[cherry-pick] Bump the actions group across 1 directory with 2 updates (
nginx-bot committed Jul 3, 2024
1 parent 6e0b5b2 commit fa95fba
Showing 3 changed files with 307 additions and 4 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -70,7 +70,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -89,7 +89,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
Expand All @@ -102,6 +102,6 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
category: "/language:${{matrix.language}}"
303 changes: 303 additions & 0 deletions .github/workflows/image-promotion.yml
Expand Up @@ -394,3 +394,306 @@ jobs:
image: quay.io/nginx/nginx-ingress:edge-ubi
project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}

scan-docker-oss:
name: Scan Docker OSS
runs-on: ubuntu-22.04
needs: [checks]
permissions:
contents: read
id-token: write
security-events: write
if: ${{ !cancelled() && !failure() }}
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Make directory for security scan results
id: directory
run: |
directory=${{ matrix.image }}-${{ matrix.target }}-results
echo "directory=${directory}" >> $GITHUB_OUTPUT
mkdir -p "${directory}"
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
context: workflow
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
flavor: |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}
tags: |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
continue-on-error: true
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: "sarif"
output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
ignore-unfixed: "true"

- name: DockerHub Login for Docker Scount
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true

- name: Upload Scan Results to Github Artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
path: "${{ steps.directory.outputs.directory }}/"
overwrite: true

- name: Upload Scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
sarif_file: "${{ steps.directory.outputs.directory }}/"

scan-docker-plus:
name: Scan Docker Plus
runs-on: ubuntu-22.04
needs: [checks]
permissions:
contents: read
id-token: write
security-events: write
if: ${{ !cancelled() && !failure() }}
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Make directory for security scan results
id: directory
run: |
directory=${{ matrix.image }}-${{ matrix.target }}-results
echo "directory=${directory}" >> $GITHUB_OUTPUT
mkdir -p "${directory}"
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
context: workflow
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
flavor: |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
tags: |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
continue-on-error: true
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: "sarif"
output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
ignore-unfixed: "true"

- name: DockerHub Login for Docker Scount
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true

- name: Upload Scan Results to Github Artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
path: "${{ steps.directory.outputs.directory }}/"
overwrite: true

- name: Upload Scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
sarif_file: "${{ steps.directory.outputs.directory }}/"

scan-docker-nap:
name: Scan Docker Plus + NAP WAF/DOS
runs-on: ubuntu-22.04
needs: [checks]
permissions:
contents: read
id-token: write
security-events: write
if: ${{ !cancelled() && !failure() }}
strategy:
fail-fast: false
matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Make directory for security scan results
id: directory
run: |
directory=${{ matrix.image }}-${{ matrix.target }}-results
echo "directory=${directory}" >> $GITHUB_OUTPUT
mkdir -p "${directory}"
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
context: workflow
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
flavor: |
suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
tags: |
type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
with:
token_format: access_token
workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}

- name: Login to GCR
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: gcr.io
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
continue-on-error: true
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: "sarif"
output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
ignore-unfixed: "true"

- name: DockerHub Login for Docker Scount
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Run Docker Scout vulnerability scanner
id: docker-scout
uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
ignore-base: true
only-fixed: true
sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
write-comment: false
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
summary: true

- name: Upload Scan Results to Github Artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
path: "${{ steps.directory.outputs.directory }}/"
overwrite: true

- name: Upload Scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
sarif_file: "${{ steps.directory.outputs.directory }}/"

update-release-draft:
name: Update Release Draft
runs-on: ubuntu-22.04
needs: [checks]
permissions:
contents: read
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Create/Update Draft
uses: lucacome/draft-release@8a63d32c79a171ae6048e614a8988f0ac3ed56d4 # v1.1.0
id: release-notes
with:
minor-label: "enhancement"
major-label: "change"
publish: false
collapse-after: 50
variables: |
helm-chart=${{ needs.checks.outputs.chart_version }}
notes-footer: |
## Upgrade
- For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
- For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking), [Azure Marketplace](https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/category/containers?page=1&search=f5&subcategories=container-apps) or build your own image using the {{version}} source code.
- For Helm, use version {{helm-chart}} of the chart.
## Resources
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart
- Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator
if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }}
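Review bot: The trailing comment on the `github-token` line of each "Run Docker Scout vulnerability scanner" step (`# to be able to write the comment`) contradicts the `write-comment: false` input two lines above it, in all three of `scan-docker-oss`, `scan-docker-plus` and `scan-docker-nap`; either drop the comment or make it match, e.g. `github-token: ${{ secrets.GITHUB_TOKEN }} # no PR comment is posted (write-comment: false)`. In the "Make directory for security scan results" steps, `${{ matrix.image }}` and `${{ matrix.target }}` are interpolated straight into the `run:` shell; the matrix comes from the repository's own `checks` job outputs, so this is not attacker-reachable as written, but the hardening convention for workflows is to pass expressions in through `env:` and expand them quoted, e.g. `directory="${IMAGE}-${TARGET}-results"`, which would also cover the unquoted `>> $GITHUB_OUTPUT`. The Trivy step runs with `continue-on-error: true`, so a scanner failure leaves the job green while the later upload-sarif step still runs against the results directory without a `trivy.sarif`; if that is deliberate, a one-line comment above `continue-on-error` saying so would help the next maintainer. The step name `DockerHub Login for Docker Scount` is misspelled in all three jobs. The `jobs:` mapping these jobs belong to starts outside the hunk.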
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Expand Up @@ -57,6 +57,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
sarif_file: results.sarif
