Merge branch 'main' into chore/linters

.github/CHANGELOG_TEMPLATE.md

@@ -29,7 +29,7 @@ KNOWN ISSUES:
 
 COMPATIBILITY:
 
-- The Gateway API version: ``
+- Gateway API version: ``
 - NGINX version: ``
 - NGINX Plus version: ``
 - Kubernetes version: ``

.github/workflows/build.yml

@@ -82,7 +82,7 @@ jobs:
 
       - name: Authenticate to Google Cloud
         id: auth
-        uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+        uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
         with:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY }}
@@ -162,23 +162,23 @@ jobs:
 
       - name: Scan SBOM
         id: scan
-        uses: anchore/scan-action@bc9adf64917dd9444d6cf4dd68620c34ca3a5f69 # v4.1.1
+        uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2
         with:
           sbom: "sbom-${{ inputs.image }}.json"
           only-fixed: true
           add-cpes-if-none: true
           fail-build: false
 
       - name: Upload scan result to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         continue-on-error: true
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
           category: build-${{ inputs.image }}
         if: always()
 
       - name: Upload Scan Results
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         continue-on-error: true
         with:
           name: scan-results-${{ inputs.image }}

.github/workflows/ci.yml

@@ -58,9 +58,10 @@ jobs:
       - name: Output Variables
         id: vars
         run: |
+          K8S_KIND_VERSION=v1.31.0 # renovate: datasource=docker depName=kindest/node
           echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT
           echo "min_k8s_version=v1.25.16" >> $GITHUB_OUTPUT
-          echo "k8s_latest=$(grep -m1 'FROM kindest/node' <tests/Dockerfile | awk -F'[:]' '{print $2}')" >> $GITHUB_OUTPUT
+          echo "k8s_latest=${K8S_KIND_VERSION}" >> $GITHUB_OUTPUT
 
       - name: Check if go.mod and go.sum are up to date
         run: go mod tidy && git diff --exit-code -- go.mod go.sum
@@ -97,7 +98,7 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
 
       - name: Upload Coverage Report
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: cover-${{ github.run_id }}.html
           path: ${{ github.workspace }}/cover.html
@@ -159,7 +160,7 @@ jobs:
         if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }}
 
       - name: Download Syft
-        uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1
+        uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
         if: github.ref_type == 'tag'
 
       - name: Install Cosign
@@ -169,7 +170,7 @@ jobs:
       - name: Build binary
         uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
-          version: latest
+          version: v2.2.0 # renovate: datasource=github-tags depName=goreleaser/goreleaser
           args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -52,7 +52,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -64,6 +64,6 @@ jobs:
           # queries: security-extended,security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/conformance.yml

@@ -82,7 +82,7 @@ jobs:
       - name: Build binary
         uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
-          version: latest
+          version: v2.2.0 # renovate: datasource=github-tags depName=goreleaser/goreleaser
           args: build --single-target --snapshot --clean
         env:
           TELEMETRY_ENDPOINT: "" # disables sending telemetry
@@ -155,7 +155,7 @@ jobs:
         working-directory: ./tests
 
       - name: Upload profile to release
-        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        if: ${{ startsWith(github.ref, 'refs/tags/') && inputs.enable-experimental == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: gh release upload ${{ github.ref_name }} conformance-profile.yaml --clobber

.github/workflows/docs-build-push.yml

@@ -41,7 +41,7 @@ jobs:
   call-docs-build-push:
     needs: [vars]
     if: ${{ github.event.repository.fork == false && needs.vars.outputs.azure_creds == 'true' }}
-    uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@03a9a3808fcb77cd0c19d7fa5d59b25565dd1d6d # v1.0.2
+    uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@a733e84a262f8d5d885bfc8eac80bc85928da322 # v1.0.3
     permissions:
       pull-requests: write # needed to write preview url comment to PR
       contents: read

.github/workflows/functional.yml

@@ -69,7 +69,7 @@ jobs:
       - name: Build binary
         uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
-          version: latest
+          version: v2.2.0 # renovate: datasource=github-tags depName=goreleaser/goreleaser
           args: build --single-target --snapshot --clean
         env:
           TELEMETRY_ENDPOINT: otel-collector-opentelemetry-collector.collector.svc.cluster.local:4317
@@ -102,11 +102,11 @@ jobs:
 
       - name: Install cloud-provider-kind
         run: |
-          curl -fsSL -O https://github.com/kubernetes-sigs/cloud-provider-kind/releases/download/v0.3.0/cloud-provider-kind_0.3.0_linux_amd64.tar.gz
-          tar -xvf cloud-provider-kind_0.3.0_linux_amd64.tar.gz
+          CLOUD_PROVIDER_KIND_VERSION=v0.3.0 # renovate: datasource=github-tags depName=kubernetes-sigs/cloud-provider-kind
+          go install sigs.k8s.io/cloud-provider-kind@${CLOUD_PROVIDER_KIND_VERSION}
 
       - name: Run cloud-provider-kind
-        run: ./cloud-provider-kind & > cloud-provider-kind.log 2>&1
+        run: $(go env GOPATH)/bin/cloud-provider-kind & > cloud-provider-kind.log 2>&1
 
       - name: Deploy Kubernetes
         id: k8s

.github/workflows/helm.yml

@@ -86,11 +86,11 @@ jobs:
 
