chore: upgrade actions/dependency-review-action to v4.9.0 (#1555)

* chore: upgrade actions/dependency-review-action to v4.9.0
---------

Co-authored-by: Aphral Griffin <a.griffin@f5.com>

Author: oCHRISo

.github/workflows/ci.yml

@@ -266,7 +266,101 @@ jobs:
           name: official-oss-integration-test-logs-${{ matrix.container.image }}-${{ matrix.container.version }}
           path: /tmp/integration-test-logs/
           retention-days: 3
+  official-plus-image-integration-tests:
+      name: Integration Tests - Official Plus Images
+      needs: build-unsigned-snapshot
+      runs-on: ubuntu-24.04
+      permissions:
+          id-token: write  # for OIDC authentication
+      if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
+      strategy:
+          fail-fast: false
+          matrix:
+              container:
+                  -   image: "alpine"
+                      version: "3.20"
+                      plus: "r32"
+                      release: "alpine"
+                      path: "/nginx-plus/agent"
+                  -   image: "debian"
+                      version: "bookworm"
+                      plus: "r32"
+                      release: "debian"
+                      path: "/nginx-plus/agent"
+                  -   image: "debian"
+                      version: "bookworm"
+                      plus: "r31"
+                      release: "debian"
+                      path: "/nginx-plus/agent"
+      steps:
+          -   uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              with:
+                  fetch-depth: 0
+          -   uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+              with:
+                  go-version-file: 'go.mod'
+          -   name: Download Packages
+              uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+              with:
+                  name: nginx-agent-unsigned-snapshots
+                  path: build
+
+          -   name: Get Secrets from Agent Key Vault
+              uses: ./.github/actions/az-sync
+              with:
+                  az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+                  az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+                  az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+                  keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
+                  secrets-filter: 'artifactory'
+
+          -   name: Sync Secrets from Common Key Vault
+              uses: ./.github/actions/az-sync
+              with:
+                  az_client_id: ${{ secrets.AZ_KEYVAULT_CLIENT_ID }}
+                  az_tenant_id: ${{ secrets.AZ_KEYVAULT_TENANT_ID }}
+                  az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+                  keyvault: ${{ secrets.AZ_KEYVAULT_COMMON }}
+                  secrets-filter: 'docker,nginx-private-registry,nginx-pkg'
+
+          -   name: Login to Docker Registry
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: ${{ env.nginx-private-registry-url }}
+                  username: ${{ env.nginx-pkg-jwt }}
+                  password: "none"
+
+          -   name: Set Start Time
+              run: echo "START_TIME=$(date +"%Y-%m-%dT%H:%M:%S.%NZ")" >> ${GITHUB_ENV}
+          -   name: Create Directory
+              run: mkdir -p ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/
+          -   name: Start Promtail
+              uses: ./.github/actions/start-promtail
+              with:
+                  loki-dashboard-url: ${{ secrets.LOKI_DASHBOARD_URL }}
+          -   name: Run Integration Tests
+              run: |
+                  go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }}
+                  CONTAINER_NGINX_IMAGE_REGISTRY="${{ env.nginx-private-registry-url }}" TAG="${{ matrix.container.plus }}-${{ matrix.container.image }}-${{ matrix.container.version }}" \
+                  OS_RELEASE="${{ matrix.container.release }}" IMAGE_PATH="${{ matrix.container.path }}" \
+                    make official-image-integration-test | tee ${{github.workspace}}/test/dashboard/logs/${{github.job}}/${{matrix.container.image}}${{matrix.container.version}}/raw_logs.log && exit "${PIPESTATUS[0]}"
+          -   name: Generate Test Results
+              if: always()
+              run: bash ./scripts/workflow/generate_results.sh ${{job.status}} ${{env.START_TIME}} ${{github.job}}/${{matrix.container.image}}${{matrix.container.version}} ${{github.workspace}}
+          -   name: Container Output Logs
+              if: failure()
+              run: |
+                  docker ps -a
+                  dockerid=$(docker ps -a --format "{{.ID}}")
+                  docker logs "$dockerid"
 
+          -   name: Archive integration test logs
+              if: success() || failure()
+              uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+              with:
+                  name: official-plus-integration-test-logs-${{ matrix.container.image }}-${{ matrix.container.version }}-${{ matrix.container.plus }}
+                  path: /tmp/integration-test-logs/
+                  retention-days: 3
   performance-test:
     name: Performance Tests
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}

.github/workflows/dependency-review.yml

@@ -25,6 +25,6 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
         with:
           config-file: "nginx/k8s-common/dependency-review-config.yml@main"

test/integration/utils/test_container_utils.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"os"
 	"regexp"
+	"strings"
 	"testing"
 
 	"github.com/docker/docker/api/types/container"
@@ -200,7 +201,12 @@ func LogAndTerminateContainers(
 
 	tb.Log(logs)
 	if expectNoErrorsInLogs {
-		assert.NotContains(tb, logs, "level=ERROR", "agent log file contains logs at error level")
+		for _, line := range strings.Split(logs, "\n") {
+			if strings.Contains(line, "level=ERROR") &&
+				!strings.Contains(line, "NGINX master process not found yet, waiting for NGINX to start...") {
+				assert.Fail(tb, "agent log file contains logs at error level", line)
+			}
+		}
 	}
 
 	err = agentContainer.Terminate(ctx)
@@ -267,7 +273,12 @@ func TestAgentHasNoErrorLogs(t *testing.T, agentContainer testcontainers.Contain
 		assert.Fail(t, "failed log content for semver value passed to Agent")
 	}
 
-	assert.NotContains(t, string(agentLogContent), "level=error", "agent log file contains logs at error level")
+	for _, line := range strings.Split(string(agentLogContent), "\n") {
+		if strings.Contains(line, "level=error") &&
+			!strings.Contains(line, "NGINX master process not found yet, waiting for NGINX to start...") {
+			assert.Fail(t, "agent log file contains logs at error level", line)
+		}
+	}
 	assert.NotContains(t, string(agentLogContent), "level=panic", "agent log file contains logs at panic level")
 	assert.NotContains(t, string(agentLogContent), "level=fatal", "agent log file contains logs at fatal level")
 }