delivery: alpha release review

.dmtlint.yaml

@@ -0,0 +1,27 @@
+linters-settings:
+  openapi:
+    exclude-rules:
+      enum:
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.sts.properties.provider"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.provider"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.provider"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.sts.properties.provider"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.upgrade.properties.remediation.properties.strategy.properties"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.uninstall.properties.deletionPropagation"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.driftDetection.properties.mode"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.upgrade.properties.remediation.properties.strategy"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.chart.properties.spec.properties.verify.properties.provider"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.status.properties.lastAttemptedReleaseAction"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.chart.properties.spec.properties.verify.properties.provider"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.driftDetection.properties.mode"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.postRenderers.items.properties.kustomize.properties.patchesJson6902.items.properties.patch.items.properties.op"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.uninstall.properties.deletionPropagation"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.upgrade.properties.remediation.properties.strategy"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.status.properties.lastAttemptedReleaseAction"
+        - "properties.logLevel"
+        - "properties.logFormat"
+  rbac:
+    exclude-rules:
+      wildcards:
+        - kind: ClusterRole
+          name: d8:operator-helm:helm-controller

.github/workflows/build_dev.yml

@@ -0,0 +1,232 @@
+name: Build and Push for Dev
+
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: |
+          Pull request number, like 563, or leave empty and choose a branch
+          For branches main, release-*, tag will be generated as branch name
+        required: false
+        type: number
+      svace_enabled:
+        description: "Enable svace build"
+        type: boolean
+        required: false
+  pull_request:
+    types: [opened, reopened, synchronize, labeled, unlabeled]
+  push:
+    branches:
+      - main
+      - release-*
+    tags:
+      - "v*"
+
+jobs:
+  lint:
+    runs-on: [self-hosted, large]
+    continue-on-error: true
+    name: Lint
+    steps:
+      - uses: actions/checkout@v4
+      - uses: deckhouse/modules-actions/lint@main
+        env:
+          DMT_METRICS_URL: ${{ secrets.DMT_METRICS_URL }}
+          DMT_METRICS_TOKEN: ${{ secrets.DMT_METRICS_TOKEN }}
+
+  lint_go:
+    runs-on: [self-hosted, large]
+    name: Run golangci-lint
+    steps:
+      - name: Set up Go ${{ vars.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: "${{ vars.GO_VERSION }}"
+
+      - uses: actions/checkout@v4
+
+      - name: Install golangci-lint
+        run: |
+          echo "Installing golangci-lint..."
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v${{ vars.GOLANGCI_LINT_VERSION}}
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+          echo "golangci-lint v${{ vars.GOLANGCI_LINT_VERSION}} installed successfully!"
+
+      - name: Run golangci-lint in every directory with .golangci.yaml
+        shell: bash
+        run: |
+          # set -eo pipefail
+          set -e
+
+          # Find directories containing .golangci.yaml
+          mapfile -t config_dirs < <(
+            find . \
+              -type f -name '.golangci.yaml' -printf '%h\0' | \
+            xargs -0 -n1 | sort -u
+          )
+          count=${#config_dirs[@]}
+          echo "::notice title=Lint Setup::🔍 Found $count directories with linter configurations"
+
+          report=""
+          error_count=0
+
+          for dir in "${config_dirs[@]}"; do
+            find_errors=0
+            cd "$dir" || { echo "::error::Failed to access directory $dir"; continue; }
+
+            if ! output=$(golangci-lint run); then
+              error_count=$(( error_count + 1 ))
+              echo "::group::📂 Linting directory ❌: $dir"
+              echo -e "❌ Errors:\n$output\n"
+            else
+              echo "::group::📂 Linting directory ✅: $dir"
+              echo -e "✅ All check passed\n"
+            fi
+
+            cd - &>/dev/null
+
+            echo "::endgroup::"
+          done
+
+          has_errors=$( [[ "$error_count" -gt 0 ]] && echo true || echo false)
+          echo "has_errors=$has_errors" >> "$GITHUB_OUTPUT"
+
+          if [ $error_count -gt 0 ]; then
+            echo "$error_count error more than 0, exit 1"
+            exit 1
+          fi
+
+  build_dev:
