.github/workflows/release.yml

name: Release NIC
run-name: ${{ inputs.dry_run && '[DRY RUN] ' || '' }}Release NIC ${{ inputs.nic_version }} from ${{ inputs.release_branch }} by @${{ github.actor }}

on:
  workflow_dispatch:
    inputs:
      nic_version:
        description: "Version to release"
        required: true
        type: string
      source_tag:
        description: "Source tag to release"
        required: false
        type: string
      chart_version:
        description: "Helm Chart version to release"
        required: false
        type: string
      cnab_version:
        description: "CNAB version for Azure Marketplace"
        required: false
        type: string
      operator_version:
        description: "Operator version to set"
        required: false
        type: string
      release_branch:
        description: "Branch to release from"
        required: true
        type: string
      dry_run:
        description: "Dry Run?"
        type: boolean
        default: false
      skip_step:
        description: "Comma separated list of jobs to skip"
        # publish-helm-chart,operator,release-oss,release-plus,certify-openshift-images,aws-marketplace,azure-marketplace,gcp-marketplace,azure-upload,github-release,release-image-notification
        type: string
        required: false

defaults:
  run:
    shell: bash

permissions:
  contents: read

jobs:
  variables:
    name: Set Variables
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    outputs:
      source_tag: ${{ steps.vars.outputs.stable_tag }}
      short_tag: ${{ steps.vars.outputs.short_tag }}
      go_code_md5: ${{ steps.vars.outputs.go_code_md5 }}
      binary_cache_sign_hit: ${{ steps.binary-cache-sign.outputs.cache-hit }}
      date: ${{ steps.vars.outputs.date }}
      k8s_version: ${{ steps.vars.outputs.k8s_version }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ inputs.release_branch }}

      - name: Output Variables
        id: vars
        run: |
          if [ -n "${{ inputs.source_tag }}" ]; then
            echo "stable_tag=${{ inputs.source_tag }}" >> $GITHUB_OUTPUT
          else
            ./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT
          fi
          tag=${{ inputs.nic_version }}
          echo "short_tag=${tag%.*}" >> $GITHUB_OUTPUT
          ./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT
          date=$(date "+%Y%m%d")
          echo "date=${date}" >> $GITHUB_OUTPUT
          k8s_version=$(grep kindest tests/Dockerfile | cut -d ':' -f 2 | cut -d '@' -f 1)
          echo "k8s_version=${k8s_version}" >> $GITHUB_OUTPUT
          cat $GITHUB_OUTPUT

      - name: Fetch Cached Signed Binary Artifacts
        id: binary-cache-sign
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ${{ github.workspace }}/tarballs
          key: nginx-ingress-release-${{ steps.vars.outputs.go_code_md5 }}
          lookup-only: true

  tag:
    name: Create Tag on release branch in NIC repo
    runs-on: ubuntu-24.04
    permissions:
      contents: write
    steps:
      - name: Checkout NIC repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.release_branch }}
          fetch-depth: 0

      - name: Create new release Tag
        run: |
          git config --global user.email "kubernetes@nginx.com"
          git config --global user.name "NGINX Kubernetes Team"
          branch="${{ inputs.release_branch }}"
          tag="v${{ inputs.nic_version }}"
          if ! git rev-parse --verify refs/tags/${tag}; then
            echo "Adding tag ${tag}."
            git tag -a ${tag} -m "Version ${tag#v*}"
            echo "Pushing to tag ${tag} to branch ${branch}"
            if ! ${{ inputs.dry_run }}; then
              git push origin "${tag}"
            else
              echo "DRY RUN not making any changes"
              git push --dry-run origin "${tag}"
            fi
          else
            echo "Warning: Tag ${tag} already exists.  Not making any changes"
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}

  mend:
    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'mend') }}
    name: Run Mend workflow
    uses: ./.github/workflows/mend.yml
    needs: [tag]
    with:
      branch: "v${{ inputs.nic_version }}"
    secrets: inherit

