nginx
diff --git a/‎.github/release-drafter.yml‎
Lines changed: 32 additions & 0 deletions b/‎.github/release-drafter.yml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎.github/release.yml‎
Lines changed: 26 additions & 0 deletions b/‎.github/release.yml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 4 additions & 3 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 63 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎.github/workflows/dependency-review.yml‎
Lines changed: 30 additions & 0 deletions b/‎.github/workflows/dependency-review.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/label-pr.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/label-pr.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/mend.yml‎
Lines changed: 33 additions & 0 deletions b/‎.github/workflows/mend.yml‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎.github/workflows/release-branch.yml‎
Lines changed: 12 additions & 47 deletions b/‎.github/workflows/release-branch.yml‎
Lines changed: 12 additions & 47 deletions
@@ -0,0 +1,32 @@
+autolabeler:
+    - label: 'documentation'
+      files:
+          - '*.md'
+      branch:
+          - '/docs{0,1}\/.+/'
+    - label: 'chore'
+      branch:
+          - '/chore\/.+/'
+      files:
+          - '*.go'
+    - label: 'bug'
+      branch:
+          - '/fix\/.+/'
+      title:
+          - '/fix/i'
+    - label: 'enhancement'
+      branch:
+          - '/enh\/.+/'
+          - '/enhancement\/.+/'
+          - '/feat\/.+/'
+          - '/feature\/.+/'
+      title:
+          - '/feat/i'
+    - label: 'dependencies'
+      files:
+          - 'go.mod'
+          - 'go.sum'
+          - 'vendor*'
+      branch:
+          - '/deps\/.+/'
+template: "not used, but required"
@@ -0,0 +1,26 @@
+changelog:
+    exclude:
+        labels:
+            - skip-changelog
+    categories:
+        - title: 🌟 Highlights
+          labels:
+              - highlights
+        - title: 🚀 Features
+          labels:
+              - enhancement
+        - title: 💣 Breaking Changes
+          labels:
+              - change
+        - title: 🐛 Bug Fixes
+          labels:
+              - bug
+        - title: 📝 Documentation
+          labels:
+              - documentation
+        - title: 🔨 Maintenance
+          labels:
+              - chore
+        - title: ⬆️ Dependencies
+          labels:
+              - dependencies
@@ -3,7 +3,7 @@ name: CI
 on:
   push:
     branches:
-    - 'v3'
+    - 'main'
     - 'release-*'
     paths-ignore:
     - "**.md"
@@ -15,6 +15,9 @@ on:
     - reopened
     - synchronize
 
+permissions:
+  contents: read
+
 env:
   NFPM_VERSION: 'v2.35.3'
 
@@ -90,8 +93,6 @@ jobs:
     strategy:
       matrix:
         container:
-        - image: "ubuntu"
-          version: "22.04"
         - image: "redhatenterprise"
           version: "9"
         - image: "alpine"
 
@@ -0,0 +1,63 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+      - dev-v2
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches:
+      - main
+      - dev-v2
+    paths-ignore:
+      - '**/vendor'
+  merge_group:
+  schedule:
+    - cron: "36 6 * * 4" # run every Thursday at 06:36 UTC
+
+concurrency:
+  group: ${{ github.ref_name }}-codeql
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  checks:
+    name: Checks and variables
+    runs-on: ubuntu-24.04
+    outputs:
+      docs_only: ${{ github.event.pull_request && steps.docs.outputs.docs_only == 'true' }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          fetch-depth: 0
+
+      - name: Filter only docs changes
+        id: docs
+        run: |
+          files=$(git diff --name-only HEAD^ | egrep -v "^site/" | egrep -v "^examples/" | egrep -v "^README.md")
+          if [ -z "$files" ]; then
+            echo "docs_only=true" >> $GITHUB_OUTPUT
+          else
+            echo "docs_only=false" >> $GITHUB_OUTPUT
+          fi
+          echo $files
+          cat $GITHUB_OUTPUT
+        shell: bash --noprofile --norc -o pipefail {0}
+
+  analyze:
+    if: ${{ needs.checks.outputs.docs_only != 'true' }}
+    needs: [checks]
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      packages: read
+      security-events: write # for github/codeql-action/autobuild to send a status report
+    name: Analyze
+    uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@c903bfe6c668eaba362cde6a7882278bc1564401 # v0.1
+    with:
+      requested_languages: go
@@ -0,0 +1,30 @@
+name: "Dependency Review"
+on:
+  pull_request:
+    branches:
+      - main
+      - release-*
+      - dev-v2
+  merge_group:
+
+concurrency:
+  group: ${{ github.ref_name }}-deps-review
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read # for actions/checkout
+      pull-requests: write # for actions/dependency-review-action to post comments
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
+        with:
+          config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"
@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [opened, reopened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   label-pr:
     permissions:
 
