diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6dc92ecf..365eeece 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,14 +1,11 @@
 version: 2
 updates:
- - package-ecosystem: "github-actions"
- directory: "/"
+ - package-ecosystem: github-actions
+ directory: /
 schedule:
 interval: daily
- reviewers:
- - "nginxinc/kic"
- - package-ecosystem: "docker"
- directory: "/"
+
+ - package-ecosystem: docker
+ directory: /
 schedule:
 interval: daily
- reviewers:
- - "nginxinc/kic"
diff --git a/.github/labeler.yml b/.github/labeler.yml
index ae06fcf0..40ea6b47 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -1,3 +1,6 @@
+change:
+ - head-branch: ['^change/']
+
 enhancement:
 - head-branch: ['^feature/', '^feat/', '^enhancement/', '^enh/']
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 74c68da3..32102321 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -160,4 +160,4 @@ jobs:
 architecture=("${arch#*/}")
 ./preflight check container quay.io/nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }} --pyxis-api-token ${{ secrets.PYXIS_API_TOKEN }} --certification-project-id ${{ secrets.CERTIFICATION_PROJECT_ID }} --platform $architecture --submit
 done
- if: ${{ startsWith(github.ref, 'refs/tags') }}
+ if: ${{ github.ref_type == 'tag' }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..c6910e4d
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
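Review bot: Dropping both `reviewers:` blocks means Dependabot PRs for the github-actions and docker ecosystems will no longer request a review from `nginxinc/kic`, and nothing in the hunk replaces that. If the intent is to rely on a CODEOWNERS entry covering `.github/` and the Dockerfile instead, say so in the commit description; otherwise keep `reviewers:` on both entries. The remaining edits (unquoting `github-actions`, `docker` and `/`) are safe, since none of those values is read as anything but a plain string.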
@@ -0,0 +1,27 @@
+name: "Dependency Review"
+on:
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.ref_name }}-deps-review
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read # for actions/checkout
+ pull-requests: write # for actions/dependency-review-action to post comments
+ steps:
+ - name: "Checkout Repository"
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+ - name: "Dependency Review"
+ uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
+ with:
+ config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index ad4f9480..21249a07 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,6 +1,6 @@
 name: "Pull Request Labeler"
 on:
-- pull_request_target
+ - pull_request_target
 
 permissions:
 contents: read
@@ -9,10 +9,10 @@ jobs:
 triage:
 permissions:
 contents: read
- pull-requests: write
- runs-on: ubuntu-latest
+ pull-requests: write # for actions/labeler to add labels
+ runs-on: ubuntu-22.04
 steps:
- - uses: joshdales/labeler@3352df1f2b0ef052cea774a5eaff917ea700a1b4 # if https://github.com/actions/labeler/pull/203 is merged, use the official action actions/labeler
- with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"
- sync-labels: true
+ - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
+ sync-labels: true
diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml
index fc233551..4e2ca3ea 100644
--- a/.github/workflows/notifications.yml
+++ b/.github/workflows/notifications.yml
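Review bot: `config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"` pulls the review policy (which licenses, severities and packages fail the check) from a mutable branch of another repository, so the behaviour of this gate can change without any commit here, while both actions in the same job are pinned to commit SHAs. Pin the config the same way, e.g. `config-file: "nginxinc/k8s-common/dependency-review-config.yml@<tag-or-sha>"`, and bump it deliberately alongside the action pins. If nginxinc/k8s-common is not a public repository, the action also needs its `external-repo-token` input to read the file; that is worth confirming before the first run, since a missing config fails the job rather than falling back to defaults.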
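Review bot: The replacement action is pinned to a pre-release (`# v5.0.0-alpha.1`) on a job that runs on `pull_request_target` with `pull-requests: write`; pre-releases can change inputs and config syntax (the `head-branch` matcher in `.github/labeler.yml` elsewhere in this diff is v5 syntax), so track the stable v5 tag once it exists and keep the full-SHA pin as done here. The job does not check out or execute PR code, which is what keeps `pull_request_target` safe with a write token; make that property explicit so a later edit does not break it, e.g. `# pull_request_target grants a write token: never check out or run PR code in this job` above `steps:`.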
@@ -16,6 +16,9 @@ jobs:
 on-failure:
 runs-on: ubuntu-22.04
 if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.repository.fork == false }}
+ permissions:
+ contents: read
+ actions: read # for 8398a7/action-slack
 steps:
 - name: Data
 uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 7caf98b1..d8ff9644 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -6,9 +6,10 @@ on:
 # To guarantee Maintained check is occasionally updated. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
 schedule:
- - cron: '33 10 * * 1'
+ - cron: "33 10 * * 1" # run every Monday at 10:33 UTC
 push:
- branches: [ "main" ]
+ branches:
+ - main
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -16,12 +17,15 @@ permissions: read-all
 jobs:
 analysis:
 name: Scorecard analysis
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
 permissions:
 # Needed to upload the results to code-scanning dashboard.
 security-events: write
 # Needed to publish results and get a badge (see publish_results below).
 id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
 
 steps:
 - name: "Checkout code"
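Review bot: `contents: read` is added to the `on-failure` job without the justifying comment that `actions: read # for 8398a7/action-slack` gets, and the only step visible in the hunk (`actions/github-script`) does not read repository contents. If no later step in the job checks out the repository (the job continues past the hunk), drop the scope so the token carries only `actions: read`; otherwise document it the same way, e.g. `contents: read # for actions/checkout`. Either way, a job-level `permissions:` block replaces any workflow-level default for this job, so every scope the job needs must be listed here.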
@@ -34,11 +38,15 @@ jobs:
 with:
 results_file: results.sarif
 results_format: sarif
- # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
- # - you want to enable the Branch-Protection check on a *public* repository, or
- # - you are installing Scorecard on a *private* repository
- # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
 repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
 publish_results: true
 
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 9cda66c4..c052436e 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,7 +1,7 @@
-name: 'Close stale issues and PRs'
+name: "Close stale issues and PRs"
 on:
 schedule:
- - cron: '30 1 * * *'
+ - cron: "30 1 * * *" # run at 1:30am every day
 
 permissions:
 contents: read
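Review bot: The removed comment block was the only place explaining that `repo_token: ${{ secrets.SCORECARD_TOKEN }}` is a personal access token and why it is supplied; the new comment block documents only `publish_results`. Because the PAT is a standing credential consumed by a scheduled workflow, keep a one-line pointer next to it so whoever rotates or re-scopes the secret knows what it must allow, e.g. `repo_token: ${{ secrets.SCORECARD_TOKEN }} # PAT for the Branch-Protection check; see https://github.com/ossf/scorecard-action#authentication-with-pat`.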
@@ -9,21 +9,21 @@ permissions:
 jobs:
 stale:
 permissions:
- issues: write # for actions/stale to close stale issues
- pull-requests: write # for actions/stale to close stale PRs
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-22.04
 steps:
 - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
- stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
- stale-pr-message: 'This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
- close-issue-message: 'This issue was closed because it has been stalled for 10 days with no activity.'
- close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
- stale-issue-label: 'stale'
- stale-pr-label: 'stale'
+ stale-issue-message: "This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days."
+ stale-pr-message: "This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days."
+ close-issue-message: "This issue was closed because it has been stalled for 10 days with no activity."
+ close-pr-message: "This PR was closed because it has been stalled for 10 days with no activity."
+ stale-issue-label: "stale"
+ stale-pr-label: "stale"
 exempt-all-assignees: true
- exempt-issue-labels: 'proposal'
+ exempt-issue-labels: "proposal"
 operations-per-run: 100
 days-before-stale: 90
 days-before-close: 10
diff --git a/.github/workflows/sync-chart.yml b/.github/workflows/sync-chart.yml
index ef62bd13..04d6bacb 100644
--- a/.github/workflows/sync-chart.yml
+++ b/.github/workflows/sync-chart.yml
@@ -8,9 +8,15 @@ on:
 required: true
 default: "0.0.0"
+permissions:
+ contents: read
+
 
 jobs:
 sync:
 runs-on: ubuntu-22.04
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
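Review bot: The new job-level `contents: write` and `pull-requests: write` scopes carry no `# for ...` comment, unlike the permission blocks this same commit adds in dependency-review.yml, labeler.yml and notifications.yml, and the steps that use them lie outside the hunk, so a reader cannot tell which step pushes or opens a PR. Annotate each scope with the step that needs it, e.g. `contents: write # for <step that pushes the chart>` and `pull-requests: write # for <step that opens the PR>`, and confirm while doing so that each scope is actually exercised by the job. The workflow-level `contents: read` default is the right direction and needs nothing further.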