Avoid deleting unmanaged files

.github/workflows/ci.yml

@@ -293,7 +293,7 @@ jobs:
           name: nginx-agent-unsigned-snapshots
           path: build
       - name: Login to Docker Registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ secrets.TEST_REGISTRY_URL }}
           username: ${{ secrets.REGISTRY_USERNAME }}
@@ -414,7 +414,7 @@ jobs:
           name: nginx-agent-unsigned-snapshots
           path: build
       - name: Login to Docker Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ secrets.TEST_REGISTRY_URL }}
           username: ${{ secrets.REGISTRY_USERNAME }}

.github/workflows/dependency-review.yml

@@ -25,6 +25,6 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
+        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
         with:
           config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"

.github/workflows/release-branch.yml

@@ -100,7 +100,7 @@ jobs:
 
       - name: Create Draft Release
         if: ${{ needs.vars.outputs.github_release == 'true' }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: release
         env:
           version: ${{ inputs.packageVersion }}
@@ -270,7 +270,7 @@ jobs:
 
       - name: Get Id Token
         if: ${{ inputs.publishPackages == true }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: idtoken
         with:
           script: |
@@ -299,7 +299,7 @@ jobs:
           ref: ${{ inputs.releaseBranch }}
 
       - name: Create Pull Request
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const { repo, owner } = context.repo;

.github/workflows/scorecards.yml

@@ -55,6 +55,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
         with:
           sarif_file: results.sarif

internal/file/file_manager_service.go

@@ -162,6 +162,7 @@ func (fms *FileManagerService) ConfigApply(ctx context.Context,
 		return model.Error, errors.New("fileOverview is nil")
 	}
 
+	// check if any file in request is outside the allowed directories
 	allowedErr := fms.checkAllowedDirectory(fileOverview.GetFiles())
 	if allowedErr != nil {
 		return model.Error, allowedErr
@@ -355,18 +356,28 @@ func (fms *FileManagerService) DetermineFileActions(
 	// if file is in manifestFiles but not in modified files, file has been deleted
 	// copy contents, set file action
 	for fileName, manifestFile := range filesMap {
-		_, exists := modifiedFiles[fileName]
+		_, existsInReq := modifiedFiles[fileName]
 
+		// allowed directories may have been updated since manifest file was written
+		// if file is outside allowed directories skip deletion and return error
 		if !fms.agentConfig.IsDirectoryAllowed(fileName) {
 			return nil, fmt.Errorf("error deleting file %s: file not in allowed directories", fileName)
 		}
 
+		// if file is unmanaged skip deletion
+		if manifestFile.GetUnmanaged() {
+			slog.DebugContext(ctx, "Skipping unmanaged file deletion", "file_name", fileName)
+			continue
+		}
+
+		// if file doesn't exist on disk skip deletion
 		if _, err := os.Stat(fileName); os.IsNotExist(err) {
 			slog.DebugContext(ctx, "File already deleted, skipping", "file", fileName)
 			continue
 		}
 
-		if !exists {
+		// go ahead and delete the file
+		if !existsInReq {
 			fileDiff[fileName] = &model.FileCache{
 				File:   manifestFile,
 				Action: model.Delete,
@@ -382,6 +393,7 @@ func (fms *FileManagerService) DetermineFileActions(
 
 		// if file is unmanaged, action is set to unchanged so file is skipped when performing actions
 		if modifiedFile.File.GetUnmanaged() {
+			slog.DebugContext(ctx, "Skipping unmanaged file updates", "file_name", fileName)
 			continue
 		}
 		// if file doesn't exist in the current files, file has been added
@@ -729,6 +741,7 @@ func (fms *FileManagerService) convertToManifestFile(file *mpi.File, referenced
 			Size:       file.GetFileMeta().GetSize(),
 			Hash:       file.GetFileMeta().GetHash(),
 			Referenced: referenced,
+			Unmanaged:  file.GetUnmanaged(),
 		},
 	}
 }
@@ -750,6 +763,7 @@ func (fms *FileManagerService) convertToFile(manifestFile *model.ManifestFile) *
 			Hash: manifestFile.ManifestFileMeta.Hash,
 			Size: manifestFile.ManifestFileMeta.Size,
 		},
+		Unmanaged: manifestFile.ManifestFileMeta.Unmanaged,
 	}
 }
 

internal/model/config.go

@@ -45,6 +45,8 @@ type ManifestFileMeta struct {
 	Size int64 `json:"size"`
 	// File referenced in the NGINX config
 	Referenced bool `json:"referenced"`
+	// File is not managed by the agent
+	Unmanaged bool `json:"unmanaged"`
 }
 type ConfigApplyMessage struct {
 	Error         error