Hotfix release

.github/actionlint.yaml

@@ -0,0 +1,6 @@
+paths:
+  # This pattern matches any YAML file under the '.github/workflows/' directory.
+  .github/workflows/**/*.yaml:
+    ignore:
+      # Ignore the specific error from shellcheck
+      - 'shellcheck reported issue in this script: SC2086:.+'

.github/actions/repository/action.yaml

@@ -0,0 +1,34 @@
+name: "Modify Repository Name"
+description: "Outputs a modified repository name based on given inputs."
+inputs:
+  repository:
+    description: "The original repository name."
+    required: true
+  registry:
+    description: "The registry name."
+    required: true
+outputs:
+  repository:
+    description: "The modified repository name after applying rules."
+    value: ${{ steps.modify_repository.outputs.repository }}
+runs:
+  using: "composite"
+  steps:
+    - name: modify_repository
+      id: modify_repository
+      shell: bash
+      run: |
+        # Step 1: Convert repository name to lowercase
+        repository_lower=$(echo "${{ inputs.repository }}" | tr '[:upper:]' '[:lower:]')
+
+        # Initialize the modified repository with the lowercase name
+        modified_repository="$repository_lower"
+
+        # Step 2: If registry is docker.io and repository is lf-decentralized-trust-labs,
+        # remove the '-' characters from the repository name
+        if [ "${{ inputs.registry }}" = "docker.io" ] && [ "$repository_lower" = "lf-decentralized-trust-labs" ]; then
+          modified_repository=$(echo "$repository_lower" | sed 's/-//g')
+        fi
+
+        # Set the output
+        echo "repository=$modified_repository" >> $GITHUB_OUTPUT

.github/actions/workflows-validation/action.yaml

@@ -0,0 +1,10 @@
+name: "Validate Workflows Action"
+description: "A GitHub Action to validate workflows."
+
+runs:
+  using: docker
+  image: docker.io/rhysd/actionlint:latest
+
+branding:
+  color: "blue"
+  icon: "check-circle"

.github/workflows/build-chart.yaml

@@ -2,7 +2,49 @@ name: Operator Build
 
 on:
   workflow_call:
-
+    inputs:
+      paladin-image:
+        required: true
+        type: string
+      paladin-image-tag:
+        required: true
+        type: string
+      operator-image:
+        required: true
+        type: string
+      operator-image-tag:
+        required: true
+        type: string
+      build-operator:
+        required: false
+        type: boolean
+        default: false
+      build-paladin:
+        required: false
+        type: boolean
+        default: false
+  workflow_dispatch:
+    inputs:
+      paladin-image:
+        required: true
+        type: string
+      paladin-image-tag:
+        required: true
+        type: string
+      operator-image:
+        required: true
+        type: string
+      operator-image-tag:
+        required: true
+        type: string
+      build-operator:
+        required: false
+        type: boolean
+        default: false
+      build-paladin:
+        required: false
+        type: boolean
+        default: false
 jobs:
   operator-build:
     runs-on: ubuntu-latest
@@ -46,12 +88,12 @@ jobs:
           ./gradlew deploy \
             -PclusterName=${{ env.CLUSTER_NAME }} \
             -Pnamespace=${{ env.NAMESPACE }} \
-            -PbuildOperator=false \
-            -PbuildPaladin=false \
-            -PoperatorImageName=paladin.io/paladin-operator \
-            -PoperatorImageTag=test \
-            -PpaladinImageName=paladin.io/paladin \
-            -PpaladinImageTag=test 
+            -PbuildOperator=${{ inputs.build-operator }} \
+            -PbuildPaladin=${{ inputs.build-paladin }} \
+            -PoperatorImageName=${{ inputs.operator-image }} \
+            -PoperatorImageTag=${{ inputs.operator-image-tag }} \
+            -PpaladinImageName=${{ inputs.paladin-image }} \
+            -PpaladinImageTag=${{ inputs.paladin-image-tag }} 
 
       - name: Uninstall Operator
         run: |

.github/workflows/build-image.yaml

@@ -28,6 +28,11 @@ on:
         required: false
         type: boolean
         default: true
+      upload-artifact:
+        description: 'Upload the image as an artifact'
+        required: false
+        type: boolean
+        default: false
       platforms:
         description: 'Platforms to build for'
         required: false
@@ -78,19 +83,18 @@ jobs:
           registry: ${{ inputs.registry }}
           username: ${{ secrets.username }}
           password: ${{ secrets.password }}
-
-      - name: Set lower case image name
-        run: |
-          echo "IMAGE_LC=${IMAGE,,}" >>${GITHUB_ENV}
-        env:
-          IMAGE: ${{ inputs.registry }}/${{ inputs.image }}
 
