.github/workflows/build.yml

# =============
# This file is automatically generated from the templates in stackabletech/operator-templating
# DON'T MANUALLY EDIT THIS FILE
# =============
---
name: Stackable Build Pipeline

on:
  push:
    branches:
      - main
      - staging
      - trying
      - "renovate/**"
    tags:
      - '[0-9][0-9].[0-9]+.[0-9]+'
  pull_request:
  merge_group:

env:
  CARGO_TERM_COLOR: always
  CARGO_INCREMENTAL: '0'
  CARGO_PROFILE_DEV_DEBUG: '0'
  RUST_TOOLCHAIN_VERSION: "1.76.0"
  RUSTFLAGS: "-D warnings"
  RUSTDOCFLAGS: "-D warnings"
  RUST_LOG: "info"
  DEV_REPO_HELM_URL: https://repo.stackable.tech/repository/helm-dev
  TEST_REPO_HELM_URL: https://repo.stackable.tech/repository/helm-test
  STABLE_REPO_HELM_URL: https://repo.stackable.tech/repository/helm-stable

jobs:
  # Identify unused dependencies
  run_udeps:
    name: Run Cargo Udeps
    runs-on: ubuntu-latest
    env:
      RUSTC_BOOTSTRAP: 1
    steps:
      - name: Install host dependencies
        uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1
        with:
          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
          version: 1.0
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
      - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1
        with:
          key: udeps
          cache-all-crates: "true"
      - uses: stackabletech/cargo-install-action@cargo-udeps
      - run: cargo udeps --workspace

  # This job evaluates the github environment to determine why this action is running and selects the appropriate
  # target repository for published Helm charts based on this.
  #
  # The following scenarios are identified:
  #    - all pull requests land in the test repository:
  #        condition: github.event_name == "pull_request"
  #        repository: test
  #
  #    - all tagged releases land in stable:
  #         condition: github.event_name == 'create' & github.ref.startswith('refs/tags/')
  #         repository: stable
  #
  #    - all pushes to main (i.e. PR-merges) land in dev:
  #         condition: github.event_name == 'push' & github.ref == 'refs/heads/main'
  #         repository: dev
  #
  # Any other scenarios (e.g. when a branch is created/pushed) will cause the publish step to be skipped, most commonly this is expected to happen for the
  # branches that the GitHub merge queue feature uses internally for which the checks need to run, but we do not want artifacts to be published.
  select_helm_repo:
    name: Select target helm repository based on action trigger
    runs-on: ubuntu-latest
    outputs:
      helm_repository: ${{ steps.selecthelmrepo.outputs.helm_repo }}
    steps:
      - id: selecthelmrepo
        env:
          TRIGGER: ${{ github.event_name }}
          GITHUB_REF: ${{ github.ref }}
        run: |
          if [[ $TRIGGER == "pull_request" ]]; then
            echo "exporting test as target helm repo: ${{ env.TEST_REPO_HELM_URL }}"
            echo "helm_repo=${{ env.TEST_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
          elif [[ $TRIGGER == "push" && $GITHUB_REF == "refs/heads/main" ]]; then
            echo "exporting dev as target helm repo: ${{ env.DEV_REPO_HELM_URL }}"
            echo "helm_repo=${{ env.DEV_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
          elif [[ ( $TRIGGER == "create" || $TRIGGER == "push" ) && $GITHUB_REF == refs/tags/* ]]; then
            echo "exporting stable as target helm repo: ${{ env.STABLE_REPO_HELM_URL }}"
            echo "helm_repo=${{ env.STABLE_REPO_HELM_URL }}" >> $GITHUB_OUTPUT
          else
            echo "Unknown trigger and ref combination encountered, skipping publish step: $TRIGGER $GITHUB_REF"
            echo "helm_repo=skip" >> $GITHUB_OUTPUT
          fi

  run_cargodeny:
    name: Run Cargo Deny
    runs-on: ubuntu-latest
    strategy:
      matrix:
        checks:
          - advisories
          - bans licenses sources

    # Prevent sudden announcement of a new advisory from failing ci:
    continue-on-error: ${{ matrix.checks == 'advisories' }}

    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - uses: EmbarkStudios/cargo-deny-action@1e59595bed8fc55c969333d08d7817b36888f0c5 # v1.5.5
        with:
          command: check ${{ matrix.checks }}

  run_rustfmt:
    name: Run Rustfmt
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
          components: rustfmt
      - run: cargo fmt --all -- --check

  run_clippy:
    name: Run Clippy
    runs-on: ubuntu-latest
    steps:
      - name: Install host dependencies
        uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1
        with:
          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
          version: 1.0
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
          components: clippy
      - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1
        with:
          key: clippy
          cache-all-crates: "true"
      - name: Run clippy action to produce annotations
        uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1.0.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        if: env.GITHUB_TOKEN != null
        with:
          clippy_flags: --all-targets -- -D warnings
          reporter: 'github-pr-review'
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run clippy manually without annotations
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        if: env.GITHUB_TOKEN == null
        run: cargo clippy --color never -q --all-targets -- -D warnings

  run_rustdoc:
    name: Run RustDoc
    runs-on: ubuntu-latest
    steps:
      - name: Install host dependencies
        uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1
        with:
          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
          version: 1.0
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
          components: rustfmt
      - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1
        with:
          key: doc
          cache-all-crates: "true"
      - run: cargo doc --document-private-items

  run_tests:
    name: Run Cargo Tests
    runs-on: ubuntu-latest
    steps:
      - name: Install host dependencies
        uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1
        with:
          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
          version: 1.0
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
      - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1
        with:
          key: test
          cache-all-crates: "true"
      - run: cargo test


