feat: fleetconfig-controller for declarative orchestration of OCM multi-clusters

.github/actions/generate-repo-matrix/action.yml

@@ -0,0 +1,31 @@
+name: Generate Repository Matrix
+description: Generates a matrix of repositories from the repositories.json file
+inputs:
+  repoRoot:
+    description: The root directory of the repository
+    required: true
+    type: string
+outputs:
+  matrix:
+    description: JSON matrix of repositories
+    value: ${{ steps.generate.outputs.matrix }}
+  repositories:
+    description: Complete repositories configuration as JSON
+    value: ${{ steps.generate.outputs.repositories }}
+runs:
+  using: 'composite'
+  steps:
+    - name: generate matrix
+      id: generate
+      shell: bash
+      run: |
+        set -e
+
+        # Read repositories.json and properly escape for GitHub Actions
+        repositories_json=$(cat ${{ inputs.repoRoot }}/.github/repositories.json | jq -c .)
+        echo "repositories=$repositories_json" >> $GITHUB_OUTPUT
+
+        # Extract repository names for matrix
+        repository_names=$(echo "$repositories_json" | jq -r 'keys')
+        matrix_json=$(echo "$repository_names" | jq -c '{"repository": .}')
+        echo "matrix=$matrix_json" >> $GITHUB_OUTPUT

.github/dependabot.yml

@@ -0,0 +1,24 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: daily
+  commit-message:
+      prefix: ":seedling:"
+  open-pull-requests-limit: 3
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+      interval: "weekly"
+  commit-message:
+      prefix: ":seedling:"
+  groups:
+    github-actions:
+      patterns:
+        - "*"
+      # These actions directly influence the build process and are excluded from grouped updates
+      exclude-patterns:
+        - "actions/setup-go"
+        - "arduino/setup-protoc"
+        - "goreleaser/goreleaser-action"

.github/repositories.json

@@ -0,0 +1,5 @@
+{
+  "fleetconfig-controller": {
+    "e2e-artifacts": ["hub-bundle.tar.gz", "spoke-bundle.tar.gz"]
+  }
+}

.github/workflows/chart-upload.yml

@@ -0,0 +1,72 @@
+name: ChartUpload
+
+permissions:
+  contents: read
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  env:
+    name: prepare release env
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          path: go/src/open-cluster-management.io/lab
+
+      - name: get release version
+        run: |
+          echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+
+      - name: get major release version
+        run: |
+          echo "MAJOR_RELEASE_VERSION=${RELEASE_VERSION%.*}" >> $GITHUB_ENV
+          echo "TRIMMED_RELEASE_VERSION=${RELEASE_VERSION#v}" >> $GITHUB_ENV
+
+      - name: generate matrix
+        id: generate-matrix
+        uses: ./go/src/open-cluster-management.io/lab/.github/actions/generate-repo-matrix
+        with:
+          repoRoot: go/src/open-cluster-management.io/lab
+    outputs:
+      MAJOR_RELEASE_VERSION: ${{ env.MAJOR_RELEASE_VERSION }}
+      RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
+      TRIMMED_RELEASE_VERSION: ${{ env.TRIMMED_RELEASE_VERSION }}
+      MATRIX: ${{ steps.generate-matrix.outputs.matrix }}
+
+  upload:
+    name: upload
+    runs-on: ubuntu-latest
+    needs: [env]
+    permissions:
+      contents: write
+    strategy:
+      matrix: ${{ fromJson(needs.env.outputs.MATRIX) }}
+    steps:
+      - name: submit fleetconfig-controller chart to OCM chart repo
+        if: github.event_name != 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.OCM_BOT_PAT }}
+          script: |
+            try {
+              const result = await github.rest.actions.createWorkflowDispatch({
+                owner:          'open-cluster-management-io',
+                repo:           'helm-charts',
+                workflow_id:    'download-chart.yml',
+                ref: 'main',
+                inputs: {
+                  repo:         "${{ github.repository }}",
+                  version:      "${{ needs.env.outputs.TRIMMED_RELEASE_VERSION }}",
+                  "chart-name": "${{ matrix.repository }}",
+                },
+              })
+              console.log(result);
+            } catch(error) {
+              console.error(error);
+              core.setFailed(error);
+            }

