Merge branch 'main' into ot-build

.github/actions/smoke-tests/action.yaml

@@ -79,6 +79,7 @@ runs:
  -v ${{ github.workspace }}/tests:/workspace/tests \
  -v ${{ github.workspace }}/deployments:/workspace/deployments \
  -v ${{ github.workspace }}/config:/workspace/config \
+ -v ${{ github.workspace }}/pyproject.toml:/workspace/pyproject.toml \
  -v ${{ steps.k8s.outputs.test_output_path }}:${{ steps.k8s.outputs.test_output_path }} \
  -v ~/.kube/kind/config:/root/.kube/config ${{ inputs.test-image }} \
  --context=kind-${{ github.run_id }} \

.github/workflows/build-base-images.yml

@@ -61,7 +61,7 @@ jobs:
  uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
  - name: Setup QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
  with:
  platforms: arm,arm64,ppc64le,s390x
 
@@ -92,7 +92,7 @@ jobs:
  type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
 
  - name: Build Base Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: build/Dockerfile
  context: "."
@@ -126,7 +126,7 @@ jobs:
  uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
  - name: Setup QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
  with:
  platforms: arm64,s390x
 
@@ -157,7 +157,7 @@ jobs:
  type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
 
  - name: Build Base Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: build/Dockerfile
  context: "."
@@ -227,7 +227,7 @@ jobs:
  type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
 
  - name: Build Base Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: build/Dockerfile
  context: "."

.github/workflows/build-oss.yml

@@ -113,7 +113,7 @@ jobs:
  if: ${{ inputs.authenticated && ! inputs.full-build }}
 
  - name: Setup QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
  with:
  platforms: arm,arm64,ppc64le,s390x
  if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
@@ -123,7 +123,7 @@ jobs:
  if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
  - name: Build Base Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: build/Dockerfile
  context: "."
@@ -155,7 +155,7 @@ jobs:
  if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
  - name: Build Docker image
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  id: build-push
  with:
  file: build/Dockerfile

.github/workflows/build-plus.yml

@@ -118,7 +118,7 @@ jobs:
  if: ${{ inputs.authenticated && ! inputs.full-build }}
 
  - name: Setup QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
  with:
  platforms: arm,arm64,ppc64le,s390x
  if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
@@ -128,7 +128,7 @@ jobs:
  if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
  - name: Build Base Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: build/Dockerfile
  context: "."
@@ -165,7 +165,7 @@ jobs:
  if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
  - name: Build Docker image
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  id: build-push
  with:
  file: build/Dockerfile

.github/workflows/build-test-image.yml

@@ -49,7 +49,7 @@ jobs:
  password: ${{ steps.auth.outputs.access_token }}
 
  - name: Build Test-Runner Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: tests/Dockerfile
  context: "."

.github/workflows/ci.yml

@@ -439,7 +439,7 @@ jobs:
  if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
 
  - name: Build Docker Image ${{ matrix.base-os }}
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: build/Dockerfile
  context: "."
@@ -557,7 +557,7 @@ jobs:
  if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
 
  - name: Build Test-Runner Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: tests/Dockerfile
  context: "."

.github/workflows/codeql-analysis.yml

@@ -70,7 +70,7 @@ jobs:
 
  # Initializes the CodeQL tools for scanning.
  - name: Initialize CodeQL
- uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+ uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
  with:
  languages: ${{ matrix.language }}
  # If you wish to specify custom queries, you can do so here or in a config file.
@@ -89,7 +89,7 @@ jobs:
  # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
  # If this step fails, then you should remove it and run the build manually (see below)
  - name: Autobuild
- uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+ uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
 
  # ℹ️ Command-line programs to run using the OS shell.
  # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -102,6 +102,6 @@ jobs:
  # ./location_of_script_within_repo/buildscript.sh
 
  - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+ uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
  with:
  category: "/language:${{matrix.language}}"

.github/workflows/image-promotion.yml

@@ -427,7 +427,7 @@ jobs:
  overwrite: true
 
  - name: Upload Scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+ uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
  with:
  sarif_file: "${{ steps.directory.outputs.directory }}/"
 
