Skip to content

Alpine Mainline

Alpine Mainline #774

---
name: Alpine Mainline
on:
pull_request:
merge_group:
schedule:
- cron: "0 0 * * 1"
workflow_dispatch:
jobs:
version:
name: Fetch NGINX mainline version
runs-on: ubuntu-24.04
outputs:
major: ${{ steps.nginx_version.outputs.major }}
minor: ${{ steps.nginx_version.outputs.minor }}
patch: ${{ steps.nginx_version.outputs.patch }}
distro: ${{ steps.distro_version.outputs.release }}
steps:
- name: Check out the codebase
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Parse NGINX mainline version
id: nginx_version
run: |
echo "major=$(cat update.sh | grep -m1 '\[mainline\]=' | cut -d"'" -f2 | cut -d"." -f1)" >> "$GITHUB_OUTPUT"
echo "minor=$(cat update.sh | grep -m1 '\[mainline\]=' | cut -d"'" -f2 | cut -d"." -f2)" >> "$GITHUB_OUTPUT"
echo "patch=$(cat update.sh | grep -m1 '\[mainline\]=' | cut -d"'" -f2 | cut -d"." -f3)" >> "$GITHUB_OUTPUT"
- name: Parse Alpine version
id: distro_version
run: |
echo "release=$(cat update.sh | grep -m8 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
slim:
name: Build Alpine NGINX mainline slim Docker image
needs: version
runs-on: ubuntu-24.04
strategy:
fail-fast: false
permissions:
id-token: write
packages: write
steps:
- name: Check out the codebase
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Get secrets from Azure
if: ${{ github.event_name != 'pull_request' }}
uses: nginx/ci-self-hosted/.github/actions/get-from-vault@5c3e1f8b51f66a851fdba80f70e19cf966199730
with:
client-id: ${{ secrets.SYSENG_CLIENT_ID }}
tenant-id: ${{ secrets.SYSENG_TENANT_ID }}
vault-name: ${{ secrets.SYSENG_VAULT_NAME }}
secret-names: "github-docker-nginx-unprivileged-public-ecr-aws-region, github-docker-nginx-unprivileged-public-ecr-aws-role-rw, docker-username, docker-github-syseng-rw-token, quay-unprivileged-username, quay-unprivileged-token"
env-names: "AWS_REGION, AWS_ROLE_ECR_PUBLIC_RW, DOCKERHUB_USERNAME, DOCKERHUB_TOKEN, QUAY_USERNAME, QUAY_TOKEN"
- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
with:
aws-region: ${{ env.AWS_REGION }}
role-to-assume: ${{ env.AWS_ROLE_ECR_PUBLIC_RW }}
role-duration-seconds: 14400
- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: public.ecr.aws
- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ env.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: quay.io
username: ${{ env.QUAY_USERNAME }}
password: ${{ env.QUAY_TOKEN }}
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: |
docker.io/nginxinc/nginx-unprivileged
ghcr.io/nginx/nginx-unprivileged
public.ecr.aws/nginx/nginx-unprivileged
quay.io/nginx/nginx-unprivileged
tags: |
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-slim
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-slim
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-slim
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim
type=raw,value=${{ needs.version.outputs.major }}-alpine-slim
type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-slim
type=raw,value=mainline-alpine-slim
type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim
type=raw,value=alpine-slim
type=raw,value=alpine${{ needs.version.outputs.distro }}-slim
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Build and push NGINX mainline slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
context: "{{ defaultContext }}:mainline/alpine-slim"
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=alpine-slim
# cache-to: type=gha,mode=min,scope=alpine-slim
core:
name: Build Alpine NGINX mainline Docker image
needs: [version, slim]
runs-on: ubuntu-24.04
strategy:
fail-fast: false
permissions:
id-token: write
packages: write
steps:
- name: Check out the codebase
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Get secrets from Azure
if: ${{ github.event_name != 'pull_request' }}
uses: nginx/ci-self-hosted/.github/actions/get-from-vault@5c3e1f8b51f66a851fdba80f70e19cf966199730
with:
client-id: ${{ secrets.SYSENG_CLIENT_ID }}
tenant-id: ${{ secrets.SYSENG_TENANT_ID }}
vault-name: ${{ secrets.SYSENG_VAULT_NAME }}
secret-names: "github-docker-nginx-unprivileged-public-ecr-aws-region, github-docker-nginx-unprivileged-public-ecr-aws-role-rw, docker-username, docker-github-syseng-rw-token, quay-unprivileged-username, quay-unprivileged-token"
env-names: "AWS_REGION, AWS_ROLE_ECR_PUBLIC_RW, DOCKERHUB_USERNAME, DOCKERHUB_TOKEN, QUAY_USERNAME, QUAY_TOKEN"
- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
with:
aws-region: ${{ env.AWS_REGION }}
role-to-assume: ${{ env.AWS_ROLE_ECR_PUBLIC_RW }}
role-duration-seconds: 14400
- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: public.ecr.aws
- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ env.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: quay.io
username: ${{ env.QUAY_USERNAME }}
password: ${{ env.QUAY_TOKEN }}
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: |
docker.io/nginxinc/nginx-unprivileged
ghcr.io/nginx/nginx-unprivileged
public.ecr.aws/nginx/nginx-unprivileged
quay.io/nginx/nginx-unprivileged
tags: |
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}
type=raw,value=${{ needs.version.outputs.major }}-alpine
type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}
