ci: address OSSF Scorecard warnings (#243)

* remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around * remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot * hopefully remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json` * ci: add `workflow_dispatch` and cron jobs to both the Scorecard and the S3 gateway build actions be able to run the workflow on demand and run the workflow at least once a week in case there's been no new builds/PRs in the last week
nginxinc · May 7, 2024 · 87cbc16 · 87cbc16
1 parent 62caea4
commit 87cbc16
Show file tree

Hide file tree

Showing 12 changed files with 361 additions and 256 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,12 @@
 ---
 version: 2
 updates:
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "00:00"
   - package-ecosystem: github-actions
     directory: /
     schedule:

diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
@@ -1,18 +1,19 @@
+---
 name: F5 CLA
 on:
   issue_comment:
     types: [created]
   pull_request_target:
     types: [opened, closed, synchronize]
-
-permissions:
-  actions: write
-  pull-requests: write
-  statuses: write
-
+permissions: read-all
 jobs:
   f5-cla:
+    name: F5 CLA
     runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+      pull-requests: write
+      statuses: write
     steps:
       - name: Run F5 Contributor License Agreement (CLA) assistant
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
@@ -31,7 +32,7 @@ jobs:
           remote-repository-name: 'f5-cla-data'
           path-to-signatures: 'signatures/beta/signatures.json'
           # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
-          allowlist: 4141done, dekobon, bot*
+          allowlist: 4141done, alessfg, dekobon, bot*
           # Do not lock PRs after a merge.
           lock-pullrequest-aftermerge: false
         env:

diff --git a/.github/workflows/ossf_scorecard.yml → .github/workflows/ossf-scorecard.yml b/.github/workflows/ossf_scorecard.yml → .github/workflows/ossf-scorecard.yml
@@ -4,11 +4,12 @@ name: OSSF Scorecard
 on:
   # For Branch-Protection check. Only the default branch is supported. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
   branch_protection_rule:
+  push:
+    branches: [main]
   # To guarantee Maintained check is occasionally updated. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained.
   schedule:
     - cron: "0 0 * * 1"
-  push:
-    branches: [main]
+  workflow_dispatch:
 # Declare default permissions as read only.
 permissions: read-all
 jobs:

diff --git a/.github/workflows/main.yml → .github/workflows/s3-gateway.yml b/.github/workflows/main.yml → .github/workflows/s3-gateway.yml
@@ -1,10 +1,13 @@
 ---
-name: CI
+name: NGINX S3 Gateway CI/CD
 on:
   push:
     branches: [main]
   pull_request:
     branches: [main]
+  schedule:
+    - cron: "0 0 * * 1"
+  workflow_dispatch:
 env:
   CI: true
 permissions: read-all
@@ -24,6 +27,7 @@ permissions: read-all
 
 jobs:
   build-oss-for-test:
+    name: Build NGINX OSS image
     runs-on: ubuntu-22.04
     steps:
       - name: Check out the codebase
@@ -49,6 +53,7 @@ jobs:
           if-no-files-found: error
 
   test-oss:
+    name: Test NGINX OSS image
     runs-on: ubuntu-22.04
     needs: build-oss-for-test
     strategy:
@@ -91,6 +96,7 @@ jobs:
         run: S3_STYLE=${{ matrix.path_style }} ./test.sh --type oss
 
   build-latest-njs-for-test:
+    name: Build NGINX OSS image using latest njs commit
     runs-on: ubuntu-22.04
     needs: test-oss
     steps:
@@ -134,6 +140,7 @@ jobs:
           if-no-files-found: error
 
   test-latest-njs:
+    name: Test NGINX OSS image using latest njs commit
     runs-on: ubuntu-22.04
     needs: build-latest-njs-for-test
     steps:
@@ -174,6 +181,7 @@ jobs:
         run: ./test.sh --latest-njs --type oss
 
   build-unprivileged-for-test:
+    name: Build NGINX OSS unprivileged image
     runs-on: ubuntu-22.04
     needs: test-oss
     steps:
@@ -217,6 +225,7 @@ jobs:
           if-no-files-found: error
 
   test-unprivileged:
+    name: Test NGINX OSS unprivileged image
     runs-on: ubuntu-22.04
     needs: build-unprivileged-for-test
     steps:
@@ -258,6 +267,7 @@ jobs:
 
 # As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry
   tag-and-push:
+    name: Tag and push all built and tested NGINX images
     runs-on: ubuntu-22.04
     needs: [test-oss, test-latest-njs, test-unprivileged]
     if: |

diff --git a/Dockerfile.buildkit.plus b/Dockerfile.buildkit.plus
@@ -1,4 +1,4 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:155280b00ee0133250f7159b567a07d7cd03b1645714c3a7458b2287b0ca83cb
 
 ENV NGINX_PLUS_VERSION   30-2
 ENV NGINX_VERSION        1.25.1

diff --git a/Dockerfile.oss b/Dockerfile.oss
@@ -1,7 +1,8 @@
-FROM nginx:1.25.3
+FROM nginx:1.25.5@sha256:711cc227e3c4181ab27cde13cf662f6dd1d06d16b3344f871c6d04cbff22f6f8
 
-ENV NGINX_VERSION "1.25.3"
-ENV NJS_VERSION   "0.8.2"
+ENV NGINX_VERSION   1.25.5
+ENV NJS_VERSION     0.8.4
+ENV NJS_RELEASE     3~bookworm
 
 ENV PROXY_CACHE_MAX_SIZE "10g"
 ENV PROXY_CACHE_INACTIVE "60m"
@@ -32,12 +33,12 @@ RUN set -eux \
     mkdir -p /var/cache/nginx/s3_proxy; \
     chown nginx:nginx /var/cache/nginx/s3_proxy; \
     chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; \
-    echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
+    echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
     apt-get update; \
     apt-get install --no-install-recommends --no-install-suggests --yes \
       curl \
       libedit2 \
-      nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE}; \
+      nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE}; \
     apt-get remove --purge --auto-remove --yes; \
     rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 
diff --git a/Dockerfile.plus b/Dockerfile.plus
@@ -1,10 +1,10 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:155280b00ee0133250f7159b567a07d7cd03b1645714c3a7458b2287b0ca83cb
 
 ENV NGINX_PLUS_VERSION   30-2
 ENV NGINX_VERSION        1.25.1
 ENV NJS_VERSION          30+0.8.0-1
 ENV XSLT_VERSION         30-1
- 
+
 ENV PROXY_CACHE_MAX_SIZE "10g"
 ENV PROXY_CACHE_INACTIVE "60m"
 ENV PROXY_CACHE_SLICE_SIZE "1m"

diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
-[![CI](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/main.yml/badge.svg)](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/main.yml)
+[![NGINX S3 Gateway CI/CD](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/s3-gateway.yml/badge.svg)](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/s3-gateway.yml)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/nginxinc/nginx-s3-gateway/badge)](https://securityscorecards.dev/viewer/?uri=github.com/nginxinc/nginx-s3-gateway)
 [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
-[![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](/SUPPORT.md))
+[![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](/SUPPORT.md)
 [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](/CODE_OF_CONDUCT.md)
 
 # NGINX S3 Gateway

diff --git a/examples/brotli-compression/Dockerfile.oss b/examples/brotli-compression/Dockerfile.oss
@@ -1,5 +1,4 @@
-FROM nginxinc/nginx-s3-gateway
-
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 ENV BROTLI_VERSION "v1.0.0rc"
 
 # Build Brotli module from source because there is no repository package

diff --git a/examples/gzip-compression/Dockerfile.oss b/examples/gzip-compression/Dockerfile.oss
@@ -1,3 +1,3 @@
-FROM nginxinc/nginx-s3-gateway
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 
 COPY etc/nginx/conf.d /etc/nginx/conf.d
diff --git a/examples/modsecurity/Dockerfile.oss b/examples/modsecurity/Dockerfile.oss
@@ -1,4 +1,4 @@
-FROM nginxinc/nginx-s3-gateway
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 
 ENV MODSECURITY_VERSION "v1.0.1"
 ENV OWASP_RULESET_VERSION "v3.3.0"