fix: Backport Add RBAC permission to patch events #2624
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# ============= | |
# This file is automatically generated from the templates in stackabletech/operator-templating | |
# DON'T MANUALLY EDIT THIS FILE | |
# ============= | |
--- | |
name: Stackable Build Pipeline | |
on: | |
push: | |
branches: | |
- main | |
- staging | |
- trying | |
- "renovate/**" | |
tags: | |
- '[0-9][0-9].[0-9]+.[0-9]+' | |
- '[0-9][0-9].[0-9]+.[0-9]+-rc[0-9]+' | |
pull_request: | |
merge_group: | |
schedule: | |
# Run every Saturday morning: https://crontab.guru/#15_3_*_*_6 | |
- cron: '15 3 * * 6' | |
workflow_dispatch: | |
env: | |
CARGO_TERM_COLOR: always | |
CARGO_INCREMENTAL: '0' | |
CARGO_PROFILE_DEV_DEBUG: '0' | |
RUST_TOOLCHAIN_VERSION: "1.87.0" | |
RUST_NIGHTLY_TOOLCHAIN_VERSION: "nightly-2025-05-26" | |
PYTHON_VERSION: "3.13" | |
RUSTFLAGS: "-D warnings" | |
RUSTDOCFLAGS: "-D warnings" | |
RUST_LOG: "info" | |
jobs: | |
# Identify unused dependencies | |
run_udeps: | |
name: Run Cargo Udeps | |
runs-on: ubuntu-latest | |
env: | |
RUSTC_BOOTSTRAP: 1 | |
steps: | |
- name: Install host dependencies | |
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1 | |
with: | |
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https | |
version: ubuntu-latest | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
submodules: recursive | |
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b | |
with: | |
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} | |
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
with: | |
key: udeps | |
cache-all-crates: "true" | |
- uses: stackabletech/cargo-install-action@cargo-udeps | |
- run: cargo udeps --workspace --all-targets | |
# This job evaluates the github environment to determine why this action is running and decides if | |
# Helm charts are published based on this. | |
# | |
# The following scenarios are identified: | |
# - all pull requests land are published: | |
# condition: github.event_name == "pull_request" | |
# | |
# - all tagged releases are published: | |
# condition: github.event_name == 'push' & github.ref.startswith('refs/tags/') | |
# | |
# - all pushes to main (i.e. PR-merges) and all scheduled/manual workflow runs on main land are published: | |
# condition: ( github.event_name == 'push' | github.event_name == 'schedule' | github.event_name == 'workflow_dispatch' ) & github.ref == 'refs/heads/main' | |
# | |
# Any other scenarios (e.g. when a branch is created/pushed) will cause the publish step to be skipped, most commonly this is expected to happen for the | |
# branches that the GitHub merge queue feature uses internally for which the checks need to run, but we do not want artifacts to be published. | |
check_helm_publish: | |
name: Decide if Helm charts are pushed to the helm repository based on action trigger | |
runs-on: ubuntu-latest | |
outputs: | |
skip_helm: ${{ steps.checkhelmpublish.outputs.skip_helm }} | |
steps: | |
- id: checkhelmpublish | |
env: | |
TRIGGER: ${{ github.event_name }} | |
GITHUB_REF: ${{ github.ref }} | |
run: | | |
if [[ "$TRIGGER" == "pull_request" ]]; then | |
echo "skip_helm=false" >> "$GITHUB_OUTPUT" | |
elif [[ ( "$TRIGGER" == "push" || "$TRIGGER" == "schedule" || "$TRIGGER" == "workflow_dispatch" ) && "$GITHUB_REF" == "refs/heads/main" ]]; then | |
echo "skip_helm=false" >> "$GITHUB_OUTPUT" | |
elif [[ "$TRIGGER" == "push" && $GITHUB_REF == refs/tags/* ]]; then | |
echo "skip_helm=false" >> "$GITHUB_OUTPUT" | |
else | |
echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF" | |
echo "skip_helm=true" >> "$GITHUB_OUTPUT" | |
fi | |
run_cargodeny: | |
name: Run Cargo Deny | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
checks: | |
- advisories | |
- bans licenses sources | |
# Prevent sudden announcement of a new advisory from failing ci: | |
continue-on-error: ${{ matrix.checks == 'advisories' }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
submodules: recursive | |
- uses: EmbarkStudios/cargo-deny-action@30f817c6f72275c6d54dc744fbca09ebc958599f # v2.0.12 | |
with: | |
command: check ${{ matrix.checks }} | |
run_rustfmt: | |
name: Run Rustfmt | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
submodules: recursive | |
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b | |
with: | |
toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }} | |
components: rustfmt | |
- env: | |
RUST_TOOLCHAIN_VERSION: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }} | |
run: cargo "+$RUST_TOOLCHAIN_VERSION" fmt --all -- --check | |
run_clippy: | |
name: Run Clippy | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install host dependencies | |
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1 | |
with: | |
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https | |
version: ubuntu-latest | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
submodules: recursive | |
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b | |
with: | |
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} | |
components: clippy | |
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
with: | |
key: clippy | |
cache-all-crates: "true" | |
# TODO (@Techassi): Remove this step (unmaintained action, kinda useless step anyway) | |
- name: Run clippy action to produce annotations | |
uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1.0.1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
if: env.GITHUB_TOKEN != null | |
with: | |
clippy_flags: --all-targets -- -D warnings | |
reporter: 'github-pr-review' | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
# TODO (@Techassi): Remove, done by pre-commit | |
- name: Run clippy manually without annotations | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
if: env.GITHUB_TOKEN == null | |
run: cargo clippy --color never -q --all-targets -- -D warnings | |
