chore: refactor the build workflow for operators

Author: xeniape

config/retired_files.yaml

@@ -3,6 +3,5 @@
 # This is uncommented as I had issues with everything being deleted when this was just present as an empty key.
 # May be something to investigate.
 retired_files:
-  - .github/ISSUE_TEMPLATE/bug_report.yml
   - .readme/static/borrowed/sdp_overview.png
-  - bors.toml
+  - .github/workflows/build.yml

config/versions.yaml

@@ -30,3 +30,5 @@ python_version: 3.14
 # Usually the latest version should just work and as such the version here can
 # be bumped without any constraints.
 nix_pkg_manager_version: 2.30.0
+
+jinja2_cli_version: 0.8.2

template/.github/workflows/build.yaml.j2

@@ -0,0 +1,238 @@
+# =============
+# This file is automatically generated from the templates in stackabletech/operator-templating
+# DON'T MANUALLY EDIT THIS FILE
+# =============
+---
+name: Build {[ operator.name }] Artifacts
+
+permissions: {}
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - '[0-9][0-9].[0-9]+.[0-9]+-rc[0-9]+'
+      - '[0-9][0-9].[0-9]+.[0-9]+'
+  schedule:
+    # Run every Saturday morning: https://crontab.guru/#15_3_*_*_6
+    - cron: '15 3 * * 6'
+  pull_request:
+    paths:
+      - '.github/workflows/build.yaml'
+      - 'rust-toolchain.toml'
+      - '.dockerignore'
+      - 'deploy/**'
+      - '.cargo/**'
+      - 'docker/**'
+      - 'Cargo.*'
+      - '*.rs'
+
+env:
+  OPERATOR_NAME: "{[ operator.name }]"
+  RUST_NIGHTLY_TOOLCHAIN_VERSION: "{[ rust_nightly_version }]"
+  NIX_PKG_MANAGER_VERSION: "{[ nix_pkg_manager_version }]"
+  RUST_TOOLCHAIN_VERSION: "{[ rust_version }]"
+  HADOLINT_VERSION: "{[ hadolint_version }]"
+  PYTHON_VERSION: "{[ python_version }]"
+  CARGO_TERM_COLOR: always
+
+jobs:
+  cargo-udeps:
+    name: Run cargo-udeps
+    runs-on: ubuntu-latest
+    env:
+      RUSTC_BOOTSTRAP: 1
+    steps:
+      - name: Install host dependencies
+        uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3
+        with:
+          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
+          version: ubuntu-latest
+
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} toolchain
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
+        with:
+          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
+
+      - name: Setup Rust Cache
+        uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
+        with:
+          cache-all-crates: "true"
+          key: udeps
+
+      - name: Install cargo-udeps
+        uses: stackabletech/cargo-install-action@8f7dbbcd2ebe22717efc132d0dd61e80841994b9 # cargo-udeps
+
+      - name: Run cargo-udeps
+        run: cargo udeps --workspace --all-targets
+
+  build-container-image:
+    name: Build/Publish ${{ matrix.runner.arch }} Image
+    needs:
+      - cargo-udeps
+    permissions:
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        runner:
+          - { name: "ubuntu-latest", arch: "amd64" }
+          - { name: "ubicloud-standard-8-arm", arch: "arm64" }
+    runs-on: ${{ matrix.runner.name }}
+    outputs:
+      operator-version: ${{ steps.version.outputs.OPERATOR_VERSION }}
+    steps:
+      - name: Install host dependencies
+        uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # v1.5.3
+        with:
+          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
+          version: ${{ matrix.runner.name }}
+
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Update/Extract Operator Version
+        id: version
+        if: github.event_name == 'pull_request'
+        env:
+          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GITHUB_DEBUG: ${{ runner.debug }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          [ -n "$GITHUB_DEBUG" ] && set -x
+          CURRENT_VERSION=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[0].version')
+          if [ "$PR_BASE_REF" == 'main' ]; then
+            NEW_VERSION="0.0.0-pr$PR_NUMBER"
+          else
+            NEW_VERSION="$CURRENT_VERSION-pr$PR_NUMBER"
+          fi
+          sed -i "s/version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" Cargo.toml
+          echo "OPERATOR_VERSION=$NEW_VERSION" | tee -a "$GITHUB_OUTPUT"
+      - name: Install Nix
+        uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31.5.2
