Skip to content

Update Docker Images #1124

Update Docker Images

Update Docker Images #1124

name: Update Docker Images
on:
schedule:
- cron: "0 1 * * 0" # run every week at 01:00 UTC on Sunday
workflow_dispatch:
inputs:
tag:
description: "Update images with tag"
required: true
dry_run:
type: boolean
default: false
defaults:
run:
shell: bash
concurrency:
group: ${{ github.ref_name }}-update
cancel-in-progress: true
permissions:
contents: read
jobs:
variables:
name: Set variables for workflow
runs-on: ubuntu-24.04
outputs:
tag: ${{ steps.kic.outputs.tag }}
short_tag: ${{ steps.kic.outputs.short }}
date: ${{ steps.kic.outputs.date }}
matrix: ${{ steps.kic.outputs.matrix }}
steps:
- name: Checkout Repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0
- name: Set variables
id: kic
run: |
tag="$(git tag --sort=-version:refname | head -n1)"
if [ -n "${{ inputs.tag }}" ]; then
tag=${{ inputs.tag }}
else
tag=${tag//v}
fi
echo "tag=${tag}" >> $GITHUB_OUTPUT
date=$(date "+%Y%m%d")
echo "date=${date}" >> $GITHUB_OUTPUT
short="${tag%.*}"
echo "short=$short" >> $GITHUB_OUTPUT
echo "matrix=$(cat .github/data/patch-images.json | jq -c)" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
patch-images:
name: Patch Images
needs: [variables]
strategy:
fail-fast: false
matrix:
include: ${{ fromJSON( needs.variables.outputs.matrix ) }}
uses: ./.github/workflows/patch-image.yml
with:
platforms: ${{ matrix.platforms }}
image: ${{ matrix.source_image }}
tag: ${{ matrix.source_os == 'debian' && needs.variables.outputs.tag || format('{0}-{1}', needs.variables.outputs.tag, matrix.source_os) }}
ic_version: ${{ needs.variables.outputs.tag }}
target_image: ${{ matrix.target_image }}
target_tag: ${{ matrix.source_os == 'debian' && format('{0}-{1}', needs.variables.outputs.tag, needs.variables.outputs.date) || format('{0}-{1}-{2}', needs.variables.outputs.tag, needs.variables.outputs.date, matrix.source_os) }}
permissions:
contents: read
id-token: write
secrets: inherit
release-oss-internal:
name: "Publish Docker OSS ${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }} to internal release Registries"
needs: [variables, patch-images]
uses: ./.github/workflows/oss-release.yml
with:
gcr_release_registry: true
ecr_public_registry: false
dockerhub_public_registry: false
quay_public_registry: false
github_public_registry: false
source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
branch: "release-${{ needs.variables.outputs.short_tag }}"
dry_run: ${{ inputs.dry_run || false }}
permissions:
contents: read
id-token: write
packages: write
secrets: inherit
release-oss-public:
name: Publish Docker OSS ${{ matrix.tag }} to Public Registries
needs: [variables, patch-images]
strategy:
fail-fast: false
matrix:
tag:
- "${{ needs.variables.outputs.tag }}"
- "${{ needs.variables.outputs.short_tag }}"
- "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
- "latest"
uses: ./.github/workflows/oss-release.yml
with:
gcr_release_registry: false
ecr_public_registry: true
dockerhub_public_registry: true
quay_public_registry: true
github_public_registry: true
source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
target_tag: ${{ matrix.tag }}
branch: "release-${{ needs.variables.outputs.short_tag }}"
dry_run: ${{ inputs.dry_run || false }}
permissions:
contents: read
id-token: write
packages: write
secrets: inherit
release-plus-nginx:
name: Publish Docker Plus ${{ matrix.tag }} to NGINX registry
needs: [variables, patch-images]
strategy:
fail-fast: false
matrix:
tag:
- "${{ needs.variables.outputs.tag }}"
- "${{ needs.variables.outputs.short_tag }}"
- "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
- "latest"
uses: ./.github/workflows/plus-release.yml
with:
nginx_registry: true
gcr_release_registry: false
gcr_mktpl_registry: false
ecr_mktpl_registry: false
az_mktpl_registry: false
source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
target_tag: ${{ matrix.tag }}
branch: "release-${{ needs.variables.outputs.short_tag }}"
dry_run: ${{ inputs.dry_run || false }}
permissions:
contents: read
id-token: write
secrets: inherit
release-plus-internal:
name: Publish Docker Plus ${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }} to internal release Registries
needs: [variables, patch-images]
uses: ./.github/workflows/plus-release.yml
with:
nginx_registry: false
gcr_release_registry: true
gcr_mktpl_registry: false
ecr_mktpl_registry: false
az_mktpl_registry: false
source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
branch: "release-${{ needs.variables.outputs.short_tag }}"
dry_run: ${{ inputs.dry_run || false }}
permissions:
contents: read
id-token: write
secrets: inherit
certify-openshift-images:
name: Certify OpenShift UBI images
runs-on: ubuntu-24.04
needs: [variables, release-oss-public]
steps:
- name: Checkout Repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Certify UBI OSS images in quay
uses: ./.github/actions/certify-openshift-image
with:
image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi
project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
platforms: ""
if: ${{ ! inputs.dry_run || false }}