From 940a0d142a7f2ba6f2a7459881c7f7b8de199601 Mon Sep 17 00:00:00 2001
From: Michael McKeen
Date: Wed, 13 Mar 2024 11:57:01 -0400
Subject: [PATCH 1/5] ci: add gh action workflow file for f5 cla automation
---
 .github/workflows/f5-cla.yml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/f5-cla.yml
diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
new file mode 100644
index 00000000..fbf680ea
--- /dev/null
+++ b/.github/workflows/f5-cla.yml
@@ -0,0 +1,33 @@
+name: "F5 Contributor License Agreement"
+on:
+ issue_comment:
+ types: [created]
+ pull_request_target:
+ types: [opened, closed, synchronize]
+
+permissions:
+ actions: write
+ contents: write
+ pull-requests: write
+ statuses: write
+
+jobs:
+ cla:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "CLA Assistant"
+ if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
+ uses: contributor-assistant/github-action@v2.3.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
+ with:
+ path-to-signatures: 'signatures/beta/signatures.json'
+ path-to-document: 'https://github.com/f5/.github/blob/main/CLA/cla-markdown.md'
+ branch: 'master'
+ custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
+ custom-notsigned-prcomment: 'πŸŽ‰ Thank you for your contribution. It appears you have not yet signed the F5 Contributor License Agreement, which is required for your changes to be incorporated into an F5 project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and comment the following to agree:'
+ custom-allsigned-prcomment: 'All required contributors have signed the F5 CLA for this PR βœ…'
+ remote-organization-name: 'f5'
+ remote-repository-name: 'f5-cla-data'
+ allowlist: 4141done, dekobon, bot*
\ No newline at end of file
From 7351cbbbb95e24d5326797e445920fc719772cc8 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Thu, 25 Apr 2024 23:30:21 +0200
Subject: [PATCH 2/5] ci: update f5-cla.yml based on latest changes
---
 .github/workflows/f5-cla.yml | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
index fbf680ea..72e71f2e 100644
--- a/.github/workflows/f5-cla.yml
+++ b/.github/workflows/f5-cla.yml
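Review bot: The `permissions` block grants the workflow token `contents: write` and `actions: write`, but the signatures are written to the remote `f5/f5-cla-data` repository through `PERSONAL_ACCESS_TOKEN`, so the GITHUB_TOKEN has no need to write this repository's contents. This matters because the job runs on `pull_request_target`, where the token is present on runs that fork PRs trigger, and `uses: contributor-assistant/github-action@v2.3.0` hands that token to a third-party action pinned only by a mutable tag. Patch 2 of this series drops `contents: write` and SHA-pins the action, but `actions: write` survives it; unless the pinned release documents a need for it, reduce the block to `pull-requests: write` and `statuses: write`.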
@@ -1,4 +1,4 @@
-name: "F5 Contributor License Agreement"
+name: F5 CLA
 on:
 issue_comment:
 types: [created]
@@ -7,27 +7,33 @@ on:
 
 permissions:
 actions: write
- contents: write
 pull-requests: write
 statuses: write
 
 jobs:
- cla:
- runs-on: ubuntu-latest
+ f5-cla:
+ runs-on: ubuntu-22.04
 steps:
- - name: "CLA Assistant"
+ - name: Run F5 Contributor License Agreement (CLA) assistant
 if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
- uses: contributor-assistant/github-action@v2.3.0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
+ uses: contributor-assistant/github-action@dbc1c64d82d3aad5072007a41fff2828ae6d23ec # v2.3.2
 with:
- path-to-signatures: 'signatures/beta/signatures.json'
+ # Any pull request targeting the following branch will trigger a CLA check.
+ branch: 'main'
+ # Path to the CLA document.
 path-to-document: 'https://github.com/f5/.github/blob/main/CLA/cla-markdown.md'
- branch: 'master'
+ # Custom CLA messages.
+ custom-notsigned-prcomment: 'πŸŽ‰ Thank you for your contribution. It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and comment the following to agree:'
 custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
- custom-notsigned-prcomment: 'πŸŽ‰ Thank you for your contribution. It appears you have not yet signed the F5 Contributor License Agreement, which is required for your changes to be incorporated into an F5 project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and comment the following to agree:'
- custom-allsigned-prcomment: 'All required contributors have signed the F5 CLA for this PR βœ…'
+ custom-allsigned-prcomment: 'βœ… All required contributors have signed the F5 CLA for this PR. Thank you!'
+ # Remote repository storing CLA signatures.
 remote-organization-name: 'f5'
 remote-repository-name: 'f5-cla-data'
- allowlist: 4141done, dekobon, bot*
\ No newline at end of file
+ path-to-signatures: 'signatures/beta/signatures.json'
+ # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
+ allowlist: 4141done, dekobon, bot*
+ # Do not lock PRs after a merge.
+ lock-pullrequest-aftermerge: false
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
From 30aa334a59235af3c79edcbdc6d2c2190eb5a569 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Fri, 26 Apr 2024 21:52:08 +0200
Subject: [PATCH 3/5] docs: add CLA docs
* add CLA to the PR template
* mention CLA in the contributing guidelines
---
 .github/pull_request_template.md | 1 +
 CONTRIBUTING.md | 12 +++++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index d22f09f0..a85f627f 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -7,6 +7,7 @@ Describe the use case and detail of the change. If this PR addresses an issue on
 Before creating a PR, run through this checklist and mark each as complete:
 
 - [ ] I have read the [`contributing guidelines`](/CONTRIBUTING.md).
+- [ ] I have signed the F5 Contributor License Agreement (CLA).
 - [ ] If applicable, I have added tests that prove my fix is effective or that my feature works.
 - [ ] If applicable, I have checked that any relevant tests pass after adding my changes.
 - [ ] I have updated any relevant documentation (e.g. [`README.md`](/README.md)).
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 1df2db10..214d07ac 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
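Review bot: `PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}` is handed to a third-party action in a job that `pull_request_target` lets fork PRs trigger, yet nothing in the file records what that token is allowed to do, so a reviewer cannot judge the blast radius if the action or the runner is compromised. The new comments on `branch:` and `remote-organization-name:` set a good pattern; extend it to the `env:` block with something like `# F5_CLA_TOKEN only needs write access to the f5/f5-cla-data signature store; keep it a fine-grained token scoped to that repository.` Separately, `actions: write` is kept in `permissions` even though this commit drops `contents: write`; if the pinned action does not need it, remove it in the same spirit of least privilege.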
@@ -28,13 +28,19 @@ To report a bug, open an issue on GitHub with the label `bug` using the availabl To suggest a feature or enhancement, please create an issue on GitHub with the label `enhancement` using the available [feature request template](/.github/feature_request_template.md). Please ensure the feature or enhancement has not already been suggested. -### Open a Pull Request +### Open a Pull Request (PR) -- Fork the repo, create a branch, implement your changes, add any relevant tests, submit a PR when your changes are **tested** and ready for review. -- Fill in [our pull request template](/.github/pull_request_template.md). +- Fork the repo, create a branch, implement your changes, add any relevant tests, and submit a PR when your changes are **tested** and ready for review. +- Fill in the [PR template](/.github/pull_request_template.md). **Note:** If you'd like to implement a new feature, please consider creating a [feature request issue](/.github/feature_request_template.md) first to start a discussion about the feature. +#### F5 Contributor License Agreement (CLA) + +F5 requires all external contributors to agree to the terms of the F5 CLA (available [here](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md)) before any of their changes can be incorporated into an F5 Open Source repository. + +If you have not yet agreed to the F5 CLA terms and submit a PR to this repository, a bot will prompt you to view and agree to the F5 CLA. You will have to agree to the F5 CLA terms through a comment in the PR before any of your changes can be merged. Your agreement signature will be safely stored by F5 and no longer be required in future PRs. + ## Code Guidelines From 5eeb230b6d1238d503e009ed54a0463ac5416da7 Mon Sep 17 00:00:00 2001 
From: Alessandro Fael Garcia Date: Fri, 26 Apr 2024 12:48:04 -0800 Subject: [PATCH 4/5] ci: implement OSSF scorecard and Dependabot (#235) --- .github/dependabot.yml | 15 +++ .github/pull_request_template.md | 2 +- .github/workflows/main.yml | 164 ++++++++++++++++----------- .github/workflows/ossf_scorecard.yml | 62 ++++++++++ README.md | 1 + 5 files changed, 175 insertions(+), 69 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/ossf_scorecard.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..59dc1b1d --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,15 @@ +--- +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + day: monday + time: "00:00" + - package-ecosystem: npm + directory: / + schedule: + interval: weekly + day: monday + time: "00:00" diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index d22f09f0..b6ff69f5 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -6,7 +6,7 @@ Describe the use case and detail of the change. If this PR addresses an issue on Before creating a PR, run through this checklist and mark each as complete: -- [ ] I have read the [`contributing guidelines`](/CONTRIBUTING.md). +- [ ] I have read the [contributing guidelines](/CONTRIBUTING.md). - [ ] If applicable, I have added tests that prove my fix is effective or that my feature works. - [ ] If applicable, I have checked that any relevant tests pass after adding my changes. - [ ] I have updated any relevant documentation (e.g. [`README.md`](/README.md)). diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 52675aa0..ea7ba3a3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,50 +1,47 @@ +--- name: CI - -# Controls when the action will run. Triggers the workflow on push or pull request -# events but only for the master branch on: push: - branches: [ master ] + branches: [main] pull_request: - branches: [ master ] - - + branches: [main] env: CI: true - +permissions: read-all # Job progression. We make sure that the base image [oss] builds and passes tests before kicking off the other builds - - # β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” - # β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β–Ί Build Latest NJS β”œβ”€β”€β”€β”€β”€β”€β”€β”€β–ΊTest Latest NJS β”œβ”€β”€β”€β”€β”€β–Ίβ”‚Push Latest NJS β”‚ - # β”‚Build OSSβ”œβ”€β”€β”€β”€β–Ίβ”‚Test OSS β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ - # β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ └──┬─────── - # β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” - # β”‚ └────►Build Unprivilegedβ”œβ”€β”€β”€β”€β”€β”€β”€β–ΊTest Unprivileged β”œβ”€β”€β”€β”€β–Ίβ”‚Push Unprivilegedβ”‚ - # β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜ - # β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€ - # └──────────────────────────────────────────────────────────────►│Push OSSβ”‚ - # β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ - -# As a last step, if we are on the main/master branch, multi-architecture images will be built and pushed to github packages -# and docker hub +# β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” 
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +# β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β–Ί Build Latest NJS β”œβ”€β”€β”€β”€β”€β”€β”€β”€β–ΊTest Latest NJS β”œβ”€β”€β”€β”€β”€β–Ίβ”‚Push Latest NJS β”‚ +# β”‚Build OSSβ”œβ”€β”€β”€β”€β–Ίβ”‚Test OSS β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +# β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ └──┬─────── +# β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +# β”‚ └────►Build Unprivilegedβ”œβ”€β”€β”€β”€β”€β”€β”€β–ΊTest Unprivileged β”œβ”€β”€β”€β”€β–Ίβ”‚Push Unprivilegedβ”‚ +# β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +# β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€ +# └──────────────────────────────────────────────────────────────►│Push OSSβ”‚ +# β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +# As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry jobs: build-oss-for-test: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - name: Check out the codebase + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + - name: Build and export - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: file: Dockerfile.oss context: . 
tags: nginx-s3-gateway , nginx-s3-gateway:oss outputs: type=docker,dest=${{ runner.temp }}/oss.tar + - name: Upload artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: oss path: ${{ runner.temp }}/oss.tar @@ -58,15 +55,19 @@ jobs: matrix: path_style: [virtual, virtual-v2] steps: - - uses: actions/checkout@v4 + - name: Check out the codebase + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - name: Install dependencies run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it + - name: Restore cached binaries id: cache-binaries-restore - uses: actions/cache/restore@v3 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: .bin key: ${{ runner.os }}-binaries + - name: Install MinIO Client run: | mkdir .bin || exit 0 @@ -77,13 +78,15 @@ jobs: chmod +x mc - name: Download artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: oss path: ${{ runner.temp }} + - name: Load image run: | docker load --input ${{ runner.temp }}/oss.tar + - name: Run tests - stable njs version run: S3_STYLE=${{ matrix.path_style }} ./test.sh --type oss 
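Review bot: `permissions: read-all` at the workflow level also applies to the `tag-and-push` job, which later in this file (hunk `@@ -267,21 +295,21 @@`) logs in to ghcr.io with `password: ${{ secrets.GITHUB_TOKEN }}`; with only read scope on `packages`, that login can authenticate but a push to ghcr.io would be rejected. If the build-push steps do publish to ghcr.io, as the login suggests, give that job its own block, `permissions:` with `contents: read` and `packages: write`, instead of widening the workflow default. The `tag-and-push` job body lies outside this hunk, so I cannot see whether such an override already exists.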
@@ -91,33 +94,39 @@ jobs: runs-on: ubuntu-22.04 needs: test-oss steps: - - uses: actions/checkout@v4 + - name: Check out the codebase + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 with: driver: docker + - name: Download artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: oss path: ${{ runner.temp }} + - name: Load image run: | docker load --input ${{ runner.temp }}/oss.tar + - name: Build and load oss image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: file: Dockerfile.latest-njs context: . tags: nginx-s3-gateway:latest-njs-oss load: true - # Save manually here since we need to use the `docker` buildx `driver` but that can't output - # a file that upload-artifact likes. - - name: save image + + # Save manually here since we need to use `docker` buildx but that can't output a file that upload-artifact likes. + - name: Export image to a tar run: | docker save nginx-s3-gateway:latest-njs-oss > ${{ runner.temp }}/latest-njs.tar + - name: Upload artifact - latest-njs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: latest-njs path: ${{ runner.temp }}/latest-njs.tar 
@@ -128,15 +137,19 @@ jobs: runs-on: ubuntu-22.04 needs: build-latest-njs-for-test steps: - - uses: actions/checkout@v4 + - name: Check out the codebase + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - name: Install dependencies run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it + - name: Restore cached binaries id: cache-binaries-restore - uses: actions/cache/restore@v3 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: .bin key: ${{ runner.os }}-binaries + - name: Install MinIO Client run: | mkdir .bin || exit 0 @@ -145,15 +158,18 @@ jobs: curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check - mv mc.RELEASE.2023-06-19T19-31-19Z mc chmod +x mc + - name: Download artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: latest-njs path: ${{ runner.temp }} + - name: Load image run: | docker load --input ${{ runner.temp }}/latest-njs.tar docker tag nginx-s3-gateway:latest-njs-oss nginx-s3-gateway + - name: Run tests - latest njs version run: ./test.sh --latest-njs --type oss 
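Review bot: `curl --insecure ... .sha256sum" | sha256sum --check -` fetches the checksum file with TLS verification disabled, so the integrity check only proves the binary matches whatever checksum was served and gives no protection against a tampered download; the same line appears in the hunk `@@ -215,49 +241,51 @@`. This is pre-existing context rather than something the commit changes, but SHA-pinning every action while leaving the MinIO client download unverified is inconsistent with the commit's intent. Unless `--insecure` is there for a documented reason, drop it from both the binary fetch (above this hunk) and the checksum fetch, or pin the expected digest in the workflow and compare against that.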
@@ -161,33 +177,39 @@ jobs: runs-on: ubuntu-22.04 needs: test-oss steps: - - uses: actions/checkout@v4 + - name: Check out the codebase + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 with: driver: docker + - name: Download artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: oss path: ${{ runner.temp }} + - name: Load image run: | docker load --input ${{ runner.temp }}/oss.tar + - name: Build and load oss image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: file: Dockerfile.unprivileged context: . tags: nginx-s3-gateway:unprivileged-oss load: true - # Save manually here since we need to use the `docker` buildx `driver` but that can't output - # a file that upload-artifact likes. - - name: save image + + # Save manually here since we need to use `docker` buildx but that can't output a file that upload-artifact likes. + - name: Export image to a tar run: | docker save nginx-s3-gateway:unprivileged-oss > ${{ runner.temp }}/unprivileged.tar + - name: Upload artifact - unprivileged - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: unprivileged path: ${{ runner.temp }}/unprivileged.tar 
@@ -198,15 +220,19 @@ jobs: runs-on: ubuntu-22.04 needs: build-unprivileged-for-test steps: - - uses: actions/checkout@v4 + - name: Check out the codebase + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - name: Install dependencies run: sudo apt-get update -qq && sudo apt-get install -y curl wait-for-it + - name: Restore cached binaries id: cache-binaries-restore - uses: actions/cache/restore@v3 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: .bin key: ${{ runner.os }}-binaries + - name: Install MinIO Client run: | mkdir .bin || exit 0 
@@ -215,49 +241,51 @@ jobs: curl --insecure --retry 6 --fail --silent --location "https://dl.min.io/client/mc/release/linux-$(dpkg --print-architecture)/archive/mc.RELEASE.2023-06-19T19-31-19Z.sha256sum" | sha256sum --check - mv mc.RELEASE.2023-06-19T19-31-19Z mc chmod +x mc + - name: Download artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: unprivileged path: ${{ runner.temp }} + - name: Load image run: | docker load --input ${{ runner.temp }}/unprivileged.tar docker tag nginx-s3-gateway:unprivileged-oss nginx-s3-gateway + - name: Run tests - unprivileged run: ./test.sh --unprivileged --type oss -# After the tests are done, build multiarch and push to both github packages and dockerhub if we are on master/main +# As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry tag-and-push: runs-on: ubuntu-22.04 needs: [test-oss, test-latest-njs, test-unprivileged] - if: | - github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' services: registry: image: registry:2 ports: - 5000:5000 - steps: - - uses: actions/checkout@v4 + - name: Check out the codebase + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - name: Get current date id: date run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT + - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + - name: Set up Docker Buildx for local image build and push - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 with: - platforms: linux/amd64,linux/arm64 driver-opts: network=host - # Do an initial build of the base image and push to a local registry for downstream - # images because the `docker-container` driver can't find local images with `load` + # Do an initial 
build of the base image and push to a local registry for downstream images because the `docker-container` driver can't find local images with `load`. - name: Build and push image [oss] to local registry for downstream - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: file: Dockerfile.oss context: . @@ -267,21 +295,21 @@ jobs: tags: localhost:5000/nginx-oss-s3-gateway:oss - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - # This second invocation of build/push should just use the existing build cache + # This second invocation of the build/push should just use the existing build cache. - name: Build and push image [oss] - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: file: Dockerfile.oss context: . @@ -295,7 +323,7 @@ jobs: nginxinc/nginx-s3-gateway:latest - name: Build and push image [latest-njs] - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: file: Dockerfile.latest-njs context: . @@ -311,7 +339,7 @@ jobs: nginxinc/nginx-s3-gateway:latest-njs-oss - name: Build and push image [unprivileged] - uses: docker/build-push-action@v5 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: file: Dockerfile.unprivileged context: . diff --git a/.github/workflows/ossf_scorecard.yml b/.github/workflows/ossf_scorecard.yml new file mode 100644 index 00000000..56350e7b --- /dev/null 
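Review bot: The `if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main'` guard on `tag-and-push` is removed without a replacement in this hunk, while the workflow still triggers on `pull_request`, so the job that logs in to Docker Hub and ghcr.io and pushes `latest` tags would now run for every PR; on fork PRs the login would fail for lack of secrets, and on same-repo PRs it would push. Unless the condition was moved somewhere outside this hunk, restore it next to `needs:` as `if: github.ref == 'refs/heads/main'`, which matches the comment's "only if run from main". The job continues past the end of this hunk. Dropping `platforms:` from the Buildx setup looks deliberate and is fine provided the build-push steps set their own platforms.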
+++ b/.github/workflows/ossf_scorecard.yml 
@@ -0,0 +1,62 @@ +--- +# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. +name: OSSF Scorecard +on: + # For Branch-Protection check. Only the default branch is supported. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection. + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained. + schedule: + - cron: "0 0 * * 1" + push: + branches: [main] +# Declare default permissions as read only. +permissions: read-all +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-22.04 + permissions: + # Needed if using Code Scanning alerts + security-events: write + # Needed for GitHub OIDC token if publish_results is true + id-token: write + # Uncomment the permissions below if installing on a private repository. + # contents: read + # actions: read + # issues: read # To allow GraphQL ListCommits to work + # pull-requests: read # To allow GraphQL ListCommits to work + # checks: read # To detect SAST tools + steps: + - name: Check out the codebase + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + with: + persist-credentials: false + + - name: Run analysis + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if: + # - You want to enable the Branch-Protection check on a *public* repository. + # - You are installing the OSSF Scorecard on a *private* repository. + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. 
For more details, see https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF format to the repository Actions tab. + - name: Upload artifact + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: Upload SARIF results to code scanning + uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 + with: + sarif_file: results.sarif diff --git a/README.md b/README.md index 4395d8ef..1f2b267e 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ [![CI](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/main.yml/badge.svg)](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/main.yml) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/nginxinc/nginx-s3-gateway/badge)](https://securityscorecards.dev/viewer/?uri=github.com/nginxinc/nginx-s3-gateway) [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active) [![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](/SUPPORT.md)) [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](/CODE_OF_CONDUCT.md) From 21841d76b9eb038957e19625b2fd3d5eb1301a77 Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Fri, 26 Apr 2024 23:50:22 +0200 Subject: [PATCH 5/5] Update pull_request_template.md --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
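Review bot: `actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2` pins a different release than the `65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3` this same commit uses throughout main.yml; pin both files to one SHA so the weekly Dependabot github-actions update lands as a single change and reviewers compare one hash. The rest of the workflow follows the upstream scorecard template, with `persist-credentials: false` on checkout and `permissions: read-all` at the top, which is the right default. The `repo_token` line is left commented, consistent with `publish_results: true` on a public repository.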
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 6af2ff69..43e53fa2 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -7,7 +7,7 @@ Describe the use case and detail of the change. If this PR addresses an issue on Before creating a PR, run through this checklist and mark each as complete: - [ ] I have read the [contributing guidelines](/CONTRIBUTING.md). -- [ ] I have signed the F5 Contributor License Agreement (CLA). +- [ ] I have signed the [F5 Contributor License Agreement (CLA)](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md). - [ ] If applicable, I have added tests that prove my fix is effective or that my feature works. - [ ] If applicable, I have checked that any relevant tests pass after adding my changes. - [ ] I have updated any relevant documentation (e.g. [`README.md`](/README.md)).