Skip to content

Update Docker Images #7

Update Docker Images

Update Docker Images #7

name: Update Docker Images
on:
schedule:
- cron: "0 2 * * *" # run every day at 02:00 UTC
defaults:
run:
shell: bash
concurrency:
group: ${{ github.ref_name }}-update-images
cancel-in-progress: true
permissions:
contents: read
env:
platforms: "linux/arm64, linux/amd64"
jobs:
variables:
name: Get versions of base images
runs-on: ubuntu-22.04
outputs:
ngf_tag: ${{ steps.ngf.outputs.tag }}
nginx_version: ${{ steps.nginx.outputs.nginx_version }}
steps:
- name: Checkout Repository
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Set NGF version
id: ngf
run: |
tag="$(git tag --sort=-version:refname | head -n1)"
echo "tag=${tag//v}" >> $GITHUB_OUTPUT
- name: Checkout Repository at ${{ steps.ngf.outputs.tag }}
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
ref: refs/tags/v${{ steps.ngf.outputs.tag }}
- name: Set NGINX version
id: nginx
run: |
version=library/nginx:$(grep -m1 "FROM.*nginx:.*alpine" < build/Dockerfile.nginx | awk -F"[ :]" '{print $3}')
echo nginx_version=${version} >> $GITHUB_OUTPUT
check:
name: Check if updates are needed
runs-on: ubuntu-22.04
needs: variables
outputs:
needs-updating: ${{ steps.needs.outputs.needs-updating }}
steps:
- name: Check if update available for nginx image
id: update
uses: lucacome/docker-image-update-checker@f50d56412b948cfdbb842c5419372681e0db3df1 # v1.2.1
with:
base-image: ${{ needs.variables.outputs.nginx_version }}
image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:${{ needs.variables.outputs.ngf_tag }}
platforms: ${{ env.platforms }}
- id: needs
run: echo "needs-updating=${{ steps.update.outputs.needs-updating }}" >> $GITHUB_OUTPUT
build:
name: Build Image
runs-on: ubuntu-22.04
needs: [variables, check]
if: ${{ needs.check.outputs.needs-updating }}
strategy:
fail-fast: false
permissions:
contents: read # for docker/build-push-action to read repo content
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
packages: write # for docker/build-push-action to push to GHCR
steps:
- name: Checkout Repository
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm64
- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker meta
id: meta
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
with:
images: |
name=ghcr.io/nginxinc/nginx-gateway-fabric/nginx
tags: |
${{ needs.variables.outputs.ngf_tag }}
- name: Build Docker Image
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
file: 'build/Dockerfile.nginx'
context: "."
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
push: true
platforms: ${{ env.platforms }}
pull: true
no-cache: true
sbom: true
provenance: false
build-args: |
NJS_DIR=internal/mode/static/nginx/modules/src
NGINX_CONF_DIR=internal/mode/static/nginx/conf
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
continue-on-error: true
with:
image-ref: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:${{ needs.variables.outputs.ngf_tag }}
format: "sarif"
output: trivy-results-nginx-gateway-fabric-nginx
ignore-unfixed: "true"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
continue-on-error: true
with:
sarif_file: trivy-results-nginx-gateway-fabric-nginx
- name: Upload Scan Results
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
continue-on-error: true
with:
name: trivy-results-nginx-gateway-fabric-nginx
path: trivy-results-nginx-gateway-fabric-nginx
if: always()