Merge branch 'main' into waf-nim-compile

nginx · Jul 30, 2024 · 8e12720 · 8e12720
2 parents 9f00c1a + 67c9ad0
commit 8e12720
Show file tree

Hide file tree

Showing 24 changed files with 212 additions and 112 deletions.
diff --git a/.github/config/config-gcr-retag b/.github/config/config-gcr-retag
@@ -1,6 +1,6 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl" "-alpine-fips")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 declare -a ADDITIONAL_TAGS=()
diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
 export PUBLISH_OSS=false
diff --git a/.github/data/matrix-images-nap.json b/.github/data/matrix-images-nap.json
@@ -33,24 +33,6 @@
       "platforms": "linux/amd64",
       "nap_modules": "waf,dos"
     },
-    {
-      "image": "ubi-9-plus-nap",
-      "target": "aws",
-      "platforms": "linux/amd64",
-      "nap_modules": "waf"
-    },
-    {
-      "image": "ubi-8-plus-nap",
-      "target": "aws",
-      "platforms": "linux/amd64",
-      "nap_modules": "dos"
-    },
-    {
-      "image": "ubi-8-plus-nap",
-      "target": "aws",
-      "platforms": "linux/amd64",
-      "nap_modules": "waf,dos"
-    },
     {
       "image": "alpine-plus-nap-fips",
       "target": "goreleaser",

diff --git a/.github/data/matrix-images-plus.json b/.github/data/matrix-images-plus.json
@@ -8,10 +8,14 @@
     "linux/arm64, linux/amd64"
   ],
   "target": [
-    "goreleaser",
-    "aws"
+    "goreleaser"
   ],
   "include": [
+    {
+      "image": "debian-plus",
+      "platforms": "linux/arm64, linux/amd64",
+      "target": "aws"
+    },
     {
       "image": "ubi-plus",
       "platforms": "linux/arm64, linux/amd64, linux/s390x",

diff --git a/.github/scripts/exclude_ci_files.txt b/.github/scripts/exclude_ci_files.txt
@@ -15,6 +15,8 @@
 .github/workflows/build-base-images.yml
 .github/workflows/build-ot-dependency.yml
 .github/workflows/build-test-image.yml
+.github/workflows/build-ubi-dependency.yml
+.github/workflows/build-single-image.yml
 .github/workflows/cache-update.yml
 .github/workflows/cherry-pick.yml
 .github/workflows/codeql-analysis.yml

diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
@@ -58,7 +58,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
@@ -123,7 +123,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
@@ -191,7 +191,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 
       - name: Authenticate to Google Cloud
         id: auth

diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
@@ -119,7 +119,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Base Container

diff --git a/.github/workflows/build-ot-dependency.yml b/.github/workflows/build-ot-dependency.yml
@@ -52,7 +52,7 @@ jobs:
           platforms: arm,arm64,ppc64le,s390x
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
         with:
           buildkitd-flags: --debug
 

diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
@@ -124,7 +124,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Base Container

diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml
@@ -0,0 +1,82 @@
+name: Build single image
+run-name: Building gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/${{ github.actor }}-dev/${{ inputs.prefix }}:${{ inputs.tag }} by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'Image build make target to call'
+        required: true
+        type: string
+      prefix:
+        description: 'Image prefix to use in GCR, e.g. nginx-ic'
+        required: true
+        type: string
+      tag:
+        description: 'Image tag to use in GCR, e.g. 3.7.0-SNAPSHOT'
+        required: true
+        type: string
+      branch:
+        description: 'Branch to checkout for build'
+        required: false
+        type: string
+        default: main
+      plus_repo:
+        description: 'Plus repo to install from'
+        required: true
+        default: 'pkgs.nginx.com'
+        type: choice
+        options:
+          - pkgs.nginx.com
+          - pkgs-test.nginx.com
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for docker/build-push-action to read repo content
+      id-token: write # for login to GCP
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          ref: ${{ inputs.branch }}
+          fetch-depth: 0
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+
+      - name: Build Image
+        run: |
+          make ${{ inputs.target }}
+        env:
+          REGISTRY: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/${{ github.actor }}-dev
+          PREFIX: ${{ inputs.prefix }}
+          TAG: ${{ inputs.tag }}
+          PLUS_REPO: ${{ inputs.plus_repo }}
+
+      - name: Push image
+        run:
+          docker push gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/${{ github.actor }}-dev/${{ inputs.prefix }}:${{ inputs.tag }}
diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml
@@ -31,7 +31,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 
       - name: Authenticate to Google Cloud
         id: auth

