From 721bbd3dbd4fb0995bb2eb65e3061a35acc95cbf Mon Sep 17 00:00:00 2001 From: tmontfort Date: Wed, 5 Nov 2025 15:54:48 -0800 Subject: [PATCH 01/11] add check command --- deploy/cloud/operator/Makefile | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/deploy/cloud/operator/Makefile b/deploy/cloud/operator/Makefile index 57d832e60b..748a9e803d 100644 --- a/deploy/cloud/operator/Makefile +++ b/deploy/cloud/operator/Makefile @@ -44,6 +44,19 @@ help: ## Display this help. ##@ Development +.PHONY: check +check: generate manifests generate-api-docs + @echo "> Checking for uncommitted changes" + @if [ -n "$$(git status --porcelain)" ]; then \ + echo "ERROR: Git tree is dirty after running validation steps."; \ + echo "Please check the diff to identify the step that dirtied the tree."; \ + git --no-pager status; \ + git --no-pager diff; \ + exit 1; \ + fi + @echo "> Check complete" + + .PHONY: ensure-yq ensure-yq: @if ! command -v yq &> /dev/null; then \ From de1d51715558fa2dbdcaf0aebf2b3e13f3d3f32c Mon Sep 17 00:00:00 2001 From: tmontfort Date: Wed, 5 Nov 2025 15:58:02 -0800 Subject: [PATCH 02/11] add proper header to role.yaml --- deploy/cloud/operator/config/rbac/role.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/deploy/cloud/operator/config/rbac/role.yaml b/deploy/cloud/operator/config/rbac/role.yaml index b3436669f9..188af8b03b 100644 --- a/deploy/cloud/operator/config/rbac/role.yaml +++ b/deploy/cloud/operator/config/rbac/role.yaml 
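Review bot: In PATCH 01's `check` recipe, `git status --porcelain` runs with no pathspec and no baseline, so a change that was already in the working tree, or one anywhere else in the repository, is reported as "dirty after running validation steps". This target is the gate that keeps generated manifests and API docs in step with source, so a comment above it should state the precondition, for example `# Fails if generate/manifests/generate-api-docs modify or create any file; run on a clean tree.`. The target also has no `## ` description, unlike `help` in the same Makefile, so it presumably will not be listed by `make help`; `check: generate manifests generate-api-docs ## Verify generated files are committed.` would fix that.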
@@ -1,5 +1,17 @@ -# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-FileCopyrightText: Copyright (c) 2024-2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. --- apiVersion: rbac.authorization.k8s.io/v1 From 6a732073a5c7f549cdff2c177ea267137b0d262d Mon Sep 17 00:00:00 2001 From: tmontfort Date: Wed, 5 Nov 2025 15:59:14 -0800 Subject: [PATCH 03/11] ensure config/rbac files are getting license header --- deploy/cloud/operator/Makefile | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/deploy/cloud/operator/Makefile b/deploy/cloud/operator/Makefile index 748a9e803d..6089f4e636 100644 --- a/deploy/cloud/operator/Makefile +++ b/deploy/cloud/operator/Makefile 
@@ -113,6 +113,29 @@ manifests: controller-gen ensure-yq ## Generate WebhookConfiguration, ClusterRol if [ -d "../helm/crds/templates/" ]; then \ cp config/crd/bases/*.yaml ../helm/crds/templates/; \ fi + echo "Adding NVIDIA header to RBAC files" + for file in config/rbac/*.yaml; do \ + if [ -f "$$file" ] && ! head -20 "$$file" | grep -q "NVIDIA CORPORATION"; then \ + { printf '%s\n' \ + '# SPDX-FileCopyrightText: Copyright (c) 2024-2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.' \ + '# SPDX-License-Identifier: Apache-2.0' \ + '#' \ + '# Licensed under the Apache License, Version 2.0 (the "License");' \ + '# you may not use this file except in compliance with the License.' \ + '# You may obtain a copy of the License at' \ + '#' \ + '# http://www.apache.org/licenses/LICENSE-2.0' \ + '#' \ + '# Unless required by applicable law or agreed to in writing, software' \ + '# distributed under the License is distributed on an "AS IS" BASIS,' \ + '# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.' \ + '# See the License for the specific language governing permissions and' \ + '# limitations under the License.' \ + ''; \ + cat "$$file"; \ + } > "$$file.tmp" && mv "$$file.tmp" "$$file"; \ + fi; \ + done .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. From d1f5373f092c7a843b3dd98a54dd13e642352812 Mon Sep 17 00:00:00 2001 From: tmontfort Date: Wed, 5 Nov 2025 16:04:42 -0800 Subject: [PATCH 04/11] add make check to operator workflow --- .github/workflows/container-validation-backends.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/container-validation-backends.yml b/.github/workflows/container-validation-backends.yml index 79bceb2c85..a30f81273e 100644 --- a/.github/workflows/container-validation-backends.yml +++ b/.github/workflows/container-validation-backends.yml 
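Review bot: A failure while rewriting one RBAC file in PATCH 03's loop is swallowed unless it happens on the last file, because the `for` loop's exit status is that of its final iteration and nothing inside it exits on error. Ending the rewrite with `} > "$$file.tmp" && mv "$$file.tmp" "$$file" || exit 1; \` makes the recipe stop at the first failed `cat` or `mv`. The `grep -q "NVIDIA CORPORATION"` test over `head -20` accepts any mention of the name as an existing header, so matching the `SPDX-License-Identifier` line would be a tighter test. The header text, including the `2024-2025` year range, now lives both here and in `role.yaml`, and a comment saying the two must stay identical would explain the next `make check` failure. The `manifests` recipe starts before this hunk.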
@@ -87,6 +87,15 @@ jobs: --build-arg DOCKER_PROXY=${ECR_HOSTNAME}/dockerhub/ \ -f Dockerfile \ -t dynamo-operator:latest . + + - name: Check for uncommitted changes + shell: bash + env: + ECR_HOSTNAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com + run: | + cd deploy/cloud/operator + make check + - name: Docker Tag and Push uses: ./.github/actions/docker-tag-push with: From 7e9166ae68aac8059a6b9ba6ad1a1b05ccdae8ee Mon Sep 17 00:00:00 2001 From: tmontfort Date: Wed, 5 Nov 2025 16:05:27 -0800 Subject: [PATCH 05/11] testing that removing header is properly caught by make test --- deploy/cloud/operator/config/rbac/role.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/deploy/cloud/operator/config/rbac/role.yaml b/deploy/cloud/operator/config/rbac/role.yaml index 188af8b03b..2da394861c 100644 --- a/deploy/cloud/operator/config/rbac/role.yaml +++ b/deploy/cloud/operator/config/rbac/role.yaml @@ -1,18 +1,3 @@ -# SPDX-FileCopyrightText: Copyright (c) 2024-2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -# SPDX-License-Identifier: Apache-2.0 -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole From 68b4fa625740fa42c08539b45a7eb1dca84a2894 Mon Sep 17 00:00:00 2001 
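Review bot: The step added in PATCH 04 passes `ECR_HOSTNAME`, built from `secrets.AWS_ACCOUNT_ID` and `secrets.AWS_DEFAULT_REGION`, to a shell that only runs `make check`, and nothing visible in that target reads it. The targets behind `check` run generators and repository-controlled recipes, so the step should not receive secret-derived values it does not use; dropping the `env:` block from this step is enough. The same unused `env:` block is carried into the `make check` step that PATCH 09 reintroduces.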
From: tmontfort Date: Wed, 5 Nov 2025 16:14:55 -0800 Subject: [PATCH 06/11] need to install make --- .github/workflows/container-validation-backends.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/container-validation-backends.yml b/.github/workflows/container-validation-backends.yml index a30f81273e..38468c6815 100644 --- a/.github/workflows/container-validation-backends.yml +++ b/.github/workflows/container-validation-backends.yml @@ -93,6 +93,7 @@ jobs: env: ECR_HOSTNAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com run: | + sudo apt-get update && sudo apt-get install -y make cd deploy/cloud/operator make check From a2bbf31cd12f9359da37b2e42ed5c955a5de6826 Mon Sep 17 00:00:00 2001 From: tmontfort Date: Wed, 5 Nov 2025 16:24:09 -0800 Subject: [PATCH 07/11] use docker approach instead --- .../container-validation-backends.yml | 18 ++++++++---------- deploy/cloud/operator/Dockerfile | 11 ++++++++++- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/.github/workflows/container-validation-backends.yml b/.github/workflows/container-validation-backends.yml index 38468c6815..bd90b2a10e 100644 --- a/.github/workflows/container-validation-backends.yml +++ b/.github/workflows/container-validation-backends.yml @@ -75,6 +75,14 @@ jobs: run: | cd deploy/cloud/operator docker build --target tester --progress=plain --build-arg DOCKER_PROXY=${ECR_HOSTNAME}/dockerhub/ . + + - name: Check for uncommitted changes + shell: bash + env: + ECR_HOSTNAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com + run: | + cd deploy/cloud/operator + docker build --target check --progress=plain --build-arg DOCKER_PROXY=${ECR_HOSTNAME}/dockerhub/ . - name: Build Container id: build-image shell: bash 
@@ -87,16 +95,6 @@ jobs: --build-arg DOCKER_PROXY=${ECR_HOSTNAME}/dockerhub/ \ -f Dockerfile \ -t dynamo-operator:latest . - - - name: Check for uncommitted changes - shell: bash - env: - ECR_HOSTNAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com - run: | - sudo apt-get update && sudo apt-get install -y make - cd deploy/cloud/operator - make check - - name: Docker Tag and Push uses: ./.github/actions/docker-tag-push with: diff --git a/deploy/cloud/operator/Dockerfile b/deploy/cloud/operator/Dockerfile index 150f6b90a6..6e8dd0df1b 100644 --- a/deploy/cloud/operator/Dockerfile +++ b/deploy/cloud/operator/Dockerfile @@ -43,7 +43,16 @@ RUN apt-get update && apt-get install -y make && apt-get clean && rm -rf /var/li # Run tests using Makefile RUN make test -# Build stage - depends on successful lint and test +# Check stage +FROM base AS checker + +# Install make if not present +RUN apt-get update && apt-get install -y make && apt-get clean && rm -rf /var/lib/apt/lists/* + +# Run check using Makefile +RUN make check + +# Build stage - depends on successful lint, test and check FROM base AS builder # Build the binary From eada2ce4d052b43fe52a0eed659c340a5640c1fc Mon Sep 17 00:00:00 2001 From: tmontfort Date: Wed, 5 Nov 2025 16:28:55 -0800 Subject: [PATCH 08/11] stage is checker --- .github/workflows/container-validation-backends.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container-validation-backends.yml b/.github/workflows/container-validation-backends.yml index bd90b2a10e..a31cf665a3 100644 --- a/.github/workflows/container-validation-backends.yml +++ b/.github/workflows/container-validation-backends.yml 
@@ -82,7 +82,7 @@ jobs: ECR_HOSTNAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com run: | cd deploy/cloud/operator - docker build --target check --progress=plain --build-arg DOCKER_PROXY=${ECR_HOSTNAME}/dockerhub/ . + docker build --target checker --progress=plain --build-arg DOCKER_PROXY=${ECR_HOSTNAME}/dockerhub/ . - name: Build Container id: build-image shell: bash From 692230c85f32df8806ff78f9f50155b4b522a731 Mon Sep 17 00:00:00 2001 From: tmontfort Date: Wed, 5 Nov 2025 16:45:05 -0800 Subject: [PATCH 09/11] relying on direct make --- .github/workflows/container-validation-backends.yml | 7 ++++++- deploy/cloud/operator/Dockerfile | 11 +---------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/.github/workflows/container-validation-backends.yml b/.github/workflows/container-validation-backends.yml index a31cf665a3..cbbf08def3 100644 --- a/.github/workflows/container-validation-backends.yml +++ b/.github/workflows/container-validation-backends.yml @@ -76,13 +76,18 @@ jobs: cd deploy/cloud/operator docker build --target tester --progress=plain --build-arg DOCKER_PROXY=${ECR_HOSTNAME}/dockerhub/ . + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: '1.24' - name: Check for uncommitted changes shell: bash env: ECR_HOSTNAME: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com run: | + sudo apt-get update && sudo apt-get install -y make cd deploy/cloud/operator - docker build --target checker --progress=plain --build-arg DOCKER_PROXY=${ECR_HOSTNAME}/dockerhub/ . + make check - name: Build Container id: build-image shell: bash diff --git a/deploy/cloud/operator/Dockerfile b/deploy/cloud/operator/Dockerfile index 6e8dd0df1b..150f6b90a6 100644 --- a/deploy/cloud/operator/Dockerfile +++ b/deploy/cloud/operator/Dockerfile 
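Review bot: In PATCH 09 the `Set up Go` step hard-codes `go-version: '1.24'`, so the toolchain that `make check` uses on the runner can drift from the one the operator module declares. A mismatch there is a plausible source of spurious or missed differences in generated files. `actions/setup-go` accepts `go-version-file`, which takes the version from the module itself: `go-version-file: <path to the operator's go.mod>`. A short comment above the `apt-get` line, such as `# runner image does not ship make`, would record why the install is there, as the subject of PATCH 06 suggests.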
@@ -43,16 +43,7 @@ RUN apt-get update && apt-get install -y make && apt-get clean && rm -rf /var/li # Run tests using Makefile RUN make test -# Check stage -FROM base AS checker - -# Install make if not present -RUN apt-get update && apt-get install -y make && apt-get clean && rm -rf /var/lib/apt/lists/* - -# Run check using Makefile -RUN make check - -# Build stage - depends on successful lint, test and check +# Build stage - depends on successful lint and test FROM base AS builder # Build the binary From 58bed78488e891a42dced800338cf42af536d0d0 Mon Sep 17 00:00:00 2001 From: tmontfort Date: Wed, 5 Nov 2025 16:59:06 -0800 Subject: [PATCH 10/11] add license header back to role yaml --- deploy/cloud/operator/config/rbac/role.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/deploy/cloud/operator/config/rbac/role.yaml b/deploy/cloud/operator/config/rbac/role.yaml index 2da394861c..188af8b03b 100644 --- a/deploy/cloud/operator/config/rbac/role.yaml +++ b/deploy/cloud/operator/config/rbac/role.yaml @@ -1,3 +1,18 @@ +# SPDX-FileCopyrightText: Copyright (c) 2024-2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole From 60a20146de1b5073d93ca34719896b1581451493 Mon Sep 17 00:00:00 2001 
From: tmontfort Date: Thu, 6 Nov 2025 08:57:12 -0800 Subject: [PATCH 11/11] pin setup go action commit --- .github/workflows/container-validation-backends.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container-validation-backends.yml b/.github/workflows/container-validation-backends.yml index cbbf08def3..8845f822ba 100644 --- a/.github/workflows/container-validation-backends.yml +++ b/.github/workflows/container-validation-backends.yml @@ -77,7 +77,7 @@ jobs: docker build --target tester --progress=plain --build-arg DOCKER_PROXY=${ECR_HOSTNAME}/dockerhub/ . - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: '1.24' - name: Check for uncommitted changes
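Review bot: PATCH 11 is titled as a pin, but the trailing comment shows it also moves `actions/setup-go` from `v5` to `v6.0.0`, a major-version change the subject line does not mention. Confirm against the action's release page that the commit SHA is the one the `v6.0.0` tag points to, and that the new major behaves the same with `go-version: '1.24'` on this runner. A pinned SHA no longer follows upstream fixes, so an update-bot entry for workflow actions (Dependabot's `github-actions` ecosystem, for instance) would keep the pin current.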