Merge branch 'main' into add-security-context

diranged · Feb 21, 2025 · d0d8dcc · d0d8dcc
2 parents 0435b53 + 6f117df
commit d0d8dcc
Show file tree

Hide file tree

Showing 82 changed files with 6,249 additions and 4,062 deletions.
diff --git a/.github/actions/setup-go/action.yaml b/.github/actions/setup-go/action.yaml
@@ -5,7 +5,7 @@ runs:
   using: composite
   steps:
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         cache: true
         go-version-file: "go.mod"
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -1,20 +1,26 @@
 # Add 'repo' label to any root file changes
 repo:
-- '*'
+- changed-files:
+  - any-glob-to-any-file: '*'
 
 github_actions:
-- '.github/**/*'
+- changed-files:
+  - any-glob-to-any-file: '.github/**/*'
 
 build:
-- '.github/*'
-- Makefile
-- Common.mk
-- go.mod
-- go.sum
+- changed-files:
+  - any-glob-to-any-file: '.github/*'
+  - any-glob-to-any-file: Makefile
+  - any-glob-to-any-file: Common.mk
+  - any-glob-to-any-file: go.mod
+  - any-glob-to-any-file: go.sum
 
 documentation:
-- '*.md'
-- '**/*.md'
-
+- changed-files:
+  - any-glob-to-any-file: '*.md'
+  - any-glob-to-any-file: '**/*.md'
+
 go:
-- '*.go'
+- changed-files:
+  - any-glob-to-any-file: '*.go'
+  - any-glob-to-any-file: '**/*.go'
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -0,0 +1,21 @@
+name-template: v$RESOLVED_VERSION
+tag-template: '$RESOLVED_VERSION'
+tag-prefix: ''
+categories:
+  - title: '🚀 Features'
+    labels:
+      - 'feature'
+      - 'enhancement'
+  - title: '🐛 Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+  - title: '🧰 Maintenance'
+    label: 'chore'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+template: |
+  ## Changes
+
+  $CHANGES
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
@@ -22,7 +22,7 @@ jobs:
         run: git diff --exit-code
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: dist
           path: dist/**
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -14,7 +14,7 @@ jobs:
     steps:
       - name: Detect No-op Changes
         id: noop
-        uses: fkirc/[email protected].0
+        uses: fkirc/[email protected].1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           paths_ignore: '["**.md", "**.png", "**.jpg"]'
@@ -52,3 +52,13 @@ jobs:
     uses: ./.github/workflows/publish.yaml
     with:
       publish: false
+
+  helm-docs:
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+    uses: ./.github/workflows/helm-docs.yaml
+
+  helm-test:
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+    uses: ./.github/workflows/helm-test.yaml
diff --git a/.github/workflows/docgen.yaml b/.github/workflows/docgen.yaml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 

diff --git a/.github/workflows/godeps.yaml b/.github/workflows/godeps.yaml
@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ">=1.18.0"
 
       - name: Run snapshot action
-        uses: actions/go-dependency-submission@v1
+        uses: actions/go-dependency-submission@v2
         with:
           go-mod-path: go.mod
diff --git a/.github/workflows/helm-docs.yaml b/.github/workflows/helm-docs.yaml
@@ -0,0 +1,32 @@
+name: Helm-Docs
+on:
+  workflow_call: {}
+jobs:
+  helm-docs:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # required for ct helm tool
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+
+      - name: Run helm-docs
+        run: make helm-docs || true
+
+      - name: Find mutations
+        id: self_mutation
+        run: |-
+          git add .
+          git diff --staged --patch --exit-code || echo "self_mutation_happened=true" >> "$GITHUB_OUTPUT"
+
+      - uses: stefanzweifel/git-auto-commit-action@v5
+        if: steps.self_mutation.outputs.self_mutation_happened
+        with:
+          commit_message: Automated Commit
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
@@ -0,0 +1,39 @@
+name: Helm Chart Release
+
+on:
+  workflow_call: {}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Update Helm Chart version
+        run: |
+          NEW_VERSION="${{ github.event.release.tag_name }}"
+          sed -i "s/^version:.*/version: $NEW_VERSION/" charts/oz/Chart.yaml
+          sed -i "s/^appVersion:.*/appVersion: $NEW_VERSION/" charts/oz/Chart.yaml
+          make helm-docs || true
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: 3.10.2
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        with:
+          charts_dir: charts
+        env:
+          CR_SKIP_EXISTING: "true"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_RELEASE_NAME_TEMPLATE: "oz-chart-{{ .Version }}"
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
@@ -0,0 +1,50 @@
+name: Chart Test
+on:
+  workflow_call: {}
+jobs:
+  helm-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # required for ct helm tool
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: 3.10.2
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct --config ct.yaml list-changed)
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> ${GITHUB_OUTPUT}
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct --config ct.yaml lint
+
+      - name: Create kind cluster
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: helm/[email protected]
+
+      - name: Install cert-manager
+        if: steps.list-changed.outputs.changed == 'true'
+        run: |
+          kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.yaml
+          kubectl wait deployment -l app.kubernetes.io/instance=cert-manager -n cert-manager --for=condition=Available=True
+
+      - name: Run chart-testing (install)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct --config ct.yaml install
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # https://github.com/golangci/golangci-lint-action/issues/807
       #
@@ -19,7 +19,7 @@ jobs:
       # such error. Cache is to be enabled once the fix is available for
       # this issue.
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           cache: false
           go-version-file: "go.mod"
@@ -31,7 +31,7 @@ jobs:
           config: revive.toml
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v6
         with:
           version: latest
           args: --timeout=5m
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -25,40 +25,40 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: all
 
       - name: Build Artifacts
         run: make build
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v2.2.0
+        uses: docker/login-action@v3.3.0
         with:
           registry: ${{ env.IMAGE_REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - if: ${{ ! inputs.publish }}
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: latest
-          args: release --snapshot --rm-dist
+          args: release --snapshot --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # Just to make the .goreleaser.yml pass when not using `make ..` targets.
           IMG: img:local
 
       - if: ${{ inputs.publish }}
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # Just to make the .goreleaser.yml pass when not using `make ..` targets.

diff --git a/.github/workflows/pull-request-dependency-review.yaml b/.github/workflows/pull-request-dependency-review.yaml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/pull-request-labeler.yaml b/.github/workflows/pull-request-labeler.yaml
@@ -9,7 +9,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@v4
+    - uses: actions/labeler@v5
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
         sync-labels: true
diff --git a/.github/workflows/pull-request-lint.yaml b/.github/workflows/pull-request-lint.yaml
@@ -15,7 +15,7 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-      - uses: amannn/action-semantic-pull-request@v5.2.0
+      - uses: amannn/action-semantic-pull-request@v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with: