Skip to content

build(deps): bump github/codeql-action from 3.27.4 to 3.27.9 #269

build(deps): bump github/codeql-action from 3.27.4 to 3.27.9

build(deps): bump github/codeql-action from 3.27.4 to 3.27.9 #269

Workflow file for this run

---
name: NGINX S3 Gateway CI/CD
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "0 0 * * 1"
workflow_dispatch:
env:
CI: true
permissions: read-all
# Job progression. We make sure that the base image [oss] builds and passes tests before kicking off the other builds
# ┌──────────────────┐ ┌────────────────┐ ┌────────────────┐
# ┌─────────┐ ┌─────────┬────► Build Latest NJS ├────────►Test Latest NJS ├─────►│Push Latest NJS │
# │Build OSS├────►│Test OSS │ └──────────────────┘ └────────────────┘ └────────────────┘
# └─────────┘ └──┬──────┤
# │ │ ┌──────────────────┐ ┌──────────────────┐ ┌─────────────────┐
# │ └────►Build Unprivileged├───────►Test Unprivileged ├────►│Push Unprivileged│
# │ └──────────────────┘ └──────────────────┘ ├────────┬────────┘
# │ ├────────┤
# └──────────────────────────────────────────────────────────────►│Push OSS│
# └────────┘
# As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry
jobs:
build-oss-for-test:
name: Build NGINX OSS image
runs-on: ubuntu-24.04
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Build and export
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
file: Dockerfile.oss
context: .
tags: nginx-s3-gateway , nginx-s3-gateway:oss
outputs: type=docker,dest=${{ runner.temp }}/oss.tar
- name: Upload artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: oss
path: ${{ runner.temp }}/oss.tar
retention-days: 1
if-no-files-found: error
test-oss:
name: Test NGINX OSS image
runs-on: ubuntu-22.04
needs: build-oss-for-test
strategy:
matrix:
path_style: [virtual, virtual-v2]
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install dependencies
run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it
- name: Restore cached binaries
id: cache-binaries-restore
uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: .bin
key: ${{ runner.os }}-binaries
- name: Install MinIO Client
run: |
mkdir .bin || exit 0
cd .bin
curl --insecure --retry 6 --fail --location --output mc.RELEASE.2023-06-19T19-31-19Z "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z"
curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check -
mv mc.RELEASE.2023-06-19T19-31-19Z mc
chmod +x mc
- name: Download artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: oss
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/oss.tar
- name: Run tests - stable njs version
run: S3_STYLE=${{ matrix.path_style }} ./test.sh --type oss
build-latest-njs-for-test:
name: Build NGINX OSS image using latest njs commit
runs-on: ubuntu-22.04
needs: test-oss
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
driver: docker
- name: Download artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: oss
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/oss.tar
- name: Build and load oss image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
file: Dockerfile.latest-njs
context: .
tags: nginx-s3-gateway:latest-njs-oss
load: true
# Save manually here since we need to use `docker` buildx but that can't output a file that upload-artifact likes.
- name: Export image to a tar
run: |
docker save nginx-s3-gateway:latest-njs-oss > ${{ runner.temp }}/latest-njs.tar
- name: Upload artifact - latest-njs
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: latest-njs
path: ${{ runner.temp }}/latest-njs.tar
retention-days: 1
if-no-files-found: error
test-latest-njs:
name: Test NGINX OSS image using latest njs commit
runs-on: ubuntu-22.04
needs: build-latest-njs-for-test
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install dependencies
run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it
- name: Restore cached binaries
id: cache-binaries-restore
uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: .bin
key: ${{ runner.os }}-binaries
- name: Install MinIO Client
run: |
mkdir .bin || exit 0
cd .bin
curl --insecure --retry 6 --fail --location --output mc.RELEASE.2023-06-19T19-31-19Z "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z"
curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check -
mv mc.RELEASE.2023-06-19T19-31-19Z mc
chmod +x mc
- name: Download artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: latest-njs
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/latest-njs.tar
docker tag nginx-s3-gateway:latest-njs-oss nginx-s3-gateway
- name: Run tests - latest njs version
run: ./test.sh --latest-njs --type oss
