🤖 feat: ship generated install bundle and CI freshness checks

.github/workflows/ci.yaml

@@ -23,6 +23,7 @@ jobs:
       workflows: ${{ steps.merge_group_defaults.outputs.workflows || steps.filter.outputs.workflows }}
       publish: ${{ steps.merge_group_defaults.outputs.publish || steps.filter.outputs.publish }}
       terraform: ${{ steps.merge_group_defaults.outputs.terraform || steps.filter.outputs.terraform }}
+      installer: ${{ steps.merge_group_defaults.outputs.installer || steps.filter.outputs.installer }}
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
@@ -40,6 +41,7 @@ jobs:
             echo "workflows=true"
             echo "publish=false"
             echo "terraform=true"
+            echo "installer=true"
           } >> "$GITHUB_OUTPUT"
 
       - name: Detect changed paths
@@ -73,6 +75,15 @@ jobs:
             terraform:
               - 'terraform/**'
               - '.github/workflows/ci.yaml'
+            installer:
+              - 'api/**/*.go'
+              - 'config/crd/bases/**'
+              - 'config/rbac/**'
+              - 'config/default/**'
+              - 'deploy/deployment.yaml'
+              - 'hack/update-manifests.sh'
+              - 'Makefile'
+              - 'dist/install.yaml'
 
   lint:
     needs: changes
@@ -113,6 +124,34 @@ jobs:
       - name: Run govulncheck
         run: go tool govulncheck ./...
 
+  installer-manifest:
+    name: Verify installer manifest is up to date
+    needs: changes
+    if: github.event_name == 'merge_group' || ((needs.changes.outputs.go == 'true' || needs.changes.outputs.installer == 'true') && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]'))
+    runs-on: depot-ubuntu-24.04
+    timeout-minutes: 10
+    env:
+      GOFLAGS: -mod=vendor
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Verify installer manifests are up to date
+        run: |
+          make build-installer
+          git diff --exit-code -- \
+            dist/install.yaml \
+            config/crd/bases/kustomization.yaml \
+            config/rbac/kustomization.yaml
+
   scan-fs:
     name: Trivy filesystem scan
     needs: changes
@@ -455,14 +494,15 @@ jobs:
 
   publish-main:
     name: Publish GHCR :main
-    needs: [changes, test, lint, scan-fs, lint-actions, e2e-kind, image-scan, terraform]
+    needs: [changes, test, lint, installer-manifest, scan-fs, lint-actions, e2e-kind, image-scan, terraform]
     if: |
       always() &&
       github.event_name == 'push' &&
       github.ref == 'refs/heads/main' &&
       needs.changes.outputs.publish == 'true' &&
       (needs.test.result == 'success' || needs.test.result == 'skipped') &&
       (needs.lint.result == 'success' || needs.lint.result == 'skipped') &&
+      (needs.installer-manifest.result == 'success' || needs.installer-manifest.result == 'skipped') &&
       (needs.scan-fs.result == 'success' || needs.scan-fs.result == 'skipped') &&
       (needs.lint-actions.result == 'success' || needs.lint-actions.result == 'skipped') &&
       (needs.e2e-kind.result == 'success' || needs.e2e-kind.result == 'skipped') &&

Makefile

@@ -3,8 +3,10 @@ VENDOR_STAMP := vendor/modules.txt
 MODULE_FILES := go.mod $(wildcard go.sum)
 ENVTEST_K8S_VERSION ?= 1.35.x
 ENVTEST_ASSETS_DIR := $(shell pwd)/bin/envtest
+INSTALLER_MANIFEST := dist/install.yaml
+INSTALLER_RESOURCES := $(wildcard config/crd/bases/*.yaml) $(wildcard config/rbac/*.yaml)
 
-.PHONY: vendor test test-integration setup-envtest build lint vuln verify-vendor codegen manifests docs-reference docs-reference-check docs-serve docs-build docs-check update-coder-docs-skill kind-dev-up kind-dev-ctx kind-dev-load-image kind-dev-status kind-dev-k9s kind-dev-down
+.PHONY: vendor test test-integration setup-envtest build lint vuln verify-vendor codegen manifests build-installer docs-reference docs-reference-check docs-serve docs-build docs-check update-coder-docs-skill kind-dev-up kind-dev-ctx kind-dev-load-image kind-dev-status kind-dev-k9s kind-dev-down
 
 $(VENDOR_STAMP): $(MODULE_FILES)
 	go mod tidy
@@ -42,6 +44,12 @@ verify-vendor:
 manifests: $(VENDOR_STAMP)
 	bash ./hack/update-manifests.sh
 
+$(INSTALLER_MANIFEST): $(VENDOR_STAMP) config/default/kustomization.yaml config/default/namespace-coder-system.yaml config/default/namespace-coder.yaml deploy/deployment.yaml hack/update-manifests.sh $(INSTALLER_RESOURCES) manifests
+	@mkdir -p $(dir $@)
+	GOFLAGS=$(GOFLAGS) go tool kustomize build --load-restrictor=LoadRestrictionsNone config/default > $@
+
+build-installer: $(INSTALLER_MANIFEST)
+
 codegen: $(VENDOR_STAMP)
 	bash ./hack/update-codegen.sh
 

config/crd/bases/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - coder.com_codercontrolplanes.yaml
+  - coder.com_coderprovisioners.yaml
+  - coder.com_coderworkspaceproxies.yaml

config/default/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace-coder-system.yaml
+  - namespace-coder.yaml
+  - ../crd/bases
+  - ../rbac
+  - ../../deploy/deployment.yaml

config/default/namespace-coder-system.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coder-system

config/default/namespace-coder.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coder

config/rbac/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - auth-delegator-binding.yaml
+  - authentication-reader-binding.yaml
+  - clusterrolebinding.yaml
+  - role.yaml
+  - serviceaccount.yaml