Run any Skill in Manus with one click

$pwd:

nic-ci-pipelines

Name: Nic Ci Pipelines
Author: nginx

// CI/CD pipeline structure, GitHub Actions workflows, reusable workflow patterns, and matrix builds for NIC. Use when working on CI workflows, debugging build failures, adding new workflow steps, modifying build matrices, or understanding the release pipeline.

Run Skill in Manus

$ git log --oneline --stat

stars:5,029

forks:2,043

updated:May 25, 2026 at 16:30

SKILL.md

readonly

name	nic-ci-pipelines
description	CI/CD pipeline structure, GitHub Actions workflows, reusable workflow patterns, and matrix builds for NIC. Use when working on CI workflows, debugging build failures, adding new workflow steps, modifying build matrices, or understanding the release pipeline.

NIC CI/CD Pipelines

Workflow Architecture

The CI system uses GitHub Actions with extensive reusable workflow composition.

ci.yml (main CI orchestrator)
  -> checks (format, lint, codegen, CRDs, chart version)
  -> unit-tests
  -> build-artifacts.yml (reusable)
       -> build-oss.yml (per-variant, matrix)
       -> build-plus.yml (per-variant, matrix)  <- also used for NAP variants
  -> helm-tests
  -> setup-smoke.yml (reusable)
  -> e2e tests

image-promotion.yml (post-merge)
  -> builds images, tags edge/stable
  -> Trivy + DockerScout security scans
  -> publishes edge Helm charts

release.yml (manual dispatch)
  -> oss-release.yml
  -> plus-release.yml
  -> publish-helm.yml
  -> certify-ubi-image.yml
  -> marketplace pushes (AWS, Azure, GCP)

Key Workflows

Workflow	Trigger	Purpose
`ci.yml`	PR to `main`/`release-*`, merge_group, workflow_dispatch	Main CI: checks + build + test
`lint-format.yml`	PR to `main`, merge_group	goimports, gofumpt, golangci-lint, actionlint
`regression.yml`	Daily cron (03:00 UTC), manual	Multi-K8s-version regression
`image-promotion.yml`	Push to `main`/`release-*`	Post-merge image tagging + scanning
`release.yml`	Manual dispatch	Full release orchestrator
`build-base-images.yml`	Weekday cron (04:30 UTC)	Rebuilds all base images

Release Sub-Workflows (called by `release.yml`)

Workflow	Purpose
`oss-release.yml`	OSS image release
`plus-release.yml`	Plus/NAP image release
`publish-helm.yml`	Helm chart publishing to registry

Reusable Build Workflows (called via `workflow_call`)

Workflow	Purpose
`build-artifacts.yml`	Orchestrates GoReleaser binary builds + image matrix
`build-oss.yml`	Builds single OSS image variant
`build-plus.yml`	Builds single Plus/NAP image variant
`build-test-image.yml`	Builds Python e2e test image
`setup-smoke.yml`	Sets up and runs smoke tests
`patch-image.yml`	OS-level patches on existing images
`retag-images.yml`	Re-tags images in GCR Dev Registry

Security & Compliance

Workflow	Purpose
`codeql-analysis.yml`	GitHub CodeQL scanning
`scorecards.yml`	OpenSSF Scorecards
`dependency-review.yml`	Dependency review for PRs
`mend.yml`	Mend (WhiteSource) software composition analysis
`certify-ubi-image.yml`	Red Hat UBI certification for OpenShift

CI Patterns

Matrix Builds

Image variants are defined in JSON under .github/data/:

matrix-images-oss.json: debian, alpine, ubi (amd64 + arm64)
matrix-images-plus.json: debian-plus, alpine-plus, alpine-plus-fips, ubi-10-plus
matrix-images-nap.json: WAF v4/v5, DoS, UBI 10 (amd64 only)
matrix-smoke-oss.json, matrix-smoke-plus.json, matrix-smoke-nap.json: Smoke test matrices
matrix-regression.json: Regression test matrix (K8s version combinations)
patch-images.json: Patch image definitions for patch-image.yml

Caching Strategy

Go binaries: cached by go_code_md5 hash
Docker images: cached by docker_md5 hash
Stable images in GCR are checked before rebuilding

Fork Awareness

forked_workflow variable gates authenticated operations. Forked PRs get local-only builds without secret access.

