nginx
diff --git a/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 15 additions & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 11 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/workflows/docker-build.yml‎
Lines changed: 78 additions & 0 deletions b/‎.github/workflows/docker-build.yml‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎.github/workflows/f5.cla.yml‎
Lines changed: 51 additions & 0 deletions b/‎.github/workflows/f5.cla.yml‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎.github/workflows/fossa.yml‎
Lines changed: 30 additions & 0 deletions b/‎.github/workflows/fossa.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/go-builder.yml‎
Lines changed: 0 additions & 41 deletions b/‎.github/workflows/go-builder.yml‎
Lines changed: 0 additions & 41 deletions
diff --git a/‎.github/workflows/release-builder.yml‎
Lines changed: 58 additions & 38 deletions b/‎.github/workflows/release-builder.yml‎
Lines changed: 58 additions & 38 deletions
@@ -0,0 +1,15 @@
+### Proposed changes
+
+Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to
+that issue here in this description (not in the title of the PR).
+
+### Checklist
+
+Before creating a PR, run through this checklist and mark each as complete.
+
+- [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/nginx-supportpkg-for-k8s/blob/main/CONTRIBUTING.md) guide
+- [ ] I have proven my fix is effective or that my feature works
+- [ ] I have checked that all unit tests pass after adding my changes
+- [ ] I have ensured the README is up to date
+- [ ] I have rebased my branch onto main
+- [ ] I will ensure my PR is targeting the main branch and pulling from my branch on my own fork
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
@@ -0,0 +1,78 @@
+name: Build and Push Docker Image For nginx-utils Container
+permissions:
+  contents: read
+  packages: write
+  actions: write
+on:
+  release:
+    types: [created]
+
+env:
+  RELEASE_VERSION: ${{ github.event.release.tag_name }}
+jobs:
+  run-on-release:
+    if: endsWith(github.event.release.tag_name, '-docker')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set Release Version
+        run: echo "RELEASE_VERSION=${RELEASE_VERSION%-docker}" >> $GITHUB_ENV     
+         
+      - name: Starting Release Build
+        run: echo "Starting Release Build for ${RELEASE_VERSION}"
+        
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: List repository files
+        run: ls -R .; pwd
+      - name: Set up Docker Buildx
+        uses: docker/[email protected]
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push Docker image
+        uses: docker/[email protected]
+        with:
+          context: .
+          file: nginx-utils/Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/nginx/nginx-utils:${{ env.RELEASE_VERSION }}
+            ghcr.io/nginx/nginx-utils:latest
+
+      - name: Install Trivy and scan image for vulnerabilities
+        uses: aquasecurity/[email protected]
+
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/nginx-utils:latest
+          format: json
+          output: vuln-report.json
+
+      - name: Upload Vulnerability Report
+        uses: actions/[email protected]
+        with:
+          name: vuln-report
+          path: vuln-report.json
+
+      - name: Update Release Notes with Docker Image Info
+        uses: softprops/[email protected]
+        with:
+          tag_name: ${{ github.event.release.tag_name }}
+          body: |
+            ## Docker Image
+            The Docker image for this release can be pulled using:
+
+            ```
+            docker pull ghcr.io/${{ github.repository_owner }}/nginx-utils:${{ github.event.release.tag_name }}
+            ```
+
+            Or use the `latest` tag:
+
+            ```
+            docker pull ghcr.io/${{ github.repository_owner }}/nginx-utils:latest
+            ```
@@ -0,0 +1,51 @@
+name: F5 CLA
+
+on:
+  issue_comment:
+    types:
+      - created
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+concurrency:
+  group: ${{ github.ref_name }}-cla
+
+permissions:
+  contents: read
+
+jobs:
+  f5-cla:
+    name: F5 CLA
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+      contents: read
+      pull-requests: write
+      statuses: write
+    steps:
+      - name: Run F5 Contributor License Agreement (CLA) assistant
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
+        with:
+          # Any pull request targeting the following branch will trigger a CLA check.
+          branch: "main"
+          # Path to the CLA document.
+          path-to-document: "https://github.com/f5/.github/blob/main/CLA/cla-markdown.md"
+          # Custom CLA messages.
+          custom-notsigned-prcomment: "🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:"
+          custom-pr-sign-comment: "I have hereby read the F5 CLA and agree to its terms"
+          custom-allsigned-prcomment: "✅ All required contributors have signed the F5 CLA for this PR. Thank you!"
+          # Remote repository storing CLA signatures.
+          remote-organization-name: "f5"
+          remote-repository-name: "f5-cla-data"
+          path-to-signatures: "signatures/beta/signatures.json"
+          # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
+          allowlist: bot*
+          # Do not lock PRs after a merge.
+          lock-pullrequest-aftermerge: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
@@ -0,0 +1,30 @@
+name: Fossa
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "**.md"
+      - "LICENSE"
+
+concurrency:
+  group: ${{ github.ref_name }}-fossa
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  scan:
+    name: Fossa
+    runs-on: ubuntu-22.04
+    if: ${{ github.event.repository.fork == false }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Scan
+        uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
+        with:
+          api-key: ${{ secrets.FOSSA_TOKEN }}
@@ -1,5 +1,8 @@
 name: Build and upload release artifact
 
