Skip to content

fix: Add RBAC permission to patch events #2621

fix: Add RBAC permission to patch events

fix: Add RBAC permission to patch events #2621

Workflow file for this run

# =============
# This file is automatically generated from the templates in stackabletech/operator-templating
# DON'T MANUALLY EDIT THIS FILE
# =============
---
name: Stackable Build Pipeline
on:
push:
branches:
- main
- staging
- trying
- "renovate/**"
tags:
- '[0-9][0-9].[0-9]+.[0-9]+'
- '[0-9][0-9].[0-9]+.[0-9]+-rc[0-9]+'
pull_request:
merge_group:
schedule:
# Run every Saturday morning: https://crontab.guru/#15_3_*_*_6
- cron: '15 3 * * 6'
workflow_dispatch:
env:
CARGO_TERM_COLOR: always
CARGO_INCREMENTAL: '0'
CARGO_PROFILE_DEV_DEBUG: '0'
RUST_TOOLCHAIN_VERSION: "1.87.0"
RUST_NIGHTLY_TOOLCHAIN_VERSION: "nightly-2025-05-26"
PYTHON_VERSION: "3.13"
RUSTFLAGS: "-D warnings"
RUSTDOCFLAGS: "-D warnings"
RUST_LOG: "info"
jobs:
# Identify unused dependencies
run_udeps:
name: Run Cargo Udeps
runs-on: ubuntu-latest
env:
RUSTC_BOOTSTRAP: 1
steps:
- name: Install host dependencies
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1
with:
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
version: ubuntu-latest
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
submodules: recursive
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
with:
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
with:
key: udeps
cache-all-crates: "true"
- uses: stackabletech/cargo-install-action@cargo-udeps
- run: cargo udeps --workspace --all-targets
# This job evaluates the github environment to determine why this action is running and decides if
# Helm charts are published based on this.
#
# The following scenarios are identified:
# - all pull requests land are published:
# condition: github.event_name == "pull_request"
#
# - all tagged releases are published:
# condition: github.event_name == 'push' & github.ref.startswith('refs/tags/')
#
# - all pushes to main (i.e. PR-merges) and all scheduled/manual workflow runs on main land are published:
# condition: ( github.event_name == 'push' | github.event_name == 'schedule' | github.event_name == 'workflow_dispatch' ) & github.ref == 'refs/heads/main'
#
# Any other scenarios (e.g. when a branch is created/pushed) will cause the publish step to be skipped, most commonly this is expected to happen for the
# branches that the GitHub merge queue feature uses internally for which the checks need to run, but we do not want artifacts to be published.
check_helm_publish:
name: Decide if Helm charts are pushed to the helm repository based on action trigger
runs-on: ubuntu-latest
outputs:
skip_helm: ${{ steps.checkhelmpublish.outputs.skip_helm }}
steps:
- id: checkhelmpublish
env:
TRIGGER: ${{ github.event_name }}
GITHUB_REF: ${{ github.ref }}
run: |
if [[ "$TRIGGER" == "pull_request" ]]; then
echo "skip_helm=false" >> "$GITHUB_OUTPUT"
elif [[ ( "$TRIGGER" == "push" || "$TRIGGER" == "schedule" || "$TRIGGER" == "workflow_dispatch" ) && "$GITHUB_REF" == "refs/heads/main" ]]; then
echo "skip_helm=false" >> "$GITHUB_OUTPUT"
elif [[ "$TRIGGER" == "push" && $GITHUB_REF == refs/tags/* ]]; then
echo "skip_helm=false" >> "$GITHUB_OUTPUT"
else
echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF"
echo "skip_helm=true" >> "$GITHUB_OUTPUT"
fi
run_cargodeny:
name: Run Cargo Deny
runs-on: ubuntu-latest
strategy:
matrix:
checks:
- advisories
- bans licenses sources
# Prevent sudden announcement of a new advisory from failing ci:
continue-on-error: ${{ matrix.checks == 'advisories' }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
submodules: recursive
- uses: EmbarkStudios/cargo-deny-action@30f817c6f72275c6d54dc744fbca09ebc958599f # v2.0.12
with:
command: check ${{ matrix.checks }}
run_rustfmt:
name: Run Rustfmt
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
submodules: recursive
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
with:
toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }}
components: rustfmt
- env:
RUST_TOOLCHAIN_VERSION: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }}
run: cargo "+$RUST_TOOLCHAIN_VERSION" fmt --all -- --check
run_clippy:
name: Run Clippy
runs-on: ubuntu-latest
steps:
- name: Install host dependencies
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1
with:
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
version: ubuntu-latest
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
submodules: recursive
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
with:
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
components: clippy
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
with:
key: clippy
cache-all-crates: "true"
# TODO (@Techassi): Remove this step (unmaintained action, kinda useless step anyway)
- name: Run clippy action to produce annotations
uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1.0.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
if: env.GITHUB_TOKEN != null
with:
clippy_flags: --all-targets -- -D warnings
reporter: 'github-pr-review'
github_token: ${{ secrets.GITHUB_TOKEN }}
# TODO (@Techassi): Remove, done by pre-commit
- name: Run clippy manually without annotations
