From d9cb12f5926ae580d125239f7a3cf35724b9970e Mon Sep 17 00:00:00 2001 From: xeniape Date: Wed, 26 Nov 2025 14:18:36 +0100 Subject: [PATCH 1/4] chore: refactor the build workflow for operators --- config/retired_files.yaml | 3 +- config/versions.yaml | 2 + template/.github/workflows/build.yaml.j2 | 238 ++++++++++++++++++ .../.github/workflows/pr_pre-commit.yaml.j2 | 2 + template/.yamllint.yaml | 3 + template/Makefile.j2 | 82 +----- template/docker/Dockerfile.j2 | 2 + 7 files changed, 249 insertions(+), 83 deletions(-) create mode 100644 template/.github/workflows/build.yaml.j2 diff --git a/config/retired_files.yaml b/config/retired_files.yaml index 27fbe62f..730f453b 100644 --- a/config/retired_files.yaml +++ b/config/retired_files.yaml @@ -3,6 +3,5 @@ # This is uncommented as I had issues with everything being deleted when this was just present as an empty key. # May be something to investigate. retired_files: - - .github/ISSUE_TEMPLATE/bug_report.yml - .readme/static/borrowed/sdp_overview.png - - bors.toml + - .github/workflows/build.yml \ No newline at end of file diff --git a/config/versions.yaml b/config/versions.yaml index 51e3dc8c..a61f90fa 100644 --- a/config/versions.yaml +++ b/config/versions.yaml @@ -30,3 +30,5 @@ python_version: 3.14 # Usually the latest version should just work and as such the version here can # be bumped without any constraints. nix_pkg_manager_version: 2.30.0 + +jinja2_cli_version: 0.8.2 \ No newline at end of file diff --git a/template/.github/workflows/build.yaml.j2 b/template/.github/workflows/build.yaml.j2 new file mode 100644 index 00000000..af39919c --- /dev/null +++ b/template/.github/workflows/build.yaml.j2 
@@ -0,0 +1,238 @@
+# =============
+# This file is automatically generated from the templates in stackabletech/operator-templating
+# DON'T MANUALLY EDIT THIS FILE
+# =============
+---
+name: Build {[ operator.name }] Artifacts
+
+permissions: {}
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - '[0-9][0-9].[0-9]+.[0-9]+-rc[0-9]+'
+ - '[0-9][0-9].[0-9]+.[0-9]+'
+ schedule:
+ # Run every Saturday morning: https://crontab.guru/#15_3_*_*_6
+ - cron: '15 3 * * 6'
+ pull_request:
+ paths:
+ - '.github/workflows/build.yaml'
+ - 'rust-toolchain.toml'
+ - '.dockerignore'
+ - 'deploy/**'
+ - '.cargo/**'
+ - 'docker/**'
+ - 'Cargo.*'
+ - '*.rs'
+
+env:
+ OPERATOR_NAME: "{[ operator.name }]"
+ RUST_NIGHTLY_TOOLCHAIN_VERSION: "{[ rust_nightly_version }]"
+ NIX_PKG_MANAGER_VERSION: "{[ nix_pkg_manager_version }]"
+ RUST_TOOLCHAIN_VERSION: "{[ rust_version }]"
+ HADOLINT_VERSION: "{[ hadolint_version }]"
+ PYTHON_VERSION: "{[ python_version }]"
+ CARGO_TERM_COLOR: always
+
+jobs:
+ cargo-udeps:
+ name: Run cargo-udeps
+ runs-on: ubuntu-latest
+ env:
+ RUSTC_BOOTSTRAP: 1
+ steps:
+ - name: Install host dependencies
+ uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3
+ with:
+ packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
+ version: ubuntu-latest
+
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ submodules: recursive
+
+ - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} toolchain
+ uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
+ with:
+ toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
+
+ - name: Setup Rust Cache
+ uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
+ with:
+ cache-all-crates: "true"
+ key: udeps
+
+ - name: Install cargo-udeps
+ uses: stackabletech/cargo-install-action@8f7dbbcd2ebe22717efc132d0dd61e80841994b9 # cargo-udeps
+
+ - name: Run cargo-udeps
+ run: cargo udeps --workspace --all-targets
+
+ build-container-image:
+ name: Build/Publish ${{ matrix.runner.arch }} Image
+ needs:
+ - cargo-udeps
+ permissions:
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ runner:
+ - { name: "ubuntu-latest", arch: "amd64" }
+ - { name: "ubicloud-standard-8-arm", arch: "arm64" }
+ runs-on: ${{ matrix.runner.name }}
+ outputs:
+ operator-version: ${{ steps.version.outputs.OPERATOR_VERSION }}
+ steps:
+ - name: Install host dependencies
+ uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3
+ with:
+ packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
+ version: ${{ matrix.runner.name }}
+
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ submodules: recursive
+
+ - name: Update/Extract Operator Version
+ id: version
+ if: github.event_name == 'pull_request'
+ env:
+ PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ GITHUB_DEBUG: ${{ runner.debug }}
+ shell: bash
+ run: |
+ set -euo pipefail
+ [ -n "$GITHUB_DEBUG" ] && set -x
+ CURRENT_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version')
+ if [ "$PR_BASE_REF" == 'main' ]; then
+ NEW_VERSION="0.0.0-pr$PR_NUMBER"
+ else
+ NEW_VERSION="$CURRENT_VERSION-pr$PR_NUMBER"
+ fi
+ sed -i "s/version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" Cargo.toml
+ echo "OPERATOR_VERSION=$NEW_VERSION" | tee -a "$GITHUB_OUTPUT"
+ - name: Install Nix
+ uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31.5.2
+
+ - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} Toolchain
+ uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
+ with:
+ toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
+
+ - name: Build Container Image
+ id: build
+ uses: stackabletech/actions/build-container-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+ with:
+ image-name: ${{ env.OPERATOR_NAME }}
+ image-index-manifest-tag: ${{ steps.version.outputs.OPERATOR_VERSION }}
+ build-arguments: VERSION=${{ steps.version.outputs.OPERATOR_VERSION }}
+ container-file: docker/Dockerfile
+
+ - name: Publish Container Image
+ uses: stackabletech/actions/publish-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+ with:
+ image-registry-uri: oci.stackable.tech
+ image-registry-username: robot$sdp+github-action-build
+ image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+ image-repository: sdp/${{ env.OPERATOR_NAME }}
+ image-manifest-tag: ${{ steps.build.outputs.image-manifest-tag }}
+ source-image-uri: ${{ steps.build.outputs.image-manifest-uri }}
+
+ publish-index-manifest:
+ name: Publish/Sign ${{ needs.build-container-image.outputs.operator-version }} Index
+ needs:
+ - build-container-image
+ permissions:
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Publish and Sign Image Index
+ uses: stackabletech/actions/publish-image-index-manifest@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+ with:
+ image-registry-uri: oci.stackable.tech
+ image-registry-username: robot$sdp+github-action-build
+ image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+ image-repository: sdp/${{ env.OPERATOR_NAME }}
+ image-index-manifest-tag: ${{ needs.build-container-image.outputs.operator-version }}
+
+ publish-helm-chart:
+ name: Package/Publish ${{ needs.build-container-image.outputs.operator-version }} Helm Chart
+ needs:
+ - build-container-image
+ permissions:
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ submodules: recursive
+
+ - name: Package, Publish, and Sign Helm Chart
+ uses: stackabletech/actions/publish-helm-chart@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+ with:
+ chart-registry-uri: oci.stackable.tech
+ chart-registry-username: robot$sdp-charts+github-action-build
+ chart-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
+ chart-repository: sdp-charts
+ chart-directory: deploy/helm/${{ env.OPERATOR_NAME }}
+ chart-version: ${{ needs.build-container-image.outputs.operator-version }}
+ app-version: ${{ needs.build-container-image.outputs.operator-version }}
+
+ openshift-preflight-check:
+ name: Run OpenShift Preflight Check for ${{ needs.build-container-image.outputs.operator-version }}-${{ matrix.arch }}
+ needs:
+ - build-container-image
+ - publish-index-manifest
+ strategy:
+ fail-fast: false
+ matrix:
+ arch:
+ - amd64
+ - arm64
+ runs-on: ubuntu-latest
+ steps:
+ - name: Run OpenShift Preflight Check
+ uses: stackabletech/actions/run-openshift-preflight@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+ with:
+ image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }}
+ image-architecture: ${{ matrix.arch }}
+
+ notify:
+ name: Failure Notification
+ needs:
+ - build-container-image
+ - publish-index-manifest
+ - publish-helm-chart
+ runs-on: ubuntu-latest
+ if: failure() || github.run_attempt > 1
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Send Notification
+ uses: stackabletech/actions/send-slack-notification@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+ with:
+ publish-helm-chart-result: ${{ needs.publish-helm-chart.result }}
+ publish-manifests-result: ${{ needs.publish-index-manifest.result }}
+ 
build-result: ${{ needs.build-container-image.result }} + slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + channel-id: C07UG6JH44F # notifications-container-images + type: container-image-build \ No newline at end of file diff --git a/template/.github/workflows/pr_pre-commit.yaml.j2 b/template/.github/workflows/pr_pre-commit.yaml.j2 index 074df5c9..b94ca796 100644 --- a/template/.github/workflows/pr_pre-commit.yaml.j2 +++ b/template/.github/workflows/pr_pre-commit.yaml.j2 @@ -11,6 +11,7 @@ env: RUST_TOOLCHAIN_VERSION: "{[ rust_nightly_version }]" HADOLINT_VERSION: "{[ hadolint_version }]" PYTHON_VERSION: "{[ python_version }]" + JINJA2_CLI_VERSION: "{[ jinja2_cli_version }]" jobs: pre-commit: @@ -33,3 +34,4 @@ jobs: hadolint: ${{ env.HADOLINT_VERSION }} nix: ${{ env.NIX_PKG_MANAGER_VERSION }} nix-github-token: ${{ secrets.GITHUB_TOKEN }} + jinja2-cli: ${{ env.JINJA2_CLI_VERSION }} diff --git a/template/.yamllint.yaml b/template/.yamllint.yaml index 08bf167f..3aa8dcf6 100644 --- a/template/.yamllint.yaml +++ b/template/.yamllint.yaml @@ -13,3 +13,6 @@ rules: indentation: indent-sequences: consistent comments-indentation: disable # This is generally useless and interferes with commented example values + braces: + max-spaces-inside: 1 + max-spaces-inside-empty: 0 \ No newline at end of file diff --git a/template/Makefile.j2 b/template/Makefile.j2 index fc128743..710e8200 100644 --- a/template/Makefile.j2 +++ b/template/Makefile.j2 
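Review bot: The `Update/Extract Operator Version` step in the new build.yaml.j2 carries `if: github.event_name == 'pull_request'`, so on push, tag and scheduled runs it is skipped and `steps.version.outputs.OPERATOR_VERSION` is empty everywhere it is consumed (`image-index-manifest-tag`, `build-arguments: VERSION=`, the job output that feeds `chart-version`, `app-version` and the preflight image URI). Unless the called actions fall back to a default, which these lines do not show, the release paths would publish without a version; dropping the `if:` and branching on the event inside the script, as sketched below, keeps the output populated (assuming non-PR runs should use the Cargo.toml version). The same script reads `.packages[0].version`, the first workspace member rather than the operator crate by name, and its `sed` pattern treats the dots in the version as wildcards and rewrites every matching `version = "…"` line in Cargo.toml. Separately, the publish jobs read registry secrets and request `id-token: write` on `pull_request` runs too; fork PRs receive neither, so those steps are worth gating on the PR head repository, and anyone verifying signatures should not treat the `-pr<N>` tags as release artifacts.

```yaml
      - name: Update/Extract Operator Version
        id: version
        # … unchanged: env (PR_BASE_REF, PR_NUMBER, GITHUB_DEBUG), shell; the `if:` line is removed …
        run: |
          # … unchanged: set -euo pipefail, debug toggle, CURRENT_VERSION lookup …
          if [ "$GITHUB_EVENT_NAME" != 'pull_request' ]; then
            NEW_VERSION="$CURRENT_VERSION"
          elif [ "$PR_BASE_REF" == 'main' ]; then
            NEW_VERSION="0.0.0-pr$PR_NUMBER"
          else
            NEW_VERSION="$CURRENT_VERSION-pr$PR_NUMBER"
          fi
          if [ "$NEW_VERSION" != "$CURRENT_VERSION" ]; then
            sed -i "s/version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" Cargo.toml
          fi
          # … unchanged: echo OPERATOR_VERSION to $GITHUB_OUTPUT …
```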
@@ -9,17 +9,11 @@ .PHONY: build publish -TAG := $(shell git rev-parse --short HEAD) OPERATOR_NAME := {[ operator.name }] VERSION := $(shell cargo metadata --format-version 1 | jq -r '.packages[] | select(.name=="stackable-${OPERATOR_NAME}") | .version') -ARCH := $(shell uname -m | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#') OCI_REGISTRY_HOSTNAME := oci.stackable.tech OCI_REGISTRY_PROJECT_IMAGES := sdp -OCI_REGISTRY_PROJECT_CHARTS := sdp-charts -# This will be overwritten by an environmental variable if called from the github action -HELM_CHART_NAME := ${OPERATOR_NAME} -HELM_CHART_ARTIFACT := target/helm/${OPERATOR_NAME}-${VERSION}.tgz SHELL=/usr/bin/env bash -euo pipefail 
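Review bot: `ARCH` is deleted in this hunk, but the `docker-build` recipe kept as context in the next hunk still tags the image `…/${OPERATOR_NAME}:${VERSION}-${ARCH}`, so unless ARCH is supplied from the environment the local build produces a tag ending in a bare `-`. Either keep `ARCH := $(shell uname -m | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')` or drop the `-${ARCH}` suffix from the `-t` argument. The context line `.PHONY: build publish` also still names `publish`, whose target the last Makefile hunk removes; `.PHONY: build` would match what remains. The rest of the Makefile is outside these hunks, so another definition of ARCH cannot be ruled out from here.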
@@ -33,73 +27,6 @@ render-docs: docker-build: docker build --force-rm --build-arg VERSION=${VERSION} -t "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}" -f docker/Dockerfile . -docker-publish: - # Push to Harbor - # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) - docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' - DOCKER_OUTPUT=$$(docker push --all-tags '${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}');\ - # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\ - REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}-${ARCH}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\ - if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\ - echo 'Could not find repo digest for container image: ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}';\ - exit 1;\ - fi;\ - # This generates a signature and publishes it to the registry, next to the image\ - # Uses the keyless signing flow with Github Actions as identity provider\ - cosign sign -y "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\ - # Generate the SBOM for the operator image, this leverages the already generated SBOM for the operator binary by cargo-cyclonedx\ - syft scan --output cyclonedx-json@1.5=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger,+sbom-cataloger" --scope all-layers --source-name "${OPERATOR_NAME}" --source-version "${VERSION}-${ARCH}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\ - # Determine the PURL for the container image\ - URLENCODED_REPO_DIGEST_OF_IMAGE=$$(echo 
"$$REPO_DIGEST_OF_IMAGE" | sed 's/:/%3A/g');\ - PURL="pkg:oci/${OPERATOR_NAME}@$$URLENCODED_REPO_DIGEST_OF_IMAGE?arch=${ARCH}&repository_url=${OCI_REGISTRY_HOSTNAME}%2F${OCI_REGISTRY_PROJECT_IMAGES}%2F${OPERATOR_NAME}";\ - # Get metadata from the image\ - IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\ - IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\ - # Merge the SBOM with the metadata for the operator\ - jq -s '{"metadata":{"component":{"description":"'"$$IMAGE_NAME. $$IMAGE_DESCRIPTION"'","supplier":{"name":"Stackable GmbH","url":["https://stackable.tech/"]},"author":"Stackable GmbH","purl":"'"$$PURL"'","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json;\ - # Attest the SBOM to the image\ - cosign attest -y --predicate sbom.merged.json --type cyclonedx "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE" - -# This assumes "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64 and "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64 are built and pushed -docker-manifest-list-build: - docker manifest create "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64" - -docker-manifest-list-publish: - # Push to Harbor - # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) - docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' 
'${OCI_REGISTRY_HOSTNAME}' - DIGEST_HARBOR=$$(docker manifest push "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}");\ - # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...);\ - # This generates a signature and publishes it to the registry, next to the image\ - # Uses the keyless signing flow with Github Actions as identity provider\ - cosign sign -y "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}@$$DIGEST_HARBOR" - -# TODO remove if not used/needed -docker: docker-build docker-publish - -print-docker-tag: - @echo "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" - -helm-publish: - # Push to Harbor - # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) - helm registry login --username '${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' - # Obtain the digest of the pushed artifact from the output of `helm push`, because signing by tag is deprecated and will be removed from cosign in the future\ - HELM_OUTPUT=$$(helm push '${HELM_CHART_ARTIFACT}' 'oci://${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}' 2>&1);\ - REPO_DIGEST_OF_ARTIFACT=$$(echo "$$HELM_OUTPUT" | awk '/^Digest: sha256:[0-9a-f]{64}$$/ { print $$2 }');\ - if [ -z "$$REPO_DIGEST_OF_ARTIFACT" ]; then\ - echo 'Could not find repo digest for helm chart: ${HELM_CHART_NAME}';\ - exit 1;\ - fi;\ - # Login to Harbor, needed for cosign to be able to push the signature for the Helm chart\ - docker login --username '${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}';\ - # This generates a signature and publishes it to the registry, next to the chart artifact\ - # Uses the keyless signing flow with Github Actions as identity provider\ - 
cosign sign -y "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}/${HELM_CHART_NAME}@$$REPO_DIGEST_OF_ARTIFACT" - -helm-package: - mkdir -p target/helm && helm package --destination target/helm deploy/helm/${OPERATOR_NAME} - ## Chart related targets compile-chart: version crds config @@ -133,14 +60,7 @@ regenerate-charts: chart-clean compile-chart regenerate-nix: nix run --extra-experimental-features "nix-command flakes" -f . regenerateNixLockfiles -build: regenerate-charts regenerate-nix helm-package docker-build - -# This target is used by the CI -# It doesn't make use of any nix dependencies and thus aviods building the -# operator unnecessarily often. -build-ci: regenerate-charts helm-package docker-build - -publish: docker-publish helm-publish +build: regenerate-charts regenerate-nix docker-build check-nix: @which nix || (echo "Error: 'nix' is not installed. Please install it to proceed."; exit 1) diff --git a/template/docker/Dockerfile.j2 b/template/docker/Dockerfile.j2 index d6f3b595..9e3fbcf9 100644 --- a/template/docker/Dockerfile.j2 +++ b/template/docker/Dockerfile.j2 @@ -21,6 +21,8 @@ FROM oci.stackable.tech/sdp/ubi9-rust-builder:latest AS builder FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS operator ARG VERSION +# NOTE (@Techassi): This is required for OpenShift/Red Hat certification +# Keeping this as "1" seems to be fine since a couple of years /shrug ARG RELEASE="1" # These are chosen at random and are this high on purpose to have very little chance to clash with an existing user or group on the host system From 35e18d7d9cd3d4f8eb2fa97c4f4f176b1e882438 Mon Sep 17 00:00:00 2001 From: xeniape Date: Wed, 26 Nov 2025 14:24:00 +0100 Subject: [PATCH 2/4] linting fixes --- config/retired_files.yaml | 2 +- config/versions.yaml | 2 +- template/.github/workflows/build.yaml.j2 | 2 +- template/.yamllint.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/config/retired_files.yaml b/config/retired_files.yaml index 730f453b..374056ca 100644 --- a/config/retired_files.yaml +++ b/config/retired_files.yaml @@ -4,4 +4,4 @@ # May be something to investigate. retired_files: - .readme/static/borrowed/sdp_overview.png - - .github/workflows/build.yml \ No newline at end of file + - .github/workflows/build.yml diff --git a/config/versions.yaml b/config/versions.yaml index a61f90fa..4f467198 100644 --- a/config/versions.yaml +++ b/config/versions.yaml @@ -31,4 +31,4 @@ python_version: 3.14 # be bumped without any constraints. nix_pkg_manager_version: 2.30.0 -jinja2_cli_version: 0.8.2 \ No newline at end of file +jinja2_cli_version: 0.8.2 diff --git a/template/.github/workflows/build.yaml.j2 b/template/.github/workflows/build.yaml.j2 index af39919c..9af7fc13 100644 --- a/template/.github/workflows/build.yaml.j2 +++ b/template/.github/workflows/build.yaml.j2 @@ -235,4 +235,4 @@ jobs: build-result: ${{ needs.build-container-image.result }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} channel-id: C07UG6JH44F # notifications-container-images - type: container-image-build \ No newline at end of file + type: container-image-build diff --git a/template/.yamllint.yaml b/template/.yamllint.yaml index 3aa8dcf6..020cb5f0 100644 --- a/template/.yamllint.yaml +++ b/template/.yamllint.yaml @@ -15,4 +15,4 @@ rules: comments-indentation: disable # This is generally useless and interferes with commented example values braces: max-spaces-inside: 1 - max-spaces-inside-empty: 0 \ No newline at end of file + max-spaces-inside-empty: 0 From d619d6b9ce53d4f0c6ad44c9b732094c9b2579a4 Mon Sep 17 00:00:00 2001 From: xeniape Date: Wed, 26 Nov 2025 14:50:27 +0100 Subject: [PATCH 3/4] add yamllint braces config --- .yamllint.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.yamllint.yaml b/.yamllint.yaml index 5b315dc4..fe477af6 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml 
@@ -14,6 +14,9 @@ rules: comments: min-spaces-from-content: 1 # Needed due to https://github.com/adrienverge/yamllint/issues/443 comments-indentation: disable # This is generally useless and interferes with commented example values + braces: + max-spaces-inside: 1 + max-spaces-inside-empty: 0 yaml-files: - '*.yaml' From 6c8e0834af827a16a6e2977c000ebcbb1171e9bd Mon Sep 17 00:00:00 2001 From: xeniape Date: Wed, 26 Nov 2025 15:19:22 +0100 Subject: [PATCH 4/4] update the actions version --- .github/workflows/pr_pre-commit.yml | 2 +- template/.github/workflows/build.yaml.j2 | 12 ++++++------ template/.github/workflows/integration-test.yml | 4 ++-- template/.github/workflows/pr_pre-commit.yaml.j2 | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pr_pre-commit.yml b/.github/workflows/pr_pre-commit.yml index e88d5eec..6e66b844 100644 --- a/.github/workflows/pr_pre-commit.yml +++ b/.github/workflows/pr_pre-commit.yml @@ -18,7 +18,7 @@ jobs: with: persist-credentials: false fetch-depth: 0 - - uses: stackabletech/actions/run-pre-commit@75e0756966dea229d697165bfd06ba79abcda72c # v0.10.3 + - uses: stackabletech/actions/run-pre-commit@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: python-version: ${{ env.PYTHON_VERSION }} hadolint: ${{ env.HADOLINT_VERSION }} diff --git a/template/.github/workflows/build.yaml.j2 b/template/.github/workflows/build.yaml.j2 index 9af7fc13..d0a33e40 100644 --- a/template/.github/workflows/build.yaml.j2 +++ b/template/.github/workflows/build.yaml.j2 @@ -130,7 +130,7 @@ jobs: - name: Build Container Image id: build - uses: stackabletech/actions/build-container-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4 + uses: stackabletech/actions/build-container-image@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: image-name: ${{ env.OPERATOR_NAME }} image-index-manifest-tag: ${{ steps.version.outputs.OPERATOR_VERSION }} 
@@ -138,7 +138,7 @@ jobs: container-file: docker/Dockerfile - name: Publish Container Image - uses: stackabletech/actions/publish-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4 + uses: stackabletech/actions/publish-image@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: image-registry-uri: oci.stackable.tech image-registry-username: robot$sdp+github-action-build @@ -161,7 +161,7 @@ jobs: persist-credentials: false - name: Publish and Sign Image Index - uses: stackabletech/actions/publish-image-index-manifest@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4 + uses: stackabletech/actions/publish-image-index-manifest@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: image-registry-uri: oci.stackable.tech image-registry-username: robot$sdp+github-action-build @@ -184,7 +184,7 @@ jobs: submodules: recursive - name: Package, Publish, and Sign Helm Chart - uses: stackabletech/actions/publish-helm-chart@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4 + uses: stackabletech/actions/publish-helm-chart@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: chart-registry-uri: oci.stackable.tech chart-registry-username: robot$sdp-charts+github-action-build @@ -208,7 +208,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run OpenShift Preflight Check - uses: stackabletech/actions/run-openshift-preflight@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4 + uses: stackabletech/actions/run-openshift-preflight@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }} image-architecture: ${{ matrix.arch }} 
@@ -228,7 +228,7 @@ jobs: persist-credentials: false - name: Send Notification - uses: stackabletech/actions/send-slack-notification@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4 + uses: stackabletech/actions/send-slack-notification@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: publish-helm-chart-result: ${{ needs.publish-helm-chart.result }} publish-manifests-result: ${{ needs.publish-index-manifest.result }} diff --git a/template/.github/workflows/integration-test.yml b/template/.github/workflows/integration-test.yml index b49b7712..0f9f268e 100644 --- a/template/.github/workflows/integration-test.yml +++ b/template/.github/workflows/integration-test.yml @@ -41,7 +41,7 @@ jobs: # TODO: Enable the scheduled runs which hard-code what profile to use - name: Run Integration Test id: test - uses: stackabletech/actions/run-integration-test@75e0756966dea229d697165bfd06ba79abcda72c # v0.10.3 + uses: stackabletech/actions/run-integration-test@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: replicated-api-token: ${{ secrets.REPLICATED_API_TOKEN }} test-mode-input: ${{ inputs.test-mode-input }} @@ -51,7 +51,7 @@ jobs: - name: Send Notification if: ${{ failure() || github.run_attempt > 1 }} - uses: stackabletech/actions/send-slack-notification@75e0756966dea229d697165bfd06ba79abcda72c # v0.10.3 + uses: stackabletech/actions/send-slack-notification@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: slack-token: ${{ secrets.SLACK_INTEGRATION_TEST_TOKEN }} failed-tests: ${{ steps.test.outputs.failed-tests }} diff --git a/template/.github/workflows/pr_pre-commit.yaml.j2 b/template/.github/workflows/pr_pre-commit.yaml.j2 index b94ca796..fb99204b 100644 --- a/template/.github/workflows/pr_pre-commit.yaml.j2 +++ b/template/.github/workflows/pr_pre-commit.yaml.j2 
@@ -27,7 +27,7 @@ jobs: persist-credentials: false submodules: recursive fetch-depth: 0 - - uses: stackabletech/actions/run-pre-commit@75e0756966dea229d697165bfd06ba79abcda72c # v0.10.3 + - uses: stackabletech/actions/run-pre-commit@29bea1b451c0c2e994bd495969286f95bf49ed6a # v0.11.0 with: python-version: ${{ env.PYTHON_VERSION }} rust: ${{ env.RUST_TOOLCHAIN_VERSION }}