Initial commit

.dockerignore

@@ -0,0 +1,7 @@
+# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
+# Ignore build and test binaries.
+bin/
+testbin/
+controllers/testdata
+charts/
+**/*_test.go

.github/actions/docker-build/action.yaml

@@ -0,0 +1,44 @@
+name: docker-build
+description: "builds and optionally pushes a docker image"
+inputs:
+  tags:
+    required: true
+    description: "tags to be built"
+  push:
+    required: false
+    default: "false"
+    description: "true if to push the image"
+  load:
+    required: false
+    default: "true"
+    description: "true if to load the image"
+  platforms:
+    required: false
+    description: "optional platforms to be used"
+outputs:
+  digest:
+    description: "digest of the built image"
+    value: ${{ steps.docker-build.outputs.digest }}
+  imageid:
+    description: "id of the built image"
+    value: ${{ steps.docker-build.outputs.imageid }}
+runs:
+  using: composite
+  steps:
+    # Build and push Docker image with Buildx (don't push on PR)
+    # https://github.com/docker/build-push-action
+    - name: Build docker image
+      id: docker-build
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        load: ${{ inputs.load }}
+        push: ${{ inputs.push }}
+        platforms: ${{ inputs.platforms }}
+        build-args: |
+          VERSION=${{ github.ref_name }}
+          COMMIT_SHA=${{ github.sha }}
+        tags: ${{ inputs.tags }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+

.github/actions/docker-setup/action.yaml

@@ -0,0 +1,20 @@
+name: docker-setup
+description: "sets up docker"
+inputs:
+  platforms:
+    required: false
+    default: ""
+    description: "platforms to be setup, if not default"
+runs:
+  using: composite
+  steps:
+    # Workaround: https://github.com/docker/build-push-action/issues/461
+    - name: Setup Docker buildx
+      uses: docker/setup-buildx-action@v3
+      with:
+        platforms: ${{ inputs.platform }}
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+      with:
+        platforms: ${{ inputs.platforms }}
+

.github/actions/go-setup/action.yaml

@@ -0,0 +1,29 @@
+description: setup go env
+name: go-setup
+inputs:
+  version:
+    default: "1.21"
+    required: false
+    description: "go version to be setup"
+runs:
+  using: "composite"
+  steps:
+    - name: setup go
+      uses: actions/setup-go@v4
+      with:
+        go-version: "1.21"
+    - id: go-cache-paths
+      shell: bash
+      run: |
+        echo "::set-output name=go-build::$(go env GOCACHE)"
+        echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+    - name: setup go build-cache
+      uses: actions/cache@v3
+      with:
+        path: ${{ steps.go-cache-paths.outputs.go-build }}
+        key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+    - name: setup go-mod-cache
+      uses: actions/cache@v3
+      with:
+        path: ${{ steps.go-cache-paths.outputs.go-mod }}
+        key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

.github/actions/helm-setup/action.yaml

@@ -0,0 +1,18 @@
+name: helm-setup
+description: setup helm tooling
+runs:
+  using: composite
+  steps:
+    # Setup helm itself
+    - name: Set up Helm
+      uses: azure/setup-helm@v3
+      with:
+        version: v3.12.3
+    # Setup python (for helm chart testing)
+    - uses: actions/setup-python@v4
+      with:
+        python-version: '3.9'
+        check-latest: true
+    # Setup helm chart-testing itself
+    - name: Set up chart-testing
+      uses: helm/[email protected]

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/auto-approve-dependabot.yaml

@@ -0,0 +1,41 @@
+name: auto-approve dependabot
+
+on: pull_request_target
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  auto-merge-pr:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/[email protected]
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Approve patch and minor updates
+        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'}}
+        run: gh pr review $PR_URL --approve -b "I'm **approving** this pull request because **it includes a patch or minor update**"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Approve major updates of development dependencies
+        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:development'}}
+        run: gh pr review $PR_URL --approve -b "I'm **approving** this pull request because **it includes a major update of a dependency used only in development**"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Comment on major updates of non-development dependencies
+        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production'}}
+        run: |
+          gh pr comment $PR_URL --body "I'm **not approving** this PR because **it includes a major update of a dependency used in production**"
+          gh pr edit $PR_URL --add-label "requires-manual-qa"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/auto-approve-owner.yaml

@@ -0,0 +1,23 @@
+name: auto-approve owner
+
+on: pull_request_target
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  auto-merge-pr:
+    runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == github.actor }}
+    steps:
+      - name: Enable auto-merge for owner PRs
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Approve the PR
+        run: gh pr review $PR_URL --approve -b "self-approval for repository owner"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/deploy.yaml

@@ -0,0 +1,21 @@
+name: "deploy"
+on:
+  push:
+    branches: ["main"]
+    tags: ["v*.*.*"]
+jobs:
+  verify:
+    uses: ./.github/workflows/verify.yml
+    secrets: inherit
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+  publish:
+    uses: ./.github/workflows/publish.yml
+    needs: ["verify"]
+    secrets: inherit
+    permissions:
+      contents: write
+      packages: write
+      id-token: write

.github/workflows/publish.yml

@@ -0,0 +1,95 @@
+name: "publish"
+on:
+  workflow_call:
+    inputs: {}
+env:
+  REGISTRY: ghcr.io
+  PLATFORMS: "linux/amd64,linux/arm64/v8"
+  CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+    steps:
+      # Checkout
+      - name: changes
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: image-name
+        run: echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        uses: sigstore/[email protected]
+      - uses: ./.github/actions/docker-setup
+        with:
+          platforms: ${{ env.PLATFORMS }}
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - uses: ./.github/actions/docker-build
+        id: build-and-push
+        with:
+          tags: ${{ steps.meta.outputs.tags }}
+          push: true
+          load: false
+          platforms: ${{ env.PLATFORMS }}
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
+  helm:
+    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@main
+        with:
+          charts_dir: charts
+          mark_as_latest: false
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/verify-docker.yaml

@@ -0,0 +1,33 @@
+on:
+  workflow_call:
+    inputs: {}
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    # Run hadolint
+    steps:
+      # Checkout
+      - name: checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: hadolint/[email protected]
+        with:
+          dockerfile: Dockerfile
+  test:
+    runs-on: ubuntu-latest
+    # Build docker image
+    steps:
+      - name: image-name
+        run: echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+      # Checkout
+      - name: checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: ./.github/actions/docker-setup
+      - uses: ./.github/actions/docker-build
+        with:
+          tags: ${{env.IMAGE_NAME}}:${{ github.sha }}
+          push: false
+          load: false

.github/workflows/verify-go.yaml

@@ -0,0 +1,44 @@
+on:
+  workflow_call:
+    inputs: {}
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout
+      - name: checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: ./.github/actions/go-setup
+      # Run golangci-lint
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          only-new-issues: true
+      # Update the go report
+      - name: update-go-report
+        uses: creekorful/[email protected]
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout
+      - name: checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: ./.github/actions/go-setup
+      # Run ginkgo
+      - name: ginkgo
+        run: |
+          go run github.com/onsi/ginkgo/v2/ginkgo -r --randomize-all --randomize-suites \
+          --fail-on-pending --keep-going --trace \
+          --cover --coverprofile=cover.profile \
+          --json-report=test-report.json \
+          --race --junit-report=test-report.xml \
+          ./...
+      # Push results to code coverages
+      - name: Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          files: cover.profile