nginx
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 4 additions & 5 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎.github/workflows/nightly-scans.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/nightly-scans.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/workflows/release-branch.yml‎
Lines changed: 3 additions & 4 deletions b/‎.github/workflows/release-branch.yml‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎.github/workflows/scorecards.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecards.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/upload-release-assets.yml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/upload-release-assets.yml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎api/grpc/mpi/v1/command.pb.go‎
Lines changed: 219 additions & 134 deletions b/‎api/grpc/mpi/v1/command.pb.go‎
Lines changed: 219 additions & 134 deletions
diff --git a/‎api/grpc/mpi/v1/command.pb.validate.go‎
Lines changed: 2 additions & 0 deletions b/‎api/grpc/mpi/v1/command.pb.validate.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎api/grpc/mpi/v1/command.proto‎
Lines changed: 13 additions & 0 deletions b/‎api/grpc/mpi/v1/command.proto‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎docs/proto/protos.md‎
Lines changed: 20 additions & 0 deletions b/‎docs/proto/protos.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎internal/bus/message_pipe.go‎
Lines changed: 19 additions & 5 deletions b/‎internal/bus/message_pipe.go‎
Lines changed: 19 additions & 5 deletions
@@ -87,15 +87,14 @@ jobs:
     name: Vulnerability Scan
     uses: ./.github/workflows/vulncheck.yml
     permissions:
-      security-events: write
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
     with:
       target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }}
 
   unit-test:
     name: Unit Tests
     runs-on: ubuntu-22.04
-    permissions:
-      contents: write
     steps:
         - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         - name: Configure Go Proxy
@@ -592,7 +591,7 @@ jobs:
     runs-on: ubuntu-22.04
     needs: build-unsigned-snapshot
     permissions:
-      contents: write
+      contents: write # Needed for pushing benchmark results to github branch
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Configure Go Proxy
@@ -634,7 +633,7 @@ jobs:
     name: Load Tests
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     permissions:
-      contents: write
+      contents: write # Needed for pushing benchmark results to github branch
     runs-on: ubuntu-22.04
     needs: build-unsigned-snapshot
     steps:
 
@@ -4,15 +4,24 @@ on:
     - cron: '0 2 * * *'  # Runs daily at 2:00 AM UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   scan-main:
     name: Vulnerability Scan - Main
     uses: ./.github/workflows/vulncheck.yml
+    permissions:
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
     with:
       target-branch: 'main'
 
   scan-v2:
     name: Vulnerability Scan - dev-v2
     uses: ./.github/workflows/vulncheck.yml
+    permissions:
+      contents: read
+      security-events: write # for reporting vulnerabilities via code-scanning API
     with:
       target-branch: 'dev-v2'
@@ -185,7 +185,7 @@ jobs:
     runs-on: ubuntu-22.04
     needs: [vars,release-draft]
     permissions:
-      contents: write
+      contents: write # Needed to tag a release
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -206,8 +206,7 @@ jobs:
     runs-on: ubuntu-22.04-amd64
     needs: [vars,release-draft,tag-release]
     permissions:
-      id-token: write
-      contents: write # Needed to update a release
+      id-token: write # Needed to get a token to upload packages to NGINX repo
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -314,7 +313,7 @@ jobs:
     runs-on: ubuntu-22.04
     needs: [vars,tag-release]
     permissions:
-      pull-requests: write
+      pull-requests: write # Needed to create pull request back into main branch
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
@@ -55,6 +55,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
         with:
           sarif_file: results.sarif
@@ -25,7 +25,7 @@ defaults:
     shell: bash
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   vars:
@@ -51,6 +51,8 @@ jobs:
     name: Upload assets
     runs-on: ubuntu-22.04
     needs: [vars]
+    permissions:
+      contents: write # Needed for uploading release assets to GitHub
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
@@ -152,12 +152,25 @@ message UpdateDataPlaneHealthResponse {}
 
 // Reports the status of an associated command. This may be in response to a ManagementPlaneRequest
 message DataPlaneResponse {
+    enum RequestType {
+        UNSPECIFIED_REQUEST = 0; 
+        CONFIG_APPLY_REQUEST = 1; 
+        CONFIG_UPLOAD_REQUEST = 2;
+        HEALTH_REQUEST = 3; 
+        STATUS_REQUEST = 4;
+        API_ACTION_REQUEST = 5; 
+        COMMAND_STATUS_REQUEST = 6; 
+        UPDATE_AGENT_CONFIG_REQUEST = 7;
+    }
+
     // Meta-information associated with a message
     mpi.v1.MessageMeta message_meta = 1;
     // The command response with the associated request
     mpi.v1.CommandResponse command_response = 2;
     // The instance identifier, if applicable, for this response
     string instance_id = 3;
+    // The management plane request type that is being responded to
+    RequestType request_type = 4;
 }
 
