Update workflows

.github/dependabot.yml

@@ -1,21 +1,16 @@
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
       interval: weekly
-    reviewers:
-      - "nginxinc/kic"
-      - "ciarams87"
-  - package-ecosystem: "gomod"
-    directory: "/"
+
+  - package-ecosystem: gomod
+    directory: /
     schedule:
       interval: weekly
-    reviewers:
-      - "nginxinc/kic"
-  - package-ecosystem: "docker"
-    directory: "/build"
+
+  - package-ecosystem: docker
+    directory: /build
     schedule:
       interval: weekly
-    reviewers:
-      - "nginxinc/kic"

.github/workflows/ci.yml

@@ -13,6 +13,10 @@ on:
 env:
   DOCKER_PLATFORMS: "linux/arm,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x,linux/mips64le,linux/386"
 
+concurrency:
+  group: ${{ github.ref_name }}-ci
+  cancel-in-progress: true
+
 permissions:
   contents: read
 

.github/workflows/codeql-analysis.yml

@@ -20,7 +20,11 @@ on:
   schedule:
     - cron: "24 0 * * 0"
 
-permissions: # added using https://github.com/step-security/secure-workflows
+concurrency:
+  group: ${{ github.ref_name }}-codeql
+  cancel-in-progress: true
+
+permissions:
   contents: read
 
 jobs:

.github/workflows/dependabot-auto-merge.yml

@@ -1,16 +1,21 @@
 name: Dependabot auto-merge
 on: pull_request_target
+
 permissions:
-  pull-requests: write
-  contents: write
+  contents: read
+
 jobs:
   dependabot:
     runs-on: ubuntu-22.04
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    permissions:
+      pull-requests: write
+      contents: write
     steps:
       - name: Dependabot metadata
         id: dependabot-metadata
         uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
+
       - name: Enable auto-merge for Dependabot PRs
         run: gh pr merge --auto --squash "$PR_URL"
         env:

.github/workflows/dependency-review.yml

@@ -0,0 +1,28 @@
+name: "Dependency Review"
+on:
+  pull_request:
+    branches:
+      - main
+      - release-*
+
+concurrency:
+  group: ${{ github.ref_name }}-deps-review
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read # for actions/checkout
+      pull-requests: write # for actions/dependency-review-action to post comments
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
+        with:
+          config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"

.github/workflows/dockerhub-description.yml

@@ -6,6 +6,14 @@ on:
     paths:
       - README.md
       - .github/workflows/dockerhub-description.yml
+
+concurrency:
+  group: ${{ github.ref_name }}-dockerhub
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   dockerHubDescription:
     runs-on: ubuntu-22.04

.github/workflows/fossa.yml

@@ -5,20 +5,24 @@ on:
     branches:
       - main
     paths-ignore:
-      - '**.md'
-      - 'LICENSE'
+      - "**.md"
+      - "LICENSE"
 
-permissions:  # added using https://github.com/step-security/secure-workflows
+concurrency:
+  group: ${{ github.ref_name }}-fossa
+  cancel-in-progress: true
+
+permissions:
   contents: read
 
 jobs:
-
   scan:
     name: Fossa
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - name: Scan
         uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
         with:

.github/workflows/lint.yml

@@ -5,8 +5,8 @@ on:
     branches:
       - main
     paths-ignore:
-      - '**.md'
-      - 'LICENSE'
+      - "**.md"
+      - "LICENSE"
     types:
       - opened
       - reopened
@@ -16,23 +16,28 @@ defaults:
   run:
     shell: bash
 
-permissions:  # added using https://github.com/step-security/secure-workflows
+concurrency:
+  group: ${{ github.ref_name }}-lint
+  cancel-in-progress: true
+
+permissions:
   contents: read
 
 jobs:
-
   lint:
     permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: Lint
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - name: Output Variables
         id: vars
         run: echo "go_version=$(grep "go 1." go.mod | cut -d " " -f 2)" >> $GITHUB_OUTPUT
+
       - name: Setup Golang Environment
         uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:

.github/workflows/notifications.yml

@@ -11,10 +11,16 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   on-failure:
     runs-on: ubuntu-22.04
     if: ${{ github.event.workflow_run.conclusion == 'failure' }}
+    permissions:
+      contents: read
+      actions: read # for 8398a7/action-slack
     steps:
       - name: Data
         uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1

.github/workflows/stale.yml

@@ -1,29 +1,29 @@
-name: 'Close stale issues and PRs'
+name: "Close stale issues and PRs"
 on:
   schedule:
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *"
 
-permissions:  # added using https://github.com/step-security/secure-workflows
+permissions:
   contents: read
 
 jobs:
   stale:
     permissions:
-      issues: write  # for actions/stale to close stale issues
-      pull-requests: write  # for actions/stale to close stale PRs
+      issues: write # for actions/stale to close stale issues
+      pull-requests: write # for actions/stale to close stale PRs
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
-          stale-pr-message: 'This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
-          close-issue-message: 'This issue was closed because it has been stalled for 10 days with no activity.'
-          close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
-          stale-issue-label: 'stale'
-          stale-pr-label: 'stale'
+          stale-issue-message: "This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days."
+          stale-pr-message: "This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days."
+          close-issue-message: "This issue was closed because it has been stalled for 10 days with no activity."
+          close-pr-message: "This PR was closed because it has been stalled for 10 days with no activity."
+          stale-issue-label: "stale"
+          stale-pr-label: "stale"
           exempt-all-assignees: true
-          exempt-issue-labels: 'proposal'
+          exempt-issue-labels: "proposal"
           operations-per-run: 100
           days-before-stale: 90
           days-before-close: 10