Merge branch 'main' into renovate/lock-file-maintenance

Author: NickLarsenNZ

.gitattributes

@@ -6,3 +6,4 @@ Cargo.nix linguist-generated
 yarn.lock linguist-generated
 nix/** linguist-generated
 go.sum linguist-generated
+gomod2nix.toml linguist-generated

.github/actionlint.yaml

@@ -14,27 +14,39 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 18
           cache: yarn
       - run: yarn install --frozen-lockfile
       - run: yarn --cwd web run build
 
+  eslint:
+    name: Run web linting via ESLint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        with:
+          node-version: 18
+          cache: yarn
+      - run: yarn install --frozen-lockfile
+      - run: yarn --cwd web run lint
+
   prettier:
     name: Validate web formatting
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 18
           cache: yarn
       - run: yarn install --frozen-lockfile
       - run: yarn --cwd web run format --check
       - name: Git Diff showed uncommitted changes
         if: ${{ failure() }}
-        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
-            core.setFailed('web/ contains unformatted code, run `pnpm prettier . --write` and re-commit!')
+            core.setFailed('web/ contains unformatted code, run `yarn --cwd web run format --write` and re-commit!')

.github/workflows/pr_cockpit-web.yml

@@ -15,8 +15,8 @@ on:
       - "go.sum"
 
 env:
-  RUST_VERSION: 1.75.0
-  GO_VERSION: '^1.22.2'
+  RUST_VERSION: 1.85.0
+  GO_VERSION: '^1.22.5'
   CARGO_TERM_COLOR: always
   CARGO_INCREMENTAL: "0"
   CARGO_PROFILE_DEV_DEBUG: "0"
@@ -30,16 +30,11 @@ jobs:
     name: General Pull Request Checks
     uses: ./.github/workflows/pr_general.yml
 
-  reviewdog-checks:
-    name: Reviewdog Pull Request Checks
-    uses: ./.github/workflows/pr_reviewdog.yml
-
   check-charts:
     name: Helm Chart Check
     runs-on: ubuntu-latest
     needs:
       - general-checks
-      - reviewdog-checks
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -57,7 +52,7 @@ jobs:
           toolchain: ${{ env.RUST_VERSION }}
 
       - name: Setup Rust Cache
-        uses: Swatinem/rust-cache@359a70e43a0bb8a13953b04a90f76428b4959bb6 # v2.2.0
+        uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
         with:
           key: pr-stackable-cockpit-chart
 
@@ -69,16 +64,27 @@ jobs:
 
       - name: Helm Charts not up-to-date
         if: ${{ failure() }}
-        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             core.setFailed('Committed Helm charts were not up to date, please regenerate and re-commit!')
 
   publish:
-    name: Publish Docker Image
-    runs-on: ubuntu-latest
+    name: Publish ${{ matrix.runner.arch }} Image
+    permissions:
+      id-token: write
+    runs-on: ${{ matrix.runner.name }}
+    strategy:
+      matrix:
+        runner:
+          - {name: "ubuntu-latest", arch: "amd64"}
+          - {name: "ubicloud-standard-8-arm", arch: "arm64"}
     env:
       NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+      OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+      OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build"
+      OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
+      OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build"
     outputs:
       IMAGE_TAG: ${{ steps.printtag.outputs.IMAGE_TAG }}
     needs:
@@ -95,12 +101,18 @@ jobs:
         with:
           toolchain: ${{ env.RUST_VERSION }}
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ env.GO_VERSION }}
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+
       - name: Setup Rust Cache
-        uses: Swatinem/rust-cache@359a70e43a0bb8a13953b04a90f76428b4959bb6 # v2.2.0
+        uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
         with:
           key: pr-stackable-cockpit-chart
 
@@ -121,3 +133,40 @@ jobs:
         if: ${{ !github.event.pull_request.head.repo.fork }}
         name: Output Image Name and Tag
         run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> "$GITHUB_OUTPUT"
+
+  create_manifest_list:
+    name: Build and publish manifest list
+    needs:
+      - publish
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    env:
+      NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
+      OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+      OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build"
+      OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
+      OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build"
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          submodules: recursive
+      # This step checks if the current run was triggered by a push to a pr (or a pr being created).
+      # If this is the case it changes the version of this project in all Cargo.toml files to include the suffix
+      # "-pr<prnumber>" so that the published artifacts can be linked to this PR.
+      - uses: stackabletech/cargo-install-action@main
+        with:
+          crate: cargo-edit
+          bin: cargo-set-version
+      - name: Update version if PR
+        if: ${{ github.event_name == 'pull_request' }}
+        run: cargo set-version --offline --package stackable-cockpit 0.0.0-pr${{ github.event.pull_request.number }}
+      - name: Build manifest list
+        run: |
+          # Creating manifest list
+          make -e docker-manifest-list-build
+          # Pushing and signing manifest list
+          make -e docker-manifest-list-publish

