nginx
diff --git a/‎.github/workflows/assertion.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/assertion.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎.github/workflows/dependency-review.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/dependency-review.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/nightly-scans.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/nightly-scans.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/workflows/release-branch.yml‎
Lines changed: 3 additions & 4 deletions b/‎.github/workflows/release-branch.yml‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎.github/workflows/scorecards.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecards.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/upload-release-assets.yml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/upload-release-assets.yml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/vulncheck.yml‎
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/vulncheck.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 1 deletion b/‎Makefile‎
Lines changed: 2 additions & 1 deletion
@@ -17,6 +17,9 @@ on:
         required: false
         default: false
 
+permissions:
+  contents: read
+
 jobs:
   build-assertion-document:
     name: Create Assertion Document
 
@@ -92,12 +92,14 @@ jobs:
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
           version: v2.4.0
+          skip-cache: true
 
   vulnerability-scan:
     name: Vulnerability Scan
     uses: ./.github/workflows/vulncheck.yml
     permissions:
-      security-events: write
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
     with:
       target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }}
 
@@ -667,7 +669,7 @@ jobs:
     needs: build-unsigned-snapshot
     permissions:
       id-token: write
-      contents: write
+      contents: write # Needed for pushing benchmark results to github branch
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Get Secrets from Azure Key Vault
@@ -714,7 +716,7 @@ jobs:
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     permissions:
       id-token: write
-      contents: write
+      contents: write # Needed for pushing benchmark results to github branch
     runs-on: ubuntu-22.04
     needs: build-unsigned-snapshot
     steps:
@@ -738,7 +740,7 @@ jobs:
           path: build
 
       - name: Set up Docker Build
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Set env
         run: echo "GO_VERSION=$(cat go.mod | grep toolchain | sed 's/toolchain //; s/go//')" >> $GITHUB_ENV
 
@@ -27,4 +27,4 @@ jobs:
       - name: "Dependency Review"
         uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
         with:
-          config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"
+          config-file: "nginx/k8s-common/dependency-review-config.yml@main"
@@ -4,15 +4,24 @@ on:
     - cron: '0 2 * * *'  # Runs daily at 2:00 AM UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   scan-main:
     name: Vulnerability Scan - Main
     uses: ./.github/workflows/vulncheck.yml
+    permissions:
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
     with:
       target-branch: 'main'
 
   scan-v2:
     name: Vulnerability Scan - dev-v2
     uses: ./.github/workflows/vulncheck.yml
+    permissions:
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
     with:
       target-branch: 'dev-v2'
@@ -185,7 +185,7 @@ jobs:
     runs-on: ubuntu-22.04
     needs: [vars,release-draft]
     permissions:
-      contents: write
+      contents: write # Needed to tag a release
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -206,8 +206,7 @@ jobs:
     runs-on: ubuntu-22.04-amd64
     needs: [vars,release-draft,tag-release]
     permissions:
-      id-token: write
-      contents: write # Needed to update a release
+      id-token: write # Needed to get a token to upload packages to NGINX repo
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -294,7 +293,7 @@ jobs:
     runs-on: ubuntu-22.04
     needs: [vars,tag-release]
     permissions:
-      pull-requests: write
+      pull-requests: write # Needed to create pull request back into main branch
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
@@ -55,6 +55,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
+        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
         with:
           sarif_file: results.sarif
@@ -25,7 +25,7 @@ defaults:
     shell: bash
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   vars:
@@ -51,6 +51,8 @@ jobs:
     name: Upload assets
     runs-on: ubuntu-22.04
     needs: [vars]
+    permissions:
+      contents: write # Needed for uploading release assets to GitHub
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
@@ -14,6 +14,9 @@ on:
         required: true
         default: 'main'
 
+permissions:
+  contents: read
+
 jobs:
   vulncheck:
     name: Vulnerability Check
@@ -25,7 +28,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
             fetch-depth: 0
-            ref: ${{ inputs.targetBranch || github.event.inputs.target-branch }}
+            ref: ${{ inputs.targetBranch || 'main' }}
 
       - name: Check Go version
         id: get-go-version
 
@@ -7,6 +7,7 @@ whitesource/
 .vscode/
 .idea/
 *.log
+!**/testdata/*.log
 *.test
 *.orig
 sdk/certs/**
 
@@ -110,6 +110,7 @@ $(RPM_PACKAGE):
 include Makefile.tools
 include Makefile.containers
 include Makefile.packaging
+include Makefile.weaver
 
 .PHONY: help clean no-local-changes build lint format unit-test integration-test run dev run-mock-management-grpc-server generate generate-mocks local-apk-package local-deb-package local-rpm-package
 help: ## Show help message
@@ -282,7 +283,7 @@ stop-mock-otel-collector-without-nap: ## Stop running mock management plane OTel
 	@echo "Stopping mock management plane OTel collector without NAP"
 	AGENT_IMAGE_WITH_NGINX_PLUS=nginx_plus_$(IMAGE_TAG):latest AGENT_IMAGE_WITH_NGINX_OSS=nginx_oss_$(IMAGE_TAG):latest $(CONTAINER_COMPOSE) -f ./test/mock/collector/docker-compose.yaml down
 
-generate: ## Generate golang code
+generate: nginx-metadata-gen nginxplus-metadata-gen ## Generate golang code
 	@echo "🗄️ Generating proto files"
 	@cd api/grpc && $(GORUN) $(BUF) generate
 	@echo "🗃️ Generating go files"