Merge branch 'main' into external-file-mgmt-integration

Author: Akshay2191

.github/workflows/assertion.yml

@@ -39,6 +39,9 @@ on:
       ARTIFACTORY_URL:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build-assertion-document:
     name: Create Assertion Document

.github/workflows/ci.yml

@@ -81,20 +81,20 @@ jobs:
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
           version: v2.4.0
+          skip-cache: true
 
   vulnerability-scan:
     name: Vulnerability Scan
     uses: ./.github/workflows/vulncheck.yml
     permissions:
-      security-events: write
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
     with:
       target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }}
 
   unit-test:
     name: Unit Tests
     runs-on: ubuntu-22.04
-    permissions:
-      contents: write
     steps:
         - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         - name: Configure Go Proxy
@@ -591,7 +591,7 @@ jobs:
     runs-on: ubuntu-22.04
     needs: build-unsigned-snapshot
     permissions:
-      contents: write
+      contents: write # Needed for pushing benchmark results to github branch
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Configure Go Proxy
@@ -633,7 +633,7 @@ jobs:
     name: Load Tests
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     permissions:
-      contents: write
+      contents: write # Needed for pushing benchmark results to github branch
     runs-on: ubuntu-22.04
     needs: build-unsigned-snapshot
     steps:
@@ -657,7 +657,7 @@ jobs:
           path: build
 
       - name: Set up Docker Build
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Set env
         run: echo "GO_VERSION=$(cat go.mod | grep toolchain | sed 's/toolchain //; s/go//')" >> $GITHUB_ENV

.github/workflows/dependency-review.yml

@@ -27,4 +27,4 @@ jobs:
       - name: "Dependency Review"
         uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
         with:
-          config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"
+          config-file: "nginx/k8s-common/dependency-review-config.yml@main"

.github/workflows/nightly-scans.yml

@@ -4,15 +4,24 @@ on:
     - cron: '0 2 * * *'  # Runs daily at 2:00 AM UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   scan-main:
     name: Vulnerability Scan - Main
     uses: ./.github/workflows/vulncheck.yml
+    permissions:
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
     with:
       target-branch: 'main'
 
   scan-v2:
     name: Vulnerability Scan - dev-v2
     uses: ./.github/workflows/vulncheck.yml
+    permissions:
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
     with:
       target-branch: 'dev-v2'

.github/workflows/release-branch.yml

@@ -185,7 +185,7 @@ jobs:
     runs-on: ubuntu-22.04
     needs: [vars,release-draft]
     permissions:
-      contents: write
+      contents: write # Needed to tag a release
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -206,8 +206,7 @@ jobs:
     runs-on: ubuntu-22.04-amd64
     needs: [vars,release-draft,tag-release]
     permissions:
-      id-token: write
-      contents: write # Needed to update a release
+      id-token: write # Needed to get a token to upload packages to NGINX repo
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -314,7 +313,7 @@ jobs:
     runs-on: ubuntu-22.04
     needs: [vars,tag-release]
     permissions:
-      pull-requests: write
+      pull-requests: write # Needed to create pull request back into main branch
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

.github/workflows/scorecards.yml

@@ -55,6 +55,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
+        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
         with:
           sarif_file: results.sarif

.github/workflows/upload-release-assets.yml

@@ -25,7 +25,7 @@ defaults:
     shell: bash
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   vars:
@@ -51,6 +51,8 @@ jobs:
     name: Upload assets
     runs-on: ubuntu-22.04
     needs: [vars]
+    permissions:
+      contents: write # Needed for uploading release assets to GitHub
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

.github/workflows/vulncheck.yml

@@ -14,6 +14,9 @@ on:
         required: false
         default: 'main'
 
+permissions:
+  contents: read
+
 jobs:
   vulncheck:
     name: Vulnerability Check
@@ -25,7 +28,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
             fetch-depth: 0
-            ref: ${{ inputs.targetBranch || 'main' }}
+            ref: ${{ inputs.target-branch || 'main' }}
 
       - name: Check Go version
         id: get-go-version

.gitignore

@@ -7,6 +7,7 @@ whitesource/
 .vscode/
 .idea/
 *.log
+!**/testdata/*.log
 *.test
 *.orig
 sdk/certs/**

Makefile

@@ -110,6 +110,7 @@ $(RPM_PACKAGE):
 include Makefile.tools
 include Makefile.containers
 include Makefile.packaging
+include Makefile.weaver
 
 .PHONY: help clean no-local-changes build lint format unit-test integration-test run dev run-mock-management-grpc-server generate generate-mocks local-apk-package local-deb-package local-rpm-package
 help: ## Show help message
@@ -282,7 +283,7 @@ stop-mock-otel-collector-without-nap: ## Stop running mock management plane OTel
 	@echo "Stopping mock management plane OTel collector without NAP"
 	AGENT_IMAGE_WITH_NGINX_PLUS=nginx_plus_$(IMAGE_TAG):latest AGENT_IMAGE_WITH_NGINX_OSS=nginx_oss_$(IMAGE_TAG):latest $(CONTAINER_COMPOSE) -f ./test/mock/collector/docker-compose.yaml down
 
-generate: ## Generate golang code
+generate: nginx-metadata-gen nginxplus-metadata-gen ## Generate golang code
 	@echo "🗄️ Generating proto files"
 	@cd api/grpc && $(GORUN) $(BUF) generate
 	@echo "🗃️ Generating go files"