fix(scripts): fix update-copyright in venv and remove unused repos

.github/labeler.yml

@@ -57,6 +57,10 @@ core/tracing:
 - kong/tracing/**/*
 - kong/pdk/tracing.lua
 
+core/wasm:
+- changed-files:
+  - any-glob-to-any-file: ['kong/runloop/wasm.lua', 'kong/runloop/wasm/**/*']
+
 chore:
 - .github/**/*
 - .devcontainer/**/*

.github/workflows/backport-fail-bot.yml

@@ -8,30 +8,44 @@ jobs:
   check_comment:
     runs-on: ubuntu-latest
     if: github.event.issue.pull_request != null && contains(github.event.comment.body, 'To backport manually, run these commands in your terminal')
+
     steps:
-      - name: Generate Slack Payload
-        id: generate-payload
-        uses: actions/github-script@v6
-        with:
-          script: |
-            const slack_mapping = JSON.parse(process.env.SLACK_MAPPING);
-            const pr_url = "${{ github.event.issue.pull_request.html_url}}";
-            const pr_author_github_id = "${{ github.event.issue.user.login }}"
-            const pr_author_slack_id = slack_mapping[pr_author_github_id];
-            const author = (pr_author_slack_id ? `<@${pr_author_slack_id}>` : pr_author_github_id);
-            const payload = {
-              text: `Backport failed in PR: ${pr_url}. Please check it ${author}.`,
-              channel: process.env.SLACK_CHANNEL,
-            };
-            return JSON.stringify(payload);
-          result-encoding: string
-        env:
-          SLACK_CHANNEL: gateway-notifications
-          SLACK_MAPPING: "${{ vars.GH_ID_2_SLACK_ID_MAPPING }}"
+    - name: Fetch mapping file
+      id: fetch_mapping
+      uses: actions/github-script@v6
+      env:
+        ACCESS_TOKEN: ${{ secrets.PAT }}
+      with:
+        script: |
+          const url = 'https://raw.githubusercontent.com/Kong/github-slack-mapping/main/mapping.json';
+          const headers = {Authorization: `token ${process.env.ACCESS_TOKEN}`};
+          const response = await fetch(url, {headers});
+          const mapping = await response.json();
+          return mapping;
+
+    - name: Generate Slack Payload
+      id: generate-payload
+      uses: actions/github-script@v6
+      env:
+        SLACK_CHANNEL: gateway-notifications
+        SLACK_MAPPING: "${{ steps.fetch_mapping.outputs.result }}"
+      with:
+        script: |
+          const pr_url = ${{ github.event.issue.pull_request.html_url }};
+          const slack_mapping = JSON.parse(process.env.SLACK_MAPPING);
+          const pr_author_github_id = ${{ github.event.issue.user.login }};
+          const pr_author_slack_id = slack_mapping[pr_author_github_id];
+          const author = pr_author_slack_id ? `<@${pr_author_slack_id}>` : pr_author_github_id;
+          const payload = {
+            text: `${pr_url} from ${author} failed to backport.`,
+            channel: process.env.SLACK_CHANNEL,
+          };
+          return JSON.stringify(payload);
+        result-encoding: string
 
-      - name: Send Slack Message
-        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
-        with:
-          payload: ${{ steps.generate-payload.outputs.result }}
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_GATEWAY_NOTIFICATIONS_WEBHOOK }}
+    - name: Send Slack Message
+      uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
+      with:
+        payload: ${{ steps.generate-payload.outputs.result }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_GATEWAY_NOTIFICATIONS_WEBHOOK }}

.github/workflows/backport.yml

@@ -1,24 +1,27 @@
 name: Backport
 on:
   pull_request_target:
-    types:
-      - closed
-      - labeled
-
+    types: [closed]
+permissions:
+  contents: write # so it can comment
+  pull-requests: write # so it can create pull requests
 jobs:
   backport:
     name: Backport
     runs-on: ubuntu-latest
-    if: >
-      github.event.pull_request.merged
-      && (
-        github.event.action == 'closed'
-        || (
-          github.event.action == 'labeled'
-          && contains(github.event.label.name, 'backport')
-        )
-      )
+    if: github.event.pull_request.merged
     steps:
-      - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2.0.4
+      - uses: actions/checkout@v4
+      - name: Create backport pull requests
+        uses: korthout/backport-action@cb79e4e5f46c7d7d653dd3d5fa8a9b0a945dfe4b # v2.1.0
         with:
           github_token: ${{ secrets.PAT }}
+          pull_title: '[backport -> ${target_branch}] ${pull_title}'
+          merge_commits: 'skip'
+          copy_labels_pattern: ^(?!backport ).* # copies all labels except those starting with "backport "
+          label_pattern: ^backport (release\/[^ ]+)$ # filters for labels starting with "backport " and extracts the branch name
+          pull_description: |-
+            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
+          copy_assignees: true
+          copy_milestone: true
+          copy_requested_reviewers: true