Concurrency

Each workflow uses group: ${{ github.ref_name }}-<suffix> with cancel-in-progress: true.

Secrets

Retrieved from Azure Key Vault via OIDC -- not stored as GitHub secrets directly.

Version Source of Truth

.github/data/version.txt contains IC_VERSION and HELM_CHART_VERSION.

Gotchas

Never add secrets as GitHub repository secrets -- use Azure Key Vault OIDC flow
Always pin GitHub Actions to immutable SHA hashes, not mutable tags
Matrix JSON files in .github/data/ must stay in sync with Makefile image targets
NAP variants are linux/amd64 only -- do not add arm64 to NAP matrices
Renovate manages tool versions via # renovate: comments -- do not update manually
image-promotion.yml runs on merge to main, not on PR -- don't expect images from PRs

related-skills.json

same repository

nic-debugging.md

from "nginx/kubernetes-ingress"

Debugging and troubleshooting patterns for NIC. Use when diagnosing failures, tracing issues, investigating NGINX reload errors, config generation bugs, or controller sync problems.

2026-05-275.0k

nic-planning.md

from "nginx/kubernetes-ingress"

Task planning and approach strategy for NIC. Use when starting any non-trivial task, reading issues or specs, planning before implementing, or when asked to create a plan for a change.

2026-05-275.0k

nic-docker-images.md

from "nginx/kubernetes-ingress"

Docker image build system, Dockerfile structure, image variants, build scripts, and Makefile targets for NIC. Use when building container images, modifying the Dockerfile, adding new image variants, debugging image builds, or working with build scripts.

2026-05-255.0k

nic-structure.md

from "nginx/kubernetes-ingress"

NIC architecture, resource processing pipeline, template systems, and key type definitions. Use when exploring the codebase, understanding data flow, debugging config generation, or working on controller logic.

2026-05-185.0k

nic-add-feature.md

from "nginx/kubernetes-ingress"

Checklists for adding Ingress annotations, VirtualServer/VSR fields, or Helm chart values to NIC. Use when adding new configuration options, new NGINX directives, new annotations, new CRD fields, or new Helm values.

2026-05-025.0k

nic-add-policy.md

from "nginx/kubernetes-ingress"

Step-by-step checklist for adding a new Policy CRD type to NIC. Use when implementing a new policy like AccessControl, RateLimit, JWTAuth, ExternalAuth, BasicAuth, IngressMTLS, EgressMTLS, OIDC, WAF, APIKey, Cache, or CORS, or extending the policy system with a new policy type.

2026-05-025.0k

package.json

"author": "nginx"

"repository": "nginx/kubernetes-ingress"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Software DevelopersComputer and Mathematical Occupations15-1252L4

name	nic-ci-pipelines
description	CI/CD pipeline structure, GitHub Actions workflows, reusable workflow patterns, and matrix builds for NIC. Use when working on CI workflows, debugging build failures, adding new workflow steps, modifying build matrices, or understanding the release pipeline.

NIC CI/CD Pipelines

Workflow Architecture

The CI system uses GitHub Actions with extensive reusable workflow composition.

ci.yml (main CI orchestrator)
  -> checks (format, lint, codegen, CRDs, chart version)
  -> unit-tests
  -> build-artifacts.yml (reusable)
       -> build-oss.yml (per-variant, matrix)
       -> build-plus.yml (per-variant, matrix)  <- also used for NAP variants
  -> helm-tests
  -> setup-smoke.yml (reusable)
  -> e2e tests

image-promotion.yml (post-merge)
  -> builds images, tags edge/stable
  -> Trivy + DockerScout security scans
  -> publishes edge Helm charts

release.yml (manual dispatch)
  -> oss-release.yml
  -> plus-release.yml
  -> publish-helm.yml
  -> certify-ubi-image.yml
  -> marketplace pushes (AWS, Azure, GCP)

