176 changes: 142 additions & 34 deletions .github/workflows/ci.yml
Expand Up @@ -4,8 +4,6 @@
push:
branches:
- main
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
pull_request:
branches:
- main
Expand All @@ -21,6 +19,33 @@
contents: read

jobs:
variables:
name: Variables
runs-on: ubuntu-24.04
permissions:
contents: read
outputs:
go_proxy: ${{ steps.vars.outputs.go_proxy }}
forked_workflow: ${{ steps.vars.outputs.forked_workflow }}

steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Configure pipeline Variables
id: vars
run: |
forked_workflow=${{ (github.event.pull_request && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) || github.repository != 'nginx/nginx-prometheus-exporter' }}
echo "forked_workflow=${forked_workflow}" >> $GITHUB_OUTPUT
if [ "$forked_workflow" = "false" ] && [ "${{ github.ref_name }}" != "${{ github.event.repository.default_branch }}" ]; then
go_proxy="${{ secrets.ARTIFACTORY_DEV_ENDPOINT }}"
elif [ "${{ github.ref_name }}" = "${{ github.event.repository.default_branch }}" ]; then
go_proxy="${{ secrets.ARTIFACTORY_ENDPOINT }}"
else
go_proxy="https://proxy.golang.org,direct"
fi
echo "go_proxy=${go_proxy}" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT

unit-tests:
name: Unit Tests
runs-on: ubuntu-24.04
Expand All @@ -43,14 +68,18 @@

build-docker:
name: Build Docker Image
runs-on: ubuntu-24.04
runs-on: ${{ github.event_name == 'pull_request' && 'ubuntu-24.04' || 'ubuntu-24.04-amd64' }}
permissions:
contents: write # for lucacome/draft-release to create/update release draft
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS ECR and goreleaser/goreleaser-action to sign artifacts
packages: write # for docker/build-push-action to push to GHCR
issues: write # for goreleaser/goreleaser-action to close milestones
needs: unit-tests
needs: [unit-tests, variables]
env:
GOPROXY: ${{ needs.variables.outputs.go_proxy }}
outputs:
binaries: ${{ steps.prom_binaries.outputs.json }}
services:
registry:
image: registry:3
Expand All @@ -59,14 +88,22 @@
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0

- name: Setup Golang Environment
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version: stable

- name: Setup netrc
run: |
cat <<EOF > $HOME/.netrc
machine azr.artifactory.f5net.com
login ${{ secrets.ARTIFACTORY_USER }}
password ${{ secrets.ARTIFACTORY_TOKEN }}
EOF
chmod 600 $HOME/.netrc
if: needs.variables.outputs.forked_workflow == 'false'

- name: Setup QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

Expand Down Expand Up @@ -125,10 +162,6 @@
tags: |
type=edge
type=ref,event=pr
type=schedule
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
labels: |
org.opencontainers.image.vendor=NGINX Inc <[email protected]>
env:
Expand All @@ -139,51 +172,47 @@
with:
minor-label: "enhancement"
major-label: "change"
publish: ${{ github.ref_type == 'tag' }}
publish: false
collapse-after: 30
notes-footer: |
## Upgrade

- Use the {{version}} image from our [DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginx/nginx-prometheus-exporter/pkgs/container/nginx-prometheus-exporter), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-prometheus-exporter) or [Quay.io](https://quay.io/repository/nginx/nginx-prometheus-exporter/tag/{{version-number}}?tab=tags).
- Download the latest binaries from the [GitHub releases page](https://github.com/nginx/nginx-prometheus-exporter/releases/tag/{{version}}).
- Update to the latest version with `brew upgrade nginx-prometheus-exporter`, `snap refresh nginx-prometheus-exporter` or `scoop update nginx-prometheus-exporter`.
- Update to the latest version with `brew upgrade nginx-prometheus-exporter` or `scoop update nginx-prometheus-exporter`.

## Compatibility

- NGINX 0.1.18 or newer.
- NGINX Plus R19 or newer.
if: github.event_name != 'pull_request'


- name: Download Syft
uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
if: github.ref_type == 'tag'

- name: Install Cosign
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
if: github.ref_type == 'tag'

- name: Setup Snapcraft
run: |
sudo snap install snapcraft --classic
mkdir -p $HOME/.cache/snapcraft/download
mkdir -p $HOME/.cache/snapcraft/stage-packages
if: github.ref_type == 'tag'

- name: Install Nix
uses: cachix/install-nix-action@9280e7aca88deada44c930f1e2c78e21c3ae3edd # v31
with:
github_access_token: ${{ secrets.GITHUB_TOKEN }}
if: github.ref_type == 'tag'
if: github.event_name != 'pull_request'

- name: Run GoReleaser
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
with:
version: v2.12.5 # renovate: datasource=github-tags depName=goreleaser/goreleaser
args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} --clean
args: build --snapshot --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NGINX_GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN }}

- name: Extract NGINX Prometheus Exporter binary info
id: prom_binaries
run: |
curl -sSL https://raw.githubusercontent.com/nginx/k8s-common/main/files/binary-json.sh -o binary-json.sh
chmod +x binary-json.sh
echo "json=$(./binary-json.sh ${{ github.workspace }}/dist ${{ github.event.repository.name }} "nginx-prometheus-exporter")" >> $GITHUB_OUTPUT

- name: Store Artifacts in Cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ${{ github.workspace }}/dist
key: nginx-prometheus-exporter-${{ github.sha }}

- name: Print NGINX Prometheus Exporter info
run: ./dist/nginx-prometheus-exporter_linux_amd64_v1/nginx-prometheus-exporter --version
Expand All @@ -199,7 +228,7 @@
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
push: true
push: ${{ github.event_name != 'pull_request' }}
cache-from: type=gha,scope=exporter
cache-to: type=gha,scope=exporter,mode=max
no-cache: ${{ github.event_name != 'pull_request' }}
Expand All @@ -211,12 +240,91 @@
id: scan
continue-on-error: true
with:
image: localhost:5000/nginx/nginx-prometheus-exporter:${{ steps.meta.outputs.version }}
image: localhost:5000/nginx/nginx-prometheus-exporter:edge
only-fixed: true
add-cpes-if-none: true
if: github.event_name != 'pull_request'

- name: Upload scan result to GitHub Security tab
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
continue-on-error: true
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
if: github.event_name != 'pull_request'

- name: Clean up NETRC
run: |
rm -f $HOME/.netrc
if: ${{ always() }}

generate-assertion-doc:
if: ${{ github.event_name != 'pull_request' }}
name: Assertion Doc ${{ matrix.prometheus.arch }}
needs: [build-docker, variables]
runs-on: ubuntu-24.04-amd64

Check failure on line 264 in .github/workflows/ci.yml


GitHub Actions / Actionlint

[actionlint] reported by reviewdog 🐶 label "ubuntu-24.04-amd64" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label] Raw Output: e:.github/workflows/ci.yml:264:14: label "ubuntu-24.04-amd64" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label]
permissions:
contents: read
id-token: write # for compliance-rules action to sign assertion doc
strategy:
fail-fast: false
matrix:
prometheus: ${{ fromJSON( needs.build-docker.outputs.binaries ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

- name: Setup Golang Environment
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod

- name: Setup netrc
run: |
cat <<EOF > $HOME/.netrc
machine azr.artifactory.f5net.com
login ${{ secrets.ARTIFACTORY_USER }}
password ${{ secrets.ARTIFACTORY_TOKEN }}
EOF
chmod 600 $HOME/.netrc

- name: Fetch Cached Artifacts
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ${{ github.workspace }}/dist
key: nginx-prometheus-exporter-${{ github.sha }}
fail-on-cache-miss: true

- name: List packages in Go binary
id: godeps
env:
GOPROXY: ${{ needs.variables.outputs.go_proxy }}
run: |
go version -m ${{ matrix.prometheus.path }} > go_version_out_${{ github.run_id }}_${{ github.run_number }}.txt
echo "go_version_out=$(find -type f -name "go_version_out*.txt" | head -n 1)" >> $GITHUB_OUTPUT
echo "artifact_digest=$(openssl dgst -sha256 -r ${{ matrix.prometheus.path }} | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT

- name: Generate Assertion Document
id: assertiondoc
uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
with:
artifact-name: "${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.prometheus.os }}_${{ matrix.prometheus.arch }}"
artifact-digest: ${{ steps.godeps.outputs.artifact_digest }}
build-type: "github.com"
builder-id: "github"
builder-version: v0.1.0
started-on: ${{ github.event.head_commit.timestamp }}
finished-on: ${{ github.event.head_commit.timestamp }}
invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
artifactory-repo: 'f5-nginx-go-local-approved-dependency'
assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.prometheus.os }}_${{ matrix.prometheus.arch }}.json
build-content-path: ${{ steps.godeps.outputs.go_version_out }}

- name: Sign and Store Assertion Document
id: sign
uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
with:
assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}
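Review bot: The `Extract NGINX Prometheus Exporter binary info` step in `build-docker` downloads `binary-json.sh` from the mutable `main` branch of nginx/k8s-common and executes it, while every `uses:` in this file is pinned to a commit SHA. At that point the job holds `contents: write`, `packages: write` and `id-token: write` and, on non-fork runs, a `.netrc` with the Artifactory credentials. The script's JSON output also becomes the `generate-assertion-doc` matrix, whose `matrix.prometheus.path` is expanded directly into a `run:` script. Fetch the script by commit instead, e.g. `curl -sSL https://raw.githubusercontent.com/nginx/k8s-common/<PINNED_COMMIT_SHA>/files/binary-json.sh -o binary-json.sh`, and verify it against a recorded SHA-256 digest before `chmod +x`. Passing `matrix.prometheus.path` to the `List packages in Go binary` step through `env:` rather than `${{ }}` inside the script would keep an unexpected path from being parsed as shell.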