chore: Update templated files (26d779f) #2600

Workflow file for this run

	# =============
	# This file is automatically generated from the templates in stackabletech/operator-templating
	# DON'T MANUALLY EDIT THIS FILE
	# =============
	---
	name: Stackable Build Pipeline

	on:
	push:
	branches:
	- main
	- staging
	- trying
	- "renovate/**"
	tags:
	- '[0-9][0-9].[0-9]+.[0-9]+'
	- '[0-9][0-9].[0-9]+.[0-9]+-rc[0-9]+'
	pull_request:
	merge_group:
	schedule:
	# Run every Saturday morning: https://crontab.guru/#15_3___6
	- cron: '15 3 * * 6'
	workflow_dispatch:

	env:
	CARGO_TERM_COLOR: always
	CARGO_INCREMENTAL: '0'
	CARGO_PROFILE_DEV_DEBUG: '0'
	RUST_TOOLCHAIN_VERSION: "1.89.0"
	RUST_NIGHTLY_TOOLCHAIN_VERSION: "nightly-2025-10-23"
	PYTHON_VERSION: "3.14"
	RUSTFLAGS: "-D warnings"
	RUSTDOCFLAGS: "-D warnings"
	RUST_LOG: "info"

	jobs:
	# Identify unused dependencies
	run_udeps:
	name: Run Cargo Udeps
	runs-on: ubuntu-latest
	env:
	RUSTC_BOOTSTRAP: 1
	steps:
	- name: Install host dependencies
	uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
	with:
	packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
	version: ubuntu-latest
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false
	submodules: recursive
	- uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921
	with:
	toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
	- uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
	with:
	key: udeps
	cache-all-crates: "true"
	- uses: stackabletech/cargo-install-action@cargo-udeps
	- run: cargo udeps --workspace --all-targets

	# This job evaluates the github environment to determine why this action is running and decides if
	# Helm charts are published based on this.
	#
	# The following scenarios are identified:
	# - all pull requests land are published:
	# condition: github.event_name == "pull_request"
	#
	# - all tagged releases are published:
	# condition: github.event_name == 'push' & github.ref.startswith('refs/tags/')
	#
	# - all pushes to main (i.e. PR-merges) and all scheduled/manual workflow runs on main land are published:
	# condition: ( github.event_name == 'push' \| github.event_name == 'schedule' \| github.event_name == 'workflow_dispatch' ) & github.ref == 'refs/heads/main'
	#
	# Any other scenarios (e.g. when a branch is created/pushed) will cause the publish step to be skipped, most commonly this is expected to happen for the
	# branches that the GitHub merge queue feature uses internally for which the checks need to run, but we do not want artifacts to be published.
	check_helm_publish:
	name: Decide if Helm charts are pushed to the helm repository based on action trigger
	runs-on: ubuntu-latest
	outputs:
	skip_helm: ${{ steps.checkhelmpublish.outputs.skip_helm }}
	steps:
	- id: checkhelmpublish
	env:
	TRIGGER: ${{ github.event_name }}
	GITHUB_REF: ${{ github.ref }}
	run: \|
	if [[ "$TRIGGER" == "pull_request" ]]; then
	echo "skip_helm=false" >> "$GITHUB_OUTPUT"
	elif [[ ( "$TRIGGER" == "push" \|\| "$TRIGGER" == "schedule" \|\| "$TRIGGER" == "workflow_dispatch" ) && "$GITHUB_REF" == "refs/heads/main" ]]; then
	echo "skip_helm=false" >> "$GITHUB_OUTPUT"
	elif [[ "$TRIGGER" == "push" && $GITHUB_REF == refs/tags/* ]]; then
	echo "skip_helm=false" >> "$GITHUB_OUTPUT"
	else
	echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF"
	echo "skip_helm=true" >> "$GITHUB_OUTPUT"
	fi

	# TODO (@Techassi): Most of these publishing and signing tasks can be done by our own actions.
	# Make use of them just like we do in docker-images.
	package_and_publish:
	name: Package Charts, Build Docker Image and publish them - ${{ matrix.runner }}
	needs:
	- run_udeps
	- check_helm_publish
	strategy:
	matrix:
	runner: ["ubuntu-latest", "ubicloud-standard-8-arm"]
	runs-on: ${{ matrix.runner }}
	timeout-minutes: 120
	permissions:
	id-token: write
	env:
	OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
	OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build"
	OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
	OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build"
	if: needs.check_helm_publish.outputs.skip_helm != 'true'
	outputs:
	IMAGE_TAG: ${{ steps.printtag.outputs.IMAGE_TAG }}
	steps:
	- name: Install host dependencies
	uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
	with:
	packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
	version: ${{ matrix.runner }}
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false
	submodules: recursive
	- uses: cachix/install-nix-action@fd24c48048070c1be9acd18c9d369a83f0fe94d7 # v31.8.1
	- uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921
	with:
	toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
	components: rustfmt
	# This step checks if the current run was triggered by a push to a pr (or a pr being created).
	# If this is the case it changes the version of this project in all Cargo.toml files to include the suffix
	# "-pr<prnumber>" so that the published artifacts can be linked to this PR.
	- uses: stackabletech/cargo-install-action@main
	with:
	crate: cargo-edit
	bin: cargo-set-version
	- name: Update version if PR against main branch
	if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' }}
	env:
	PR_NUMBER: ${{ github.event.pull_request.number }}
	run: \|
	PR_VERSION="0.0.0-pr${PR_NUMBER}"
	cargo set-version --offline --workspace "$PR_VERSION"
	- name: Update version if PR against non-main branch
	# For PRs to be merged against a release branch, use the version that has already been set in the calling script.
	# We can't rely on cargo set-version here as we will break semver rules when changing the version to make it
	# specific to this PR e.g. 1.2.0 --> 1.2.0-pr678, so set it manually.
	if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref != 'main' }}
	env:
	PR_NUMBER: ${{ github.event.pull_request.number }}
	shell: bash
	run: \|
	set -euo pipefail