+
+      - name: Install Rust ${{ env.RUST_TOOLCHAIN_VERSION }} Toolchain
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
+        with:
+          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
+
+      - name: Build Container Image
+        id: build
+        uses: stackabletech/actions/build-container-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+        with:
+          image-name: ${{ env.OPERATOR_NAME }}
+          image-index-manifest-tag: ${{ steps.version.outputs.OPERATOR_VERSION }}
+          build-arguments: VERSION=${{ steps.version.outputs.OPERATOR_VERSION }}
+          container-file: docker/Dockerfile
+
+      - name: Publish Container Image
+        uses: stackabletech/actions/publish-image@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+        with:
+          image-registry-uri: oci.stackable.tech
+          image-registry-username: robot$sdp+github-action-build
+          image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+          image-repository: sdp/${{ env.OPERATOR_NAME }}
+          image-manifest-tag: ${{ steps.build.outputs.image-manifest-tag }}
+          source-image-uri: ${{ steps.build.outputs.image-manifest-uri }}
+
+  publish-index-manifest:
+    name: Publish/Sign ${{ needs.build-container-image.outputs.operator-version }} Index
+    needs:
+      - build-container-image
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Publish and Sign Image Index
+        uses: stackabletech/actions/publish-image-index-manifest@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+        with:
+          image-registry-uri: oci.stackable.tech
+          image-registry-username: robot$sdp+github-action-build
+          image-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+          image-repository: sdp/${{ env.OPERATOR_NAME }}
+          image-index-manifest-tag: ${{ needs.build-container-image.outputs.operator-version }}
+
+  publish-helm-chart:
+    name: Package/Publish ${{ needs.build-container-image.outputs.operator-version }} Helm Chart
+    needs:
+      - build-container-image
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Package, Publish, and Sign Helm Chart
+        uses: stackabletech/actions/publish-helm-chart@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+        with:
+          chart-registry-uri: oci.stackable.tech
+          chart-registry-username: robot$sdp-charts+github-action-build
+          chart-registry-password: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
+          chart-repository: sdp-charts
+          chart-directory: deploy/helm/${{ env.OPERATOR_NAME }}
+          chart-version: ${{ needs.build-container-image.outputs.operator-version }}
+          app-version: ${{ needs.build-container-image.outputs.operator-version }}
+
+  openshift-preflight-check:
+    name: Run OpenShift Preflight Check for ${{ needs.build-container-image.outputs.operator-version }}-${{ matrix.arch }}
+    needs:
+      - build-container-image
+      - publish-index-manifest
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run OpenShift Preflight Check
+        uses: stackabletech/actions/run-openshift-preflight@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+        with:
+          image-index-uri: oci.stackable.tech/sdp/${{ env.OPERATOR_NAME }}:${{ needs.build-container-image.outputs.operator-version }}
+          image-architecture: ${{ matrix.arch }}
+
+  notify:
+    name: Failure Notification
+    needs:
+      - build-container-image
+      - publish-index-manifest
+      - publish-helm-chart
+    runs-on: ubuntu-latest
+    if: failure() || github.run_attempt > 1
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Send Notification
+        uses: stackabletech/actions/send-slack-notification@976e8c293cb59f391dbf8563ab28e965e79ca36d # v0.10.4
+        with:
+          publish-helm-chart-result: ${{ needs.publish-helm-chart.result }}
+          publish-manifests-result: ${{ needs.publish-index-manifest.result }}
+          build-result: ${{ needs.build-container-image.result }}
+          slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+          channel-id: C07UG6JH44F # notifications-container-images
+          type: container-image-build

