Merge branch 'main' into feat/prom-relabeling

Signed-off-by: Jonathan Gonzalez V. <[email protected]>

.github/actions/deploy-operator/action.yml

@@ -0,0 +1,16 @@
+name: Deploy the CNPG Operator
+description: Deploys the CNPG Operator to a Kubernetes cluster
+runs:
+  using: composite
+  steps:
+    - name: Deploy the operator
+      shell: bash
+      run:
+        helm dependency update charts/cloudnative-pg
+
+        helm upgrade
+        --install 
+        --namespace cnpg-system
+        --create-namespace
+        --wait
+        cnpg charts/cloudnative-pg

.github/actions/setup-kind/action.yml

@@ -0,0 +1,24 @@
+name: Setup Kind
+description: Sets up a kind cluster and installs Helm and kubectl
+outputs:
+  helm-path:
+    description: The path to the Helm binary
+    value: ${{ steps.helm.outputs.helm-path }}
+  kubectl-path:
+    description: The path to the kubectl binary
+    value: ${{ steps.kubectl.outputs.kubectl-path }}
+runs:
+  using: composite
+  steps:
+    - id: helm
+      name: Set up Helm
+      uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+      with:
+        version: v3.6.2
+
+    - id: kubectl
+      name: Install kubectl
+      uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2
+
+    - name: Create kind cluster
+      uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0

.github/actions/verify-cluster-ready/action.yml

@@ -0,0 +1,32 @@
+name: Verifies that a CNPG cluster has a certain amount of ready instances
+description: Verifies that a CNPG cluster has a certain amount of ready instances
+inputs:
+  cluster-name:
+    description: The name of the cluster to verify
+    required: true
+    default: database-cluster
+  ready-instances:
+    description: The amount of ready instances to wait for
+    required: true
+    default: "3"
+
+runs:
+  using: composite
+  steps:
+    - name: Wait for the cluster to become ready
+      shell: bash
+      run: |
+        ITER=0
+        while true; do
+          if [[ $ITER -ge 300 ]]; then
+            echo "Cluster not ready"
+            exit 1
+          fi
+          READY_INSTANCES=$(kubectl get clusters.postgresql.cnpg.io ${INPUT_CLUSTER_NAME} -o jsonpath='{.status.readyInstances}')
+          if [[ "$READY_INSTANCES" == ${INPUT_READY_INSTANCES} ]]; then
+            echo "Cluster up and running"
+            break
+          fi
+          sleep 1
+          (( ++ITER ))
+        done

.github/actions/verify-pooler-ready/action.yml

@@ -0,0 +1,32 @@
+name: Verifies that a CNPG cluster has a certain amount of ready instances
+description: Verifies that a CNPG cluster has a certain amount of ready instances
+inputs:
+  pooler-name:
+    description: The name of the pooler to verify
+    required: true
+    default: database-cluster
+  ready-instances:
+    description: The amount of ready instances to wait for
+    required: true
+    default: "3"
+
+runs:
+  using: composite
+  steps:
+    - name: Wait for the pooler to become ready
+      shell: bash
+      run: |
+        ITER=0
+        while true; do
+          if [[ $ITER -ge 300 ]]; then
+            echo "Pooler not ready"
+            exit 1
+          fi
+          READY_INSTANCES=$(kubectl get deployments.apps ${INPUT_POOLER_NAME} -o jsonpath='{.status.readyReplicas}')
+          if [[ "$READY_INSTANCES" == ${INPUT_READY_INSTANCES} ]]; then
+            echo "Pooler up and running"
+            break
+          fi
+          sleep 1
+          (( ++ITER ))
+        done

.github/workflows/lint.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
@@ -20,12 +20,12 @@ jobs:
         with:
           version: v3.4.0
 
-      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: 3.7
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -37,4 +37,4 @@ jobs:
 
       - name: Run chart-testing (lint)
         run: |
-          ct lint --target-branch=main --check-version-increment=false
+          ct lint --chart-repos cnpg-grafana=https://cloudnative-pg.github.io/grafana-dashboards --target-branch=main --check-version-increment=false

.github/workflows/release-pr.yml

@@ -1,31 +1,31 @@
-# Create a PR for a release when a commit is pushed on a release/v* branch
-
+##
+# Create a PR for a release when a commit is pushed on a release/*-v* branch to support the releases of both the
+# operator and cluster charts
 name: release-pr
 
 on:
   push:
     branches:
-    - release/*-v*
+      - release/*-v*
+
+permissions:
+  pull-requests: write
 
 jobs:
-  pull-request:
+  create-pull-request:
     runs-on: ubuntu-22.04
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
-      -
-        name: Get tag
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Create Pull Request
+        id: create-pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          echo "TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV
-      -
-        name: Pull Request
-        id: open-pr
-        uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1
-        with:
-          destination_branch: "main"
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          pr_body: "Automated PR. Will trigger the ${{ env.TAG }} release when approved."
-          pr_label: release
-          pr_title: "Release ${{ env.TAG }}"
-
+          TAG="${GITHUB_REF##*/}"
+          TITLE="Release ${TAG}"
+          BODY="Automated PR. Will trigger the ${TAG} release when approved."
+          LABEL=release
+          ASSIGNEE=${{ github.actor }}
+          gh pr create --title "${TITLE}" --body "${BODY}" --label "${LABEL}" --assignee "${ASSIGNEE}" ||
+          gh pr edit --title "${TITLE}" --body "${BODY}" --add-label "${LABEL}"

.github/workflows/release-publish.yml

@@ -2,21 +2,87 @@ name: release-publish
 
 on:
   push:
-    tags:
-      - '*-v*'
+    branches:
+      - main
+
+permissions:
+  contents: write # Required for pushing the Helm charts to the gh-pages branch
+  packages: write # Required for GHCR access
+  id-token: write # Required for signing
 
 jobs:
   release:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0 # important for fetching all history to run comparison against
+
+      - name: Fetch history
+        run: git fetch --prune
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Import PGP Private Key
+        run: |
+          echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output /tmp/keyring.gpg
+          echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > /tmp/passphrase-file.txt
+
+      - name: Set up Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
-          fetch-depth: 0
+          version: v3.14.1
+
+      - name: Add chart dependencies
+        run: |
+          helm repo add cnpg-grafana-dashboard https://cloudnative-pg.github.io/grafana-dashboards
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_KEY: [email protected]
+          CR_KEYRING: /tmp/keyring.gpg
+          CR_PASSPHRASE_FILE: /tmp/passphrase-file.txt
+          CR_SIGN: true
+          CR_SKIP_EXISTING: true
+          CR_GENERATE_RELEASE_NOTES: true
+          CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-v{{ .Version }}"
 
-      - name: Publish Helm charts
-        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
+      - name: Securely delete the PGP key and passphrase
+        if: always()
+        run: shred --remove=wipesync /tmp/keyring.gpg /tmp/passphrase-file.txt
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
-          helm_version: 3.4.0
-          token: "${{ secrets.REPO_GHA_PAT }}"
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install sigstore/cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
+      - name: Push charts to GHCR
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        # when filling gaps with previously released charts, cr would create
+        # nothing in .cr-release-packages/, and the original globbing character
+        # would be preserved, causing a non-zero exit. Set nullglob to fix this
+        run: |
+          shopt -s nullglob
+          for pkg in .cr-release-packages/*.tgz; do
+            if [ -z "${pkg:-}" ]; then
+              break
+            fi
+            helm push "${pkg}" oci://ghcr.io/"${GITHUB_REPOSITORY}"
+            file=${pkg##*/}
+            name=${file%-*}
+            version=${file%.*}
+            version=${version##*-}
+            cosign sign --yes ghcr.io/"${GITHUB_REPOSITORY}"/"${name}":"${version}"
+          done