Skip to content

Build Base Images

Build Base Images #170

name: Build Base Images
on:
workflow_dispatch:
workflow_call:
schedule:
- cron: "30 4 * * 1-5" # run Mon-Fri at 04:30 UTC
defaults:
run:
shell: bash
concurrency:
group: ${{ github.ref_name }}-base-image
cancel-in-progress: false
permissions:
contents: read
jobs:
checks:
name: Checks and variables
runs-on: ubuntu-24.04
outputs:
docker_md5: ${{ steps.vars.outputs.docker_md5 }}
ic_version: ${{ steps.vars.outputs.ic_version }}
image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }}
image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }}
image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Output Variables
id: vars
run: |
./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT
source .github/data/version.txt
echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json | jq -c)" >> $GITHUB_OUTPUT
echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json | jq -c)" >> $GITHUB_OUTPUT
echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
build-oss:
name: Build OSS base images
runs-on: ubuntu-24.04
needs: checks
permissions:
contents: read
pull-requests: write # for scout report
id-token: write
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Setup QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
with:
platforms: arm,arm64,ppc64le,s390x
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss
flavor: |
suffix=-${{ matrix.image }},onlatest=false
tags: |
type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
- name: Build Base Container
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
file: build/Dockerfile
context: "."
cache-from: type=gha,scope=${{ matrix.image }}
cache-to: type=gha,scope=${{ matrix.image }},mode=max
target: common
tags: ${{ steps.meta.outputs.tags }}
platforms: ${{ matrix.platforms }}
pull: true
push: true
build-args: |
BUILD_OS=${{ matrix.image }}
IC_VERSION=${{ needs.checks.outputs.ic_version }}
build-plus:
name: Build Plus base images
runs-on: ubuntu-24.04
needs: checks
permissions:
contents: read
id-token: write
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Setup QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
with:
platforms: arm64,s390x
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus
flavor: |
suffix=-${{ matrix.image }},onlatest=false
tags: |
type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
- name: Build Base Container
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
file: build/Dockerfile
context: "."
cache-from: type=gha,scope=${{ matrix.image }}
cache-to: type=gha,scope=${{ matrix.image }},mode=max
target: common
tags: ${{ steps.meta.outputs.tags }}
platforms: ${{ matrix.platforms }}
pull: true
push: true
build-args: |
BUILD_OS=${{ matrix.image }}
IC_VERSION=${{ needs.checks.outputs.ic_version }}
secrets: |
"nginx-repo.crt=${{ secrets.NGINX_CRT }}"
"nginx-repo.key=${{ secrets.NGINX_KEY }}"
build-plus-nap:
name: Build Plus NAP base images
runs-on: ubuntu-24.04
needs: checks
permissions:
contents: read
id-token: write
pull-requests: write # for scout report
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
- name: Login to GCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: NAP modules
id: nap_modules
run: |
[[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.nap_modules }}"
echo "modules=${modules}" >> $GITHUB_OUTPUT
[[ "${{ matrix.nap_modules }}" =~ waf ]] && agent="true" || agent="false"
echo "agent=${agent}" >> $GITHUB_OUTPUT
if: ${{ matrix.nap_modules != '' }}
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus
flavor: |
suffix=-${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }},onlatest=false
tags: |
type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
- name: Build Base Container
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
file: build/Dockerfile
context: "."
cache-from: type=gha,scope=${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }}
cache-to: type=gha,scope=${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }},mode=max
target: common
tags: ${{ steps.meta.outputs.tags }}
platforms: ${{ matrix.platforms }}
pull: true
push: true
build-args: |
BUILD_OS=${{ matrix.image }}
IC_VERSION=${{ needs.checks.outputs.ic_version }}
NAP_MODULES=${{ matrix.nap_modules }}
${{ contains(matrix.nap_modules,'waf') && format('NGINX_AGENT={0}', steps.nap_modules.outputs.agent) || '' }}
secrets: |
"nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}"
"nginx-repo.key=${{ secrets.NGINX_AP_KEY }}"
${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}