🤖 feat: add CoderProvisioner CRD and controller for external provisioner daemons #192
---
# CI for the coder-k8s controller: path-filtered lint / test / e2e / terraform
# checks on pull requests and merge-queue batches, plus an image publish on
# pushes to main.
name: CI

on:
  pull_request:
  merge_group:
    types:
      - checks_requested
  push:
    branches:
      - main

# Least-privilege default for GITHUB_TOKEN. Jobs that need more (packages:write
# for the publish job, pull-requests:read for path detection) request it at job
# level instead of widening this default.
permissions:
  contents: read

jobs:
| changes: | |
| name: Detect changed paths | |
| runs-on: depot-ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| outputs: | |
| go: ${{ steps.merge_group_defaults.outputs.go || steps.filter.outputs.go }} | |
| workflows: ${{ steps.merge_group_defaults.outputs.workflows || steps.filter.outputs.workflows }} | |
| publish: ${{ steps.merge_group_defaults.outputs.publish || steps.filter.outputs.publish }} | |
| terraform: ${{ steps.merge_group_defaults.outputs.terraform || steps.filter.outputs.terraform }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| # Required so paths-filter can diff push events using github.event.before without fetching. | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Set merge-group defaults | |
| if: github.event_name == 'merge_group' | |
| id: merge_group_defaults | |
| run: | | |
| { | |
| echo "go=true" | |
| echo "workflows=true" | |
| echo "publish=false" | |
| echo "terraform=true" | |
| } >> "$GITHUB_OUTPUT" | |
| - name: Detect changed paths | |
| if: github.event_name != 'merge_group' | |
| id: filter | |
| uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
| with: | |
| filters: | | |
| go: | |
| - '**/*.go' | |
| - 'go.mod' | |
| - 'go.sum' | |
| - 'vendor/**' | |
| - 'Makefile' | |
| - '.golangci.yml' | |
| - '.golangci.yaml' | |
| - 'hack/update-reference-docs.sh' | |
| - 'hack/crd-ref-docs/**' | |
| - 'docs/reference/api/**' | |
| workflows: | |
| - '.github/workflows/**' | |
| - '.github/actionlint.yaml' | |
| - '.github/actionlint.yml' | |
| publish: | |
| - '**/*.go' | |
| - 'go.mod' | |
| - 'go.sum' | |
| - 'vendor/**' | |
| - 'Dockerfile*' | |
| - 'Dockerfile.goreleaser' | |
| terraform: | |
| - 'terraform/**' | |
| - '.github/workflows/ci.yaml' | |
| lint: | |
| needs: changes | |
| if: github.event_name == 'merge_group' || (needs.changes.outputs.go == 'true' && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]')) | |
| runs-on: depot-ubuntu-24.04-8 | |
| timeout-minutes: 20 | |
| env: | |
| GOFLAGS: -mod=vendor | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Go | |
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Verify vendor is up to date | |
| run: | | |
| go mod tidy | |
| go mod vendor | |
| git diff --exit-code -- go.mod go.sum vendor/ | |
| - name: Verify API reference docs are up to date | |
| run: | | |
| bash ./hack/update-reference-docs.sh | |
| git diff --exit-code -- docs/reference/api/ | |
| - name: Run golangci-lint | |
| run: go tool golangci-lint run --timeout=5m ./... | |
| - name: Run golangci-lint formatter checks | |
| run: go tool golangci-lint fmt --diff | |
| - name: Run govulncheck | |
| run: go tool govulncheck ./... | |
| test: | |
| needs: changes | |
| if: github.event_name == 'merge_group' || (needs.changes.outputs.go == 'true' && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]')) | |
| runs-on: depot-ubuntu-24.04-8 | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Verify vendor is up to date | |
| run: | | |
| go mod tidy | |
| go mod vendor | |
| git diff --exit-code -- go.mod go.sum vendor/ | |
| - name: Setup envtest assets | |
| env: | |
| GOFLAGS: -mod=vendor | |
| run: | | |
| KUBEBUILDER_ASSETS_PATH="$(go run ./vendor/sigs.k8s.io/controller-runtime/tools/setup-envtest use 1.35.x --bin-dir "${{ github.workspace }}/bin/envtest" -p path)" | |
| echo "KUBEBUILDER_ASSETS=${KUBEBUILDER_ASSETS_PATH}" >> "$GITHUB_ENV" | |
| - name: Run tests | |
| env: | |
| GOFLAGS: -mod=vendor | |
| KUBEBUILDER_ASSETS: ${{ env.KUBEBUILDER_ASSETS }} | |
| run: go test ./... -count=1 | |
| - name: Build | |
| env: | |
| GOFLAGS: -mod=vendor | |
| run: go build ./... | |
| e2e-kind: | |
| name: E2E Smoke (Kind) | |
| needs: [changes, test] | |
| if: needs.changes.outputs.go == 'true' && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]') | |
| runs-on: depot-ubuntu-24.04-8 | |
| timeout-minutes: 45 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Create Kind cluster | |
| uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 | |