+    runs-on: [self-hosted, large]
+    name: Build and Push images
+    outputs:
+      MODULES_MODULE_TAG: ${{ steps.modules_module_tag.outputs.MODULES_MODULE_TAG }}
+    steps:
+      - name: Set vars
+        id: modules_module_tag
+        run: |
+          if [[ "${{ github.ref_name }}" == 'main' ]]; then
+            MODULES_MODULE_TAG="${{ github.ref_name }}"
+          elif [[ "${{ github.ref_name }}" =~ ^v[0-9]+\.[0-9]+ ]]; then
+            MODULES_MODULE_TAG="${{ github.ref_name }}"
+          elif [[ -n "${{ github.event.pull_request.number }}" ]]; then
+            MODULES_MODULE_TAG="pr${{ github.event.pull_request.number }}"
+          elif [[ -n "${{ github.event.inputs.pr_number }}" ]]; then
+            MODULES_MODULE_TAG="pr${{ github.event.inputs.pr_number }}"
+          else
+            echo "::error title=Module image tag is required::Can't detect module tag from workflow context. Dev build uses branch name as tag for main and release branches, and PR number for builds from pull requests. Check workflow for correctness."
+            exit 1
+          fi
+
+          echo "MODULES_MODULE_TAG=$MODULES_MODULE_TAG" >> "$GITHUB_OUTPUT"
+
+      - uses: actions/checkout@v4
+
+      - uses: deckhouse/modules-actions/setup@main
+        with:
+          registry: ${{ vars.DEV_REGISTRY }}
+          registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+          registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+
+      - uses: deckhouse/modules-actions/build@main
+        with:
+          module_source: dev-registry.deckhouse.io/sys/deckhouse-oss/modules
+          module_name: ${{ vars.MODULES_MODULE_NAME }}
+          module_tag: ${{ steps.modules_module_tag.outputs.MODULES_MODULE_TAG }}
+          svace_enabled: false
+
+  show_dev_manifest:
+    runs-on: [self-hosted, large]
+    name: Show manifest
+    needs: build_dev
+    steps:
+      - name: Show dev config
+        run: |
+          cat << OUTER
+          Create ModuleConfig and ModulePullOverride resources to test this MR:
+
+          cat <<EOF | kubectl apply -f -
+          ---
+          apiVersion: deckhouse.io/v1alpha1
+          kind: ModulePullOverride
+          metadata:
+            name: ${{ vars.MODULES_MODULE_NAME }}
+          spec:
+            imageTag: ${{ needs.build_dev.outputs.MODULES_MODULE_TAG }}
+            source: deckhouse
+
+          ---
+          apiVersion: deckhouse.io/v1alpha1
+          kind: ModuleConfig
+          metadata:
+            name: ${{ vars.MODULES_MODULE_NAME }}
+          spec:
+            enabled: true
+          EOF
+
+          Or patch an existing ModulePullOverride:
+
+          kubectl patch mpo ${{ vars.MODULES_MODULE_NAME }} --type merge -p '{"spec":{"imageTag":"${{ needs.build_dev.outputs.MODULES_MODULE_TAG }}"}}'
+
+          OUTER
+
+  cve_scan_on_pr:
+    name: Trivy images check
+    runs-on: [self-hosted, large]
+    needs:
+      - build_dev
+    steps:
+      - uses: actions/checkout@v4
+      - uses: deckhouse/modules-actions/cve_scan@v6
+        with:
+          tag: ${{needs.build_dev.outputs.modules_module_tag}}
+          tag_type: dev
+          module_name: ${{ vars.MODULES_MODULE_NAME }}
+          dd_url: ${{ vars.DEFECTDOJO_HOST }}
+          dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
+          prod_registry: ${{ vars.TRIVY_REGISTRY }}
+          prod_registry_user: ${{ secrets.PROD_READ_REGISTRY_USER }}
+          prod_registry_password: ${{ secrets.PROD_READ_REGISTRY_PASSWORD }}
+          dev_registry: ${{ vars.DEV_REGISTRY }}
+          dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+          dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+          deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
+
+  e2e_tests:
+    name: Run e2e tests
+    runs-on: [self-hosted, large]
+    needs: build_dev
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          cache: true
+          go-version-file: tests/e2e/go.mod
+
+      - name: Install Task
+        uses: arduino/setup-task@v2
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install ginkgo
+        run: task --yes -p e2e:deps:install:ginkgo
+
+      - name: Setup kind with module operator-helm enabled
+        run: task --yes -p e2e:kind:ci:setup
+        env:
+          KIND_CLUSTER_NAME: d8-operator-helm-${{ github.run_number }}
+          MODULE_TAG_NAME: ${{ needs.build_dev.outputs.modules_module_tag }}
+          DEV_REGISTRY_DOCKER_CONFIG: ${{ secrets.DEV_REGISTRY_DOCKER_CONFIG }}
+
+      - name: Run e2e tests
+        run: task --yes -p e2e:tests
+        env:
+          KIND_CLUSTER_NAME: d8-operator-helm-${{ github.run_number }}
+
+      - name: Delete kind cluster
+        run: task --yes -p e2e:kind:ci:cleanup
+        env:
+          KIND_CLUSTER_NAME: d8-operator-helm-${{ github.run_number }}
+        if: always()