@@ -517,7 +517,7 @@ jobs:
  overwrite: true
 
  - name: Upload Scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+ uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
  with:
  sarif_file: "${{ steps.directory.outputs.directory }}/"
 
@@ -607,7 +607,7 @@ jobs:
  overwrite: true
 
  - name: Upload Scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+ uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
  with:
  sarif_file: "${{ steps.directory.outputs.directory }}/"
 
@@ -616,13 +616,13 @@ jobs:
  runs-on: ubuntu-22.04
  needs: [checks]
  permissions:
- contents: read
+ contents: write
  steps:
  - name: Checkout Repository
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
  - name: Create/Update Draft
- uses: lucacome/draft-release@3ed3808cb75e4398e021a19a171ce62f4943f2f7 # v1.0.0
+ uses: lucacome/draft-release@8a63d32c79a171ae6048e614a8988f0ac3ed56d4 # v1.1.0
  id: release-notes
  with:
  minor-label: "enhancement"

.github/workflows/patch-image.yml

@@ -50,7 +50,7 @@ jobs:
  uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
  - name: Setup QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
  with:
  platforms: arm,arm64,ppc64le,s390x
 
@@ -70,7 +70,7 @@ jobs:
  password: ${{ steps.auth.outputs.access_token }}
 
  - name: Apply OS patches to Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: build/Dockerfile
  context: "."

.github/workflows/scorecards.yml

@@ -57,6 +57,6 @@ jobs:
 
  # Upload the results to GitHub's code scanning dashboard.
  - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+ uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
  with:
  sarif_file: results.sarif

.github/workflows/setup-smoke.yml

@@ -112,7 +112,7 @@ jobs:
  if: ${{ inputs.authenticated }}
 
  - name: Build Test-Runner Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: tests/Dockerfile
  context: "."
@@ -124,7 +124,7 @@ jobs:
  if: ${{ ( !inputs.authenticated || steps.check-image.outcome == 'failure' ) }}
 
  - name: Build ${{ inputs.image }} Container
- uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
  with:
  file: build/Dockerfile
  context: "."

build/Dockerfile

@@ -15,7 +15,7 @@ FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c763
 FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 AS alpine-fips-3.17
 FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc AS alpine-fips-3.19
 FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal
-FROM golang:1.22-alpine@sha256:ace6cc3fe58d0c7b12303c57afe6d6724851152df55e08057b43990b927ad5e8 AS golang-builder
+FROM golang:1.22-alpine@sha256:8c9183f715b0b4eca05b8b3dbf59766aaedb41ec07477b132ee2891ac0110a07 AS golang-builder
 
 
 ############################################# Base image for Alpine #############################################
@@ -29,7 +29,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 
 
 ############################################# Base image for Debian #############################################
-FROM nginx:1.27.0@sha256:9c367186df9a6b18c6735357b8eb7f407347e84aea09beb184961cb83543d46e AS debian
+FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df AS debian
 
 RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
  apt-get update \
@@ -214,7 +214,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \
 
 
 ############################################# Base image for Debian with NGINX Plus #############################################
-FROM debian:12-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 AS debian-plus
+FROM debian:12-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 AS debian-plus
 ARG NGINX_PLUS_VERSION
 
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
@@ -427,7 +427,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 
 
 ############################################# Base image for UBI with NGINX Plus and App Protect WAF & DoS #############################################
-FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap
+FROM redhat/ubi8@sha256:44d75007b39e0e1bbf1bcfd0721245add54c54c3f83903f8926fb4bef6827aa2 AS ubi-8-plus-nap
 ARG NAP_MODULES
 ARG NGINX_AGENT
 ARG NGINX_PLUS_VERSION
@@ -491,7 +491,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 
 
 ############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 #############################################
-FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap-v5
+FROM redhat/ubi8@sha256:44d75007b39e0e1bbf1bcfd0721245add54c54c3f83903f8926fb4bef6827aa2 AS ubi-8-plus-nap-v5
 ARG NAP_MODULES
 ARG NGINX_AGENT
 ARG NGINX_PLUS_VERSION