# TODO (@Techassi): Can be done by pre-commit | |
run_rustdoc: | |
name: Run RustDoc | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install host dependencies | |
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1 | |
with: | |
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https | |
version: ubuntu-latest | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
submodules: recursive | |
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b | |
with: | |
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} | |
components: rustfmt | |
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
with: | |
key: doc | |
cache-all-crates: "true" | |
- run: cargo doc --document-private-items | |
# TODO (@Techassi): Remove, done by pre-commit | |
run_tests: | |
name: Run Cargo Tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install host dependencies | |
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1 | |
with: | |
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https | |
version: ubuntu-latest | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
submodules: recursive | |
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b | |
with: | |
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} | |
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
with: | |
key: test | |
cache-all-crates: "true" | |
- run: cargo test | |
# Similar to check_charts, this tries to render the README, and see if there are unintended changes. | |
# This will save us from merging changes to the wrong file (instead of the templated source), and from | |
# forgetting to render out modifications to the README. | |
check_readme: | |
name: Check if committed README is the one we would render from the available parts | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
submodules: recursive | |
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
- name: Install jinja2-cli | |
run: pip install jinja2-cli==0.8.2 | |
- name: Regenerate charts | |
run: make render-readme | |
- name: Check if committed README were up to date | |
run: git diff --exit-code | |
- name: Git Diff showed uncommitted changes | |
if: ${{ failure() }} | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
core.setFailed('Committed README are not up to date, please make sure to apply them to the templated partials, and re-commit!') | |
# This job cleans up the CRDs and Helm charts, followed by rebuilding them | |
# It then runs a `git diff` and fails the entire workflow, if any difference is encountered. | |
# | |
# Since CRD files are generated during the 'cargo build' process we need to run this once after | |
# removing the CRD files to ensure that the checked in versions match what the code expects. | |
# | |
# The reason for this step is, that developers are expected to check in up-to-date versions of charts | |
# as we'd otherwise have to build these in CI and commit them back to the PR, which | |
# creates all kinds of problems. | |
# This failsafe simply aborts anything that has not had charts rebuilt before pushing. | |
check_charts: | |
name: Check if committed Helm charts are up to date | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install host dependencies | |
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1 | |
with: | |
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https | |
version: ubuntu-latest | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
submodules: recursive | |
- name: Set up Helm | |
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0 | |
with: | |
version: v3.16.1 | |
- name: Set up cargo | |
uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b | |
with: | |
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} | |
- uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | |
with: | |
key: charts | |
cache-all-crates: "true" | |
- name: Regenerate charts | |
run: make regenerate-charts | |
- name: Check if committed charts were up to date | |
run: git diff --exit-code | |
- name: Git Diff showed uncommitted changes | |
if: ${{ failure() }} | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
core.setFailed('Committed charts were not up to date, please regenerate and re-commit!') | |
tests_passed: | |
name: All tests passed | |
needs: | |
- run_udeps | |
- run_cargodeny | |
- run_clippy | |
- run_rustfmt | |
- run_rustdoc | |
- run_tests | |
- check_charts | |
- check_readme | |
runs-on: ubuntu-latest | |
steps: | |
- name: log | |
run: echo All tests have passed! | |
# TODO (@Techassi): Most of these publishing and signing tasks can be done by our own actions. | |
# Make use of them just like we do in docker-images. | |
package_and_publish: | |
name: Package Charts, Build Docker Image and publish them - ${{ matrix.runner }} | |
needs: | |
- tests_passed | |
- check_helm_publish | |
strategy: | |
matrix: | |
runner: ["ubuntu-latest", "ubicloud-standard-8-arm"] | |
runs-on: ${{ matrix.runner }} | |
timeout-minutes: 120 | |
permissions: | |
id-token: write | |
env: | |
OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} | |
OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build" | |
OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }} | |
OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build" | |
if: needs.check_helm_publish.outputs.skip_helm != 'true' | |
outputs: | |
IMAGE_TAG: ${{ steps.printtag.outputs.IMAGE_TAG }} | |
steps: | |
- name: Install host dependencies | |
uses: awalsh128/cache-apt-pkgs-action@4c82c3ccdc1344ee11e9775dbdbdf43aa8a5614e # v1.5.1 | |
with: | |
packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https | |
version: ${{ matrix.runner }} | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
submodules: recursive | |
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31.4.1 | |
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b | |
with: | |
toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} | |
components: rustfmt | |
# This step checks if the current run was triggered by a push to a pr (or a pr being created). | |
# If this is the case it changes the version of this project in all Cargo.toml files to include the suffix | |
# "-pr<prnumber>" so that the published artifacts can be linked to this PR. | |
- uses: stackabletech/cargo-install-action@main | |
with: | |
crate: cargo-edit | |
bin: cargo-set-version | |
- name: Update version if PR against main branch | |
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' }} | |
env: | |
PR_NUMBER: ${{ github.event.pull_request.number }} | |
run: | | |
PR_VERSION="0.0.0-pr${PR_NUMBER}" | |
cargo set-version --offline --workspace "$PR_VERSION" | |
- name: Update version if PR against non-main branch | |
# For PRs to be merged against a release branch, use the version that has already been set in the calling script. | |
# We can't rely on cargo set-version here as we will break semver rules when changing the version to make it | |
# specific to this PR e.g. 1.2.0 --> 1.2.0-pr678, so set it manually. | |
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref != 'main' }} | |
env: | |
PR_NUMBER: ${{ github.event.pull_request.number }} | |
shell: bash | |
run: | | |
set -euo pipefail | |
MANIFEST_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version') | |
PR_VERSION="${MANIFEST_VERSION}-pr${PR_NUMBER}" | |
sed -i "s/version = \"${MANIFEST_VERSION}\"/version = \"${PR_VERSION}\"/" Cargo.toml | |
# Recreate charts and publish charts and docker image. | |
- name: Install cosign | |
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1 | |
- name: Install syft | |
uses: anchore/sbom-action/download-syft@cee1b8e05ae5b2593a75e197229729eabaa9f8ec # v0.20.2 | |
- name: Build Docker image and Helm chart | |
run: | | |
# Installing helm and yq on ubicloud-standard-8-arm only | |
if [ "$(arch)" = "aarch64" ]; then | |
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null | |
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list | |
sudo apt-get -y update | |
sudo apt-get -y install helm | |
sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq | |
fi | |
make build | |
- name: Publish Docker image and Helm chart | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
run: | | |
# We want to publish helmcharts only once as they have a common name, while still publishing both images with architecture specific tags | |
if [ "$(uname -m)" = "x86_64" ]; then | |
make publish | |
else | |
make docker-publish | |
fi | |
# Output the name of the published image to the Job output for later use | |
- id: printtag | |
name: Output image name and tag | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
run: echo "IMAGE_TAG=$(make print-docker-tag)" >> "$GITHUB_OUTPUT" | |
create_manifest_list: | |
name: Build and publish manifest list | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
needs: | |
- package_and_publish | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
env: | |
OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} | |
OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build" | |
OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }} | |
OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build" | |
steps: | |
- name: Install cosign | |
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1 | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
submodules: recursive | |
# This step checks if the current run was triggered by a push to a pr (or a pr being created). | |
# If this is the case it changes the version of this project in all Cargo.toml files to include the suffix | |
# "-pr<prnumber>" so that the published artifacts can be linked to this PR. | |
- uses: stackabletech/cargo-install-action@main | |
with: | |
crate: cargo-edit | |
bin: cargo-set-version | |
- name: Update version if PR against main branch | |
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' }} | |
env: | |
PR_NUMBER: ${{ github.event.pull_request.number }} | |
run: | | |
PR_VERSION="0.0.0-pr${PR_NUMBER}" | |
cargo set-version --offline --workspace "$PR_VERSION" | |
- name: Update version if PR against non-main branch | |
# For PRs to be merged against a release branch, use the version that has already been set in the calling script. | |
# We can't rely on cargo set-version here as we will break semver rules when changing the version to make it | |
# specific to this PR e.g. 1.2.0 --> 1.2.0-pr678, so set it manually. | |
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref != 'main' }} | |
env: | |
PR_NUMBER: ${{ github.event.pull_request.number }} | |
shell: bash | |
run: | | |
set -euo pipefail | |
MANIFEST_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version') | |
PR_VERSION="${MANIFEST_VERSION}-pr${PR_NUMBER}" | |
sed -i "s/version = \"${MANIFEST_VERSION}\"/version = \"${PR_VERSION}\"/" Cargo.toml | |
- name: Build manifest list | |
run: | | |
# Creating manifest list | |
make -e docker-manifest-list-build | |
# Pushing and signing manifest list | |
make -e docker-manifest-list-publish | |
openshift_preflight: | |
name: Run the OpenShift Preflight check on the published images | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
needs: | |
- create_manifest_list | |
- package_and_publish | |
runs-on: ubuntu-latest | |
env: | |
IMAGE_TAG: ${{ needs.package_and_publish.outputs.IMAGE_TAG }} | |
steps: | |
- name: Install preflight | |
run: | | |
wget https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.10.0/preflight-linux-amd64 | |
chmod +x preflight-linux-amd64 | |
- name: Check container | |
run: | | |
ARCH_FOR_PREFLIGHT="$(arch | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')" | |
./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" > preflight.out | |
- name: "Passed?" | |
run: '[ "$(jq -r .passed < preflight.out)" == true ]' |