type=raw,value=mainline-alpine
type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}
type=raw,value=alpine
type=raw,value=alpine${{ needs.version.outputs.distro }}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Build and push NGINX mainline Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
context: "{{ defaultContext }}:mainline/alpine"
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=debian-perl
# cache-to: type=gha,mode=min,scope=debian-perl
perl:
name: Build Alpine NGINX mainline perl Docker image
needs: [version, core]
runs-on: ubuntu-24.04
strategy:
fail-fast: false
permissions:
id-token: write
packages: write
steps:
- name: Check out the codebase
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Get secrets from Azure
if: ${{ github.event_name != 'pull_request' }}
uses: nginx/ci-self-hosted/.github/actions/get-from-vault@5c3e1f8b51f66a851fdba80f70e19cf966199730
with:
client-id: ${{ secrets.SYSENG_CLIENT_ID }}
tenant-id: ${{ secrets.SYSENG_TENANT_ID }}
vault-name: ${{ secrets.SYSENG_VAULT_NAME }}
secret-names: "github-docker-nginx-unprivileged-public-ecr-aws-region, github-docker-nginx-unprivileged-public-ecr-aws-role-rw, docker-username, docker-github-syseng-rw-token, quay-unprivileged-username, quay-unprivileged-token"
env-names: "AWS_REGION, AWS_ROLE_ECR_PUBLIC_RW, DOCKERHUB_USERNAME, DOCKERHUB_TOKEN, QUAY_USERNAME, QUAY_TOKEN"
- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
with:
aws-region: ${{ env.AWS_REGION }}
role-to-assume: ${{ env.AWS_ROLE_ECR_PUBLIC_RW }}
role-duration-seconds: 14400
- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: public.ecr.aws
- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ env.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: quay.io
username: ${{ env.QUAY_USERNAME }}
password: ${{ env.QUAY_TOKEN }}
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: |
docker.io/nginxinc/nginx-unprivileged
ghcr.io/nginx/nginx-unprivileged
public.ecr.aws/nginx/nginx-unprivileged
quay.io/nginx/nginx-unprivileged
tags: |
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-perl
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-perl
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-perl
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl
type=raw,value=${{ needs.version.outputs.major }}-alpine-perl
type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-perl
type=raw,value=mainline-alpine-perl
type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-perl
type=raw,value=alpine-perl
type=raw,value=alpine${{ needs.version.outputs.distro }}-perl
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Build and push NGINX mainline perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x
context: "{{ defaultContext }}:mainline/alpine-perl"
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=alpine-perl
# cache-to: type=gha,mode=min,scope=alpine-perl
otel:
name: Build Alpine NGINX mainline otel Docker image
needs: [version, core]
runs-on: ubuntu-24.04
strategy:
fail-fast: false
permissions:
id-token: write
packages: write
steps:
- name: Check out the codebase
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Get secrets from Azure
if: ${{ github.event_name != 'pull_request' }}
uses: nginx/ci-self-hosted/.github/actions/get-from-vault@5c3e1f8b51f66a851fdba80f70e19cf966199730
with:
client-id: ${{ secrets.SYSENG_CLIENT_ID }}
tenant-id: ${{ secrets.SYSENG_TENANT_ID }}
vault-name: ${{ secrets.SYSENG_VAULT_NAME }}
secret-names: "github-docker-nginx-unprivileged-public-ecr-aws-region, github-docker-nginx-unprivileged-public-ecr-aws-role-rw, docker-username, docker-github-syseng-rw-token, quay-unprivileged-username, quay-unprivileged-token"
env-names: "AWS_REGION, AWS_ROLE_ECR_PUBLIC_RW, DOCKERHUB_USERNAME, DOCKERHUB_TOKEN, QUAY_USERNAME, QUAY_TOKEN"
- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
with:
aws-region: ${{ env.AWS_REGION }}
role-to-assume: ${{ env.AWS_ROLE_ECR_PUBLIC_RW }}
role-duration-seconds: 14400
- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: public.ecr.aws
- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ env.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: quay.io
username: ${{ env.QUAY_USERNAME }}
password: ${{ env.QUAY_TOKEN }}
- name: Extract metadata (annotations, labels, tags) for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: |
docker.io/nginxinc/nginx-unprivileged
ghcr.io/nginx/nginx-unprivileged
public.ecr.aws/nginx/nginx-unprivileged
quay.io/nginx/nginx-unprivileged
tags: |
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel
type=raw,value=${{ needs.version.outputs.major }}-alpine-otel
type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-otel
type=raw,value=mainline-alpine-otel
type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-otel
type=raw,value=alpine-otel
type=raw,value=alpine${{ needs.version.outputs.distro }}-otel
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Build and push NGINX mainline otel Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
platforms: linux/amd64, linux/arm64
context: "{{ defaultContext }}:mainline/alpine-otel"
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=alpine-otel
# cache-to: type=gha,mode=min,scope=alpine-otel