template/.github/workflows/pr_pre-commit.yaml.j2

@@ -11,6 +11,7 @@ env:
   RUST_TOOLCHAIN_VERSION: "{[ rust_nightly_version }]"
   HADOLINT_VERSION: "{[ hadolint_version }]"
   PYTHON_VERSION: "{[ python_version }]"
+  JINJA2_CLI_VERSION: "{[ jinja2_cli_version }]"
 
 jobs:
   pre-commit:
@@ -33,3 +34,4 @@ jobs:
           hadolint: ${{ env.HADOLINT_VERSION }}
           nix: ${{ env.NIX_PKG_MANAGER_VERSION }}
           nix-github-token: ${{ secrets.GITHUB_TOKEN }}
+          jinja2-cli: ${{ env.JINJA2_CLI_VERSION }}

template/.yamllint.yaml

@@ -13,3 +13,6 @@ rules:
   indentation:
     indent-sequences: consistent
   comments-indentation: disable # This is generally useless and interferes with commented example values
+  braces:
+    max-spaces-inside: 1
+    max-spaces-inside-empty: 0

template/Makefile.j2

@@ -9,17 +9,11 @@
 
 .PHONY: build publish
 
-TAG    := $(shell git rev-parse --short HEAD)
 OPERATOR_NAME := {[ operator.name }]
 VERSION := $(shell cargo metadata --format-version 1 | jq -r '.packages[] | select(.name=="stackable-${OPERATOR_NAME}") | .version')
-ARCH := $(shell uname -m | sed -e 's#x86_64#amd64#' | sed -e 's#aarch64#arm64#')
 
 OCI_REGISTRY_HOSTNAME := oci.stackable.tech
 OCI_REGISTRY_PROJECT_IMAGES := sdp
-OCI_REGISTRY_PROJECT_CHARTS := sdp-charts
-# This will be overwritten by an environmental variable if called from the github action
-HELM_CHART_NAME := ${OPERATOR_NAME}
-HELM_CHART_ARTIFACT := target/helm/${OPERATOR_NAME}-${VERSION}.tgz
 
 SHELL=/usr/bin/env bash -euo pipefail
 
@@ -33,73 +27,6 @@ render-docs:
 docker-build:
 	docker build --force-rm --build-arg VERSION=${VERSION} -t "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}" -f docker/Dockerfile .
 
