From b9ed174eba62b911fca522e1dd8454e94239a322 Mon Sep 17 00:00:00 2001
From: SequeI
Date: Tue, 12 Aug 2025 13:34:06 +0100
Subject: [PATCH 1/2] feat(ci): dependabot configuration + using helm/kind-action for e2e cluster setup
Signed-off-by: SequeI
---
.github/dependabot.yml | 37 +++++++++++++++++++++++++++++++
.github/workflows/lint.yml | 20 +++++++++++++----
.github/workflows/sign-model.yaml | 18 ++++++++-------
.github/workflows/test-e2e.yml | 37 +++++++++++--------------------
.github/workflows/test.yml | 2 ++
5 files changed, 78 insertions(+), 36 deletions(-)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..60c56049
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,37 @@
+version: 2
+updates:
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10
+ groups:
+ go-modules:
+ patterns:
+ - "*"
+ pull-request-title:
+ prefix: "chore(deps)"
+ separator: " "
+ labels:
+ - "dependencies"
+ - "go"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10
+ groups:
+ actions-updates:
+ patterns:
+ - "*"
+ update-types:
+ - "patch"
+ - "minor"
+ - "major"
+ pull-request-title:
+ prefix: "chore(deps-dev)"
+ separator: " "
+ labels:
+ - "dependencies"
+ - "github-actions"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d9605000..98b5f825 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
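Review bot: `pull-request-title` (used in both update entries of dependabot.yml) is not a key I recognise from the Dependabot v2 schema, so the file may fail validation and produce no update PRs at all. The documented way to set a prefix is `commit-message:` with `prefix: "chore(deps)"`, which Dependabot also applies to the PR title. Separately, the `actions-updates` group matches `"*"` across patch, minor and major, so a breaking major bump of one action lands in the same PR as routine updates and is hard to review or revert on its own. Consider dropping `- "major"` from `update-types` so that majors get individual PRs.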
@@ -1,23 +1,35 @@ -name: Lint +name: Linter on: push: + branches: [ "main" ] pull_request: + branches: [ "main" ] + +permissions: + contents: read jobs: lint: - name: Run on Ubuntu + name: Run Linting runs-on: ubuntu-latest + steps: - - name: Clone the code + - name: Checkout code uses: actions/checkout@v4 - name: Setup Go uses: actions/setup-go@v5 with: go-version-file: go.mod + cache: true + + - name: Go mod tidy + run: go mod tidy - - name: Run linter + - name: Run golangci-lint uses: golangci/golangci-lint-action@v8 with: version: v2.3.0 + args: --timeout=5m --issues-exit-code=0 --verbose + cache: true diff --git a/.github/workflows/sign-model.yaml b/.github/workflows/sign-model.yaml index 1800cf98..2cd3028e 100644 --- a/.github/workflows/sign-model.yaml +++ b/.github/workflows/sign-model.yaml @@ -1,4 +1,4 @@ -name: Sign Model Tensorflow Saved Model +name: Sign model with Sigstore on: workflow_dispatch: 
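Review bot: `--issues-exit-code=0` in the golangci-lint `args` makes the linter exit 0 even when it reports issues, so this job can no longer fail a pull request and the check becomes advisory only. If that is a temporary measure, say so next to the line, e.g. `# TODO: drop --issues-exit-code=0 once existing findings are fixed`; otherwise use `args: --timeout=5m --verbose`. The `cache: true` under golangci-lint-action also does not look like one of that action's inputs (its cache switches are `skip-cache` and related), so it is probably ignored with a warning.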
@@ -27,18 +27,20 @@ jobs: "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" | jq -r '.value') echo "OIDC_TOKEN=$token" >> $GITHUB_ENV - - name: Set up environment and sign model + - name: Sign model env: OIDC_TOKEN: ${{ env.OIDC_TOKEN }} run: | - docker run --rm -v $(pwd)/testdata/tensorflow_saved_model:/tensorflow_saved_model:z -w /tensorflow_saved_model ghcr.io/sigstore/model-transparency-cli:v1.0.1 sign sigstore --signature="/tensorflow_saved_model/model.sig" --identity_token "$OIDC_TOKEN" /tensorflow_saved_model + docker run --rm -v $(pwd)/testdata/tensorflow_saved_model:/tensorflow_saved_model:z -w \ + /tensorflow_saved_model ghcr.io/sigstore/model-transparency-cli:v1.0.1 sign sigstore \ + --signature="/tensorflow_saved_model/model.sig" --identity_token "$OIDC_TOKEN" /tensorflow_saved_model - - name: Create tar.gz of the signed model + - name: Create a tarball of the signed model and signature run: | - tar -czvf signed_model.tar.gz -C $(pwd)/testdata/tensorflow_saved_model . + tar -czvf signed_model_bundle.tar.gz -C $(pwd)/testdata/tensorflow_saved_model . - - name: Upload signed model as artifact + - name: Upload signed model artifact uses: actions/upload-artifact@v4 with: - name: signed-model - path: signed_model.tar.gz + name: signed-model-bundle + path: signed_model_bundle.tar.gz diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 174b4211..7de00282 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml 
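Review bot: The reworked `Sign model` step still reads its identity token from the job environment, which the context line `echo "OIDC_TOKEN=$token" >> $GITHUB_ENV` at the top of the hunk populates. That exposes the token to every later step, including the tar and upload steps, and nothing visible here masks it in logs. Fetch the token inside the signing step itself, or at least emit `echo "::add-mask::$token"` before exporting it; the `env: OIDC_TOKEN: ${{ env.OIDC_TOKEN }}` mapping adds no isolation. The signer image is referenced by the mutable tag `v1.0.1`; pinning it by digest (`ghcr.io/sigstore/model-transparency-cli@sha256:<digest>`) would keep the code that receives the token fixed. The token-fetch step begins above the hunk.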
@@ -2,50 +2,39 @@ name: E2E Tests on: push: + branches: [ "main" ] pull_request: + branches: [ "main" ] + +permissions: + contents: read jobs: test-e2e: - name: Run on Ubuntu + name: Run E2E Tests runs-on: ubuntu-latest steps: - - name: Clone the code + - name: Checkout code uses: actions/checkout@v4 - name: Setup Go uses: actions/setup-go@v5 with: go-version-file: go.mod - - - name: Install the latest version of kind - run: | - curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64 - chmod +x ./kind - sudo mv ./kind /usr/local/bin/kind - - - name: Verify kind installation - run: kind version - - - name: Install kubectl - run: | - curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - chmod +x kubectl - sudo mv kubectl /usr/local/bin/kubectl - - - name: Verify kubectl installation - run: kubectl version --client + cache: true - name: Create kind cluster - run: kind create cluster + uses: helm/kind-action@v1 + with: + cluster_name: kind - - name: Wait for cluster to be ready + - name: Wait for kind cluster to be ready run: | - echo "Waiting for cluster to be ready..." kubectl wait --for=condition=Ready nodes --all --timeout=300s kubectl wait --for=condition=Ready --namespace=kube-system pod --all --timeout=300s echo "Cluster is ready" - - name: Running Test e2e + - name: Run E2E tests run: | go mod tidy make test-e2e diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fc2e80d3..922b5331 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,7 +2,9 @@ name: Tests on: push: + branches: [ "main" ] pull_request: + branches: [ "main" ] jobs: test: From 32e436ca3badd997e86de445579353f8ec26e49c Mon Sep 17 00:00:00 2001 From: SequeI Date: Wed, 13 Aug 2025 21:08:49 +0100 Subject: [PATCH 2/2] fix: remove mod tidy where it is not needed 
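Review bot: `uses: helm/kind-action@v1` in test-e2e.yml references a third-party action by a mutable major tag, and no `version` or `node_image` is set under `with:`. The kind release and node image are therefore whatever the action currently defaults to, much as with the removed `latest` download. Pin the action to a full commit SHA, `uses: helm/kind-action@<full-commit-sha> # v1.x.y`, and set `version:` and `node_image:` so e2e runs are reproducible. The github-actions Dependabot entry added in this commit can keep a SHA pin current.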
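Review bot: test.yml gets the `branches: [ "main" ]` filters but not the top-level `permissions:` block that this commit adds to lint.yml and test-e2e.yml, so its `GITHUB_TOKEN` keeps the repository's default scope. Add `permissions:` with `contents: read` between `on:` and `jobs:` here as well, unless a job-level block already exists outside the hunk. The `test` job body continues past the end of the hunk.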
Signed-off-by: SequeI --- .github/workflows/lint.yml | 3 --- .github/workflows/test-e2e.yml | 1 - .github/workflows/test.yml | 1 - 3 files changed, 5 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 98b5f825..aad4c355 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -24,9 +24,6 @@ jobs: go-version-file: go.mod cache: true - - name: Go mod tidy - run: go mod tidy - - name: Run golangci-lint uses: golangci/golangci-lint-action@v8 with: diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 7de00282..7d02140f 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -36,5 +36,4 @@ jobs: - name: Run E2E tests run: | - go mod tidy make test-e2e diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 922b5331..ee7d33f2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,5 +21,4 @@ jobs: - name: Running Tests run: | - go mod tidy make test