ci: address OSSF Scorecard warnings #243

Merged
merged 5 commits into from
May 7, 2024
6 changes: 6 additions & 0 deletions .github/dependabot.yml
@@ -1,6 +1,12 @@
---
version: 2
updates:
- package-ecosystem: docker
directory: /
schedule:
interval: weekly
day: monday
time: "00:00"
- package-ecosystem: github-actions
directory: /
schedule:
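Review bot: the new `package-ecosystem: docker` entry only watches `directory: /`, so it will cover `Dockerfile.oss`, `Dockerfile.plus` and `Dockerfile.buildkit.plus` at the repository root but not the digest-pinned `FROM` lines this PR adds under `examples/brotli-compression`, `examples/gzip-compression` and `examples/modsecurity`. Either add one docker entry per example directory or state in the PR that those pins need manual bumps; otherwise the examples will quietly drift behind the root image.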
15 changes: 8 additions & 7 deletions .github/workflows/f5-cla.yml
@@ -1,18 +1,19 @@
---
name: F5 CLA
on:
issue_comment:
types: [created]
pull_request_target:
types: [opened, closed, synchronize]

permissions:
actions: write
pull-requests: write
statuses: write

permissions: read-all
jobs:
f5-cla:
name: F5 CLA
runs-on: ubuntu-22.04
permissions:
actions: write
pull-requests: write
statuses: write
steps:
- name: Run F5 Contributor License Agreement (CLA) assistant
if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
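Review bot: moving the write scopes from the workflow level to the `f5-cla` job under a top-level `permissions: read-all` is the right direction, but this workflow still runs on `pull_request_target`, which gives the job a token with write access to the base repository while the triggering PR may come from a fork. The remaining steps are not in this hunk, so it is worth confirming that none of them check out or execute code from the PR head, which is the combination the Scorecard Dangerous-Workflow check flags, and that `actions: write` (the broadest of the three scopes kept here) is actually required by the CLA assistant action.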
Expand All @@ -31,7 +32,7 @@ jobs:
remote-repository-name: 'f5-cla-data'
path-to-signatures: 'signatures/beta/signatures.json'
# Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
allowlist: 4141done, dekobon, bot*
allowlist: 4141done, alessfg, dekobon, bot*
# Do not lock PRs after a merge.
lock-pullrequest-aftermerge: false
env:
Expand Up @@ -4,11 +4,12 @@ name: OSSF Scorecard
on:
# For Branch-Protection check. Only the default branch is supported. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
branch_protection_rule:
push:
branches: [main]
# To guarantee Maintained check is occasionally updated. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained.
schedule:
- cron: "0 0 * * 1"
push:
branches: [main]
workflow_dispatch:
# Declare default permissions as read only.
permissions: read-all
jobs:
12 changes: 11 additions & 1 deletion .github/workflows/main.yml → .github/workflows/s3-gateway.yml
@@ -1,10 +1,13 @@
---
name: CI
name: NGINX S3 Gateway CI/CD
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "0 0 * * 1"
workflow_dispatch:
env:
CI: true
permissions: read-all
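Review bot: adding a `schedule` trigger means this workflow now runs weekly on `main` with no associated commit, and the `tag-and-push` job further down is gated by an `if:` described in its comment as "only if run from main". If that condition tests only the ref (for example `github.ref == 'refs/heads/main'`), every scheduled run will rebuild and push fresh image tags to Docker Hub and GHCR; add a `github.event_name != 'schedule'` clause, or an explicit allow-list of `push` and `workflow_dispatch`, unless a weekly republish is intended.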
Expand All @@ -24,6 +27,7 @@ permissions: read-all

jobs:
build-oss-for-test:
name: Build NGINX OSS image
runs-on: ubuntu-22.04
steps:
- name: Check out the codebase
Expand All @@ -49,6 +53,7 @@ jobs:
if-no-files-found: error

test-oss:
name: Test NGINX OSS image
runs-on: ubuntu-22.04
needs: build-oss-for-test
strategy:
Expand Down Expand Up @@ -91,6 +96,7 @@ jobs:
run: S3_STYLE=${{ matrix.path_style }} ./test.sh --type oss

build-latest-njs-for-test:
name: Build NGINX OSS image using latest njs commit
runs-on: ubuntu-22.04
needs: test-oss
steps:
Expand Down Expand Up @@ -134,6 +140,7 @@ jobs:
if-no-files-found: error

test-latest-njs:
name: Test NGINX OSS image using latest njs commit
runs-on: ubuntu-22.04
needs: build-latest-njs-for-test
steps:
Expand Down Expand Up @@ -174,6 +181,7 @@ jobs:
run: ./test.sh --latest-njs --type oss

build-unprivileged-for-test:
name: Build NGINX OSS unprivileged image
runs-on: ubuntu-22.04
needs: test-oss
steps:
Expand Down Expand Up @@ -217,6 +225,7 @@ jobs:
if-no-files-found: error

test-unprivileged:
name: Test NGINX OSS unprivileged image
runs-on: ubuntu-22.04
needs: build-unprivileged-for-test
steps:
Expand Down Expand Up @@ -258,6 +267,7 @@ jobs:

# As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry
tag-and-push:
name: Tag and push all built and tested NGINX images
runs-on: ubuntu-22.04
needs: [test-oss, test-latest-njs, test-unprivileged]
if: |
2 changes: 1 addition & 1 deletion Dockerfile.buildkit.plus
@@ -1,4 +1,4 @@
FROM debian:bookworm-slim
FROM debian:bookworm-slim@sha256:155280b00ee0133250f7159b567a07d7cd03b1645714c3a7458b2287b0ca83cb

ENV NGINX_PLUS_VERSION 30-2
ENV NGINX_VERSION 1.25.1
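Review bot: pinning `debian:bookworm-slim` to a digest satisfies the Scorecard Pinned-Dependencies check and makes the base immutable, but it also freezes the base image's security patches until the digest is bumped, so the docker Dependabot entry added in this PR (which does cover this root-level file) needs its PRs merged promptly for the pin to stay honest. Keeping the `bookworm-slim` tag in front of the digest, as done here, is good practice: it is ignored at pull time but records which tag the digest was taken from. `Dockerfile.plus` pins the same digest, so the two files should be bumped together.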
11 changes: 6 additions & 5 deletions Dockerfile.oss
@@ -1,7 +1,8 @@
FROM nginx:1.25.3
FROM nginx:1.25.5@sha256:711cc227e3c4181ab27cde13cf662f6dd1d06d16b3344f871c6d04cbff22f6f8

ENV NGINX_VERSION "1.25.3"
ENV NJS_VERSION "0.8.2"
ENV NGINX_VERSION 1.25.5
ENV NJS_VERSION 0.8.4
ENV NJS_RELEASE 3~bookworm

ENV PROXY_CACHE_MAX_SIZE "10g"
ENV PROXY_CACHE_INACTIVE "60m"
Expand Down Expand Up @@ -32,12 +33,12 @@ RUN set -eux \
mkdir -p /var/cache/nginx/s3_proxy; \
chown nginx:nginx /var/cache/nginx/s3_proxy; \
chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; \
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
apt-get update; \
apt-get install --no-install-recommends --no-install-suggests --yes \
curl \
libedit2 \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE}; \
nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE}; \
apt-get remove --purge --auto-remove --yes; \
rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
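Review bot: the package pin on the last changed line now uses `${NJS_RELEASE}` (hard-coded to `3~bookworm` in the first hunk), while the apt sources line still derives the distro codename from `${PKG_RELEASE}`, which is not set anywhere in this file and appears to be inherited from the `nginx` base image. The two variables now have to be kept in step by hand whenever the base digest or `NJS_VERSION` is bumped; consider deriving the codename from `NJS_RELEASE` as well, or at least adding a comment stating where `PKG_RELEASE` comes from. The keyring path change to `/etc/apt/keyrings/nginx-archive-keyring.gpg` must match where the pinned `nginx:1.25.5` image stores its key; if it does not, `apt-get update` fails the `signed-by` check, which is at least a fail-closed outcome rather than an unsigned install.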

4 changes: 2 additions & 2 deletions Dockerfile.plus
@@ -1,10 +1,10 @@
FROM debian:bookworm-slim
FROM debian:bookworm-slim@sha256:155280b00ee0133250f7159b567a07d7cd03b1645714c3a7458b2287b0ca83cb

ENV NGINX_PLUS_VERSION 30-2
ENV NGINX_VERSION 1.25.1
ENV NJS_VERSION 30+0.8.0-1
ENV XSLT_VERSION 30-1

ENV PROXY_CACHE_MAX_SIZE "10g"
ENV PROXY_CACHE_INACTIVE "60m"
ENV PROXY_CACHE_SLICE_SIZE "1m"
2 changes: 1 addition & 1 deletion README.md
@@ -1,7 +1,7 @@
[![CI](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/main.yml/badge.svg)](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/main.yml)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/nginxinc/nginx-s3-gateway/badge)](https://securityscorecards.dev/viewer/?uri=github.com/nginxinc/nginx-s3-gateway)
[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
[![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](/SUPPORT.md))
[![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](/SUPPORT.md)
[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](/CODE_OF_CONDUCT.md)

# NGINX S3 Gateway
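Review bot: the CI badge on the first (unchanged) line still points at `actions/workflows/main.yml`, but this PR renames that workflow to `.github/workflows/s3-gateway.yml`, so once merged both the badge image and its link will 404. Update both occurrences in that line to `s3-gateway.yml`. The stray closing parenthesis on the Community Support badge is correctly removed.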
3 changes: 1 addition & 2 deletions examples/brotli-compression/Dockerfile.oss
@@ -1,5 +1,4 @@
FROM nginxinc/nginx-s3-gateway

FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
ENV BROTLI_VERSION "v1.0.0rc"

# Build Brotli module from source because there is no repository package
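Review bot: the hunk drops the blank line that separated `FROM` from the first `ENV`, which looks accidental since the other example Dockerfiles keep it; restore it for consistency. Also, a Brotli module built from source against the pinned image is tied to the exact nginx binary in that digest, so any future bump of the `nginxinc/nginx-s3-gateway` digest should be expected to require a rebuild of this example rather than a drop-in swap.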
2 changes: 1 addition & 1 deletion examples/gzip-compression/Dockerfile.oss
@@ -1,3 +1,3 @@
FROM nginxinc/nginx-s3-gateway
FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4

Collaborator:

Same comment. This is meant to be built on top of a local tag for the base build. Also pinning this example to some version would probably make the example not a great user experience since you could be wondering why you're stuck on an old version if you haven't clocked the SHA

Collaborator Author:

See previous comment

Collaborator:

So this just presents a bit of a maintenance issue since we'll have to periodically update these to make sure they don't reference a super old version. Let's leave the SHAs in for now since these have not been tested in a while anyway. I'll add a note in some of the organizational changes we make later to remind folks to update.

Collaborator Author:

Dependabot should hopefully take care of Docker SHA updates! 😁

COPY etc/nginx/conf.d /etc/nginx/conf.d
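Review bot: the thread above wants this example buildable against a local tag while the Scorecard check wants a pinned digest; both can be satisfied with a build argument, e.g. `ARG BASE_IMAGE=nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4` followed by `FROM ${BASE_IMAGE}`, so `docker build --build-arg BASE_IMAGE=<local tag>` overrides the pin for local work while the default stays pinned. The expectation in the thread that Dependabot will bump this digest only holds if a docker entry for this directory is added, since the entry in this PR is scoped to `/`.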
2 changes: 1 addition & 1 deletion examples/modsecurity/Dockerfile.oss
@@ -1,4 +1,4 @@
FROM nginxinc/nginx-s3-gateway
FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4

Collaborator:

Same comment. This is meant to be built on top of a local tag for the base build. Also pinning this example to some version would probably make the example not a great user experience since you could be wondering why you're stuck on an old version if you haven't clocked the SHA

Collaborator Author:

See previous comment

ENV MODSECURITY_VERSION "v1.0.1"
ENV OWASP_RULESET_VERSION "v3.3.0"
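Review bot: the digest pin matters more here than in the other examples: `MODSECURITY_VERSION v1.0.1` appears to refer to the ModSecurity-nginx connector, which is compiled as a dynamic module and must be built against exactly the nginx version shipped in the base image, so an unpinned `FROM` could produce a module that nginx rejects as not binary compatible after an upstream bump. A short comment on the `FROM` line saying that the digest and the module build go together would save the next maintainer a confusing failure.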