Update workflows

.github/dependabot.yml

@@ -1,14 +1,11 @@
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
       interval: daily
-    reviewers:
-      - "nginxinc/kic"
-  - package-ecosystem: "docker"
-    directory: "/"
+
+  - package-ecosystem: docker
+    directory: /
     schedule:
       interval: daily
-    reviewers:
-      - "nginxinc/kic"

.github/labeler.yml

@@ -1,3 +1,6 @@
+change:
+  - head-branch: ['^change/']
+
 enhancement:
   - head-branch: ['^feature/', '^feat/', '^enhancement/', '^enh/']
 

.github/workflows/ci.yml

@@ -160,4 +160,4 @@ jobs:
               architecture=("${arch#*/}")
               ./preflight check container quay.io/nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }} --pyxis-api-token ${{ secrets.PYXIS_API_TOKEN }} --certification-project-id ${{ secrets.CERTIFICATION_PROJECT_ID }} --platform $architecture --submit
           done
-        if: ${{ startsWith(github.ref, 'refs/tags') }}
+        if: ${{ github.ref_type == 'tag' }}

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+name: "Dependency Review"
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.ref_name }}-deps-review
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read # for actions/checkout
+      pull-requests: write # for actions/dependency-review-action to post comments
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
+        with:
+          config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"

.github/workflows/labeler.yml

@@ -1,6 +1,6 @@
 name: "Pull Request Labeler"
 on:
-- pull_request_target
+  - pull_request_target
 
 permissions:
   contents: read
@@ -9,10 +9,10 @@ jobs:
   triage:
     permissions:
       contents: read
-      pull-requests: write
-    runs-on: ubuntu-latest
+      pull-requests: write # for actions/labeler to add labels
+    runs-on: ubuntu-22.04
     steps:
-    - uses: joshdales/labeler@3352df1f2b0ef052cea774a5eaff917ea700a1b4 # if https://github.com/actions/labeler/pull/203 is merged, use the official action actions/labeler
-      with:
-        repo-token: "${{ secrets.GITHUB_TOKEN }}"
-        sync-labels: true
+      - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          sync-labels: true

.github/workflows/notifications.yml

@@ -16,6 +16,9 @@ jobs:
   on-failure:
     runs-on: ubuntu-22.04
     if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.repository.fork == false }}
+    permissions:
+      contents: read
+      actions: read # for 8398a7/action-slack
     steps:
       - name: Data
         uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1

.github/workflows/scorecard.yml

@@ -6,22 +6,26 @@ on:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '33 10 * * 1'
+    - cron: "33 10 * * 1" # run every Monday at 10:33 UTC
   push:
-    branches: [ "main" ]
+    branches:
+      - main
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
 
     steps:
       - name: "Checkout code"
@@ -34,11 +38,15 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecard on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
           repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
           publish_results: true
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF

.github/workflows/stale.yml

@@ -1,29 +1,29 @@
-name: 'Close stale issues and PRs'
+name: "Close stale issues and PRs"
 on:
   schedule:
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *" # run at 1:30am every day
 
 permissions:
   contents: read
 
 jobs:
   stale:
     permissions:
-      issues: write  # for actions/stale to close stale issues
-      pull-requests: write  # for actions/stale to close stale PRs
+      issues: write # for actions/stale to close stale issues
+      pull-requests: write # for actions/stale to close stale PRs
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
-          stale-pr-message: 'This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
-          close-issue-message: 'This issue was closed because it has been stalled for 10 days with no activity.'
-          close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
-          stale-issue-label: 'stale'
-          stale-pr-label: 'stale'
+          stale-issue-message: "This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days."
+          stale-pr-message: "This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days."
+          close-issue-message: "This issue was closed because it has been stalled for 10 days with no activity."
+          close-pr-message: "This PR was closed because it has been stalled for 10 days with no activity."
+          stale-issue-label: "stale"
+          stale-pr-label: "stale"
           exempt-all-assignees: true
-          exempt-issue-labels: 'proposal'
+          exempt-issue-labels: "proposal"
           operations-per-run: 100
           days-before-stale: 90
           days-before-close: 10

.github/workflows/sync-chart.yml

@@ -8,9 +8,15 @@ on:
         required: true
         default: "0.0.0"
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3