chore: Update role to latest NGINX best practices

alessfg · alessfg · commit 98bcd33d24f5 · 2025-03-28T12:35:04.000+01:00
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,72 @@
+---
+name: 🐛 Bug report
+description: Create a report to help us improve
+labels: bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+
+        Before you continue filling out this report, please take a moment to check that your bug has not been [already reported on GitHub][issue search] 🙌
+
+        Remember to redact any sensitive information such as authentication credentials and/or license keys!
+
+        **Note:** If you are seeking community support or have a question, please consider starting a new thread via [GitHub discussions][discussions] or the [NGINX Community forum][forum].
+
+        [issue search]: ../search?q=is%3Aissue&type=issues
+
+        [discussions]: ../discussions
+        [forum]: https://community.nginx.org
+
+  - type: textarea
+    id: overview
+    attributes:
+      label: Bug Overview
+      description: A clear and concise overview of the bug.
+      placeholder: When I do "X" with the NGINX Ansible role, "Y" happens instead of "Z".
+    validations:
+      required: true
+
+  - type: textarea
+    id: behavior
+    attributes:
+      label: Expected Behavior
+      description: A clear and concise description of what you expected to happen.
+      placeholder: When I do "X" with the NGINX Ansible role, I expect "Z" to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce the Bug
+      description: Detail the series of steps required to reproduce the bug.
+      value: |
+        1. I have deployed/run the NGINX Ansible role using the following `playbook.yml`...
+        2. I have seen the following error(s) on my terminal/logs...
+    validations:
+      required: true
+
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment Details
+      description: Please provide details about your environment.
+      value: |
+        - Target deployment platforms: [e.g. AWS/GCP/local cluster/etc...]
+        - Target OSs: [e.g. RHEL 9/Ubuntu 24.04/etc...]
+        - Host OS (where you are running Ansible from): [e.g. RHEL 9/Ubuntu 24.04/etc...]
+        - Version of the NGINX Ansible role (or specific commit): [e.g. 0.25.0/commit hash]
+        - Version of Ansible: [e.g. 2.16.5]
+        - How is Ansible being managed: [e.g. CLI/pipeline/Automation Hub/etc...]
+        - Version of Jinja2 (if you are using any templating capability): [e.g. 3.1.1]
+    validations:
+      required: true
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional Context
+      description: Add any other context about the problem here.
+      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this issue in here.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,12 @@
+---
+blank_issues_enabled: false
+contact_links:
+  - name: 💬 Talk to the NGINX community!
+    url: https://community.nginx.org
+    about: A community forum for NGINX users, developers, and contributors
+  - name: 📝 Code of Conduct
+    url: https://www.contributor-covenant.org/version/2/1/code_of_conduct
+    about: NGINX follows the Contributor Covenant Code of Conduct to ensure a safe and inclusive community
+  - name: 💼 For commercial & enterprise users
+    url: https://www.f5.com/products/nginx
+    about: F5 offers a wide range of NGINX products for commercial & enterprise users
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,41 @@
+---
+name: ✨ Feature request
+description: Suggest an idea for this project
+labels: enhancement
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this feature request!
+
+        Before you continue filling out this request, please take a moment to check that your feature has not been [already requested on GitHub][issue search] 🙌
+
+        **Note:** If you are seeking community support or have a question, please consider starting a new thread via [GitHub discussions][discussions] or the [NGINX Community forum][forum].
+
+        [issue search]: ../search?q=is%3Aissue&type=issues
+
+        [discussions]: ../discussions
+        [forum]: https://community.nginx.org
+
+  - type: textarea
+    id: overview
+    attributes:
+      label: Feature Overview
+      description: A clear and concise description of what the feature request is.
+      placeholder: I would like the NGINX Ansible role to be able to do "X".
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Detail any potential alternative solutions/workarounds you've used or considered.
+      placeholder: I have done/might be able to do "X" in the NGINX Ansible role by doing "Y".
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional Context
+      description: Add any other context about the problem here.
+      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this feature request here.
diff --git a/.github/scorecard.yml b/.github/scorecard.yml
@@ -0,0 +1,10 @@
+---
+annotations:
+  - checks:
+      - contributors
+      - fuzzing
+      - packaging
+      - sast
+      - signed-releases
+    reasons:
+      - reason: not-applicable
diff --git a/.github/workflows/f5_cla.yml b/.github/workflows/f5_cla.yml
@@ -19,20 +19,21 @@ jobs:
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
         uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
         with:
-          # Any pull request targeting the following branch will trigger a CLA check.
-          branch: main
           # Path to the CLA document.
-          path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md
+          path-to-document: https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md
           # Custom CLA messages.
-          custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:'
+          custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the [F5 Contributor License Agreement (CLA)](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md) and reply on a new comment with the following text to agree:'
           custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
           custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
           # Remote repository storing CLA signatures.
           remote-organization-name: f5
           remote-repository-name: f5-cla-data
+          # Branch where CLA signatures are stored.
+          branch: main
           path-to-signatures: signatures/signatures.json
           # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
-          allowlist: alessfg, oxpa, bot*
+          # NOTE: You will want to edit the usernames to suit your project needs.
+          allowlist: bot*
           # Do not lock PRs after a merge.
           lock-pullrequest-aftermerge: false
         env:
diff --git a/.github/workflows/milestone_pr.yml b/.github/workflows/milestone_pr.yml
diff --git a/.github/workflows/ossf_scorecard.yml b/.github/workflows/ossf_scorecard.yml
@@ -4,11 +4,11 @@ name: OSSF Scorecard
 on:
   # For Branch-Protection check. Only the default branch is supported. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.
   branch_protection_rule:
-  push:
-    branches: [main]
   # To guarantee Maintained check is occasionally updated. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained.
   schedule:
     - cron: "0 0 * * 1"
+  push:
+    branches: [main]
   workflow_dispatch:
 # Declare default permissions as read only.
 permissions: read-all
@@ -17,16 +17,10 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-24.04
     permissions:
-      # Needed if using Code Scanning alerts
+      # Needed if using Code Scanning alerts.
       security-events: write
-      # Needed for GitHub OIDC token if publish_results is true
+      # Needed for GitHub OIDC token if publish_results is true.
       id-token: write
-      # Uncomment the permissions below if installing on a private repository.
-      # contents: read
-      # actions: read
-      # issues: read # To allow GraphQL ListCommits to work
-      # pull-requests: read # To allow GraphQL ListCommits to work
-      # checks: read # To detect SAST tools
     steps:
       - name: Check out the codebase
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -38,14 +32,7 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
-          #   - You want to enable the Branch-Protection check on a *public* repository.
-          #   - You are installing the OSSF Scorecard on a *private* repository.
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
           # Publish the results for public repositories to enable scorecard badges. For more details, see https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories, `publish_results` will automatically be set to `false`, regardless of the value entered here.
           publish_results: true
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF format to the repository Actions tab.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,10 @@ BUG FIXES:
 - Fix Ansible and Jinja versions validation tasks in ansible check mode.
 - Correctly use the `nginx_version` (if defined) for NGINX module versions.
 