.github/workflows/cve_scan_daily.yml

@@ -0,0 +1,56 @@
+# Copyright 2025 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Daily CVE tests"
+on:
+    schedule:
+        # Run at 2:00 every night (UTC).
+        - cron: "0 02 * * *"
+    workflow_dispatch:
+        inputs:
+            tag_type:
+                type: choice
+                description: Tag type
+                required: false
+                options:
+                    - release
+                    - dev
+            tag_name:
+                description: "release version in semver minor format (example: 1.68) or specified tag from dev registry"
+                required: false
+
+concurrency:
+    group: cve-daily
+
+jobs:
+    cve_scan_daily:
+        name: Trivy images check
+        runs-on: [self-hosted, large]
+        steps:
+            - uses: actions/checkout@v4
+            - uses: deckhouse/modules-actions/cve_scan@v6
+              with:
+                  tag: ${{ github.event.inputs.tag_name || 'main' }}
+                  tag_type: ${{ github.event.inputs.tag_type }}
+                  module_name: ${{ vars.MODULES_MODULE_NAME }}
+                  dd_url: ${{ vars.DEFECTDOJO_HOST }}
+                  dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
+                  prod_registry: ${{ vars.TRIVY_REGISTRY }}
+                  prod_registry_user: ${{ secrets.PROD_READ_REGISTRY_USER }}
+                  prod_registry_password: ${{ secrets.PROD_READ_REGISTRY_PASSWORD }}
+                  dev_registry: ${{ vars.DEV_REGISTRY }}
+                  dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+                  dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+                  deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
+                  latest_releases_amount: 5

.github/workflows/deploy_dev.yml

@@ -0,0 +1,39 @@
+name: Deploy Dev
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_channel:
+        description: "Select the release channel"
+        type: choice
+        default: alpha
+        options:
+          - "alpha"
+          - "beta"
+          - "early-access"
+          - "stable"
+          - "rock-solid"
+      tag:
+        description: "Tag of the module, e.g., v1.21.1"
+        type: string
+        required: true
+
+jobs:
+  deploy:
+    runs-on: [self-hosted, large]
+    name: Deploy the module
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: deckhouse/modules-actions/setup@main
+        with:
+          registry: ${{ vars.DEV_REGISTRY }}
+          registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+          registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+
+      - uses: deckhouse/modules-actions/deploy@main
+        with:
+          module_source: dev-registry.deckhouse.io/sys/deckhouse-oss/modules
+          module_name: ${{ vars.MODULES_MODULE_NAME }}
+          module_tag: ${{ github.event.inputs.tag }}
+          release_channel: ${{ github.event.inputs.release_channel }}