ci: address OSS scorecard warnings

* remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around
* remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot
* hopefully remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json`

.github/dependabot.yml

@@ -1,6 +1,12 @@
 ---
 version: 2
 updates:
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "00:00"
   - package-ecosystem: github-actions
     directory: /
     schedule:

.github/workflows/f5-cla.yml

@@ -1,18 +1,19 @@
+---
 name: F5 CLA
 on:
   issue_comment:
     types: [created]
   pull_request_target:
     types: [opened, closed, synchronize]
-
-permissions:
-  actions: write
-  pull-requests: write
-  statuses: write
-
+permissions: read-all
 jobs:
   f5-cla:
+    name: F5 CLA
     runs-on: ubuntu-22.04
+    permissions:
+      actions: write
+      pull-requests: write
+      statuses: write
     steps:
       - name: Run F5 Contributor License Agreement (CLA) assistant
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
@@ -31,7 +32,7 @@ jobs:
           remote-repository-name: 'f5-cla-data'
           path-to-signatures: 'signatures/beta/signatures.json'
           # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
-          allowlist: 4141done, dekobon, bot*
+          allowlist: 4141done, alessfg, dekobon, bot*
           # Do not lock PRs after a merge.
           lock-pullrequest-aftermerge: false
         env:

.github/workflows/main.yml

@@ -1,5 +1,5 @@
 ---
-name: CI
+name: NGINX S3 Gateway CI/CD
 on:
   push:
     branches: [main]

Dockerfile.buildkit.plus

@@ -1,4 +1,4 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:155280b00ee0133250f7159b567a07d7cd03b1645714c3a7458b2287b0ca83cb
 
 ENV NGINX_PLUS_VERSION   30-2
 ENV NGINX_VERSION        1.25.1

Dockerfile.latest-njs

@@ -1,7 +1,7 @@
 # This container image removes the existing njs package from the inherited image
 # (which could be OSS NGINX or NGINX Plus), builds njs from the latest
 # source, and installs it.
-FROM nginx-s3-gateway
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 
 RUN set -eux \
     export DEBIAN_FRONTEND=noninteractive;  \

Dockerfile.oss

@@ -1,7 +1,8 @@
-FROM nginx:1.25.3
+FROM nginx:1.25.5@sha256:711cc227e3c4181ab27cde13cf662f6dd1d06d16b3344f871c6d04cbff22f6f8
 
-ENV NGINX_VERSION "1.25.3"
-ENV NJS_VERSION   "0.8.2"
+ENV NGINX_VERSION   1.25.5
+ENV NJS_VERSION     0.8.4
+ENV NJS_RELEASE     3~bookworm
 
 ENV PROXY_CACHE_MAX_SIZE "10g"
 ENV PROXY_CACHE_INACTIVE "60m"
@@ -32,12 +33,12 @@ RUN set -eux \
     mkdir -p /var/cache/nginx/s3_proxy; \
     chown nginx:nginx /var/cache/nginx/s3_proxy; \
     chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; \
-    echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
+    echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
     apt-get update; \
     apt-get install --no-install-recommends --no-install-suggests --yes \
       curl \
       libedit2 \
-      nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE}; \
+      nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE}; \
     apt-get remove --purge --auto-remove --yes; \
     rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 

Dockerfile.plus

@@ -1,10 +1,10 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:155280b00ee0133250f7159b567a07d7cd03b1645714c3a7458b2287b0ca83cb
 
 ENV NGINX_PLUS_VERSION   30-2
 ENV NGINX_VERSION        1.25.1
 ENV NJS_VERSION          30+0.8.0-1
 ENV XSLT_VERSION         30-1
- 
+
 ENV PROXY_CACHE_MAX_SIZE "10g"
 ENV PROXY_CACHE_INACTIVE "60m"
 ENV PROXY_CACHE_SLICE_SIZE "1m"

Dockerfile.unprivileged

@@ -3,7 +3,7 @@
 # to allow running NGINX S3 Gateway as a non root user.
 # Steps are based on the official unprivileged container:
 # https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/Dockerfile-debian.template
-FROM nginx-s3-gateway
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 
 # Implement changes required to run NGINX as an unprivileged user
 RUN sed -i "/^server {/a \    listen       8080;" /etc/nginx/templates/default.conf.template \

examples/brotli-compression/Dockerfile.oss

@@ -1,4 +1,4 @@
-FROM nginxinc/nginx-s3-gateway
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 
 ENV BROTLI_VERSION "v1.0.0rc"
 

examples/gzip-compression/Dockerfile.oss

@@ -1,3 +1,3 @@
-FROM nginxinc/nginx-s3-gateway
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 
 COPY etc/nginx/conf.d /etc/nginx/conf.d

examples/modsecurity/Dockerfile.oss

@@ -1,4 +1,4 @@
-FROM nginxinc/nginx-s3-gateway
+FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
 
 ENV MODSECURITY_VERSION "v1.0.1"
 ENV OWASP_RULESET_VERSION "v3.3.0"