       - name: Set build tag
         id: build_tag_generator
         run: |
           echo "BUILD_TAG=$(date +"%Y%m%d")-$GITHUB_RUN_NUMBER" >> $GITHUB_OUTPUT
           echo "BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_OUTPUT
 
+      - name: Set sanitized artifact name
+        run: echo "IMAGE_NAME_SANITIZED=${IMAGE//\//-}" >> $GITHUB_ENV
+        env:
+          IMAGE: ${{ inputs.image }}
+
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
@@ -99,18 +103,19 @@ jobs:
           builder: ${{ steps.buildx.outputs.name }}
           push: ${{ inputs.push }}
           platforms: ${{ inputs.platforms }}
-          tags: "${{ env.IMAGE_LC }}:${{ inputs.image_tag }}"
+          tags: "${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.image_tag }}"
           labels: |
             commit=${{ github.sha }}
             build_date=${{ steps.build_tag_generator.outputs.BUILD_DATE }}
             tag=${{ steps.build_tag_generator.outputs.BUILD_TAG }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          outputs: type=docker,dest=/tmp/${{ inputs.image }}-${{ github.sha }}.tar
+          outputs: type=docker,dest=/tmp/${{ env.IMAGE_NAME_SANITIZED }}-${{ github.sha }}.tar
 
       - name: Upload artifact
+        if: ${{ inputs.upload-artifact }}
         uses: actions/upload-artifact@v4
         with:
           name: ${{ inputs.image }}-${{ github.sha }}
-          path: /tmp/${{ inputs.image }}-${{ github.sha }}.tar
+          path: /tmp/${{ env.IMAGE_NAME_SANITIZED }}-${{ github.sha }}.tar
           retention-days: 1

.github/workflows/build-workflows.yaml

@@ -0,0 +1,16 @@
+# run only when workflows are triggered by a push event
+on:
+  pull_request:
+    paths:
+    - '.github/workflows/**'
+    - '.github/actions/**'
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Validate workflows
+        uses: ./.github/actions/workflows-validation

.github/workflows/cross-build-images.yaml

@@ -28,25 +28,41 @@ on:
         required: false
 
 jobs:
+  set-repository:
+    runs-on: ubuntu-latest
+    outputs:
+      repository: ${{ steps.modify_repo.outputs.repository }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set Repository Name
+        id: modify_repo
+        uses: ./.github/actions/repository
+        with:
+          repository: ${{ inputs.repository }}
+          registry: ${{ inputs.registry }}
+
   core-macos:
+    needs: set-repository
     uses: ./.github/workflows/build-image.yaml
     with:
       dockerfile: ./Dockerfile
       registry: ${{ inputs.registry }}
-      image: ${{ inputs.repository }}/paladin
+      image: ${{ needs.set-repository.outputs.repository }}/paladin
       image_tag: "${{ github.sha }}-arm64"
       push: ${{ inputs.push }}
       platforms: linux/arm64
       runs-on: ubuntu-latest
     secrets:
       username: ${{ secrets.username }}
       password: ${{ secrets.password }}
+
   core-ubuntu:
+    needs: set-repository
     uses: ./.github/workflows/build-image.yaml
     with:
       dockerfile: ./Dockerfile
       registry: ${{ inputs.registry }}
-      image: ${{ inputs.repository }}/paladin
+      image: ${{ needs.set-repository.outputs.repository }}/paladin
       image_tag: "${{ github.sha }}-amd64"
       push: ${{ inputs.push }}
       platforms: linux/amd64
@@ -56,24 +72,27 @@ jobs:
       password: ${{ secrets.password }}
 
