Merge pull request #169 from morri-son/enhance-controller-release

Enhance controller release

Author: morri-son

.github/scripts/compute-version.js

@@ -47,7 +47,7 @@ export function computeVersion(ref, tagPrefix, options = {}) {
         // using current timestamp and git SHA for uniqueness
         const timestamp = toUtcCompactTimestamp(options.now ?? new Date());
         const sanitizedRef = sanitizePrereleaseIdentifier(ref) || "ref";
-        const shortSha = normalizeSha(options.gitSha ?? "unknown") || "unknown";
+        const shortSha = options.gitSha ? normalizeSha(options.gitSha) : "unknown";
 
         return `0.0.0-${sanitizedRef}.${timestamp}.${shortSha}`;
     }
@@ -84,7 +84,13 @@ function toUtcCompactTimestamp(date) {
  * @returns {string}
  */
 function normalizeSha(sha) {
-    return sha.toLowerCase().replace(/[^0-9a-f]/g, "").slice(0, 12);
+    const normalized = sha.toLowerCase().replace(/[^0-9a-f]/g, "").slice(0, 12);
+    if (normalized.length < 7) {
+        throw new Error(
+            `Invalid git SHA: expected at least 7 hex characters, got "${sha}" (normalized: "${normalized}")`
+        );
+    }
+    return normalized;
 }
 
 /**

.github/workflows/cli-release.yml

@@ -105,6 +105,7 @@ jobs:
     secrets: inherit
     with:
       ref: ${{ needs.prepare.outputs.new_tag }}
+      version: ${{ needs.prepare.outputs.base_version }}
 
   # --------------------------------------------------------
   # 4. RELEASE RC: Create GitHub pre-release
@@ -480,7 +481,16 @@ jobs:
 
           # Verify patching was successful
           ACTUAL_VERSION=$(yq '.version' "${CONSTRUCTOR}")
-          test "${ACTUAL_VERSION}" = "${FINAL_VERSION}" || { echo "❌ Version mismatch: ${ACTUAL_VERSION} != ${FINAL_VERSION}"; exit 1; }
+          test "${ACTUAL_VERSION}" = "${FINAL_VERSION}" || { echo "❌ .version mismatch: ${ACTUAL_VERSION} != ${FINAL_VERSION}"; exit 1; }
+
+          # Verify all resource versions were patched
+          RESOURCE_VERSIONS=$(yq '[.resources[].version] | unique | .[]' "${CONSTRUCTOR}")
+          test "${RESOURCE_VERSIONS}" = "${FINAL_VERSION}" || { echo "❌ Resource version mismatch: ${RESOURCE_VERSIONS}"; exit 1; }
+
+          # Verify image reference uses final version tag
+          ACTUAL_IMAGE_REF=$(yq '.resources[] | select(.name == "image") | .access.imageReference' "${CONSTRUCTOR}")
+          test "${ACTUAL_IMAGE_REF}" = "${IMAGE_REF}" || { echo "❌ Image ref mismatch: ${ACTUAL_IMAGE_REF} != ${IMAGE_REF}"; exit 1; }
+
           echo "✅ Constructor patched to ${FINAL_VERSION}"
 
       - name: Upload final constructor artifact

.github/workflows/cli.yml

@@ -29,6 +29,10 @@ on:
         description: "The ref to build on (branch or tag). Defaults to the current ref."
         type: string
         required: false
+      version:
+        description: "Explicit version to embed (overrides computed version from ref). Leading 'v' is stripped automatically."
+        type: string
+        required: false
     outputs:
       artifact_name:
         description: "The artifact name that was built."
@@ -99,8 +103,17 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           TAG_PREFIX: "cli/v"
+          VERSION_OVERRIDE: ${{ inputs.version || '' }}
         with:
           script: |
+            const override = process.env.VERSION_OVERRIDE;
+            if (override) {
+              const version = override.replace(/^v/, "");
+              core.exportVariable("VERSION", version);
+              core.setOutput("version", version);
+              core.info(`✅ Using explicit VERSION=${version} (override)`);
+              return;
+            }
             const script = await import('${{ github.workspace }}/.github/scripts/compute-version.js');
             await script.default({ core });
 

.github/workflows/controller-release.yml

@@ -319,6 +319,7 @@ jobs:
           IMAGE_REPO: ${{ env.REGISTRY }}/${{ github.repository_owner }}/kubernetes/controller
           SET_LATEST: ${{ needs.prepare.outputs.set_latest }}
         run: |
+          set -euo pipefail
           if [ "$SET_LATEST" = "true" ]; then
             oras tag "${IMAGE_REPO}:${RC_VERSION}" "${FINAL_VERSION}" "latest"
             echo "✅ Tagged :${FINAL_VERSION} and :latest"
@@ -345,6 +346,7 @@ jobs:
           VERSION: ${{ needs.prepare.outputs.base_version }}
           IMAGE_DIGEST: ${{ needs.build.outputs.image_digest }}
         run: |
+          set -euo pipefail
           task helm/package VERSION="${VERSION}" APP_VERSION="${VERSION}" IMAGE_DIGEST="${IMAGE_DIGEST}"
           helm push dist/chart-${VERSION}.tgz oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/kubernetes/controller
 