Key Workflows

Workflow	Trigger	Purpose
`ci.yml`	PR to `main`/`release-*`, merge_group, workflow_dispatch	Main CI: checks + build + test
`lint-format.yml`	PR to `main`, merge_group	goimports, gofumpt, golangci-lint, actionlint
`regression.yml`	Daily cron (03:00 UTC), manual	Multi-K8s-version regression
`image-promotion.yml`	Push to `main`/`release-*`	Post-merge image tagging + scanning
`release.yml`	Manual dispatch	Full release orchestrator
`build-base-images.yml`	Weekday cron (04:30 UTC)	Rebuilds all base images

Release Sub-Workflows (called by `release.yml`)

Workflow	Purpose
`oss-release.yml`	OSS image release
`plus-release.yml`	Plus/NAP image release
`publish-helm.yml`	Helm chart publishing to registry

Reusable Build Workflows (called via `workflow_call`)

Workflow	Purpose
`build-artifacts.yml`	Orchestrates GoReleaser binary builds + image matrix
`build-oss.yml`	Builds single OSS image variant
`build-plus.yml`	Builds single Plus/NAP image variant
`build-test-image.yml`	Builds Python e2e test image
`setup-smoke.yml`	Sets up and runs smoke tests
`patch-image.yml`	OS-level patches on existing images
`retag-images.yml`	Re-tags images in GCR Dev Registry

Security & Compliance

Workflow	Purpose
`codeql-analysis.yml`	GitHub CodeQL scanning
`scorecards.yml`	OpenSSF Scorecards
`dependency-review.yml`	Dependency review for PRs
`mend.yml`	Mend (WhiteSource) software composition analysis
`certify-ubi-image.yml`	Red Hat UBI certification for OpenShift

CI Patterns

Matrix Builds

Image variants are defined in JSON under .github/data/:

matrix-images-oss.json: debian, alpine, ubi (amd64 + arm64)
matrix-images-plus.json: debian-plus, alpine-plus, alpine-plus-fips, ubi-10-plus
matrix-images-nap.json: WAF v4/v5, DoS, UBI 10 (amd64 only)
matrix-smoke-oss.json, matrix-smoke-plus.json, matrix-smoke-nap.json: Smoke test matrices
matrix-regression.json: Regression test matrix (K8s version combinations)
patch-images.json: Patch image definitions for patch-image.yml

Caching Strategy

Go binaries: cached by go_code_md5 hash
Docker images: cached by docker_md5 hash
Stable images in GCR are checked before rebuilding

Fork Awareness

forked_workflow variable gates authenticated operations. Forked PRs get local-only builds without secret access.

Concurrency

Each workflow uses group: ${{ github.ref_name }}-<suffix> with cancel-in-progress: true.

Secrets

Retrieved from Azure Key Vault via OIDC -- not stored as GitHub secrets directly.

Version Source of Truth

.github/data/version.txt contains IC_VERSION and HELM_CHART_VERSION.

Gotchas

Never add secrets as GitHub repository secrets -- use Azure Key Vault OIDC flow
Always pin GitHub Actions to immutable SHA hashes, not mutable tags
Matrix JSON files in .github/data/ must stay in sync with Makefile image targets
NAP variants are linux/amd64 only -- do not add arm64 to NAP matrices
Renovate manages tool versions via # renovate: comments -- do not update manually
image-promotion.yml runs on merge to main, not on PR -- don't expect images from PRs

nic-ci-pipelines

NIC CI/CD Pipelines

Workflow Architecture

Key Workflows

Release Sub-Workflows (called by release.yml)

Reusable Build Workflows (called via workflow_call)

Security & Compliance

CI Patterns

Matrix Builds

Caching Strategy

Fork Awareness

Concurrency

Secrets

Version Source of Truth

Gotchas

More from this repository

More from this repository

NIC CI/CD Pipelines

Workflow Architecture

Key Workflows

Release Sub-Workflows (called by release.yml)

Reusable Build Workflows (called via workflow_call)

Security & Compliance

CI Patterns

Matrix Builds

Caching Strategy

Fork Awareness

Concurrency

Secrets

Version Source of Truth

Gotchas

Release Sub-Workflows (called by `release.yml`)

Reusable Build Workflows (called via `workflow_call`)

Release Sub-Workflows (called by `release.yml`)

Reusable Build Workflows (called via `workflow_call`)