.github/workflows/dependency-review.yml

@@ -0,0 +1,28 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # v4.6.0

.github/workflows/e2e.yml

@@ -0,0 +1,46 @@
+name: E2E
+
+on:
+  workflow_call:
+    inputs:
+        repo:
+          required: true
+          type: string
+        artifacts:
+          required: false
+          type: string
+
+env:
+  GO_REQUIRED_MIN_VERSION: ''
+
+permissions:
+  contents: read
+
+jobs:
+  e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install DevSpace
+        uses: loft-sh/setup-devspace@main
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.24.4
+
+      - name: Test E2E
+        run: |
+          cd ${{ inputs.repo }} && make test-e2e
+
+      - name: Upload Artifacts
+        if: |
+          (success() || failure()) && inputs.artifacts != ''
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: e2e-artifacts
+          path: ${{ inputs.artifacts }}
+          if-no-files-found: ignore
+          retention-days: 7

.github/workflows/planner.yml

@@ -0,0 +1,121 @@
+name: Planner
+
+on:
+  pull_request:
+  pull_request_target:
+    types: [unlabeled]
+  workflow_dispatch:
+
+concurrency:
+  group: planner-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  generate-matrix:
+    runs-on: ubuntu-latest
+    # Skip this job (and subsequently all other planner jobs) if the PR has the `skip-ci` label
+    if: |
+      ! contains(github.event.pull_request.labels.*.name, 'skip-ci')
+    permissions:
+      contents: read
+      id-token: write
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+      repositories: ${{ steps.repo-matrix.outputs.repositories }}
+      artifacts: ${{ steps.generate.outputs.artifacts }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      with:
+        fetch-depth: 0
+        ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+
+    - name: Compute diff refs
+      id: compute-refs
+      run: |
+        set -e
+
+        BASE_SHA=${{ github.event.pull_request.base.sha }}
+        HEAD_SHA=${{ github.event.after || github.event.pull_request.head.sha }}
+
+        # Ensure we have both the base and head commits
+        git fetch --depth=1 origin $BASE_SHA
+        git fetch --depth=1 origin $HEAD_SHA
+        echo "BASE_SHA=$BASE_SHA" >> $GITHUB_ENV
+        echo "HEAD_SHA=$HEAD_SHA" >> $GITHUB_ENV
+
+        echo "Diff will compare main ($BASE_SHA) with $HEAD_SHA"
+
+    - name: Generate repository matrix
+      id: repo-matrix
+      uses: ./.github/actions/generate-repo-matrix
+      with:
+        repoRoot: "."
+
+    - name: Build changed project matrix
+      id: generate
+      run: |
+        set -e
+
+        # Get repository names and check for changes
+        repositories_json='${{ steps.repo-matrix.outputs.repositories }}'
+        changed_repos=()
+
+        # Check each repository for changes
+        while IFS= read -r repo; do
+          if git diff --name-only $BASE_SHA $HEAD_SHA | grep "^$repo/" > /dev/null 2>&1; then
+            changed_repos+=("$repo")
+          fi
+        done < <(echo "$repositories_json" | jq -r 'keys[]')
+
+        if [ ${#changed_repos[@]} -eq 0 ]; then
+          echo "No changes detected for any project"
+          echo "matrix=" >> $GITHUB_OUTPUT
+          echo "artifacts={}" >> $GITHUB_OUTPUT
+        else
+          # Convert changed repos array to JSON
+          changed_repos_json=$(printf '%s\n' "${changed_repos[@]}" | jq -R . | jq -s .)
+          matrixJson=$(echo "$changed_repos_json" | jq -c '{"repo": .}')
+
+          # Generate artifacts JSON with workspace prefix
+          artifacts_json=$(echo "$repositories_json" | jq -c \
+            --argjson changed_repos "$changed_repos_json" \
+            --arg workspace "${{ github.workspace }}" \
+            'to_entries |
+              map(select(.key as $repo | $changed_repos | index($repo) != null)) |
+              from_entries |
+              with_entries(.key as $repo | .value = (.value["e2e-artifacts"] | map($workspace + "/" + $repo + "/" + .) | join("\n")))')
+
+          echo "matrix=$matrixJson" >> $GITHUB_OUTPUT
+          echo "artifacts=$artifacts_json" >> $GITHUB_OUTPUT
+        fi
+
+        echo "Matrix: $matrixJson"
+        echo "Artifacts: $artifacts_json"
+
+  call-test:
+    name: test
+    needs: generate-matrix
+    if: |
+      needs.generate-matrix.outputs.matrix != ''
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    uses: ./.github/workflows/test.yml
+    with:
+      repo: ${{ matrix.repo }}
+    secrets: inherit
+
+  call-e2e:
+    name: e2e
+    needs: generate-matrix
+    if: |
+      needs.generate-matrix.outputs.matrix != ''
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    uses: ./.github/workflows/e2e.yml
+    with:
+      repo: ${{ matrix.repo }}
+      artifacts: ${{ fromJson(needs.generate-matrix.outputs.artifacts)[matrix.repo] }}
+    secrets: inherit