Update workflows

.github/labeler.yml

@@ -0,0 +1,18 @@
+enhancement:
+  - head-branch: ['^feature/', '^feat/', '^enhancement/', '^enh/']
+
+bug:
+  - head-branch: ['^fix/', '^bug/']
+
+chore:
+  - head-branch: ['^chore/']
+
+tests:
+  - head-branch: ['^tests/', '^test/']
+
+documentation:
+  - head-branch: ['^docs/', '^doc/']
+  - changed-files: '**/*.md'
+
+dependencies:
+  - head-branch: ['^deps/', '^dep/', '^dependabot/']

.github/release.yml

@@ -0,0 +1,29 @@
+changelog:
+  exclude:
+    labels:
+      - skip changelog
+  categories:
+    - title: 💣 Breaking Changes
+      labels:
+        - change
+    - title: 🚀 Features
+      labels:
+        - enhancement
+    - title: 🐛 Bug Fixes
+      labels:
+        - bug
+    - title: 🧪 Tests
+      labels:
+        - tests
+    - title: 🔨 Maintenance
+      labels:
+        - chore
+    - title: 📝 Documentation
+      labels:
+        - documentation
+    - title: ⬆️ Dependencies
+      labels:
+        - dependencies
+    - title: Other Changes
+      labels:
+        - "*"

.github/workflows/ci.yml

@@ -4,23 +4,11 @@ on:
   push:
     branches:
       - main
-    paths-ignore:
-      - 'docs/**'
-      - 'examples/**'
-      - '**.md'
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+'
   pull_request:
     branches:
       - main
-    types:
-      - opened
-      - reopened
-      - synchronize
-    paths-ignore:
-      - 'docs/**'
-      - 'examples/**'
-      - '**.md'
 
 env:
   platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
@@ -32,46 +20,57 @@ concurrency:
 jobs:
   build:
     name: Build Image
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read # for docker/build-push-action to read repo content
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      packages: write # for docker/build-push-action to push to GHCR
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+
       - name: DockerHub Login
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
         if: github.event_name != 'pull_request'
+
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
         if: github.event_name != 'pull_request'
+
       - name: Login to Quay.io
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_ROBOT_TOKEN }}
         if: github.event_name != 'pull_request'
+
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
         with:
           platforms: arm64,ppc64le,s390x
         if: github.event_name != 'pull_request'
+
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+
       - name: Output Variables
         id: vars
         run: |
           echo "version=$(git describe --tags)" >> $GITHUB_OUTPUT
+          echo "chart_version=$(yq '.appVersion' <helm-charts/nginx-ingress/Chart.yaml)" >> $GITHUB_OUTPUT
+          echo "openshift_version=$(yq '.annotations["com.redhat.openshift.versions"]' <bundle/metadata/annotations.yaml | cut -dv -f2)" >> $GITHUB_OUTPUT
+
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0
         with:
           images: |
             nginx/nginx-ingress-operator
@@ -91,8 +90,9 @@ jobs:
             release=1
             summary="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
             description="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
+
       - name: Build Image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
         with:
           context: '.'
           cache-from: type=gha
@@ -104,23 +104,43 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           no-cache: ${{ github.event_name != 'pull_request' }}
           pull: true
+          sbom: ${{ github.event_name != 'pull_request' }}
+          provenance: false
+
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/[email protected]
+        uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
         continue-on-error: true
         with:
           image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
           format: 'sarif'
           output: 'trivy-results.sarif'
           ignore-unfixed: 'true'
+
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
         continue-on-error: true
         with:
           sarif_file: 'trivy-results.sarif'
+
       - name: Upload Scan Results
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         continue-on-error: true
         with:
           name: 'trivy-results.sarif'
           path: 'trivy-results.sarif'
         if: always()
+
+      - name: Create/Update Draft
+        uses: lucacome/draft-release@b79be3ff634f771230b2b6ee9f47308c5793671a # v0.2.0
+        with:
+          minor-label: 'enhancement'
+          major-label: 'change'
+          variables: |
+            nic_version=${{ steps.vars.outputs.chart_version }}
+            openshift_version=${{ steps.vars.outputs.openshift_version }}
+          notes-footer: |
+            ## Compatibility
+
+            - NGINX Ingress Controller {{nic_version}}
+            - OpenShift {{openshift_version}} or newer.
+        if: github.event_name != 'pull_request'

.github/workflows/dockerhub-description.yml

@@ -13,15 +13,15 @@ concurrency:
 
 jobs:
   dockerHubDescription:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Modify readme for DockerHub
         run: |
           sed -i '1,2d' README.md
       - name: Docker Hub Description
-        uses: peter-evans/dockerhub-description@v3
+        uses: peter-evans/dockerhub-description@579f64ca0abced29dbbc44ab4c6a0b9e33ab3588 # v3.4.1
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}

.github/workflows/labeler.yml

@@ -0,0 +1,15 @@
+name: "Pull Request Labeler"
+on:
+- pull_request_target
+
+jobs:
+  triage:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: joshdales/labeler@a256a58edf82de10195c71e2666c7fcd645b6e97 # if https://github.com/actions/labeler/pull/203 is merged, use the official action actions/labeler
+      with:
+        repo-token: "${{ secrets.GITHUB_TOKEN }}"
+        sync-labels: true

.github/workflows/notifications.yml

@@ -11,11 +11,11 @@ on:
 
 jobs:
   on-failure:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.repository.fork == false }}
     steps:
       - name: Data
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         continue-on-error: true
         id: data
         with:
@@ -36,7 +36,7 @@ jobs:
             }
 
       - name: Send Notification
-        uses: 8398a7/action-slack@v3
+        uses: 8398a7/action-slack@fbd6aa58ba854a740e11a35d0df80cb5d12101d8 # v3.15.1
         with:
           status: custom
           custom_payload: |

.github/workflows/stale.yml

@@ -5,9 +5,12 @@ on:
 
 jobs:
   stale:
-    runs-on: ubuntu-20.04
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'