Merge branch 'nginx:main' into bgv/nim-nap-otel-log-parser

Author: devbgv

.codecov.yml

@@ -0,0 +1,54 @@
+# Codecov configuration file
+# This file configures code coverage reporting and requirements for the project
+coverage:
+
+  # Coverage status configuration
+  status:
+
+    # Project-level coverage settings
+    project:
+
+      # Default status check configuration
+      default:
+
+        # The minimum required coverage value for the project
+        target: 80%
+
+        # The allowed coverage decrease before failing the status check
+        threshold: 0%
+
+        # Whether to run coverage checks only on pull requests
+        only_pulls: false
+
+    # Patch-level coverage settings
+    patch:
+
+      default:
+
+        target: 80%
+        threshold: 0%
+        only_pulls: false
+
+comment:
+  layout: "header,diff,files,footer"
+  behavior: default
+  require_changes: false
+  require_base: false
+  require_head: true
+
+
+# Ignore files or packages matching their paths
+ignore:
+  - '\.pb\.go$'       # Excludes all protobuf generated files
+  - '\.gen\.go'      # Excludes generated files
+  - '^fake_.*\.go'    # Excludes fakes
+  - '^test/.*$'
+  - 'app.go'          # app.go and main.go should be tested by integration tests.
+  - 'main.go'
+  # ignore metadata generated files
+  - 'metadata/generated_.*\.go'
+  # ignore wrappers around gopsutil
+  - 'internal/datasource/host'
+  - 'internal/watcher/process'
+  - 'pkg/nginxprocess'
+

.github/actions/configure-goproxy/action.yml

@@ -0,0 +1,36 @@
+name: configure-goproxy
+author: s.breen
+description: Sets the current Go module proxy based on the presence of a private proxy URL in secrets
+inputs:
+  user:
+    description: Artifactory username secret name
+    required: false
+    default: ""
+  token:
+    description: Artifactory token secret name
+    required: false
+    default: ""
+  url:
+    description: Artifactory URL
+    required: false
+    default: ""
+runs:
+  using: 'composite'
+  steps:
+    - name: Configure Go Proxy
+      id: configure-goproxy
+      shell: bash
+      run: |
+        if [[ -z "${{ inputs.user }}" ]] || \
+        [[ -z "${{ inputs.token }}" ]] || \
+        [[ -z "${{ inputs.url }}" ]] || \
+        [[ "${{ github.event.pull_request.head.repo.fork }}" == 'true' ]] ||
+        [[ "${{ startsWith(github.head_ref, 'dependabot-')}}" == 'true' ]] ; then
+          echo "No Artifactory secrets available - using direct GOPROXY"
+          GOPROXY_VALUE="direct"
+        else
+          echo "Development mode - using dev Artifactory"
+          GOPROXY_VALUE="https://${{ inputs.user }}:${{ inputs.token }}@${{ inputs.url }}"
+        fi
+        echo "GOPROXY=${GOPROXY_VALUE}" >> $GITHUB_ENV
+    