+permissions:
+  contents: read
+
 on:
   release:
     types: [created]
@@ -9,44 +12,61 @@ env:
 
 jobs:
   build:
+    if: endsWith(github.event.release.tag_name, '-krew')
+    permissions:
+      contents: write
+
     runs-on: ubuntu-latest
 
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-
-    - name: Set Release Version
-      run: echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
-
-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: '1.22.4'
-
-    - name: Build
-      run: |
-        BUILD=$(git log --format='%H' -n 1)
-        VERSION=$RELEASE_VERSION
-        OSES="linux darwin windows"
-        ARCHS="amd64 arm64"
-        IFS=" "
-
-        for OS in $OSES; do
-        for ARCH in $ARCHS; do
-        echo "OS: ${OS} and ARCH: ${ARCH}"
-        CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -ldflags "-w -s -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Build=$BUILD\
-                                                   -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Version=$VERSION"\
-                                                   -o release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/kubectl-nginx_supportpkg
-        cp LICENSE release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/
-        tar czvf release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz -C release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/ .
-        done; done
-
-    - name: Upload release binaries
-      uses: alexellis/[email protected]
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
-      with:
-        asset_paths: '["./release/*.gz"]'
-
-    - name: Update new version in krew-index
-      uses: rajatjindal/[email protected]
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set Release Version
+        run: echo "RELEASE_VERSION=${RELEASE_VERSION%-krew}" >> $GITHUB_ENV
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: '1.24.3'
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+        with:
+          cosign-release: 'v2.4.0'
+
+      - name: Check cosign version
+        run: cosign version
+
+      - name: Build
+        run: |
+          set -e
+          BUILD=$(git log --format='%H' -n 1)
+          VERSION=$RELEASE_VERSION
+          OSES="linux darwin windows"
+          ARCHS="amd64 arm64"
+          IFS=" "
+          
+          for OS in $OSES; do
+          for ARCH in $ARCHS; do
+          echo "OS: ${OS} and ARCH: ${ARCH}"
+          CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -ldflags "-w -s -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Build=$BUILD\
+                                                     -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Version=$VERSION"\
+                                                     -o release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/kubectl-nginx_supportpkg
+          cp LICENSE release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/
+          tar czvf release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz -C release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/ .
+          sha256sum "release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz" >> "release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt"
+          done; done
+          cosign sign-blob "release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt" \
+                --output-signature="release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt.sig" \
+                --output-certificate="release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt.pem" -y
+
+      - name: Upload release binaries
+        uses: alexellis/upload-assets@13926a61cdb2cb35f5fdef1c06b8b591523236d3 # 0.4.1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          asset_paths: '["./release/*.gz", "./release/*.txt", "./release/*.sig", "./release/*.pem"]'
+
+      - name: Update new version in krew-index
+        uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47