From 26675af7bab0435283d5fb776edf071cebc2a1b0 Mon Sep 17 00:00:00 2001 From: Techassi Date: Mon, 24 Nov 2025 17:09:59 +0100 Subject: [PATCH 01/10] ci: Improve build workflow --- .github/workflows/build.yaml | 214 ++++++++++++++++ .github/workflows/build.yml | 484 ----------------------------------- .yamllint.yaml | 3 + 3 files changed, 217 insertions(+), 484 deletions(-) create mode 100644 .github/workflows/build.yaml delete mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 00000000..1c34c0a7 --- /dev/null +++ b/.github/workflows/build.yaml 
@@ -0,0 +1,214 @@ +# ============= +# This file is automatically generated from the templates in stackabletech/operator-templating +# DON'T MANUALLY EDIT THIS FILE +# ============= +--- +# TODO: Template operator name +name: Build Airflow Operator Artifacts + +permissions: {} + +on: + push: + branches: + - main + tags: + - '[0-9][0-9].[0-9]+.[0-9]+-rc[0-9]+' + - '[0-9][0-9].[0-9]+.[0-9]+' + schedule: + # Run every Saturday morning: https://crontab.guru/#15_3_*_*_6 + - cron: '15 3 * * 6' + pull_request: + paths: + - '.github/workflows/build.yaml' + - 'rust-toolchain.toml' + - '.dockerignore' + - 'deploy/**' + - '.cargo/**' + - 'docker/**' + - 'Cargo.*' + - '*.rs' + +# These are pretty much all templated +env: + # TODO: Template env var for operator name + OPERATOR_NAME: airflow-operator + RUST_NIGHTLY_TOOLCHAIN_VERSION: "nightly-2025-10-23" + NIX_PKG_MANAGER_VERSION: "2.30.0" + RUST_TOOLCHAIN_VERSION: "1.89.0" + HADOLINT_VERSION: "v2.12.0" + PYTHON_VERSION: "3.13" + CARGO_TERM_COLOR: always + +jobs: + cargo-udeps: + name: Run cargo-udeps + runs-on: ubuntu-latest + env: + RUSTC_BOOTSTRAP: 1 + steps: + - name: Install host dependencies + uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3 + with: + packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https + version: ubuntu-latest + + - name: Checkout Repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + submodules: recursive + + - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} toolchain + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b + with: + toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + + - name: Setup Rust Cache + uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 + with: + cache-all-crates: "true" + key: udeps + + - name: Install cargo-udeps + uses: 
stackabletech/cargo-install-action@8f7dbbcd2ebe22717efc132d0dd61e80841994b9 # cargo-udeps + + - name: Run cargo-udeps + run: cargo udeps --workspace --all-targets + + build-image: + name: Build/Publish ${{ matrix.runner.arch }} Image + needs: + - cargo-udeps + permissions: + id-token: write + strategy: + fail-fast: false + matrix: + runner: + - { name: "ubuntu-latest", arch: "amd64" } + - { name: "ubicloud-standard-8-arm", arch: "arm64" } + runs-on: ${{ matrix.runner.name }} + outputs: + operator-version: ${{ steps.version.outputs.OPERATOR_VERSION }} + steps: + - name: Install host dependencies + uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3 + with: + packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https + version: ${{ matrix.runner.name }} + + - name: Checkout Repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + submodules: recursive + + - name: Update/Extract Operator Version + id: version + if: github.event_name == 'pull_request' + env: + PR_BASE_REF: ${{ github.event.pull_request.base.ref }} + PR_NUMBER: ${{ github.event.pull_request.number }} + GITHUB_DEBUG: ${{ runner.debug }} + shell: bash + run: | + set -euo pipefail + [ -n "$GITHUB_DEBUG" ] && set -x + + CURRENT_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version') + + if [ "$PR_BASE_REF" == 'main' ]; then + NEW_VERSION="0.0.0-pr$PR_NUMBER" + else + NEW_VERSION="$CURRENT_VERSION-pr$PR_NUMBER" + fi + + sed -i "s/version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" Cargo.toml + echo "OPERATOR_VERSION=$NEW_VERSION" | tee -a "$GITHUB_OUTPUT" + + - name: Install Nix + uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31.5.2 + + - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} Toolchain + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b + with: 
+ toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + + - name: Build Container Image + id: build + uses: stackabletech/actions/build-container-image@7ffd8c8c5c0378ebeae80f95e2680510d3d1be4c # TODO: Use released image + with: + image-name: ${{ env.OPERATOR_NAME }} + image-index-manifest-tag: ${{ steps.version.outputs.OPERATOR_VERSION }} + build-arguments: VERSION=${{ steps.version.outputs.OPERATOR_VERSION }} + container-file: docker/Dockerfile + + - name: Publish Container Image + uses: stackabletech/actions/publish-image@7ffd8c8c5c0378ebeae80f95e2680510d3d1be4c # TODO: Use released image + with: + image-registry-uri: oci.stackable.tech + image-registry-username: robot$sdp+github-action-build + image-registry-password: ${{ secrets.harbor-robot-secret }} + image-repository: sdp/${{ env.OPERATOR_NAME }} + image-manifest-tag: ${{ steps.build.outputs.image-manifest-tag }} + source-image-uri: ${{ steps.build.outputs.image-manifest-uri }} + + publish-index-manifest: + name: Publish/Sign ${{ needs.build-image.outputs.operator-version }} Index + needs: + - build-image + permissions: + id-token: write + runs-on: ubuntu-latest + steps: + - name: Publish and Sign Image Index + uses: stackabletech/actions/publish-index-manifest@497f3e3cbfe9b89b1e570351b97d050eebcad5d0 # 0.8.3 + with: + image-registry-uri: oci.stackable.tech + image-registry-username: robot$sdp+github-action-build + image-registry-password: ${{ secrets.harbor-robot-secret }} + image-repository: sdp/${{ env.OPERATOR_NAME }} + image-index-manifest-tag: ${{ needs.build-image.outputs.operator-version }} + + package-chart: + name: Package/Publish ${{ needs.build-image.outputs.operator-version }} Helm Chart + needs: + - build-image + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + submodules: recursive + + - name: Package, Publish, and Sign Helm Chart + uses: 
stackabletech/actions/publish-helm-chart@923b9de2c77d2a736035e744c22ab6e5937b4c18 # TODO: Use released version + with: + chart-registry-uri: oci.stackable.tech + chart-registry-username: robot$sdp+github-action-build + chart-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + chart-repository: sdp-charts/${{ env.OPERATOR_NAME }} + chart-directory: deploy/helm/${{ env.OPERATOR_NAME }} + chart-version: ${{ needs.build-image.outputs.operator-version }} + app-version: ${{ needs.build-image.outputs.operator-version }} + + openshift-preflight-check: + name: Run OpenShift Preflight Check for ${{ needs.build-image.outputs.operator-version }}-${{ matrix.arch }} + needs: + - build-image + - publish-index-manifest + strategy: + fail-fast: false + matrix: + arch: + - amd64 + - arm64 + runs-on: ubuntu-latest + steps: + - name: Run OpenShift Preflight Check + uses: stackabletech/actions/run-openshift-preflight@50f31550a09fc10b16892a85edfb75b6f2e448d6 # TODO: Use released version + with: + image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-image.outputs.operator-version }} + image-architecture: ${{ matrix.arch }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index ae1963e9..00000000 --- a/.github/workflows/build.yml +++ /dev/null 
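Review bot: The `Update/Extract Operator Version` step runs only under `if: github.event_name == 'pull_request'`, so for the `push` (main and release-tag) and `schedule` triggers `steps.version.outputs.OPERATOR_VERSION` is never written and every consumer of it — `image-index-manifest-tag`, `build-arguments: VERSION=`, `chart-version`/`app-version` and the preflight `image-index-uri` — expands to an empty string on exactly the release path this workflow exists for. Run the step unconditionally and fall back to the Cargo.toml version when `PR_NUMBER` is empty, as sketched below. Separately, `package-chart` inherits the top-level `permissions: {}` and declares no `id-token: write` although its step is named "Package, Publish, and Sign Helm Chart"; if the action signs keyless with cosign it cannot obtain an OIDC token there — confirm against the action. That job also logs in to `sdp-charts/` as `robot$sdp+github-action-build` with `HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET`, whereas the deleted `build.yml` used a dedicated `robot$sdp-charts+github-action-build` robot with its own secret, so either the chart push will be rejected or the image robot has been widened to a second Harbor project; keeping the per-project robot is the least-privilege choice.
```yaml
      # … unchanged: checkout step …

      - name: Update/Extract Operator Version
        id: version
        env:
          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_DEBUG: ${{ runner.debug }}
        shell: bash
        run: |
          set -euo pipefail
          [ -n "$GITHUB_DEBUG" ] && set -x

          CURRENT_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version')

          # Only pull requests get a -prNNN suffix; push, tag and scheduled
          # runs publish under the version already in Cargo.toml.
          if [ -z "$PR_NUMBER" ]; then
            NEW_VERSION="$CURRENT_VERSION"
          elif [ "$PR_BASE_REF" == 'main' ]; then
            NEW_VERSION="0.0.0-pr$PR_NUMBER"
          else
            NEW_VERSION="$CURRENT_VERSION-pr$PR_NUMBER"
          fi

          if [ "$NEW_VERSION" != "$CURRENT_VERSION" ]; then
            sed -i "s/version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" Cargo.toml
          fi
          echo "OPERATOR_VERSION=$NEW_VERSION" | tee -a "$GITHUB_OUTPUT"

      # … unchanged: nix / rust toolchain / build / publish steps …
```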
@@ -1,484 +0,0 @@ -# ============= -# This file is automatically generated from the templates in stackabletech/operator-templating -# DON'T MANUALLY EDIT THIS FILE -# ============= ---- -name: Stackable Build Pipeline - -on: - push: - branches: - - main - - staging - - trying - - "renovate/**" - tags: - - '[0-9][0-9].[0-9]+.[0-9]+' - - '[0-9][0-9].[0-9]+.[0-9]+-rc[0-9]+' - pull_request: - merge_group: - schedule: - # Run every Saturday morning: https://crontab.guru/#15_3_*_*_6 - - cron: '15 3 * * 6' - workflow_dispatch: - -env: - CARGO_TERM_COLOR: always - CARGO_INCREMENTAL: '0' - CARGO_PROFILE_DEV_DEBUG: '0' - RUST_TOOLCHAIN_VERSION: "1.89.0" - RUST_NIGHTLY_TOOLCHAIN_VERSION: "nightly-2025-10-23" - PYTHON_VERSION: "3.14" - RUSTFLAGS: "-D warnings" - RUSTDOCFLAGS: "-D warnings" - RUST_LOG: "info" - -jobs: - # Identify unused dependencies - run_udeps: - name: Run Cargo Udeps - runs-on: ubuntu-latest - env: - RUSTC_BOOTSTRAP: 1 - steps: - - name: Install host dependencies - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0 - with: - packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https - version: ubuntu-latest - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1 - with: - key: udeps - cache-all-crates: "true" - - uses: stackabletech/cargo-install-action@cargo-udeps - - run: cargo udeps --workspace --all-targets - - # This job evaluates the github environment to determine why this action is running and decides if - # Helm charts are published based on this. 
- # - # The following scenarios are identified: - # - all pull requests land are published: - # condition: github.event_name == "pull_request" - # - # - all tagged releases are published: - # condition: github.event_name == 'push' & github.ref.startswith('refs/tags/') - # - # - all pushes to main (i.e. PR-merges) and all scheduled/manual workflow runs on main land are published: - # condition: ( github.event_name == 'push' | github.event_name == 'schedule' | github.event_name == 'workflow_dispatch' ) & github.ref == 'refs/heads/main' - # - # Any other scenarios (e.g. when a branch is created/pushed) will cause the publish step to be skipped, most commonly this is expected to happen for the - # branches that the GitHub merge queue feature uses internally for which the checks need to run, but we do not want artifacts to be published. - check_helm_publish: - name: Decide if Helm charts are pushed to the helm repository based on action trigger - runs-on: ubuntu-latest - outputs: - skip_helm: ${{ steps.checkhelmpublish.outputs.skip_helm }} - steps: - - id: checkhelmpublish - env: - TRIGGER: ${{ github.event_name }} - GITHUB_REF: ${{ github.ref }} - run: | - if [[ "$TRIGGER" == "pull_request" ]]; then - echo "skip_helm=false" >> "$GITHUB_OUTPUT" - elif [[ ( "$TRIGGER" == "push" || "$TRIGGER" == "schedule" || "$TRIGGER" == "workflow_dispatch" ) && "$GITHUB_REF" == "refs/heads/main" ]]; then - echo "skip_helm=false" >> "$GITHUB_OUTPUT" - elif [[ "$TRIGGER" == "push" && $GITHUB_REF == refs/tags/* ]]; then - echo "skip_helm=false" >> "$GITHUB_OUTPUT" - else - echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF" - echo "skip_helm=true" >> "$GITHUB_OUTPUT" - fi - - run_cargodeny: - name: Run Cargo Deny - runs-on: ubuntu-latest - strategy: - matrix: - checks: - - advisories - - bans licenses sources - - # Prevent sudden announcement of a new advisory from failing ci: - continue-on-error: ${{ matrix.checks == 'advisories' }} - - 
steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - - uses: EmbarkStudios/cargo-deny-action@f2ba7abc2abebaf185c833c3961145a3c275caad # v2.0.13 - with: - command: check ${{ matrix.checks }} - - run_rustfmt: - name: Run Rustfmt - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 - with: - toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }} - components: rustfmt - - env: - RUST_TOOLCHAIN_VERSION: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }} - run: cargo "+$RUST_TOOLCHAIN_VERSION" fmt --all -- --check - - run_clippy: - name: Run Clippy - runs-on: ubuntu-latest - steps: - - name: Install host dependencies - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0 - with: - packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https - version: ubuntu-latest - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: clippy - - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1 - with: - key: clippy - cache-all-crates: "true" - # TODO (@Techassi): Remove this step (unmaintained action, kinda useless step anyway) - - name: Run clippy action to produce annotations - uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1.0.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: env.GITHUB_TOKEN != null - with: - clippy_flags: --all-targets -- -D warnings - reporter: 'github-pr-review' - github_token: ${{ secrets.GITHUB_TOKEN }} - # TODO 
(@Techassi): Remove, done by pre-commit - - name: Run clippy manually without annotations - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: env.GITHUB_TOKEN == null - run: cargo clippy --color never -q --all-targets -- -D warnings - - # TODO (@Techassi): Can be done by pre-commit - run_rustdoc: - name: Run RustDoc - runs-on: ubuntu-latest - steps: - - name: Install host dependencies - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0 - with: - packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https - version: ubuntu-latest - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - submodules: recursive - - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt - - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1 - with: - key: doc - cache-all-crates: "true" - - run: cargo doc --document-private-items - - # TODO (@Techassi): Remove, done by pre-commit - run_tests: - name: Run Cargo Tests - runs-on: ubuntu-latest - steps: - - name: Install host dependencies - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0 - with: - packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https - version: ubuntu-latest - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1 - with: - key: test - cache-all-crates: "true" - - run: cargo test - - - # Similar to check_charts, this tries to render the README, and see if there are unintended changes. 
- # This will save us from merging changes to the wrong file (instead of the templated source), and from - # forgetting to render out modifications to the README. - check_readme: - name: Check if committed README is the one we would render from the available parts - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 - with: - python-version: ${{ env.PYTHON_VERSION }} - - name: Install jinja2-cli - run: pip install jinja2-cli==0.8.2 - - name: Regenerate charts - run: make render-readme - - name: Check if committed README were up to date - run: git diff --exit-code - - name: Git Diff showed uncommitted changes - if: ${{ failure() }} - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - with: - script: | - core.setFailed('Committed README are not up to date, please make sure to apply them to the templated partials, and re-commit!') - - # This job cleans up the CRDs and Helm charts, followed by rebuilding them - # It then runs a `git diff` and fails the entire workflow, if any difference is encountered. - # - # Since CRD files are generated during the 'cargo build' process we need to run this once after - # removing the CRD files to ensure that the checked in versions match what the code expects. - # - # The reason for this step is, that developers are expected to check in up-to-date versions of charts - # as we'd otherwise have to build these in CI and commit them back to the PR, which - # creates all kinds of problems. - # This failsafe simply aborts anything that has not had charts rebuilt before pushing. 
- check_charts: - name: Check if committed Helm charts are up to date - runs-on: ubuntu-latest - steps: - - name: Install host dependencies - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0 - with: - packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https - version: ubuntu-latest - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - - name: Set up Helm - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 - with: - version: v3.16.1 - - name: Set up cargo - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1 - with: - key: charts - cache-all-crates: "true" - - name: Regenerate charts - run: make regenerate-charts - - name: Check if committed charts were up to date - run: git diff --exit-code - - name: Git Diff showed uncommitted changes - if: ${{ failure() }} - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - with: - script: | - core.setFailed('Committed charts were not up to date, please regenerate and re-commit!') - - tests_passed: - name: All tests passed - needs: - - run_udeps - - run_cargodeny - - run_clippy - - run_rustfmt - - run_rustdoc - - run_tests - - check_charts - - check_readme - runs-on: ubuntu-latest - steps: - - name: log - run: echo All tests have passed! - - # TODO (@Techassi): Most of these publishing and signing tasks can be done by our own actions. - # Make use of them just like we do in docker-images. 
- package_and_publish: - name: Package Charts, Build Docker Image and publish them - ${{ matrix.runner }} - needs: - - tests_passed - - check_helm_publish - strategy: - matrix: - runner: ["ubuntu-latest", "ubicloud-standard-8-arm"] - runs-on: ${{ matrix.runner }} - timeout-minutes: 120 - permissions: - id-token: write - env: - OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} - OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build" - OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }} - OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build" - if: needs.check_helm_publish.outputs.skip_helm != 'true' - outputs: - IMAGE_TAG: ${{ steps.printtag.outputs.IMAGE_TAG }} - steps: - - name: Install host dependencies - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0 - with: - packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https - version: ${{ matrix.runner }} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - - uses: cachix/install-nix-action@fd24c48048070c1be9acd18c9d369a83f0fe94d7 # v31.8.1 - - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt - # This step checks if the current run was triggered by a push to a pr (or a pr being created). - # If this is the case it changes the version of this project in all Cargo.toml files to include the suffix - # "-pr" so that the published artifacts can be linked to this PR. 
- - uses: stackabletech/cargo-install-action@main - with: - crate: cargo-edit - bin: cargo-set-version - - name: Update version if PR against main branch - if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' }} - env: - PR_NUMBER: ${{ github.event.pull_request.number }} - run: | - PR_VERSION="0.0.0-pr${PR_NUMBER}" - cargo set-version --offline --workspace "$PR_VERSION" - - name: Update version if PR against non-main branch - # For PRs to be merged against a release branch, use the version that has already been set in the calling script. - # We can't rely on cargo set-version here as we will break semver rules when changing the version to make it - # specific to this PR e.g. 1.2.0 --> 1.2.0-pr678, so set it manually. - if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref != 'main' }} - env: - PR_NUMBER: ${{ github.event.pull_request.number }} - shell: bash - run: | - set -euo pipefail - - MANIFEST_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version') - PR_VERSION="${MANIFEST_VERSION}-pr${PR_NUMBER}" - sed -i "s/version = \"${MANIFEST_VERSION}\"/version = \"${PR_VERSION}\"/" Cargo.toml - - # Recreate charts and publish charts and docker image. 
- - name: Install cosign - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: Install syft - uses: anchore/sbom-action/download-syft@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9 - - name: Build Docker image and Helm chart - run: | - # Installing helm and yq on ubicloud-standard-8-arm only - if [ "$(arch)" = "aarch64" ]; then - curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list - sudo apt-get -y update - sudo apt-get -y install helm - sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq - fi - - make build - - name: Publish Docker image and Helm chart - if: ${{ !github.event.pull_request.head.repo.fork }} - run: | - # We want to publish helmcharts only once as they have a common name, while still publishing both images with architecture specific tags - if [ "$(uname -m)" = "x86_64" ]; then - make publish - else - make docker-publish - fi - # Output the name of the published image to the Job output for later use - - id: printtag - name: Output image name and tag - if: ${{ !github.event.pull_request.head.repo.fork }} - run: echo "IMAGE_TAG=$(make print-docker-tag)" >> "$GITHUB_OUTPUT" - - create_manifest_list: - name: Build and publish manifest list - if: ${{ !github.event.pull_request.head.repo.fork }} - needs: - - package_and_publish - runs-on: ubuntu-latest - permissions: - id-token: write - env: - OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} - OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build" - OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }} - 
OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build" - steps: - - name: Install cosign - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - # This step checks if the current run was triggered by a push to a pr (or a pr being created). - # If this is the case it changes the version of this project in all Cargo.toml files to include the suffix - # "-pr" so that the published artifacts can be linked to this PR. - - uses: stackabletech/cargo-install-action@main - with: - crate: cargo-edit - bin: cargo-set-version - - name: Update version if PR against main branch - if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' }} - env: - PR_NUMBER: ${{ github.event.pull_request.number }} - run: | - PR_VERSION="0.0.0-pr${PR_NUMBER}" - cargo set-version --offline --workspace "$PR_VERSION" - - name: Update version if PR against non-main branch - # For PRs to be merged against a release branch, use the version that has already been set in the calling script. - # We can't rely on cargo set-version here as we will break semver rules when changing the version to make it - # specific to this PR e.g. 1.2.0 --> 1.2.0-pr678, so set it manually. 
- if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref != 'main' }} - env: - PR_NUMBER: ${{ github.event.pull_request.number }} - shell: bash - run: | - set -euo pipefail - - MANIFEST_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version') - PR_VERSION="${MANIFEST_VERSION}-pr${PR_NUMBER}" - sed -i "s/version = \"${MANIFEST_VERSION}\"/version = \"${PR_VERSION}\"/" Cargo.toml - - name: Build manifest list - run: | - # Creating manifest list - make -e docker-manifest-list-build - # Pushing and signing manifest list - make -e docker-manifest-list-publish - - openshift_preflight: - name: Run the OpenShift Preflight check on the published images - if: ${{ !github.event.pull_request.head.repo.fork }} - needs: - - create_manifest_list - - package_and_publish - runs-on: ubuntu-latest - env: - IMAGE_TAG: ${{ needs.package_and_publish.outputs.IMAGE_TAG }} - steps: - - name: Install preflight - run: | - wget https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.10.0/preflight-linux-amd64 - chmod +x preflight-linux-amd64 - - name: Check container - run: | - ARCH_FOR_PREFLIGHT="$(arch | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')" - ./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" > preflight.out - - name: "Passed?" - run: '[ "$(jq -r .passed < preflight.out)" == true ]' diff --git a/.yamllint.yaml b/.yamllint.yaml index 08bf167f..020cb5f0 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml @@ -13,3 +13,6 @@ rules: indentation: indent-sequences: consistent comments-indentation: disable # This is generally useless and interferes with commented example values + braces: + max-spaces-inside: 1 + max-spaces-inside-empty: 0 From cefff11b48b8b251ab38048ba6ffebfd7cdfe029 Mon Sep 17 00:00:00 2001 
From: Techassi
Date: Mon, 24 Nov 2025 17:21:31 +0100
Subject: [PATCH 02/10] ci: Use correct password

---
 .github/workflows/build.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1c34c0a7..d8c831ce 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -149,7 +149,7 @@ jobs:
 with:
 image-registry-uri: oci.stackable.tech
 image-registry-username: robot$sdp+github-action-build
- image-registry-password: ${{ secrets.harbor-robot-secret }}
+ image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
 image-repository: sdp/${{ env.OPERATOR_NAME }}
 image-manifest-tag: ${{ steps.build.outputs.image-manifest-tag }}
 source-image-uri: ${{ steps.build.outputs.image-manifest-uri }}
@@ -167,7 +167,7 @@ jobs:
 with:
 image-registry-uri: oci.stackable.tech
 image-registry-username: robot$sdp+github-action-build
- image-registry-password: ${{ secrets.harbor-robot-secret }}
+ image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
 image-repository: sdp/${{ env.OPERATOR_NAME }}
 image-index-manifest-tag: ${{ needs.build-image.outputs.operator-version }}

From f02424f734866c5c04e60856a48eee0cf9a10d93 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Mon, 24 Nov 2025 17:35:05 +0100
Subject: [PATCH 03/10] ci: Comment out cargo-udeps, use released action

---
 .github/workflows/build.yaml | 80 ++++++++++++++++++------------------
 1 file changed, 40 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d8c831ce..9931d62a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
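Review bot: The corrected secret reference still resolves to an empty string on `pull_request` runs from forks, because this workflow is triggered by `pull_request` and the `if: ${{ !github.event.pull_request.head.repo.fork }}` guard the deleted `build.yml` placed on its publish steps was not carried over, so the publish-image and publish-index-manifest steps will attempt a Harbor login as `robot$sdp+github-action-build` with a blank password. Add that guard to both publish steps (and to the chart publish), e.g. `if: ${{ !github.event.pull_request.head.repo.fork }}`, which also evaluates true on push/schedule events where `github.event.pull_request` is null. As set up in the previous patch, the two steps receiving this secret appear to pin different revisions of `stackabletech/actions` (one marked TODO, one a release); aligning them to a single released revision keeps the code that handles the robot credential to one auditable version.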
@@ -41,45 +41,45 @@ env: CARGO_TERM_COLOR: always jobs: - cargo-udeps: - name: Run cargo-udeps - runs-on: ubuntu-latest - env: - RUSTC_BOOTSTRAP: 1 - steps: - - name: Install host dependencies - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3 - with: - packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https - version: ubuntu-latest - - - name: Checkout Repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - submodules: recursive - - - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} toolchain - uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - - - name: Setup Rust Cache - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 - with: - cache-all-crates: "true" - key: udeps - - - name: Install cargo-udeps - uses: stackabletech/cargo-install-action@8f7dbbcd2ebe22717efc132d0dd61e80841994b9 # cargo-udeps - - - name: Run cargo-udeps - run: cargo udeps --workspace --all-targets + # cargo-udeps: + # name: Run cargo-udeps + # runs-on: ubuntu-latest + # env: + # RUSTC_BOOTSTRAP: 1 + # steps: + # - name: Install host dependencies + # uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3 + # with: + # packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https + # version: ubuntu-latest + + # - name: Checkout Repository + # uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + # with: + # persist-credentials: false + # submodules: recursive + + # - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} toolchain + # uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b + # with: + # toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + + # - name: Setup Rust Cache + # uses: 
Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 + # with: + # cache-all-crates: "true" + # key: udeps + + # - name: Install cargo-udeps + # uses: stackabletech/cargo-install-action@8f7dbbcd2ebe22717efc132d0dd61e80841994b9 # cargo-udeps + + # - name: Run cargo-udeps + # run: cargo udeps --workspace --all-targets build-image: name: Build/Publish ${{ matrix.runner.arch }} Image - needs: - - cargo-udeps + # needs: + # - cargo-udeps permissions: id-token: write strategy: @@ -137,7 +137,7 @@ jobs: - name: Build Container Image id: build - uses: stackabletech/actions/build-container-image@7ffd8c8c5c0378ebeae80f95e2680510d3d1be4c # TODO: Use released image + uses: stackabletech/actions/build-container-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # 0.10.4 with: image-name: ${{ env.OPERATOR_NAME }} image-index-manifest-tag: ${{ steps.version.outputs.OPERATOR_VERSION }} @@ -145,7 +145,7 @@ jobs: container-file: docker/Dockerfile - name: Publish Container Image - uses: stackabletech/actions/publish-image@7ffd8c8c5c0378ebeae80f95e2680510d3d1be4c # TODO: Use released image + uses: stackabletech/actions/publish-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # 0.10.4 with: image-registry-uri: oci.stackable.tech image-registry-username: robot$sdp+github-action-build @@ -184,7 +184,7 @@ jobs: submodules: recursive - name: Package, Publish, and Sign Helm Chart - uses: stackabletech/actions/publish-helm-chart@923b9de2c77d2a736035e744c22ab6e5937b4c18 # TODO: Use released version + uses: stackabletech/actions/publish-helm-chart@976e8c293cb59f391dbf8563ab28e965e79ca36d # 0.10.4 with: chart-registry-uri: oci.stackable.tech chart-registry-username: robot$sdp+github-action-build 
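Review bot: Commenting out the `cargo-udeps` job together with the `needs: - cargo-udeps` edge leaves `build-image` with no upstream job at all, so images and charts are now built and pushed to the registry with nothing gating them — the deleted `build.yml` required `tests_passed` (cargo-deny advisories/bans/licenses/sources, clippy, tests, chart and README checks) before `package_and_publish`, and none of that has a replacement in the new file. If udeps is being dropped on purpose, delete the ~40 commented lines rather than keeping dead YAML in a file whose header says it is generated and must not be edited by hand, and give `build-image` a `needs:` on a job that actually gates publishing (for example a `cargo-deny` job running `check advisories bans licenses sources`, or a `tests_passed` aggregator as before). At minimum, add a comment above `build-image` recording why it currently has no gate and linking the tracking issue, e.g. `# NOTE: no pre-publish checks yet; cargo-udeps disabled, see tracking issue`.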
@@ -208,7 +208,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Run OpenShift Preflight Check
- uses: stackabletech/actions/run-openshift-preflight@50f31550a09fc10b16892a85edfb75b6f2e448d6 # TODO: Use released version
+ uses: stackabletech/actions/run-openshift-preflight@976e8c293cb59f391dbf8563ab28e965e79ca36d # 0.10.4
 with:
 image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-image.outputs.operator-version }}
 image-architecture: ${{ matrix.arch }}
From f492d2ce335989a475bc743a33105296ca0b4ab0 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Wed, 26 Nov 2025 12:04:10 +0100
Subject: [PATCH 04/10] ci: Use updated actions, add notify job
---
.github/workflows/build.yaml | 58 +++++++++++++++++++++++++-----------
1 file changed, 41 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 9931d62a..9cbc9a7c 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -76,7 +76,7 @@ jobs:
 # - name: Run cargo-udeps
 # run: cargo udeps --workspace --all-targets
 
- build-image:
+ build-container-image:
 name: Build/Publish ${{ matrix.runner.arch }} Image
 # needs:
 # - cargo-udeps
@@ -137,7 +137,7 @@ jobs:
 
 - name: Build Container Image
 id: build
- uses: stackabletech/actions/build-container-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # 0.10.4
+ uses: stackabletech/actions/build-container-image@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
 with:
 image-name: ${{ env.OPERATOR_NAME }}
 image-index-manifest-tag: ${{ steps.version.outputs.OPERATOR_VERSION }}
@@ -145,7 +145,7 @@ jobs:
 container-file: docker/Dockerfile
 
 - name: Publish Container Image
- uses: stackabletech/actions/publish-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # 0.10.4
+ uses: stackabletech/actions/publish-image@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
 with:
 image-registry-uri: oci.stackable.tech
 image-registry-username: robot$sdp+github-action-build
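Review bot: The pins at `uses: stackabletech/actions/build-container-image@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action` and the matching `publish-image@29bea1b…` line move these steps from the tagged `0.10.4` release back to an unreleased commit, and the same TODO is repeated in this patch's publish-index-manifest, publish-helm-chart, openshift-preflight-check and notify hunks. A full-SHA pin is still immutable, so the supply-chain exposure does not change, but a bare TODO leaves the next maintainer nothing to act on when deciding whether the pin can be bumped. Have each comment say what the pin is waiting for, e.g. `# TODO: Use released action (pre-release of stackabletech/actions, tracked in <placeholder: issue or PR link>)`, or name the release it is expected to land in, so the six occurrences can be updated together.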
@@ -155,26 +155,26 @@ jobs:
 source-image-uri: ${{ steps.build.outputs.image-manifest-uri }}
 
 publish-index-manifest:
- name: Publish/Sign ${{ needs.build-image.outputs.operator-version }} Index
+ name: Publish/Sign ${{ needs.build-container-image.outputs.operator-version }} Index
 needs:
- - build-image
+ - build-container-image
 permissions:
 id-token: write
 runs-on: ubuntu-latest
 steps:
 - name: Publish and Sign Image Index
- uses: stackabletech/actions/publish-index-manifest@497f3e3cbfe9b89b1e570351b97d050eebcad5d0 # 0.8.3
+ uses: stackabletech/actions/publish-index-manifest@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
 with:
 image-registry-uri: oci.stackable.tech
 image-registry-username: robot$sdp+github-action-build
 image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
 image-repository: sdp/${{ env.OPERATOR_NAME }}
- image-index-manifest-tag: ${{ needs.build-image.outputs.operator-version }}
+ image-index-manifest-tag: ${{ needs.build-container-image.outputs.operator-version }}
 
- package-chart:
- name: Package/Publish ${{ needs.build-image.outputs.operator-version }} Helm Chart
+ publish-helm-chart:
+ name: Package/Publish ${{ needs.build-container-image.outputs.operator-version }} Helm Chart
 needs:
- - build-image
+ - build-container-image
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
@@ -184,20 +184,20 @@ jobs:
 submodules: recursive
 
 - name: Package, Publish, and Sign Helm Chart
- uses: stackabletech/actions/publish-helm-chart@976e8c293cb59f391dbf8563ab28e965e79ca36d # 0.10.4
+ uses: stackabletech/actions/publish-helm-chart@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
 with:
 chart-registry-uri: oci.stackable.tech
 chart-registry-username: robot$sdp+github-action-build
 chart-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
 chart-repository: sdp-charts/${{ env.OPERATOR_NAME }}
 chart-directory: deploy/helm/${{ env.OPERATOR_NAME }}
- chart-version: ${{ needs.build-image.outputs.operator-version }}
- app-version: ${{ needs.build-image.outputs.operator-version }}
+ chart-version: ${{ needs.build-container-image.outputs.operator-version }}
+ app-version: ${{ needs.build-container-image.outputs.operator-version }}
 
 openshift-preflight-check:
- name: Run OpenShift Preflight Check for ${{ needs.build-image.outputs.operator-version }}-${{ matrix.arch }}
+ name: Run OpenShift Preflight Check for ${{ needs.build-container-image.outputs.operator-version }}-${{ matrix.arch }}
 needs:
- - build-image
+ - build-container-image
 - publish-index-manifest
 strategy:
 fail-fast: false
@@ -208,7 +208,31 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Run OpenShift Preflight Check
- uses: stackabletech/actions/run-openshift-preflight@976e8c293cb59f391dbf8563ab28e965e79ca36d # 0.10.4
+ uses: stackabletech/actions/run-openshift-preflight@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
 with:
- image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-image.outputs.operator-version }}
+ image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }}
 image-architecture: ${{ matrix.arch }}
+
+ notify:
+ name: Failure Notification
+ needs:
+ - build-container-image
+ - publish-index-manifest
+ - publish-helm-chart
+ runs-on: ubuntu-latest
+ if: failure() || github.run_attempt > 1
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Send Notification
+ uses: stackabletech/actions/send-slack-notification@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
+ with:
+ publish-helm-chart-result: ${{ needs.publish-helm-chart.result }}
+ publish-manifests-result: ${{ needs.publish-index-manifest.result }}
+ build-result: ${{ needs.build-container-image.result }}
+ slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+ channel-id: C07UG6JH44F # notifications-container-images
+ type: container-image-build
From 162eae9b8d4f55ebdfe50205ad61f89d74532b78 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Wed, 26 Nov 2025 12:04:51 +0100
Subject: [PATCH 05/10] chore: Add comment about release arg
---
docker/Dockerfile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 1c1e0ca2..ecb09c94 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
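Review bot: The new notify job lists only build-container-image, publish-index-manifest and publish-helm-chart under `needs:`, so `failure()` never sees openshift-preflight-check and a failed preflight run produces no Slack message, nor is its result handed to the send-slack-notification step alongside the three results that are. If that is deliberate, a comment on the list makes it visible, e.g. `needs: # preflight results are intentionally not reported here`; otherwise add `- openshift-preflight-check` to `needs` and, if the action accepts such an input, forward `needs.openshift-preflight-check.result` as well. The job also sets no job-level `permissions`, so its token is whatever the workflow default grants; with `persist-credentials: false` on the checkout that is the right shape for a job that only reads the tree and posts to Slack.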
@@ -21,6 +21,8 @@ FROM oci.stackable.tech/sdp/ubi9-rust-builder:latest AS builder
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS operator
 ARG VERSION
+# NOTE (@Techassi): This is required for OpenShift/Red Hat certification
+# Keeping this as "1" seems to be fine since a couple of years /shrug
 ARG RELEASE="1"
 # These are chosen at random and are this high on purpose to have very little chance to clash with an existing user or group on the host system
From c8c4b980d62d6d141423aa5c3fc5e7db7388fe88 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Wed, 26 Nov 2025 12:18:09 +0100
Subject: [PATCH 06/10] ci: Checkout repo when publishing index manifest
---
.github/workflows/build.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 9cbc9a7c..cd7d841b 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -162,6 +162,11 @@ jobs:
 id-token: write
 runs-on: ubuntu-latest
 steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
 - name: Publish and Sign Image Index
 uses: stackabletech/actions/publish-index-manifest@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
 with:
From 85d7766cf1bae367c38b9388b4e042b7d2c26caf Mon Sep 17 00:00:00 2001
From: Techassi
Date: Wed, 26 Nov 2025 12:18:39 +0100
Subject: [PATCH 07/10] ci: Use correct chart repository
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index cd7d841b..8337fbec 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -194,7 +194,7 @@ jobs:
 chart-registry-uri: oci.stackable.tech
 chart-registry-username: robot$sdp+github-action-build
 chart-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
- chart-repository: sdp-charts/${{ env.OPERATOR_NAME }}
+ chart-repository: sdp-charts
 chart-directory: deploy/helm/${{ env.OPERATOR_NAME }}
 chart-version: ${{ needs.build-container-image.outputs.operator-version }}
 app-version: ${{ needs.build-container-image.outputs.operator-version }}
From e1f8efb99ebec91e9a63d917a894a1ee74eddb68 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Wed, 26 Nov 2025 12:27:06 +0100
Subject: [PATCH 08/10] ci: Use correct action name
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8337fbec..8cad3ca5 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -168,7 +168,7 @@ jobs:
 persist-credentials: false
 
 - name: Publish and Sign Image Index
- uses: stackabletech/actions/publish-index-manifest@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
+ uses: stackabletech/actions/publish-image-index-manifest@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
 with:
 image-registry-uri: oci.stackable.tech
 image-registry-username: robot$sdp+github-action-build
From 521de4e49a6d1675e16e6a4b64b71f01b0a1fdea Mon Sep 17 00:00:00 2001
From: Techassi
Date: Wed, 26 Nov 2025 12:37:22 +0100
Subject: [PATCH 09/10] ci: Use correct robot user
---
.github/workflows/build.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8cad3ca5..12355859 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -192,8 +192,8 @@ jobs:
 uses: stackabletech/actions/publish-helm-chart@29bea1b451c0c2e994bd495969286f95bf49ed6a # TODO: Use released action
 with:
 chart-registry-uri: oci.stackable.tech
- chart-registry-username: robot$sdp+github-action-build
- chart-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+ chart-registry-username: robot$sdp-charts+github-action-build
+ chart-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
 chart-repository: sdp-charts
 chart-directory: deploy/helm/${{ env.OPERATOR_NAME }}
 chart-version: ${{ needs.build-container-image.outputs.operator-version }}
From 543964545368e894394e67f2b373b7edef9bc15f Mon Sep 17 00:00:00 2001
From: Techassi
Date: Wed, 26 Nov 2025 13:15:27 +0100
Subject: [PATCH 10/10] ci: Provide id-token permission
---
.github/workflows/build.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 12355859..f217ff4f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -180,6 +180,8 @@ jobs:
 name: Package/Publish ${{ needs.build-container-image.outputs.operator-version }} Helm Chart
 needs:
 - build-container-image
+ permissions:
+ id-token: write
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
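Review bot: The new `permissions:` block on publish-helm-chart replaces the workflow-level defaults for this job rather than adding to them, so its GITHUB_TOKEN now carries `id-token: write` and no other scope; that mirrors the publish-index-manifest job and is the least-privilege shape, but nothing on the line says what consumes the OIDC token. A why-comment keeps the next reader from "fixing" it, e.g. `permissions:` / `# OIDC token for the chart signing step below` / `id-token: write` — the "Package, Publish, and Sign Helm Chart" step is the likely consumer, though that is not visible in this hunk. Should the repository ever become private, actions/checkout would additionally need `contents: read` under this block, since the job no longer inherits it. The job's steps continue outside the hunk.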