@@ -0,0 +1,33 @@
+name: Mend
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+*"
+    paths-ignore:
+      - docs/**
+  pull_request:
+    branches:
+      - main
+      - release-*
+    paths-ignore:
+      - docs/**
+
+concurrency:
+  group: ${{ github.ref_name }}-mend
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  mend:
+    if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) || (github.event_name == 'push' && github.event.repository.fork == false) }}
+    uses: nginxinc/compliance-rules/.github/workflows/mend.yml@a27656f8f9a8748085b434ebe007f5b572709aad # v0.2
+    secrets: inherit
+    with:
+      product_name: nginx-agent-v3_${{ github.ref_name }}
+      project_name: nginx-agent-v3
@@ -28,7 +28,7 @@ on:
         default: false
         type: boolean
       createPullRequest:
-        description: 'Create pull request back into v3'
+        description: 'Create pull request back into main'
         default: false
         type: boolean
       releaseBranch:
@@ -85,6 +85,8 @@ jobs:
     name: Update Release Draft
     runs-on: ubuntu-22.04
     needs: [vars]
+    permissions:
+      contents: write # Needed to create draft release
     outputs:
       release_id: ${{ steps.vars.outputs.RELEASE_ID }}
     steps:
@@ -104,6 +106,7 @@ jobs:
           version: ${{ inputs.packageVersion }}
         with:
           script: |
+            const ref = context.ref.split("/")[2]
             const {version} = process.env
             console.log(`The release version is v${version}`)
 
@@ -181,6 +184,8 @@ jobs:
     name: Tag Release
     runs-on: ubuntu-22.04
     needs: [vars,release-draft]
+    permissions:
+      contents: write
     steps:
       - name: Checkout Repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
@@ -205,7 +210,7 @@ jobs:
     needs: [vars,release-draft,tag-release]
     permissions:
       id-token: write
-      contents: read
+      contents: write # Needed to update a github release
     steps:
       - name: Checkout Repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
@@ -257,23 +262,6 @@ jobs:
           echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE}
           make package
 
-      - name: Azure Login
-        if: ${{ inputs.uploadAzure == true }}
-        uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
-        with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
-
-      - name: Azure Upload Release Packages
-        if: ${{ inputs.uploadAzure == true }}
-        uses: azure/CLI@965c8d7571d2231a54e321ddd07f7b10317f34d9 # v2.0.0
-        with:
-          inlineScript: |
-            for i in ./build/azure/packages/nginx-agent*; do
-              echo "Uploading ${i} to nginx-agent/${GITHUB_REF##*/}/${i##*/}"
-              az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \
-              --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n nginx-agent/${GITHUB_REF##*/}/${i##*/}
-            done
-
       - name: Install GPG tools
         if: ${{ inputs.publishPackages == true }}
         run: |
@@ -297,36 +285,13 @@ jobs:
         run: |
           make release
 
-      - name: Upload Release Assets
-        if: ${{ needs.vars.outputs.github_release == 'true' }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        # clobber overwrites existing assets of the same name
-        run: |
-          gh release upload --clobber v${{ inputs.packageVersion }} \
-            $(find ./build/github/packages -type f \( -name "*.deb" -o -name "*.rpm" -o -name "*.pkg" -o -name "*.apk" \))
-
-      - name: Publish Github Release
-        if: ${{ needs.vars.outputs.github_release == 'true' }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            const {RELEASE_ID} = process.env
-            const release = (await github.rest.repos.updateRelease({
-              owner: context.payload.repository.owner.login,
-              repo: context.payload.repository.name,
-              release_id: `${RELEASE_ID}`,
-              draft: false,
-            }))
-            console.log(`Release published: ${release.data.html_url}`)
-        env:
-          RELEASE_ID: ${{ needs.release-draft.outputs.release_id }}
-
   merge-release:
     if: ${{ needs.vars.outputs.create_pull_request == 'true' }}
-    name: Merge release branch back into V3 branch
+    name: Merge release branch back into main branch
     runs-on: ubuntu-22.04
     needs: [vars,tag-release]
+    permissions:
+      pull-requests: write
     steps:
       - name: Checkout Repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
@@ -339,11 +304,11 @@ jobs:
           script: |
             const { repo, owner } = context.repo;
             const result = await github.rest.pulls.create({
-              title: 'Merge ${{ github.ref_name }} back into v3',
+              title: 'Merge ${{ github.ref_name }} back into main',
               owner,
               repo,
               head: '${{ github.ref_name }}',
-              base: 'v3',
+              base: 'main',
               body: [
                 'This PR is auto-generated by the release workflow.'
               ].join('\n')