  release-oss:
    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-oss') }}
    name: Release Docker OSS
    needs: [variables]
    uses: ./.github/workflows/oss-release.yml
    strategy:
      fail-fast: false
      matrix:
        tag:
          - "${{ inputs.nic_version }}"
          - "${{ needs.variables.outputs.short_tag }}"
          - "${{ inputs.nic_version }}-${{ needs.variables.outputs.date }}"
          - "latest"
    with:
      gcr_release_registry: true
      ecr_public_registry: true
      dockerhub_public_registry: true
      quay_public_registry: true
      github_public_registry: true
      source_tag: ${{ needs.variables.outputs.source_tag }}
      target_tag: ${{ matrix.tag }}
      branch: ${{ inputs.release_branch }}
      dry_run: ${{ inputs.dry_run }}
    permissions:
      contents: read
      id-token: write
      packages: write
    secrets: inherit

  release-plus-gcr-nginx:
    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-plus') }}
    name: Release Docker Plus
    needs: [variables]
    uses: ./.github/workflows/plus-release.yml
    strategy:
      fail-fast: false
      matrix:
        tag:
          - "${{ inputs.nic_version }}"
          - "${{ needs.variables.outputs.short_tag }}"
          - "${{ inputs.nic_version }}-${{ needs.variables.outputs.date }}"
          - "latest"
    with:
      gcr_release_registry: true
      nginx_registry: true
      gcr_mktpl_registry: false
      ecr_mktpl_registry: false
      az_mktpl_registry: false
      source_tag: ${{ needs.variables.outputs.source_tag }}
      target_tag: ${{ inputs.nic_version }}
      branch: ${{ inputs.release_branch }}
      dry_run: ${{ inputs.dry_run }}
    permissions:
      contents: read
      id-token: write
    secrets: inherit

  release-plus-gcr-mktpl:
    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-plus') }}
    name: Release Docker Plus
    needs: [variables]
    uses: ./.github/workflows/plus-release.yml
    strategy:
      fail-fast: false
      matrix:
        tag:
          - "${{ inputs.nic_version }}"
          - "${{ needs.variables.outputs.short_tag }}"
          - "${{ inputs.nic_version }}-${{ needs.variables.outputs.date }}"
    with:
      gcr_release_registry: false
      nginx_registry: false
      gcr_mktpl_registry: true
      ecr_mktpl_registry: false
      az_mktpl_registry: false
      source_tag: ${{ needs.variables.outputs.source_tag }}
      target_tag: ${{ inputs.nic_version }}
      branch: ${{ inputs.release_branch }}
      dry_run: ${{ inputs.dry_run }}
    permissions:
      contents: read
      id-token: write
    secrets: inherit

  release-plus-aws-mktpl:
    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-plus') }}
    name: Release Docker Plus
    needs: [variables]
    uses: ./.github/workflows/plus-release.yml
    strategy:
      fail-fast: false
      matrix:
        tag:
          - "${{ inputs.nic_version }}"
          - "${{ inputs.nic_version }}-${{ needs.variables.outputs.date }}"
    with:
      gcr_release_registry: false
      nginx_registry: false
      gcr_mktpl_registry: false
      ecr_mktpl_registry: true
      az_mktpl_registry: false
      source_tag: ${{ needs.variables.outputs.source_tag }}
      target_tag: ${{ inputs.nic_version }}
      branch: ${{ inputs.release_branch }}
      dry_run: ${{ inputs.dry_run }}
    permissions:
      contents: read
      id-token: write
    secrets: inherit

  release-plus-azure-mktpl:
    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-plus') }}
    name: Release Docker Plus
    needs: [variables]
    uses: ./.github/workflows/plus-release.yml
    strategy:
      fail-fast: false
      matrix:
        tag:
          - "${{ inputs.nic_version }}"
          - "${{ inputs.nic_version }}-${{ needs.variables.outputs.date }}"
    with:
      gcr_release_registry: false
      nginx_registry: false
      gcr_mktpl_registry: false
      ecr_mktpl_registry: false
      az_mktpl_registry: true
      source_tag: ${{ needs.variables.outputs.source_tag }}
      target_tag: ${{ inputs.nic_version }}
      branch: ${{ inputs.release_branch }}
      dry_run: ${{ inputs.dry_run }}
    permissions:
      contents: read
      id-token: write
    secrets: inherit