  # Similar to check_charts, this tries to render the README, and see if there are unintended changes.
  # This will save us from merging changes to the wrong file (instead of the templated source), and from
  # forgetting to render out modifications to the README.
  check_readme:
    name: Check if committed README is the one we would render from the available parts
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # tag=v5.0.0
        with:
          python-version: '3.11'
      - name: Install jinja2-cli
        run: pip install jinja2-cli==0.8.2
      - name: Regenerate charts
        run: make render-readme
      - name: Check if committed README were up to date
        run: git diff --exit-code
      - name: Git Diff showed uncommitted changes
        if: ${{ failure() }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            core.setFailed('Committed README are not up to date, please make sure to apply them to the templated partials, and re-commit!')

  # This job cleans up the CRDs and Helm charts, followed by rebuilding them
  # It then runs a `git diff` and fails the entire workflow, if any difference is encountered.
  #
  # Since CRD files are generated during the 'cargo build' process we need to run this once after
  # removing the CRD files to ensure that the checked in versions match what the code expects.
  #
  # The reason for this step is, that developers are expected to check in up-to-date versions of charts
  # as we'd otherwise have to build these in CI and commit them back to the PR, which
  # creates all kinds of problems.
  # This failsafe simply aborts anything that has not had charts rebuilt before pushing.
  check_charts:
    name: Check if committed Helm charts are up to date
    runs-on: ubuntu-latest
    steps:
      - name: Install host dependencies
        uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1
        with:
          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
          version: 1.0
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - name: Set up Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: v3.13.3
      - name: Set up cargo
        uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
      - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1
        with:
          key: charts
          cache-all-crates: "true"
      - name: Regenerate charts
        run: make regenerate-charts
      - name: Check if committed charts were up to date
        run: git diff --exit-code
      - name: Git Diff showed uncommitted changes
        if: ${{ failure() }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            core.setFailed('Committed charts were not up to date, please regenerate and re-commit!')

  tests_passed:
    name: All tests passed
    needs:
      - run_udeps
      - run_cargodeny
      - run_clippy
      - run_rustfmt
      - run_rustdoc
      - run_tests
      - check_charts
      - check_readme
    runs-on: ubuntu-latest
    steps:
      - name: log
        run: echo All tests have passed!

  package_and_publish:
    name: Package Charts, Build Docker Image and publish them
    needs:
      - tests_passed
      - select_helm_repo
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    env:
      NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
      HELM_REPO: ${{ needs.select_helm_repo.outputs.helm_repository }}
      OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
      OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build"
      OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }}
      OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build"
    if: needs.select_helm_repo.outputs.helm_repository != 'skip'
    outputs:
      IMAGE_TAG: ${{ steps.printtag.outputs.IMAGE_TAG }}
    steps:
      - name: Install host dependencies
        uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1
        with:
          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
          version: 1.0
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: recursive
      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # tag=v25
      - uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248
        with:
          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
          components: rustfmt
        # This step checks if the current run was triggered by a push to a pr (or a pr being created).
        # If this is the case it changes the version of this project in all Cargo.toml files to include the suffix
        # "-pr<prnumber>" so that the published artifacts can be linked to this PR.
      - uses: stackabletech/cargo-install-action@main
        with:
          crate: cargo-edit
          bin: cargo-set-version
      - name: Update version if PR
        if: ${{ github.event_name == 'pull_request' }}
        run: cargo set-version --offline --workspace 0.0.0-pr${{ github.event.pull_request.number }}

        # Recreate charts and publish charts and docker image. The "-e" is needed as we want to override the
        # default value in the makefile if called from this action, but not otherwise (i.e. when called locally).
        # This is needed for the HELM_REPO variable.
      - name: Install cosign
        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # tag=v3.3.0
      - name: Install syft
        uses: anchore/sbom-action/download-syft@24b0d5238516480139aa8bc6f92eeb7b54a9eb0a # tag=v0.15.5
      - name: Build Docker image and Helm chart
        run: make -e build
      - name: Publish Docker image and Helm chart
        if: ${{ !github.event.pull_request.head.repo.fork }}
        run: make -e publish
        # Output the name of the published image to the Job output for later use
      - id: printtag
        name: Output image name and tag
        if: ${{ !github.event.pull_request.head.repo.fork }}
        run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> $GITHUB_OUTPUT

  openshift_preflight:
    name: Run the OpenShift Preflight check on the published images
    if: ${{ !github.event.pull_request.head.repo.fork }}
    needs:
      - package_and_publish
    runs-on: ubuntu-latest
    env:
      IMAGE_TAG: ${{ needs.package_and_publish.outputs.IMAGE_TAG }}
    steps:
      - name: Install preflight
        run: |
          wget https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.7.2/preflight-linux-amd64
          chmod +x preflight-linux-amd64
      - name: Check container
        run: ./preflight-linux-amd64 check container "$IMAGE_TAG" > preflight.out
      - name: "Passed?"
        run: '[ "$(./preflight-linux-amd64 check container "$IMAGE_TAG" | jq -r .passed)" == true ]'