+DOCUMENTATION:
+
+- Update community files and best practices/required workflows (CLA & OSSF scorecard) to the latest versions.
+
 ## 0.25.0 (Nov 28, 2024)
 
 BREAKING CHANGES:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -5,21 +5,15 @@ The following is a set of guidelines for contributing to the NGINX Ansible role.
 #### Table Of Contents
 
 [Getting Started](#getting-started)
-
 [Contributing](#contributing)
-
 [Code Guidelines](#code-guidelines)
-
-- [Git Guidelines](#git-guidelines)
-- [Ansible Guidelines](#ansible-guidelines)
-
 [Code of Conduct](/CODE_OF_CONDUCT.md)
 
 ## Getting Started
 
-Follow this project's [Installation Guide](/README.md#Installation) to install Ansible, Ansible Lint, and Molecule and get ready to develop and test the NGINX Ansible role.
+Follow the role's [installation guide](/README.md#Installation) to install Ansible, Ansible Lint, and Molecule and get ready to develop and test the NGINX Ansible role.
 
-### Project Structure
+### Project Overview & Structure
 
 - The NGINX Ansible role is written in [`yaml`](https://yaml.org) and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify.
 - The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html):
@@ -34,23 +28,23 @@ Follow this project's [Installation Guide](/README.md#Installation) to install A
 
 ### Report a Bug
 
-To report a bug, open an issue on GitHub with the label `bug` using the available bug report issue template. Please ensure the bug has not already been reported. **If the bug is a potential security vulnerability, please report it using our [security policy](/SECURITY.md).**
+To report a bug, open an issue on GitHub with the label `bug` using the available [bug report issue form](/.github/ISSUE_TEMPLATE/bug_report.yml). Please ensure the bug has not already been reported. **If the bug is a potential security vulnerability, please report it using our [security policy](/SECURITY.md).**
 
 ### Suggest a Feature or Enhancement
 
-To suggest a feature or enhancement, please create an issue on GitHub with the label `enhancement` using the available [feature request template](/.github/feature_request_template.md). Please ensure the feature or enhancement has not already been suggested.
+To suggest a feature or enhancement, please create an issue on GitHub with the label `enhancement` using the available [feature request issue form](/.github/ISSUE_TEMPLATE/feature_request.yml). Please ensure the feature or enhancement has not already been suggested.
 
 ### Open a Pull Request (PR)
 
 - Fork the repo, create a branch, implement your changes, add any relevant tests, and submit a PR when your changes are **tested** (using Molecule) and ready for review.
 - Fill in the [PR template](/.github/pull_request_template.md).
 
