nginx
diff --git a/‎.github/workflows/build-oss.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build-oss.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/build-plus.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build-plus.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/create-release-branch.yml‎
Lines changed: 69 additions & 0 deletions b/‎.github/workflows/create-release-branch.yml‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎.github/workflows/create-release-tag.yml‎
Lines changed: 56 additions & 0 deletions b/‎.github/workflows/create-release-tag.yml‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎.github/workflows/scorecards.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecards.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/version-bump.yml‎
Lines changed: 60 additions & 0 deletions b/‎.github/workflows/version-bump.yml‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎docs/content/installation/nic-images/pulling-ingress-controller-image.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/content/installation/nic-images/pulling-ingress-controller-image.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/content/tutorials/security-monitoring.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/content/tutorials/security-monitoring.md‎
Lines changed: 1 addition & 1 deletion
@@ -233,7 +233,7 @@ jobs:
           ignore-unfixed: "true"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         continue-on-error: true
         with:
           sarif_file: "trivy-results-${{ inputs.image }}.sarif"
 
@@ -264,7 +264,7 @@ jobs:
         if: ${{ inputs.publish-image }}
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         continue-on-error: true
         with:
           sarif_file: "trivy-results-${{ inputs.image }}.sarif"
 
@@ -48,7 +48,7 @@ jobs:
       docker_md5: ${{ steps.vars.outputs.docker_md5 }}
       build_tag: ${{ steps.vars.outputs.build_tag }}
       stable_tag: ${{ steps.vars.outputs.stable_tag }}
-      forked_workflow: ${{ (github.event.pull_request.head.repo.full_name != github.repository) && ! (startsWith(github.ref, 'refs/heads/release-') || github.ref_name == 'main') }}
+      forked_workflow: ${{ steps.vars.outputs.forked_workflow }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
@@ -87,6 +87,7 @@ jobs:
           source .github/data/version.txt
           echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT
           echo "chart_version=${HELM_CHART_VERSION}" >> $GITHUB_OUTPUT
+          echo "forked_workflow=${{ (github.event.pull_request.head.repo.full_name != github.github.event.pull_request.base.repo.full_name) || github.repository != 'nginxinc/kubernetes-ingress' }}" >> $GITHUB_OUTPUT
           publish=false
           if ${{ github.event_name == 'workflow_dispatch' && inputs.publish-image }}; then
             publish=true
@@ -138,7 +139,7 @@ jobs:
         run: make cover
         if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }}
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@c16abc29c95fcf9174b58eb7e1abf4c866893bc8 # v4.1.1
+        uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
         with:
           files: ./coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }} # required
 
