ci: 1st implementation

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,26 @@
+---
+name: Bug report
+about: Create a report to help us improve
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Kubernetes (please complete the following information):**
+ - Kubernetes version [`kubectl version --short`]
+
+**HRE pod logs**
+`kubectl logs hre-xxxxxxx`
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/dependabot.yml

@@ -0,0 +1,27 @@
+# .github/dependabot.yml
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    open-pull-requests-limit: 20
+    schedule:
+      interval: "weekly"
+      day: friday
+      time: '04:00'
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    open-pull-requests-limit: 20
+    schedule:
+      interval: "weekly"
+      day: friday
+      time: '04:10'
+
+  - package-ecosystem: "python"
+    directory: "/"
+    open-pull-requests-limit: 20
+    schedule:
+      interval: "weekly"
+      day: friday
+      time: '04:20'

.github/release-drafter.yml

@@ -0,0 +1,74 @@
+template: |
+  # What's Changed
+  $CHANGES
+  **Full Changelog**: https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...$RESOLVED_VERSION
+name-template: "Version $RESOLVED_VERSION"
+tag-template: "$RESOLVED_VERSION"
+
+categories:
+  - title: '🚀 Features'
+    labels:
+    - 'feature'
+    - 'feat'
+  - title: '🐛 Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+  - title: '🧰 Maintenance'
+    label: 'chore'
+  - title: '📚 Documentation'
+    label: 'docs'
+  - title: '🧪 Tests'
+    label: 'test'
+  - title: '🏷️ Version Tags'
+    label: 'version'
+  - title: '🔖 Release Tags'
+    label: 'release'
+  - title: '🧩 Dependencies'
+    label: 'dependencies'
+  - title: '🔒 Security'
+    label: 'security'
+  - title: '🚨 Breaking Changes'
+    label: 'breaking'
+  - title: '🧹 Code Cleanup'
+    label: 'cleanup'
+  - title: '🔧 Config'
+    label: 'config'
+  - title: '📦 Packages'
+    label: 'package'
+  - title: '🔥 Removals'
+    label: 'removal'
+  - title: '🚧 Work In Progress'
+    label: 'wip'
+  - title: '🔀 Merges'
+    label: 'merge'
+  - title: '🎨 Style'
+    label: 'style'
+  - title: '🔊 Logging'
+    label: 'logging'
+  - title: '🔇 Silence'
+    label: 'silence'
+  - title: '🤖 CI/CD'
+    label: 'ci'
+
+version-resolver:
+  major:
+    labels:
+      - "release-major"
+  minor:
+    labels:
+      - "release-minor"
+  patch:
+    labels:
+      - "release-patch"
+  default: patch
+
+autolabeler:
+  - label: "release-major"
+    title:
+      - "/^BREAKING CHANGE:/"
+  - label: "release-minor"
+    title:
+      - "/^feat:/"
+      - "/^feat\\(.+\\):/"

.github/workflows/__shared-ci.yml

@@ -0,0 +1,108 @@
+name: Internal - Common Continuous Integration tasks
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: "Tag Version (semver - x.x.x)"
+        type: string
+        required: false
+    outputs:
+      built-images:
+        value: ${{ jobs.docker-build-images.outputs.built-images }}
+
+jobs:
+
+  shellcheck:
+    name: "Shell: Lint Shell Scripts"
+    id: shellcheck
+    runs-on: self-hosted
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Lint Shell Scripts
+        run: |
+          shellcheck --shell=bash entrypoint.sh
+
+  hadolint:
+    name: "Docker: Lint Dockerfile"
+    id: hadolint
+    runs-on: self-hosted
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Lint Dockerfile
+        run: |
+          docker run --rm -i hadolint/hadolint < Dockerfile
+
+  docker-build-images:
+    name: "Docker: Build Images"
+    needs:
+      - shellcheck
+      - hadolint
+    uses: hoverkraft-tech/ci-github-container/.github/workflows/[email protected]
+    permissions:
+      actions: write
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
+    secrets:
+      oci-registry-password: ${{ secrets.OCI_REGISTRY_PASSWORD }}
+    with:
+      runs-on: '["self-hosted"]'
+      oci-registry: ${{ vars.OCI_REGISTRY }}
+      oci-registry-username: ${{ vars.OCI_REGISTRY_USERNAME }}
+      images: |
+        [{
+          "repository": ${{ vars.OCI_REGISTRY_IMAGE_REPOSITORY }},
+          "tag": "${{ inputs.tag }}",
+          "dockerfile": "./Dockerfile",
+          "platforms": [
+            "linux/amd64",
+            "linux/arm64"
+          ]
+        }]
+
+  chart-testing:
+    name: "Helm: Chart Testing"
+    runs-on: self-hosted
+    needs:
+      - docker-build-images
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install tools with asdf
+        uses: asdf-vm/actions/install@v3
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Run chart-testing (lint)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+      - name: Create kind cluster
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: helm/[email protected]
+      - name: Run chart-testing (install)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: |
+          ct install \
+            --target-branch ${{ github.event.repository.default_branch }} \
+            --helm-extra-args "--set image.tag=${{ needs.docker-build-images.outputs.built-images[0].tag }} --wait"
+      - name: show pods
+        id: k-get-pods
+        run: |
+          sleep 10
+          kubectl get cronjob -n default
+          kubectl create job --from=cronjob/ovh-snapshoter -n default ovh-snapshoter-job
+          sleep 10
+          kubectl get pods -n default

