Bump actions/upload-artifact from 4.3.3 to 4.3.4 #904

Workflow file for this run

	name: CI

	on:
	push:
	branches:
	- main
	tags:
	- "v[0-9]+.[0-9]+.[0-9]+"
	pull_request:
	branches:
	- main

	env:
	platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"

	concurrency:
	group: ${{ github.ref_name }}-ci
	cancel-in-progress: true

	permissions:
	contents: read

	jobs:
	build:
	name: Build Image
	runs-on: ubuntu-22.04
	outputs:
	version: ${{ steps.meta.outputs.version }}
	permissions:
	contents: write # for lucacome/draft-release to create a draft release
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	packages: write # for docker/build-push-action to push to GHCR
	steps:
	- name: Checkout Repository
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: DockerHub Login
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	if: github.event_name != 'pull_request'

	- name: Login to GitHub Container Registry
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	if: github.event_name != 'pull_request'

	- name: Login to Quay.io
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_USERNAME }}
	password: ${{ secrets.QUAY_ROBOT_TOKEN }}
	if: github.event_name != 'pull_request'

	- name: Setup QEMU
	uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
	with:
	platforms: arm64,ppc64le,s390x
	if: github.event_name != 'pull_request'

	- name: Docker Buildx
	uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0

	- name: Output Variables
	id: vars
	run: \|
	echo "version=$(git describe --tags)" >> $GITHUB_OUTPUT
	echo "chart_version=$(yq '.appVersion' <helm-charts/nginx-ingress/Chart.yaml)" >> $GITHUB_OUTPUT
	echo "openshift_version=$(yq '.annotations["com.redhat.openshift.versions"]' <bundle/metadata/annotations.yaml \| cut -dv -f2)" >> $GITHUB_OUTPUT

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: \|
	nginx/nginx-ingress-operator
	ghcr.io/nginxinc/nginx-ingress-operator
	quay.io/nginx/nginx-ingress-operator
	tags: \|
	type=edge
	type=ref,event=pr
	type=semver,pattern={{version}}
	labels: \|
	org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
	org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
	name="NGINX Ingress Operator"
	maintainer="kubernetes@nginx.com"
	vendor="NGINX Inc"
	version=${{ steps.vars.outputs.version }}
	release=1
	summary="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
	description="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"

	- name: Build Image
	uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
	with:
	context: "."
	cache-from: type=gha
	cache-to: type=gha,mode=max
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	platforms: ${{ github.event_name != 'pull_request' && env.platforms \|\| '' }}
	load: ${{ github.event_name == 'pull_request' }}
	push: ${{ github.event_name != 'pull_request' }}
	no-cache: ${{ github.event_name != 'pull_request' }}
	pull: true
	sbom: ${{ github.event_name != 'pull_request' }}
	provenance: false

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
	continue-on-error: true
	with:
	image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
	format: "sarif"
	output: "trivy-results.sarif"
	ignore-unfixed: "true"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
	continue-on-error: true
	with:
	sarif_file: "trivy-results.sarif"

	- name: Upload Scan Results
	uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
	continue-on-error: true
	with:
	name: "trivy-results.sarif"
	path: "trivy-results.sarif"
	if: always()

	- name: Create/Update Draft
	uses: lucacome/draft-release@8a63d32c79a171ae6048e614a8988f0ac3ed56d4 # v1.1.0
	with:
	minor-label: "enhancement"
	major-label: "change"
	publish: ${{ github.ref_type == 'tag' }}
	variables: \|
	nic_version=${{ steps.vars.outputs.chart_version }}
	openshift_version=${{ steps.vars.outputs.openshift_version }}
	notes-footer: \|
	## Compatibility

	- NGINX Ingress Controller {{nic_version}}
	- OpenShift {{openshift_version}} or newer.
	if: github.event_name != 'pull_request'

	certify:
	name: Certify for Red Hat OpenShift
	runs-on: ubuntu-22.04
	needs: build
	if: ${{ github.ref_type == 'tag' }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Certify Images
	continue-on-error: false
	run: \|
	curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.9.4/preflight-linux-amd64 --output preflight
	chmod +x preflight

	IFS=',' read -ra arch_list <<< "${{ env.platforms }}"

	for arch in "${arch_list[@]}"; do
	architecture=("${arch#*/}")
	./preflight check container quay.io/nginx/nginx-ingress-operator:${{ needs.build.outputs.version }} --pyxis-api-token ${{ secrets.PYXIS_API_TOKEN }} --certification-project-id ${{ secrets.CERTIFICATION_PROJECT_ID }} --platform $architecture --submit
	done

	- name: Make
	run: \|
	make bundle USE_IMAGE_DIGESTS=true

	- name: Checkout certified-operators repo
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	with:
	token: ${{ secrets.NGINX_PAT }}
	repository: nginx-bot/certified-operators
	path: certified-operators

	- name: Update certified-operators repo
	working-directory: certified-operators/operators/nginx-ingress-operator
	run: \|
	mkdir v${{ needs.build.outputs.version }}
	cp -R ../../../bundle/manifests v${{ needs.build.outputs.version }}/
	cp -R ../../../bundle/metadata v${{ needs.build.outputs.version }}/

	- name: Commit changes
	uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
	with:
	commit_message: operator nginx-ingress-operator (v${{ needs.build.outputs.version }})
	commit_author: nginx-bot <integrations@nginx.com>
	commit_user_name: nginx-bot
	commit_user_email: integrations@nginx.com
	create_branch: true
	branch: update-nginx-ingress-operator-to-v${{ needs.build.outputs.version }}
	repository: certified-operators

	- name: Create PR
	working-directory: certified-operators
	run: \|
	gh pr create --title "operator nginx-ingress-operator (v${{ needs.build.outputs.version }})" --body "Update nginx-ingress-operator to v${{ needs.build.outputs.version }}" --head nginx-bot:update-nginx-ingress-operator-to-v${{ needs.build.outputs.version }} --base main --repo redhat-openshift-ecosystem/certified-operators
	env:
	GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump actions/upload-artifact from 4.3.3 to 4.3.4 #904

Workflow file

Bump actions/upload-artifact from 4.3.3 to 4.3.4 #904

Jobs

Run details

Workflow file for this run