Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 12 additions & 3 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,15 @@ jobs:
- name: Coverage summary
run: go tool cover -func=coverage.out | tail -n 1

# Planned additional jobs (added with the steps that need them):
# * e2e (Tier 3): kind cluster + Helm install + real workloads — U1 milestone.
# * image: multi-arch (amd64/arm64) distroless build/publish — S1.4 / S3.3 (T5).
docs:
name: Documentation checks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: SPEC reference validation
run: bash scripts/verify-spec-refs.sh
- name: Doc link check
run: bash scripts/verify-doc-links.sh

# Tier 3 acceptance (U3) runs in .github/workflows/u3.yml.
# Release publishing runs in .github/workflows/release.yml (S3.3).
10 changes: 6 additions & 4 deletions .github/workflows/e2e.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,8 +41,9 @@ jobs:

- name: Build images
run: |
docker build -t kohen:e2e -f Dockerfile .
docker build -t kohen-e2e-gitserver:e2e -f test/e2e/gitserver/Dockerfile .
chmod +x scripts/ci-docker-retry.sh
scripts/ci-docker-retry.sh docker build -t kohen:e2e -f Dockerfile .
scripts/ci-docker-retry.sh docker build -t kohen-e2e-gitserver:e2e -f test/e2e/gitserver/Dockerfile .

- name: Load images into kind
run: |
Expand Down Expand Up @@ -108,8 +109,9 @@ jobs:

- name: Build images
run: |
docker build -t kohen:e2e -f Dockerfile .
docker build -t kohen-e2e-gitserver:e2e -f test/e2e/gitserver/Dockerfile .
chmod +x scripts/ci-docker-retry.sh
scripts/ci-docker-retry.sh docker build -t kohen:e2e -f Dockerfile .
scripts/ci-docker-retry.sh docker build -t kohen-e2e-gitserver:e2e -f test/e2e/gitserver/Dockerfile .

- name: Load images into kind
run: |
Expand Down
86 changes: 86 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
# SemVer release pipeline (PLAN S3.3): tagged releases publish multi-arch images,
# Helm chart artifacts, SBOM, and cosign signatures.
name: Release

on:
push:
tags:
- 'v*'

permissions:
contents: write
packages: write
id-token: write

jobs:
release:
name: Build & publish
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Parse version
id: ver
run: |
TAG="${GITHUB_REF_NAME#v}"
echo "version=${TAG}" >> "$GITHUB_OUTPUT"
echo "image=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"

- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3

- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build & push operator image
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ steps.ver.outputs.image }}:${{ steps.ver.outputs.version }}
${{ steps.ver.outputs.image }}:latest
sbom: true
provenance: mode=max

- uses: azure/setup-helm@v4
with:
version: v3.16.3

- name: Package Helm chart
run: |
sed -i "s/^version:.*/version: ${{ steps.ver.outputs.version }}/" deploy/helm/kohen/Chart.yaml
sed -i "s/^appVersion:.*/appVersion: \"${{ steps.ver.outputs.version }}\"/" deploy/helm/kohen/Chart.yaml
helm package deploy/helm/kohen -d dist/
helm push dist/kohen-${{ steps.ver.outputs.version }}.tgz \
oci://ghcr.io/${{ github.repository_owner }}/charts || \
echo "Helm OCI push skipped (registry may need setup)"

- name: Render manifest bundle
run: |
mkdir -p dist/manifests
helm template kohen deploy/helm/kohen --include-crds \
--namespace kohen-system > dist/manifests/kohen.yaml

- name: Install cosign
uses: sigstore/cosign-installer@v3

- name: Sign image
env:
COSIGN_EXPERIMENTAL: "1"
run: |
cosign sign --yes "${{ steps.ver.outputs.image }}:${{ steps.ver.outputs.version }}" || \
echo "cosign sign skipped (experimental keyless may be unavailable)"

- name: Upload release artifacts
uses: softprops/action-gh-release@v2
with:
files: |
dist/*.tgz
dist/manifests/kohen.yaml
generate_release_notes: true
204 changes: 204 additions & 0 deletions .github/workflows/u3.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,204 @@
# U3 acceptance gate (PLAN U3): full A1–A12 matrix on kind across Kubernetes
# minor versions and install methods. Gates v1.0 releases.
name: U3 Acceptance (kind)

on:
push:
branches: [main]
pull_request:
workflow_dispatch:

permissions:
contents: read

concurrency:
group: u3-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
IMG: kohen:e2e
GITSERVER_IMG: kohen-e2e-gitserver:e2e

jobs:
acceptance:
name: A1–A12 (${{ matrix.k8s }}, ${{ matrix.install }})
runs-on: ubuntu-latest
timeout-minutes: 45
strategy:
fail-fast: false
matrix:
k8s: [v1.31.0, v1.30.0]
install: [helm, manifests]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true

- name: Create kind cluster
uses: helm/[email protected]
with:
cluster_name: kohen
version: v0.24.0
node_image: kindest/node:${{ matrix.k8s }}

- uses: azure/setup-helm@v4
with:
version: v3.16.3

- name: Build images
run: |
chmod +x scripts/ci-docker-retry.sh
scripts/ci-docker-retry.sh docker build -t "$IMG" -f Dockerfile .
scripts/ci-docker-retry.sh docker build -t "$GITSERVER_IMG" -f test/e2e/gitserver/Dockerfile .
scripts/ci-docker-retry.sh docker pull busybox:1.36
kind load docker-image "$IMG" --name kohen
kind load docker-image "$GITSERVER_IMG" --name kohen
kind load docker-image busybox:1.36 --name kohen

