From 508ce95809addea6d087299e789be8677381f3be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20K=C3=A4stner?= Date: Wed, 4 Feb 2026 17:21:43 +0100 Subject: [PATCH 1/6] Add GitHub Actions workflow for Kustomize validation Introduce a CI workflow that validates all kustomization.yaml files in the config directory on pull requests to main. This ensures Kustomize configurations remain valid and buildable. --- .github/workflows/kustomize-validation.yml | 25 ++++++++++++++++++++++ hack/validate-kustomize.sh | 18 ++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 .github/workflows/kustomize-validation.yml create mode 100755 hack/validate-kustomize.sh diff --git a/.github/workflows/kustomize-validation.yml b/.github/workflows/kustomize-validation.yml new file mode 100644 index 00000000..4b0e38d7 --- /dev/null +++ b/.github/workflows/kustomize-validation.yml @@ -0,0 +1,25 @@ +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-License-Identifier: Apache-2.0 + +name: Kustomize + +on: + pull_request: + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + +jobs: + kustomize-validation: + name: Validate + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - name: Install Kustomize + run: | + make install-kustomize + - name: Validate Kustomize + run: | + ./hack/validate-kustomize.sh diff --git a/hack/validate-kustomize.sh b/hack/validate-kustomize.sh new file mode 100755 index 00000000..1c62af45 --- /dev/null +++ b/hack/validate-kustomize.sh 
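Review bot: The new workflow declares no `permissions:` block, so its jobs run with the repository's default GITHUB_TOKEN permissions (which may be read/write depending on repository settings) although nothing here needs more than a checkout; add a workflow-level `permissions:` with the single entry `contents: read`. The same omission recurs in lint.yml, reuse.yml and check-codegen.yml later in this series, and test-chart.yml and test-e2e.yml lose the `permissions: contents: read` they previously had, while size-label, publish-image, publish-chart, stale and test.yaml do declare one. Whether `make install-kustomize` puts the binary on PATH for the following `./hack/validate-kustomize.sh` step, which calls a bare `kustomize`, cannot be checked from this series; verify on a first run.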
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash +# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-License-Identifier: Apache-2.0 + +set -euo pipefail + +BASEDIR=$(cd -- "$(dirname -- "$0")" && pwd) + +for kustomization in $(find "$BASEDIR/../config" -name "kustomization.yaml"); do + dir=$(dirname "$kustomization") + name=${dir#"$BASEDIR/../"} + if kustomize build "$dir" >/dev/null 2>&1; then + echo "OK: $name" + else + echo "FAILED: $name" + exit 1 + fi +done From 8785ec181e19243298e685ec7904fd2fb9c13ff0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20K=C3=A4stner?= Date: Wed, 4 Feb 2026 17:26:40 +0100 Subject: [PATCH 2/6] Improve container image workflow with caching Enhance the github action workflow with Go build caching, PR triggers for validation builds, and tag-based releases. Images are only pushed on main branch commits and version tags, while PRs only build without pushing. The introduced caching uses the experimental GitHub Actions Cache Exporter Backend to fetch and upload cache blocks for the container image build. Additionally, buildkit cache mounts are being preserved between builds by injecting a temporary container with the cache mount data in the Docker build steps. The procedure is outlined in the Docker Documentation[^1]. [^1]: https://docs.docker.com/build/ci/github-actions/cache/#github-cache. --- .github/workflows/publish-image.yaml | 89 ++++++++++++++++++++++++++++ Makefile.maker.yaml | 8 +-- 2 files changed, 90 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/publish-image.yaml diff --git a/.github/workflows/publish-image.yaml b/.github/workflows/publish-image.yaml new file mode 100644 index 00000000..998c59a4 --- /dev/null +++ b/.github/workflows/publish-image.yaml 
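Review bot: The loop `for kustomization in $(find ...)` relies on word splitting, so any path containing whitespace is split into several bogus entries, and `kustomize build ... >/dev/null 2>&1` discards the very error message a contributor needs when a line reads `FAILED: <name>`. Iterating over NUL-separated `find -print0` output through process substitution keeps `exit 1` in the main shell (a `find | while` pipe would only leave the subshell), and capturing stderr lets the failure reason be printed. The rewritten loop body follows; the header and `BASEDIR` line are unchanged.
```shell
# … unchanged: shebang, license header, set -euo pipefail, BASEDIR …
while IFS= read -r -d '' kustomization; do
  dir=$(dirname "$kustomization")
  name=${dir#"$BASEDIR/../"}
  # keep stderr (the build error), drop the rendered manifests on stdout
  if output=$(kustomize build "$dir" 2>&1 >/dev/null); then
    echo "OK: $name"
  else
    echo "FAILED: $name"
    echo "$output"
    exit 1
  fi
done < <(find "$BASEDIR/../config" -name "kustomization.yaml" -print0)
```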
@@ -0,0 +1,89 @@ +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-License-Identifier: Apache-2.0 + +name: Container Image + +on: + push: + tags: + - 'v*' + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + pull_request: + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + +permissions: + contents: read + packages: write + +jobs: + build-and-push-image: + name: Build and Push Docker Image + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + tags: | + # https://github.com/docker/metadata-action#typeedge + type=edge + # https://github.com/docker/metadata-action#latest-tag + type=raw,value=latest,enable={{is_default_branch}} + # https://github.com/docker/metadata-action#typesemver + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + # https://github.com/docker/metadata-action#typeref + type=ref,event=branch + type=ref,event=pr + # https://github.com/docker/metadata-action#typesha + type=sha,format=long + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + id: setup-buildx + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Go Cache for Docker + uses: actions/cache@v4 + id: cache + with: + path: | + go-pkg-mod + go-build-cache + key: cache-mount-${{ hashFiles('go.sum') }} + - name: Restore Docker Cache Mounts + uses: reproducible-containers/buildkit-cache-dance@v3.3.2 + with: + cache-map: | + { + "go-pkg-mod": "/go/pkg/mod", + "go-build-cache": "/root/.cache/go-build" + } + skip-extraction: ${{ steps.cache.outputs.cache-hit }} + builder: ${{ 
steps.setup-buildx.outputs.name }} + - name: Build and push + uses: docker/build-push-action@v6 + with: + context: . + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-to: type=gha,mode=max + cache-from: type=gha diff --git a/Makefile.maker.yaml b/Makefile.maker.yaml index 5b32c085..b8a70c5b 100644 --- a/Makefile.maker.yaml +++ b/Makefile.maker.yaml @@ -65,13 +65,7 @@ githubWorkflow: securityChecks: enabled: true pushContainerToGhcr: - enabled: true - platforms: "linux/amd64,linux/arm64" - tagStrategy: - - edge - - latest - - semver - - sha + enabled: false variables: GO_BUILDENV: 'CGO_ENABLED=0' From 9de882519b27af05f23ce75e8b9ed1e8998e30f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20K=C3=A4stner?= Date: Wed, 4 Feb 2026 17:35:20 +0100 Subject: [PATCH 3/6] Add GitHub Actions workflow to label PRs by size Introduce a workflow that automatically labels pull requests with size indicators (XS, S, M, L, XL) based on lines changed. This helps reviewers quickly assess PR scope and prioritize reviews. --- .github/workflows/size-label.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/size-label.yml diff --git a/.github/workflows/size-label.yml b/.github/workflows/size-label.yml new file mode 100644 index 00000000..433b492c --- /dev/null +++ b/.github/workflows/size-label.yml @@ -0,0 +1,25 @@ +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-License-Identifier: Apache-2.0 +# +name: Size Label + +on: + pull_request_target: + types: + - opened + - edited + - synchronize + +permissions: + contents: read + pull-requests: write + +jobs: + size-label: + name: Label PR with size + runs-on: ubuntu-latest + steps: + - name: size-label + uses: pascalgn/size-label-action@v0.5.5 + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 
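Review bot: The `Login to GitHub Container Registry` step runs on `pull_request` events as well, although `push:` evaluates to false for them, so a PR build authenticates against a registry it never writes to; guard the step with `if: github.event_name != 'pull_request'`. The workflow-level `packages: write` is likewise handed to PR runs (GitHub reduces it to read-only for fork PRs, but not for same-repository branches), which is the scope a later split into a build job and a push job would avoid. `reproducible-containers/buildkit-cache-dance@v3.3.2` is a third-party action pinned by tag; pinning it to the full commit SHA of that release makes the supply chain immutable, since a moved tag would otherwise run different code with a packages-write token.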
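Review bot: The `pascalgn/size-label-action@v0.5.5` step runs under `pull_request_target` with a `pull-requests: write` token, so a moved or compromised `v0.5.5` tag would execute foreign code with write access to this repository's pull requests; pin third-party actions used under this trigger to a full commit SHA, e.g. `uses: pascalgn/size-label-action@<commit-sha-of-v0.5.5>`. The job correctly performs no checkout of the pull-request head, which is what makes `pull_request_target` safe here; a comment such as `# pull_request_target: never check out or execute PR code in this job` above the trigger would protect that property from later edits. The `#` line between the license header and `name:` is an empty comment where the other workflows in this series use a blank line.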
From de99dcf9be95aaa88caaff8265b4e6db69368391 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20K=C3=A4stner?= Date: Wed, 4 Feb 2026 17:37:31 +0100 Subject: [PATCH 4/6] Add GitHub Actions workflow to publish Helm chart Introduce a workflow that packages and pushes the Helm chart to ghcr.io as an OCI artifact. Release tags use semantic versioning while branch builds use commit-based versions. PRs only validate the chart package. --- .github/workflows/publish-chart.yml | 60 +++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .github/workflows/publish-chart.yml diff --git a/.github/workflows/publish-chart.yml b/.github/workflows/publish-chart.yml new file mode 100644 index 00000000..cc9c6ee3 --- /dev/null +++ b/.github/workflows/publish-chart.yml 
@@ -0,0 +1,60 @@ +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-License-Identifier: Apache-2.0 + +name: Helm Chart + +on: + push: + tags: + - 'v*' + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + pull_request: + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + +permissions: + contents: read + packages: write + +jobs: + build-and-push-chart: + name: Build and Push Helm Chart + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - name: Set up Helm + uses: azure/setup-helm@v4 + with: + version: v4.1.0 + - name: Determine Chart Version + id: chart_version + run: | + if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + # Use tag version (strip 'v' prefix) + CHART_VERSION="${GITHUB_REF#refs/tags/v}" + else + # Use short commit hash + CHART_VERSION="0.0.0-$(git rev-parse --short HEAD)" + fi + echo "version=$CHART_VERSION" >> $GITHUB_OUTPUT + - name: Build Helm Dependencies + run: | + helm dependency build charts/network-operator + - name: Package Helm Chart + run: | + helm package charts/network-operator --version ${{ steps.chart_version.outputs.version }} + - name: Login to GitHub Container Registry + if: github.event_name != 'pull_request' + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin + - name: Push Helm Chart to ghcr.io + if: github.event_name != 'pull_request' + run: | + helm push network-operator-${{ steps.chart_version.outputs.version }}.tgz oci://ghcr.io/${{ github.repository_owner }}/charts From 813b06356a6144fbf50ab077ba8481c58eab8624 Mon Sep 17 00:00:00 2001 
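Review bot: The `Determine Chart Version` script interpolates `${{ github.event_name }}` and `${{ github.ref }}` into the bash conditional while the next line already reads `$GITHUB_REF` from the environment; use the environment consistently, `if [[ "$GITHUB_EVENT_NAME" == "push" && "$GITHUB_REF" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then`, so no context value is spliced into script text, and quote the redirect as `>> "$GITHUB_OUTPUT"`. For the registry login, pass the token through the step's `env:` (e.g. `HELM_REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and pipe `echo "$HELM_REGISTRY_TOKEN"` instead of expanding the secret into the `run:` body. The workflow-level `packages: write` is also granted to `pull_request` runs, which only package the chart; the push job guard is correct, but the permission could be narrowed if the push steps move to their own job.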
From: =?UTF-8?q?Felix=20K=C3=A4stner?= Date: Wed, 4 Feb 2026 17:41:02 +0100 Subject: [PATCH 5/6] Add GitHub Actions workflow to verify code generation Introduce a workflow that runs code generation targets and detects any uncommitted changes. This ensures generated code, docs, charts, and formatting are always up to date in pull requests. --- .github/workflows/check-codegen.yml | 38 +++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/check-codegen.yml diff --git a/.github/workflows/check-codegen.yml b/.github/workflows/check-codegen.yml new file mode 100644 index 00000000..b7a1b174 --- /dev/null +++ b/.github/workflows/check-codegen.yml @@ -0,0 +1,38 @@ +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-License-Identifier: Apache-2.0 + +name: Check Codegen + +on: + pull_request: + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + +jobs: + check-codegen: + name: Detect Drift + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version-file: 'go.mod' + - name: Run make generate + run: make generate + - name: Run make docs + run: make docs + - name: Run make charts + run: make charts + - name: Run fmt + run: make fmt + - name: Compare the expected and actual generated/* directories + run: | + if [ "$(git diff | wc -l)" -gt "0" ]; then + echo "Detected uncommitted changes after build. Consider running 'make generate && make docs && make charts && make fmt'." + echo "See status below:" + git diff + exit 1 + fi From b01f94909993754d16f85d73a9e7a2488deaf6d3 Mon Sep 17 00:00:00 2001 
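Review bot: `git diff | wc -l` in the drift check only sees modifications to tracked files, so a file that the generators newly create (a new manifest, doc page or chart template) is untracked and never detected; replace the test with `if [ -n "$(git status --porcelain)" ]; then` and print `git status --porcelain` before `git diff` so untracked paths show up in the log. The workflow declares no `permissions:` block, so it inherits the repository default token scope for a job that only needs `contents: read`.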
From: =?UTF-8?q?Felix=20K=C3=A4stner?= Date: Wed, 4 Feb 2026 17:48:13 +0100 Subject: [PATCH 6/6] Replace go-makefile-maker workflows with manually maintained ones Stop using go-makefile-maker for GitHub Actions workflow generation. With recent additions of custom workflows, maintaining consistency between auto-generated and manually written pipelines became impractical. The effort to update all workflows already requires reviewing each one, so auto-generation provides diminishing value. Additionally, some generated workflows like CodeQL are redundant (enabled at repo level) while others like test-chart required manual modifications anyway. Going forward, all workflows will be manually maintained for this project, providing full control over CI/CD configuration. --- .github/workflows/checks.yaml | 56 ------------- .github/workflows/ci.yaml | 79 ------------------ .github/workflows/lint.yml | 66 +++++++++++++++ .github/workflows/publish-docs.yml | 17 ++-- .../{publish-image.yaml => publish-image.yml} | 10 +++ .../{goreleaser.yaml => release.yml} | 29 +++---- .github/workflows/reuse.yaml | 22 ----- .github/workflows/reuse.yml | 27 +++++++ .github/workflows/{stale.yaml => stale.yml} | 14 ++-- .github/workflows/test-chart.yml | 81 +++++-------------- .github/workflows/test-e2e.yml | 48 ++++------- .github/workflows/test.yaml | 65 +++++++++++++++ Dockerfile | 6 +- Makefile.maker.yaml | 9 +-- 14 files changed, 239 insertions(+), 290 deletions(-) delete mode 100644 .github/workflows/checks.yaml delete mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/lint.yml rename .github/workflows/{publish-image.yaml => publish-image.yml} (83%) rename .github/workflows/{goreleaser.yaml => release.yml} (55%) delete mode 100644 .github/workflows/reuse.yaml create mode 100644 .github/workflows/reuse.yml rename .github/workflows/{stale.yaml => stale.yml} (85%) create mode 100644 .github/workflows/test.yaml 
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml deleted file mode 100644 index 2239b325..00000000 --- a/.github/workflows/checks.yaml +++ /dev/null @@ -1,56 +0,0 @@ -################################################################################ -# This file is AUTOGENERATED with # -# Edit Makefile.maker.yaml instead. # -################################################################################ - -# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company -# SPDX-License-Identifier: Apache-2.0 - -name: Checks -"on": - push: - branches: - - main - pull_request: - branches: - - '*' - workflow_dispatch: {} -permissions: - checks: write - contents: read -jobs: - checks: - name: Checks - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v6 - - name: Set up Go - uses: actions/setup-go@v6 - with: - check-latest: true - go-version: 1.26.1 - - name: Run prepare make target - run: make generate - - name: Run golangci-lint - uses: golangci/golangci-lint-action@v9 - with: - version: latest - - name: Delete pre-installed shellcheck - run: sudo rm -f $(which shellcheck) - - name: Run shellcheck - run: make run-shellcheck - - name: Dependency Licenses Review - run: make check-dependency-licenses - - name: Check for spelling errors - uses: crate-ci/typos@v1 - env: - CLICOLOR: "1" - - name: Delete typos binary - run: rm typos - - name: Check if source code files have license header - run: make check-addlicense - - name: Install govulncheck - run: go install golang.org/x/vuln/cmd/govulncheck@latest - - name: Run govulncheck - run: govulncheck -format text ./... diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml deleted file mode 100644 index 5d30ca3e..00000000 --- a/.github/workflows/ci.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -################################################################################ -# This file is AUTOGENERATED with # -# Edit Makefile.maker.yaml instead. # -################################################################################ - -# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company -# SPDX-License-Identifier: Apache-2.0 - -name: CI -"on": - push: - branches: - - main - paths-ignore: - - '**.md' - pull_request: - branches: - - '*' - paths-ignore: - - '**.md' - workflow_dispatch: {} -permissions: - contents: read -jobs: - build: - name: Build - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v6 - - name: Set up Go - uses: actions/setup-go@v6 - with: - check-latest: true - go-version: 1.26.1 - - name: Run prepare make target - run: make generate - - name: Build all binaries - run: make build-all - code_coverage: - name: Code coverage report - if: github.event_name == 'pull_request' && github.base_ref == 'main' - needs: - - test - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v6 - - name: Post coverage report - uses: fgrosse/go-coverage-report@v1.2.0 - with: - coverage-artifact-name: code-coverage - coverage-file-name: cover.out - permissions: - actions: read - contents: read - pull-requests: write - test: - name: Test - needs: - - build - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v6 - - name: Set up Go - uses: actions/setup-go@v6 - with: - check-latest: true - go-version: 1.26.1 - - name: Run prepare make target - run: make generate - - name: Run tests and generate coverage report - run: make build/cover.out - - name: Archive code coverage results - uses: actions/upload-artifact@v7 - with: - name: code-coverage - path: build/cover.out diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 00000000..fb164b73 --- /dev/null +++ b/.github/workflows/lint.yml 
@@ -0,0 +1,66 @@ +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-License-Identifier: Apache-2.0 + +name: Lint + +on: + pull_request: + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + +jobs: + lint: + name: Check Go Code + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version-file: 'go.mod' + - name: Run golangci-lint + uses: golangci/golangci-lint-action@v9 + with: + version: latest + vulnerabilities: + name: Check Vulnerabilities + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version: 'stable' + - name: Install govulncheck + run: go install golang.org/x/vuln/cmd/govulncheck@latest + - name: Run govulncheck + run: govulncheck -format text ./... + spelling: + name: Check Spelling Errors + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - name: Run typos + uses: crate-ci/typos@v1 + env: + CLICOLOR: "1" + shellcheck: + name: Check Shell Scripts + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - name: Run shellcheck + uses: reviewdog/action-shellcheck@v1 + license: + name: Check Licenses + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version-file: 'go.mod' + - name: Dependency Licenses Review + run: make check-dependency-licenses + - name: Check if source code files have license header + run: make check-addlicense diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml index 4d96c833..2cc6efe0 100644 --- a/.github/workflows/publish-docs.yml +++ b/.github/workflows/publish-docs.yml 
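Review bot: The file replaces checks.yaml but keeps only the `pull_request` trigger, dropping the `push: branches: [main]` and `workflow_dispatch` triggers the generated file had, so lint, govulncheck and license checks no longer run on the merged result on main (two individually clean PRs can still combine into a failing tree) and cannot be re-run by hand; test-chart.yml, test-e2e.yml and test.yaml in this commit make the same reduction. Adding `push:` with `branches: [main]` next to `pull_request:` restores post-merge coverage. The `vulnerabilities` job uses `go-version: 'stable'` while every other job uses `go-version-file: 'go.mod'`; if that is deliberate (scan with the newest toolchain), a comment such as `# govulncheck intentionally runs on the latest stable toolchain` would keep a reader from "fixing" it.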
@@ -5,20 +5,21 @@ name: Documentation on: push: - branches: [main] + branches: + - main pull_request: - types: [ assigned, opened, synchronize, reopened ] - workflow_dispatch: - -permissions: - contents: read - pages: write - id-token: write + branches: + - main concurrency: group: pages cancel-in-progress: false +permissions: + contents: read + id-token: write + pages: write + jobs: build: name: Build VitePress Site diff --git a/.github/workflows/publish-image.yaml b/.github/workflows/publish-image.yml similarity index 83% rename from .github/workflows/publish-image.yaml rename to .github/workflows/publish-image.yml index 998c59a4..1e522349 100644 --- a/.github/workflows/publish-image.yaml +++ b/.github/workflows/publish-image.yml @@ -48,6 +48,12 @@ jobs: type=ref,event=pr # https://github.com/docker/metadata-action#typesha type=sha,format=long + - name: Extract build-args for Docker + id: build_args + run: | + echo "version=$(git describe --tags --always --abbrev=7)" >> $GITHUB_OUTPUT + echo "commit=$(git rev-parse --verify HEAD)" >> $GITHUB_OUTPUT + echo "date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx @@ -81,6 +87,10 @@ jobs: uses: docker/build-push-action@v6 with: context: . + build-args: | + BININFO_VERSION=${{ steps.build_args.outputs.version }} + BININFO_COMMIT_HASH=${{ steps.build_args.outputs.commit }} + BININFO_BUILD_DATE=${{ steps.build_args.outputs.date }} platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/release.yml similarity index 55% rename from .github/workflows/goreleaser.yaml rename to .github/workflows/release.yml index 38c427d8..ec401882 100644 --- a/.github/workflows/goreleaser.yaml +++ b/.github/workflows/release.yml 
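Review bot: The hunk moves `pages: write` and `id-token: write` to the workflow level while adding a `pull_request` trigger, so PR runs that presumably only build the site receive the deploy permissions as well; scoping those two entries to the deploy job's own `permissions:` block and keeping only `contents: read` at the top limits the PR token. The `jobs:` section continues outside this hunk, so whether a deploy job is guarded on `github.event_name` cannot be seen here. Dropping `workflow_dispatch:` also removes the ability to republish the docs without a commit.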
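Review bot: `git describe --tags --always --abbrev=7` in the new `build_args` step runs on the default shallow checkout (`actions/checkout@v6` with no `fetch-depth`), so on main and PR builds no tags are present and `--always` yields only the short hash rather than `vX.Y.Z-N-gSHA`; if the descriptive form is wanted for edge images, give the checkout step, which lies outside these hunks, `fetch-depth: 0` or `fetch-tags: true`. The three redirects should quote the variable, `>> "$GITHUB_OUTPUT"`. The second hunk wires the outputs into `build-args:` correctly and needs no change.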
@@ -1,33 +1,26 @@ -################################################################################ -# This file is AUTOGENERATED with # -# Edit Makefile.maker.yaml instead. # -################################################################################ - -# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company # SPDX-License-Identifier: Apache-2.0 -name: goreleaser -"on": +name: Release + +on: push: tags: - - '*' + - 'v*' + permissions: contents: write packages: write + jobs: release: - name: goreleaser + name: Publish Release runs-on: ubuntu-latest steps: - - name: Check out code - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - name: Set up Go - uses: actions/setup-go@v6 + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 with: - check-latest: true - go-version: 1.26.1 + go-version-file: 'go.mod' - name: Run prepare make target run: make generate - name: Install syft diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml deleted file mode 100644 index affe89df..00000000 --- a/.github/workflows/reuse.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors -# SPDX-License-Identifier: Apache-2.0 - -name: REUSE Compliance -on: - push: - branches: - - main - pull_request: - branches: - - '*' - workflow_dispatch: {} -permissions: - contents: read -jobs: - test: - name: Check - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: REUSE Compliance Check - uses: fsfe/reuse-action@v6 diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml new file mode 100644 index 00000000..fdc013ac --- /dev/null +++ b/.github/workflows/reuse.yml 
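Review bot: The checkout step loses `fetch-depth: 0`, leaving a shallow clone; if the goreleaser step the original file ran below this hunk is still present, it needs the full history and all tags to find the previous tag and build the changelog, which is why GoReleaser's GitHub Actions guide recommends `fetch-depth: 0`. Restore `with:` / `fetch-depth: 0` on the `actions/checkout@v6` step unless the remaining steps, which are outside this hunk, no longer need history. Narrowing the trigger to `'v*'` tags and switching to `go-version-file: 'go.mod'` are fine.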
@@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-License-Identifier: Apache-2.0 + +name: REUSE + +on: + push: + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + pull_request: + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + +jobs: + compliance-check: + name: Compliance Check + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - name: Compliance Check + uses: fsfe/reuse-action@v5 diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yml similarity index 85% rename from .github/workflows/stale.yaml rename to .github/workflows/stale.yml index 79d72896..f07d1d7b 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yml @@ -1,17 +1,21 @@ -# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors # SPDX-License-Identifier: Apache-2.0 -name: Close inactive issues +name: Stale + on: schedule: - cron: "35 1 * * *" +permissions: + contents: read + issues: write + pull-requests: write + jobs: close-issues: + name: Close Inactive Issues and PRs runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write steps: - uses: actions/stale@v9 with: diff --git a/.github/workflows/test-chart.yml b/.github/workflows/test-chart.yml index 3ee1d13e..380bcb5c 100644 --- a/.github/workflows/test-chart.yml +++ b/.github/workflows/test-chart.yml 
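Review bot: The replacement pins `fsfe/reuse-action@v5` whereas the deleted reuse.yaml used `@v6`, so the rename silently downgrades the action by a major version; unless v5 is intended, change the line to `uses: fsfe/reuse-action@v6`. The deleted file also carried `permissions:` with `contents: read`, which the new one drops; re-adding it keeps the token read-only regardless of repository defaults. `paths-ignore` now skips `docs/**` and Markdown, so a documentation file added without a license header is not checked by this workflow; confirm that matches the project's REUSE configuration, which is not visible here.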
@@ -1,62 +1,43 @@ -# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors # SPDX-License-Identifier: Apache-2.0 -name: Test +name: Test Chart + on: - push: - branches: - - main - paths-ignore: - - '**.md' pull_request: branches: - - '*' + - main paths-ignore: - - '**.md' - workflow_dispatch: {} -permissions: - contents: read + - 'docs/**' + - '**/*.md' + jobs: test-chart: - name: Chart + name: Run Chart Tests runs-on: ubuntu-latest steps: - - name: Check out code - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v6 + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 with: - check-latest: true - go-version: 1.26.1 - - name: Fetch latest kubectl version - id: kubectl - run: | - KUBECTL_VERSION=$(curl -sL https://dl.k8s.io/release/stable.txt) - echo "version=$KUBECTL_VERSION" >> $GITHUB_OUTPUT - - name: Fetch latest kind version - id: kind + go-version-file: 'go.mod' + - name: Set up Helm + uses: azure/setup-helm@v4 + with: + version: latest + - name: Lint Helm Chart run: | - KIND_VERSION=$(curl -s https://api.github.com/repos/kubernetes-sigs/kind/releases/latest | grep '"tag_name":' | cut -d'"' -f4) - echo "version=$KIND_VERSION" >> $GITHUB_OUTPUT - - name: Create k8s kind cluster + helm lint ./charts/network-operator + - name: Create kind cluster uses: helm/kind-action@v1 with: - version: ${{ steps.kind.outputs.version }} + version: v0.31.0 + kubectl_version: v1.35.0 cluster_name: kind - kubectl_version: ${{ steps.kubectl.outputs.version }} - name: Prepare network-operator run: | - go mod tidy + go mod download make docker-build IMG=network-operator:v0.1.0 kind load docker-image network-operator:v0.1.0 - - name: Install Helm - run: | - curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash - - name: Verify Helm installation - run: helm version - - name: Lint Helm Chart - run: | - 
helm lint ./charts/network-operator - name: Install cert-manager via Helm run: | helm repo add jetstack https://charts.jetstack.io @@ -67,28 +48,10 @@ jobs: kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-cainjector kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-webhook -# TODO: Uncomment if Prometheus is enabled -# - name: Install Prometheus Operator CRDs -# run: | -# helm repo add prometheus-community https://prometheus-community.github.io/helm-charts -# helm repo update -# helm install prometheus-crds prometheus-community/prometheus-operator-crds -# - name: Install Prometheus via Helm -# run: | -# helm repo add prometheus-community https://prometheus-community.github.io/helm-charts -# helm repo update -# helm install prometheus prometheus-community/prometheus --namespace monitoring --create-namespace -# - name: Wait for Prometheus to be ready -# run: | -# kubectl wait --namespace monitoring --for=condition=available --timeout=300s deployment/prometheus-server - - name: Install Helm chart for project + - name: Install Helm Chart run: | helm dependency build ./charts/network-operator helm install network-operator ./charts/network-operator --create-namespace --namespace network-operator-system - name: Check Helm release status run: | helm status network-operator --namespace network-operator-system -# TODO: Uncomment if prometheus.enabled is set to true to confirm that the ServiceMonitor gets created -# - name: Check Presence of ServiceMonitor -# run: | -# kubectl wait --namespace network-operator-system --for=jsonpath='{.kind}'=ServiceMonitor servicemonitor/network-operator-controller-manager-metrics-monitor diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 9f4f7c2f..4dd9c267 100644 --- a/.github/workflows/test-e2e.yml 
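Review bot: `azure/setup-helm@v4` is given `version: latest`, which makes the chart test non-reproducible and lets it break without any change in this repository; publish-chart.yml in this series pins `version: v4.1.0`, and the kind and kubectl versions in this very hunk are now pinned, so pin Helm the same way with `version: v4.1.0`. The hunk also removes the `permissions: contents: read` block and the `push` to main and `workflow_dispatch` triggers, consistent with the other test workflows in this commit but worth a deliberate decision. The second hunk (cert-manager install and the commented-out Prometheus steps) only drops dead comments and needs no change.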
+++ b/.github/workflows/test-e2e.yml @@ -1,50 +1,32 @@ -# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors # SPDX-License-Identifier: Apache-2.0 -name: Test +name: Test E2E + on: - push: - branches: - - main - paths-ignore: - - '**.md' pull_request: branches: - - '*' + - main paths-ignore: - - '**.md' - workflow_dispatch: {} -permissions: - contents: read + - 'docs/**' + - '**/*.md' + jobs: test-e2e: - name: E2E + name: Run E2E Tests runs-on: ubuntu-latest steps: - - name: Check out code - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v6 + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 with: - check-latest: true - go-version: 1.26.1 - - name: Fetch latest kubectl version - id: kubectl - run: | - KUBECTL_VERSION=$(curl -sL https://dl.k8s.io/release/stable.txt) - echo "version=$KUBECTL_VERSION" >> $GITHUB_OUTPUT - - name: Fetch latest kind version - id: kind - run: | - KIND_VERSION=$(curl -s https://api.github.com/repos/kubernetes-sigs/kind/releases/latest | grep '"tag_name":' | cut -d'"' -f4) - echo "version=$KIND_VERSION" >> $GITHUB_OUTPUT - - name: Create k8s kind cluster + go-version-file: 'go.mod' + - name: Create kind cluster uses: helm/kind-action@v1 with: - version: ${{ steps.kind.outputs.version }} + version: v0.31.0 + kubectl_version: v1.35.0 cluster_name: network - kubectl_version: ${{ steps.kubectl.outputs.version }} - name: Running E2E Tests run: | - go mod tidy + go mod download make test-e2e diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 00000000..e344e454 --- /dev/null +++ b/.github/workflows/test.yaml 
@@ -0,0 +1,65 @@ +# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors +# SPDX-License-Identifier: Apache-2.0 + +name: Test and Code Coverage + +on: + pull_request: + branches: + - main + paths-ignore: + - 'docs/**' + - '**/*.md' + +permissions: + actions: read + contents: read + pull-requests: write + +jobs: + build: + name: Build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version-file: 'go.mod' + - name: Run prepare make target + run: make generate + - name: Build all binaries + run: make build-all + test: + name: Test + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version-file: 'go.mod' + - name: Run prepare make target + run: make generate + - name: Run tests and generate coverage report + run: make build/cover.out + - name: Archive code coverage results + uses: actions/upload-artifact@v6 + with: + name: code-coverage + path: build/cover.out + code-coverage: + name: Code Coverage Report + needs: test + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + permissions: + actions: read + contents: read + pull-requests: write + steps: + - uses: actions/checkout@v6 + - name: Post coverage report + uses: fgrosse/go-coverage-report@v1.2.0 + with: + coverage-artifact-name: code-coverage + coverage-file-name: cover.out diff --git a/Dockerfile b/Dockerfile index f6538da3..8619d433 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,8 +4,6 @@ FROM --platform=$BUILDPLATFORM golang:1.26-alpine3.22 AS builder -RUN apk add --no-cache --no-progress git make - ARG BININFO_BUILD_DATE ARG BININFO_COMMIT_HASH ARG BININFO_VERSION 
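Review bot: The workflow-level `permissions:` grants `pull-requests: write` and `actions: read` to every job, including `build` and `test`, which only need `contents: read`; since `code-coverage` already repeats the full set in its own job-level block, reduce the workflow-level block to `contents: read` and let the job-level one carry the write scope. `actions/upload-artifact@v6` is a step back from the `@v7` the deleted ci.yaml used; confirm the downgrade is intentional and that `fgrosse/go-coverage-report@v1.2.0` still retrieves the artifact it produces. The `if: github.event_name == 'pull_request'` on `code-coverage` is redundant given the workflow triggers only on `pull_request`, and the `github.base_ref == 'main'` condition from ci.yaml was dropped along the way.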
@@ -20,10 +18,10 @@ RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=bind,source=go.sum,target=go.sum \ go mod download -x -RUN --mount=type=bind,target=.,readwrite \ +RUN --mount=type=bind,target=. \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/root/.cache/go-build \ - GO_BUILDENV="GOOS=${TARGETOS} GOARCH=${TARGETARCH}" GOTOOLCHAIN=local make install + GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOTOOLCHAIN=local CGO_ENABLED=0 go build -ldflags "-s -w -X github.com/sapcc/go-api-declarations/bininfo.binName=network-operator -X github.com/sapcc/go-api-declarations/bininfo.version=${BININFO_VERSION} -X github.com/sapcc/go-api-declarations/bininfo.commit=${BININFO_COMMIT_HASH} -X github.com/sapcc/go-api-declarations/bininfo.buildDate=${BININFO_BUILD_DATE}" -o /usr/bin/network-operator ./cmd FROM gcr.io/distroless/static:nonroot diff --git a/Makefile.maker.yaml b/Makefile.maker.yaml index b8a70c5b..5261a7e2 100644 --- a/Makefile.maker.yaml +++ b/Makefile.maker.yaml @@ -53,15 +53,12 @@ testPackages: except: '/test' githubWorkflow: - global: - defaultBranch: main ci: - enabled: true - prepareMakeTarget: generate + enabled: false license: - enabled: true + enabled: false release: - enabled: true + enabled: false securityChecks: enabled: true pushContainerToGhcr:
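Review bot: The new `go build` invocation puts the full `-ldflags` string with four `-X` injections on a single very long line; splitting it across backslash continuations (one `-X` per line) keeps the Dockerfile readable and makes future additions diff cleanly. The switch from `make install` to a direct `go build` also hard-codes `CGO_ENABLED=0` here instead of taking it from `GO_BUILDENV` in Makefile.maker.yaml; a comment such as `# static binary for the distroless:nonroot runtime stage` above the RUN line would record why. Adding `-trimpath` next to `-s -w` keeps build-machine paths out of the binary, which helps reproducible builds; the split line is shown below.
```dockerfile
RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOTOOLCHAIN=local CGO_ENABLED=0 \
    go build -trimpath \
      -ldflags "-s -w \
        -X github.com/sapcc/go-api-declarations/bininfo.binName=network-operator \
        -X github.com/sapcc/go-api-declarations/bininfo.version=${BININFO_VERSION} \
        -X github.com/sapcc/go-api-declarations/bininfo.commit=${BININFO_COMMIT_HASH} \
        -X github.com/sapcc/go-api-declarations/bininfo.buildDate=${BININFO_BUILD_DATE}" \
      -o /usr/bin/network-operator ./cmd
```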