-docker-publish:
-	# Push to Harbor
-	# We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
-	docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}'
-	DOCKER_OUTPUT=$$(docker push --all-tags '${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}');\
-	# Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\
-	REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}-${ARCH}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\
-	if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\
-		echo 'Could not find repo digest for container image: ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}';\
-		exit 1;\
-	fi;\
-	# This generates a signature and publishes it to the registry, next to the image\
-	# Uses the keyless signing flow with Github Actions as identity provider\
-	cosign sign -y "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
-	# Generate the SBOM for the operator image, this leverages the already generated SBOM for the operator binary by cargo-cyclonedx\
-	syft scan --output [email protected]=sbom.json --select-catalogers "-cargo-auditable-binary-cataloger,+sbom-cataloger" --scope all-layers --source-name "${OPERATOR_NAME}" --source-version "${VERSION}-${ARCH}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE";\
-	# Determine the PURL for the container image\
-	URLENCODED_REPO_DIGEST_OF_IMAGE=$$(echo "$$REPO_DIGEST_OF_IMAGE" | sed 's/:/%3A/g');\
-	PURL="pkg:oci/${OPERATOR_NAME}@$$URLENCODED_REPO_DIGEST_OF_IMAGE?arch=${ARCH}&repository_url=${OCI_REGISTRY_HOSTNAME}%2F${OCI_REGISTRY_PROJECT_IMAGES}%2F${OPERATOR_NAME}";\
-	# Get metadata from the image\
-	IMAGE_DESCRIPTION=$$(docker inspect --format='{{.Config.Labels.description}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
-	IMAGE_NAME=$$(docker inspect --format='{{.Config.Labels.name}}' "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-${ARCH}");\
-	# Merge the SBOM with the metadata for the operator\
-	jq -s '{"metadata":{"component":{"description":"'"$$IMAGE_NAME. $$IMAGE_DESCRIPTION"'","supplier":{"name":"Stackable GmbH","url":["https://stackable.tech/"]},"author":"Stackable GmbH","purl":"'"$$PURL"'","publisher":"Stackable GmbH"}}} * .[0]' sbom.json > sbom.merged.json;\
-	# Attest the SBOM to the image\
-	cosign attest -y --predicate sbom.merged.json --type cyclonedx "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}@$$REPO_DIGEST_OF_IMAGE"
-
-# This assumes "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64 and "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64 are built and pushed
-docker-manifest-list-build:
-	docker manifest create "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-amd64" --amend "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}-arm64"
-
-docker-manifest-list-publish:
-	# Push to Harbor
-	# We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
-	docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}'
-	DIGEST_HARBOR=$$(docker manifest push "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}");\
-	# Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...);\
-	# This generates a signature and publishes it to the registry, next to the image\
-	# Uses the keyless signing flow with Github Actions as identity provider\
-	cosign sign -y "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}@$$DIGEST_HARBOR"
-
-# TODO remove if not used/needed
-docker: docker-build docker-publish
-
-print-docker-tag:
-	@echo "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}"
-
-helm-publish:
-	# Push to Harbor
-	# We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot)
-	helm registry login --username '${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}'
-	# Obtain the digest of the pushed artifact from the output of `helm push`, because signing by tag is deprecated and will be removed from cosign in the future\
-	HELM_OUTPUT=$$(helm push '${HELM_CHART_ARTIFACT}' 'oci://${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}' 2>&1);\
-	REPO_DIGEST_OF_ARTIFACT=$$(echo "$$HELM_OUTPUT" | awk '/^Digest: sha256:[0-9a-f]{64}$$/ { print $$2 }');\
-	if [ -z "$$REPO_DIGEST_OF_ARTIFACT" ]; then\
-		echo 'Could not find repo digest for helm chart: ${HELM_CHART_NAME}';\
-		exit 1;\
-	fi;\
-	# Login to Harbor, needed for cosign to be able to push the signature for the Helm chart\
-	docker login --username '${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}';\
-	# This generates a signature and publishes it to the registry, next to the chart artifact\
-	# Uses the keyless signing flow with Github Actions as identity provider\
-	cosign sign -y "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}/${HELM_CHART_NAME}@$$REPO_DIGEST_OF_ARTIFACT"
-
-helm-package:
-	mkdir -p target/helm && helm package --destination target/helm deploy/helm/${OPERATOR_NAME}
-
 ## Chart related targets
 compile-chart: version crds config
 
@@ -133,14 +60,7 @@ regenerate-charts: chart-clean compile-chart
 regenerate-nix:
 	nix run --extra-experimental-features "nix-command flakes" -f . regenerateNixLockfiles
 
-build: regenerate-charts regenerate-nix helm-package docker-build
-
-# This target is used by the CI
-# It doesn't make use of any nix dependencies and thus aviods building the
-# operator unnecessarily often.
-build-ci: regenerate-charts helm-package docker-build
-
-publish: docker-publish helm-publish
+build: regenerate-charts regenerate-nix docker-build
 
 check-nix:
 	@which nix || (echo "Error: 'nix' is not installed. Please install it to proceed."; exit 1)

template/docker/Dockerfile.j2

@@ -21,6 +21,8 @@ FROM oci.stackable.tech/sdp/ubi9-rust-builder:latest AS builder
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS operator
 
 ARG VERSION
+# NOTE (@Techassi): This is required for OpenShift/Red Hat certification
+# Keeping this as "1" seems to be fine since a couple of years /shrug
 ARG RELEASE="1"
 
 # These are chosen at random and are this high on purpose to have very little chance to clash with an existing user or group on the host system