Merge branch 'main' into update-docs

.ansible-lint

@@ -3,5 +3,4 @@ offline: true
 exclude_paths:
   - .github/
 skip_list:
-  - schema[meta]
   - yaml[line-length]

.github/workflows/f5-cla.yml

@@ -1,38 +1,39 @@
+---
 name: F5 CLA
 on:
   issue_comment:
     types: [created]
   pull_request_target:
     types: [opened, closed, synchronize]
-
-permissions:
-  actions: write
-  pull-requests: write
-  statuses: write
-
+permissions: read-all
 jobs:
   f5-cla:
-    runs-on: ubuntu-22.04
+    name: F5 CLA
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write
+      pull-requests: write
+      statuses: write
     steps:
-      - name: Run F5 CLA assistant
+      - name: Run F5 Contributor License Agreement (CLA) assistant
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
         uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0
         with:
-          # Any pull request targeting the following branch will trigger a CLA check
-          branch: 'main'
-          # Path to the CLA document
-          path-to-document: 'https://github.com/f5/.github/blob/main/CLA/cla-markdown.md'
-          # Custom CLA messages
-          custom-notsigned-prcomment: '🎉 Thank you for your contribution. It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and comment the following to agree:'
+          # Any pull request targeting the following branch will trigger a CLA check.
+          branch: main
+          # Path to the CLA document.
+          path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md
+          # Custom CLA messages.
+          custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:'
           custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
           custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
-          # Remote repository storing CLA signatures
-          remote-organization-name: 'f5'
-          remote-repository-name: 'f5-cla-data'
-          path-to-signatures: 'signatures/beta/signatures.json'
-          # Comma seperated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
+          # Remote repository storing CLA signatures.
+          remote-organization-name: f5
+          remote-repository-name: f5-cla-data
+          path-to-signatures: signatures/signatures.json
+          # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
           allowlist: alessfg, oxpa, bot*
-          # Do not lock PRs after a merge
+          # Do not lock PRs after a merge.
           lock-pullrequest-aftermerge: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/galaxy.yml

@@ -1,25 +1,25 @@
 ---
-name: Ansible Galaxy import
+name: Ansible Galaxy Role Import
 on:
   release:
-    types:
-      - published
+    types: [published]
   workflow_dispatch:
+permissions: read-all
 jobs:
-  galaxy:
-    name: Galaxy
-    runs-on: ubuntu-22.04
+  ansible-galaxy:
+    name: Import role to Ansible Galaxy
+    runs-on: ubuntu-24.04
     steps:
       - name: Check out the codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python 3
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: 3.x
 
-      - name: Install Ansible
+      - name: Install Ansible core
         run: pip3 install -r .github/workflows/requirements/requirements_galaxy.txt
 
-      - name: Import release to Ansible Galaxy
+      - name: Import role releases to Ansible Galaxy
         run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

.github/workflows/molecule.yml

@@ -2,41 +2,39 @@
 name: Molecule CI/CD
 on:
   pull_request:
-    branches:
-      - main
+    branches: [main]
   push:
-    branches:
-      - main
-    tags-ignore:
-      - "**"
+    branches: [main]
+    tags-ignore: ["**"]
   schedule:
     - cron: "0 0 1 * *"
   workflow_dispatch:
+permissions: read-all
 jobs:
   ansible-lint:
     name: Ansible Lint
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Check out the codebase
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python 3
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: 3.x
 
-      - name: Install Ansible Lint
+      - name: Install Ansible core and Ansible Lint
         run: pip3 install -r .github/workflows/requirements/requirements_ansible_lint.txt
 
-      - name: Install Ansible collection dependencies
+      - name: Install Ansible core collection dependencies
         run: ansible-galaxy install -r .github/workflows/requirements/requirements_ansible.yml
 
       - name: Run Ansible Lint
         run: ansible-lint --force-color
 
   molecule:
     name: Molecule
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       NGINX_CRT: ${{ secrets.NGINX_CRT }}
       NGINX_KEY: ${{ secrets.NGINX_KEY }}
@@ -57,15 +55,15 @@ jobs:
     steps:
       - name: Check out the codebase
         if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python 3
         if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: 3.x
 
-      - name: Install Molecule dependencies
+      - name: Install Ansible core and Molecule
         if: ${{ !(contains(matrix.scenario, 'plus')) || (env.NGINX_CRT != 0 && env.NGINX_KEY != 0) }}
         run: pip3 install -r .github/workflows/requirements/requirements_molecule.txt
 

.github/workflows/release.yml

@@ -0,0 +1,20 @@
+---
+name: Release Drafter
+on:
+  push:
+    branches: [main]
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+permissions: read-all
+jobs:
+  release-draft:
+    name: Update release draft
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Run release drafter
+        uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -6,15 +6,26 @@ BUG FIXES:
 
 - Fix incompatibility when using the `listen` directive and setting both the `quic` and `so_keepalive` parameters.
 
