From 9803fe1874745abd0cf9811b2f0094720b202aaa Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Tue, 26 Aug 2025 10:44:26 +0530 Subject: [PATCH 01/26] ci-pull-requests: add tenki-standard-autoscale --- .github/workflows/ci-pull-requests.yml | 5 ++--- .github/workflows/linting-reusable.yml | 2 +- .github/workflows/units-tests-reusable.yml | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci-pull-requests.yml b/.github/workflows/ci-pull-requests.yml index 722694991d625..1b38cf0e3e097 100644 --- a/.github/workflows/ci-pull-requests.yml +++ b/.github/workflows/ci-pull-requests.yml @@ -4,12 +4,11 @@ on: pull_request: branches: - '**' - - '!release/*' jobs: install-and-build: name: Install & Build - runs-on: blacksmith-2vcpu-ubuntu-2204 + runs-on: tenki-standard-autoscale env: NODE_OPTIONS: '--max-old-space-size=3072' outputs: @@ -59,7 +58,7 @@ jobs: name: Bundle Size Check needs: install-and-build if: needs.install-and-build.outputs.frontend_changed == 'true' - runs-on: ubuntu-latest + runs-on: tenki-standard-autoscale steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/linting-reusable.yml b/.github/workflows/linting-reusable.yml index 4d89d34ffd882..339f2341a6976 100644 --- a/.github/workflows/linting-reusable.yml +++ b/.github/workflows/linting-reusable.yml @@ -20,7 +20,7 @@ env: jobs: lint: name: Lint - runs-on: blacksmith-4vcpu-ubuntu-2204 + runs-on: tenki-standard-autoscale steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/units-tests-reusable.yml b/.github/workflows/units-tests-reusable.yml index 6d96f164533aa..032160c386352 100644 --- a/.github/workflows/units-tests-reusable.yml +++ b/.github/workflows/units-tests-reusable.yml 
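Review bot: The first hunk of ci-pull-requests.yml drops the `- '!release/*'` exclusion from `on.pull_request.branches`, which the commit subject (runner label only) does not mention. With that line gone, pull requests targeting release branches also start this workflow, now on the `tenki-standard-autoscale` label. If that is intended, state it in the commit message; otherwise keep `- '!release/*'` and limit the change to `runs-on`. The same label swap recurs in the Bundle Size Check, Lint and Unit tests hunks, and because `pull_request` jobs build contributor-supplied code it is worth confirming that the new runner pool is ephemeral and holds no long-lived credentials.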
@@ -28,7 +28,7 @@ env: jobs: unit-test: name: Unit tests - runs-on: blacksmith-4vcpu-ubuntu-2204 + runs-on: tenki-standard-autoscale env: COVERAGE_ENABLED: ${{ inputs.collectCoverage }} steps: From 9cd1ae30823c55e491b99c300edee2adec4491fe Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Tue, 26 Aug 2025 10:57:50 +0530 Subject: [PATCH 02/26] ci-pull-requests: dummy change to trigger CI --- .github/workflows/ci-pull-requests.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci-pull-requests.yml b/.github/workflows/ci-pull-requests.yml index 1b38cf0e3e097..bd5ed282bc2be 100644 --- a/.github/workflows/ci-pull-requests.yml +++ b/.github/workflows/ci-pull-requests.yml @@ -5,6 +5,8 @@ on: branches: - '**' +# dummy change to trigger workflow + jobs: install-and-build: name: Install & Build From b1134c523135eb9353a4041df200d3c16a1d2b80 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Tue, 26 Aug 2025 12:38:48 +0530 Subject: [PATCH 03/26] ci-pull-requests: use tenki-standard-medium-4c-8g --- .github/workflows/ci-pull-requests.yml | 4 ++-- .github/workflows/linting-reusable.yml | 2 +- .github/workflows/units-tests-reusable.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-pull-requests.yml b/.github/workflows/ci-pull-requests.yml index bd5ed282bc2be..37374d308b308 100644 --- a/.github/workflows/ci-pull-requests.yml +++ b/.github/workflows/ci-pull-requests.yml @@ -10,7 +10,7 @@ on: jobs: install-and-build: name: Install & Build - runs-on: tenki-standard-autoscale + runs-on: tenki-standard-medium-4c-8g env: NODE_OPTIONS: '--max-old-space-size=3072' outputs: @@ -60,7 +60,7 @@ jobs: name: Bundle Size Check needs: install-and-build if: needs.install-and-build.outputs.frontend_changed == 'true' - runs-on: tenki-standard-autoscale + runs-on: tenki-standard-medium-4c-8g steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
diff --git a/.github/workflows/linting-reusable.yml b/.github/workflows/linting-reusable.yml index 339f2341a6976..b0df13c4be02d 100644 --- a/.github/workflows/linting-reusable.yml +++ b/.github/workflows/linting-reusable.yml @@ -20,7 +20,7 @@ env: jobs: lint: name: Lint - runs-on: tenki-standard-autoscale + runs-on: tenki-standard-medium-4c-8g steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/units-tests-reusable.yml b/.github/workflows/units-tests-reusable.yml index 032160c386352..29d6b5851ce44 100644 --- a/.github/workflows/units-tests-reusable.yml +++ b/.github/workflows/units-tests-reusable.yml @@ -28,7 +28,7 @@ env: jobs: unit-test: name: Unit tests - runs-on: tenki-standard-autoscale + runs-on: tenki-standard-medium-4c-8g env: COVERAGE_ENABLED: ${{ inputs.collectCoverage }} steps: From ff2595d239ae0c0566c44a516bd2ec0401f7b4ad Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Tue, 26 Aug 2025 14:11:26 +0530 Subject: [PATCH 04/26] ci-pull-requests: tenki-standard-medium-4c-8g --- .github/workflows/ci-pull-requests.yml | 4 ++-- .github/workflows/linting-reusable.yml | 2 +- .github/workflows/units-tests-reusable.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-pull-requests.yml b/.github/workflows/ci-pull-requests.yml index 37374d308b308..4871ecfa6de1b 100644 --- a/.github/workflows/ci-pull-requests.yml +++ b/.github/workflows/ci-pull-requests.yml @@ -10,7 +10,7 @@ on: jobs: install-and-build: name: Install & Build - runs-on: tenki-standard-medium-4c-8g + runs-on: tenki-standard-large-8c-16g env: NODE_OPTIONS: '--max-old-space-size=3072' outputs: @@ -60,7 +60,7 @@ jobs: name: Bundle Size Check needs: install-and-build if: needs.install-and-build.outputs.frontend_changed == 'true' - runs-on: tenki-standard-medium-4c-8g + runs-on: tenki-standard-large-8c-16g steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
diff --git a/.github/workflows/linting-reusable.yml b/.github/workflows/linting-reusable.yml index b0df13c4be02d..87c06792ea634 100644 --- a/.github/workflows/linting-reusable.yml +++ b/.github/workflows/linting-reusable.yml @@ -20,7 +20,7 @@ env: jobs: lint: name: Lint - runs-on: tenki-standard-medium-4c-8g + runs-on: tenki-standard-large-8c-16g steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/units-tests-reusable.yml b/.github/workflows/units-tests-reusable.yml index 29d6b5851ce44..64288d6440bd5 100644 --- a/.github/workflows/units-tests-reusable.yml +++ b/.github/workflows/units-tests-reusable.yml @@ -28,7 +28,7 @@ env: jobs: unit-test: name: Unit tests - runs-on: tenki-standard-medium-4c-8g + runs-on: tenki-standard-large-8c-16g env: COVERAGE_ENABLED: ${{ inputs.collectCoverage }} steps: From 8acf62c7f09f48c3e353003785bb718724abc435 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Tue, 26 Aug 2025 14:49:53 +0530 Subject: [PATCH 05/26] ci-pull-requests: use tenki-standard-large-plus-16c-32g --- .github/workflows/ci-pull-requests.yml | 4 ++-- .github/workflows/linting-reusable.yml | 2 +- .github/workflows/units-tests-reusable.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-pull-requests.yml b/.github/workflows/ci-pull-requests.yml index 4871ecfa6de1b..ffa7e5c664052 100644 --- a/.github/workflows/ci-pull-requests.yml +++ b/.github/workflows/ci-pull-requests.yml @@ -10,7 +10,7 @@ on: jobs: install-and-build: name: Install & Build - runs-on: tenki-standard-large-8c-16g + runs-on: tenki-standard-large-plus-16c-32g env: NODE_OPTIONS: '--max-old-space-size=3072' outputs: 
@@ -60,7 +60,7 @@ jobs: name: Bundle Size Check needs: install-and-build if: needs.install-and-build.outputs.frontend_changed == 'true' - runs-on: tenki-standard-large-8c-16g + runs-on: tenki-standard-large-plus-16c-32g steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/linting-reusable.yml b/.github/workflows/linting-reusable.yml index 87c06792ea634..3eb045c91de6c 100644 --- a/.github/workflows/linting-reusable.yml +++ b/.github/workflows/linting-reusable.yml @@ -20,7 +20,7 @@ env: jobs: lint: name: Lint - runs-on: tenki-standard-large-8c-16g + runs-on: tenki-standard-large-plus-16c-32g steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/units-tests-reusable.yml b/.github/workflows/units-tests-reusable.yml index 64288d6440bd5..262fe7c30db54 100644 --- a/.github/workflows/units-tests-reusable.yml +++ b/.github/workflows/units-tests-reusable.yml @@ -28,7 +28,7 @@ env: jobs: unit-test: name: Unit tests - runs-on: tenki-standard-large-8c-16g + runs-on: tenki-standard-large-plus-16c-32g env: COVERAGE_ENABLED: ${{ inputs.collectCoverage }} steps: From 6617548e107ce39ecb04b82bcde84a84446a65d4 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Tue, 26 Aug 2025 17:22:26 +0530 Subject: [PATCH 06/26] docker-build-and--push: use tenki-standard-autoscale --- .github/workflows/docker-build-push.yml | 20 ++++++++----------- .../security-trivy-scan-callable.yml | 2 +- 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 28aadba74662e..34a7d2b66a027 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -10,8 +10,6 @@ env: NODE_OPTIONS: '--max-old-space-size=7168' on: - schedule: - - cron: '0 0 * * *' workflow_call: inputs: 
@@ -44,16 +42,14 @@ on: pull_request: types: + - synchronize - opened - - ready_for_review - paths: - - '.github/workflows/docker-build-push.yml' - - 'docker/images/n8n/Dockerfile' + - edited jobs: determine-build-context: name: Determine Build Context - runs-on: ubuntu-latest + runs-on: tenki-standard-autoscale outputs: release_type: ${{ steps.context.outputs.release_type }} n8n_version: ${{ steps.context.outputs.n8n_version }} @@ -134,7 +130,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "blacksmith-4vcpu-ubuntu-2204", + "runner": "tenki-standard-autoscale", "docker_platform": "linux/amd64" }] }' @@ -144,7 +140,7 @@ jobs: "platform": ["amd64", "arm64"], "include": [{ "platform": "amd64", - "runner": "blacksmith-4vcpu-ubuntu-2204", + "runner": "tenki-standard-autoscale", "docker_platform": "linux/amd64" }, { "platform": "arm64", @@ -290,13 +286,13 @@ jobs: platforms: ${{ matrix.docker_platform }} provenance: true sbom: true - push: ${{ needs.determine-build-context.outputs.push_enabled == 'true' }} + push: false tags: ${{ steps.determine-tags.outputs.tags }} create_multi_arch_manifest: name: Create Multi-Arch Manifest needs: [determine-build-context, build-and-push-docker] - runs-on: ubuntu-latest + runs-on: tenki-standard-autoscale if: | needs.build-and-push-docker.result == 'success' && needs.determine-build-context.outputs.push_enabled == 'true' @@ -389,7 +385,7 @@ jobs: call-success-url: name: Call Success URL needs: [create_multi_arch_manifest] - runs-on: ubuntu-latest + runs-on: tenki-standard-autoscale if: needs.create_multi_arch_manifest.result == 'success' || needs.create_multi_arch_manifest.result == 'skipped' steps: - name: Call Success URL diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index cce2253ceae06..32f4e70e2f39c 100644 --- a/.github/workflows/security-trivy-scan-callable.yml +++ b/.github/workflows/security-trivy-scan-callable.yml 
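Review bot: The `pull_request` trigger in the `@@ -44,16 +42,14 @@` hunk loses its `paths:` filter and gains `synchronize` and `edited`, so the full Docker image build now runs on every push to any pull request and on title or description edits. That multiplies the runs of a workflow that references registry credentials further down. Keep the `paths:` list (`'.github/workflows/docker-build-push.yml'`, `'docker/images/n8n/Dockerfile'`) and drop `edited`, which fires without any code change. The `jobs:` block continues outside the hunk.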
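Review bot: `push: false` in the `@@ -290,13 +286,13 @@` hunk hard-codes what was `needs.determine-build-context.outputs.push_enabled == 'true'`, so no build type publishes an image any more, while the `create_multi_arch_manifest` job directly below is still gated on `push_enabled == 'true'` and presumably expects per-platform tags that are now never pushed. `provenance: true` and `sbom: true` also stay set on a build whose result is discarded. To disable publishing for test runs, make `push_enabled` evaluate to false for those events in `determine-build-context` and keep `push: ${{ needs.determine-build-context.outputs.push_enabled == 'true' }}`.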
@@ -27,7 +27,7 @@ env: jobs: security_scan: name: Security - Scan Docker Image With Trivy - runs-on: ubuntu-latest + runs-on: tenki-standard-autoscale steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 From da3840f3d0346f6542f17c5acb4fa994f47a5876 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 11:34:23 +0530 Subject: [PATCH 07/26] docker-build-and--push: use ubuntu-latest --- .github/workflows/ci-pull-requests.yml | 4 ++-- .github/workflows/docker-build-push.yml | 11 +++++------ .github/workflows/linting-reusable.yml | 2 +- .github/workflows/security-trivy-scan-callable.yml | 2 +- .github/workflows/units-tests-reusable.yml | 2 +- 5 files changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci-pull-requests.yml b/.github/workflows/ci-pull-requests.yml index ffa7e5c664052..1880c8b32c7df 100644 --- a/.github/workflows/ci-pull-requests.yml +++ b/.github/workflows/ci-pull-requests.yml @@ -10,7 +10,7 @@ on: jobs: install-and-build: name: Install & Build - runs-on: tenki-standard-large-plus-16c-32g + runs-on: ubuntu-latest env: NODE_OPTIONS: '--max-old-space-size=3072' outputs: @@ -60,7 +60,7 @@ jobs: name: Bundle Size Check needs: install-and-build if: needs.install-and-build.outputs.frontend_changed == 'true' - runs-on: tenki-standard-large-plus-16c-32g + runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 34a7d2b66a027..5404110aa6957 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -10,7 +10,6 @@ env: NODE_OPTIONS: '--max-old-space-size=7168' on: - workflow_call: inputs: n8n_version: 
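Review bot: In the `@@ -10,7 +10,6 @@` hunk of docker-build-push.yml the `workflow_call:` key is removed but the `inputs:` block that belonged to it stays, which appears to leave `inputs:` directly under `on:` (indentation is not recoverable from this view). `inputs` is not a workflow event, so the file would either fail validation or stop being callable from other workflows. If the reusable entry point is meant to go, remove its `inputs:` block with it; otherwise restore `workflow_call:`. The commit subject mentions only the switch to `ubuntu-latest`.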
@@ -49,7 +48,7 @@ on: jobs: determine-build-context: name: Determine Build Context - runs-on: tenki-standard-autoscale + runs-on: ubuntu-latest outputs: release_type: ${{ steps.context.outputs.release_type }} n8n_version: ${{ steps.context.outputs.n8n_version }} @@ -130,7 +129,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "tenki-standard-autoscale", + "runner": "ubuntu-latest", "docker_platform": "linux/amd64" }] }' @@ -140,7 +139,7 @@ jobs: "platform": ["amd64", "arm64"], "include": [{ "platform": "amd64", - "runner": "tenki-standard-autoscale", + "runner": "ubuntu-latest", "docker_platform": "linux/amd64" }, { "platform": "arm64", @@ -292,7 +291,7 @@ jobs: create_multi_arch_manifest: name: Create Multi-Arch Manifest needs: [determine-build-context, build-and-push-docker] - runs-on: tenki-standard-autoscale + runs-on: ubuntu-latest if: | needs.build-and-push-docker.result == 'success' && needs.determine-build-context.outputs.push_enabled == 'true' @@ -385,7 +384,7 @@ jobs: call-success-url: name: Call Success URL needs: [create_multi_arch_manifest] - runs-on: tenki-standard-autoscale + runs-on: ubuntu-latest if: needs.create_multi_arch_manifest.result == 'success' || needs.create_multi_arch_manifest.result == 'skipped' steps: - name: Call Success URL diff --git a/.github/workflows/linting-reusable.yml b/.github/workflows/linting-reusable.yml index 3eb045c91de6c..7351b22e94812 100644 --- a/.github/workflows/linting-reusable.yml +++ b/.github/workflows/linting-reusable.yml @@ -20,7 +20,7 @@ env: jobs: lint: name: Lint - runs-on: tenki-standard-large-plus-16c-32g + runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index 32f4e70e2f39c..cce2253ceae06 100644 --- a/.github/workflows/security-trivy-scan-callable.yml 
+++ b/.github/workflows/security-trivy-scan-callable.yml @@ -27,7 +27,7 @@ env: jobs: security_scan: name: Security - Scan Docker Image With Trivy - runs-on: tenki-standard-autoscale + runs-on: ubuntu-latest steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 diff --git a/.github/workflows/units-tests-reusable.yml b/.github/workflows/units-tests-reusable.yml index 262fe7c30db54..556eef85f29a1 100644 --- a/.github/workflows/units-tests-reusable.yml +++ b/.github/workflows/units-tests-reusable.yml @@ -28,7 +28,7 @@ env: jobs: unit-test: name: Unit tests - runs-on: tenki-standard-large-plus-16c-32g + runs-on: ubuntu-latest env: COVERAGE_ENABLED: ${{ inputs.collectCoverage }} steps: From 8dc2c1f727bf27c5602a02d5b350ab93ff75bd2a Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 13:05:46 +0530 Subject: [PATCH 08/26] docker-build-and--push: bypass few steps to finish the job successfully --- .github/workflows/docker-build-push.yml | 40 ++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 5404110aa6957..a1d4966017f77 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml 
@@ -258,20 +258,20 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - - name: Login to GitHub Container Registry - if: needs.determine-build-context.outputs.push_enabled == 'true' - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to DockerHub - if: needs.determine-build-context.outputs.push_enabled == 'true' && steps.determine-tags.outputs.dockerhub_platform_tag != '' - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + # - name: Login to GitHub Container Registry + # if: needs.determine-build-context.outputs.push_enabled == 'true' + # uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + # with: + # registry: ghcr.io + # username: ${{ github.actor }} + # password: ${{ secrets.GITHUB_TOKEN }} + + # - name: Login to DockerHub + # if: needs.determine-build-context.outputs.push_enabled == 'true' && steps.determine-tags.outputs.dockerhub_platform_tag != '' + # uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + # with: + # username: ${{ secrets.DOCKER_USERNAME }} + # password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and push Docker image uses: useblacksmith/build-push-action@574eb0ee0b59c6a687ace24192f0727dfb65d6d7 # v1.2 
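Review bot: Both registry login steps commented out in this hunk already carried `if: needs.determine-build-context.outputs.push_enabled == 'true'`, so they were skipped whenever pushing was disabled; commenting them out removes them for publishing builds as well. The same applies to the `Login to Docker Hub` step in the `@@ -342,12 +342,12 @@` hunk, which was guarded by `CREATE_DOCKERHUB_MANIFEST == 'true'`. Leave the steps in place and let the existing conditions decide, or delete them outright. Commented-out YAML that still names `secrets.DOCKER_PASSWORD` is never linted and is easy to re-enable by accident.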
@@ -342,12 +342,12 @@ jobs: ;; esac - - name: Login to Docker Hub - if: steps.dockerhub_check.outputs.CREATE_DOCKERHUB_MANIFEST == 'true' - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + # - name: Login to Docker Hub + # if: steps.dockerhub_check.outputs.CREATE_DOCKERHUB_MANIFEST == 'true' + # uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + # with: + # username: ${{ secrets.DOCKER_USERNAME }} + # password: ${{ secrets.DOCKER_PASSWORD }} - name: Create GHCR multi-arch manifest if: needs.build-and-push-docker.outputs.primary_ghcr_manifest_tag != '' From 5bc992a528d517d5891e61b8592bcaec4e0d8c43 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 13:24:14 +0530 Subject: [PATCH 09/26] docker-build-and--push: bypass few steps to finish the job successfully --- .github/workflows/docker-build-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index a1d4966017f77..ca1f2c8d8859d 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -274,7 +274,7 @@ jobs: # password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and push Docker image - uses: useblacksmith/build-push-action@574eb0ee0b59c6a687ace24192f0727dfb65d6d7 # v1.2 + uses: docker/build-push-action@v6 with: context: . file: ./docker/images/n8n/Dockerfile From 370079ce993c77c5ac7d9e86111a05c477c94d84 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 15:19:33 +0530 Subject: [PATCH 10/26] docker-build-and--push: bypass steps to avoid failure --- .github/workflows/docker-build-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index ca1f2c8d8859d..c36054b2b6c07 100644 
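Review bot: `uses: docker/build-push-action@v6` in the `@@ -274,7 +274,7 @@` hunk replaces an action pinned to a full commit SHA with a mutable tag, the only unpinned `uses:` among those visible in this workflow. A tag can be moved to different code, and this step runs in the job that builds the image. Pin it like the neighbouring steps, `uses: docker/build-push-action@FULL_COMMIT_SHA # v6.x.y`, where FULL_COMMIT_SHA is a placeholder for the commit of the release you have reviewed. The step's `with:` block continues outside the hunk.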
--- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -179,7 +179,7 @@ jobs: run: | RELEASE_TYPE="${{ needs.determine-build-context.outputs.release_type }}" N8N_VERSION_TAG="${{ needs.determine-build-context.outputs.n8n_version }}" - GHCR_BASE="ghcr.io/${{ github.repository_owner }}/n8n" + GHCR_BASE="ghcr.io/tenkicloud/n8n" DOCKER_BASE="${{ secrets.DOCKER_USERNAME }}/n8n" PLATFORM="${{ matrix.platform }}" From 4113809d2fc1ed21f1ac973c48908b58a6e7b96f Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 16:01:37 +0530 Subject: [PATCH 11/26] docker-build-and--push: bypass steps to avoid failure --- .github/workflows/docker-build-push.yml | 28 ++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index c36054b2b6c07..f9b75be836935 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -133,20 +133,20 @@ jobs: "docker_platform": "linux/amd64" }] }' - else - # All other builds (stable, nightly, dev, PR) need both platforms - MATRIX='{ - "platform": ["amd64", "arm64"], - "include": [{ - "platform": "amd64", - "runner": "ubuntu-latest", - "docker_platform": "linux/amd64" - }, { - "platform": "arm64", - "runner": "blacksmith-4vcpu-ubuntu-2204-arm", - "docker_platform": "linux/arm64" - }] - }' + # else + # # All other builds (stable, nightly, dev, PR) need both platforms + # MATRIX='{ + # "platform": ["amd64", "arm64"], + # "include": [{ + # "platform": "amd64", + # "runner": "ubuntu-latest", + # "docker_platform": "linux/amd64" + # }, { + # "platform": "arm64", + # "runner": "blacksmith-4vcpu-ubuntu-2204-arm", + # "docker_platform": "linux/arm64" + # }] + # }' fi # Output matrix as single line for GITHUB_OUTPUT From 32bfe10081be5dd0701d3fdb83ea0de337113a0f Mon Sep 17 00:00:00 2001 
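Review bot: `GHCR_BASE="ghcr.io/tenkicloud/n8n"` in the `@@ -179,7 +179,7 @@` hunk hard-codes one organisation where the line used `${{ github.repository_owner }}`, so every run of this workflow, in any fork or upstream, would tag images into that namespace. The commit subject ("bypass steps to avoid failure") does not say what failed. If the owner expression produced an invalid image reference (for instance through upper-case characters, which is an assumption and not shown here), normalise it in the script instead of fixing the value. The `run:` block starts and ends outside the hunk.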
From: Asutosh Panda Date: Thu, 28 Aug 2025 16:06:43 +0530 Subject: [PATCH 12/26] docker-build-and--push: bypass steps to avoid failure --- .github/workflows/docker-build-push.yml | 38 ++++++++++++++++--------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index f9b75be836935..e74bac424e5f0 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -133,20 +133,30 @@ jobs: "docker_platform": "linux/amd64" }] }' - # else - # # All other builds (stable, nightly, dev, PR) need both platforms - # MATRIX='{ - # "platform": ["amd64", "arm64"], - # "include": [{ - # "platform": "amd64", - # "runner": "ubuntu-latest", - # "docker_platform": "linux/amd64" - # }, { - # "platform": "arm64", - # "runner": "blacksmith-4vcpu-ubuntu-2204-arm", - # "docker_platform": "linux/arm64" - # }] - # }' + else + # All other builds (stable, nightly, dev, PR) need both platforms + # MATRIX='{ + # "platform": ["amd64", "arm64"], + # "include": [{ + # "platform": "amd64", + # "runner": "ubuntu-latest", + # "docker_platform": "linux/amd64" + # }, { + # "platform": "arm64", + # "runner": "blacksmith-4vcpu-ubuntu-2204-arm", + # "docker_platform": "linux/arm64" + # }] + # }' + + # Temporary: only build AMD64 (same as branch build) + MATRIX='{ + "platform": ["amd64"], + "include": [{ + "platform": "amd64", + "runner": "ubuntu-latest", + "docker_platform": "linux/amd64" + }] + }' fi # Output matrix as single line for GITHUB_OUTPUT From 3fc6b713c42312ae3f8a814f5a6d4c0d4e8c02b5 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 16:22:40 +0530 Subject: [PATCH 13/26] docker-build-and--push: bypass steps to avoid failure --- .github/workflows/docker-build-push.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
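Review bot: The `else` branch now assigns an AMD64-only matrix for stable, nightly, dev and PR builds, marked `# Temporary` with no condition or reference for reverting it. The comment `# All other builds (stable, nightly, dev, PR) need both platforms` is left above code that does the opposite, and the previous matrix stays behind as a commented block. Since both branches now set the same value, assign `MATRIX` once without the `if`/`else`, or scope the single-platform matrix to the event that needs it, and delete the commented block in favour of history. The `if` this `else` belongs to starts outside the hunk.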
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index e74bac424e5f0..46d8c5e936684 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -302,9 +302,9 @@ jobs: name: Create Multi-Arch Manifest needs: [determine-build-context, build-and-push-docker] runs-on: ubuntu-latest - if: | - needs.build-and-push-docker.result == 'success' && - needs.determine-build-context.outputs.push_enabled == 'true' + # if: | + # needs.build-and-push-docker.result == 'success' && + # needs.determine-build-context.outputs.push_enabled == 'true' steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 From 5e7368f3ed591705530a2ccd9dc3f619fe6eeade Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 16:39:33 +0530 Subject: [PATCH 14/26] docker-build-and--push: bypass steps to avoid failure --- .github/workflows/docker-build-push.yml | 214 ++++++++++++------------ 1 file changed, 107 insertions(+), 107 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 46d8c5e936684..deef0db6d9e52 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml 
@@ -298,113 +298,113 @@ jobs: push: false tags: ${{ steps.determine-tags.outputs.tags }} - create_multi_arch_manifest: - name: Create Multi-Arch Manifest - needs: [determine-build-context, build-and-push-docker] - runs-on: ubuntu-latest - # if: | - # needs.build-and-push-docker.result == 'success' && - # needs.determine-build-context.outputs.push_enabled == 'true' - steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Determine Docker Hub manifest tag - id: dockerhub_check - run: | - RELEASE_TYPE="${{ needs.determine-build-context.outputs.release_type }}" - N8N_VERSION="${{ needs.determine-build-context.outputs.n8n_version }}" - DOCKER_BASE="${{ secrets.DOCKER_USERNAME }}/n8n" - - # Determine if Docker Hub manifest is needed and construct the tag - case "$RELEASE_TYPE" in - "stable") - { - echo "DOCKER_MANIFEST_TAG=${DOCKER_BASE}:${N8N_VERSION}" - echo "CREATE_DOCKERHUB_MANIFEST=true" - } >> "$GITHUB_OUTPUT" - ;; - "nightly") - { - echo "DOCKER_MANIFEST_TAG=${DOCKER_BASE}:nightly" - echo "CREATE_DOCKERHUB_MANIFEST=true" - } >> "$GITHUB_OUTPUT" - ;; - "dev") - if [[ "$N8N_VERSION" != pr-* ]]; then - { - echo "DOCKER_MANIFEST_TAG=${DOCKER_BASE}:dev" - echo "CREATE_DOCKERHUB_MANIFEST=true" - } >> "$GITHUB_OUTPUT" - else - echo "CREATE_DOCKERHUB_MANIFEST=false" >> "$GITHUB_OUTPUT" - fi - ;; - *) - echo "CREATE_DOCKERHUB_MANIFEST=false" >> "$GITHUB_OUTPUT" - ;; - esac - - # - name: Login to Docker Hub - # if: steps.dockerhub_check.outputs.CREATE_DOCKERHUB_MANIFEST == 'true' - # uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 - # with: - # username: ${{ secrets.DOCKER_USERNAME }} - # password: ${{ secrets.DOCKER_PASSWORD }} - - - name: 
Create GHCR multi-arch manifest - if: needs.build-and-push-docker.outputs.primary_ghcr_manifest_tag != '' - run: | - MANIFEST_TAG="${{ needs.build-and-push-docker.outputs.primary_ghcr_manifest_tag }}" - RELEASE_TYPE="${{ needs.determine-build-context.outputs.release_type }}" - - echo "Creating GHCR manifest: $MANIFEST_TAG" - - # For branch builds, only AMD64 is built - if [[ "$RELEASE_TYPE" == "branch" ]]; then - docker buildx imagetools create \ - --tag $MANIFEST_TAG \ - ${MANIFEST_TAG}-amd64 - else - docker buildx imagetools create \ - --tag $MANIFEST_TAG \ - ${MANIFEST_TAG}-amd64 \ - ${MANIFEST_TAG}-arm64 - fi - - - name: Create Docker Hub multi-arch manifest - if: steps.dockerhub_check.outputs.CREATE_DOCKERHUB_MANIFEST == 'true' - run: | - MANIFEST_TAG="${{ steps.dockerhub_check.outputs.DOCKER_MANIFEST_TAG }}" - - echo "Creating Docker Hub manifest: $MANIFEST_TAG" - - docker buildx imagetools create \ - --tag $MANIFEST_TAG \ - ${MANIFEST_TAG}-amd64 \ - ${MANIFEST_TAG}-arm64 - - call-success-url: - name: Call Success URL - needs: [create_multi_arch_manifest] - runs-on: ubuntu-latest - if: needs.create_multi_arch_manifest.result == 'success' || needs.create_multi_arch_manifest.result == 'skipped' - steps: - - name: Call Success URL - env: - SUCCESS_URL: ${{ github.event.inputs.success_url }} - if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.success_url != '' }} - run: | - echo "Calling success URL: ${{ env.SUCCESS_URL }}" - curl -v "${{ env.SUCCESS_URL }}" || echo "Failed to call success URL" - shell: bash + # create_multi_arch_manifest: + # name: Create Multi-Arch Manifest + # needs: [determine-build-context, build-and-push-docker] + # runs-on: ubuntu-latest + # # if: | + # # needs.build-and-push-docker.result == 'success' && + # # needs.determine-build-context.outputs.push_enabled == 'true' + # steps: + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + # - name: 
Login to GitHub Container Registry + # uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + # with: + # registry: ghcr.io + # username: ${{ github.actor }} + # password: ${{ secrets.GITHUB_TOKEN }} + + # - name: Determine Docker Hub manifest tag + # id: dockerhub_check + # run: | + # RELEASE_TYPE="${{ needs.determine-build-context.outputs.release_type }}" + # N8N_VERSION="${{ needs.determine-build-context.outputs.n8n_version }}" + # DOCKER_BASE="${{ secrets.DOCKER_USERNAME }}/n8n" + + # # Determine if Docker Hub manifest is needed and construct the tag + # case "$RELEASE_TYPE" in + # "stable") + # { + # echo "DOCKER_MANIFEST_TAG=${DOCKER_BASE}:${N8N_VERSION}" + # echo "CREATE_DOCKERHUB_MANIFEST=true" + # } >> "$GITHUB_OUTPUT" + # ;; + # "nightly") + # { + # echo "DOCKER_MANIFEST_TAG=${DOCKER_BASE}:nightly" + # echo "CREATE_DOCKERHUB_MANIFEST=true" + # } >> "$GITHUB_OUTPUT" + # ;; + # "dev") + # if [[ "$N8N_VERSION" != pr-* ]]; then + # { + # echo "DOCKER_MANIFEST_TAG=${DOCKER_BASE}:dev" + # echo "CREATE_DOCKERHUB_MANIFEST=true" + # } >> "$GITHUB_OUTPUT" + # else + # echo "CREATE_DOCKERHUB_MANIFEST=false" >> "$GITHUB_OUTPUT" + # fi + # ;; + # *) + # echo "CREATE_DOCKERHUB_MANIFEST=false" >> "$GITHUB_OUTPUT" + # ;; + # esac + + # # - name: Login to Docker Hub + # # if: steps.dockerhub_check.outputs.CREATE_DOCKERHUB_MANIFEST == 'true' + # # uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + # # with: + # # username: ${{ secrets.DOCKER_USERNAME }} + # # password: ${{ secrets.DOCKER_PASSWORD }} + + # - name: Create GHCR multi-arch manifest + # if: needs.build-and-push-docker.outputs.primary_ghcr_manifest_tag != '' + # run: | + # MANIFEST_TAG="${{ needs.build-and-push-docker.outputs.primary_ghcr_manifest_tag }}" + # RELEASE_TYPE="${{ needs.determine-build-context.outputs.release_type }}" + + # echo "Creating GHCR manifest: $MANIFEST_TAG" + + # # For branch builds, only AMD64 is built + # if [[ "$RELEASE_TYPE" == 
"branch" ]]; then + # docker buildx imagetools create \ + # --tag $MANIFEST_TAG \ + # ${MANIFEST_TAG}-amd64 + # else + # docker buildx imagetools create \ + # --tag $MANIFEST_TAG \ + # ${MANIFEST_TAG}-amd64 \ + # ${MANIFEST_TAG}-arm64 + # fi + + # - name: Create Docker Hub multi-arch manifest + # if: steps.dockerhub_check.outputs.CREATE_DOCKERHUB_MANIFEST == 'true' + # run: | + # MANIFEST_TAG="${{ steps.dockerhub_check.outputs.DOCKER_MANIFEST_TAG }}" + + # echo "Creating Docker Hub manifest: $MANIFEST_TAG" + + # docker buildx imagetools create \ + # --tag $MANIFEST_TAG \ + # ${MANIFEST_TAG}-amd64 \ + # ${MANIFEST_TAG}-arm64 + + # call-success-url: + # name: Call Success URL + # needs: [create_multi_arch_manifest] + # runs-on: ubuntu-latest + # if: needs.create_multi_arch_manifest.result == 'success' || needs.create_multi_arch_manifest.result == 'skipped' + # steps: + # - name: Call Success URL + # env: + # SUCCESS_URL: ${{ github.event.inputs.success_url }} + # if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.success_url != '' }} + # run: | + # echo "Calling success URL: ${{ env.SUCCESS_URL }}" + # curl -v "${{ env.SUCCESS_URL }}" || echo "Failed to call success URL" + # shell: bash security-scan: name: Security Scan From c1f75ec1c46e1596e665e8c8beeb604d41d28c66 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 16:59:23 +0530 Subject: [PATCH 15/26] docker-build-and--push: bypass steps to avoid failure --- .github/workflows/docker-build-push.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index deef0db6d9e52..6839c9afb46c3 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml 
@@ -409,10 +409,10 @@ jobs: security-scan: name: Security Scan needs: [determine-build-context, build-and-push-docker] - if: | - success() && - (needs.determine-build-context.outputs.release_type == 'stable' || - needs.determine-build-context.outputs.release_type == 'nightly') + # if: | + # success() && + # (needs.determine-build-context.outputs.release_type == 'stable' || + # needs.determine-build-context.outputs.release_type == 'nightly') uses: ./.github/workflows/security-trivy-scan-callable.yml with: image_ref: ${{ needs.build-and-push-docker.outputs.image_ref }} From 8d8237d331edd4462287eff9326dd94b971ba0e0 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 17:17:31 +0530 Subject: [PATCH 16/26] docker-build-and--push: bypass steps to avoid failure --- .../security-trivy-scan-callable.yml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index cce2253ceae06..7381c5a942ca2 100644 --- a/.github/workflows/security-trivy-scan-callable.yml +++ b/.github/workflows/security-trivy-scan-callable.yml @@ -20,9 +20,9 @@ on: permissions: contents: read -env: - QBOT_SLACK_TOKEN: ${{ secrets.QBOT_SLACK_TOKEN }} - SLACK_CHANNEL_ID: C042WDXPTEZ #mission-security +# env: +# QBOT_SLACK_TOKEN: ${{ secrets.QBOT_SLACK_TOKEN }} +# SLACK_CHANNEL_ID: C042WDXPTEZ #mission-security jobs: security_scan: 
@@ -225,13 +225,13 @@ jobs: echo "slack_blocks=$BLOCKS_JSON" >> "$GITHUB_OUTPUT" - - name: Send Slack Notification - if: steps.process_results.outputs.vulnerabilities_found == 'true' - uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 - with: - method: chat.postMessage - token: ${{ secrets.QBOT_SLACK_TOKEN }} - payload: | - channel: ${{ env.SLACK_CHANNEL_ID }} - text: "🚨 Trivy Scan: ${{ steps.process_results.outputs.critical_count }} Critical, ${{ steps.process_results.outputs.high_count }} High, ${{ steps.process_results.outputs.medium_count }} Medium, ${{ steps.process_results.outputs.low_count }} Low vulnerabilities found in ${{ inputs.image_ref }}" - blocks: ${{ steps.generate_blocks.outputs.slack_blocks }} + # - name: Send Slack Notification + # if: steps.process_results.outputs.vulnerabilities_found == 'true' + # uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 + # with: + # method: chat.postMessage + # token: ${{ secrets.QBOT_SLACK_TOKEN }} + # payload: | + # channel: ${{ env.SLACK_CHANNEL_ID }} + # text: "🚨 Trivy Scan: ${{ steps.process_results.outputs.critical_count }} Critical, ${{ steps.process_results.outputs.high_count }} High, ${{ steps.process_results.outputs.medium_count }} Medium, ${{ steps.process_results.outputs.low_count }} Low vulnerabilities found in ${{ inputs.image_ref }}" + # blocks: ${{ steps.generate_blocks.outputs.slack_blocks }} From 4e67f60c4b1138763e0bbcccbb153ba1385e9ee4 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 17:31:37 +0530 Subject: [PATCH 17/26] docker-build-and--push: bypass steps to avoid failure --- .github/workflows/docker-build-push.yml | 1 + .github/workflows/security-trivy-scan-callable.yml | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 6839c9afb46c3..802b85a5e4de1 100644 
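Review bot: Commenting out the `Send Slack Notification` step removes the only alerting path visible here for Trivy findings, so `process_results` and `generate_blocks` still run but nobody is told about the result unless they open the run. If the step failed only because `QBOT_SLACK_TOKEN` is not available in this environment, keep the step and guard it on the token instead, e.g. `if: steps.process_results.outputs.vulnerabilities_found == 'true' && env.QBOT_SLACK_TOKEN != ''`. That guard needs the workflow-level `env:` block, which the `@@ -20,9 +20,9 @@` hunk of this commit comments out, so that block should stay as well. Whether an earlier step fails the job on findings is not visible from this hunk.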
--- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -296,6 +296,7 @@ jobs: provenance: true sbom: true push: false + load: true tags: ${{ steps.determine-tags.outputs.tags }} # create_multi_arch_manifest: diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index 7381c5a942ca2..644c6dbc1a4a9 100644 --- a/.github/workflows/security-trivy-scan-callable.yml +++ b/.github/workflows/security-trivy-scan-callable.yml @@ -13,9 +13,9 @@ on: type: string description: 'Full image reference to scan e.g. ghcr.io/n8n-io/n8n:latest' required: true - secrets: - QBOT_SLACK_TOKEN: - required: true + # secrets: + # QBOT_SLACK_TOKEN: + # required: true permissions: contents: read From 64445c620a75b4a2ac2f03875ce3e0cece1e752f Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 18:34:53 +0530 Subject: [PATCH 18/26] docker-build-and--push: bypass steps to avoid failure --- .github/workflows/docker-build-push.yml | 36 ++++++++++++++++--- .../security-trivy-scan-callable.yml | 28 +++++++++++++-- 2 files changed, 58 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 802b85a5e4de1..d6a9ac0295c9a 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -173,6 +173,8 @@ jobs: outputs: image_ref: ${{ steps.determine-tags.outputs.primary_ghcr_manifest_tag }} primary_ghcr_manifest_tag: ${{ steps.determine-tags.outputs.primary_ghcr_manifest_tag }} + image_artifact: ${{ steps.artifact-meta.outputs.name }} + image_tar: ${{ steps.artifact-meta.outputs.tar }} steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
@@ -293,11 +295,34 @@ jobs: N8N_VERSION=${{ needs.determine-build-context.outputs.n8n_version }} N8N_RELEASE_TYPE=${{ needs.determine-build-context.outputs.release_type }} platforms: ${{ matrix.docker_platform }} - provenance: true - sbom: true + provenance: false + sbom: false push: false load: true - tags: ${{ steps.determine-tags.outputs.tags }} + tags: ${{ steps.determine-tags.outputs.ghcr_platform_tag }} + + - name: Tag local image with simple name + run: | + docker tag "${{ steps.determine-tags.outputs.ghcr_platform_tag }}" "n8n:local-${{ matrix.platform }}" + docker images + + - name: Save image as tar + run: | + docker save "n8n:local-${{ matrix.platform }}" -o "image-${{ matrix.platform }}.tar" + ls -lh "image-${{ matrix.platform }}.tar" + + - name: Upload image tar as artifact + uses: actions/upload-artifact@v4 + with: + name: n8n-image-${{ matrix.platform }} + path: image-${{ matrix.platform }}.tar + retention-days: 5 + + - name: Expose artifact metadata + id: artifact-meta + run: | + echo "name=n8n-image-${{ matrix.platform }}" >> "$GITHUB_OUTPUT" + echo "tar=image-${{ matrix.platform }}.tar" >> "$GITHUB_OUTPUT" # create_multi_arch_manifest: # name: Create Multi-Arch Manifest @@ -416,5 +441,8 @@ jobs: # needs.determine-build-context.outputs.release_type == 'nightly') uses: ./.github/workflows/security-trivy-scan-callable.yml with: - image_ref: ${{ needs.build-and-push-docker.outputs.image_ref }} + # image_ref: ${{ needs.build-and-push-docker.outputs.image_ref }} + input_tar_artifact: ${{ needs.build-and-push-docker.outputs.image_artifact }} + input_tar_filename: ${{ needs.build-and-push-docker.outputs.image_tar }} + artifact_run_id: ${{ github.run_id }} secrets: inherit diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index 644c6dbc1a4a9..3b3ccd108068b 100644 --- a/.github/workflows/security-trivy-scan-callable.yml +++ b/.github/workflows/security-trivy-scan-callable.yml 
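Review bot: The new `Upload image tar as artifact` step uses `actions/upload-artifact@v4`, a mutable tag, while the other actions in this workflow are pinned to a full commit SHA with the version in a trailing comment (e.g. `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`). Pin it the same way, `uses: actions/upload-artifact@<FULL_COMMIT_SHA> # v4.x.y`, with the SHA taken from the release you have reviewed; the same applies to `actions/download-artifact@v4` added in security-trivy-scan-callable.yml by this commit. `provenance: false` and `sbom: false` also drop the build attestations, presumably because `load: true` cannot export them, so leave a comment saying they must be restored when `push` is re-enabled. The added `run:` steps expand `${{ ... }}` directly into shell text; passing those values through `env:` and quoting the variables keeps a tag that is ever derived from a branch or PR name from being interpreted by the shell.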
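Review bot: `secrets: inherit` is still passed to security-trivy-scan-callable.yml at the end of this hunk, although the previous commit commented out that workflow's `secrets:` declaration and its only visible secret consumer, the Slack step. With `inherit`, every secret the caller can read is exposed to all steps of the called workflow, including the third-party actions it runs, so drop the `secrets: inherit` line until a secret is actually needed and then pass it by name. The commented-out `# image_ref:` line is better deleted than kept, since the diff history already records it. The `security-scan` job header sits outside this hunk.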
@@ -5,13 +5,27 @@ on: inputs: image_ref: description: 'Full image reference to scan e.g. ghcr.io/n8n-io/n8n:latest' - required: true + required: false default: 'ghcr.io/n8n-io/n8n:latest' workflow_call: inputs: image_ref: type: string description: 'Full image reference to scan e.g. ghcr.io/n8n-io/n8n:latest' + required: false + input_tar_artifact: + type: string + description: 'Artifact name that contains a saved image tar (from docker save)' + required: false + default: '' + input_tar_filename: + type: string + description: 'Filename of the tar inside the artifact' + required: false + default: 'image-amd64.tar' + artifact_run_id: + type: string + description: 'Caller workflow run ID that produced the artifact' required: true # secrets: # QBOT_SLACK_TOKEN: @@ -19,6 +33,7 @@ on: permissions: contents: read + actions: read # env: # QBOT_SLACK_TOKEN: ${{ secrets.QBOT_SLACK_TOKEN }} @@ -29,11 +44,20 @@ jobs: name: Security - Scan Docker Image With Trivy runs-on: ubuntu-latest steps: + - name: Download image tar artifact (from caller run) + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.input_tar_artifact }} + path: ./_image + repository: ${{ github.repository }} + run-id: ${{ inputs.artifact_run_id }} + - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 id: trivy_scan with: - image-ref: ${{ inputs.image_ref }} + # image-ref: ${{ inputs.image_ref }} + input: ./_image/${{ inputs.input_tar_filename }} format: 'json' output: 'trivy-results.json' severity: 'CRITICAL,HIGH,MEDIUM,LOW' From bdc50ace1f6e5ee30f7a22c9215097a48aefbce5 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 18:42:31 +0530 Subject: [PATCH 19/26] docker-build-and--push: bypass steps to avoid failure --- .github/workflows/docker-build-push.yml | 3 +++ 1 file changed, 3 insertions(+) 
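Review bot: In the `@@ -29,11 +44,20 @@` hunk the Trivy step now reads only `input: ./_image/${{ inputs.input_tar_filename }}`, so the `image_ref` input that both `workflow_dispatch` and `workflow_call` still declare is ignored, and a manual dispatch has no artifact name to download. Either make the two modes explicit (run the download step and set `input:` only when `inputs.input_tar_artifact != ''`, and pass `image-ref` otherwise) or remove `image_ref` from the interface so callers cannot believe a registry image was scanned. The download step also passes `run-id` and `repository` without a `github-token`. As far as I know download-artifact v4 honours those two only when a token is supplied, and a called workflow runs inside the caller's run, so they and the new `actions: read` permission may be unnecessary and should be confirmed and trimmed. The step list continues beyond this hunk.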
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index d6a9ac0295c9a..9bd2bde3b09b3 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -435,6 +435,9 @@ jobs: security-scan: name: Security Scan needs: [determine-build-context, build-and-push-docker] + permissions: + contents: read + actions: read # if: | # success() && # (needs.determine-build-context.outputs.release_type == 'stable' || From afde8ae5c5d1f719f15fdb9f72e8ad30c339c611 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 19:40:40 +0530 Subject: [PATCH 20/26] docker-build-and--push: test tenki-standard-autoscale --- .github/workflows/docker-build-push.yml | 12 ++++++------ .github/workflows/security-trivy-scan-callable.yml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 9bd2bde3b09b3..d47ad6e209831 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -48,7 +48,7 @@ on: jobs: determine-build-context: name: Determine Build Context - runs-on: ubuntu-latest + runs-on: tenki-standard-autoscale outputs: release_type: ${{ steps.context.outputs.release_type }} n8n_version: ${{ steps.context.outputs.n8n_version }} @@ -129,7 +129,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "ubuntu-latest", + "runner": "tenki-standard-autoscale", "docker_platform": "linux/amd64" }] }' @@ -139,7 +139,7 @@ jobs: # "platform": ["amd64", "arm64"], # "include": [{ # "platform": "amd64", - # "runner": "ubuntu-latest", + # "runner": "tenki-standard-autoscale", # "docker_platform": "linux/amd64" # }, { # "platform": "arm64", @@ -153,7 +153,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "ubuntu-latest", + "runner": "tenki-standard-autoscale", "docker_platform": "linux/amd64" }] }' 
@@ -327,7 +327,7 @@ jobs: # create_multi_arch_manifest: # name: Create Multi-Arch Manifest # needs: [determine-build-context, build-and-push-docker] - # runs-on: ubuntu-latest + # runs-on: tenki-standard-autoscale # # if: | # # needs.build-and-push-docker.result == 'success' && # # needs.determine-build-context.outputs.push_enabled == 'true' @@ -420,7 +420,7 @@ jobs: # call-success-url: # name: Call Success URL # needs: [create_multi_arch_manifest] - # runs-on: ubuntu-latest + # runs-on: tenki-standard-autoscale # if: needs.create_multi_arch_manifest.result == 'success' || needs.create_multi_arch_manifest.result == 'skipped' # steps: # - name: Call Success URL diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index 3b3ccd108068b..d29f3b05f6734 100644 --- a/.github/workflows/security-trivy-scan-callable.yml +++ b/.github/workflows/security-trivy-scan-callable.yml @@ -42,7 +42,7 @@ permissions: jobs: security_scan: name: Security - Scan Docker Image With Trivy - runs-on: ubuntu-latest + runs-on: tenki-standard-autoscale steps: - name: Download image tar artifact (from caller run) uses: actions/download-artifact@v4 From c014ab6094a6c5fa50ada245949094fddb4bd391 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 20:00:38 +0530 Subject: [PATCH 21/26] docker-build-and--push: test tenki-standard-medium-4c-8g --- .github/workflows/security-trivy-scan-callable.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index d29f3b05f6734..ecdcb42cd65dd 100644 --- a/.github/workflows/security-trivy-scan-callable.yml +++ b/.github/workflows/security-trivy-scan-callable.yml 
@@ -42,7 +42,7 @@ permissions: jobs: security_scan: name: Security - Scan Docker Image With Trivy - runs-on: tenki-standard-autoscale + runs-on: tenki-standard-medium-4c-8g steps: - name: Download image tar artifact (from caller run) uses: actions/download-artifact@v4 From 199ce2f5ba45cbde273ec00b45a087bd66565f34 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 20:14:29 +0530 Subject: [PATCH 22/26] docker-build-and--push: test tenki-standard-medium-4c-8g, dummy change to trigger ci --- .github/workflows/security-trivy-scan-callable.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index ecdcb42cd65dd..1ea5d04b6d5e1 100644 --- a/.github/workflows/security-trivy-scan-callable.yml +++ b/.github/workflows/security-trivy-scan-callable.yml @@ -259,3 +259,4 @@ jobs: # channel: ${{ env.SLACK_CHANNEL_ID }} # text: "🚨 Trivy Scan: ${{ steps.process_results.outputs.critical_count }} Critical, ${{ steps.process_results.outputs.high_count }} High, ${{ steps.process_results.outputs.medium_count }} Medium, ${{ steps.process_results.outputs.low_count }} Low vulnerabilities found in ${{ inputs.image_ref }}" # blocks: ${{ steps.generate_blocks.outputs.slack_blocks }} + From d45515f8a1c8e8c4cd384317f409506ccb76d172 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 20:15:53 +0530 Subject: [PATCH 23/26] docker-build-and--push: test tenki-standard-medium-4c-8g --- .github/workflows/docker-build-push.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index d47ad6e209831..e387227ced9ac 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml 
@@ -48,7 +48,7 @@ on: jobs: determine-build-context: name: Determine Build Context - runs-on: tenki-standard-autoscale + runs-on: tenki-standard-medium-4c-8g outputs: release_type: ${{ steps.context.outputs.release_type }} n8n_version: ${{ steps.context.outputs.n8n_version }} @@ -129,7 +129,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "tenki-standard-autoscale", + "runner": "tenki-standard-medium-4c-8g", "docker_platform": "linux/amd64" }] }' @@ -139,7 +139,7 @@ jobs: # "platform": ["amd64", "arm64"], # "include": [{ # "platform": "amd64", - # "runner": "tenki-standard-autoscale", + # "runner": "tenki-standard-medium-4c-8g", # "docker_platform": "linux/amd64" # }, { # "platform": "arm64", @@ -153,7 +153,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "tenki-standard-autoscale", + "runner": "tenki-standard-medium-4c-8g", "docker_platform": "linux/amd64" }] }' @@ -327,7 +327,7 @@ jobs: # create_multi_arch_manifest: # name: Create Multi-Arch Manifest # needs: [determine-build-context, build-and-push-docker] - # runs-on: tenki-standard-autoscale + # runs-on: tenki-standard-medium-4c-8g # # if: | # # needs.build-and-push-docker.result == 'success' && # # needs.determine-build-context.outputs.push_enabled == 'true' @@ -420,7 +420,7 @@ jobs: # call-success-url: # name: Call Success URL # needs: [create_multi_arch_manifest] - # runs-on: tenki-standard-autoscale + # runs-on: tenki-standard-medium-4c-8g # if: needs.create_multi_arch_manifest.result == 'success' || needs.create_multi_arch_manifest.result == 'skipped' # steps: # - name: Call Success URL From f9d71f93aa34ed7c4bb6232d748fdba59919647d Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Thu, 28 Aug 2025 23:23:51 +0530 Subject: [PATCH 24/26] docker-build-and--push: test tenki-standard-medium-4c-8g, without time limit --- .github/workflows/docker-build-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index e387227ced9ac..250a8e90b410b 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -167,7 +167,7 @@ jobs: name: Build App, then Build and Push Docker Image (${{ matrix.platform }}) needs: determine-build-context runs-on: ${{ matrix.runner }} - timeout-minutes: 15 + # timeout-minutes: 15 strategy: matrix: ${{ fromJSON(needs.determine-build-context.outputs.build_matrix) }} outputs: From 61196f11ce196c5e054ebed37ac8247eb02220f7 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Fri, 29 Aug 2025 00:24:52 +0530 Subject: [PATCH 25/26] docker-build-and--push: test tenki-standard-large-8c-16g --- .github/workflows/docker-build-push.yml | 12 ++++++------ .github/workflows/security-trivy-scan-callable.yml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 250a8e90b410b..9f2f0d442ea22 100644 --- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -48,7 +48,7 @@ on: jobs: determine-build-context: name: Determine Build Context - runs-on: tenki-standard-medium-4c-8g + runs-on: tenki-standard-large-8c-16g outputs: release_type: ${{ steps.context.outputs.release_type }} n8n_version: ${{ steps.context.outputs.n8n_version }} @@ -129,7 +129,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "tenki-standard-medium-4c-8g", + "runner": "tenki-standard-large-8c-16g", "docker_platform": "linux/amd64" }] }' @@ -139,7 +139,7 @@ jobs: # "platform": ["amd64", "arm64"], # "include": [{ # "platform": "amd64", - # "runner": "tenki-standard-medium-4c-8g", + # "runner": "tenki-standard-large-8c-16g", # "docker_platform": "linux/amd64" # }, { # "platform": "arm64", 
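Review bot: Commenting out `timeout-minutes: 15` leaves the `build-and-push-docker` job bounded only by the platform default (360 minutes on GitHub-hosted runners; the limit for the `tenki-*` runners is not visible here), so a hung build occupies a runner for hours before it is cancelled. If 15 minutes is too tight on the new runner, raise the bound instead of removing it, e.g. `timeout-minutes: 45`, and delete the commented line. The job definition starts and ends outside this hunk.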
@@ -153,7 +153,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "tenki-standard-medium-4c-8g", + "runner": "tenki-standard-large-8c-16g", "docker_platform": "linux/amd64" }] }' @@ -327,7 +327,7 @@ jobs: # create_multi_arch_manifest: # name: Create Multi-Arch Manifest # needs: [determine-build-context, build-and-push-docker] - # runs-on: tenki-standard-medium-4c-8g + # runs-on: tenki-standard-large-8c-16g # # if: | # # needs.build-and-push-docker.result == 'success' && # # needs.determine-build-context.outputs.push_enabled == 'true' @@ -420,7 +420,7 @@ jobs: # call-success-url: # name: Call Success URL # needs: [create_multi_arch_manifest] - # runs-on: tenki-standard-medium-4c-8g + # runs-on: tenki-standard-large-8c-16g # if: needs.create_multi_arch_manifest.result == 'success' || needs.create_multi_arch_manifest.result == 'skipped' # steps: # - name: Call Success URL diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index 1ea5d04b6d5e1..8c446b6a52840 100644 --- a/.github/workflows/security-trivy-scan-callable.yml +++ b/.github/workflows/security-trivy-scan-callable.yml @@ -42,7 +42,7 @@ permissions: jobs: security_scan: name: Security - Scan Docker Image With Trivy - runs-on: tenki-standard-medium-4c-8g + runs-on: tenki-standard-large-8c-16g steps: - name: Download image tar artifact (from caller run) uses: actions/download-artifact@v4 From abaa5faa799f98d08ab03fc121200c53be93ad66 Mon Sep 17 00:00:00 2001 From: Asutosh Panda Date: Fri, 29 Aug 2025 00:45:05 +0530 Subject: [PATCH 26/26] docker-build-and--push: test tenki-standard-large-plus-16c-32g --- .github/workflows/docker-build-push.yml | 12 ++++++------ .github/workflows/security-trivy-scan-callable.yml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml index 9f2f0d442ea22..c688781b856d6 100644 
--- a/.github/workflows/docker-build-push.yml +++ b/.github/workflows/docker-build-push.yml @@ -48,7 +48,7 @@ on: jobs: determine-build-context: name: Determine Build Context - runs-on: tenki-standard-large-8c-16g + runs-on: tenki-standard-large-plus-16c-32g outputs: release_type: ${{ steps.context.outputs.release_type }} n8n_version: ${{ steps.context.outputs.n8n_version }} @@ -129,7 +129,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "tenki-standard-large-8c-16g", + "runner": "tenki-standard-large-plus-16c-32g", "docker_platform": "linux/amd64" }] }' @@ -139,7 +139,7 @@ jobs: # "platform": ["amd64", "arm64"], # "include": [{ # "platform": "amd64", - # "runner": "tenki-standard-large-8c-16g", + # "runner": "tenki-standard-large-plus-16c-32g", # "docker_platform": "linux/amd64" # }, { # "platform": "arm64", @@ -153,7 +153,7 @@ jobs: "platform": ["amd64"], "include": [{ "platform": "amd64", - "runner": "tenki-standard-large-8c-16g", + "runner": "tenki-standard-large-plus-16c-32g", "docker_platform": "linux/amd64" }] }' @@ -327,7 +327,7 @@ jobs: # create_multi_arch_manifest: # name: Create Multi-Arch Manifest # needs: [determine-build-context, build-and-push-docker] - # runs-on: tenki-standard-large-8c-16g + # runs-on: tenki-standard-large-plus-16c-32g # # if: | # # needs.build-and-push-docker.result == 'success' && # # needs.determine-build-context.outputs.push_enabled == 'true' @@ -420,7 +420,7 @@ jobs: # call-success-url: # name: Call Success URL # needs: [create_multi_arch_manifest] - # runs-on: tenki-standard-large-8c-16g + # runs-on: tenki-standard-large-plus-16c-32g # if: needs.create_multi_arch_manifest.result == 'success' || needs.create_multi_arch_manifest.result == 'skipped' # steps: # - name: Call Success URL diff --git a/.github/workflows/security-trivy-scan-callable.yml b/.github/workflows/security-trivy-scan-callable.yml index 8c446b6a52840..d56079e77a378 100644 --- a/.github/workflows/security-trivy-scan-callable.yml 
+++ b/.github/workflows/security-trivy-scan-callable.yml @@ -42,7 +42,7 @@ permissions: jobs: security_scan: name: Security - Scan Docker Image With Trivy - runs-on: tenki-standard-large-8c-16g + runs-on: tenki-standard-large-plus-16c-32g steps: - name: Download image tar artifact (from caller run) uses: actions/download-artifact@v4