stackabletech
diff --git a/‎.github/workflows/build.yaml‎
Lines changed: 296 additions & 0 deletions b/‎.github/workflows/build.yaml‎
Lines changed: 296 additions & 0 deletions
@@ -0,0 +1,296 @@
+# =============
+# This file is automatically generated from the templates in stackabletech/operator-templating
+# DON'T MANUALLY EDIT THIS FILE
+# =============
+---
+name: Build opa-operator Artifacts
+
+permissions: {}
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - '[0-9][0-9].[0-9]+.[0-9]+-rc[0-9]+'
+      - '[0-9][0-9].[0-9]+.[0-9]+'
+  schedule:
+    # Run every Saturday morning: https://crontab.guru/#15_3_*_*_6
+    - cron: '15 3 * * 6'
+  pull_request:
+    # Do not limit by paths. This workflow contains a required job.
+  merge_group:
+
+env:
+  OPERATOR_NAME: "opa-operator"
+  RUST_NIGHTLY_TOOLCHAIN_VERSION: "nightly-2025-10-23"
+  NIX_PKG_MANAGER_VERSION: "2.30.0"
+  RUST_TOOLCHAIN_VERSION: "1.89.0"
+  HADOLINT_VERSION: "v2.14.0"
+  PYTHON_VERSION: "3.14"
+  CARGO_TERM_COLOR: always
+
+jobs:
+  # This workflow contains a "required job", and GitHub Actions isn't clever
+  # enough to detect that it should be skipped, and therefore pass (like they
+  # allow for skipping jobs in a workflow).
+  # Therefore, we have to move path filters/globs down to an actual job, and
+  # emit an output that can be used to skip irrelevant jobs.
+  detect-changes:
+    name: Detect relevant changed files
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Check for changed files
+        id: check
+        uses: stackabletech/actions/detect-changes@babe44d7b1db87f8e7731c011151d22a8a374191 # v0.12.0
+        with:
+          patterns: |
+            - '.github/workflows/build.yaml'
+            - 'rust-toolchain.toml'
+            - '.dockerignore'
+            - 'deploy/**'
+            - '.cargo/**'
+            - 'docker/**'
+            - 'Cargo.*'
+            - '*.rs'
+    outputs:
+      detected: ${{ steps.check.outputs.detected }}
+
+  cargo-udeps:
+    name: Run cargo-udeps
+    if: needs.detect-changes.outputs.detected == 'true'
+    needs: [detect-changes]
+    runs-on: ubuntu-latest
+    env:
+      RUSTC_BOOTSTRAP: 1
+    steps:
+      - name: Install host dependencies
+        uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3
+        with:
+          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
+          version: ubuntu-latest
+
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} toolchain
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
+        with:
+          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
+
+      - name: Setup Rust Cache
+        uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
+        with:
+          cache-all-crates: "true"
+          key: udeps
+
+      - name: Install cargo-udeps
+        uses: stackabletech/cargo-install-action@8f7dbbcd2ebe22717efc132d0dd61e80841994b9 # cargo-udeps
+
+      - name: Run cargo-udeps
+        run: cargo udeps --workspace --all-targets
+
+  build-container-image:
+    name: Build/Publish ${{ matrix.runner.arch }} Image
+    if: (github.event_name != 'merge_group') && needs.detect-changes.outputs.detected == 'true'
+    needs: [detect-changes]
+    permissions:
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        runner:
+          - { name: "ubuntu-latest", arch: "amd64" }
+          - { name: "ubicloud-standard-8-arm", arch: "arm64" }
+    runs-on: ${{ matrix.runner.name }}
+    outputs:
+      operator-version: ${{ steps.version.outputs.OPERATOR_VERSION }}
+    steps:
+      - name: Install host dependencies
+        uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3
+        with:
+          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
+          version: ${{ matrix.runner.name }}
+
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Update/Extract Operator Version
+        id: version
+        env:
+          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+          GITHUB_DEBUG: ${{ runner.debug }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          [ -n "$GITHUB_DEBUG" ] && set -x
+
+          CURRENT_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version')
+
+          if [ "$GITHUB_EVENT_NAME" == 'pull_request' ]; then
+            # Include a PR suffix if this workflow is triggered by a PR
+            if [ "$PR_BASE_REF" == 'main' ]; then
+              NEW_VERSION="0.0.0-pr$PR_NUMBER"
+            else
+              NEW_VERSION="$CURRENT_VERSION-pr$PR_NUMBER"
+            fi
+          else
+            # Just use the current version if this workflow is run on push, schedule, etc...
