.github/workflows/update-docker-images.yml

name: Update Docker Images

on:
  schedule:
    - cron: "0 2 * * *" # run every day at 02:00 UTC

defaults:
  run:
    shell: bash

concurrency:
  group: ${{ github.ref_name }}-update-images
  cancel-in-progress: true

permissions:
  contents: read

env:
  platforms: "linux/arm64, linux/amd64"

jobs:
  variables:
    name: Get versions of base images
    runs-on: ubuntu-22.04
    outputs:
      nkg_tag: ${{ steps.nkg.outputs.tag }}
      nginx_version: ${{ steps.nginx.outputs.nginx_version }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          fetch-depth: 0

      - name: Set NKG version
        id: nkg
        run: |
          tag="$(git tag --sort=-version:refname | head -n1)"
          echo "tag=${tag//v}" >> $GITHUB_OUTPUT

      - name: Checkout Repository at ${{ steps.nkg.outputs.tag }}
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          ref: refs/tags/v${{ steps.nkg.outputs.tag }}

      - name: Set NGINX version
        id: nginx
        run: |
          version=library/nginx:$(grep -m1 "FROM.*nginx:.*alpine" < build/Dockerfile.nginx | awk -F"[ :]" '{print $3}')
          echo nginx_version=${version} >> $GITHUB_OUTPUT

  check:
    name: Check if updates are needed
    runs-on: ubuntu-22.04
    needs: variables
    outputs:
      needs-updating: ${{ steps.needs.outputs.needs-updating }}
    steps:
      - name: Check if update available for nginx image
        id: update
        uses: lucacome/docker-image-update-checker@f50d56412b948cfdbb842c5419372681e0db3df1 # v1.2.1
        with:
          base-image: ${{ needs.variables.outputs.nginx_version }}
          image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx:${{ needs.variables.outputs.nkg_tag }}
          platforms: ${{ env.platforms }}

      - id: needs
        run: echo "needs-updating=${{ steps.update.outputs.needs-updating }}" >> $GITHUB_OUTPUT

  build:
    name: Build Image
    runs-on: ubuntu-22.04
    needs: [variables, check]
    if: ${{ needs.check.outputs.needs-updating }}
    strategy:
      fail-fast: false
    permissions:
      contents: read # for docker/build-push-action to read repo content
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      packages: write # for docker/build-push-action to push to GHCR
    steps:
      - name: Checkout Repository
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

      - name: Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Setup QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
        with:
          platforms: arm64

      - name: Login to GitHub Container Registry
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          images: |
            name=ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx
          tags: |
            ${{ needs.variables.outputs.nkg_tag }}

      - name: Build Docker Image
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          file: 'build/Dockerfile.nginx'
          context: "."
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          push: true
          platforms: ${{ env.platforms }}
          pull: true
          no-cache: true
          sbom: true
          provenance: false
          build-args: |
            NJS_DIR=internal/mode/static/nginx/modules/src
            NGINX_CONF_DIR=internal/mode/static/nginx/conf

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
        continue-on-error: true
        with:
          image-ref: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx:${{ needs.variables.outputs.nkg_tag }}
          format: "sarif"
          output: trivy-results-nginx-kubernetes-gateway-nginx
          ignore-unfixed: "true"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
        continue-on-error: true
        with:
          sarif_file: trivy-results-nginx-kubernetes-gateway-nginx

      - name: Upload Scan Results
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        continue-on-error: true
        with:
          name: trivy-results-nginx-kubernetes-gateway-nginx
          path: trivy-results-nginx-kubernetes-gateway-nginx
        if: always()