  publish-helm-chart:
    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'publish-helm-chart') }}
    name: Publish Helm Chart
    uses: ./.github/workflows/publish-helm.yml
    with:
      branch: ${{ inputs.release_branch }}
      ic_version: ${{ inputs.nic_version }}
      chart_version: ${{ inputs.chart_version }}
      nginx_helm_repo: true
    permissions:
      contents: write # for pushing to Helm Charts repository
      packages: write # for helm to push to GHCR
    secrets: inherit

  certify-openshift-images:
    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }}
    name: Certify OpenShift UBI images
    runs-on: ubuntu-24.04
    needs: [release-oss]
    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.release_branch }}

      - name: Certify UBI OSS images in quay
        uses: ./.github/actions/certify-openshift-image
        continue-on-error: true
        with:
          image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi
          project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
          pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
          preflight_version: 1.11.1

  operator:
    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'operator') && !contains(inputs.skip_step, 'publish-helm-chart') }}
    name: Trigger PR for Operator
    runs-on: ubuntu-24.04
    needs: [variables,publish-helm-chart]
    steps:
      - name:
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          github-token: ${{ secrets.NGINX_PAT }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: 'nginx-ingress-helm-operator',
              workflow_id: 'sync-chart.yml',
              ref: 'main',
              inputs: {
                chart_version: '${{ inputs.chart_version }}',
                operator_version: '${{ inputs.operator_version }}',
                k8s_version: '${{ needs.variables.outputs.k8s_version }}',
                dry_run: '${{ inputs.dry_run }}'
              },
            })

  gcp-marketplace:
    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'gcp-marketplace') }}
    name: Trigger PR for GCP Marketplace
    runs-on: ubuntu-24.04
    needs: [publish-helm-chart,release-plus-gcr-mktpl]
    steps:
      - name:
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          github-token: ${{ secrets.NGINX_PAT }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: 'kubernetes-ingress-gcp',
              workflow_id: 'sync-chart.yml',
              ref: 'main',
              inputs: {
                chart_version: '${{ inputs.chart_version }}'
              },
            })

  azure-marketplace:
    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }}
    name: Trigger CNAB Build for Azure Marketplace
    runs-on: ubuntu-24.04
    needs: [publish-helm-chart,release-plus-azure-mktpl]
    steps:
      - name:
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          github-token: ${{ secrets.NGINX_PAT }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: 'kubernetes-ingress-azure',
              workflow_id: 'build-cnab.yml',
              ref: 'main',
              inputs: {
                chart_version: '${{ inputs.chart_version }}',
                ic_version: '${{ inputs.nic_version }}',
                cnab_version: '${{ inputs.cnab_version }}'
              },
            })

  aws-marketplace:
    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'aws-marketplace') }}
    name: Publish to AWS Marketplace
    runs-on: ubuntu-24.04
    needs: [release-plus-aws-mktpl]
    permissions:
      contents: read
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - image: 709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress:${{ inputs.nic_version }}-mktpl
            product_id: AWS_PRODUCT_ID
          - image: 709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress-nap:${{ inputs.nic_version }}-mktpl
            product_id: AWS_NAP_WAF_PRODUCT_ID
          - image: 709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress-dos:${{ inputs.nic_version }}-mktpl
            product_id: AWS_NAP_DOS_PRODUCT_ID
          - image: 709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress-dos-nap:${{ inputs.nic_version }}-mktpl
            product_id: AWS_NAP_WAF_DOS_PRODUCT_ID
    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.release_branch }}

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3
        with:
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }}

