binaries | |
id: cache-binaries-restore | |
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: .bin | |
key: ${{ runner.os }}-binaries | |
- name: Install MinIO Client | |
run: | | |
mkdir .bin || exit 0 | |
cd .bin | |
curl --insecure --retry 6 --fail --location --output mc.RELEASE.2023-06-19T19-31-19Z "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z" | |
curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check - | |
mv mc.RELEASE.2023-06-19T19-31-19Z mc | |
chmod +x mc | |
- name: Download artifact | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: latest-njs | |
path: ${{ runner.temp }} | |
- name: Load image | |
run: | | |
docker load --input ${{ runner.temp }}/latest-njs.tar | |
docker tag nginx-s3-gateway:latest-njs-oss nginx-s3-gateway | |
- name: Run tests - latest njs version | |
run: ./test.sh --latest-njs --type oss | |
build-unprivileged-for-test: | |
name: Build NGINX OSS unprivileged image | |
runs-on: ubuntu-22.04 | |
needs: test-oss | |
steps: | |
- name: Check out the codebase | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
with: | |
driver: docker | |
- name: Download artifact | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: oss | |
path: ${{ runner.temp }} | |
- name: Load image | |
run: | | |
docker load --input ${{ runner.temp }}/oss.tar | |
- name: Build and load oss image | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
with: | |
file: Dockerfile.unprivileged | |
context: . | |
tags: nginx-s3-gateway:unprivileged-oss | |
load: true | |
# Save manually here since we need to use `docker` buildx but that can't output a file that upload-artifact likes. | |
- name: Export image to a tar | |
run: | | |
docker save nginx-s3-gateway:unprivileged-oss > ${{ runner.temp }}/unprivileged.tar | |
- name: Upload artifact - unprivileged | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: unprivileged | |
path: ${{ runner.temp }}/unprivileged.tar | |
retention-days: 1 | |
if-no-files-found: error | |
test-unprivileged: | |
name: Test NGINX OSS unprivileged image | |
runs-on: ubuntu-22.04 | |
needs: build-unprivileged-for-test | |
steps: | |
- name: Check out the codebase | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install dependencies | |
run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it | |
- name: Restore cached binaries | |
id: cache-binaries-restore | |
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: .bin | |
key: ${{ runner.os }}-binaries | |
- name: Install MinIO Client | |
run: | | |
mkdir .bin || exit 0 | |
cd .bin | |
curl --insecure --retry 6 --fail --location --output mc.RELEASE.2023-06-19T19-31-19Z "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z" | |
curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check - | |
mv mc.RELEASE.2023-06-19T19-31-19Z mc | |
chmod +x mc | |
- name: Download artifact | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: unprivileged | |
path: ${{ runner.temp }} | |
- name: Load image | |
run: | | |
docker load --input ${{ runner.temp }}/unprivileged.tar | |
docker tag nginx-s3-gateway:unprivileged-oss nginx-s3-gateway | |
- name: Run tests - unprivileged | |
run: ./test.sh --unprivileged --type oss | |
# As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry | |
tag-and-push: | |
name: Tag and push all built and tested NGINX images | |
runs-on: ubuntu-22.04 | |
needs: [test-oss, test-latest-njs, test-unprivileged] | |
if: | | |
github.ref == 'refs/heads/main' | |
permissions: | |
packages: write | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
steps: | |
- name: Check out the codebase | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Get current date | |
id: date | |
run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
- name: Set up Docker Buildx for local image build and push | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
with: | |
driver-opts: network=host | |
# Do an initial build of the base image and push to a local registry for downstream images because the `docker-container` driver can't find local images with `load`. | |
- name: Build and push image [oss] to local registry for downstream | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
with: | |
file: Dockerfile.oss | |
context: . | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
provenance: false | |
tags: localhost:5000/nginx-oss-s3-gateway:oss | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Login to Docker Hub | |
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
with: | |
username: ${{ secrets.DOCKER_HUB_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | |
# This second invocation of the build/push should just use the existing build cache. | |
- name: Build and push image [oss] | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
with: | |
file: Dockerfile.oss | |
context: . | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
provenance: false | |
tags: | | |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest-${{ steps.date.outputs.date }} | |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest | |
nginxinc/nginx-s3-gateway:latest-${{ steps.date.outputs.date }} | |
nginxinc/nginx-s3-gateway:latest | |
- name: Build and push image [latest-njs] | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
with: | |
file: Dockerfile.latest-njs | |
context: . | |
build-contexts: | | |
nginx-s3-gateway=docker-image://localhost:5000/nginx-oss-s3-gateway:oss | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
provenance: false | |
tags: | | |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }} | |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest-njs-oss | |
nginxinc/nginx-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }} | |
nginxinc/nginx-s3-gateway:latest-njs-oss | |
- name: Build and push image [unprivileged] | |
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
with: | |
file: Dockerfile.unprivileged | |
context: . | |
build-contexts: | | |
nginx-s3-gateway=docker-image://localhost:5000/nginx-oss-s3-gateway:oss | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
provenance: false | |
tags: | | |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }} | |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:unprivileged-oss | |
nginxinc/nginx-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }} | |
nginxinc/nginx-s3-gateway:unprivileged-oss |