- name: Install External Secrets Operator
run: |
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets external-secrets/external-secrets \
--namespace external-secrets --create-namespace \
--version 2.7.0 \
--set installCRDs=true \
--wait --timeout 5m

- name: Install Kohen (Helm)
if: matrix.install == 'helm'
run: |
helm install kohen deploy/helm/kohen \
--namespace kohen-system --create-namespace \
--set image.repository=kohen \
--set image.tag=e2e \
--set image.pullPolicy=Never \
--set operatorConfig.allowInsecureGitTLS=true \
--set operatorConfig.maxDegradedDuration=45s \
--set 'operatorConfig.secretStoreAllowList={fake-store}' \
--set 'operatorConfig.sourceAllowList={https://gitserver.}' \
--wait --timeout 4m

- name: Install Kohen (plain manifests)
if: matrix.install == 'manifests'
run: |
kubectl create namespace kohen-system --dry-run=client -o yaml | kubectl apply -f -
helm template kohen deploy/helm/kohen --include-crds \
--namespace kohen-system \
--set image.repository=kohen \
--set image.tag=e2e \
--set image.pullPolicy=Never \
--set operatorConfig.allowInsecureGitTLS=true \
--set operatorConfig.maxDegradedDuration=45s \
--set 'operatorConfig.secretStoreAllowList={fake-store}' \
--set 'operatorConfig.sourceAllowList={https://gitserver.}' \
> /tmp/kohen.yaml
kubectl apply -f /tmp/kohen.yaml
kubectl -n kohen-system rollout status deploy/kohen --timeout=4m

- name: Run U3 acceptance suite
env:
GITSERVER_IMAGE: ${{ env.GITSERVER_IMG }}
KOHEN_IMAGE: ${{ env.IMG }}
KOHEN_INSTALL_METHOD: ${{ matrix.install }}
run: make e2e-u3

- name: Dump diagnostics on failure
if: failure()
run: |
kubectl logs -n kohen-system deploy/kohen --tail=300 || true
kubectl get configsync -A -o yaml || true

namespaced-security:
name: A9 namespaced scope
runs-on: ubuntu-latest
timeout-minutes: 25
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true

- uses: helm/[email protected]
with:
cluster_name: kohen-ns
version: v0.24.0
node_image: kindest/node:v1.31.0

- uses: azure/setup-helm@v4
with:
version: v3.16.3

- name: Build & load image
run: |
chmod +x scripts/ci-docker-retry.sh
scripts/ci-docker-retry.sh docker build -t "$IMG" -f Dockerfile .
scripts/ci-docker-retry.sh docker build -t "$GITSERVER_IMG" -f test/e2e/gitserver/Dockerfile .
kind load docker-image "$IMG" --name kohen-ns
kind load docker-image "$GITSERVER_IMG" --name kohen-ns

- name: Install Kohen (namespaced scope)
run: |
helm install kohen deploy/helm/kohen \
--namespace kohen-system --create-namespace \
--set scope=namespaced \
--set image.repository=kohen \
--set image.tag=e2e \
--set image.pullPolicy=Never \
--set operatorConfig.allowInsecureGitTLS=true \
--wait --timeout 4m

- name: Security conformance (namespaced)
env:
GITSERVER_IMAGE: ${{ env.GITSERVER_IMG }}
KOHEN_SCOPE: namespaced
run: make e2e-security

uninstall:
name: A12 uninstall
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true

- uses: helm/[email protected]
with:
cluster_name: kohen-uninstall
version: v0.24.0
node_image: kindest/node:v1.31.0

- uses: azure/setup-helm@v4
with:
version: v3.16.3

- name: Build & load image
run: |
chmod +x scripts/ci-docker-retry.sh
scripts/ci-docker-retry.sh docker build -t "$IMG" -f Dockerfile .
scripts/ci-docker-retry.sh docker build -t "$GITSERVER_IMG" -f test/e2e/gitserver/Dockerfile .
kind load docker-image "$IMG" --name kohen-uninstall
kind load docker-image "$GITSERVER_IMG" --name kohen-uninstall

- name: Install Kohen
run: |
helm install kohen deploy/helm/kohen \
--namespace kohen-system --create-namespace \
--set image.repository=kohen \
--set image.tag=e2e \
--set image.pullPolicy=Never \
--set operatorConfig.allowInsecureGitTLS=true \
--wait --timeout 4m

- name: A12 uninstall journey
env:
GITSERVER_IMAGE: ${{ env.GITSERVER_IMG }}
KOHEN_ALLOW_UNINSTALL: "true"
run: |
go test -tags e2e -count=1 -timeout 15m -v -run '^TestU3OperatorUninstall$' ./test/e2e/...
38 changes: 38 additions & 0 deletions CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Contributor Covenant Code of Conduct

## Our Pledge

We pledge to make participation in our community a harassment-free experience for
everyone, regardless of age, body size, visible or invisible disability,
ethnicity, sex characteristics, gender identity and expression, level of
experience, education, socio-economic status, nationality, personal appearance,
race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to a positive environment:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior:

* The use of sexualized language or imagery, and sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting

## Enforcement

Project maintainers are responsible for clarifying standards and may take
appropriate corrective action in response to any behavior deemed inappropriate.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org),
version 2.1.
Loading
Loading