feat(workflows): add shared Go lint, test, build, release, and e2e reusable workflows#65
Open
onuryilmaz wants to merge 28 commits into
Pull request overview
Adds a set of reusable (workflow_call) GitHub Actions workflows intended to standardize Go CI (lint/test/build), releases, and KinD-based e2e execution across cloudoperators/* repositories as part of GHA streamlining.
Changes:
- Introduces reusable Go lint, test, and build workflows with configurable runner, Go version (or go.mod), working directory, and targets.
- Adds a reusable release workflow that bumps Makefile VERSION, optionally updates Chart.yaml, creates a release PR, creates a GitHub release, and optionally dispatches an event to cloudoperators/greenhouse-extensions.
- Adds a reusable e2e workflow that wraps the existing workflows/e2e composite action and runs a caller-provided make e2e target.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| .github/workflows/shared-go-lint.yaml | Reusable Go lint workflow (golangci-lint + optional govulncheck). |
| .github/workflows/shared-go-test.yaml | Reusable Go test workflow with configurable make target and optional coverage artifact upload. |
| .github/workflows/shared-go-build.yaml | Reusable Go build workflow with optional Docker multi-arch build/push via GHCR. |
| .github/workflows/shared-release.yaml | Reusable release automation workflow (version bump, optional chart update, PR, release, optional dispatch). |
| .github/workflows/shared-e2e.yaml | Reusable e2e wrapper around the existing KinD-based workflows/e2e composite action. |
…usable workflows
Adds 5 new reusable workflows to support standardized CI/CD across cloudoperators repos (shoot-grafter, repo-guard, permission-manager, cloudctl, greenhouse-extensions):
- shared-go-lint.yaml: golangci-lint + optional govulncheck
- shared-go-test.yaml: parameterized make test target + optional coverage upload
- shared-go-build.yaml: Go binary build + optional Docker multi-arch build/push
- shared-release.yaml: semver bump, Chart.yaml update, release PR + GitHub release + optional greenhouse-extensions dispatch
- shared-e2e.yaml: KinD-based e2e wrapping the existing workflows/e2e composite action
Closes #2086
Signed-off-by: I313226 <onur.yilmaz@sap.com>
shared-release.yaml:
- Replace non-POSIX \s with [[:space:]] in grep and sed expressions
- Add -E flag to sed for portable extended regex
- Add fail-fast VERSION parse validation (must match X.Y.Z)
- Add environment input so callers can gate on protection rules
- Fall back to release-token when dispatch-token is not provided
shared-e2e.yaml:
- Checkout calling repo into path: caller to avoid workspace collision with the greenhouse checkout in the e2e composite action
- Run e2e make target in caller/<working-directory>
- Remove unused with-remote-cluster input
- Remove unused kubeconfig secret
shared-go-build.yaml:
- Add packages: write permission when push is true
- Add early validation step when docker-build is true and image-name is empty
Signed-off-by: I313226 <onur.yilmaz@sap.com>
f2180c8 to 346f2b9
…-test job Signed-off-by: I313226 <onur.yilmaz@sap.com>
- Checkout default branch explicitly (ref: default_branch) so releases
are never cut from a feature branch
- Use github.event.repository.default_branch instead of hard-coded 'main'
for PR base and release --target, supporting non-main default branches
- Quote ${{ inputs.makefile-path }} in grep invocation
- Quote ${{ inputs.chart-path }} in both sed commands
- Create GitHub release targeting the default branch after fetching
latest, so the tag points at the correct merged commit
Signed-off-by: I313226 <onur.yilmaz@sap.com>
- shared-go-test: drop go-version input, always use go-version-file from go.mod
- shared-release: add if condition to Update Makefile VERSION step (skip when makefile-path is empty)
- shared-release: split Chart.yaml update into two steps with separate bump-chart-app-version input
- shared-release: replace gh CLI release creation with actions/github-script@v7
- shared-release: replace dispatch-token with GitHub App token via actions/create-github-app-token@v3 and peter-evans/repository-dispatch@v4
Signed-off-by: I313226 <onur.yilmaz@sap.com>
Move all ${{ inputs.* }}, ${{ steps.*.outputs.* }}, and ${{ secrets.* }}
references out of run: shell scripts into env: blocks to prevent potential
shell injection and improve security posture across all five workflows:
- shared-go-test: validate extra-env lines match KEY=VALUE format before
appending to GITHUB_ENV to give callers a clear error on malformed input
- shared-go-build: pass push/docker-build and image-name via env vars in
both validate steps instead of inline template expressions
- shared-go-lint: pass govulncheck-version via env var in run: step
- shared-release: pass makefile-path, chart-path, bump, new-version, and
plugin-name via env vars in all run: steps; remove all inline expressions
from grep/sed/git commands
Signed-off-by: I313226 <onur.yilmaz@sap.com>
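An added example (not the PR's own code) of the extra-env check the commit above describes: caller input reaches the script only through an environment variable, and each line is validated as KEY=VALUE before anything is appended to the GITHUB_ENV file. The function name `append_extra_env`, the `EXTRA_ENV` variable name and the sample values are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not code from this PR. EXTRA_ENV is assumed to be set by the
# step's env: block (EXTRA_ENV: ${{ inputs.extra-env }}), so the caller's
# text is data in a variable and never part of the script source.

# append_extra_env FILE
# Validates every non-empty line of $EXTRA_ENV as KEY=VALUE and appends the
# lines to FILE (pass "$GITHUB_ENV" in a workflow). All-or-nothing: if any
# line is malformed, nothing is written and the function returns 1.
append_extra_env() {
  _target="$1"
  _staged=""
  while IFS= read -r _line; do
    [ -z "$_line" ] && continue
    # KEY must be an identifier directly followed by '='. This also rejects
    # the KEY<<DELIMITER multi-line form, which has no '=' after the name.
    if ! printf '%s\n' "$_line" | grep -qE '^[A-Za-z_][A-Za-z0-9_]*='; then
      echo "::error::extra-env line is not KEY=VALUE: $_line" >&2
      return 1
    fi
    _staged="${_staged}${_line}
"
  done <<EOF
${EXTRA_ENV:-}
EOF
  printf '%s' "$_staged" >> "$_target"
}

# Constructed sample input; a temp file stands in for $GITHUB_ENV.
EXTRA_ENV='CGO_ENABLED=0
GOFLAGS=-mod=readonly'
_demo="$(mktemp)"
append_extra_env "$_demo" && cat "$_demo"
rm -f "$_demo"
```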
Wrap the module@version argument in double quotes to prevent word-splitting or globbing if GOVULNCHECK_VERSION contains unexpected characters. Signed-off-by: I313226 <onur.yilmaz@sap.com>
Add a preflight check that fails fast with a clear error if a Windows runner is used, since both workflows require make which is not available by default on Windows GitHub-hosted runners. Also update runs-on descriptions to document the Linux/macOS requirement. Signed-off-by: I313226 <onur.yilmaz@sap.com>
GH_TOKEN was set in the env block of the git commit/tag/push step but never used there — git authenticates via the release-token from checkout and the GitHub release is created in a separate step. Remove it to avoid implying gh CLI is needed and to reduce confusion. Signed-off-by: I313226 <onur.yilmaz@sap.com>
…to shared-e2e Signed-off-by: I313226 <onur.yilmaz@sap.com>
…criptions Signed-off-by: I313226 <onur.yilmaz@sap.com>
… inputs.remote-k8s-version Signed-off-by: I313226 <onur.yilmaz@sap.com>
Comment on lines +87 to +94
| if [ -z "$MAKEFILE_PATH" ]; then | ||
| echo "ERROR: makefile-path is required for version computation" | ||
| exit 1 | ||
| fi | ||
| if [ ! -f "$MAKEFILE_PATH" ]; then | ||
| echo "ERROR: makefile-path '$MAKEFILE_PATH' does not exist" | ||
| exit 1 | ||
| fi |
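Review bot: Both failure paths in this block report through a plain echo to stdout, so in a reusable workflow the reason ends up only in the step log of the calling run. Consider emitting them as error annotations on stderr, for example echo "::error::makefile-path '$MAKEFILE_PATH' does not exist" >&2. The -f test also accepts any regular file the runner can read; if makefile-path is meant to be relative to the checked-out repository, rejecting absolute paths and .. segments next to these two checks would make that explicit.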
Comment on lines +102 to +112
| env: | ||
| MAKEFILE_PATH: ${{ inputs.makefile-path }} | ||
| BUMP: ${{ inputs.bump }} | ||
| run: | | ||
| CURRENT_VERSION=$(grep -E '^VERSION[[:space:]]*[:?]?=' "$MAKEFILE_PATH" | head -1 | sed 's/.*=[[:space:]]*//' | tr -d '[:space:]' || true) | ||
| echo "Current version: $CURRENT_VERSION" | ||
|
|
||
| if ! echo "$CURRENT_VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then | ||
| echo "ERROR: could not parse VERSION from $MAKEFILE_PATH (got: '$CURRENT_VERSION')" | ||
| exit 1 | ||
| fi |
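Review bot: The sed expression 's/.*=[[:space:]]*//' in the CURRENT_VERSION pipeline is greedy, so it strips through the last = on the matched line rather than the assignment operator. A line such as VERSION ?= 1.2.3 # override with V=x yields x, and the step then stops with a parse error that does not point at the cause. Anchor the substitution to the same pattern the grep uses, e.g. sed -E 's/^VERSION[[:space:]]*[:?]?=[[:space:]]*//', and strip a trailing # comment before the tr. Separately, BUMP is exported into this step but nothing in these lines validates it; if that is not done further down, check it beside the X.Y.Z test so an unexpected value fails before anything is written.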
… is now truly optional Signed-off-by: I313226 <onur.yilmaz@sap.com>
Summary
Adds 5 new reusable (workflow_call) workflows to cloudoperators/common as part of #2086 — GHA Streamlining across cloudoperators repos.
- shared-go-lint.yaml: enable-govulncheck: true). Go version read from go.mod.
- shared-go-test.yaml: make test target + optional coverage artifact upload. Go version read from go.mod.
- shared-go-build.yaml: go.mod.
- shared-release.yaml: VERSION from Makefile, updates Makefile + Chart.yaml, commits directly to the default branch, creates an annotated tag, creates a GitHub release via actions/github-script@v7, and optionally dispatches to greenhouse-extensions via GitHub App token (actions/create-github-app-token@v3 + peter-evans/repository-dispatch@v4).
- shared-e2e.yaml: workflows/e2e composite action for KinD-based Greenhouse e2e tests.
Design notes
- shared-release.yaml commits directly to the default branch — no release branch, no PR. The version bump commit is tagged in-place and the GitHub release points at that exact commit.
- go-version input removed from all three Go workflows — version is always read from go.mod.
- dispatch-app-id + dispatch-app-private-key) replaces the old dispatch-token PAT for greenhouse-extensions dispatch.
- appVersion is controlled separately via bump-chart-app-version input (default true) to support chart-template-only bumps.
- shared-go-build Docker push — image-name must start with ghcr.io/.
- cloudoperators/common) use @main by convention.
Consumer PRs (depend on this merging first)