 > [!NOTE]
-> If you'd like to implement a new feature, please consider creating a [feature request issue](/.github/feature_request_template.md) first to start a discussion about the feature.
+> If you'd like to implement a new feature, please consider creating a [feature request issue](/.github/ISSUE_TEMPLATE/feature_request.yml) first to start a discussion about the feature.
 
 #### F5 Contributor License Agreement (CLA)
 
-F5 requires all external contributors to agree to the terms of the F5 CLA (available [here](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md)) before any of their changes can be incorporated into an F5 Open Source repository.
+F5 requires all contributors to agree to the terms of the F5 CLA (available [here](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md)) before any of their changes can be incorporated into an F5 Open Source repository (even contributions to the F5 CLA itself!).
 
 If you have not yet agreed to the F5 CLA terms and submit a PR to this repository, a bot will prompt you to view and agree to the F5 CLA. You will have to agree to the F5 CLA terms through a comment in the PR before any of your changes can be merged. Your agreement signature will be safely stored by F5 and no longer be required in future PRs.
 
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 [![Ansible Galaxy](https://img.shields.io/badge/galaxy-nginxinc.nginx-5bbdbf.svg)](https://galaxy.ansible.com/nginxinc/nginx)
-[![Molecule CI/CD](https://github.com/nginxinc/ansible-role-nginx/workflows/Molecule%20CI/CD/badge.svg)](https://github.com/nginxinc/ansible-role-nginx/actions/workflows/molecule.yml)
+[![Molecule CI/CD](https://github.com/nginxinc/ansible-role-nginx/actions/workflows/molecule.yml/badge.svg)](https://github.com/nginxinc/ansible-role-nginx/actions/workflows/molecule.yml)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/nginxinc/ansible-role-nginx/badge)](https://securityscorecards.dev/viewer/?uri=github.com/nginxinc/ansible-role-nginx)
 [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
 [![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](/SUPPORT.md)
diff --git a/SECURITY.md b/SECURITY.md
@@ -18,9 +18,9 @@ If you find a security vulnerability that directly affects Ansible, we encourage
 
 ### Codebase
 
-The F5 Security Incident Response Team (F5 SIRT) has an email alias that makes it easy to report potential security vulnerabilities:
+The F5 Security Incident Response Team (F5 SIRT) offers two methods to easily report potential security vulnerabilities:
 
-- If you’re an F5 customer with an active support contract, please contact [F5 Technical Support](https://www.f5.com/services/support).
-- If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities with any F5 product to the F5 Security Incident Response Team at <F5SIRT@f5.com>.
+- If you’re an F5 customer with an active support contract, please contact [F5 Technical Support](https://www.f5.com/support).
+- If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities in any F5 product to the F5 Security Incident Response Team at <f5sirt@f5.com>.
 
-For more information please read the F5 SIRT vulnerability reporting guidelines available at [https://www.f5.com/services/support/report-a-vulnerability](https://www.f5.com/services/support/report-a-vulnerability).
+For more information, please read the F5 SIRT vulnerability reporting guidelines available at [https://www.f5.com/support/report-a-vulnerability](https://www.f5.com/support/report-a-vulnerability).
diff --git a/SUPPORT.md b/SUPPORT.md
@@ -2,21 +2,17 @@
 
 ## Ask a Question
 
-We use GitHub for tracking bugs and feature requests related to this project.
+We use GitHub for tracking bugs and feature requests related to all NGINX Ansible roles.
 
-Don't know how something in this project works? Curious if this project can achieve your desired functionality? Please open an issue on GitHub with the label `question`.
+Don't know how something in this project works? Curious if this project can achieve your desired functionality? Please open an issue on GitHub with the label `question`. Alternatively, start a GitHub discussion!
 
 ## NGINX Specific Questions and/or Issues
 
 This isn't the right place to get support for NGINX specific questions, but the following resources are available below. Thanks for your understanding!
 
 ### Community Slack
 
-We have a community [Slack](https://nginxcommunity.slack.com/)!
-
-If you are not a member, click [here](https://community.nginx.org/joinslack) to sign up. (Let us know if the link does not seem to be working at <nginx-oss-community@f5.com>!)
-
-Once you join, check out the `#beginner-questions` and `nginx-users` channels :)
+We have a community [forum](https://community.nginx.org/)! If you have any questions and/or issues, try checking out the [`Troubleshooting`](https://community.nginx.org/c/troubleshooting/8) and [`How do I...?`](https://community.nginx.org/c/how-do-i/9) categories. Both fellow community members and NGINXers might be able to help you! :)
 
 ### Documentation
 
@@ -34,4 +30,4 @@ Please see the [contributing guide](/CONTRIBUTING.md) for guidelines on how to b
 
 ## Community Support
 
-This project does **not** offer commercial support. Community support is offered on a best effort basis through either GitHub issues/PRs/discussions or via any of our active communities.
+This project does **not** offer commercial support. Community support is offered on a best effort basis through either GitHub issues/PRs/discussions or through any of our active communities.