.github/workflows/pr_cockpit.yml

@@ -11,7 +11,3 @@ jobs:
   general-checks:
     name: General Pull Request Checks
     uses: ./.github/workflows/pr_general.yml
-
-  reviewdog-checks:
-    name: Reviewdog Pull Request Checks
-    uses: ./.github/workflows/pr_reviewdog.yml

.github/workflows/pr_docs.yml

@@ -4,8 +4,8 @@ name: Pull Request General
 on: workflow_call
 
 env:
-  RUST_VERSION: 1.75.0
-  GO_VERSION: '^1.22.2'
+  RUST_VERSION: 1.85.0
+  GO_VERSION: '^1.22.5'
   CARGO_TERM_COLOR: always
   CARGO_INCREMENTAL: "0"
   CARGO_PROFILE_DEV_DEBUG: "0"
@@ -28,11 +28,11 @@ jobs:
         with:
           toolchain: ${{ env.RUST_VERSION }}
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 18
           cache: yarn
@@ -42,7 +42,7 @@ jobs:
         with:
           key: udeps
           cache-all-crates: "true"
-      - run: cargo install --locked cargo-udeps@0.1.39
+      - run: cargo install --locked cargo-udeps@0.1.55
       - run: cargo udeps --workspace
 
   run_cargodeny:
@@ -59,66 +59,10 @@ jobs:
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           submodules: recursive
-      - uses: EmbarkStudios/cargo-deny-action@a50c7d5f86370e02fae8472c398f15a36e517bb8 # v1.5.4
+      - uses: EmbarkStudios/cargo-deny-action@3f4a782664881cf5725d0ffd23969fcce89fd868 # v1.6.3
         with:
           command: check ${{ matrix.checks }}
 
-  run_rustfmt:
-    name: Run Rustfmt
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-        with:
-          submodules: recursive
-      - uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e # v1
-        with:
-          toolchain: ${{ env.RUST_VERSION }}
-          components: rustfmt
-      - run: cargo fmt --all -- --check
-
-  run_clippy:
-    name: Run Clippy
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-        with:
-          submodules: recursive
-
-      - uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e # v1
-        with:
-          toolchain: ${{ env.RUST_VERSION }}
-          components: clippy
-
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - uses: Swatinem/rust-cache@359a70e43a0bb8a13953b04a90f76428b4959bb6 # v2.2.0
-        with:
-          key: clippy
-
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
-        with:
-          node-version: 18
-          cache: yarn
-
-      - run: yarn install --frozen-lockfile
-      - name: Run clippy action to produce annotations
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        uses: giraffate/clippy-action@871cc4173f2594435c7ea6b0bce499cf6c2164a1
-        if: env.GITHUB_TOKEN != null
-        with:
-          clippy_flags: --all-targets -- -D warnings
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          reporter: "github-pr-check"
-
-      - name: Run clippy manually without annotations
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        if: env.GITHUB_TOKEN == null
-        run: cargo clippy --all-targets -- -D warnings
-
   run_rustdoc:
     name: Run RustDoc
     runs-on: ubuntu-latest
@@ -132,15 +76,15 @@ jobs:
           toolchain: ${{ env.RUST_VERSION }}
           components: rustfmt
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - uses: Swatinem/rust-cache@359a70e43a0bb8a13953b04a90f76428b4959bb6 # v2.2.0
+      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
         with:
           key: doc
 
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 18
           cache: yarn
@@ -159,15 +103,15 @@ jobs:
         with:
           toolchain: ${{ env.RUST_VERSION }}
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - uses: Swatinem/rust-cache@359a70e43a0bb8a13953b04a90f76428b4959bb6 # v2.2.0
+      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
         with:
           key: test
 
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 18
           cache: yarn
@@ -179,8 +123,6 @@ jobs:
     needs:
       - run_udeps
       - run_cargodeny
-      - run_clippy
-      - run_rustfmt
       - run_rustdoc
       - run_tests
     runs-on: ubuntu-latest

.github/workflows/pr_general.yml

@@ -0,0 +1,30 @@
+---
+name: pre-commit
+
+on:
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: always
+  RUST_TOOLCHAIN_VERSION: "nightly-2025-01-15"
+  HADOLINT_VERSION: "v1.17.6"
+  NIX_VERSION: "2.25.2"
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: 18
+          cache: yarn
+      - run: yarn install --frozen-lockfile
+      - uses: stackabletech/actions/run-pre-commit@5901c3b1455488820c4be367531e07c3c3e82538 # v0.4.0
+        with:
+          rust: ${{ env.RUST_TOOLCHAIN_VERSION }}
+          hadolint: ${{ env.HADOLINT_VERSION }}
+          nix: ${{ env.NIX_VERSION }}
+          nix-github-token: ${{ secrets.GITHUB_TOKEN }}