.github/workflows/changelog-requirement.yml

@@ -33,7 +33,7 @@ jobs:
 
       - name: Check changelog existence
         if: steps.changelog-list.outputs.changelogs_any_changed == 'false'
-        run: >
+        run: |
           echo "Changelog file expected but found none. If you believe this PR requires no changelog entry, label it with \"skip-changelog\"."
           echo "Refer to https://github.com/Kong/gateway-changelog for format guidelines."
           exit 1
@@ -56,7 +56,7 @@ jobs:
           exit 1
 
       - name: Fail when deprecated YAML keys are used
-        run: >
+        run: |
           for file in ${{ steps.changelog-list.outputs.changelogs_all_changed_files }}; do
             if grep -q "prs:" $file || grep -q "jiras:" $file; then
               echo "Please do not include \"prs\" or \"jiras\" keys in new changelogs, put the JIRA number inside commit message and PR description instead."

.github/workflows/release-and-tests-fail-bot.yml

@@ -15,25 +15,37 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.event != 'schedule' }}
     steps:
+    - name: Fetch mapping file
+      id: fetch_mapping
+      uses: actions/github-script@v6
+      env:
+        ACCESS_TOKEN: ${{ secrets.PAT }}
+      with:
+        script: |
+          const url = 'https://raw.githubusercontent.com/Kong/github-slack-mapping/main/mapping.json';
+          const headers = {Authorization: `token ${process.env.ACCESS_TOKEN}`};
+          const response = await fetch(url, {headers});
+          const mapping = await response.json();
+          return mapping;
+
     - name: Generate Slack Payload
       id: generate-payload
       env:
         SLACK_CHANNEL: gateway-notifications
-        SLACK_MAPPING: "${{ vars.GH_ID_2_SLACK_ID_MAPPING }}"
+        SLACK_MAPPING: "${{ steps.fetch_mapping.outputs.result }}"
       uses: actions/github-script@v6
       with:
         script: |
-          const slack_mapping = JSON.parse(process.env.SLACK_MAPPING);
-          const repo_name = "${{ github.event.workflow_run.repository.full_name }}";
-          const run_id = ${{ github.event.workflow_run.id }};
-          const run_url = `https://github.com/${repo_name}/actions/runs/${run_id}`;
           const workflow_name = "${{ github.event.workflow_run.name }}";
+          const repo_name = "${{ github.event.workflow_run.repository.full_name }}";
           const branch_name = "${{ github.event.workflow_run.head_branch }}";
+          const run_url = "${{ github.event.workflow_run.html_url }}";
+          const slack_mapping = JSON.parse(process.env.SLACK_MAPPING);
           const actor_github_id = "${{ github.event.workflow_run.actor.login }}";
           const actor_slack_id = slack_mapping[actor_github_id];
           const actor = actor_slack_id ? `<@${actor_slack_id}>` : actor_github_id;
           const payload = {
-            text: `Workflow “${workflow_name}” failed in repo: "${repo_name}", branch: "${branch_name}". Run URL: ${run_url}. Please check it ${actor} .`,
+            text: `Hello ${actor} , workflow “${workflow_name}” failed in repo: "${repo_name}", branch: "${branch_name}". Please check it: ${run_url}.`,
             channel: process.env.SLACK_CHANNEL,
           };
           return JSON.stringify(payload);

.github/workflows/release.yml

@@ -1,6 +1,9 @@
 name: Package & Release
 
 # The workflow to build and release official Kong packages and images.
+#
+# TODO:
+# Do not bump the version of actions/checkout to v4 before dropping rhel7 and amazonlinux2.
 
 on:  # yamllint disable-line rule:truthy
   pull_request:
@@ -12,8 +15,6 @@ on:  # yamllint disable-line rule:truthy
   schedule:
   - cron:  '0 0 * * *'
   push:
-    tags:
-    - '**'
     branches:
     - master
   workflow_dispatch:
@@ -54,9 +55,11 @@ jobs:
       deploy-environment: ${{ steps.build-info.outputs.deploy-environment }}
       matrix: ${{ steps.build-info.outputs.matrix }}
       arch: ${{ steps.build-info.outputs.arch }}
+      # use github.event.pull_request.head.sha instead of github.sha on a PR, as github.sha on PR is the merged commit (temporary commit)
+      commit-sha: ${{ github.event.pull_request.head.sha || github.sha }}
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - name: Build Info
       id: build-info
       run: |
@@ -173,7 +176,7 @@ jobs:
         apt install -y wget libz-dev libssl-dev libcurl4-gnutls-dev libexpat1-dev sudo
 
     - name: Checkout Kong source code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
 
