From 4391f761004c8452e582a7c83dac0ebf47a55b5b Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Mon, 6 Oct 2025 11:22:16 +0100
Subject: [PATCH 1/7] Use renovate to monitor dependencies on release branch
---
 .github/workflows/cherry-pick.yml | 2 +-
 renovate.json | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index 06dcb7e9b1..fff5f97929 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -15,7 +15,7 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-24.04
 name: Cherry pick into release branch
- if: ${{ (contains(github.event.pull_request.labels.*.name, 'dependencies') || contains(github.event.pull_request.labels.*.name, 'needs cherry pick')) && github.event.pull_request.merged == true }}
+ if: ${{ contains(github.event.pull_request.labels.*.name, 'needs cherry pick') && github.event.pull_request.merged == true }}
 steps:
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
diff --git a/renovate.json b/renovate.json
index a8e76236b3..94e4a823ce 100644
--- a/renovate.json
+++ b/renovate.json
@@ -179,6 +179,10 @@
 "timezone": "Europe/Dublin",
 "automerge": true,
 "automergeStrategy": "squash",
+ "baseBranchPatterns": [
+ "main",
+ "release-5.2"
+ ],
 "commitBodyTable": true,
 "configMigration": true,
 "customDatasources": {
From 2259cc38aec670c74ffcca35768dd03f0bad6cb0 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Tue, 7 Oct 2025 13:19:46 +0100
Subject: [PATCH 2/7] remove update docker sha schedule
---
 .github/workflows/update-docker-sha.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml
index f1f78b5ee2..e75ef9d6c7 100644
--- a/.github/workflows/update-docker-sha.yml
+++ b/.github/workflows/update-docker-sha.yml
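Review bot: In the `.github/workflows/cherry-pick.yml` hunk of patch 1/7, dropping the `dependencies` label from the `if:` condition means a dependency PR that Renovate does not itself open against the release branch (a manual bump, or a security fix raised by another tool) now reaches that branch only when someone adds `needs cherry pick` by hand. Nothing in the workflow records that new contract. A comment above the condition would do it, for example `# dependency updates reach release branches via Renovate baseBranchPatterns; label anything else 'needs cherry pick'`. The job's steps continue outside the hunk.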
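Review bot: In the `renovate.json` hunk of patch 1/7, `release-5.2` is added to `baseBranchPatterns` directly below `"automerge": true` and `"automergeStrategy": "squash"`, so updates would be squash-merged into the release branch without review unless a package rule outside the hunk narrows this. If no such rule exists, add one scoped to that branch, for example `{ "matchBaseBranches": ["release-5.2"], "automerge": false }`, or limit the release branch to patch and digest updates. The branch name is also a literal, so it has to be edited at every new release line or the release branch silently stops receiving updates.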
@@ -16,8 +16,6 @@ on:
 dry_run:
 type: boolean
 default: false
- schedule:
- - cron: "0 1 * * 1-5" # 01:00 UTC Mon-Fri
 defaults:
 run:
From 6070cece36f1e40f6736ffcb29a1307a918d05e6 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Tue, 7 Oct 2025 15:08:15 +0100
Subject: [PATCH 3/7] add renovate for helm schema
---
 renovate.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/renovate.json b/renovate.json
index 94e4a823ce..72a2397fff 100644
--- a/renovate.json
+++ b/renovate.json
@@ -174,6 +174,18 @@
 "source[\\s]+=[\\s]+\"github.com/(?\\S*)\"[\\s]+version[\\s]+=[\\s]+\"(?\\S*)\"",
 "version[\\s]+=[\\s]+\"(?\\S*)[\\s]+source[\\s]+=[\\s]+\"github.com/(?\\S*)\""
 ]
+ },
+ {
+ "customType": "regex",
+ "datasourceTemplate": "docker",
+ "depNameTemplate": "kindest/node",
+ "description": "Kubernetes version in helm schema file",
+ "managerFilePatterns": [
+ "/values\\.schema\\.json$/"
+ ],
+ "matchStrings": [
+ "master\\/(?v\\d+\\.\\d+\\.\\d+)\\/_definitions\\.json"
+ ]
 }
 ],
 "timezone": "Europe/Dublin",
From bcea851133eeaa8c8e9c03f55d9b5c7025c0af10 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Tue, 7 Oct 2025 15:08:51 +0100
Subject: [PATCH 4/7] commit it
---
 .goreleaser.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 4b44b0e9de..bf7d1eb756 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -7,6 +7,7 @@ builds:
 - id: kubernetes-ingress
 goos:
 - linux
+ - darwin
 goarch:
 - amd64
 - arm64
From 09ec990f05ef82c4e12eef2d57f23979f80309b4 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 8 Oct 2025 09:26:25 +0100
Subject: [PATCH 5/7] Remove no longer required workflow
---
 .github/scripts/exclude_ci_files.txt | 1 -
 .../workflows/update-kubernetes-version.yml | 55 -------------------
 2 files changed, 56 deletions(-)
 delete mode 100644 .github/workflows/update-kubernetes-version.yml
diff --git a/.github/scripts/exclude_ci_files.txt b/.github/scripts/exclude_ci_files.txt
index 8aa59ef9dc..f9c7bfd144 100644
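Review bot: In the `renovate.json` hunk of patch 3/7, the new custom manager uses the `kindest/node` Docker tag as a stand-in for the version directory in the schema URL matched by `matchStrings`. The two are published independently, so Renovate can rewrite `values.schema.json` to a `vX.Y.Z/_definitions.json` path that does not exist yet. Top-level automerge is enabled in this file (shown in patch 1/7), so unless a rule outside the hunk overrides it, such a bump could merge unreviewed. The workflow removed in patch 5/7 took the version from `K8S_CLUSTER_VERSION` in `tests/Makefile`, which kept chart and tests in step. To preserve that coupling, group this dependency with the one that bumps `tests/Makefile` through a shared `groupName`, and have CI fail when the referenced schema URL does not resolve.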
--- a/.github/scripts/exclude_ci_files.txt
+++ b/.github/scripts/exclude_ci_files.txt
@@ -49,7 +49,6 @@
 .github/workflows/stale.yml
 .github/workflows/update-docker-images.yml
 .github/workflows/update-docker-sha.yml
-.github/workflows/update-kubernetes-version.yml
 .github/workflows/update-release-draft.yml
 .github/workflows/updates-notification.yml
 .github/workflows/version-bump.yml
diff --git a/.github/workflows/update-kubernetes-version.yml b/.github/workflows/update-kubernetes-version.yml
deleted file mode 100644
index 8b5b355893..0000000000
--- a/.github/workflows/update-kubernetes-version.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-name: Update Kubernetes version in Helm chart
-on:
- push:
- branches:
- - main
- - release-*
- paths:
- - tests/Makefile
-
-concurrency:
- group: ${{ github.ref_name }}-k8s-version
- cancel-in-progress: true
-
-permissions:
- contents: read
-
-jobs:
- update-k8s-version:
- runs-on: ubuntu-24.04
- steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Get current k8s version from Kind image
- id: k8s-version
- run: |
- v=$(grep "^K8S_CLUSTER_VERSION" tests/Makefile | awk '{ print $3 }')
- echo "version=${v}" >> $GITHUB_OUTPUT
- cat $GITHUB_OUTPUT
-
- - name: Search for the version in the schema file
- id: search
- run: |
- found="false"
- if grep -q ${{ steps.k8s-version.outputs.version }} charts/nginx-ingress/values.schema.json; then
- found="true"
- fi
- echo "found=$found" >> $GITHUB_OUTPUT
- cat $GITHUB_OUTPUT
-
- - name: Replace version in Helm schema file
- run: |
- sed -i -e "s#/v[0-9]\+\.[0-9]\+\.[0-9]\+/_definitions.json#/${{ steps.k8s-version.outputs.version }}/_definitions.json#" charts/nginx-ingress/values.schema.json
- if: ${{ steps.search.outputs.found == 'false' }}
-
- - name: Create Pull Request
- uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
- with:
- token: ${{ secrets.NGINX_PAT }}
- commit-message: update kubernetes version to ${{ steps.k8s-version.outputs.version }} in helm schema
- title: update kubernetes version to ${{ steps.k8s-version.outputs.version }} in helm schema
- branch: chore/k8s-${{ steps.k8s-version.outputs.version }}
- author: nginx-bot
- body: |
- This automated PR updates the helm schema k8s version to ${{ steps.k8s-version.outputs.version }}.
- if: ${{ steps.search.outputs.found == 'false' }}
From 3279847fe05dac9ecc680d2de87528cdd29a95c3 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Wed, 8 Oct 2025 17:16:27 +0100
Subject: [PATCH 6/7] use renovate to manage NGINX OSS version
---
 .goreleaser.yml | 1 -
 Makefile | 3 ++-
 build/Dockerfile | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index bf7d1eb756..4b44b0e9de 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -7,7 +7,6 @@ builds:
 - id: kubernetes-ingress
 goos:
 - linux
- - darwin
 goarch:
 - amd64
 - arm64
diff --git a/Makefile b/Makefile
index 8a1c1fb42e..5a1b82a010 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,8 @@
 VER = $(shell grep IC_VERSION .github/data/version.txt | cut -d '=' -f 2)
 GIT_TAG = $(shell git describe --exact-match --tags || echo untagged)
 VERSION = $(VER)-SNAPSHOT
-NGINX_OSS_VERSION ?= 1.29
+# renovate: datasource=docker depName=nginx/nginx
+NGINX_OSS_VERSION ?= 1.29.1
 NGINX_PLUS_VERSION ?= R35
 NAP_WAF_VERSION ?= 35+5.527
 NAP_WAF_COMMON_VERSION ?= 11.559
diff --git a/build/Dockerfile b/build/Dockerfile
index e5ceb30425..448db0bf81 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:1.19
 ARG BUILD_OS=debian
-ARG NGINX_OSS_VERSION=1.29
+# renovate: datasource=docker depName=nginx/nginx
+ARG NGINX_OSS_VERSION=1.29.1
 ARG NGINX_PLUS_VERSION=R35
 ARG NAP_WAF_VERSION=35+5.527
 ARG NAP_WAF_COMMON_VERSION=11.559
From dbfd105940a6b7becbaef083d818e21cf7d811d8 Mon Sep 17 00:00:00 2001
From: Paul Abel
Date: Thu, 9 Oct 2025 09:26:07 +0100
Subject: [PATCH 7/7] Pass OSS variable to the debian docker target
---
 build/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/build/Dockerfile b/build/Dockerfile
index 448db0bf81..21714b1809 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
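Review bot: In the `Makefile` hunk of patch 6/7, and again in the `build/Dockerfile` hunk of the same patch, the new `# renovate:` annotation uses `depName=nginx/nginx`, whereas the Debian stage in `build/Dockerfile` is built `FROM nginx:1.29.1@sha256:…` (context of patch 7/7). Confirm that both names resolve to the same tag stream and that Renovate raises the `NGINX_OSS_VERSION` bump and the `FROM` bump in one PR, for example through a shared `groupName`; otherwise the variable and the base image can drift apart. Moving the value from `1.29` to `1.29.1` also narrows every place it is used as a prefix: `nginx-module-otel=${NGINX_OSS_VERSION}*` in `build/Dockerfile` now matches only 1.29.1 packages. The annotation only takes effect if a regex manager in `renovate.json` already matches this comment form, and none is added in this series, so that is worth verifying.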
@@ -107,6 +107,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk
 ############################################# Base image for Debian #############################################
 FROM nginx:1.29.1@sha256:8adbdcb969e2676478ee2c7ad333956f0c8e0e4c5a7463f4611d7a2e7a7ff5dc AS debian
+ARG NGINX_OSS_VERSION
 ARG NGINX_AGENT_VERSION
 RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
@@ -122,7 +123,9 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s
 http://packages.nginx.org/nginx-agent/debian `lsb_release -cs` agent" >> /etc/apt/sources.list.d/nginx.list \
 && printf "%s" "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" > /etc/apt/preferences.d/99nginx \
 && apt-get update \
- && apt-get install --no-install-recommends --no-install-suggests -y nginx-agent=${NGINX_AGENT_VERSION}* nginx-module-otel=${NGINX_OSS_VERSION}* \
+ && apt-get install --no-install-recommends --no-install-suggests -y \
+ nginx-agent=${NGINX_AGENT_VERSION}* \
+ nginx-module-otel=${NGINX_OSS_VERSION}* \
 && apt-get purge --auto-remove -y gpg \
 && rm -rf /var/lib/apt/lists/* /etc/apt/preferences.d/99nginx /etc/apt/sources.list.d/nginx.list \
 && agent.sh
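Review bot: In the first `build/Dockerfile` hunk of patch 7/7, the added `ARG NGINX_OSS_VERSION` carries no comment, and next to the default declared at the top of the file it reads as redundant. Suggest putting `# re-declare the global ARG: values defined before the first FROM are not visible inside a stage` above it. Any other stage that expands `${NGINX_OSS_VERSION}` needs the same re-declaration; those stages are outside this hunk.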
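Review bot: In the second `build/Dockerfile` hunk of patch 7/7, an empty `NGINX_OSS_VERSION` still expands `nginx-module-otel=${NGINX_OSS_VERSION}*` to `nginx-module-otel=*`, so apt installs whatever version the repository offers and the pin silently disappears. Making the expansion fail closed keeps the pin meaningful: `nginx-module-otel=${NGINX_OSS_VERSION:?}* \`, and likewise `nginx-agent=${NGINX_AGENT_VERSION:?}* \`. The `RUN` instruction begins above the hunk.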