Add Operator image build and publish to the pipeline (#3980)

Author: shaun-nx

.github/workflows/build.yml

@@ -120,6 +120,7 @@ jobs:
             name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
             name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
             name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/operator,enable=${{ inputs.image == 'operator' && github.event_name != 'pull_request' }}
             name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}
           flavor: |
             latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
@@ -147,7 +148,7 @@ jobs:
       - name: Build Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          file: ${{ inputs.build-os != '' && format('build/{0}/Dockerfile{1}', inputs.build-os, inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') || format('build/Dockerfile{0}', inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') }}
+          file: ${{ inputs.image == 'operator' && 'operators/Dockerfile' || (inputs.build-os != '' && format('build/{0}/Dockerfile{1}', inputs.build-os, inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') || format('build/Dockerfile{0}', inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '')) }}
           context: "."
           target: ${{ inputs.image == 'ngf' && 'goreleaser' || '' }}
           tags: ${{ steps.meta.outputs.tags }}

.github/workflows/ci.yml

@@ -20,6 +20,10 @@ on:
         required: false
         type: string
         default: ''
+      operator_version:
+        required: false
+        type: string
+        default: ''
       dry_run:
         required: false
         type: boolean
@@ -388,6 +392,23 @@ jobs:
       id-token: write # for docker/login to login to NGINX registry
     secrets: inherit
 
+  build-operator:
+    name: Build Operator images
+    needs: [vars, binary]
+    uses: ./.github/workflows/build.yml
+    with:
+      image: operator
+      platforms: "linux/arm64, linux/amd64"
+      tag: ${{ inputs.operator_version || '' }}
+      dry_run: ${{ inputs.dry_run || false }}
+      runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
+    permissions:
+      contents: read # for docker/build-push-action to read repo content
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      packages: write # for docker/build-push-action to push to GHCR
+      id-token: write # for docker/login to login to NGINX registry
+    secrets: inherit
+
   functional-tests:
     name: Functional tests
     needs: [vars, build-oss, build-plus]

.github/workflows/production-release.yml

@@ -7,6 +7,11 @@ on:
         description: 'Release version (e.g., v2.0.3)'
         required: true
         type: string
+      operator-version:
+        description: 'Operator release version (e.g., v1.0.0). Optional'
+        required: false
+        type: string
+        default: ''
       dry_run:
         description: 'If true, does a dry run of the production workflow'
         required: false
@@ -33,6 +38,7 @@ jobs:
           echo "Validating release from: ${GITHUB_REF}"
 
           INPUT_VERSION="${{ github.event.inputs.version }}"
+          INPUT_OPERATOR_VERSION="${{ github.event.inputs.operator-version }}"
 
           # Validate version format
           if [[ ! "${INPUT_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -41,8 +47,17 @@ jobs:
           exit 1
           fi
 
+          # Validate version format if operator version is provided
+          if [[ -n "${INPUT_OPERATOR_VERSION}" && ! "${INPUT_OPERATOR_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          echo "❌ Invalid operator version format: ${INPUT_OPERATOR_VERSION}"
+          echo "Expected format: v1.2.3"
+          exit 1
+          fi
+
+
           echo "✅ Valid release branch: ${GITHUB_REF}"
           echo "✅ Valid version format: ${INPUT_VERSION}"
+          [[ -n "${INPUT_OPERATOR_VERSION}" ]] && echo "✅ Valid operator version format: ${INPUT_OPERATOR_VERSION}"
 
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -62,7 +77,7 @@ jobs:
           git tag -a "${VERSION}" -m "Release ${VERSION}"
 
           if [[ "${{ inputs.dry_run }}" == "true" ]]; then
-          echo "DRY RUN: Would push tag ${VERSION}"
+          echo "DRY RUN: Would push tag ${VERSION} and operator tag ${{ github.event.inputs.operator-version || '' }}"
           git push --dry-run origin "${VERSION}"
           else
           git push origin "${VERSION}"
@@ -76,6 +91,7 @@ jobs:
     with:
       is_production_release: true
       release_version: ${{ github.event.inputs.version }}
+      operator_version: ${{ github.event.inputs.operator-version }}
       dry_run: ${{ github.event.inputs.dry_run }}
     secrets: inherit
     permissions:

docs/developer/release-process.md

@@ -58,6 +58,7 @@ To create a new release, follow these steps:
       - If the supported Gateway API minor version has changed since the last release, add a note to the release notes explaining if the previous version is no longer supported.
       - Merge the release PR once it has received all necessary approvals.
 6. Once you are ready to release, run the [Production Release](https://github.com/nginx/nginx-gateway-fabric/actions/workflows/production-release.yml) workflow with the correct tag e.g. `v2.1.0`. (Note: It is also possible to do a dry run of the production release workflow for verification if required. This will not push the tag, images, and chart, and won't publish the release)
+If this release includes an updated release of our [Operator](https://github.com/nginx/nginx-gateway-fabric/tree/main/operators), include the new version as well e.g. `v1.0.1`
    As a result, the CI/CD pipeline will:
    - Create and push the tag
    - Build NGF, NGINX and NGINX Plus container images with the release tag `X.Y.Z` and push them to the registries.