     - name: Swap git with https
       run: git config --global url."https://github".insteadOf git://github
@@ -284,7 +287,7 @@ jobs:
         include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-packages'] }}"
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
 
     - name: Download artifact
       uses: actions/download-artifact@v3
@@ -316,7 +319,7 @@ jobs:
         include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}"
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
 
     - name: Download artifact
       uses: actions/download-artifact@v3
@@ -341,11 +344,13 @@ jobs:
     - name: Docker meta
       id: meta
       uses: docker/metadata-action@v5
+      env:
+        DOCKER_METADATA_PR_HEAD_SHA: true
       with:
         images: ${{ needs.metadata.outputs.prerelease-docker-repository }}
         tags: |
-          type=raw,${{ github.sha }}-${{ matrix.label }}
-          type=raw,enable=${{ matrix.label == 'ubuntu' }},${{ github.sha }}
+          type=raw,${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
+          type=raw,enable=${{ matrix.label == 'ubuntu' }},${{ needs.metadata.outputs.commit-sha }}
 
     - name: Set up QEMU
       if: matrix.docker-platforms != ''
@@ -389,6 +394,7 @@ jobs:
         build-args: |
           KONG_BASE_IMAGE=${{ matrix.base-image }}
           KONG_ARTIFACT_PATH=bazel-bin/pkg/
+          KONG_VERSION=${{ needs.metadata.outputs.kong-version }}
           RPM_PLATFORM=${{ steps.docker_rpm_platform_arg.outputs.rpm_platform }}
           EE_PORTS=8002 8445 8003 8446 8004 8447
 
@@ -399,7 +405,7 @@ jobs:
         token: ${{ secrets.GHA_COMMENT_TOKEN }}
         body: |
           ### Bazel Build
-          Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}`
+          Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}`
           Artifacts available https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
   verify-manifest-images:
@@ -428,7 +434,7 @@ jobs:
         # docker image verify requires sudo to set correct permissions, so we
         # also install deps for root
         sudo -E pip install -r requirements.txt
-        IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.sha }}-${{ matrix.label }}
+        IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
 
         sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image
 
@@ -450,7 +456,7 @@ jobs:
       matrix:
         include: "${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}"
     env:
-      IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}
+      IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
     steps:
     - name: Install regctl
       uses: regclient/actions/regctl-installer@main
@@ -489,16 +495,16 @@ jobs:
       if: steps.image_manifest_metadata.outputs.amd64_sha != ''
       uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1
       with:
-        asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-amd64
-        image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}
+        asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-amd64
+        image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
 
     - name: Scan ARM64 Image digest
       if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
       id: sbom_action_arm64
       uses: Kong/public-shared-actions/security-actions/scan-docker-image@v1
       with:
-        asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-arm64
-        image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}
+        asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-arm64
+        image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
 
   smoke-tests:
     name: Smoke Tests - ${{ matrix.label }}
@@ -551,7 +557,7 @@ jobs:
           --restart always \
           --network=host -d \
           --pull always \
-          ${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.sha }}-${{ matrix.label }} \
+          ${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} \
           sh -c "kong migrations bootstrap && kong start"
         sleep 3
         docker logs kong
@@ -696,7 +702,7 @@ jobs:
       env:
         TAGS: "${{ steps.meta.outputs.tags }}"
       run: |
-        PRERELEASE_IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.sha }}-${{ matrix.label }}
+        PRERELEASE_IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
         docker pull $PRERELEASE_IMAGE
         for tag in $TAGS; do
           regctl -v debug image copy $PRERELEASE_IMAGE $tag

.requirements

@@ -1,8 +1,8 @@
 KONG_PACKAGE_NAME=kong
 
-OPENRESTY=1.21.4.2
+OPENRESTY=1.21.4.3
 LUAROCKS=3.9.2
-OPENSSL=3.1.2
+OPENSSL=3.1.4
 PCRE=8.45
 LIBEXPAT=2.5.0
 
@@ -12,8 +12,8 @@ LUA_RESTY_EVENTS=8448a92cec36ac04ea522e78f6496ba03c9b1fd8 # 0.2.0
 LUA_RESTY_WEBSOCKET=60eafc3d7153bceb16e6327074e0afc3d94b1316 # 0.4.0
 ATC_ROUTER=b0d5e7e2a2ca59bb051959385d3e42d96c93bb98 # 1.2.0
 
-KONG_MANAGER=nightly
-NGX_WASM_MODULE=21732b18fc46f409962ae77ddf01c713b568d078 # prerelease-0.1.1
+KONG_MANAGER=v3.5.0.0
+NGX_WASM_MODULE=388d5720293f5091ccee1f859a42683fbfd14e7d # prerelease-0.2.0
 WASMER=3.1.1
-WASMTIME=12.0.2
+WASMTIME=14.0.3
 V8=10.5.18