   operator-ubuntu:
+    needs: set-repository
     uses: ./.github/workflows/build-image.yaml
     with:
       dockerfile: ./operator/Dockerfile
       registry: ${{ inputs.registry }}
-      image: ${{ inputs.repository }}/paladin-operator
+      image: ${{ needs.set-repository.outputs.repository }}/paladin-operator
       image_tag: ${{ github.sha }}-amd64
       push: ${{ inputs.push }}
       platforms: linux/amd64
       runs-on: ubuntu-latest
     secrets:
       username: ${{ secrets.username }}
       password: ${{ secrets.password }}
+
   operator-macos:
+    needs: set-repository
     uses: ./.github/workflows/build-image.yaml
     with:
       dockerfile: ./operator/Dockerfile
       registry: ${{ inputs.registry }}
-      image: ${{ inputs.repository }}/paladin-operator
+      image: ${{ needs.set-repository.outputs.repository }}/paladin-operator
       image_tag: ${{ github.sha }}-arm64
       push: ${{ inputs.push }}
       platforms: linux/arm64
@@ -84,20 +103,17 @@ jobs:
 
   core-docker-manifest:
     if: ${{ inputs.push }}
-    needs: [core-macos, core-ubuntu]
+    needs: [set-repository, core-macos, core-ubuntu]
     runs-on: ubuntu-latest
     env:
-      IMAGE: ${{ inputs.registry }}/${{ inputs.repository }}/paladin
+      IMAGE: ${{ inputs.registry }}/${{ needs.set-repository.outputs.repository }}/paladin
     steps:
       - uses: actions/checkout@v4
 
       - name: Set lower case image name
         run: |
-          LOWER_IMAGE=${IMAGE,,}
-          echo "IMAGE=$LOWER_IMAGE" >> $GITHUB_ENV
-          echo "TEMP_IMAGE=$LOWER_IMAGE:$GITHUB_SHA" >> $GITHUB_ENV
-          echo "Image: $LOWER_IMAGE"
-          echo "Temp image: $LOWER_IMAGE:$GITHUB_SHA"
+          echo "TEMP_IMAGE=$IMAGE:$GITHUB_SHA" >> $GITHUB_ENV
+          echo "Temp image: $IMAGE:$GITHUB_SHA"
 
       - name: Docker registry login
         uses: docker/login-action@v3
@@ -120,20 +136,17 @@ jobs:
 
   operator-docker-manifest:
     if: ${{ inputs.push }}
-    needs: [operator-macos, operator-ubuntu]
+    needs: [set-repository, operator-macos, operator-ubuntu]
     runs-on: ubuntu-latest
     env:
-      IMAGE: ${{ inputs.registry }}/${{ inputs.repository }}/paladin-operator
+      IMAGE: ${{ inputs.registry }}/${{ needs.set-repository.outputs.repository }}/paladin-operator
     steps:
       - uses: actions/checkout@v4
 
       - name: Set lower case image name
         run: |
-          LOWER_IMAGE=${IMAGE,,}
-          echo "IMAGE=$LOWER_IMAGE" >> $GITHUB_ENV
-          echo "TEMP_IMAGE=$LOWER_IMAGE:$GITHUB_SHA" >> $GITHUB_ENV
-          echo "Image: $LOWER_IMAGE"
-          echo "Temp image: $LOWER_IMAGE:$GITHUB_SHA"
+          echo "TEMP_IMAGE=$IMAGE:$GITHUB_SHA" >> $GITHUB_ENV
+          echo "Temp image: $IMAGE:$GITHUB_SHA"
 
       - name: Docker registry login
         uses: docker/login-action@v3
@@ -153,4 +166,3 @@ jobs:
             --amend $TEMP_IMAGE-amd64
             docker manifest push $IMAGE:$tag
           done
-

.github/workflows/docs.yaml

@@ -20,7 +20,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout source
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 

.github/workflows/paladin-PR-build.yml

@@ -6,7 +6,8 @@ permissions:
 
 on:
   push:
-    branches: [main]
+    branches: 
+      - main
     paths-ignore:
       - '**.md'
       - 'operator/charts/**'
@@ -56,6 +57,7 @@ jobs:
       image: paladin
       image_tag: test
       push: false
+      upload-artifact: true
       platforms: linux/amd64
       runs-on: ubuntu-latest
 
@@ -69,6 +71,7 @@ jobs:
         image: paladin-operator
         image_tag: test
         push: false
+        upload-artifact: true
         platforms: linux/amd64
         runs-on: ubuntu-latest
 
@@ -77,6 +80,11 @@ jobs:
     if: github.event_name == 'pull_request'
     needs: [core-image-build, operator-image-build]
     uses: ./.github/workflows/build-chart.yaml
+    with:
+      paladin-image: paladin.io/paladin
+      paladin-image-tag: test
+      operator-image: paladin.io/paladin-operator
+      operator-image-tag: test
 
   image-release:
     # run only on pushes to main or manual triggers