From 25db78b84cf4baa384a8837db6cad503f2d3e439 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Jul 2024 08:23:17 +0000 Subject: [PATCH] Bump the actions group across 1 directory with 2 updates (#5904) Bumps the actions group with 2 updates in the / directory: [lucacome/draft-release](https://github.com/lucacome/draft-release) and [github/codeql-action](https://github.com/github/codeql-action). Updates `lucacome/draft-release` from 1.0.0 to 1.1.0 - [Release notes](https://github.com/lucacome/draft-release/releases) - [Commits](https://github.com/lucacome/draft-release/compare/v1.0.0...8a63d32c79a171ae6048e614a8988f0ac3ed56d4) Updates `github/codeql-action` from 3.25.10 to 3.25.11 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/23acc5c183826b7a8a97bce3cecc52db901f8251...b611370bb5703a7efb587f9d136a52ea24c5c38c) --- updated-dependencies: - dependency-name: lucacome/draft-release dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 6 +- .github/workflows/image-promotion.yml | 303 ++++++++++++++++++++++++++ .github/workflows/scorecards.yml | 2 +- 3 files changed, 307 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0d3b8874c1..cf324f5a29 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -70,7 +70,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -89,7 +89,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -102,6 +102,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index bba93a719b..32e5e3cde5 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -394,3 +394,306 @@ jobs: image: quay.io/nginx/nginx-ingress:edge-ubi project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} + + scan-docker-oss: + name: Scan Docker OSS + runs-on: ubuntu-22.04 + needs: [checks] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Make directory for security scan results + id: directory + run: | + directory=${{ matrix.image }}-${{ matrix.target }}-results + echo "directory=${directory}" >> $GITHUB_OUTPUT + mkdir -p "${directory}" + + - name: Docker meta + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + context: workflow + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress + flavor: | + suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }} + tags: | + type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 + continue-on-error: true + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: "sarif" + output: "${{ steps.directory.outputs.directory }}/trivy.sarif" + ignore-unfixed: "true" + + - name: DockerHub Login for Docker Scount + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Run Docker Scout vulnerability scanner + id: docker-scout + uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0 + with: + command: cves,recommendations + image: ${{ steps.meta.outputs.tags }} + ignore-base: true + only-fixed: true + sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" + write-comment: false + github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment + summary: true + + - name: Upload Scan Results to Github Artifacts + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" + path: "${{ steps.directory.outputs.directory }}/" + overwrite: true + + - name: Upload Scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + with: + sarif_file: "${{ steps.directory.outputs.directory }}/" + + scan-docker-plus: + name: Scan Docker Plus + runs-on: ubuntu-22.04 + needs: [checks] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Make directory for security scan results + id: directory + run: | + directory=${{ matrix.image }}-${{ matrix.target }}-results + echo "directory=${directory}" >> $GITHUB_OUTPUT + mkdir -p "${directory}" + + - name: Docker meta + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + context: workflow + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress + flavor: | + suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} + tags: | + type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 + continue-on-error: true + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: "sarif" + output: "${{ steps.directory.outputs.directory }}/trivy.sarif" + ignore-unfixed: "true" + + - name: DockerHub Login for Docker Scount + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Run Docker Scout vulnerability scanner + id: docker-scout + uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0 + with: + command: cves,recommendations + image: ${{ steps.meta.outputs.tags }} + ignore-base: true + only-fixed: true + sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" + write-comment: false + github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment + summary: true + + - name: Upload Scan Results to Github Artifacts + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" + path: "${{ steps.directory.outputs.directory }}/" + overwrite: true + + - name: Upload Scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + with: + sarif_file: "${{ steps.directory.outputs.directory }}/" + + scan-docker-nap: + name: Scan Docker Plus + NAP WAF/DOS + runs-on: ubuntu-22.04 + needs: [checks] + permissions: + contents: read + id-token: write + security-events: write + if: ${{ !cancelled() && !failure() }} + strategy: + fail-fast: false + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Make directory for security scan results + id: directory + run: | + directory=${{ matrix.image }}-${{ matrix.target }}-results + echo "directory=${directory}" >> $GITHUB_OUTPUT + mkdir -p "${directory}" + + - name: Docker meta + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + context: workflow + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress + flavor: | + suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}} + tags: | + type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }} + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 + continue-on-error: true + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: "sarif" + output: "${{ steps.directory.outputs.directory }}/trivy.sarif" + ignore-unfixed: "true" + + - name: DockerHub Login for Docker Scount + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Run Docker Scout vulnerability scanner + id: docker-scout + uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0 + with: + command: cves,recommendations + image: ${{ steps.meta.outputs.tags }} + ignore-base: true + only-fixed: true + sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif" + write-comment: false + github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment + summary: true + + - name: Upload Scan Results to Github Artifacts + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" + path: "${{ steps.directory.outputs.directory }}/" + overwrite: true + + - name: Upload Scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + with: + sarif_file: "${{ steps.directory.outputs.directory }}/" + + update-release-draft: + name: Update Release Draft + runs-on: ubuntu-22.04 + needs: [checks] + permissions: + contents: read + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Create/Update Draft + uses: lucacome/draft-release@8a63d32c79a171ae6048e614a8988f0ac3ed56d4 # v1.1.0 + id: release-notes + with: + minor-label: "enhancement" + major-label: "change" + publish: false + collapse-after: 50 + variables: | + helm-chart=${{ needs.checks.outputs.chart_version }} + notes-footer: | + ## Upgrade + - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). + - For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking), [Azure Marketplace](https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/category/containers?page=1&search=f5&subcategories=container-apps) or build your own image using the {{version}} source code. + - For Helm, use version {{helm-chart}} of the chart. + + ## Resources + - Documentation -- https://docs.nginx.com/nginx-ingress-controller/ + - Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples + - Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart + - Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator + if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index b437936556..6bcbf21608 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: sarif_file: results.sarif