 // A Management Plane request for information, triggers an associated rpc on the Data Plane
 
@@ -85,6 +85,7 @@
     - [UpdateHTTPUpstreamServers](#mpi-v1-UpdateHTTPUpstreamServers)
     - [UpdateStreamServers](#mpi-v1-UpdateStreamServers)
 
+    - [DataPlaneResponse.RequestType](#mpi-v1-DataPlaneResponse-RequestType)
     - [InstanceHealth.InstanceHealthStatus](#mpi-v1-InstanceHealth-InstanceHealthStatus)
     - [InstanceMeta.InstanceType](#mpi-v1-InstanceMeta-InstanceType)
     - [Log.LogLevel](#mpi-v1-Log-LogLevel)
@@ -862,6 +863,7 @@ Reports the status of an associated command. This may be in response to a Manage
 | message_meta | [MessageMeta](#mpi-v1-MessageMeta) |  | Meta-information associated with a message |
 | command_response | [CommandResponse](#mpi-v1-CommandResponse) |  | The command response with the associated request |
 | instance_id | [string](#string) |  | The instance identifier, if applicable, for this response |
+| request_type | [DataPlaneResponse.RequestType](#mpi-v1-DataPlaneResponse-RequestType) |  | The management plane request type that is being responded to |
 
 
 
@@ -1326,6 +1328,24 @@ Update Upstream Stream Servers for an instance
 
 
 
+<a name="mpi-v1-DataPlaneResponse-RequestType"></a>
+
+### DataPlaneResponse.RequestType
+
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| UNSPECIFIED_REQUEST | 0 |  |
+| CONFIG_APPLY_REQUEST | 1 |  |
+| CONFIG_UPLOAD_REQUEST | 2 |  |
+| HEALTH_REQUEST | 3 |  |
+| STATUS_REQUEST | 4 |  |
+| API_ACTION_REQUEST | 5 |  |
+| COMMAND_STATUS_REQUEST | 6 |  |
+| UPDATE_AGENT_CONFIG_REQUEST | 7 |  |
+
+
+
 <a name="mpi-v1-InstanceHealth-InstanceHealthStatus"></a>
 
 ### InstanceHealth.InstanceHealthStatus
 
@@ -206,8 +206,13 @@ func (p *MessagePipe) Reconfigure(ctx context.Context, agentConfig *mpi.AgentCon
 
 		// If the agent update was received from a create connection request no data plane response needs to be sent
 		if topic == AgentConfigUpdateTopic {
-			response := p.createDataPlaneResponse(correlationID, mpi.CommandResponse_COMMAND_STATUS_FAILURE,
-				"Failed to update agent config", reconfigureError.Error())
+			response := p.createDataPlaneResponse(
+				correlationID,
+				mpi.CommandResponse_COMMAND_STATUS_FAILURE,
+				mpi.DataPlaneResponse_UPDATE_AGENT_CONFIG_REQUEST,
+				"Failed to update agent config",
+				reconfigureError.Error(),
+			)
 			p.bus.Publish(DataPlaneResponseTopic, ctx, &Message{Topic: DataPlaneResponseTopic, Data: response})
 		}
 
@@ -222,8 +227,13 @@ func (p *MessagePipe) Reconfigure(ctx context.Context, agentConfig *mpi.AgentCon
 
 	slog.InfoContext(ctx, "Finished reconfiguring plugins", "plugins", p.plugins)
 	if topic == AgentConfigUpdateTopic {
-		response := p.createDataPlaneResponse(correlationID, mpi.CommandResponse_COMMAND_STATUS_OK,
-			"Successfully updated agent config", "")
+		response := p.createDataPlaneResponse(
+			correlationID,
+			mpi.CommandResponse_COMMAND_STATUS_OK,
+			mpi.DataPlaneResponse_UPDATE_AGENT_CONFIG_REQUEST,
+			"Successfully updated agent config",
+			"",
+		)
 		p.bus.Publish(DataPlaneResponseTopic, ctx, &Message{Topic: DataPlaneResponseTopic, Data: response})
 	}
 }
@@ -339,7 +349,10 @@ func (p *MessagePipe) initPlugins(ctx context.Context) {
 	}
 }
 
-func (p *MessagePipe) createDataPlaneResponse(correlationID string, status mpi.CommandResponse_CommandStatus,
+func (p *MessagePipe) createDataPlaneResponse(
+	correlationID string,
+	status mpi.CommandResponse_CommandStatus,
+	requestType mpi.DataPlaneResponse_RequestType,
 	message, err string,
 ) *mpi.DataPlaneResponse {
 	return &mpi.DataPlaneResponse{
@@ -353,6 +366,7 @@ func (p *MessagePipe) createDataPlaneResponse(correlationID string, status mpi.C
 			Message: message,
 			Error:   err,
 		},
+		RequestType: requestType,
 	}
 }