	MANIFEST_VERSION=$(cargo metadata --format-version 1 --no-deps \| jq -r '.packages[0].version')
	PR_VERSION="${MANIFEST_VERSION}-pr${PR_NUMBER}"
	sed -i "s/version = \"${MANIFEST_VERSION}\"/version = \"${PR_VERSION}\"/" Cargo.toml

	# Recreate charts and publish charts and docker image.
	- name: Install cosign
	uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
	- name: Install syft
	uses: anchore/sbom-action/download-syft@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
	- name: Build Docker image and Helm chart
	run: \|
	# Installing helm and yq on ubicloud-standard-8-arm only
	if [ "$(arch)" = "aarch64" ]; then
	curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey \| gpg --dearmor \| sudo tee /usr/share/keyrings/helm.gpg > /dev/null
	echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \| sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
	sudo apt-get -y update
	sudo apt-get -y install helm
	sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq
	fi

	make build
	- name: Publish Docker image and Helm chart
	if: ${{ !github.event.pull_request.head.repo.fork }}
	run: \|
	# We want to publish helmcharts only once as they have a common name, while still publishing both images with architecture specific tags
	if [ "$(uname -m)" = "x86_64" ]; then
	make publish
	else
	make docker-publish
	fi
	# Output the name of the published image to the Job output for later use
	- id: printtag
	name: Output image name and tag
	if: ${{ !github.event.pull_request.head.repo.fork }}
	run: echo "IMAGE_TAG=$(make print-docker-tag)" >> "$GITHUB_OUTPUT"

	create_manifest_list:
	name: Build and publish manifest list
	if: ${{ !github.event.pull_request.head.repo.fork }}
	needs:
	- package_and_publish
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	env:
	OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
	OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build"
	OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
	OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build"
	steps:
	- name: Install cosign
	uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
	- name: Checkout
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false
	submodules: recursive
	# This step checks if the current run was triggered by a push to a pr (or a pr being created).
	# If this is the case it changes the version of this project in all Cargo.toml files to include the suffix
	# "-pr<prnumber>" so that the published artifacts can be linked to this PR.
	- uses: stackabletech/cargo-install-action@main
	with:
	crate: cargo-edit
	bin: cargo-set-version
	- name: Update version if PR against main branch
	if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'main' }}
	env:
	PR_NUMBER: ${{ github.event.pull_request.number }}
	run: \|
	PR_VERSION="0.0.0-pr${PR_NUMBER}"
	cargo set-version --offline --workspace "$PR_VERSION"
	- name: Update version if PR against non-main branch
	# For PRs to be merged against a release branch, use the version that has already been set in the calling script.
	# We can't rely on cargo set-version here as we will break semver rules when changing the version to make it
	# specific to this PR e.g. 1.2.0 --> 1.2.0-pr678, so set it manually.
	if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.ref != 'main' }}
	env:
	PR_NUMBER: ${{ github.event.pull_request.number }}
	shell: bash
	run: \|
	set -euo pipefail

	MANIFEST_VERSION=$(cargo metadata --format-version 1 --no-deps \| jq -r '.packages[0].version')
	PR_VERSION="${MANIFEST_VERSION}-pr${PR_NUMBER}"
	sed -i "s/version = \"${MANIFEST_VERSION}\"/version = \"${PR_VERSION}\"/" Cargo.toml
	- name: Build manifest list
	run: \|
	# Creating manifest list
	make -e docker-manifest-list-build
	# Pushing and signing manifest list
	make -e docker-manifest-list-publish

	openshift_preflight:
	name: Run the OpenShift Preflight check on the published images
	if: ${{ !github.event.pull_request.head.repo.fork }}
	needs:
	- create_manifest_list
	- package_and_publish
	runs-on: ubuntu-latest
	env:
	IMAGE_TAG: ${{ needs.package_and_publish.outputs.IMAGE_TAG }}
	steps:
	- name: Install preflight
	run: \|
	wget https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.10.0/preflight-linux-amd64
	chmod +x preflight-linux-amd64
	- name: Check container
	run: \|
	ARCH_FOR_PREFLIGHT="$(arch \| sed -e 's#x86_64#amd64#' \| sed -e 's#aarch64#arm64#')"
	./preflight-linux-amd64 check container "$IMAGE_TAG" --platform "${ARCH_FOR_PREFLIGHT}" > preflight.out
	- name: "Passed?"
	run: '[ "$(jq -r .passed < preflight.out)" == true ]'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

chore: Update templated files (26d779f) #2600

Workflow file

chore: Update templated files (26d779f) #2600

Uh oh!

Jobs

Run details

Workflow file for this run