      - name: Publish to AWS Marketplace
        uses: nginx/aws-marketplace-publish@accf7b4c725796b744f2ee27acc2488d76f63d32 # v1.0.8
        continue-on-error: true
        with:
          version: ${{ inputs.nic_version }}
          product-id: ${{ secrets[matrix.product_id] }}
          registry: ${{ matrix.image }}
          release-notes: https://github.com/nginx/kubernetes-ingress/releases/tag/v${{ inputs.nic_version }}
          description: |
            Best-in-class traffic management solution for services in Amazon EKS.
            This is the official implementation of NGINX Ingress Controller (based on NGINX Plus) from NGINX.
          usage-instructions: |
            This container requires Kubernetes and can be deployed to EKS.
            Review the installation instructions https://docs.nginx.com/nginx-ingress-controller/installation/ and utilize the deployment resources available https://github.com/nginx/kubernetes-ingress/tree/v${{ inputs.nic_version }}/deployments
            Use this image instead of building your own.

  binaries:
    name: Process Binaries
    runs-on: ubuntu-24.04
    needs: [variables]
    permissions:
      contents: read
      id-token: write # for cosign to sign artifacts
    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.release_branch }}

      - name: Fetch Binary Artifacts from Cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ${{ github.workspace }}/dist
          key: nginx-ingress-${{ needs.variables.outputs.go_code_md5 }}
        if: ${{ needs.variables.outputs.binary_cache_sign_hit != 'true' }}

      - name: Download Syft
        id: syft
        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
        if: ${{ needs.variables.outputs.binary_cache_sign_hit != 'true' }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        if: ${{ needs.variables.outputs.binary_cache_sign_hit != 'true' }}

      - name: Create Tarballs
        run: |
          ./.github/scripts/create-release-tarballs.sh dist ${{ inputs.nic_version }}
        env:
          SYFT_BIN: ${{ steps.syft.outputs.cmd }}
        if: ${{ needs.variables.outputs.binary_cache_sign_hit != 'true' }}

      - name: Store Tarball Artifacts in Cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          path: ${{ github.workspace }}/tarballs
          key: nginx-ingress-release-${{ needs.variables.outputs.go_code_md5 }}
        if: ${{ needs.variables.outputs.binary_cache_sign_hit != 'true' }}

  azure-upload:
    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'azure-upload') }}
    name: Upload packages to Azure
    runs-on: ubuntu-24.04
    needs: [variables, binaries]
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.release_branch }}

      - name: Fetch Cached Tarball Artifacts
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          key: nginx-ingress-release-${{ needs.variables.outputs.go_code_md5 }}
          path: ${{ github.workspace }}/tarballs
          fail-on-cache-miss: true

      - name: Azure login
        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Azure Upload Release Packages
        uses: azure/CLI@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0
        with:
          inlineScript: |
            for i in $(find tarballs -type f); do
              echo -n "Uploading ${i} to kubernetes-ingress/v${{ inputs.nic_version }}/${i##*/} ... "
              if ${{ ! inputs.dry_run}}; then
                az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_BUCKET_NAME }} \
                  --account-name ${{ secrets.AZURE_STORAGE_ACCOUNT }} --overwrite -n kubernetes-ingress/v${{ inputs.nic_version }}/${i##*/}
                echo "done"
              else
                echo "skipped, dry_run."
              fi
            done

  github-release:
    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'github-release') }}
    name: Publish release to GitHub
    runs-on: ubuntu-24.04
    needs: [variables, binaries, release-oss, release-plus-gcr-nginx, azure-upload]
    permissions:
      contents: write # to modify the release
      issues: write # to close milestone
      actions: read # for slack notification
    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.release_branch }}

      - name: Fetch Cached Tarball Artifacts
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
        with:
          key: nginx-ingress-release-${{ needs.variables.outputs.go_code_md5 }}
          path: ${{ github.workspace }}/tarballs
          fail-on-cache-miss: true

      - name: Upload Release Assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # clobber overwrites existing assets of the same name
        run: |
          if ! ${{ inputs.dry_run }}; then
            gh release upload --clobber v${{ inputs.nic_version }} \
              $(find ./tarballs -type f)
          else
            echo "Skipping adding binaries to Github Release, DRY_RUN"
          fi

