ci: address OSSF Scorecard warnings (#243)

* ci: address OSS scorecard warnings

* remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around
* remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot
* hopefully remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json`

* style: remove unnecessary closing parenthesis

* fix: remove SHAs from S3 Gateway image

* style: rename main workflow to be clearer

* ci: add `workflow_dispatch` and cron jobs

both the Scorecard and the S3 gateway build actions could use from both:
* being able to run the workflow on demand
* running the workflow once a week in case there's been no new builds/PRs in the last week

.github/dependabot.yml

@@ -1,6 +1,12 @@
 ---
 version: 2
 updates:
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ time: "00:00"
  - package-ecosystem: github-actions
  directory: /
  schedule:

.github/workflows/f5-cla.yml

@@ -1,18 +1,19 @@
+---
 name: F5 CLA
 on:
  issue_comment:
  types: [created]
  pull_request_target:
  types: [opened, closed, synchronize]
-
-permissions:
- actions: write
- pull-requests: write
- statuses: write
-
+permissions: read-all
 jobs:
  f5-cla:
+ name: F5 CLA
  runs-on: ubuntu-22.04
+ permissions:
+ actions: write
+ pull-requests: write
+ statuses: write
  steps:
  - name: Run F5 Contributor License Agreement (CLA) assistant
  if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
@@ -31,7 +32,7 @@ jobs:
  remote-repository-name: 'f5-cla-data'
  path-to-signatures: 'signatures/beta/signatures.json'
  # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
- allowlist: 4141done, dekobon, bot*
+ allowlist: 4141done, alessfg, dekobon, bot*
  # Do not lock PRs after a merge.
  lock-pullrequest-aftermerge: false
  env:

.github/workflows/ossf_scorecard.yml → .github/workflows/ossf-scorecard.yml

@@ -4,11 +4,12 @@ name: OSSF Scorecard
 on:
  # For Branch-Protection check. Only the default branch is supported. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
  branch_protection_rule:
+ push:
+ branches: [main]
  # To guarantee Maintained check is occasionally updated. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained.
  schedule:
  - cron: "0 0 * * 1"
- push:
- branches: [main]
+ workflow_dispatch:
 # Declare default permissions as read only.
 permissions: read-all
 jobs:

.github/workflows/main.yml → .github/workflows/s3-gateway.yml

@@ -1,10 +1,13 @@
 ---
-name: CI
+name: NGINX S3 Gateway CI/CD
 on:
  push:
  branches: [main]
  pull_request:
  branches: [main]
+ schedule:
+ - cron: "0 0 * * 1"
+ workflow_dispatch:
 env:
  CI: true
 permissions: read-all
@@ -24,6 +27,7 @@ permissions: read-all
 
 jobs:
  build-oss-for-test:
+ name: Build NGINX OSS image
  runs-on: ubuntu-22.04
  steps:
  - name: Check out the codebase
@@ -49,6 +53,7 @@ jobs:
  if-no-files-found: error
 
  test-oss:
+ name: Test NGINX OSS image
  runs-on: ubuntu-22.04
  needs: build-oss-for-test
  strategy:
@@ -91,6 +96,7 @@ jobs:
  run: S3_STYLE=${{ matrix.path_style }} ./test.sh --type oss
 
  build-latest-njs-for-test:
+ name: Build NGINX OSS image using latest njs commit
  runs-on: ubuntu-22.04
  needs: test-oss
  steps:
@@ -134,6 +140,7 @@ jobs:
  if-no-files-found: error
 
  test-latest-njs:
+ name: Test NGINX OSS image using latest njs commit
  runs-on: ubuntu-22.04
  needs: build-latest-njs-for-test
  steps:
@@ -174,6 +181,7 @@ jobs:
  run: ./test.sh --latest-njs --type oss
 
  build-unprivileged-for-test:
+ name: Build NGINX OSS unprivileged image
  runs-on: ubuntu-22.04
  needs: test-oss
  steps:
@@ -217,6 +225,7 @@ jobs:
  if-no-files-found: error
 
  test-unprivileged:
+ name: Test NGINX OSS unprivileged image
  runs-on: ubuntu-22.04
  needs: build-unprivileged-for-test
  steps:
@@ -258,6 +267,7 @@ jobs:
 
