diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 00000000..ae06fcf0
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,18 @@
+enhancement:
+ - head-branch: ['^feature/', '^feat/', '^enhancement/', '^enh/']
+
+bug:
+ - head-branch: ['^fix/', '^bug/']
+
+chore:
+ - head-branch: ['^chore/']
+
+tests:
+ - head-branch: ['^tests/', '^test/']
+
+documentation:
+ - head-branch: ['^docs/', '^doc/']
+ - changed-files: '**/*.md'
+
+dependencies:
+ - head-branch: ['^deps/', '^dep/', '^dependabot/']
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
deleted file mode 100644
index c3c00126..00000000
--- a/.github/release-drafter.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-name-template: 'v$RESOLVED_VERSION'
-tag-template: 'v$RESOLVED_VERSION'
-categories:
- - title: '๐Ÿš€ Features'
- labels:
- - "enhancement"
- - title: '๐Ÿ’ฃ Breaking Change'
- labels:
- - "change"
- - title: '๐Ÿ› Bug Fixes'
- labels:
- - "bug"
- - title: '๐Ÿ“ Documentation'
- labels:
- - "documentation"
- - title: '๐Ÿ”จ Maintenance'
- labels:
- - "chore"
- - title: 'โฌ†๏ธ Dependencies'
- labels:
- - "dependencies"
-version-resolver:
- major:
- labels:
- - 'change'
- minor:
- labels:
- - 'enhancement'
- patch:
- labels:
- - 'bug'
- - 'chore'
- - 'dependencies'
- - 'documentation'
- default: patch
-exclude-labels:
- - 'skip-changelog'
-autolabeler:
- - label: 'documentation'
- files:
- - '*.md'
- branch:
- - '/docs{0,1}\/.+/'
- - label: 'chore'
- branch:
- - '/chore\/.+/'
- - label: 'bug'
- branch:
- - '/fix\/.+/'
- title:
- - '/fix/i'
- - label: 'enhancement'
- branch:
- - '/enh\/.+/'
- - '/enhancement\/.+/'
- - '/feat\/.+/'
- - '/feature\/.+/'
-template: |
- ## New in NGINX Ingress Operator v$RESOLVED_VERSION
-
- $CHANGES
-
- ## Compatibility
-
- - NGINX Ingress Controller NIC_VERSION_REPLACE_ME!
- - OpenShift 4.5 or newer.
diff --git a/.github/release.yml b/.github/release.yml
new file mode 100644
index 00000000..ceb3c631
--- /dev/null
+++ b/.github/release.yml
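Review bot: Every label in this file is inferred from data the PR author controls — the head-branch name, and for `documentation` a `**/*.md` path match — and the file is consumed by a `pull_request_target` workflow added later in this commit, so these labels are fine for triage but must never be used elsewhere as a condition for a privileged step. A header comment would make that explicit: `# Labels below are inferred from author-controlled data (branch name, changed paths); treat them as hints, never as an authorization signal.` It would also help to name the consuming action and the config syntax it expects (`head-branch` / `changed-files`) at the top, since the workflow currently points at a fork rather than actions/labeler.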
@@ -0,0 +1,29 @@
+changelog:
+ exclude:
+ labels:
+ - skip changelog
+ categories:
+ - title: ๐Ÿ’ฃ Breaking Changes
+ labels:
+ - change
+ - title: ๐Ÿš€ Features
+ labels:
+ - enhancement
+ - title: ๐Ÿ› Bug Fixes
+ labels:
+ - bug
+ - title: ๐Ÿงช Tests
+ labels:
+ - tests
+ - title: ๐Ÿ”จ Maintenance
+ labels:
+ - chore
+ - title: ๐Ÿ“ Documentation
+ labels:
+ - documentation
+ - title: โฌ†๏ธ Dependencies
+ labels:
+ - dependencies
+ - title: Other Changes
+ labels:
+ - "*"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d61c48ff..8c27664b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,23 +4,11 @@ on:
 push:
 branches:
 - main
- paths-ignore:
- - 'docs/**'
- - 'examples/**'
- - '**.md'
 tags:
 - 'v[0-9]+.[0-9]+.[0-9]+'
 pull_request:
 branches:
 - main
- types:
- - opened
- - reopened
- - synchronize
- paths-ignore:
- - 'docs/**'
- - 'examples/**'
- - '**.md'
 env:
 platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
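Review bot: The excluded label is spelled `skip changelog` (with a space), whereas the release-drafter config this commit deletes excluded `skip-changelog`; if the repository's existing label still carries the hyphen, PRs tagged with it will now land under "Other Changes" instead of being dropped from the notes. Either rename the label in the repository or change the entry to `- skip-changelog`. A one-line comment above `exclude:` naming the repository label it must match would keep the two from drifting apart again.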
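Review bot: Dropping `paths-ignore` from both the `push` and `pull_request` triggers means a change touching only `docs/`, `examples/` or Markdown now runs the full multi-arch build and, on `main`, pushes images to every configured registry; if that is deliberate — presumably so each merge refreshes the release draft — a comment on the `push:` trigger should say so, e.g. `# no paths-ignore: every push to main must rebuild so the release draft stays current`, or the next maintainer will reinstate the filter. Removing the explicit `types:` list is a no-op, since `opened`, `synchronize` and `reopened` are the default `pull_request` activity types.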
@@ -32,46 +20,57 @@ concurrency:
 jobs:
 build:
 name: Build Image
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read # for docker/build-push-action to read repo content
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ packages: write # for docker/build-push-action to push to GHCR
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+
 - name: DockerHub Login
- uses: docker/login-action@v2
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
 if: github.event_name != 'pull_request'
+
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 if: github.event_name != 'pull_request'
+
 - name: Login to Quay.io
- uses: docker/login-action@v2
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
 with:
 registry: quay.io
 username: ${{ secrets.QUAY_USERNAME }}
 password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 if: github.event_name != 'pull_request'
+
 - name: Setup QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
 with:
 platforms: arm64,ppc64le,s390x
 if: github.event_name != 'pull_request'
+
 - name: Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+
 - name: Output Variables
 id: vars
 run: |
 echo "version=$(git describe --tags)" >> $GITHUB_OUTPUT
+ echo "chart_version=$(yq '.appVersion' > $GITHUB_OUTPUT
+ echo "openshift_version=$(yq '.annotations["com.redhat.openshift.versions"]' > $GITHUB_OUTPUT
+
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0
 with:
 images: |
 nginx/nginx-ingress-operator
@@ -91,8 +90,9 @@ jobs:
 release=1
 summary="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
 description="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
+
 - name: Build Image
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
 with:
 context: '.'
 cache-from: type=gha
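Review bot: The new `permissions` block grants the build job only `contents: read`, but the Create/Update Draft step added in the next hunk of this file (`lucacome/draft-release`) creates or updates a GitHub release with the default token, which needs `contents: write`; unless a wider-scoped token is supplied somewhere outside these hunks, that step will be rejected on pushes to `main`. Replace the read line with `contents: write # for lucacome/draft-release to create/update the release draft (also covers checkout)`. Separately, the checkout step loses `fetch-depth: 0` while the Output Variables step still runs `git describe --tags`, which on a default shallow checkout of `main` has no tags to describe and leaves the `version` output empty; restore `with:` / `fetch-depth: 0` on the checkout unless that output is no longer consumed. The two added `yq` lines also read here as `$(yq '.appVersion' > $GITHUB_OUTPUT`, with no input file and a single `>` that would overwrite what the first `echo` wrote — if that is not merely an artefact of how the diff was rendered, they need the file argument, the closing `)"` and `>>`.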
@@ -104,23 +104,43 @@ jobs:
 push: ${{ github.event_name != 'pull_request' }}
 no-cache: ${{ github.event_name != 'pull_request' }}
 pull: true
+ sbom: ${{ github.event_name != 'pull_request' }}
+ provenance: false
+
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.10.0
+ uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
 continue-on-error: true
 with:
 image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
 format: 'sarif'
 output: 'trivy-results.sarif'
 ignore-unfixed: 'true'
+
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
 continue-on-error: true
 with:
 sarif_file: 'trivy-results.sarif'
+
 - name: Upload Scan Results
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 continue-on-error: true
 with:
 name: 'trivy-results.sarif'
 path: 'trivy-results.sarif'
 if: always()
+
+ - name: Create/Update Draft
+ uses: lucacome/draft-release@b79be3ff634f771230b2b6ee9f47308c5793671a # v0.2.0
+ with:
+ minor-label: 'enhancement'
+ major-label: 'change'
+ variables: |
+ nic_version=${{ steps.vars.outputs.chart_version }}
+ openshift_version=${{ steps.vars.outputs.openshift_version }}
+ notes-footer: |
+ ## Compatibility
+
+ - NGINX Ingress Controller {{nic_version}}
+ - OpenShift {{openshift_version}} or newer.
+ if: github.event_name != 'pull_request'
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
index 83d1c30f..2b82b151 100644
--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
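Review bot: `provenance: false` on the Build Image step turns off the provenance attestation that buildx would otherwise attach to the pushed image, while `sbom` is switched on for the very same non-PR builds, and nothing on the line records why the two settings point in opposite directions; a comment such as `provenance: false # <reason — e.g. a consumer that cannot handle attestation manifests; confirm>` keeps a later maintainer from re-enabling it blindly or from assuming the published images carry provenance. The Trivy scan and both uploads keep their pre-existing `continue-on-error: true`, so after this hunk findings are still purely informational; if that is the intent, stating it on the scanner step (`# visibility only: findings are uploaded to the Security tab but never fail the build`) would make it clear to anyone reading the SARIF results.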
@@ -13,15 +13,15 @@ concurrency:
 jobs:
 dockerHubDescription:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 - name: Modify readme for DockerHub
 run: |
 sed -i '1,2d' README.md
 - name: Docker Hub Description
- uses: peter-evans/dockerhub-description@v3
+ uses: peter-evans/dockerhub-description@579f64ca0abced29dbbc44ab4c6a0b9e33ab3588 # v3.4.1
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
new file mode 100644
index 00000000..193299b2
--- /dev/null
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,15 @@
+name: "Pull Request Labeler"
+on:
+- pull_request_target
+
+jobs:
+ triage:
+ permissions:
+ contents: read
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: joshdales/labeler@a256a58edf82de10195c71e2666c7fcd645b6e97 # if https://github.com/actions/labeler/pull/203 is merged, use the official action actions/labeler
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
+ sync-labels: true
diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml
index df291778..99c117bf 100644
--- a/.github/workflows/notifications.yml
+++ b/.github/workflows/notifications.yml
@@ -11,11 +11,11 @@ on:
 jobs:
 on-failure:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-22.04
 if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.repository.fork == false }}
 steps:
 - name: Data
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
 continue-on-error: true
 id: data
 with:
@@ -36,7 +36,7 @@ jobs:
 }
 - name: Send Notification
- uses: 8398a7/action-slack@v3
+ uses: 8398a7/action-slack@fbd6aa58ba854a740e11a35d0df80cb5d12101d8 # v3.15.1
 with:
 status: custom
 custom_payload: |
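Review bot: The new labeler workflow runs on `pull_request_target`, so for PRs from forks it executes in the base repository with a `GITHUB_TOKEN` that has `pull-requests: write`; it is safe as written only because it never checks out or executes anything from the PR head, and that invariant is not recorded anywhere in the file. A comment above `on:` would protect it: `# pull_request_target runs with the base repo's token on fork PRs — never add a checkout of the PR head or run PR-supplied code in this job`. The job also uses `runs-on: ubuntu-latest` while every other workflow touched by this commit pins `ubuntu-22.04`; the same pin here would keep them consistent. Likewise the `on:` list is written flush with its key (`- pull_request_target`) while the other workflows indent sequence items, so two indentation styles now coexist in `.github/workflows`.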
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
deleted file mode 100644
index 55914008..00000000
--- a/.github/workflows/release-drafter.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-name: Release Drafter
-
-on:
- push:
- branches:
- - main
- pull_request:
- types: [opened, reopened, synchronize]
-
-jobs:
- update_release_draft:
- runs-on: ubuntu-20.04
- steps:
- - uses: release-drafter/release-drafter@v5
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index f949a531..bd2461be 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,9 +5,12 @@ on:
 jobs:
 stale:
- runs-on: ubuntu-20.04
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
+ runs-on: ubuntu-22.04
 steps:
- - uses: actions/stale@v8
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'