+TESTS:
+
+- Add Molecule tests covering common NGINX use cases (web server, reverse proxy), enabling the NGINX stub status metrics, and NGINX Plus API and live metrics dashboard.
+- Update the platforms used in the various Molecule scenarios.
+- Use the local role name (`ansible-role-nginx-config`) instead of the fully qualified role name (`nginxinc.nginx_config`) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand.
+
 DOCUMENTATION:
 
 - Update community docs per the latest [NGINX template repository](https://github.com/nginxinc/template-repository) guidelines.
 
 CI/CD:
 
-- Add Molecule tests covering common NGINX use cases (web server, reverse proxy), enabling the NGINX stub status metrics, and NGINX Plus API and live metrics dashboard.
-- Update the platforms used in the various Molecule scenarios.
-- Use the local role name (`ansible-role-nginx-config`) instead of the fully qualified role name (`nginxinc.nginx_config`) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand.
+- Bump the minimum version of Ansible supported on Ansible Galaxy to `2.16`.
+- Update GitHub Actions to Ubuntu 24.04.
+- Switch GitHub Actions from using tags to release hashes.
+- Remove platform metadata from the Ansible Galaxy role metadata since platforms are no longer supported in Ansible Galaxy NG.
+
+MAINTENANCE:
+
+- Remove CentOS 7 related artifacts, tests, and metadata since RHEL 7 related distributions are no longer tested nor supported.
 
 ## 0.7.1 (October 3rd, 2023)
 
@@ -29,7 +40,7 @@ BUG FIXES:
 CI/CD:
 
 - Uncomment the `ansible-compat` version from the CI/CD pipeline.
-- Implement F5 CLA signatures.
+- Implement F5 CLA.
 
 ## 0.7.0 (July 6, 2023)
 

README.md

@@ -16,7 +16,7 @@ This role configures NGINX Open Source and NGINX Plus on your target host.
 
 ### Ansible
 
-- This role is developed and tested with [maintained](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html) versions of Ansible core (above `2.12`).
+- This role is developed and tested with [maintained](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html) versions of Ansible core (above `2.16`).
 - When using Ansible core, you will also need to install the following collections:
 
     ```yaml

defaults/main/selinux.yml

@@ -1,5 +1,5 @@
 ---
-# Set SELinux enforcing for NGINX (Centos/Redhat only) - you may need to open ports on your own
+# Set SELinux enforcing for NGINX (Redhat only) - you may need to open ports on your own
 nginx_config_selinux: false
 
 # Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_config_selinux: true)

meta/main.yml

@@ -7,25 +7,7 @@ galaxy_info:
 
   license: Apache License, Version 2.0
 
-  min_ansible_version: '2.12'
-
-  platforms:
-    - name: Alpine
-      versions: [all]
-    - name: Amazon Linux
-      versions: ['2', '2023']
-    - name: Debian
-      versions: [bullseye, bookworm]
-    - name: EL
-      versions: ['7', '8', '9']
-    - name: FreeBSD
-      versions: ['12.1', '12.2', '12.3', '12.4', '13.0', '13.1', '13.2']
-    - name: OracleLinux
-      versions: ['7', '8', '9']
-    - name: Ubuntu
-      versions: [focal, jammy, kinetic, lunar]
-    - name: SLES
-      versions: ['12', '15']
+  min_ansible_version: '2.16'
 
   galaxy_tags:
     - nginx

molecule/common/Dockerfile.j2

@@ -25,8 +25,7 @@ RUN \
     && dnf clean all; \
   elif [ $(command -v yum) ]; then \
     yum makecache fast \
-    && yum install -y bash iproute initscripts sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \
-    && yum install -y http://mirror.centos.org/centos/7/os/x86_64/Packages/yum-plugin-copr-1.1.31-54.el7_8.noarch.rpm http://mirror.centos.org/centos/7/os/x86_64/Packages/libseccomp-2.3.1-4.el7.x86_64.rpm \
+    && yum install -y bash iproute initscripts sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-copr yum-plugin-ovl \
     && yum copr enable -y jsynacek/systemd-backports-for-centos-7 \
     && yum update --disableplugin=priorities -y systemd \
     && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \

molecule/common/requirements/oss_requirements.yml

@@ -1,4 +1,4 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.24.0
+    version: 0.24.3

molecule/common/requirements/plus_requirements.yml

@@ -1,6 +1,7 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.24.0
+    version: 0.24.3
   - name: nginxinc.nginx_app_protect
-    version: 0.9.0
+    src: https://github.com/nginxinc/ansible-role-nginx-app-protect
+    version: main