diff --git a/.github/workflows/build-ubi-dependency.yml b/.github/workflows/build-ubi-dependency.yml
new file mode 100644
index 0000000000..28f2895a8b
--- /dev/null
+++ b/.github/workflows/build-ubi-dependency.yml
@@ -0,0 +1,137 @@ +name: Build UBI ppc64le Dependency + +on: + push: + branches: + - main + paths: + - build/dependencies/Dockerfile.ubi-ppc64le + workflow_dispatch: + inputs: + nginx_version: + type: string + description: "NGINX Version to build for" + required: false + force: + type: boolean + description: "Force rebuild" + required: false + default: false + +env: + IMAGE_NAME: ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le + +concurrency: + group: ${{ github.ref_name }}-ubi-ppc64le-build + cancel-in-progress: true + +jobs: + checks: + name: Check versions + runs-on: ubuntu-22.04 + permissions: + packages: read + contents: read + strategy: + fail-fast: false + outputs: + nginx_version: ${{ steps.var.outputs.nginx_version }} + njs_version: ${{ steps.var.outputs.njs_version }} + target_exists: ${{ steps.var.outputs.target_image_exists }} + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Login to GitHub Container Registry + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Output Variables + id: var + run: | + if [ -n "${{ inputs.nginx_version }}" ]; then + nginx_v=${{ inputs.nginx_version }} + else + nginx_v=$(grep -m1 'FROM nginx:' Outputs -------------------------------" + echo "NJS_VERSION=$njs" + echo "nginx_version=${nginx_v}" + echo "njs_version=${njs}" + echo "target_image_exists=${target_image_exists}" + echo "nginx_version=${nginx_v}" >> $GITHUB_OUTPUT + echo "njs_version=${njs}" >> $GITHUB_OUTPUT + echo "target_image_exists=${target_image_exists}" >> $GITHUB_OUTPUT + + build-binaries: + name: Build Binary Container Image + if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force }} + needs: checks + runs-on: ubuntu-22.04 + permissions: + packages: write + contents: read + strategy: + fail-fast: false + steps: + - name: 
Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
+ with:
+ platforms: arm64,ppc64le,s390x
+
+ - name: Docker Buildx
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+ with:
+ images: |
+ name=${{ env.IMAGE_NAME }},enable=true
+ tags: |
+ type=raw,value=nginx-${{ needs.checks.outputs.nginx_version }},enable=true
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Build and push
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+ with:
+ file: ./build/dependencies/Dockerfile.ubi-ppc64le
+ context: "."
+ pull: true
+ push: true
+ # build multi-arch so that it can be mounted from any image
+ # even though only ppc64le will contain binaries
+ platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ cache-from: type=gha,scope=nginx-ubi-ppc64le
+ cache-to: type=gha,scope=nginx-ubi-ppc64le,mode=max
+ target: final
+ sbom: false
+ provenance: mode=max
+ build-args: |
+ NGINX=${{ needs.checks.outputs.nginx_version }}
+ NJS=${{ needs.checks.outputs.njs_version }}
diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le
new file mode 100644
index 0000000000..516ed19a1c
--- /dev/null
+++ b/build/dependencies/Dockerfile.ubi-ppc64le
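Review bot: In the `Output Variables` step of the `checks` job, `${{ inputs.nginx_version }}` is expanded into the script text before the shell runs, so whatever is entered in the dispatch form is parsed as shell in a job that has just logged in to ghcr.io. Pass the input through the step's environment instead, e.g. an `env:` entry `NGINX_INPUT: ${{ inputs.nginx_version }}`, and read it as `nginx_v="$NGINX_INPUT"`. The same value later becomes an image tag and the `NGINX` build argument, so rejecting anything that is not a plain dotted version before it is written to `$GITHUB_OUTPUT` would be a useful second check. Part of this step's script is missing from the page as shown, so how the other outputs are derived could not be reviewed.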
@@ -0,0 +1,33 @@
+# syntax=docker/dockerfile:1.8
+FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df AS nginx
+
+FROM redhat/ubi9:9.4@sha256:081c96d1b1c7cd1855722d01f1ca53360510443737b1eb33284c6c4c330e537c AS rpm-build
+ARG NGINX
+ARG NJS
+ENV NGINX_VERSION ${NGINX}
+ENV NJS_VERSION ${NJS}
+
+
+RUN mkdir -p /nginx/; \
+ # only build for ppc64le but make multiarch image for mounting
+ [ $(uname -p) != ppc64le ] && exit 0; \
+ rpm --import https://nginx.org/keys/nginx_signing.key \
+ && printf "%s\n" "[nginx]" "name=nginx src repo" \
+ "baseurl=https://nginx.org/packages/mainline/centos/9/SRPMS" \
+ "gpgcheck=1" "enabled=1" "module_hotfixes=true" >> /etc/yum.repos.d/nginx.repo \
+ && dnf install rpm-build gcc make dnf-plugins-core which -y \
+ && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
+ && nginxPackages=" \
+ nginx-${NGINX_VERSION} \
+ nginx-module-xslt-${NGINX_VERSION} \
+ nginx-module-image-filter-${NGINX_VERSION} \
+ nginx-module-njs-${NGINX_VERSION}+${NJS_VERSION} \
+ " \
+ && dnf config-manager --set-enabled ubi-9-codeready-builder \
+ && dnf download --source ${nginxPackages} \
+ && dnf builddep -y --srpm nginx*.rpm \
+ && rpmbuild --rebuild --nodebuginfo nginx*.rpm \
+ && cp /root/rpmbuild/RPMS/$(arch)/* /nginx/
+
+FROM scratch AS final
+COPY --link --from=rpm-build /nginx /
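Review bot: The `dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm` line in the `rpm-build` stage is the one input here that is neither pinned nor signature-checked. The base images carry digests and the nginx repo sets `gpgcheck=1`, but a package named by URL falls under dnf's `localpkg_gpgcheck`, which is off by default, and `latest` can change between builds. Since that RPM installs the EPEL repo definition and its keys, import the EPEL signing key first and add `--setopt=localpkg_gpgcheck=1` to that install, or verify a pinned checksum of the file. It is also worth confirming that `dnf download --source` enforces `gpgcheck`; an explicit `rpmkeys --checksig nginx*.rpm` before `dnf builddep` would stop the chain on a bad signature and make the check visible in the build log.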