Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 32 additions & 10 deletions .github/workflows/e2e-ginkgo.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,6 @@ permissions:
pull-requests: write

on:
release:
types: [created]
workflow_dispatch:
inputs:
ginkgo-label:
Expand Down Expand Up @@ -44,7 +42,9 @@ env:
jobs:
parse_label-filter:
name: Parse label filter and check if tests should run
if: github.repository_owner == 'loft-sh' # do not run on forks
# do not run on forks
if: >-
!cancelled() && github.repository_owner == 'loft-sh'
runs-on: ubuntu-22.04

outputs:
Expand All @@ -63,11 +63,19 @@ jobs:
with:
pr-body: ${{ github.event.pull_request.body }}
previous-pr-body: ${{ github.event.changes.body.from }}
event-name: ${{ github.event_name }}
# A release-validation dispatch runs at refs/tags/<version>; treat it
# like the old release:created path so the label filter resolves
# identically. A manual branch dispatch uses the ginkgo-label input;
# a PR uses pull_request.
event-name: ${{ startsWith(github.ref, 'refs/tags/') && 'release' || github.event_name }}
event-action: ${{ github.event.action }}
label-filter-input: ${{ inputs.ginkgo-label }}

detect_changes:
# PR-only: the release path is a workflow_dispatch --ref <tag> dispatch that
# always validates and bypasses change detection; entry jobs break
# skip-propagation with !cancelled().
if: github.event_name == 'pull_request'
needs: [parse_label-filter]
uses: loft-sh/github-actions/.github/workflows/detect-changes.yaml@detect-changes/v1
with:
Expand All @@ -86,8 +94,13 @@ jobs:

build:
runs-on: ubuntu-latest
if: github.repository_owner == 'loft-sh' && needs.detect_changes.outputs.has_changed == 'true'
needs: detect_changes
if: >-
!cancelled() && github.repository_owner == 'loft-sh' &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
github.event_name == 'workflow_dispatch'
)
needs: [detect_changes]
steps:
- name: Checkout repository
uses: actions/checkout@v5
Expand Down Expand Up @@ -133,8 +146,13 @@ jobs:


download-latest-cli:
needs: detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
needs: [detect_changes]
if: >-
!cancelled() &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
github.event_name == 'workflow_dispatch'
)
name: Download the latest vCluster cli
runs-on: ubuntu-latest
steps:
Expand All @@ -154,9 +172,13 @@ jobs:
- build
- parse_label-filter
- detect_changes
if: >
if: >-
!cancelled() && needs.build.result == 'success' &&
needs.parse_label-filter.outputs.skip-edited != 'true' &&
needs.detect_changes.outputs.has_changed == 'true'
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
github.event_name == 'workflow_dispatch'
)
runs-on: large-8_32
permissions:
id-token: write # needed for OIDC → AWS
Expand Down
47 changes: 37 additions & 10 deletions .github/workflows/e2e.yaml
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
name: E2E CI

on:
release:
types: [created]
pull_request:
branches:
- main
Expand All @@ -22,24 +20,33 @@

jobs:
detect_changes:
# PR-only: the release path is a workflow_dispatch --ref <tag> dispatch that
# always validates, so it bypasses change detection. Entry jobs break the
# skip-propagation with !cancelled().
if: github.event_name == 'pull_request'
uses: loft-sh/github-actions/.github/workflows/detect-changes.yaml@detect-changes/v1
with:
paths: |
- "go.mod"
- "go.sum"
- "**.go"
- "!**_test.go" # exclude test files to ignore unit test changes
- "test/**" # include test files in e2e again
- "!e2e/**" # exclude e2e tests
- "!**.md"
- "Dockerfile.release"
- ".github/workflows/e2e.yaml"
- "chart/**"
- "manifests/**"
build:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
runs-on: ubuntu-latest
if: github.repository_owner == 'loft-sh' && needs.detect_changes.outputs.has_changed == 'true'
needs: detect_changes
if: >-
!cancelled() && github.repository_owner == 'loft-sh' &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
github.event_name == 'workflow_dispatch'
)
needs: [detect_changes]
steps:
- name: Checkout repository
uses: actions/checkout@v6
Expand Down Expand Up @@ -84,35 +91,45 @@
retention-days: 7

get-testsuites-dir:
needs: detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
needs: [detect_changes]
if: >-
!cancelled() &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
github.event_name == 'workflow_dispatch'
)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- id: set-paths-matrix
run: |
set -x
sudo apt-get install -y jq
EXCLUDE="e2e e2e_ha e2e_isolation_mode e2e_metrics_proxy e2e_node e2e_rootless e2e_scheduler"
paths=()
for dir in ./test/e2e*; do
suite_name=$(basename "$dir")
if echo "$EXCLUDE" | grep -qw "$suite_name"; then
continue
fi
paths+=("$dir")
done
echo "matrix=$(printf '%s\n' "${paths[@]}" | jq -R . | jq -cs .)" >> "$GITHUB_OUTPUT"
outputs:
matrix: ${{ steps.set-paths-matrix.outputs.matrix }}

vcluster-install-delete:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Install and delete virtual cluster
needs:
- build
- detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() && needs.build.result == 'success' &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
github.event_name == 'workflow_dispatch'
)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
Expand Down Expand Up @@ -168,28 +185,38 @@
./hack/vcluster-install-scripts/test-helm-install.sh