       - name: Install cloud-provider-kind
         run: |
-          curl -fsSL -O https://github.com/kubernetes-sigs/cloud-provider-kind/releases/download/v0.3.0/cloud-provider-kind_0.3.0_linux_amd64.tar.gz
-          tar -xvf cloud-provider-kind_0.3.0_linux_amd64.tar.gz
+          CLOUD_PROVIDER_KIND_VERSION=v0.3.0 # renovate: datasource=github-tags depName=kubernetes-sigs/cloud-provider-kind
+          go install sigs.k8s.io/cloud-provider-kind@${CLOUD_PROVIDER_KIND_VERSION}
 
       - name: Run cloud-provider-kind
-        run: ./cloud-provider-kind & > cloud-provider-kind.log 2>&1
+        run: $(go env GOPATH)/bin/cloud-provider-kind & > cloud-provider-kind.log 2>&1
 
       - name: Deploy Kubernetes
         id: k8s
@@ -100,7 +100,7 @@ jobs:
           kubectl kustomize config/crd/gateway-api/standard | kubectl apply -f -
 
       - name: Set up Python
-        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: "3.x"
           check-latest: true
@@ -130,11 +130,11 @@ jobs:
 
       - name: Install cloud-provider-kind
         run: |
-          curl -fsSL -O https://github.com/kubernetes-sigs/cloud-provider-kind/releases/download/v0.3.0/cloud-provider-kind_0.3.0_linux_amd64.tar.gz
-          tar -xvf cloud-provider-kind_0.3.0_linux_amd64.tar.gz
+          CLOUD_PROVIDER_KIND_VERSION=v0.3.0 # renovate: datasource=github-tags depName=kubernetes-sigs/cloud-provider-kind
+          go install sigs.k8s.io/cloud-provider-kind@${CLOUD_PROVIDER_KIND_VERSION}
 
       - name: Run cloud-provider-kind
-        run: ./cloud-provider-kind & > cloud-provider-kind.log 2>&1
+        run: $(go env GOPATH)/bin/cloud-provider-kind & > cloud-provider-kind.log 2>&1
 
       - name: Deploy Kubernetes
         id: k8s
@@ -149,7 +149,7 @@ jobs:
           kubectl create secret docker-registry nginx-plus-registry-secret --docker-server=private-registry.nginx.com --docker-username=${{ secrets.JWT_PLUS_REGISTRY }} --docker-password=none -n nginx-gateway
 
       - name: Set up Python
-        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: "3.x"
           check-latest: true

.github/workflows/labeler.yml

@@ -12,7 +12,15 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-22.04
     steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          sparse-checkout: |
+            labeler.yml
+          sparse-checkout-cone-mode: false
+          repository: nginxinc/k8s-common
+
       - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           sync-labels: true
+          configuration-path: labeler.yml

.github/workflows/lint.yml

@@ -40,6 +40,7 @@ jobs:
         uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
         with:
           working-directory: ${{ matrix.directory }}
+          version: v1.60.3 # renovate: datasource=github-tags depName=golangci/golangci-lint
 
   njs-lint:
     name: NJS Lint
@@ -48,11 +49,6 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - name: Get Prettier version
-        id: prettier-version
-        run: |
-          echo "version=$(jq -r .devDependencies.prettier ${{ github.workspace }}/internal/mode/static/nginx/modules/package.json)" >> $GITHUB_OUTPUT
-
       - name: Setup Node.js Environment
         uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
@@ -64,7 +60,7 @@ jobs:
         with:
           config_path: ${{ github.workspace }}/internal/mode/static/nginx/modules/.prettierrc
           file_pattern: ${{ github.workspace }}/internal/mode/static/nginx/modules/**/*.js
-          prettier_version: ${{ steps.prettier-version.outputs.version }}
+          prettier_version: 3.3.3 # renovate: datasource=npm depName=prettier
 
       - name: Prettier Output
         if: failure()
@@ -110,13 +106,15 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Python
-        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: "3.x"
           check-latest: true
 
       - name: Set up chart-testing
         uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+        with:
+          version: 3.11.0 # renovate: datasource=github-tags depName=helm/chart-testing
 
       - name: Run chart-testing
         run: ct lint --print-config --config .ct.yaml

.github/workflows/nfr.yml

@@ -4,11 +4,11 @@ on:
   workflow_dispatch:
     inputs:
       test_label:
-        description: NFR test to run. Choose between performance, upgrade, scale, or all
+        description: NFR test to run. Choose between a specific test or all tests
         required: true
         default: all
         type: choice
-        options: [performance, upgrade, scale, all]
+        options: [performance, upgrade, scale, zero-downtime-scale, reconfiguration, all]
       version:
         description: Version of NGF under test
         required: true
@@ -75,7 +75,7 @@ jobs:
 
       - name: Authenticate to Google Cloud
         id: auth
-        uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4
+        uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
         with:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY }}
@@ -129,7 +129,7 @@ jobs:
           fi
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: results-${{ matrix.type }}
           path: tests/results/**/*-${{ matrix.type }}.*
@@ -160,7 +160,7 @@ jobs:
           merge-multiple: true
 
       - name: Open a PR with the results
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+        uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0
         with:
           token: ${{ secrets.NGINX_PAT }}
           commit-message: NFR Test Results for NGF version ${{ needs.vars.outputs.version }}

.github/workflows/release-pr.yml

@@ -89,7 +89,7 @@ jobs:
           make generate-all
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+        uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0
         with:
           token: ${{ secrets.NGINX_PAT }}
           commit-message: Release ${{ inputs.version }}

.github/workflows/scorecards.yml

@@ -52,14 +52,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           sarif_file: results.sarif