      - name: Close Release Milestone
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          milestone_number=$(gh api \
            -H "Accept: application/vnd.github.v3+json" \
            /repos/${{ github.repository }}/milestones \
            | jq --arg version "v${{ inputs.nic_version }}" -r \
            '.[] | select(.title == $version) | .number')
          if [ -n "${milestone_number}" ]; then
            if ! ${{ inputs.dry_run }}; then
              gh api --method PATCH -H "Accept: application/vnd.github.v3+json" \
                /repos/${{ github.repository }}/milestones/${milestone_number} \
                -f "title=v${{ inputs.nic_version }}" \
                -f "state=closed";
            else
              echo "Skipping closing Github Release milestone, DRY_RUN"
            fi
          else
            echo "Github Milestone not available, closed already."
          fi

      - name: Get Github release id
        id: release-id
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          release_id=$(gh api \
            -H "Accept: application/vnd.github.v3+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            /repos/${{ github.repository }}/releases \
            | jq --arg version "v${{ inputs.nic_version }}" -r \
            '.[] | select(.name == $version) | .id')
          echo "release_id=${release_id}" >> $GITHUB_OUTPUT

      - name: Publish Github Release
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const {RELEASE_ID} = process.env
            const release = (await github.rest.repos.updateRelease({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              release_id: `${RELEASE_ID}`,
              draft: false,
            }))
            console.log(`Release published: ${release.data.html_url}`)
        env:
          RELEASE_ID: ${{ steps.release-id.outputs.release_id }}
        if: ${{ ! inputs.dry_run }}

      - name: Send Notification
        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
        with:
          status: custom
          custom_payload: |
            {
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "NGINX Ingress Controller v${{ inputs.nic_version }} is out! Check it out: https://github.com/nginx/kubernetes-ingress/releases/tag/v${{ inputs.nic_version }}"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_COMMUNITY }}
        if: ${{ ! inputs.dry_run }}

  release-image-notification:
    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'release-image-notification') }}
    name: Notify Slack channels about image release
    runs-on: ubuntu-24.04
    needs: [variables, binaries, release-oss, release-plus-gcr-nginx]
    permissions:
      contents: read
      actions: read
    strategy:
      fail-fast: false
      matrix:
        image: ["nginx/nginx-ingress:${{ inputs.nic_version }}", "nginx/nginx-ingress:${{ inputs.nic_version }}-ubi", "nginx/nginx-ingress:${{ inputs.nic_version }}-alpine"]
    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.release_branch }}

      - name: Get Image manifest digest
        id: digest
        run: |
          digest=$(docker buildx imagetools inspect ${{ matrix.image }} --format '{{ json . }}' | jq -r .manifest.digest)

      - name: Get Image tag
        id: tag
        run: |
          tag=$(echo ${{ matrix.image }} | cut -d ':' -f 2)

      - name: Get variables for Slack
        id: slack
        run: |
          echo "message=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
          echo "date=$(date +%s)" >> $GITHUB_OUTPUT
          echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
          echo "sha_long=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT

      - name: Send Notification
        uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2
        with:
          status: custom
          custom_payload: |
            {
              username: "Docker",
              icon_emoji: ":docker:",
              mention: "here",
              attachments: [{
                title: `New Docker image was pushed to DockerHub for ${process.env.AS_REPO}`,
                color: "good",
                fields: [{
                  title: "Docker Image",
                  value: `<https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=${{ steps.tag.outputs.tag }}|nginx/nginx-ingress:${{ inputs.nic_version }}>`,
                  short: true
                },
                {
                  title: "Image digest",
                  value: "${{ steps.digest.outputs.digest }}",
                  short: true
                },
                {
                  title: "Commit Message",
                  value: `${{ steps.slack.outputs.message }}`,
                  short: true
                },
                {
                  title: "Commit Hash",
                  value: `<https://github.com/${{ github.repository }}/commit/${{ steps.slack.outputs.sha_long }}|${{ steps.slack.outputs.sha_short }}>`,
                  short: true
                }],
                footer: "Update DockerHub Image",
                footer_icon: "https://raw.githubusercontent.com/docker-library/docs/c350af05d3fac7b5c3f6327ac82fe4d990d8729c/docker/logo.png",
                ts: ${{ steps.slack.outputs.date }}
              }]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}