download-latest-cli:
needs: detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
needs: [detect_changes]
if: >-
!cancelled() &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
github.event_name == 'workflow_dispatch'
)
name: Download the latest vCluster cli
runs-on: ubuntu-latest
steps:
- name: download current cli
run: |
curl -L -o vcluster-current "https://github.com/loft-sh/vcluster/releases/latest/download/vcluster-linux-amd64"
- name: Upload vcluster cli to artifact
uses: actions/upload-artifact@v6
with:
name: vcluster-current
path: ./vcluster-current
retention-days: 7

upgrade-test:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
name: test if we can upgrade from older version
needs:
- build
- download-latest-cli
- detect_changes
if: needs.detect_changes.outputs.has_changed == 'true'
if: >-
!cancelled() && needs.build.result == 'success' && needs.download-latest-cli.result == 'success' &&
(
(github.event_name == 'pull_request' && needs.detect_changes.outputs.has_changed == 'true') ||
github.event_name == 'workflow_dispatch'
)
runs-on: ubuntu-latest
strategy:
fail-fast: false
Expand Down
47 changes: 40 additions & 7 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
@@ -1,20 +1,26 @@
name: Release

# Builder for the vCluster release pipeline (DEVOPS-1050). The GitHub Release is
# a pipeline OUTPUT, not a trigger: goreleaser creates it at the end of a green
# build. This workflow is dispatched by the loft-sh/github-actions
# vcluster-release action via `gh workflow run release.yaml --ref <tag>`, so
# github.ref is refs/tags/<version> and github.ref_name is the version. It no
# longer triggers on release:created, so a monorepo-created OSS release can never
# re-trigger this builder.
on:
release:
types: [created]
workflow_dispatch:

jobs:
check_minimum_version_tag:
if: github.repository_owner == 'loft-sh'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
if: ${{ !contains(github.event.release.tag_name, '-') }}
if: ${{ !contains(github.ref_name, '-') }}
with:
ref: ${{ github.event.release.tag_name }}
ref: ${{ github.ref_name }}
- name: Validate MinimumVersionTag is stable
if: ${{ !contains(github.event.release.tag_name, '-') }}
if: ${{ !contains(github.ref_name, '-') }}
run: |
MINIMUM_VERSION_TAG=$(grep -oP 'MinimumVersionTag\s*=\s*"\Kv[^"]+' pkg/platform/version.go)
if [[ ! "$MINIMUM_VERSION_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
Expand Down Expand Up @@ -72,7 +78,10 @@ jobs:
run: |
RELEASE_VERSION=$(echo "$GITHUB_REF" | sed -nE 's!refs/tags/!!p')
echo "release_version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
echo "previous_tag=$(git describe --abbrev=0 --tags "$(git rev-list --tags --skip=1 --max-count=1)")" >> "$GITHUB_OUTPUT"
# Branch-local previous tag: the tag reachable from this commit's
# parent on THIS branch, not the global latest tag (which would be
# wrong on a release branch). See DEVOPS-1050.
echo "previous_tag=$(git describe --tags --abbrev=0 --match 'v*' "${GITHUB_SHA}^" 2>/dev/null || true)" >> "$GITHUB_OUTPUT"
- name: Validate semver
id: semver
uses: loft-sh/github-actions/.github/actions/semver-validation@semver-validation/v1
Expand Down Expand Up @@ -228,6 +237,30 @@ jobs:
github-token: ${{ secrets.GH_ACCESS_TOKEN }}
linear-token: ${{ secrets.LINEAR_TOKEN }}

trigger-validators:
needs: [publish]
if: ${{ success() && github.repository_owner == 'loft-sh' && !contains(needs.publish.outputs.release_version, '-next') }}
runs-on: ubuntu-latest
permissions:
actions: write
contents: read
steps:
- name: Dispatch release validators at the built tag
env:
GH_TOKEN: ${{ github.token }}
VERSION: ${{ needs.publish.outputs.release_version }}
run: |
# Run each validator's OWN version at the built tag (per-line consistent).
# Each validator exists on the default branch (dispatchable) and carries a
# workflow_dispatch trigger in the tag's tree (true for lines cut from main).
for wf in e2e.yaml e2e-ginkgo.yaml unit-tests.yaml; do
if gh workflow run "$wf" --repo "$GITHUB_REPOSITORY" --ref "$VERSION"; then
echo "dispatched $wf @ $VERSION"
else
echo "::warning::could not dispatch $wf @ $VERSION (missing or no workflow_dispatch at tag)"
fi
done

notify_failure:
if: ${{ always() && contains(needs.*.result, 'failure') && github.repository_owner == 'loft-sh' }}
needs:
Expand All @@ -239,7 +272,7 @@ jobs:
contents: read
uses: loft-sh/github-actions/.github/workflows/notify-release.yaml@release-notification/v2
with:
release_version: ${{ github.event.release.tag_name }}
release_version: ${{ github.ref_name }}
target_repo: ${{ github.repository }}
product: vCluster
status: failure
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/unit-tests.yaml
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
name: Unit tests

on:
release:
types: [created]
workflow_dispatch:
pull_request:
branches:
- main
Expand All @@ -23,7 +22,8 @@ concurrency:
jobs:
helm-unit-tests:
name: Execute all helm tests
if: github.repository_owner == 'loft-sh' # do not run on forks
# do not run on forks
if: github.repository_owner == 'loft-sh'
runs-on: ubuntu-latest
steps:
- name: Checkout
Expand All @@ -37,7 +37,8 @@ jobs:

go-unit-test:
name: Execute all go tests
if: github.repository_owner == 'loft-sh' # do not run on forks
# do not run on forks
if: github.repository_owner == 'loft-sh'
runs-on: ubuntu-22.04
steps:
- name: Check out code into the Go module directory
Expand Down
Loading