| with: | |
| cluster_name: e2e | |
| - name: Build binary | |
| env: | |
| GOFLAGS: -mod=vendor | |
| CGO_ENABLED: "0" | |
| GOOS: linux | |
| GOARCH: amd64 | |
| run: go build -o coder-k8s ./ | |
| - name: Build and load image | |
| run: | | |
| docker build -f Dockerfile.goreleaser -t ghcr.io/coder/coder-k8s:e2e . | |
| kind load docker-image ghcr.io/coder/coder-k8s:e2e --name e2e | |
| - name: Apply CRDs and RBAC | |
| run: | | |
| kubectl apply -f config/crd/bases/ | |
| kubectl apply -f config/rbac/ | |
| - name: Deploy controller | |
| run: | | |
| kubectl apply -f config/e2e/namespace.yaml | |
| kubectl apply -f config/e2e/ | |
| - name: Wait for controller | |
| run: kubectl wait --for=condition=Available deploy/coder-k8s -n coder-system --timeout=120s | |
| - name: Apply sample CR | |
| run: kubectl apply -f config/samples/coder_v1alpha1_codercontrolplane.yaml | |
| - name: Verify CR exists | |
| run: | | |
| kubectl get codercontrolplanes -A | |
| COUNT=$(kubectl get codercontrolplanes -A -o json | jq '.items | length') | |
| if [ "$COUNT" -lt 1 ]; then | |
| echo "assertion failed: expected at least 1 CoderControlPlane resource" >&2 | |
| exit 1 | |
| fi | |
| terraform: | |
| name: Terraform (fmt/validate/tflint/trivy) | |
| needs: changes | |
| if: github.event_name == 'merge_group' || (needs.changes.outputs.terraform == 'true' && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]')) | |
| runs-on: depot-ubuntu-24.04 | |
| timeout-minutes: 20 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: 1.14.4 | |
| - name: terraform fmt (check) | |
| working-directory: terraform | |
| run: terraform fmt -check -diff -recursive | |
| - name: terraform init (backend disabled) | |
| working-directory: terraform | |
| run: terraform init -backend=false -lockfile=readonly -input=false | |
| - name: terraform validate | |
| working-directory: terraform | |
| run: terraform validate -no-color | |
| - name: Setup TFLint | |
| uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1 | |
| with: | |
| tflint_version: v0.61.0 | |
| - name: tflint | |
| working-directory: terraform | |
| run: | | |
| tflint --init | |
| tflint --recursive | |
| - name: Trivy config scan (Terraform) | |
| uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 | |
| with: | |
| scan-type: config | |
| scan-ref: terraform/ | |
| trivyignores: terraform/.trivyignore | |
| severity: HIGH,CRITICAL | |
| exit-code: '1' | |
| lint-actions: | |
| name: Lint GitHub Actions | |
| needs: changes | |
| if: github.event_name == 'merge_group' || (needs.changes.outputs.workflows == 'true' && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]')) | |
| runs-on: depot-ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| env: | |
| GOFLAGS: -mod=vendor | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Run actionlint | |
| run: go tool actionlint | |
| - name: Run zizmor | |
| uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0 | |
| with: | |
| advanced-security: false | |
| online-audits: false | |
| inputs: .github/workflows | |
| codex-comments: | |
| name: Codex Comments | |
| if: github.event_name == 'pull_request' | |
| runs-on: depot-ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Check unresolved Codex comments | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./scripts/check_codex_comments.sh ${{ github.event.pull_request.number }} | |
| publish-main: | |
| name: Publish GHCR :main | |
| needs: [changes, test, lint, lint-actions, e2e-kind, terraform] | |
| if: | | |
| always() && | |
| github.event_name == 'push' && | |
| github.ref == 'refs/heads/main' && | |
| needs.changes.outputs.publish == 'true' && | |
| (needs.test.result == 'success' || needs.test.result == 'skipped') && | |
| (needs.lint.result == 'success' || needs.lint.result == 'skipped') && | |
| (needs.lint-actions.result == 'success' || needs.lint-actions.result == 'skipped') && | |
| (needs.e2e-kind.result == 'success' || needs.e2e-kind.result == 'skipped') && | |
| (needs.terraform.result == 'success' || needs.terraform.result == 'skipped') | |
| runs-on: depot-ubuntu-24.04-8 | |
| timeout-minutes: 30 | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: false | |
| - name: Build linux/amd64 binary for image | |
| env: | |
| GOFLAGS: -mod=vendor | |
| CGO_ENABLED: "0" | |
| GOOS: linux | |
| GOARCH: amd64 | |
| run: go build -o coder-k8s ./ | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push :main | |
| uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 | |
| with: | |
| context: . | |
| file: Dockerfile.goreleaser | |
| push: true | |
| tags: ghcr.io/coder/coder-k8s:main |