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
if: env.GITHUB_TOKEN == null
run: cargo clippy --color never -q --all-targets -- -D warnings
# TODO (@Techassi): Can be done by pre-commit
run_rustdoc:
name: Run RustDoc
runs-on: ubuntu-latest
steps:
- name: Install host dependencies
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1
with:
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
version: ubuntu-latest
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: recursive
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
with:
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
components: rustfmt
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
with:
key: doc
cache-all-crates: "true"
- run: cargo doc --document-private-items
# TODO (@Techassi): Remove, done by pre-commit
run_tests:
name: Run Cargo Tests
runs-on: ubuntu-latest
steps:
- name: Install host dependencies
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1
with:
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
version: ubuntu-latest
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
submodules: recursive
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
with:
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
with:
key: test
cache-all-crates: "true"
- run: cargo test
# Similar to check_charts, this tries to render the README, and see if there are unintended changes.
# This will save us from merging changes to the wrong file (instead of the templated source), and from
# forgetting to render out modifications to the README.
check_readme:
name: Check if committed README is the one we would render from the available parts
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
submodules: recursive
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install jinja2-cli
run: pip install jinja2-cli==0.8.2
- name: Regenerate charts
run: make render-readme
- name: Check if committed README were up to date
run: git diff --exit-code
- name: Git Diff showed uncommitted changes
if: ${{ failure() }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
core.setFailed('Committed README are not up to date, please make sure to apply them to the templated partials, and re-commit!')
# This job cleans up the CRDs and Helm charts, followed by rebuilding them
# It then runs a `git diff` and fails the entire workflow, if any difference is encountered.
#
# Since CRD files are generated during the 'cargo build' process we need to run this once after
# removing the CRD files to ensure that the checked in versions match what the code expects.
#
# The reason for this step is, that developers are expected to check in up-to-date versions of charts
# as we'd otherwise have to build these in CI and commit them back to the PR, which
# creates all kinds of problems.
# This failsafe simply aborts anything that has not had charts rebuilt before pushing.
check_charts:
name: Check if committed Helm charts are up to date
runs-on: ubuntu-latest
steps:
- name: Install host dependencies
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1
with:
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
version: ubuntu-latest
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
submodules: recursive
- name: Set up Helm
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
with:
version: v3.16.1
- name: Set up cargo
uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
with:
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
with:
key: charts
cache-all-crates: "true"
- name: Regenerate charts
run: make regenerate-charts
- name: Check if committed charts were up to date
run: git diff --exit-code
- name: Git Diff showed uncommitted changes
if: ${{ failure() }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
core.setFailed('Committed charts were not up to date, please regenerate and re-commit!')
tests_passed:
name: All tests passed
needs:
- run_udeps
- run_cargodeny
- run_clippy
- run_rustfmt
- run_rustdoc
- run_tests
- check_charts
- check_readme
runs-on: ubuntu-latest
steps:
- name: log
run: echo All tests have passed!
# TODO (@Techassi): Most of these publishing and signing tasks can be done by our own actions.
# Make use of them just like we do in docker-images.
package_and_publish:
name: Package Charts, Build Docker Image and publish them - ${{ matrix.runner }}
needs:
- tests_passed
- check_helm_publish
strategy:
matrix:
runner: ["ubuntu-latest", "ubicloud-standard-8-arm"]
runs-on: ${{ matrix.runner }}
timeout-minutes: 120
permissions:
id-token: write
env:
OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build"
OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build"
if: needs.check_helm_publish.outputs.skip_helm != 'true'
outputs:
IMAGE_TAG: ${{ steps.printtag.outputs.IMAGE_TAG }}
steps:
- name: Install host dependencies
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1
with:
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
version: ${{ matrix.runner }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
submodules: recursive
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31.4.1
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
with:
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
components: rustfmt
# This step checks if the current run was triggered by a push to a pr (or a pr being created).
# If this is the case it changes the version of this project in all Cargo.toml files to include the suffix
# "-pr<prnumber>" so that the published artifacts can be linked to this PR.
- uses: stackabletech/cargo-install-action@main
with:
crate: cargo-edit
bin: cargo-set-version
- name: Update version if PR against main branch
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' }}
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
PR_VERSION="0.0.0-pr${PR_NUMBER}"
cargo set-version --offline --workspace "$PR_VERSION"
- name: Update version if PR against non-main branch
# For PRs to be merged against a release branch, use the version that has already been set in the calling script.
# We can't rely on cargo set-version here as we will break semver rules when changing the version to make it
# specific to this PR e.g. 1.2.0 --> 1.2.0-pr678, so set it manually.
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref != 'main' }}
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
shell: bash
run: |
set -euo pipefail
MANIFEST_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version')
PR_VERSION="${MANIFEST_VERSION}-pr${PR_NUMBER}"
sed -i "s/version = \"${MANIFEST_VERSION}\"/version = \"${PR_VERSION}\"/" Cargo.toml
# Recreate charts and publish charts and docker image.
- name: Install cosign
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
- name: Install syft
uses: anchore/sbom-action/download-syft@cee1b8e05ae5b2593a75e197229729eabaa9f8ec # v0.20.2
- name: Build Docker image and Helm chart
run: |
# Installing helm and yq on ubicloud-standard-8-arm only
if [ "$(arch)" = "aarch64" ]; then
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get -y update
sudo apt-get -y install helm
sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq
fi
make build
- name: Publish Docker image and Helm chart
if: ${{ !github.event.pull_request.head.repo.fork }}
run: |
# We want to publish helmcharts only once as they have a common name, while still publishing both images with architecture specific tags
if [ "$(uname -m)" = "x86_64" ]; then
make publish
else
make docker-publish
fi
# Output the name of the published image to the Job output for later use
- id: printtag
name: Output image name and tag
if: ${{ !github.event.pull_request.head.repo.fork }}
run: echo "IMAGE_TAG=$(make print-docker-tag)" >> "$GITHUB_OUTPUT"
create_manifest_list:
name: Build and publish manifest list
if: ${{ !github.event.pull_request.head.repo.fork }}
needs:
- package_and_publish
runs-on: ubuntu-latest
permissions:
id-token: write
env:
OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build"
OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build"
steps:
- name: Install cosign
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
submodules: recursive
# This step checks if the current run was triggered by a push to a pr (or a pr being created).
# If this is the case it changes the version of this project in all Cargo.toml files to include the suffix
# "-pr<prnumber>" so that the published artifacts can be linked to this PR.
- uses: stackabletech/cargo-install-action@main
with:
crate: cargo-edit
bin: cargo-set-version
- name: Update version if PR against main branch
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' }}
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
PR_VERSION="0.0.0-pr${PR_NUMBER}"
cargo set-version --offline --workspace "$PR_VERSION"
- name: Update version if PR against non-main branch
# For PRs to be merged against a release branch, use the version that has already been set in the calling script.
# We can't rely on cargo set-version here as we will break semver rules when changing the version to make it
# specific to this PR e.g. 1.2.0 --> 1.2.0-pr678, so set it manually.
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref != 'main' }}
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
shell: bash
run: |
set -euo pipefail
MANIFEST_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version')
PR_VERSION="${MANIFEST_VERSION}-pr${PR_NUMBER}"
sed -i "s/version = \"${MANIFEST_VERSION}\"/version = \"${PR_VERSION}\"/" Cargo.toml
- name: Build manifest list
run: |
# Creating manifest list
make -e docker-manifest-list-build
# Pushing and signing manifest list
make -e docker-manifest-list-publish
openshift_preflight:
name: Run the OpenShift Preflight check on the published images
if: ${{ !github.event.pull_request.head.repo.fork }}
needs:
- create_manifest_list
- package_and_publish
runs-on: ubuntu-latest
env:
IMAGE_TAG: ${{ needs.package_and_publish.outputs.IMAGE_TAG }}
steps:
- name: Install preflight
run: |
wget https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.10.0/preflight-linux-amd64
chmod +x preflight-linux-amd64
- name: Check container
run: |
ARCH_FOR_PREFLIGHT="$(arch | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')"
./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" > preflight.out
- name: "Passed?"
run: '[ "$(jq -r .passed < preflight.out)" == true ]'