diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 11bd7cdd..524f7914 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,14 +1,11 @@ version: 2 updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: daily - reviewers: - - "nginxinc/kic" - - package-ecosystem: "docker" - directory: "/docker" + interval: weekly + + - package-ecosystem: docker + directory: /docker schedule: - interval: daily - reviewers: - - "nginxinc/kic" + interval: weekly diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 00000000..dc366d98 --- /dev/null +++ b/.github/labeler.yml @@ -0,0 +1,23 @@ +change: + - head-branch: ['^change/'] + +enhancement: + - head-branch: ['^feature/', '^feat/', '^enhancement/', '^enh/'] + +bug: + - head-branch: ['^fix/', '^bug/'] + +chore: + - head-branch: ['^chore/'] + +tests: + - head-branch: ['^tests/', '^test/'] + - changed-files: 'tests/**/*' + +documentation: + - head-branch: ['^docs/', '^doc/'] + - changed-files: '**/*.md' + +dependencies: + - head-branch: ['^deps/', '^dep/', '^dependabot/'] + - changed-files: ['go.mod', 'go.sum'] diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml deleted file mode 100644 index b4a8a9c0..00000000 --- a/.github/release-drafter.yml +++ /dev/null 
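Review bot: Removing the `reviewers` entries leaves Dependabot PRs with no assigned human reviewer, and `.github/workflows/dependabot-auto-merge.yml` (changed in this same commit) enables auto-merge for every Dependabot PR, so updates can land with only the required status checks as a gate. If that is intended, make the decision explicit with a comment on the `updates:` list, e.g. `# no reviewers: Dependabot PRs auto-merge once required checks pass (see workflows/dependabot-auto-merge.yml)`. Note also that only the `github-actions` and `docker` ecosystems are listed, while labeler.yml treats `go.mod`/`go.sum` as dependency changes; confirm Go module updates are covered by some other mechanism.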
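Review bot: The `head-branch` rules derive labels from the PR's branch name, and `change` and `enhancement` are exactly the labels the new `Create/Update Draft` step in ci.yml uses as `major-label` and `minor-label`, so a contributor's branch name (e.g. `change/...`) feeds into the drafted version bump and changelog category unless a maintainer reviews labels before the release is published. A comment at the top of the file would make that visible: `# labels come from PR branch names and changed paths; verify labels before publishing a release`. Separately, the file mixes scalar forms (`changed-files: 'tests/**/*'` vs `changed-files: ['go.mod', 'go.sum']`) and must match what the pinned actions/labeler v5.0.0-alpha.1 accepts; I believe later v5 releases changed this syntax (`any-glob-to-any-file`), so confirm against that exact version's README.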
@@ -1,69 +0,0 @@ -name-template: 'v$RESOLVED_VERSION' -tag-template: 'v$RESOLVED_VERSION' -categories: - - title: '๐Ÿš€ Features' - labels: - - "enhancement" - - title: '๐Ÿ’ฃ Breaking Change' - labels: - - "change" - - title: '๐Ÿ› Bug Fixes' - labels: - - "bug" - - title: '๐Ÿ“ Documentation' - labels: - - "documentation" - - title: '๐Ÿ”จ Maintenance' - labels: - - "chore" - - title: 'โฌ†๏ธ Dependencies' - labels: - - "dependencies" -version-resolver: - major: - labels: - - 'change' - minor: - labels: - - 'enhancement' - patch: - labels: - - 'bug' - - 'chore' - - 'dependencies' - - 'documentation' - default: patch -exclude-labels: - - 'skip-changelog' -autolabeler: - - label: 'documentation' - files: - - '*.md' - branch: - - '/docs{0,1}\/.+/' - - label: 'chore' - branch: - - '/chore\/.+/' - - label: 'bug' - branch: - - '/fix\/.+/' - title: - - '/fix/i' - - label: 'enhancement' - branch: - - '/enh\/.+/' - - '/enhancement\/.+/' - - '/feat\/.+/' - - '/feature\/.+/' - title: - - '/feat/i' - - label: 'dependencies' - files: - - 'go.mod' - - 'go.sum' - branch: - - '/deps\/.+/' -template: | - ## New in NGINX Plus Go Client v$RESOLVED_VERSION - - $CHANGES diff --git a/.github/release.yml b/.github/release.yml new file mode 100644 index 00000000..ceb3c631 --- /dev/null +++ b/.github/release.yml @@ -0,0 +1,29 @@ +changelog: + exclude: + labels: + - skip changelog + categories: + - title: ๐Ÿ’ฃ Breaking Changes + labels: + - change + - title: ๐Ÿš€ Features + labels: + - enhancement + - title: ๐Ÿ› Bug Fixes + labels: + - bug + - title: ๐Ÿงช Tests + labels: + - tests + - title: ๐Ÿ”จ Maintenance + labels: + - chore + - title: ๐Ÿ“ Documentation + labels: + - documentation + - title: โฌ†๏ธ Dependencies + labels: + - dependencies + - title: Other Changes + labels: + - "*" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 24195eef..be6de2c8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
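Review bot: `exclude.labels` lists `skip changelog` (with a space), while the release-drafter config this commit deletes excluded `skip-changelog` (hyphenated); if the repository's existing label is the hyphenated one, the exclusion will never match and those PRs will fall through to `Other Changes` via the `"*"` catch-all. Use whichever spelling the label actually has, e.g. `- skip-changelog`, or create the new label and retire the old one.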
@@ -4,38 +4,41 @@ on: push: branches: - main - paths-ignore: - - '**.md' - - 'LICENSE' tags: - - 'v[0-9]+.[0-9]+.[0-9]+' + - "v[0-9]+.[0-9]+.[0-9]+" pull_request: branches: - main - paths-ignore: - - '**.md' - - 'LICENSE' schedule: - - cron: '0 5 * * *' + - cron: "0 5 * * *" # runs every day at 5am UTC env: - DOCKER_BUILDKIT: 1 DOCKER_NETWORK: ${{ github.run_id }} DOCKER_NETWORK_ALIAS: nginx-plus-test DOCKER_NGINX_PLUS: nginx-plus-${{ github.run_id }} DOCKER_NGINX_PLUS_HELPER: nginx-plus-helper-${{ github.run_id }} -jobs: +concurrency: + group: ${{ github.ref_name }}-ci + cancel-in-progress: true + +permissions: + contents: read +jobs: build: name: Build Client runs-on: ubuntu-22.04 + permissions: + contents: write if: ${{ github.event.repository.fork == false }} steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Determine NGINX Plus version run: echo "NGINX_PLUS_VERSION=$(cat Makefile | grep -m1 NGINX_PLUS_VERSION | cut -d "=" -f2)" >> $GITHUB_ENV + - name: Switch Repository (Nightly) if: (github.event_name == 'schedule') run: | @@ -44,13 +47,15 @@ jobs: sed -i "17i sed -i 's|pkgs|pkgs-test|g' /etc/apt/apt.conf.d/90pkgs-nginx" docker/Dockerfile sed -i 's|deb https|deb [trusted=yes] https|g' docker/Dockerfile sed -i 's|\${NGINX_PLUS_VERSION^^}/||g' docker/Dockerfile + - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + - name: Build Plus Docker Image - uses: docker/build-push-action@v4 + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: docker/Dockerfile - context: 'docker' + context: "docker" tags: nginx-plus:${{ env.NGINX_PLUS_VERSION }} cache-from: type=gha cache-to: type=gha,mode=max 
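Review bot: `permissions: contents: write` is now granted job-wide to `build`, so every step — including `make test` and the Docker build that receives `NGINX_CRT`/`NGINX_KEY` — runs with a token that can write to the repository, although only the `Create/Update Draft` and `Run GoReleaser` steps in the following hunk (gated to `push`/tag) need it. Keeping the release steps in their own job with `needs: build` (as the removed `release` job did) would let `build` stay at `contents: read` and confine the write token to the tag-triggered path. The hunk also drops `paths-ignore` for `**.md`/`LICENSE`, so documentation-only pushes now run the full Docker build; if intentional, a short comment on `push:` would save the next reader the question.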
@@ -58,38 +63,34 @@ jobs: secrets: | "nginx-repo.crt=${{ secrets.NGINX_CRT }}" "nginx-repo.key=${{ secrets.NGINX_KEY }}" - build-args: - NGINX_PLUS_VERSION=${{ env.NGINX_PLUS_VERSION }} + build-args: NGINX_PLUS_VERSION=${{ env.NGINX_PLUS_VERSION }} + - name: Test Client if: (github.event_name != 'schedule') run: make test + - name: Test Client (Nightly) if: (github.event_name == 'schedule') run: make test env: NGINX_PLUS_VERSION: nightly - release: - name: Release - runs-on: ubuntu-22.04 - if: ${{ startsWith(github.ref, 'refs/tags/') }} - needs: build - steps: - - name: Checkout Repository - uses: actions/checkout@v3 + - name: Create/Update Draft + uses: lucacome/draft-release@f6dc37dcdf44be100a649b72c62c628776750190 # v0.2.2 + id: release-notes with: - fetch-depth: 0 - - name: Publish Release Notes - uses: release-drafter/release-drafter@v5 - with: - publish: true - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + minor-label: "enhancement" + major-label: "change" + publish: ${{ github.ref_type == 'tag' }} + collapse-after: 50 + if: ${{ github.event_name == 'push' }} + - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v4 + uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: version: latest - args: release --rm-dist + args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_COMMUNITY }} + if: ${{ github.ref_type == 'tag' }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 64dca2b3..15af30d6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
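Review bot: Style: the two new step-level `if:` conditions (`Create/Update Draft`, `Run GoReleaser`) are placed after `with:`/`env:`, whereas every other conditional step in this file (`Switch Repository (Nightly)`, `Test Client`, `Test Client (Nightly)`) puts `if:` directly under `name:`; moving them up makes the gating visible before the step configuration. Also worth a comment on the draft step: `# publish only on tag pushes; branch pushes just refresh the draft`, since the `publish:` expression and the step `if:` together encode that and it is easy to misread.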
@@ -1,67 +1,73 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# name: "CodeQL" on: push: - branches: [ main ] + branches: + - main pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: + - main schedule: - - cron: '33 16 * * 3' + - cron: "33 16 * * 3" # run every Wednesday at 16:33 UTC + +concurrency: + group: ${{ github.ref_name }}-codeql + cancel-in-progress: true + +permissions: + contents: read jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 + permissions: + actions: read + contents: read + security-events: write strategy: fail-fast: false matrix: - language: [ 'go' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + language: ["go"] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - - name: Checkout repository - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 - # โ„น๏ธ Command-line programs to run using the OS shell. - # ๐Ÿ“š https://git.io/JvXDl + # โ„น๏ธ Command-line programs to run using the OS shell. 
+ # ๐Ÿ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # โœ๏ธ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - #- run: | - # make bootstrap - # make release + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 7084cacb..f3171a6e 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -1,16 +1,22 @@ name: Dependabot auto-merge + on: pull_request_target + permissions: - pull-requests: write - contents: write + contents: read + jobs: dependabot: runs-on: ubuntu-22.04 + permissions: + pull-requests: write + contents: write if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} steps: - name: Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@v1.6.0 + - name: Enable auto-merge for Dependabot PRs run: gh pr merge --auto --squash "$PR_URL" env: diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 6f915ec1..56bd5a55 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml 
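Review bot: `actions/checkout@v3` and the three `github/codeql-action/*@v2` references remain pinned to mutable tags, while this same commit moves every other workflow (ci.yml, fossa.yml, lint.yml, notifications.yml, stale.yml) to full commit SHAs with a `# vX.Y.Z` comment. Pin these the same way for consistency and tamper resistance, e.g. `uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3` as already used in ci.yml; the codeql-action SHAs are not on this page and would need to be looked up. The job-level `security-events: write` together with the top-level `contents: read` is the right split for uploading results.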
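Review bot: `dependabot/fetch-metadata@v1.6.0` is the only action in this workflow still referenced by tag, inside a `pull_request_target` job that holds `contents: write` and `pull-requests: write`; a job running with a write token on PR events is the one most worth pinning to a commit SHA like the rest of this commit does. The metadata step's outputs (for example the update type) are not visibly used to gate the merge step, so major version bumps would be auto-merged as well — if that is intended, a comment on `Enable auto-merge for Dependabot PRs` saying so would help; that step's `env:` continues outside the hunk. The authorization gate is `github.event.pull_request.user.login == 'dependabot[bot]'`; GitHub's own example for this pattern uses `github.actor == 'dependabot[bot]'`, which is worth confirming as the intended check for this trigger.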
@@ -5,17 +5,25 @@ on: branches: - main paths-ignore: - - '**.md' + - "**.md" -jobs: +concurrency: + group: ${{ github.ref_name }}-fossa + cancel-in-progress: true + +permissions: + contents: read +jobs: scan: name: Fossa runs-on: ubuntu-22.04 + if: ${{ github.event.repository.fork == false }} steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Scan - uses: fossas/fossa-action@v1 + uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 with: api-key: ${{ secrets.FOSSA_TOKEN }} diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml new file mode 100644 index 00000000..924b984d --- /dev/null +++ b/.github/workflows/labeler.yml @@ -0,0 +1,17 @@ +name: "Pull Request Labeler" +on: + - pull_request_target + +permissions: + contents: read + +jobs: + triage: + permissions: + contents: read + pull-requests: write # for actions/labeler to add labels + runs-on: ubuntu-22.04 + steps: + - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index dab6e3b1..5f5586d0 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
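Review bot: `actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1` pins a pre-release inside a `pull_request_target` job holding `pull-requests: write`; a pre-release may change its config syntax or behaviour before GA, so record the reason and the plan, e.g. `# pre-release pinned (presumably for head-branch rules); move to the v5.0.0 SHA once released`. The workflow does not check out PR code, which is what keeps `pull_request_target` safe here — a comment above `steps:` such as `# do not add a checkout of the PR head: this trigger runs with a write token` would protect that invariant against future edits.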
@@ -5,31 +5,39 @@ on: branches: - main paths-ignore: - - '**.md' - - 'LICENSE' - types: - - opened - - reopened - - synchronize + - "**.md" + - "LICENSE" -defaults: - run: - shell: bash +concurrency: + group: ${{ github.ref_name }}-lint + cancel-in-progress: true -jobs: +permissions: + contents: read +jobs: lint: name: Lint runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@v3 - - name: Output Variables - id: vars - run: echo "::set-output name=go_version::$(grep "go 1." go.mod | cut -d " " -f 2)" + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Setup Golang Environment - uses: actions/setup-go@v4 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: - go-version: ${{ steps.vars.outputs.go_version }} + go-version-file: go.mod + - name: Lint Code - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0 + + actionlint: + name: Actionlint + runs-on: ubuntu-22.04 + steps: + - name: Checkout Repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - uses: reviewdog/action-actionlint@7485c2136bd093d2317a854c72910eebaee35238 # v1.37.1 + with: + actionlint_flags: -shellcheck "" diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml index 9e05b1db..cebbaf00 100644 --- a/.github/workflows/notifications.yml +++ b/.github/workflows/notifications.yml 
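Review bot: `actionlint_flags: -shellcheck ""` turns off actionlint's shellcheck integration, so `run:` scripts such as ci.yml's `cat Makefile | grep ... >> $GITHUB_ENV` (unquoted `$GITHUB_ENV`) are not checked; if shellcheck is too noisy here, say why inline, e.g. `actionlint_flags: -shellcheck ""  # shellcheck disabled: <reason>`, otherwise drop the flag so shell steps get linted. Also `golangci/golangci-lint-action` is given no `version:` input, so the linter version is whatever that action release defaults to — adding `version:` would make lint results reproducible across runs.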
@@ -11,13 +11,19 @@ on: types: - completed +permissions: + contents: read + jobs: on-failure: runs-on: ubuntu-22.04 - if: ${{ github.event.workflow_run.conclusion == 'failure' }} + if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.repository.fork == false }} + permissions: + contents: read + actions: read # for 8398a7/action-slack steps: - name: Data - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 continue-on-error: true id: data with: @@ -38,7 +44,7 @@ jobs: } - name: Send Notification - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@fbd6aa58ba854a740e11a35d0df80cb5d12101d8 # v3.15.1 with: status: custom custom_payload: | diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml deleted file mode 100644 index cd79a3df..00000000 --- a/.github/workflows/release-drafter.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: Release Drafter - -on: - push: - branches: - - main - pull_request: - types: [opened, reopened, synchronize] - -jobs: - update_release_draft: - runs-on: ubuntu-22.04 - steps: - - uses: release-drafter/release-drafter@v5 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 0f03949d..038bc50e 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
@@ -1,20 +1,26 @@ -name: 'Close stale issues and PRs' +name: "Close stale issues and PRs" on: schedule: - - cron: '30 1 * * *' + - cron: "30 1 * * *" + +permissions: + contents: read jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-22.04 steps: - - uses: actions/stale@v8 + - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.' - stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.' - close-issue-message: 'This issue was closed because it has been stalled for 7 days with no activity.' - close-pr-message: 'This PR was closed because it has been stalled for 7 days with no activity.' - stale-issue-label: 'stale' - stale-pr-label: 'stale' + stale-issue-message: "This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days." + stale-pr-message: "This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days." + close-issue-message: "This issue was closed because it has been stalled for 7 days with no activity." + close-pr-message: "This PR was closed because it has been stalled for 7 days with no activity." + stale-issue-label: "stale" + stale-pr-label: "stale" exempt-all-pr-assignees: true operations-per-run: 100