.github/workflows/assertion.yml

@@ -0,0 +1,89 @@
+
+name: Generate and Sign Assertion Document
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        type: string
+        description: "The branch to run the assertion workflow on"
+        required: false
+        default: main
+
+jobs:
+  build-assertion-document:
+    name: Build and Generate Assertion Document
+    runs-on: ubuntu-22.04
+    if: ${{ !github.event.pull_request.head.repo.fork }}
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency"
+    outputs:
+      agent_binary: ${{ steps.check_binary.outputs.agent_binary }}
+      goversionm: ${{ steps.godeps.outputs.goversionm }}
+      assertion_document: ${{ steps.assertiondoc.outputs.assertion-document-path }}
+    strategy:
+        matrix:
+            osarch: [amd64, arm64]
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Gather build dependencies
+        id: godeps
+        run: |
+          if [ -z ${{inputs.branch}} ]; then
+            echo "No branch input provided, using current branch: $GITHUB_REF_NAME"
+          else
+            echo "Checking out branch: ${{inputs.branch}}"
+            git checkout ${{inputs.branch}}
+          fi
+          echo "Current branch: $GITHUB_REF_NAME"
+          echo "branch_name=$GITHUB_REF_NAME" >> $GITHUB_ENV
+          GO_VERSION=$(go version | awk '{print $3}' | sed 's/go//')
+          echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
+          echo "GO_VERSION=$GO_VERSION"
+          echo "time_start=$(date +%s)" >> $GITHUB_ENV
+          OSARCH=${{matrix.osarch}} make build
+          echo "time_end=$(date +%s)" >> $GITHUB_ENV
+          echo "Build time: $((time_end - time_start)) seconds"
+          
+          echo "Getting sha256sum of the built nginx-agent binary..."
+          echo "agent-digest=$(sha256sum build/nginx-agent | awk '{print $1}')" >> $GITHUB_ENV
+          
+          echo "Checking dependencies..."
+          go version -m build/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt
+          ls -l goversionm_*.txt
+          echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV
+
+      - name: Generate Assertion Document
+        id: assertiondoc
+        uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        with:
+          artifact-name: nginx-agent_${{ env.branch_name }}_${{ matrix.osarch }}
+          artifact-digest: ${{ env.agent-digest }}
+          build-type: 'github'
+          builder-id: 'github.com'
+          builder-version: '${{env.GO_VERSION}}_test'
+          invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
+          artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
+          artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
+          artifactory-repo: 'f5-nginx-go-local-approved-dependency'
+          assertion-doc-file: assertion_nginx-agent_${{env.branch_name}}_${{matrix.osarch}}.json
+          build-content-path: ${{ env.goversionm }}
+          started-on: '${{ env.time_start }}'
+          finished-on: '${{ env.time_end }}'
+
+      - name: Sign and Store Assertion Document
+        id: sign
+        uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        with:
+          assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}

.github/workflows/ci.yml

@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-22.04
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     env:
-      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev"
+      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL_DEV }}"
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
@@ -46,6 +46,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Configure Go Proxy
+        uses: ./.github/actions/configure-goproxy
+        with:
+          user: ${{ secrets.ARTIFACTORY_USER }}
+          token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          url: ${{ secrets.ARTIFACTORY_URL_DEV }}
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
             go-version-file: 'go.mod'
@@ -62,26 +68,35 @@ jobs:
         contents: write
       steps:
           - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+          - name: Configure Go Proxy
+            uses: ./.github/actions/configure-goproxy
+            with:
+              user: ${{ secrets.ARTIFACTORY_USER }}
+              token: ${{ secrets.ARTIFACTORY_TOKEN }}
+              url: ${{ secrets.ARTIFACTORY_URL_DEV }}
           - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
             with:
                 go-version-file: 'go.mod'
                 cache: false
           - name: Run Unit Tests
             run: make unit-test
-          - name: Check Coverage
-            uses: vladopajic/go-test-coverage@dd4b1f21c4e48db0425e1187d2845404b1206919
+          - name: Uplaod Test Coverage
+            uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
             with:
-              config: ./.testcoverage.yaml
-              ## when token is not specified (value '') this feature is turned off
-              git-token: ${{ github.ref_name == 'main' && secrets.GITHUB_TOKEN || '' }}
-              ## name of orphaned branch where badges are stored
-              git-branch: badges
+              files: ./build/test/coverage.out
+              token: ${{ secrets.CODECOV_TOKEN }}
 