+            NEW_VERSION="$CURRENT_VERSION"
+          fi
+
+          sed -i "s/version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" Cargo.toml
+          echo "OPERATOR_VERSION=$NEW_VERSION" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31.5.2
+
+      - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} Toolchain
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
+        with:
+          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
+
+      - name: Build Container Image
+        id: build
+        uses: stackabletech/actions/build-container-image@babe44d7b1db87f8e7731c011151d22a8a374191 # v0.12.0
+        with:
+          image-name: ${{ env.OPERATOR_NAME }}
+          image-index-manifest-tag: ${{ steps.version.outputs.OPERATOR_VERSION }}
+          build-arguments: VERSION=${{ steps.version.outputs.OPERATOR_VERSION }}
+          container-file: docker/Dockerfile
+
+      - name: Publish Container Image
+        uses: stackabletech/actions/publish-image@babe44d7b1db87f8e7731c011151d22a8a374191 # v0.12.0
+        with:
+          image-registry-uri: oci.stackable.tech
+          image-registry-username: robot$sdp+github-action-build
+          image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+          image-repository: sdp/${{ env.OPERATOR_NAME }}
+          image-manifest-tag: ${{ steps.build.outputs.image-manifest-tag }}
+          source-image-uri: ${{ steps.build.outputs.image-manifest-uri }}
+
+  publish-index-manifest:
+    name: Publish/Sign ${{ needs.build-container-image.outputs.operator-version }} Index
+    if: (github.event_name != 'merge_group') && needs.detect-changes.outputs.detected == 'true'
+    needs:
+      - detect-changes
+      - build-container-image
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Publish and Sign Image Index
+        uses: stackabletech/actions/publish-image-index-manifest@babe44d7b1db87f8e7731c011151d22a8a374191 # v0.12.0
+        with:
+          image-registry-uri: oci.stackable.tech
+          image-registry-username: robot$sdp+github-action-build
+          image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+          image-repository: sdp/${{ env.OPERATOR_NAME }}
+          image-index-manifest-tag: ${{ needs.build-container-image.outputs.operator-version }}
+
+  publish-helm-chart:
+    name: Package/Publish ${{ needs.build-container-image.outputs.operator-version }} Helm Chart
+    if: (github.event_name != 'merge_group') && needs.detect-changes.outputs.detected == 'true'
+    needs:
+      - detect-changes
+      - build-container-image
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Package, Publish, and Sign Helm Chart
+        uses: stackabletech/actions/publish-helm-chart@babe44d7b1db87f8e7731c011151d22a8a374191 # v0.12.0
+        with:
+          chart-registry-uri: oci.stackable.tech
+          chart-registry-username: robot$sdp-charts+github-action-build
+          chart-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
+          chart-repository: sdp-charts
+          chart-directory: deploy/helm/${{ env.OPERATOR_NAME }}
+          chart-version: ${{ needs.build-container-image.outputs.operator-version }}
+          app-version: ${{ needs.build-container-image.outputs.operator-version }}
+
+  openshift-preflight-check:
+    name: Run OpenShift Preflight Check for ${{ needs.build-container-image.outputs.operator-version }}-${{ matrix.arch }}
+    if: (github.event_name != 'merge_group') && needs.detect-changes.outputs.detected == 'true'
+    needs:
+      - detect-changes
+      - build-container-image
+      - publish-index-manifest
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run OpenShift Preflight Check
+        uses: stackabletech/actions/run-openshift-preflight@babe44d7b1db87f8e7731c011151d22a8a374191 # v0.12.0
+        with:
+          image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }}
+          image-architecture: ${{ matrix.arch }}
+
+  # This job is a required check in GitHub Settings for this repository.
+  # It saves us having to list many required jobs, or work around dynamically
+  # named jobs (since there is no concept of required settings).
+  finished:
+    # WARNING: Do not change the name unless you will also be changing the
+    # Required Checks (in branch protections) in GitHub settings.
+    name: Finished Build and Publish
+    needs:
+      - cargo-udeps
+      - openshift-preflight-check
+      - publish-helm-chart
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "We are done here"
+
+  notify:
+    name: Failure Notification
+    if: (failure() || github.run_attempt > 1) && github.event_name != 'merge_group' && needs.detect-changes.outputs.detected == 'true'
+    needs:
+      - detect-changes
+      - build-container-image
+      - publish-index-manifest
+      - publish-helm-chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Send Notification
+        uses: stackabletech/actions/send-slack-notification@babe44d7b1db87f8e7731c011151d22a8a374191 # v0.12.0
+        with:
+          publish-helm-chart-result: ${{ needs.publish-helm-chart.result }}
+          publish-manifests-result: ${{ needs.publish-index-manifest.result }}
+          build-result: ${{ needs.build-container-image.result }}
+          slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+          channel-id: C07UG6JH44F # notifications-container-images
+          type: container-image-build