Without this patch, we'll get kubernetes updates.
This is not necessary, and could even be a problem on merge:
those kubernetes updates are done separately, knowingly,
to respect the life cycle of the kubernetes we need
(and stay one version below latest to have a larger coverage
of versions).
We could keep dependabot to update those on a lower frequency,
but that sounds clunky and not great. Instead disable them all,
and rely on the team to do this regular maintenance work.
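An added example of how this exclusion can be expressed (this is not the project's own dependabot file; the Go module path glob k8s.io/* and the weekly schedule are assumptions):

```yaml
# .github/dependabot.yaml (added example, not the project's own file)
# Assumes a Go module at the repository root and GitHub Actions workflows.
# The k8s.io/* modules are assumed to be the Kubernetes dependencies the team
# bumps by hand, one minor version behind latest, to keep cluster coverage.
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Dependabot will not open PRs for any k8s.io module; those updates are
      # done deliberately, together, when the supported version window moves.
      - dependency-name: "k8s.io/*"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

The ignore list is per ecosystem, so the github-actions section above still receives updates; only the Kubernetes client modules are left to the team's manual maintenance.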
There is a lot of duplicated code in this workflow.
This fixes it by making a unique job with parameters. The
matrix buys us the parallelisation and the fail-fast.
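An added example of the parameterised job described above (this is not the project's workflow; the Kubernetes versions, the manifest file names and the use of kubeconform for the validation step are assumptions):

```yaml
# Added example workflow, not the project's own. Versions, manifest names
# and the kubeconform validator are assumptions used to illustrate the shape.
name: on-pr
on:
  pull_request:

jobs:
  manifest-test:
    runs-on: ubuntu-latest
    strategy:
      # Stop the remaining combinations as soon as one fails: the same
      # behaviour the duplicated jobs had, without the duplication.
      fail-fast: true
      matrix:
        kubernetes: ["1.27.0", "1.28.0", "1.29.0"]
        manifest: ["kured-ds.yaml", "kured-rbac.yaml"]
    steps:
      - uses: actions/checkout@v4
      - name: Validate ${{ matrix.manifest }} against Kubernetes ${{ matrix.kubernetes }}
        # Each matrix entry runs as its own job, so the versions are checked in parallel.
        run: |
          docker run --rm -v "$PWD:/work" -w /work \
            ghcr.io/yannh/kubeconform:latest \
            -kubernetes-version "${{ matrix.kubernetes }}" \
            -strict "${{ matrix.manifest }}"
```

Adding a new Kubernetes version or manifest is then a one-line change to the matrix rather than a copied job.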
Without this patch, the lint action incorrectly reports that everything
is fine.
This is a problem, as lint effectively is not running, and
therefore we could merge broken charts.
This fixes it by updating to the latest practices you can find
in the official chart-repo-actions.
(See the official example in
i1a9640d998/.github/workflows/lint-test.yaml)
- Made all the file extensions ".yaml"
- Regrouped actions together to make it easy to see when they
are useful: on-pr is useful at every PR, on-tag when we are
ready to tag next image, on-pr-chart when we have a PR to
modify the chart with the published image, on-release when
we have released and need to publish the final helm chart
- Regrouped periodic jobs together, to deal with stale prs/issues
and ensuring that our helm chart always works.
We don't need to test with kustomize; manifest testing is good
enough, as we just test that the manifests are correct, not that
they are functional (which would require a change in the poll time).
This extends our test coverage for kured-* manifest changes on PRs,
and any eventual changes in kubernetes/kubectl on periodics.
Signed-off-by: Jean-Philippe Evrard <open-source@a.spamming.party>
In the past, we had lint issues which were merged into the code,
and/or lint changed without us adapting our code.
This should allow us to stay on top of linting issues by
highlighting them in PRs.
Without this patch, we might hold old issues and PRs for a long
time. Instead we should close them. People can reopen if necessary.
This would show that we have a proper triage process, and a proper
way to handle those.
Without this patch, there is no way we can see, in the development
process, if the image we are about to publish is insecure.
This is a problem as we might be releasing new versions of kured
with an outdated base image which contains vulnerabilities.
This fixes it by creating a job which will show any eventual
vulnerability.
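An added example of such a job (this is not the project's workflow; the image tag, the Dockerfile location, the trivy-action inputs and the choice to fail the job on CRITICAL/HIGH findings are assumptions):

```yaml
# Added example job, not the project's own. Assumes a Dockerfile at the
# repository root; the tag, severity filter and action version are assumptions.
  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build the candidate image
        run: docker build -t kured:ci .
      - name: Scan the image for known vulnerabilities
        # Pin this to a release tag or commit SHA in a real workflow.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: kured:ci
          format: table
          # Findings in the base image with no fixed version yet are noise
          # for the reviewer; drop them and keep the actionable ones.
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          # Non-zero exit turns the finding into a red check on the PR
          # instead of a line buried in the job log.
          exit-code: "1"
```

Scanning the freshly built image rather than the base image alone also catches vulnerable Go modules compiled into the binary, not only outdated OS packages.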
Without this patch, we don't test on release whether kured actually
works and behaves well.
This is a problem, as a functional issue could have been hidden by
a recent change, as our testing is minimalist (only tests the
usability, not the functionality).
Instead of testing manually, we should ensure this in CI.
This fixes it by adding a github action which tests the previously
built artifacts before publishing a release. The job consumes the helm
chart in our code tree (note: this relies on the last released image),
and runs a functional test triggering a coordinated restart of a
whole 5-node cluster deployed with kind, through github actions.
Note: The github action needs to reset docker configuration, else
the reboot of the node (a docker container in kind) will fail.
It will be correctly triggered, but the node will not come back up,
with its systemd log mentioning: "Failed to attach 1 to compat systemd cgroup".