nginx
diff --git a/‎.github/workflows/f5-cla.yml
Lines changed: 39 additions & 39 deletions b/‎.github/workflows/f5-cla.yml
Lines changed: 39 additions & 39 deletions
diff --git a/‎.github/workflows/ossf-scorecard.yml
Lines changed: 63 additions & 0 deletions b/‎.github/workflows/ossf-scorecard.yml
Lines changed: 63 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml
Lines changed: 19 additions & 19 deletions b/‎.github/workflows/release.yml
Lines changed: 19 additions & 19 deletions
diff --git a/‎CHANGELOG.md
Lines changed: 8 additions & 1 deletion b/‎CHANGELOG.md
Lines changed: 8 additions & 1 deletion
diff --git a/‎CONTRIBUTING.md
Lines changed: 1 addition & 1 deletion b/‎CONTRIBUTING.md
Lines changed: 1 addition & 1 deletion
@@ -1,40 +1,40 @@
 ---
-  name: F5 CLA
-  on:
-    issue_comment:
-      types: [created]
-    pull_request_target:
-      types: [opened, closed, synchronize]
-  permissions: read-all
-  jobs:
-    f5-cla:
-      name: F5 CLA
-      runs-on: ubuntu-24.04
-      permissions:
-        actions: write
-        pull-requests: write
-        statuses: write
-      steps:
-        - name: Run F5 Contributor License Agreement (CLA) assistant
-          if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
-          uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0
-          with:
-            # Any pull request targeting the following branch will trigger a CLA check.
-            branch: main
-            # Path to the CLA document.
-            path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md
-            # Custom CLA messages.
-            custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:'
-            custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
-            custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
-            # Remote repository storing CLA signatures.
-            remote-organization-name: f5
-            remote-repository-name: f5-cla-data
-            path-to-signatures: signatures/signatures.json
-            # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
-            allowlist: alessfg, oxpa, bot*
-            # Do not lock PRs after a merge.
-            lock-pullrequest-aftermerge: false
-          env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-            PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
+name: F5 CLA
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+permissions: read-all
+jobs:
+  f5-cla:
+    name: F5 CLA
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write
+      pull-requests: write
+      statuses: write
+    steps:
+      - name: Run F5 Contributor License Agreement (CLA) assistant
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0
+        with:
+          # Any pull request targeting the following branch will trigger a CLA check.
+          branch: main
+          # Path to the CLA document.
+          path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md
+          # Custom CLA messages.
+          custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:'
+          custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
+          custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
+          # Remote repository storing CLA signatures.
+          remote-organization-name: f5
+          remote-repository-name: f5-cla-data
+          path-to-signatures: signatures/signatures.json
+          # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
+          allowlist: alessfg, oxpa, bot*
+          # Do not lock PRs after a merge.
+          lock-pullrequest-aftermerge: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
@@ -0,0 +1,63 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
+name: OSSF Scorecard
+on:
+  # For Branch-Protection check. Only the default branch is supported. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
+  branch_protection_rule:
+  push:
+    branches: [main]
+  # To guarantee Maintained check is occasionally updated. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained.
+  schedule:
+    - cron: "0 0 * * 1"
+  workflow_dispatch:
+# Declare default permissions as read only.
+permissions: read-all
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-24.04
+    permissions:
+      # Needed if using Code Scanning alerts
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+      # Uncomment the permissions below if installing on a private repository.
+      # contents: read
+      # actions: read
+      # issues: read # To allow GraphQL ListCommits to work
+      # pull-requests: read # To allow GraphQL ListCommits to work
+      # checks: read # To detect SAST tools
+    steps:
+      - name: Check out the codebase
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
+          #   - You want to enable the Branch-Protection check on a *public* repository.
+          #   - You are installing the OSSF Scorecard on a *private* repository.
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF format to the repository Actions tab.
+      - name: Upload artifact
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: Upload SARIF results to code scanning
+        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+        with:
+          sarif_file: results.sarif
@@ -1,20 +1,20 @@
 ---
-  name: Release Drafter
-  on:
-    push:
-      branches: [main]
-    pull_request_target:
-      types: [opened, reopened, synchronize]
-  permissions: read-all
-  jobs:
-    release-draft:
-      name: Update release draft
-      runs-on: ubuntu-24.04
-      permissions:
-        contents: write
-        pull-requests: write
-      steps:
-        - name: Run release drafter
-          uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
-          env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+name: Release Drafter
+on:
+  push:
+    branches: [main]
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+permissions: read-all
+jobs:
+  release-draft:
+    name: Update release draft
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Run release drafter
+        uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -13,19 +13,26 @@ FEATURES:
 - Add support for installing NGINX Open Source on Alpine Linux 3.20.
 - Add support for installing NGINX Agent on Ubuntu noble.
 - Add validation tasks to check the Ansible version, the Jinja2 version, and whether the required Ansible collections for this role are installed.
+- Bump the minimum version of Ansible supported to `2.16`, whilst clarifying that Ansible `2.18` is not supported at this stage.
 - Bump the Ansible `community.general` collection to `9.2.0`, `community.crypto` collection to `2.21.1` and `community.docker` collection to `3.11.0`.
 
 DOCUMENTATION:
 
 - Update community docs per the latest [NGINX template repository](https://github.com/nginxinc/template-repository) guidelines.
 - Update and tweak the README. In order to make the installation instructions easier, some file names used by the various GitHub Actions workflows have been renamed.
 
+TESTS:
+
+- Update RHEL UBI images to UBI 8.10 and UBI 9.4.
+
 CI/CD:
 
 - Update GitHub Actions to Ubuntu 24.04.
 - Switch GitHub Actions from using tags to release hashes.
 - Remove commented out Molecule platforms and GitHub Actions QEMU step for the time being. These changes will be reverted if multi-arch testing can be reinstated in GitHub Actions.
+- Bump the minimum version of Ansible supported on Ansible Galaxy to `2.16`.
 - Remove platform metadata from the Ansible Galaxy role metadata since platforms are no longer supported in Ansible Galaxy NG.
+- Implement OSSF Scorecard.
 
 ## 0.24.3 (July 11, 2024)
 
@@ -58,7 +65,7 @@ CI/CD:
 - Add Molecule tests for NGINX Amplify.
 - Update the RHEL based tests to use the latest UBI release.
 - Use the local role name (`ansible-role-nginx`) instead of the fully qualified role name (`nginxinc.nginx`) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand.
-- Implement F5 CLA signatures.
+- Implement F5 CLA.
 - Hardcode version of Python requests module given its propensity to break the Docker Python SDK.
 
 ## 0.24.2 (October 3rd, 2023)
 
@@ -21,7 +21,7 @@ Follow this project's [Installation Guide](/README.md#Installation) to install A
 
 ### Project Structure
 
-- The NGINX Ansible role is written in `yaml` and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify.
+- The NGINX Ansible role is written in [`yaml`](https://yaml.org) and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify.
 - The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html):
   - The main "codebase" is found in the [`tasks/`](/tasks/) directory.
   - Variables can be found in [`defaults/main/`](/defaults/main/). The filenames in this directory highlight which variables are contained in each file.