diff --git a/.github/workflows/build-ubi-dependency.yml b/.github/workflows/build-ubi-dependency.yml
@@ -94,7 +94,7 @@ jobs:
           platforms: arm64,ppc64le,s390x
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -304,6 +304,7 @@ jobs:
       full-build: ${{ inputs.force && inputs.force || false }}
       tag: ${{ needs.checks.outputs.build_tag }}
       branch: ${{ (github.head_ref && needs.checks.outputs.forked_workflow != 'true') && github.head_ref || github.ref }}
+      ic-version: ${{ needs.checks.outputs.ic_version }}
     permissions:
       contents: read
       actions: read
@@ -329,6 +330,7 @@ jobs:
       tag: ${{ needs.checks.outputs.build_tag }}
       authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
       full-build: ${{ inputs.force && inputs.force || false }}
+      ic-version: ${{ needs.checks.outputs.ic_version }}
     permissions:
       contents: read
       id-token: write
@@ -353,6 +355,7 @@ jobs:
       nap-modules: ${{ matrix.nap_modules }}
       authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
       full-build: ${{ inputs.force && inputs.force || false }}
+      ic-version: ${{ needs.checks.outputs.ic_version }}
     permissions:
       contents: read
       id-token: write # gcr login
@@ -435,7 +438,7 @@ jobs:
         if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
         if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
 
       - name: Build Docker Image ${{ matrix.base-os }}
@@ -529,7 +532,7 @@ jobs:
           echo "matrix_nap=$(cat .github/data/matrix-smoke-nap.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 
       - name: Authenticate to Google Cloud
         id: auth

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -70,7 +70,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -89,7 +89,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+        uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -102,6 +102,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
@@ -112,6 +112,42 @@ jobs:
           echo stable_tag: ${{ steps.vars.outputs.stable_tag }}
           echo stable_image_exists: ${{ steps.stable_exists.outputs.exists }}
 
+  govulncheck:
+    name: Run govulncheck
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup Golang Environment
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: go.mod
+
+      - name: govulncheck
+        uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # v1.0.3
+        with:
+          output-format: sarif
+          output-file: govulncheck.sarif
+
+      - name: Check SARIF file
+        id: check-sarif
+        run: |
+          if [ -s govulncheck.sarif ] && grep -q '"results":' govulncheck.sarif; then
+            echo "sarif_has_results=true" >> $GITHUB_OUTPUT
+          else
+            echo "sarif_has_results=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        if: steps.check-sarif.outputs.sarif_has_results == 'true'
+        with:
+          sarif_file: govulncheck.sarif
+
   binaries:
     name: Build Binaries
     runs-on: ubuntu-22.04
@@ -170,6 +206,7 @@ jobs:
       authenticated: true
       tag: ${{ needs.checks.outputs.build_tag }}
       branch: ${{ github.ref }}
+      ic-version: ${{ needs.checks.outputs.ic_version }}
     permissions:
       contents: read
       actions: read
@@ -196,6 +233,7 @@ jobs:
       authenticated: true
       tag: ${{ needs.checks.outputs.build_tag }}
       branch: ${{ github.ref }}
+      ic-version: ${{ needs.checks.outputs.ic_version }}
     permissions:
       contents: read
       actions: read
@@ -223,6 +261,7 @@ jobs:
       authenticated: true
       tag: ${{ needs.checks.outputs.build_tag }}
       branch: ${{ github.ref }}
+      ic-version: ${{ needs.checks.outputs.ic_version }}
     permissions:
       contents: read
       actions: read
@@ -427,7 +466,7 @@ jobs:
           overwrite: true
 
       - name: Upload Scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           sarif_file: "${{ steps.directory.outputs.directory }}/"
 
@@ -517,7 +556,7 @@ jobs:
           overwrite: true
 
       - name: Upload Scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           sarif_file: "${{ steps.directory.outputs.directory }}/"
 
@@ -614,7 +653,7 @@ jobs:
           overwrite: true
 
       - name: Upload Scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           sarif_file: "${{ steps.directory.outputs.directory }}/"