diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 6a58165fcf..7c95189c49 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -17,6 +17,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: build: runs-on: ubuntu-22.04 @@ -179,5 +182,8 @@ jobs: tag: ${{ inputs.tag }} version: ${{ needs.build.outputs.version }} image_digest: ${{ needs.build.outputs.image_digest }} + permissions: + contents: read + actions: read secrets: inherit if: ${{ inputs.tag != '' }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d9cb295ac8..fd7a409db5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,10 +11,6 @@ on: branches: - main - release-* - types: - - opened - - reopened - - synchronize schedule: - cron: "0 4 * * *" # run every day at 04:00 UTC @@ -26,6 +22,9 @@ concurrency: group: ${{ github.ref_name }}-ci cancel-in-progress: true +permissions: + contents: read + jobs: checks: name: Checks and variables @@ -86,6 +85,8 @@ jobs: needs: [checks, unit-tests] outputs: release-url: ${{ steps.release-notes.outputs.release-url }} + permissions: + contents: write # for lucacome/draft-release and goreleaser/goreleaser-action to manage releases steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -165,13 +166,16 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Fetch Cached Artifacts uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} + - name: Docker Buildx uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + - name: Build Docker Image ${{ matrix.image }} uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: 
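Review bot: The new job-level `permissions` on the reusable-workflow call in the second build-oss.yml hunk narrows the GITHUB_TOKEN the callee receives, but the adjacent `secrets: inherit` still forwards every repository and organization secret to it, so the token scope-down does not reduce what a step in the called workflow can read. If the called workflow (not in this diff) needs only a fixed set of secrets, passing them explicitly under `secrets:` would match the least-privilege intent of this change. Note also that a caller's `permissions` block is a ceiling for the called workflow, so its own `permissions` must stay within `contents: read` and `actions: read` or the call fails.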
@@ -188,11 +192,13 @@ jobs: secrets: | ${{ contains(matrix.type, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} ${{ contains(matrix.type, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} + - name: Deploy Kubernetes id: k8s run: | kind create cluster --name ${{ github.run_id }} --image=kindest/node:v${{ needs.checks.outputs.k8s_latest }} --wait 75s kind load docker-image ${{ matrix.type }}:${{ github.sha }} --name ${{ github.run_id }} + - name: Install Chart run: > helm install @@ -204,9 +210,11 @@ jobs: --set controller.nginxplus=${{ contains(matrix.type, 'plus') && 'true' || 'false' }} --wait working-directory: ${{ github.workspace }}/deployments/helm-chart + - name: Expose Test Ingresses run: | kubectl port-forward service/${{ matrix.type }}-nginx-ingress-controller 8080:80 8443:443 & + - name: Test HTTP run: | counter=0 @@ -217,6 +225,7 @@ jobs: fi printf '.'; counter=$(($counter+1)); sleep 5; done + - name: Test HTTPS run: | counter=0 @@ -258,8 +267,10 @@ jobs: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Docker Buildx uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + - name: Build Test-Runner Container uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: @@ -281,6 +292,7 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Run Smoke Tests id: smoke-tests uses: ./.github/actions/smoke-tests @@ -291,6 +303,7 @@ jobs: nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} + - name: Upload Test Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: 
@@ -314,6 +327,12 @@ jobs: with: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} + permissions: + contents: read + actions: read + security-events: write + id-token: write + packages: write secrets: inherit build-docker-plus: @@ -335,6 +354,10 @@ jobs: image: ${{ matrix.image }} target: ${{ matrix.target }} release-url: ${{ needs.binaries.outputs.release-url }} + permissions: + contents: read + security-events: write + id-token: write secrets: inherit build-docker-nap: @@ -353,6 +376,10 @@ jobs: image: ${{ matrix.image }} target: ${{ matrix.target }} nap_modules: ${{ matrix.nap_modules }} + permissions: + contents: read + security-events: write + id-token: write secrets: inherit publish-helm: @@ -360,6 +387,8 @@ jobs: runs-on: ubuntu-22.04 needs: [checks, helm-tests] if: ${{ github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-') }} + permissions: + contents: write # for pushing to Helm Charts repository steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f8b7a874ff..8da97a1964 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,5 +1,13 @@ name: "Dependency Review" -on: [pull_request] +on: + pull_request: + branches: + - main + - release-* + +concurrency: + group: ${{ github.ref_name }}-deps-review + cancel-in-progress: true permissions: contents: read @@ -8,8 +16,8 @@ jobs: dependency-review: runs-on: ubuntu-22.04 permissions: - contents: read - pull-requests: write + contents: read # for actions/checkout + pull-requests: write # for actions/dependency-review-action to post comments steps: - name: "Checkout Repository" uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 
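Review bot: The three reusable-workflow callers in ci.yml receive different permission sets — build-docker gets `actions: read` and `packages: write` while build-docker-plus and build-docker-nap do not — and none of these grants carries the `# for <action>` comment this commit adds in dependency-review.yml, issues.yaml and lint.yml. Because the caller's block is the ceiling for the called workflow, the plus/nap jobs will fail with a permissions error if they run the same workflow and it pushes packages; conversely, if build-docker does not publish packages, `packages: write` is wider than needed. The `uses:` lines of these jobs are outside the hunks, so this can only be confirmed against the called workflow. Documenting each grant with its consumer, e.g. `id-token: write # for <action that needs the OIDC token>`, would make the difference read as intentional.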
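Review bot: The `contents: write # for pushing to Helm Charts repository` grant on publish-helm only widens GITHUB_TOKEN for this repository; if the Helm charts live in a separate repository, the push has to be authorised by a separately stored token and this grant buys nothing, whereas if the chart index is pushed to a branch of this repository the comment should say so. The job's steps are outside the hunk, so the diff alone does not show which case applies. Keep `contents: read` unless the push actually uses `secrets.GITHUB_TOKEN`.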
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index f3945b3504..822b33721f 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -11,6 +11,8 @@ concurrency: group: ${{ github.ref_name }}-dockerhub cancel-in-progress: true +permissions: + contents: read jobs: dockerHubDescription: diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 6bb6f10c98..753771538f 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -5,19 +5,18 @@ on: branches: - main paths-ignore: - - 'docs/**' - - 'examples/**' - - '**.md' + - "docs/**" + - "examples/**" + - "**.md" concurrency: group: ${{ github.ref_name }}-fossa cancel-in-progress: true -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: - scan: name: Fossa runs-on: ubuntu-22.04 @@ -25,6 +24,7 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Scan uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 with: diff --git a/.github/workflows/issues.yaml b/.github/workflows/issues.yaml index 33387953e9..ed434bf72c 100644 --- a/.github/workflows/issues.yaml +++ b/.github/workflows/issues.yaml @@ -4,11 +4,17 @@ on: issues: types: [opened] +permissions: + contents: read + jobs: comment: name: Issue comment if: ${{ !github.event.issue.pull_request }} runs-on: ubuntu-22.04 + permissions: + contents: read + issues: write # for actions/github-script to create comments steps: - name: text id: controller 
@@ -16,11 +22,12 @@ jobs: run: | text="\n\n I\'ve parsed the text of your issue and it looks like you might be mixing up the two Ingress Controllers, please take a look at this [page](https://docs.nginx.com/nginx-ingress-controller/intro/nginx-ingress-controllers) to see the differences between \`nginxinc/kubernetes-ingress\` (this repo) and \`kubernetes/ingress-nginx\`." echo "text=$text" >> $GITHUB_OUTPUT + - name: Check if Issue author is Org member id: membercheck uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: - github-token: ${{ secrets.GITHUB_TOKEN }} + retries: 3 script: | let member try { @@ -35,11 +42,12 @@ jobs: member = false } return member + - name: Send message uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 if: steps.membercheck.outputs.result == 'false' with: - github-token: ${{secrets.GITHUB_TOKEN}} + retries: 3 script: | github.rest.issues.createComment({ issue_number: context.issue.number, diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 495e427ac3..924b984d1b 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -9,7 +9,7 @@ jobs: triage: permissions: contents: read - pull-requests: write + pull-requests: write # for actions/labeler to add labels runs-on: ubuntu-22.04 steps: - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index edb6c74020..05be06bcac 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -5,13 +5,9 @@ on: branches: - main paths-ignore: - - 'docs/**' - - 'examples/**' - - '**.md' - types: - - opened - - reopened - - synchronize + - "docs/**" + - "examples/**" + - "**.md" defaults: run: 
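Review bot: Adding `retries: 3` to the membership check does not change its failure path: the catch block visible across the two hunks (`member = false } return member`) still maps an exhausted retry or any other API error to `false`, so a transient GitHub API failure makes the `Send message` step comment on an issue opened by an org member. Dropping the explicit `github-token:` is fine, since github-script defaults to the job's token, which now carries `issues: write`. If that false-positive comment matters, returning a distinct value such as `'error'` from the catch would let the `if: steps.membercheck.outputs.result == 'false'` gate stay silent on errors; the catch body starts outside the hunk.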
@@ -21,18 +17,25 @@ concurrency: group: ${{ github.ref_name }}-lint cancel-in-progress: true -jobs: +permissions: + contents: read +jobs: lint: name: Lint runs-on: ubuntu-22.04 + permissions: + contents: read + pull-requests: read # for golangci-lint-action steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Setup Golang Environment uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: go.mod + - name: Lint Code uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0 with: @@ -44,6 +47,7 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: reviewdog/action-actionlint@7485c2136bd093d2317a854c72910eebaee35238 # v1.37.1 with: actionlint_flags: -shellcheck "" @@ -54,5 +58,6 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Lint chart run: helm lint deployments/helm-chart diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml index 4059f18e04..f28257b155 100644 --- a/.github/workflows/notifications.yml +++ b/.github/workflows/notifications.yml @@ -15,10 +15,16 @@ on: types: - completed +permissions: + contents: read + jobs: on-failure: runs-on: ubuntu-22.04 if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.repository.fork == false }} + permissions: + contents: read + actions: read # for 8398a7/action-slack steps: - name: Data uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 4e7abaa2ec..8ce30056b4 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
@@ -1,29 +1,29 @@ -name: 'Close stale issues and PRs' +name: "Close stale issues and PRs" on: schedule: - - cron: '30 1 * * *' # run every day at 01:30 UTC + - cron: "30 1 * * *" # run every day at 01:30 UTC -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: stale: permissions: - issues: write # for actions/stale to close stale issues - pull-requests: write # for actions/stale to close stale PRs + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-22.04 steps: - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.' - stale-pr-message: 'This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.' - close-issue-message: 'This issue was closed because it has been stalled for 10 days with no activity.' - close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.' - stale-issue-label: 'stale' - stale-pr-label: 'stale' + stale-issue-message: "This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days." + stale-pr-message: "This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days." + close-issue-message: "This issue was closed because it has been stalled for 10 days with no activity." + close-pr-message: "This PR was closed because it has been stalled for 10 days with no activity." 
+ stale-issue-label: "stale" + stale-pr-label: "stale" exempt-all-assignees: true - exempt-issue-labels: 'proposal' + exempt-issue-labels: "proposal" operations-per-run: 100 days-before-stale: 90 days-before-close: 10 diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml index bcd6ec7407..6ab2a022e6 100644 --- a/.github/workflows/sync.yml +++ b/.github/workflows/sync.yml @@ -2,18 +2,23 @@ name: Sync labels on: schedule: - - cron: '8 0 * * 1' # run every Monday at 00:08 UTC + - cron: "8 0 * * 1" # run every Monday at 00:08 UTC workflow_dispatch: concurrency: group: ${{ github.ref_name }}-sync cancel-in-progress: true +permissions: + contents: read + jobs: # This job sync the labels across the various repos labels-sync: runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} + permissions: + contents: write # for micnncim/action-label-syncer strategy: fail-fast: false matrix: @@ -26,6 +31,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Sync Labels uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 with: diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index c958801a18..42cb91506b 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -13,6 +13,9 @@ concurrency: group: ${{ github.ref_name }}-update cancel-in-progress: true +permissions: + contents: read + jobs: variables: name: Get versions of base images 
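Review bot: The `contents: write # for micnncim/action-label-syncer` grant on labels-sync looks wider than the task needs: repository labels are created and updated through the Issues API, which for GITHUB_TOKEN is governed by `issues: write`, not `contents`. The job comment says it syncs labels across several repos, and the `with:` block of the Sync Labels step is outside the hunk, so if the action is given a PAT for the other repositories the workflow token's permissions do not apply at all and `contents: read` would suffice. Confirm which token the step uses and change the grant to `issues: write # for micnncim/action-label-syncer` for the GITHUB_TOKEN case, or drop back to `contents: read` for the PAT case.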
@@ -26,15 +29,18 @@ jobs: uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: fetch-depth: 0 + - name: Set KIC version id: kic run: | tag="$(git tag --sort=-version:refname | head -n1)" echo "tag=${tag//v}" >> $GITHUB_OUTPUT + - name: Checkout Repository at ${{ steps.kic.outputs.tag }} uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: refs/tags/v${{ steps.kic.outputs.tag }} + - name: Set NGINX versions id: versions run: | @@ -42,6 +48,7 @@ jobs: nginx_alpine=library/nginx:$(grep -m1 "FROM.*nginx:.*alpine" < build/Dockerfile | awk -F"[ :]" '{print $3}') nginx_ubi=$(grep -m1 "FROM nginxcontrib/nginx:" < build/Dockerfile | awk -F" " '{print $2}') echo "matrix=[{\"version\": \"${nginx}\", \"distro\": \"debian\"}, {\"version\": \"${nginx_alpine}\", \"distro\": \"alpine\"}, {\"version\": \"${nginx_ubi}\", \"distro\": \"ubi\"}]" >> $GITHUB_OUTPUT + - name: Set other variables id: vars run: | @@ -64,6 +71,7 @@ jobs: run: | if [ ${{ matrix.base_image.distro }} == "debian" ]; then dist=""; else dist="-${{ matrix.base_image.distro }}"; fi echo "tag=${{ needs.variables.outputs.kic-tag }}${dist}" >> $GITHUB_OUTPUT + - name: Check if update available for ${{ matrix.base_image.version }} id: update uses: lucacome/docker-image-update-checker@f50d56412b948cfdbb842c5419372681e0db3df1 # v1.2.1 @@ -72,6 +80,7 @@ jobs: image: nginx/nginx-ingress:${{ steps.dist.outputs.tag }} env: DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }} + - id: needs run: echo "${{ matrix.base_image.distro }}=${{ steps.update.outputs.needs-updating }}" >> $GITHUB_OUTPUT 
@@ -86,13 +95,16 @@ jobs: with: fetch-depth: 0 ref: refs/tags/v${{ needs.variables.outputs.kic-tag }} + - name: Setup Golang Environment uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: go.mod + - name: Determine GOPATH id: go run: echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT + - name: Build binaries uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: @@ -101,6 +113,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ steps.go.outputs.go_path }} + - name: Store Artifacts in Cache uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: @@ -129,12 +142,14 @@ jobs: with: ref: refs/tags/v${{ needs.variables.outputs.kic-tag }} if: ${{ matrix.needs-updating == 'true' }} + - name: Fetch Cached Artifacts uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} if: ${{ matrix.needs-updating == 'true' }} + - name: Run Smoke Tests id: smoke-tests uses: ./.github/actions/smoke-tests @@ -143,6 +158,7 @@ jobs: marker: ${{ matrix.marker }} k8s-version: ${{ needs.variables.outputs.k8s_version }} if: ${{ matrix.needs-updating == 'true' }} + - name: Upload Test Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: diff --git a/.github/workflows/updates-notification.yml b/.github/workflows/updates-notification.yml index db97bd5236..037c046382 100644 --- a/.github/workflows/updates-notification.yml +++ b/.github/workflows/updates-notification.yml 
@@ -17,15 +17,22 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: send-notifications: name: Send Notifications runs-on: ubuntu-22.04 + permissions: + contents: read + actions: read # for 8398a7/action-slack steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: refs/tags/v${{ inputs.tag }} + - name: Get variables for Slack id: slack run: | @@ -33,6 +40,7 @@ jobs: echo "date=$(date +%s)" >> $GITHUB_OUTPUT echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT echo "sha_long=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + - name: Send Notification uses: 8398a7/action-slack@fbd6aa58ba854a740e11a35d0df80cb5d12101d8 # v3.15.1 with: