Merge branch 'main' of https://github.com/nokia/crossplane

.github/PULL_REQUEST_TEMPLATE.md

@@ -14,7 +14,7 @@ We love pull requests that fix an open issue. If yours does, use the below line
 to indicate which issue it fixes, for example "Fixes #500".
 -->
 
-Fixes # 
+Fixes #
 
 I have: <!--You MUST either [x] check or [ ] ~strike through~ every item.-->
 
@@ -24,10 +24,12 @@ I have: <!--You MUST either [x] check or [ ] ~strike through~ every item.-->
 - [ ] Added or updated e2e tests.
 - [ ] Linked a PR or a [docs tracking issue] to [document this change].
 - [ ] Added `backport release-x.y` labels to auto-backport this PR.
+- [ ] Followed the [API promotion workflow] if this PR introduces, removes, or promotes an API.
 
 Need help with this checklist? See the [cheat sheet].
 
 [contribution process]: https://github.com/crossplane/crossplane/tree/main/contributing
 [docs tracking issue]: https://github.com/crossplane/docs/issues/new
 [document this change]: https://docs.crossplane.io/contribute/contribute
 [cheat sheet]: https://github.com/crossplane/crossplane/tree/main/contributing#checklist-cheat-sheet
+[API promotion workflow]: https://github.com/crossplane/crossplane/blob/main/contributing/guide-api-promotion.md

.github/renovate.json5

@@ -177,7 +177,6 @@
       // Currently we only have an Earthfile on main and some release branches, so we ignore the ones we know don't have it.
       matchBaseBranches: [
         '!/release-1\.16/',
-        '!/release-1\.17/',
       ],
       postUpgradeTasks: {
         commands: [
@@ -197,7 +196,6 @@
       // Currently we only have an Earthfile on main and some release branches, so we only run this on older release branches.
       matchBaseBranches: [
         'release-1.16',
-        'release-1.17'
       ],
       postUpgradeTasks: {
         // Post-upgrade tasks that are executed before a commit is made by Renovate.
@@ -218,7 +216,6 @@
       // Currently we only have an Earthfile on main and some release branches, so we ignore the ones we know don't have it.
       matchBaseBranches: [
         '!/release-1\.16/',
-        '!/release-1\.17/',
       ],
       postUpgradeTasks: {
         // Post-upgrade tasks that are executed before a commit is made by Renovate.
@@ -239,7 +236,6 @@
       // Currently we only have an Earthfile on main and some release branches, so we only run this on older release branches.
       matchBaseBranches: [
         'release-1.16',
-        'release-1.17',
       ],
       postUpgradeTasks: {
         // Post-upgrade tasks that are executed before a commit is made by Renovate.

.github/workflows/backport.yml

@@ -10,6 +10,9 @@ on:
     types: [closed]
   # See also commands.yml for the /backport triggered variant of this workflow.
 
+permissions:  
+  contents: read
+
 jobs:
   # NOTE(negz): I tested many backport GitHub actions before landing on this
   # one. Many do not support merge commits, or do not support pull requests with
@@ -18,6 +21,9 @@ jobs:
   # The main gotchas with this action are that it _only_ supports merge commits,
   # and that PRs _must_ be labelled before they're merged to trigger a backport.
   open-pr:
+    permissions:
+      contents: write  # for zeebe-io/backport-action to create branch
+      pull-requests: write  # for zeebe-io/backport-action to create PR to backport
     runs-on: ubuntu-22.04
     if: github.event.pull_request.merged
     steps:

.github/workflows/ci.yml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Setup Earthly
-        uses: earthly/actions-setup@v1
+        uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # v1.0.13
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ env.EARTHLY_VERSION }}
@@ -78,7 +78,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Setup Earthly
-        uses: earthly/actions-setup@v1
+        uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # v1.0.13
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ env.EARTHLY_VERSION }}
@@ -114,7 +114,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Setup Earthly
-        uses: earthly/actions-setup@v1
+        uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # v1.0.13
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ env.EARTHLY_VERSION }}
@@ -143,19 +143,22 @@ jobs:
         run: earthly --strict --remote-cache ghcr.io/crossplane/earthly-cache:${{ github.job }} +ci-codeql
 
       - name: Upload CodeQL Results to GitHub
-        uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3
         with:
           sarif_file: '_output/codeql/go.sarif'
 
 
   trivy-scan-fs:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Run Trivy vulnerability scanner in fs mode
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -166,7 +169,7 @@ jobs:
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy Results to GitHub
-        uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3
         with:
           sarif_file: 'trivy-results.sarif'
 
@@ -178,7 +181,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Setup Earthly
-        uses: earthly/actions-setup@v1
+        uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # v1.0.13
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ env.EARTHLY_VERSION }}
@@ -220,7 +223,6 @@ jobs:
       matrix:
         test-suite:
           - base
-          - usage
           - ssa-claims
           - realtime-compositions
           - package-dependency-upgrades
@@ -231,7 +233,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Setup Earthly
-        uses: earthly/actions-setup@v1
+        uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # v1.0.13
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ env.EARTHLY_VERSION }}
@@ -319,7 +321,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Earthly
-        uses: earthly/actions-setup@v1
+        uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # v1.0.13
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ env.EARTHLY_VERSION }}
@@ -377,7 +379,7 @@ jobs:
             +ci-promote-build-artifacts --AWS_DEFAULT_REGION=us-east-1 --CROSSPLANE_VERSION=${CROSSPLANE_VERSION} --BUILD_DIR=${GITHUB_REF##*/} --CHANNEL=master
 
       - name: Upload Artifacts to GitHub
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
         with:
           name: output
           path: _output/**
@@ -390,20 +392,20 @@ jobs:
       # seems to build Crossplane inside of a Docker image.
       - name: Build Fuzzers
         id: build
-        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@a2d113bc6b45af6135bc4bdb30916bb7c0aae07b # master
         with:
           oss-fuzz-project-name: "crossplane"
           language: go
 
       - name: Run Fuzzers
-        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@a2d113bc6b45af6135bc4bdb30916bb7c0aae07b # master
         with:
           oss-fuzz-project-name: "crossplane"
           fuzz-seconds: 300
           language: go
 
       - name: Upload Crash
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
         if: failure() && steps.build.outcome == 'success'
         with:
           name: artifacts
@@ -417,12 +419,12 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Setup Buf
-        uses: bufbuild/buf-setup-action@v1
+        uses: bufbuild/buf-setup-action@76ddbd1bcb9da6da11cb7c41bd97e47f81c39a39 # v1.37.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Lint Protocol Buffers
-        uses: bufbuild/buf-lint-action@v1
+        uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1.1.1
         with:
           input: apis
 
@@ -438,7 +440,7 @@ jobs:
 
       - name: Push Protocol Buffers to Buf Schema Registry
         if: ${{ github.repository == 'crossplane/crossplane' && github.ref == 'refs/heads/main' }}
-        uses: bufbuild/buf-push-action@v1
+        uses: bufbuild/buf-push-action@a654ff18effe4641ebea4a4ce242c49800728459 # v1.2.0
         with:
           input: apis
           buf_token: ${{ secrets.BUF_TOKEN }}

.github/workflows/promote.yml

@@ -38,7 +38,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Setup Earthly
-        uses: earthly/actions-setup@v1
+        uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # v1.0.13
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ env.EARTHLY_VERSION }}

.github/workflows/renovate.yml

@@ -39,7 +39,7 @@ jobs:
           private-key: ${{ secrets.RENOVATE_GITHUB_APP_PRIVATE_KEY }}
 
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@67a664fc9b4481b33a3eff6ee9edfb7a7b9dfa1e # v41.0.2
+        uses: renovatebot/github-action@e3a862510f27d57a380efb11f0b52ad7e8dbf213 # v41.0.6
         env:
           RENOVATE_REPOSITORIES: ${{ github.repository }}
           # Use GitHub API to create commits

.github/workflows/scan.yaml

@@ -8,6 +8,9 @@ on:
 env:
   DOCKER_USR: ${{ secrets.DOCKER_USR }}
 
+permissions:  
+  contents: read
+
 jobs:
   generate-matrix:
     runs-on: ubuntu-latest
@@ -78,6 +81,8 @@ jobs:
           echo $supported_releases | jq .
 
   scan:
+    permissions:
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
     needs:
       - check-matrix
       - generate-matrix
@@ -110,21 +115,21 @@ jobs:
         run: docker pull ${{ matrix.image }}:${{ env.tag }}
 
       - name: Run Trivy Vulnerability Scanner
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         with:
           image-ref: ${{ matrix.image }}:${{ env.tag }}
           format: 'sarif'
           output: 'trivy-results.sarif'
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
         with:
           name: trivy-${{ env.escaped_filename }}.sarif
           path: trivy-results.sarif
           retention-days: 3
 
       - name: Upload Trivy Scan Results To GitHub Security Tab
-        uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3
         with:
           sarif_file: 'trivy-results.sarif'
           category: ${{ matrix.image }}:${{ env.tag }}

ADOPTERS.md

@@ -92,4 +92,5 @@ This list is sorted in the order that organizations were added to it.
 | [Zuru Tech Italy](https://zuru.tech/) | [@nello1992](https://github.com/nello1992) | We currently use Crossplane in production environments to deploy workload clusters, with more use cases across the organization to come. |
 | [Rogo](https://rogodata.com/) | [@aiell0](https://github.com/aiell0) | We use Crossplane to deploy application-specific infrastructure to multiple cloud providers in our production environments. |
 | [Arcfield](https://arcfield.com/) | [@DE-Wizard](https://github.com/DE-Wizard) | Our entire cloud architecture was redesigned from the ground up using [Crossplane](https://www.crossplane.io/) to manage the cloud resources and [Flux](https://fluxcd.io/) to manage feeding [Crossplane](https://www.crossplane.io/) with its configurations. We have architected a Control - Workload cluster configuration that spans multiple regions and providers. The combination of the 2 controllers allowed us to more tightly control environment changes and apply drift correction to mitigate manual configuration changes that may be unauthorized. Our combination covers both dev and production environments with the production environment Master Control Cluster having dominion over both in the end. |
-| [Jove](https://www.jove.com/) | [@arturkasperek](https://github.com/arturkasperek) | We use Crossplane in production environments to build a Heroku like Internal Developer Platform on top of AWS and AWS EKS. |
+| [Jove](https://www.jove.com/) | [@arturkasperek](https://github.com/arturkasperek) | We use Crossplane in production environments to build a Heroku like Internal Developer Platform on top of AWS and AWS EKS. |
+| [Alauda](https://www.alauda.io/) | [@tossmilestone](https://github.com/tossmilestone) | Our container platform product (ACP) uses Crossplane to simplify application deployment and infrastructure provisioning for our clients in production environments. |

Earthfile

@@ -3,7 +3,7 @@ VERSION --try --raw-output 0.8
 
 PROJECT crossplane/crossplane
 
-ARG --global GO_VERSION=1.22.8
+ARG --global GO_VERSION=1.23.4
 
 # reviewable checks that a branch is ready for review. Run it before opening a
 # pull request. It will catch a lot of the things our CI workflow will catch.
@@ -46,10 +46,19 @@ generate:
 
 # e2e runs end-to-end tests. See test/e2e/README.md for details.
 e2e:
+  ARG TARGETARCH
+  ARG TARGETOS
+  ARG GOARCH=${TARGETARCH}
+  ARG GOOS=${TARGETOS}
   ARG FLAGS="-test-suite=base"
-  # Docker installs faster on Alpine, and we only need Go for go tool test2json.
-  FROM golang:${GO_VERSION}-alpine3.20
-  RUN apk add --no-cache docker jq
+  # Using earthly image to allow compatibility with different development environments e.g. WSL
+  FROM earthly/dind:alpine-3.20-docker-26.1.5-r0
+  RUN wget https://dl.google.com/go/go${GO_VERSION}.${GOOS}-${GOARCH}.tar.gz
+  RUN tar -C /usr/local -xzf go${GO_VERSION}.${GOOS}-${GOARCH}.tar.gz
+  ENV GOTOOLCHAIN=local
+  ENV GOPATH /go
+  ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+  RUN apk add --no-cache jq
   COPY +helm-setup/helm /usr/local/bin/helm
   COPY +kind-setup/kind /usr/local/bin/kind
   COPY +gotestsum-setup/gotestsum /usr/local/bin/gotestsum
@@ -207,7 +216,7 @@ go-test:
 
 # go-lint lints Go code.
 go-lint:
-  ARG GOLANGCI_LINT_VERSION=v1.62.0
+  ARG GOLANGCI_LINT_VERSION=v1.62.2
   FROM +go-modules
   # This cache is private because golangci-lint doesn't support concurrent runs.
   CACHE --id go-lint --sharing private /root/.cache/golangci-lint
@@ -233,7 +242,7 @@ image:
   ARG TARGETPLATFORM
   ARG TARGETARCH
   ARG TARGETOS
-  FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static@sha256:f4a57e8ffd7ba407bdd0eb315bb54ef1f21a2100a7f032e9102e4da34fe7c196
+  FROM --platform=${TARGETPLATFORM} gcr.io/distroless/static@sha256:5c7e2b465ac6a2a4e5f4f7f722ce43b147dabe87cb21ac6c4007ae5178a1fa58
   COPY --platform=${NATIVEPLATFORM} (+go-build/crossplane --GOOS=${TARGETOS} --GOARCH=${TARGETARCH}) /usr/local/bin/
   COPY --dir cluster/crds/ /crds
   COPY --dir cluster/webhookconfigurations/ /webhookconfigurations

README.md

@@ -59,15 +59,15 @@ delivery timeline.
 
 ## Get Involved
 
-[![Slack](https://img.shields.io/badge/slack-crossplane-red?logo=slack)](https://slack.crossplane.io) [![Twitter Follow](https://img.shields.io/twitter/follow/crossplane_io?logo=X&label=Follow&style=flat)](https://twitter.com/intent/follow?screen_name=crossplane_io&user_id=788180534543339520) [![YouTube Channel Subscribers](https://img.shields.io/youtube/channel/subscribers/UC19FgzMBMqBro361HbE46Fw)](https://www.youtube.com/@Crossplane)
+[![Slack](https://img.shields.io/badge/slack-crossplane-red?logo=slack)](https://slack.crossplane.io) [![Bluesky Follow](https://img.shields.io/badge/bluesky-Follow-blue?logo=bluesky)](https://bsky.app/profile/crossplane.io) [![Twitter Follow](https://img.shields.io/twitter/follow/crossplane_io?logo=X&label=Follow&style=flat)](https://twitter.com/intent/follow?screen_name=crossplane_io&user_id=788180534543339520) [![YouTube Channel Subscribers](https://img.shields.io/youtube/channel/subscribers/UC19FgzMBMqBro361HbE46Fw)](https://www.youtube.com/@Crossplane)
 
 Crossplane is a community driven project; we welcome your contribution. To file
 a bug, suggest an improvement, or request a new feature please open an [issue
 against Crossplane] or the relevant provider. Refer to our [contributing guide]
 for more information on how you can help.
 
 * Discuss Crossplane on [Slack] or our [developer mailing list].
-* Follow us on [Twitter] or [LinkedIn], or subscribe to our [newsletter].
+* Follow us on [Bluesky], [Twitter], or [LinkedIn], or subscribe to our [newsletter].
 * Contact us via [Email].
 * Join our regular community meetings.
 * Provide feedback on our [roadmap and releases board].
@@ -120,6 +120,7 @@ Crossplane is under the Apache 2.0 license.
 [install]: https://crossplane.io/docs/latest
 [Slack]: https://slack.crossplane.io
 [developer mailing list]: https://groups.google.com/forum/#!forum/crossplane-dev
+[Bluesky]: https://bsky.app/profile/crossplane.io
 [Twitter]: https://twitter.com/crossplane_io
 [LinkedIn]: https://www.linkedin.com/company/crossplane/
 [newsletter]: https://eepurl.com/ivy4v-/

apis/apiextensions/v1alpha1/zz_generated.environment_config_types.go

@@ -24,6 +24,7 @@ import (
 )
 
 // +kubebuilder:object:root=true
+// +kubebuilder:storageversion
 // +genclient
 // +genclient:nonNamespaced