
feat: backport gha

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Moritz Johner 3 ani în urmă
părinte
comite
80850f39a7

+ 0 - 4
.github/dependabot.yml

@@ -1,9 +1,5 @@
 version: 2
 updates:
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "weekly"
 
   - package-ecosystem: "github-actions"
     directory: "/"

+ 19 - 0
.github/pull_request_template.md

@@ -0,0 +1,19 @@
+## Problem Statement
+
+What is the problem you're trying to solve?
+
+## Related Issue
+
+Fixes #...
+
+## Proposed Changes
+
+How do you like to solve the issue and why?
+
+## Checklist
+
+- [ ] I have read the [contribution guidelines](https://external-secrets.io/latest/contributing/process/#submitting-a-pull-request)
+- [ ] All commits are signed with `git commit --signoff`
+- [ ] My changes have reasonable test coverage
+- [ ] All tests pass with `make test`
+- [ ] I ensured my PR is ready for review with `make reviewable`

+ 5 - 4
.github/workflows/ci.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - release-*
   pull_request: {}
 
 env:
@@ -39,7 +40,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
 
@@ -83,7 +84,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
 
@@ -125,7 +126,7 @@ jobs:
         run: git fetch --prune --unshallow
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
 
@@ -185,7 +186,7 @@ jobs:
           build-platform: "linux/amd64,linux/arm64"
           tag-suffix: "-ubi"
         - dockerfile: "Dockerfile.ubi"
-          build-args: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto"
+          build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto"
           build-arch: "amd64"
           build-platform: "linux/amd64"
           tag-suffix: "-ubi-boringssl"
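Review bot: The last hunk switches the boringssl matrix entry to `CGO_ENABLED=0` while keeping `GOEXPERIMENT=boringcrypto`; Go only compiles the BoringCrypto backend in when cgo is enabled, so unless Dockerfile.ubi re-enables cgo on its own the `-ubi-boringssl` image silently falls back to the standard Go crypto and no longer contains the validated module its tag implies. The same combination is added in .github/workflows/rebuild-image.yml (`build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto" # fips`). Either keep `CGO_ENABLED=1` for this entry, or add a build-time check that fails when `crypto/boring.Enabled()` is false so the tag cannot drift from what the binary actually links. The matrix this entry belongs to starts outside the hunk.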

+ 2 - 1
.github/workflows/docs.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - release-*
 
 jobs:
   deploy:
@@ -14,7 +15,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
 

+ 1 - 1
.github/workflows/e2e-managed.yml

@@ -10,7 +10,7 @@ permissions:
 env:
   # Common versions
   GO_VERSION: '1.19'
-  GINKGO_VERSION: 'v2.1.6'
+  GINKGO_VERSION: 'v2.8.0'
   DOCKER_BUILDX_VERSION: 'v0.4.2'
 
   # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run

+ 6 - 2
.github/workflows/e2e.yml

@@ -14,7 +14,7 @@ name: e2e tests
 env:
   # Common versions
   GO_VERSION: '1.19'
-  GINKGO_VERSION: 'v2.1.6'
+  GINKGO_VERSION: 'v2.8.0'
   DOCKER_BUILDX_VERSION: 'v0.4.2'
   KIND_VERSION: 'v0.17.0'
   KIND_IMAGE: 'kindest/node:v1.26.0'
@@ -36,7 +36,11 @@ env:
   AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET}}
   TENANT_ID: ${{ secrets.TENANT_ID}}
   VAULT_URL: ${{ secrets.VAULT_URL}}
-
+  SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
+  SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
+  SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
+  SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
+  SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
 
 jobs:
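Review bot: The five new `SCALEWAY_*` entries are added to the workflow-level `env`, which hands `SCALEWAY_SECRET_KEY` and `SCALEWAY_ACCESS_KEY` to every step of every job in this workflow, including third-party actions that never talk to Scaleway; GitHub masks them in logs but does not limit which steps can read them. The existing Azure and Vault entries follow the same pattern, so this is a pre-existing choice rather than a regression, but scoping the new ones to the job or step that runs the Scaleway suite would keep the blast radius of a compromised action smaller. The jobs that consume these variables are outside the hunk, so I cannot tell whether a narrower scope is straightforward here.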
 

+ 16 - 0
.github/workflows/helm.yml

@@ -43,9 +43,25 @@ jobs:
           if [[ -n "$changed" ]]; then
             echo "::set-output name=changed::true"
           fi
+      - name: Install chart unittest
+        run: |
+          helm env
+          helm plugin install https://github.com/helm-unittest/helm-unittest
       - name: Run chart-testing (lint)
         run: ct lint --config=.github/ci/ct.yaml
 
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.5.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        run: ct install --config=.github/ci/ct.yaml --charts deploy/charts/external-secrets
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run unitests
+        if: steps.list-changed.outputs.changed == 'true'
+        run: make helm.test
+
   release:
     runs-on: ubuntu-latest
     steps:
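Review bot: The new "Install chart unittest" step runs `helm plugin install https://github.com/helm-unittest/helm-unittest` without a version, so each CI run fetches and executes whatever the plugin's default branch holds at that moment; pin it, `helm plugin install https://github.com/helm-unittest/helm-unittest --version <pinned-version>`, so an upstream change cannot alter test results or run unreviewed code in the job. `helm/kind-action@v1.5.0` is likewise pinned only to a movable tag; a full commit SHA with the tag kept as a trailing comment is the usual hardening. The `helm env` line before the install reads like leftover debugging output; drop it or add a comment saying what it is for. Minor: the step name `Run unitests` looks like a typo for "Run unit tests".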

+ 6 - 3
.github/workflows/publish.yml

@@ -66,7 +66,7 @@ jobs:
           install: true
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
 
@@ -107,10 +107,13 @@ jobs:
         env:
           GITHUB_REF: ${{ github.ref }}
         run: |
+          # rebuild-image
           if [ "${{ inputs.image-tag }}" != "" ]; then
             TAG="${{ inputs.image-tag }}${{ inputs.tag-suffix }}"
-          elif [ "$GITHUB_REF" == "refs/heads/main" ]; then
-            TAG=main${{ inputs.tag-suffix }}
+          # main / release-x.y
+          elif [[ "$GITHUB_REF" == "refs/heads/main" || "$GITHUB_REF" =~ "refs/heads/release-.*"  ]]; then
+            TAG=${GITHUB_REF#refs/heads/}${{ inputs.tag-suffix }}
+          # Pull Request
           else
             TAG=$(make docker.tag)
           fi
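Review bot: The quoted regex on the new `elif` line never matches a release branch: inside `[[ … =~ "…" ]]` bash treats a quoted right-hand side as a literal string, so `"refs/heads/release-.*"` only matches a ref that literally contains the characters `.*`, and a push to `release-0.8` falls through to `TAG=$(make docker.tag)`. Leave the pattern unquoted and anchor it: `elif [[ "$GITHUB_REF" == "refs/heads/main" || "$GITHUB_REF" =~ ^refs/heads/release- ]]; then`. The `${GITHUB_REF#refs/heads/}` expansion that follows produces the intended `release-x.y` prefix once the branch is recognised. The run script continues outside the hunk.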

+ 17 - 3
.github/workflows/rebuild-image.yml

@@ -38,15 +38,29 @@ jobs:
       matrix:
         include:
         - dockerfile: "Dockerfile"
+          build-args: "CGO_ENABLED=0"
+          build-arch: "amd64 arm64"
+          build-platform: "linux/amd64,linux/arm64"
           tag-suffix: "-${{ needs.checkout.outputs.timestamp }}" # distroless
         - dockerfile: "Dockerfile.ubi"
-          tag-suffix: "-ubi-${{ needs.checkout.outputs.timestamp }}"
+          build-args: "CGO_ENABLED=0"
+          build-arch: "amd64 arm64"
+          build-platform: "linux/amd64,linux/arm64"
+          tag-suffix: "-ubi-${{ needs.checkout.outputs.timestamp }}" # ubi
+        - dockerfile: "Dockerfile.ubi"
+          build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto" # fips
+          build-arch: "amd64"
+          build-platform: "linux/amd64"
+          tag-suffix: "-ubi-boringssl-${{ needs.checkout.outputs.timestamp }}"
     with:
       dockerfile: ${{ matrix.dockerfile }}
-      ref: ${{ github.event.inputs.ref }}
-      image-tag: ${{ github.event.inputs.ref }}
       tag-suffix: ${{ matrix.tag-suffix }}
       image-name: ghcr.io/${{ github.repository }}
+      build-platform: ${{ matrix.build-platform }}
+      build-args: ${{ matrix.build-args }}
+      build-arch: ${{ matrix.build-arch }}
+      ref: ${{ github.event.inputs.ref }}
+      image-tag: ${{ github.event.inputs.ref }}
     secrets:
       GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
       GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}

+ 8 - 3
.github/workflows/release.yml

@@ -7,6 +7,10 @@ on:
         description: 'version to release, e.g. v1.5.13'
         required: true
         default: 'v0.1.0'
+      source_ref:
+        description: 'source ref to publish from. E.g.: main or release-x.y'
+        required: true
+        default: 'main'
 
 env:
   IMAGE_NAME: ghcr.io/${{ github.repository }}
@@ -55,7 +59,7 @@ jobs:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
 
@@ -65,6 +69,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Update Docs
+        if: github.ref == 'refs/heads/main'
         run: make docs.publish DOCS_VERSION=${{ github.event.inputs.version }} DOCS_ALIAS=latest
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
@@ -84,7 +89,7 @@ jobs:
       contents: write
 
     env:
-      SOURCE_TAG: main${{ matrix.tag_suffix }}
+      SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }}
       RELEASE_TAG: ${{ github.event.inputs.version }}${{ matrix.tag_suffix }}
 
     steps:
@@ -94,7 +99,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version-file: "go.mod"
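Review bot: The new `if: github.ref == 'refs/heads/main'` guard on "Update Docs" keys off the ref the workflow was dispatched from, while the image promotion two hunks later now builds `SOURCE_TAG` from the free-text `source_ref` input; nothing ties the two together, so a run dispatched from main with `source_ref: release-x.y` would still publish that version's docs as `latest`, and a run dispatched from a release branch with `source_ref: main` would skip them. Gating on the input instead, `if: github.event.inputs.source_ref == 'main'`, keeps both decisions on the same value. `source_ref` is also never validated against the `main` or `release-x.y` shape its description promises; a short check step such as `[[ "$SOURCE_REF" == main || "$SOURCE_REF" =~ ^release-[0-9]+\.[0-9]+$ ]] || exit 1` before anything is tagged would fail fast on a typo instead of failing later in the promotion. The jobs that consume `SOURCE_TAG` are outside the hunk.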
 

+ 1 - 0
.github/workflows/stale.yml

@@ -13,5 +13,6 @@ jobs:
           stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
           stale-pr-message: 'This pr is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
           close-issue-message: 'This issue was closed because it has been stalled for 30 days with no activity.'
+          exempt-issue-labels: kind/feature
           days-before-stale: 90
           days-before-close: 30

+ 73 - 0
.github/workflows/update-deps.yml

@@ -0,0 +1,73 @@
+name: "Update dependencies"
+on:
+  schedule:
+    # Monday, 10AM UTC
+    - cron: "0 10 * * 1"
+
+  workflow_dispatch:
+    inputs: {}
+
+
+jobs:
+  branches:
+    name: get branch data
+    runs-on: ubuntu-latest
+    outputs:
+      branches: ${{ steps.branches.outputs.branches }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.ref }}
+      - name: set branches output
+        id: branches
+        # outputs the two most recent `release-x.y` branches plus `main` as JSON
+        run: |
+          echo "branches=$(git branch -a | grep -E "remotes/origin/(main|release-)" | sed 's/  remotes\/origin\///' | sort -V | tail -2 | jq -R -s -c 'split("\n") | map(select(length > 0)) | . + ["main"]')" >> $GITHUB_OUTPUT
+
+  update-dependencies:
+    runs-on: ubuntu-latest
+    needs: branches
+    strategy:
+      matrix:
+        branch: ${{ fromJson(needs.branches.outputs.branches) }}
+    steps:
+    - name: Setup Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: "1.19"
+
+      # we can not use the default GHA token, as it prevents subsequent GHA
+      # from running: we can create a PR but the tests won't run :/
+    - name: Generate token
+      id: generate_token
+      uses: tibdex/github-app-token@v1
+      with:
+        app_id: ${{ secrets.APP_ID }}
+        private_key: ${{ secrets.PRIVATE_KEY }}
+    - uses: actions/checkout@v3
+      with:
+        token: ${{ steps.generate_token.outputs.token }}
+        ref: ${{ matrix.branch }}
+        fetch-depth: 0
+    - name: create pull request
+      run: |
+        git config --global user.email "ExternalSecretsOperator@users.noreply.github.com"
+        git config --global user.name "External Secrets Operator"
+        BRANCH=update-deps-$(date "+%s")
+        make update-deps || true
+
+        if git diff-index --quiet HEAD --; then
+          echo "nothing changed. skipping."
+          exit 0;
+        fi
+
+        git checkout -b $BRANCH
+        git add -A
+        git commit -m "update dependencies" -s
+        git push origin $BRANCH
+        gh pr create -B ${{ matrix.branch }} -H ${BRANCH} --title 'chore: update dependencies' --body 'Update dependencies'
+      env:
+        GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
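Review bot: `make update-deps || true` in the "create pull request" step masks a failed update, after which the step commits and pushes whatever partially modified tree is on disk and opens a PR against `${{ matrix.branch }}`; if the `|| true` exists to tolerate branches with nothing to update, gate the PR on the exit status instead so a broken `go get` or `go mod tidy` never turns into a reviewable-looking dependency PR. `${{ matrix.branch }}` is also interpolated directly into the shell on the `gh pr create` line; pass it through `env:` and reference `"$TARGET_BRANCH"`, the same way `GITHUB_TOKEN` is already handed in. `tibdex/github-app-token@v1` mints a token from `PRIVATE_KEY` with the app's write scope and is pinned only to a movable tag; pin it to a full commit SHA with the tag as a trailing comment. Two smaller inconsistencies: the checkout in `branches` uses `ref: ${{ github.event.inputs.ref }}` although `workflow_dispatch.inputs` is `{}`, so it always expands to empty, and `actions/setup-go@v3` here is the one place this commit leaves setup-go on v3.
```yaml
    - name: create pull request
      env:
        GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        TARGET_BRANCH: ${{ matrix.branch }}
      run: |
        # … unchanged: git config user.email / user.name …
        BRANCH="update-deps-$(date "+%s")"
        if ! make update-deps; then
          echo "make update-deps failed; not opening a PR from a partial update"
          exit 1
        fi
        # … unchanged: diff-index check, checkout -b, add, commit, push …
        gh pr create -B "$TARGET_BRANCH" -H "$BRANCH" --title 'chore: update dependencies' --body 'Update dependencies'
```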