 # As a last step (only if run from main) multi-architecture images are built and pushed to Docker Hub and the GitHub Container Registry
  tag-and-push:
+ name: Tag and push all built and tested NGINX images
  runs-on: ubuntu-22.04
  needs: [test-oss, test-latest-njs, test-unprivileged]
  if: |

Dockerfile.buildkit.plus

@@ -1,4 +1,4 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:155280b00ee0133250f7159b567a07d7cd03b1645714c3a7458b2287b0ca83cb
 
 ENV NGINX_PLUS_VERSION 30-2
 ENV NGINX_VERSION 1.25.1

Dockerfile.oss

@@ -1,7 +1,8 @@
-FROM nginx:1.25.3
+FROM nginx:1.25.5@sha256:711cc227e3c4181ab27cde13cf662f6dd1d06d16b3344f871c6d04cbff22f6f8
 
-ENV NGINX_VERSION "1.25.3"
-ENV NJS_VERSION "0.8.2"
+ENV NGINX_VERSION 1.25.5
+ENV NJS_VERSION 0.8.4
+ENV NJS_RELEASE 3~bookworm
 
 ENV PROXY_CACHE_MAX_SIZE "10g"
 ENV PROXY_CACHE_INACTIVE "60m"
@@ -32,12 +33,12 @@ RUN set -eux \
  mkdir -p /var/cache/nginx/s3_proxy; \
  chown nginx:nginx /var/cache/nginx/s3_proxy; \
  chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; \
- echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
+ echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
  apt-get update; \
  apt-get install --no-install-recommends --no-install-suggests --yes \
  curl \
  libedit2 \
- nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE}; \
+ nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE}; \
  apt-get remove --purge --auto-remove --yes; \
  rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 

Dockerfile.plus

@@ -1,10 +1,10 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:155280b00ee0133250f7159b567a07d7cd03b1645714c3a7458b2287b0ca83cb
 
 ENV NGINX_PLUS_VERSION 30-2
 ENV NGINX_VERSION 1.25.1
 ENV NJS_VERSION 30+0.8.0-1
 ENV XSLT_VERSION 30-1
- 
+
 ENV PROXY_CACHE_MAX_SIZE "10g"
 ENV PROXY_CACHE_INACTIVE "60m"
 ENV PROXY_CACHE_SLICE_SIZE "1m"

README.md

@@ -1,7 +1,7 @@
 [![CI](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/main.yml/badge.svg)](https://github.com/nginxinc/nginx-s3-gateway/actions/workflows/main.yml)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/nginxinc/nginx-s3-gateway/badge)](https://securityscorecards.dev/viewer/?uri=github.com/nginxinc/nginx-s3-gateway)
 [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
-[![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](/SUPPORT.md))
+[![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](/SUPPORT.md)
 [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](/CODE_OF_CONDUCT.md)
 
 # NGINX S3 Gateway

examples/brotli-compression/Dockerfile.oss

@@ -1,5 +1,4 @@
-FROM nginxinc/nginx-s3-gateway
-
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 ENV BROTLI_VERSION "v1.0.0rc"
 
 # Build Brotli module from source because there is no repository package

examples/gzip-compression/Dockerfile.oss

@@ -1,3 +1,3 @@
-FROM nginxinc/nginx-s3-gateway
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 
 COPY etc/nginx/conf.d /etc/nginx/conf.d

examples/modsecurity/Dockerfile.oss

@@ -1,4 +1,4 @@
-FROM nginxinc/nginx-s3-gateway
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 
 ENV MODSECURITY_VERSION "v1.0.1"
 ENV OWASP_RULESET_VERSION "v3.3.0"