@@ -353,6 +355,7 @@ jobs:
         env:
           VERSION: ${{ needs.prepare.outputs.base_version }}
         run: |
+          set -euo pipefail
           CHART_REPO="${{ env.REGISTRY }}/${{ github.repository_owner }}/kubernetes/controller/chart"
           echo "digest=$(oras resolve ${CHART_REPO}:${VERSION})" >> "$GITHUB_OUTPUT"
 
@@ -368,6 +371,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          set -euo pipefail
           gh release view "${{ needs.prepare.outputs.new_tag }}" \
             --repo "${{ github.repository }}" --json body --jq '.body' > "${{ runner.temp }}/CHANGELOG.md"
 

kubernetes/controller/cliff.toml

@@ -0,0 +1,83 @@
+# git-cliff ~ configuration file
+# https://git-cliff.org/docs/configuration
+
+
+[changelog]
+# A Tera template to be rendered for each release in the changelog.
+# See https://keats.github.io/tera/docs/#introduction
+body = """
+{% if version %}\
+    ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
+{% else %}\
+    ## [unreleased]
+{% endif %}\
+{% for group, commits in commits | group_by(attribute="group") %}
+    ### {{ group | striptags | trim | upper_first }}
+    {% for commit in commits %}
+        - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
+            {% if commit.breaking %}[**breaking**] {% endif %}\
+            {{ commit.message | upper_first }}\
+    {% endfor %}
+{% endfor %}
+{% if github.contributors | length > 0 %}
+### Community & Contributors
+
+This release we had a total of **{{ github.contributors | length }}** contributors!
+If you want to engage with us, check our [community page](https://ocm.software/community/engagement/)!
+{% endif %}
+"""
+
+# Remove leading and trailing whitespaces from the changelog's body.
+trim = true
+# Render body even when there are no releases to process.
+render_always = true
+# An array of regex based postprocessors to modify the changelog.
+postprocessors = [
+    # Replace the placeholder <REPO> with a URL.
+    #{ pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" },
+]
+
+[git]
+# Parse commits according to the conventional commits specification.
+# See https://www.conventionalcommits.org
+conventional_commits = true
+# Exclude commits that do not match the conventional commits specification.
+filter_unconventional = true
+# Require all commits to be conventional.
+# Takes precedence over filter_unconventional.
+require_conventional = false
+# Split commits on newlines, treating each line as an individual commit.
+split_commits = false
+# An array of regex based parsers to modify commit messages prior to further processing.
+commit_preprocessors = [
+    # Replace issue numbers with link templates to be updated in `changelog.postprocessors`.
+    #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+]
+# Prevent commits that are breaking from being excluded by commit parsers.
+protect_breaking_commits = true
+# An array of regex based parsers for extracting data from the commit message.
+# Assigns commits to groups.
+# Optionally sets the commit's scope and can decide to exclude commits from further processing.
+commit_parsers = [
+    { message = "^feat", group = "<!-- 0 -->🚀 Features" },
+    { message = "^chore\\(deps.*\\)", group = "<!-- 2 -->📚 Dependencies" },
+    { message = "^fix\\(deps.*\\)", group = "<!-- 2 -->📚 Dependencies" },
+    { message = "^chore\\(docs.*\\)", group = "<!-- 8 -->📚 Documentation" },
+    { message = "^fix\\(docs.*\\)", group = "<!-- 8 -->📚 Documentation" },
+    { message = "^docs", group = "<!-- 8 -->📚 Documentation" },
+    { message = "^fix", group = "<!-- 1 -->🐛 Bug Fixes" },
+    { message = "^chore|^ci|chore\\(ci.*\\)|fix\\(ci.*\\)", group = "<!-- 7 -->⚙️ Miscellaneous Tasks" },
+]
+# Exclude commits that are not matched by any commit parser.
+filter_commits = false
+# An array of link parsers for extracting external references, and turning them into URLs, using regex.
+link_parsers = []
+# Order releases topologically instead of chronologically.
+topo_order = false
+# Order releases topologically instead of chronologically.
+topo_order_commits = true
+# Order of commits in each group/release within the changelog.
+# Allowed values: newest, oldest
+sort_commits = "oldest"
+# Process submodules commits
+recurse_submodules = false