   race-condition-test:
       name: Unit tests with race condition detection
       runs-on: ubuntu-22.04
       steps:
           - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+          - name: Configure Go Proxy
+            uses: ./.github/actions/configure-goproxy
+            with:
+              user: ${{ secrets.ARTIFACTORY_USER }}
+              token: ${{ secrets.ARTIFACTORY_TOKEN }}
+              url: ${{ secrets.ARTIFACTORY_URL_DEV }}
           - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
             with:
                 go-version-file: 'go.mod'
@@ -96,6 +111,12 @@ jobs:
           - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
             with:
               fetch-tags: 'true'
+          - name: Configure Go Proxy
+            uses: ./.github/actions/configure-goproxy
+            with:
+              user: ${{ secrets.ARTIFACTORY_USER }}
+              token: ${{ secrets.ARTIFACTORY_TOKEN }}
+              url: ${{ secrets.ARTIFACTORY_URL_DEV }}
           - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
             with:
                 go-version-file: 'go.mod'
@@ -127,6 +148,12 @@ jobs:
           version: "3.22"
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Configure Go Proxy
+        uses: ./.github/actions/configure-goproxy
+        with:
+          user: ${{ secrets.ARTIFACTORY_USER }}
+          token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          url: ${{ secrets.ARTIFACTORY_URL_DEV }}
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version-file: 'go.mod'
@@ -171,6 +198,12 @@ jobs:
             version: "3.22"
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Configure Go Proxy
+        uses: ./.github/actions/configure-goproxy
+        with:
+          user: ${{ secrets.ARTIFACTORY_USER }}
+          token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          url: ${{ secrets.ARTIFACTORY_URL_DEV }}
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version-file: 'go.mod'
@@ -222,6 +255,12 @@ jobs:
             release: "alpine"
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Configure Go Proxy
+        uses: ./.github/actions/configure-goproxy
+        with:
+          user: ${{ secrets.ARTIFACTORY_USER }}
+          token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          url: ${{ secrets.ARTIFACTORY_URL_DEV }}
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version-file: 'go.mod'
@@ -283,6 +322,12 @@ jobs:
           path: "/nginx-plus/agent"
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Configure Go Proxy
+        uses: ./.github/actions/configure-goproxy
+        with:
+          user: ${{ secrets.ARTIFACTORY_USER }}
+          token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          url: ${{ secrets.ARTIFACTORY_URL_DEV }}
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version-file: 'go.mod'
@@ -293,7 +338,7 @@ jobs:
           name: nginx-agent-unsigned-snapshots
           path: build
       - name: Login to Docker Registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ secrets.TEST_REGISTRY_URL }}
           username: ${{ secrets.REGISTRY_USERNAME }}
@@ -342,7 +387,13 @@ jobs:
             version: "mainline"
             release: "alpine"
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Configure Go Proxy
+        uses: ./.github/actions/configure-goproxy
+        with:
+          user: ${{ secrets.ARTIFACTORY_USER }}
+          token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          url: ${{ secrets.ARTIFACTORY_URL_DEV }}
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version-file: 'go.mod'
@@ -403,7 +454,13 @@ jobs:
             release: "debian"
             path: "/nginx-plus/agent"
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Configure Go Proxy
+        uses: ./.github/actions/configure-goproxy
+        with:
+          user: ${{ secrets.ARTIFACTORY_USER }}
+          token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          url: ${{ secrets.ARTIFACTORY_URL_DEV }}
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version-file: 'go.mod'
@@ -414,7 +471,7 @@ jobs:
           name: nginx-agent-unsigned-snapshots
           path: build
       - name: Login to Docker Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ secrets.TEST_REGISTRY_URL }}
           username: ${{ secrets.REGISTRY_USERNAME }}
@@ -449,6 +506,12 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Configure Go Proxy
+        uses: ./.github/actions/configure-goproxy
+        with:
+          user: ${{ secrets.ARTIFACTORY_USER }}
+          token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          url: ${{ secrets.ARTIFACTORY_URL_DEV }}
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version-file: 'go.mod'

.github/workflows/dependency-review.yml

@@ -25,6 +25,6 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
+        uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1
         with:
           config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"