.github/workflows/main-ci.yml

@@ -0,0 +1,23 @@
+name: Main - Continuous Integration
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+
+  ci:
+    name: Continuous Integration
+    uses: ./.github/workflows/__shared-ci.yml
+    permissions:
+      actions: write
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
+    secrets: inherit

.github/workflows/pull-request-ci.yml

@@ -0,0 +1,33 @@
+name: Pull request - Continuous Integration
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+
+  pull-request-labeler:
+    name: Pull request labeler
+    runs-on: self-hosted
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: release-drafter/release-drafter@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          disable-releaser: true
+
+  ci:
+    name: Continuous Integration
+    uses: ./.github/workflows/__shared-ci.yml
+    permissions:
+      actions: write
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
+    secrets: inherit

.github/workflows/release.yml

@@ -0,0 +1,77 @@
+name: 🚀 Release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  check-branches:
+    name: Check branches
+    runs-on: self-hosted
+    steps:
+      - name: Check branch
+        run: |
+          if [[ "${{ github.ref_name }}" != "${{ github.event.repository.default_branch }}" ]]; then
+            echo "This action can only be run on the ${{ github.event.repository.default_branch }} branch"
+            exit 1
+          fi
+
+  ci:
+    needs: check-branches
+    name: Continuous Integration
+    uses: ./.github/workflows/__shared-ci.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
+
+  update_release_draft:
+    name: Draft a new release
+    # we want to publish a new tag only if ci succeeds
+    needs: ci
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: self-hosted
+    steps:
+      - id: update_release_draft
+        uses: release-drafter/release-drafter@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          publish: true
+          disable-autolabeler: true
+
+  helm-push:
+    name: "Helm: push chart to OCI registry"
+    needs: ci
+    runs-on: self-hosted
+    steps:
+      # Get a local copy of the code
+      - uses: actions/checkout@v4
+
+      # install tools with asdf
+      - name: 📦 Install tools with asdf
+        uses: asdf-vm/actions/install@v3
+
+      - name: 🔒 Login to OCI registry
+        run: |
+          echo "+ login to OCI registry"
+          helm registry login ${vars.OCI_REGISTRY} -u "${secrets.OCI_REGISTRY_USERNAME}" -p "${secrets.OCI_REGISTRY_PASSWORD}"
+
+      # Push the chart
+      - name: ⚓ Push Helm Chart to OCI registry
+        uses: hoverkraft-tech/[email protected]
+        with:
+          useOCIRegistry: true
+          username: ${{ secrets.OCI_REGISTRY_USERNAME }}
+          # NOTE: access-token is the password for OCI registry
+          #       cf https://github.com/bsord/helm-push/blob/5ec3320fb5720a0a5aa210d871999f2b836f2d97/entrypoint.sh#L37
+          access-token: ${{ secrets.OCI_REGISTRY_PASSWORD }}
+          registry-url: oci://${vars.OCI_REGISTRY}/${vars.OCI_REGISTRY_CHART_REPOSITORY}
+          chart-folder: helm/chart
+          force: true
+          update-dependencies: true
+          version: ${{ github.event.inputs.tagVersion }}
+          appVersion: ${{ github.event.inputs.tagVersion }}