@@ -44,7 +44,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -63,7 +63,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/autobuild@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -76,6 +76,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           category: "/language:${{matrix.language}}"
@@ -0,0 +1,69 @@
+name: "Create release branch"
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        required: true
+        type: string
+        default: '0.0'
+      source_branch:
+        required: false
+        type: string
+        default: 'main'
+      branch_prefix:
+        required: false
+        type: string
+        default: 'release-'
+      update:
+        type: boolean
+        default: false
+      dry_run:
+        type: boolean
+        default: false
+
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  create:
+    name: Create release branch
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout NIC repo
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ inputs.source_branch }}
+
+      - name: Create new release branch
+        run: |
+          branch="${{ inputs.branch_prefix }}${{ inputs.release_version }}"
+          if git rev-parse --verify remotes/origin/${branch}; then
+            git checkout ${branch}
+            git pull
+            if ${{ inputs.update }}; then
+              echo "Updating from ${{ inputs.source_branch }}."
+              git merge -Xtheirs ${{ inputs.source_branch }} -m "chore: Merge branch ${{ inputs.source_branch }} into ${branch}"
+            else
+              echo "UPDATE not requested.  Not making any changes"
+            fi
+          else
+            git checkout -b ${branch}
+          fi
+
+          echo "Pushing to branch $branch"
+          if ! ${{ inputs.dry_run }}; then
+              git push origin "${branch}"
+          else
+              echo "DRY RUN not making any changes"
+              git push --dry-run origin "${branch}"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
@@ -0,0 +1,56 @@
+name: "Create Tag on release branch"
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_branch:
+        required: true
+        type: string
+        default: 'release-0.0'
+      tag:
+        required: false
+        type: string
+        default: 'vx.x.x'
+      dry_run:
+        type: boolean
+        default: false
+
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  create:
+    name: Create Tag on release branch in NIC repo
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout NIC repo
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ inputs.release_branch }}
+
+      - name: Create new release Tag
+        run: |
+          branch="${{ inputs.release_branch }}"
+          tag="${{ inputs.tag }}"
+          if git rev-parse --verify refs/tags/${tag}; then
+            echo "Adding tag ${tag}."
+            git tag -a ${tag} -m "Version ${tag#v*}"
+            echo "Pushing to tag ${tag} to branch ${branch}"
+            if ! ${{ inputs.dry_run }}; then
+                git push origin "${tag}"
+            else
+                echo "DRY RUN not making any changes"
+                git push --dry-run origin "${tag}"
+            fi
+          else
+            echo "Warning: Tag ${tag} already exists.  Not making any changes"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           sarif_file: results.sarif
@@ -0,0 +1,60 @@
+name: "Bump the IC & Helm chart version"
+
+on:
+  workflow_dispatch:
+    inputs:
+      source_branch:
+        required: true
+        type: string
+        default: 'main'
+      ic_version:
+        required: true
+        type: string
+        default: '0.0.0'
+      helm_chart_version:
+        required: true
+        type: string
+        default: '0.0.0'
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  version-bump:
+    permissions:
+      contents: write
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ inputs.source_branch }}
+
+      - name: Replace Versions
+        run: |
+          yq -i e '.version = env(CHART_VERSION) | .appVersion = env(IC_VERSION)' kubernetes-ingress/charts/nginx-ingress/Chart.yaml
+          cat kubernetes-ingress/charts/nginx-ingress/Chart.yaml
+          cat > kubernetes-ingress/.github/data/version.txt << EOF
+          IC_VERSION=${IC_VERSION}
+          HELM_CHART_VERSION=${CHART_VERSION}
+          EOF
+          cat kubernetes-ingress/.github/data/version.txt
+        env:
+          IC_VERSION: ${{ inputs.ic_version }}
+          CHART_VERSION: ${{ inputs.helm_chart_version }}
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2
+        with:
+          token: ${{ secrets.NGINX_PAT }}
+          commit-message: Version Bump for ${{ github.event.inputs.ic_version }}
+          title: Version Bump for ${{ github.event.inputs.ic_version }}
+          branch: chore/version-bump-${{ github.event.inputs.ic_version }}
+          author: nginx-bot <integrations@nginx.com>
+          labels: chore
+          body: |
+            This automated PR updates the NIC & Helm chart versions for the upcoming ${{ github.event.inputs.ic_version }} release.
@@ -60,6 +60,12 @@ To pull an image, follow these steps. Replace `<version-tag>` with the specific
    docker pull private-registry.nginx.com/nginx-ic-dos/nginx-plus-ingress:<version-tag>
    ```
 
+- For NGINX Plus Ingress Controller with NGINX App Protect WAF and DoS, run:
+
+   ```shell
+   docker pull private-registry.nginx.com/nginx-ic-nap-dos/nginx-plus-ingress:<version-tag>
+   ```
+
 You can use the Docker registry API to list the available image tags by running the following commands. Replace `<path-to-client.key>` with the location of your client key and `<path-to-client.cert>` with the location of your client certificate. The `jq` command is used to format the JSON output for easier reading.
 
 ```json
 
@@ -14,7 +14,7 @@ This guide assumes that you have an installation of NGINX Instance Manager with
 
 If you use custom container images, NGINX Agent must be installed along with NGINX App Protect WAF. See the [Dockerfile](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.0/build/Dockerfile) for examples of how to install NGINX Agent or the [NGINX Agent installation documentation](https://docs.nginx.com/nginx-agent/installation-upgrade/) for more information.
 
-## Deploying NGINX Ingress Controller with GlobalConfiguration resource
+## Deploying NGINX Ingress Controller with NGINX Agent configuration
 
 {{<tabs name="deploy-config-resource">}}