build-unprivileged-for-test:
name: Build NGINX OSS unprivileged image
runs-on: ubuntu-22.04
needs: test-oss
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
driver: docker
- name: Download artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: oss
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/oss.tar
- name: Build and load oss image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
file: Dockerfile.unprivileged
context: .
tags: nginx-s3-gateway:unprivileged-oss
load: true
# Save manually here since we need to use `docker` buildx but that can't output a file that upload-artifact likes.
- name: Export image to a tar
run: |
docker save nginx-s3-gateway:unprivileged-oss > ${{ runner.temp }}/unprivileged.tar
- name: Upload artifact - unprivileged
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: unprivileged
path: ${{ runner.temp }}/unprivileged.tar
retention-days: 1
if-no-files-found: error
test-unprivileged:
name: Test NGINX OSS unprivileged image
runs-on: ubuntu-22.04
needs: build-unprivileged-for-test
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install dependencies
run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it
- name: Restore cached binaries
id: cache-binaries-restore
uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: .bin
key: ${{ runner.os }}-binaries
- name: Install MinIO Client
run: |
mkdir .bin || exit 0
cd .bin
curl --insecure --retry 6 --fail --location --output mc.RELEASE.2023-06-19T19-31-19Z "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z"
curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check -
mv mc.RELEASE.2023-06-19T19-31-19Z mc
chmod +x mc
- name: Download artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: unprivileged
path: ${{ runner.temp }}
- name: Load image
run: |
docker load --input ${{ runner.temp }}/unprivileged.tar
docker tag nginx-s3-gateway:unprivileged-oss nginx-s3-gateway
- name: Run tests - unprivileged
run: ./test.sh --unprivileged --type oss
# As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry
tag-and-push:
name: Tag and push all built and tested NGINX images
runs-on: ubuntu-22.04
needs: [test-oss, test-latest-njs, test-unprivileged]
if: |
github.ref == 'refs/heads/main'
permissions:
packages: write
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- name: Check out the codebase
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get current date
id: date
run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx for local image build and push
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
driver-opts: network=host
# Do an initial build of the base image and push to a local registry for downstream images because the `docker-container` driver can't find local images with `load`.
- name: Build and push image [oss] to local registry for downstream
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
file: Dockerfile.oss
context: .
push: true
platforms: linux/amd64,linux/arm64
provenance: false
tags: localhost:5000/nginx-oss-s3-gateway:oss
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
# This second invocation of the build/push should just use the existing build cache.
- name: Build and push image [oss]
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
file: Dockerfile.oss
context: .
push: true
platforms: linux/amd64,linux/arm64
provenance: false
tags: |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest-${{ steps.date.outputs.date }}
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest
nginxinc/nginx-s3-gateway:latest-${{ steps.date.outputs.date }}
nginxinc/nginx-s3-gateway:latest
- name: Build and push image [latest-njs]
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
file: Dockerfile.latest-njs
context: .
build-contexts: |
nginx-s3-gateway=docker-image://localhost:5000/nginx-oss-s3-gateway:oss
push: true
platforms: linux/amd64,linux/arm64
provenance: false
tags: |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:latest-njs-oss
nginxinc/nginx-s3-gateway:latest-njs-oss-${{ steps.date.outputs.date }}
nginxinc/nginx-s3-gateway:latest-njs-oss
- name: Build and push image [unprivileged]
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
file: Dockerfile.unprivileged
context: .
build-contexts: |
nginx-s3-gateway=docker-image://localhost:5000/nginx-oss-s3-gateway:oss
push: true
platforms: linux/amd64,linux/arm64
provenance: false
tags: |
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
ghcr.io/${{ github.repository }}/nginx-oss-s3-gateway:unprivileged-oss
nginxinc/nginx-s3-gateway:unprivileged-oss-${{ steps.date.outputs.date }}
nginxinc/nginx-s3-gateway:unprivileged-oss