
feat: check for codegen changes in ci#571

Merged
olzemal merged 2 commits into
mainfrom
feature/557-codegen-ci
Jun 9, 2026

Conversation


@olzemal olzemal commented Jun 2, 2026


What

Relates to #557

Checklist

  • Tests added/updated n/a
  • No breaking changes (or upgrade path documented above)
  • Readable commit history (squashed and cleaned up as desired)
  • AI code review considered and comments resolved

Summary by CodeRabbit

  • New Features

    • Introduced automated code generation verification in CI/CD pipeline.
  • Chores

    • Enhanced Go version management in CI workflows using dedicated action.
    • Extended code generation process to include Helm Chart reference documentation.
    • Updated Helm chart documentation reflecting latest etcd dependency versions.


coderabbitai Bot commented Jun 2, 2026


📝 Walkthrough

Adds a new codegen validation workflow that extracts Go version detection into a reusable composite action, refactors the golang workflow to use it, extends the Makefile to regenerate Helm documentation during code generation, and updates the auto-generated Helm chart documentation with container image and configuration changes.

Changes

Code generation automation and validation infrastructure

Layer: Golang workflow refactoring to use composite action
File(s): .github/workflows/golang.yaml
Summary: Lint job replaces inline sed-based Go version extraction with a call to ./.github/actions/get-go-version composite action, renaming the step id and updating all downstream output references.

Layer: Codegen check workflow and execution
File(s): .github/workflows/codegen.yaml
Summary: New "Codegen Check" workflow runs on push/pull_request to main/develop, derives Go version via composite action, installs Go, runs make codegen, and validates that generated files are up to date using diff-check.

Layer: Makefile codegen extension and Helm documentation
File(s): Makefile, charts/solar/README.md
Summary: The codegen target now regenerates Helm chart reference documentation via docs-helm-ref. Auto-generated Helm README removes discovery.image.* entries, bumps etcd.image.tag to v3.6.11, and removes renderer.baseURL and renderer.pushSecretName.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • trevex
  • yocaba

Poem

A rabbit hops through workflows grand, 🐰
With Go versions now close at hand,
Helm docs dance as codegen flows,
Diff-check watches all that grows!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Description check: ⚠️ Warning
  Explanation: The PR description is incomplete, missing required sections: 'Why', 'Testing', and 'Notes for reviewers' are absent or empty.
  Resolution: Add 'Why' section explaining the motivation/problem being solved (can reference issue #557), add 'Testing' section documenting how changes were tested, and add 'Notes for reviewers' if there are relevant implementation details to communicate.

Linked Issues check: ❓ Inconclusive
  Explanation: The PR adds a CI workflow to detect codegen changes, partially addressing issue #557's goal to ensure codegen runs on dependency updates, though the Renovate postUpgradeTask automation is not implemented.
  Resolution: Consider whether the codegen CI check alone satisfies #557 or if Renovate automation remains required; clarify if this is the complete solution or an interim step.

✅ Passed checks (3 passed)

Title check: ✅ Passed
  Explanation: The title accurately summarizes the main change: adding a CI check to verify code generation has been run.
Out of Scope Changes check: ✅ Passed
  Explanation: The PR includes an expected Makefile update to extend codegen, and README documentation updates appear to be auto-generated outputs from the codegen workflow.
Docstring Coverage: ✅ Passed
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@olzemal olzemal changed the title Feature/557 codegen ci feat: check for codegen changes in ci Jun 2, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/golang.yaml (1)

36-36: 💤 Low value

Consider persist-credentials: false on checkout.

This job only lints/tests and doesn't push, so the persisted GITHUB_TOKEN from checkout isn't needed. Disabling credential persistence reduces the artipacked exposure flagged by static analysis.

🔒 Proposed hardening
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
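Review bot: the `-`/`+` pair on the `uses:` line at the top of the hunk is a no-op (the two lines are byte-identical), so the effective change is only the added `with:` block; trim the hunk to the two `+` lines so the diff reads as the pure addition it is. Scope is also narrow: this hardens only the lint job's checkout in golang.yaml, while the inline comment for codegen.yaml line 15 notes that the checkout there precedes the repo-controlled `make codegen` and hack scripts, where a persisted GITHUB_TOKEN matters more; apply the same `persist-credentials: false` input there.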
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/golang.yaml at line 36, Update the actions/checkout step
(uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) to include
persist-credentials: false so the GITHUB_TOKEN is not persisted in the
workspace; modify the checkout step to add the persist-credentials: false input
under that uses entry.
🤖 Prompt for all review comments with AI agents

Inline comments:
In @.github/workflows/codegen.yaml:
- Around line 21-31: The job step "Run codegen and check for changes" currently
runs "make codegen" then only uses "git diff --exit-code" which misses brand-new
(untracked) generated files; change the check after "make codegen" to fail when
there are any modifications OR untracked files by replacing the single "git diff
--exit-code" check with a status check that considers untracked files (for
example use "git status --porcelain" and fail if its output is non-empty, or
combine "git diff --exit-code" with "git ls-files --others --exclude-standard"
so the step reports and exits non-zero when new generated files are created),
keeping the surrounding messages and listing changed/untracked filenames (use
"git diff --name-only" and "git ls-files --others --exclude-standard" to show
them).
- Line 15: Update the codegen workflow checkout step to disable persisted
credentials: locate the GitHub Actions step that uses actions/checkout@v6 (the
line with "uses: actions/checkout@de0fac2e4500...") and add the input
persist-credentials: false to that step so the runner does not retain auth
tokens when running the repo-controlled make codegen / hack scripts.

---

Nitpick comments:
In @.github/workflows/golang.yaml:
- Line 36: Update the actions/checkout step (uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) to include
persist-credentials: false so the GITHUB_TOKEN is not persisted in the
workspace; modify the checkout step to add the persist-credentials: false input
under that uses entry.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6a2c5e91-a06b-4324-b4e4-87309f5366d8

📥 Commits

Reviewing files that changed from the base of the PR and between 3f141ba and df6c480.

📒 Files selected for processing (5)
  • .github/actions/get-go-version/action.yml
  • .github/workflows/codegen.yaml
  • .github/workflows/golang.yaml
  • Makefile
  • charts/solar/README.md
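The untracked-files gap raised in the codegen.yaml inline comment above, as an added example that is not the PR's own workflow step: a POSIX shell check that fails when the generator modified tracked files or created new ones, while still honouring .gitignore. It assumes git is on PATH and that the optional first argument is a repository checkout (defaults to the current directory).

```shell
# Added example, not the PR's codegen.yaml step: a post-codegen check that fails
# when tracked files changed OR new untracked files appeared. Assumes git is in
# PATH and $1 is a checkout of the repository (defaults to the current dir).
check_codegen_clean() {
    repo="${1:-.}"
    # Tracked files with staged or unstaged modifications; this is what a bare
    # 'git diff --exit-code' would catch (plus staged edits), and nothing more.
    modified=$(git -C "$repo" status --porcelain --untracked-files=no)
    # Files the generator created that git does not track yet; --exclude-standard
    # honours .gitignore so build artefacts are not reported as drift.
    untracked=$(git -C "$repo" ls-files --others --exclude-standard)
    if [ -z "$modified" ] && [ -z "$untracked" ]; then
        return 0
    fi
    echo "Generated files are out of date; run 'make codegen' and commit the result:" >&2
    if [ -n "$modified" ]; then
        printf '%s\n' "$modified" | sed 's/^/  modified:  /' >&2
    fi
    if [ -n "$untracked" ]; then
        printf '%s\n' "$untracked" | sed 's/^/  untracked: /' >&2
    fi
    return 1
}

# Usage in a CI step: run the generator, then gate on the tree being clean.
# make codegen && check_codegen_clean
```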


coveralls commented Jun 2, 2026


Coverage Report for CI Build 27003508463

Coverage decreased (-0.7%) to 73.265%

Details

  • Coverage decreased (-0.7%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 25 coverage regressions across 2 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

25 previously-covered lines in 2 files lost coverage.

File: pkg/controller/target_controller.go, lines losing coverage: 20, coverage: 71.48%
File: pkg/controller/profile_controller.go, lines losing coverage: 5, coverage: 76.74%

Coverage Stats

Coverage Status
Relevant Lines: 3531
Covered Lines: 2587
Line Coverage: 73.27%
Coverage Strength: 40.85 hits per line

💛 - Coveralls

@olzemal olzemal marked this pull request as draft June 3, 2026 08:09
@olzemal olzemal force-pushed the feature/557-codegen-ci branch 3 times, most recently from c2600fb to a74c5d6 Compare June 5, 2026 07:25
@olzemal olzemal force-pushed the feature/557-codegen-ci branch from a74c5d6 to 897970a Compare June 5, 2026 07:27
@olzemal olzemal marked this pull request as ready for review June 5, 2026 07:28

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/golang.yaml (2)

36-36: 💤 Low value

Consider adding persist-credentials: false to the checkout action.

Static analysis flags that the checkout action doesn't explicitly set persist-credentials: false. While this workflow doesn't perform git operations that require credentials, explicitly disabling credential persistence is a security best practice that reduces attack surface.

🔒 Proposed security hardening
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - id: go-version
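Review bot: the added `with: persist-credentials: false` is correct for this job, but document the constraint it introduces: once the token is not persisted, any future step in this job that pushes or calls the GitHub API must be given a token explicitly. The comment text states the job only lints and tests, so a one-line YAML comment above the `uses:` line recording that assumption would stop a later contributor from silently re-enabling persistence. The `- id: go-version` context line is the step the inline comment flags as a broken composite-action reference; fix that pin in the same pass, since the job cannot run until it resolves.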
🤖 Prompt for AI Agents

In @.github/workflows/golang.yaml at line 36, Update the checkout step that uses
"actions/checkout@de0fac2..." to explicitly set persist-credentials: false;
modify the checkout action configuration (the step where uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd appears) to include
the persist-credentials: false input so credentials are not left in the runner
environment.

37-38: ⚡ Quick win

Consider refactoring .github/workflows/release.yaml to use the shared get-go-version composite action

golang.yaml (and codegen.yaml) uses opendefensecloud/dev-kit/.github/actions/get-go-version, but release.yaml still extracts goVersion from flake.nix via an inline sed script. Refactoring release.yaml to the composite action would centralize the parsing logic and reduce duplication/fragility.

🤖 Prompt for AI Agents

In @.github/workflows/golang.yaml around lines 37 - 38, Release workflow
currently extracts GO_VERSION with an inline "Extract go version from flake.nix"
step (step id: get-go-version) using sed; replace that inline parsing with the
shared composite action opendefensecloud/dev-kit/.github/actions/get-go-version
(same action used by golang.yaml and codegen.yaml) by swapping the sed step for
a uses: entry pointing to that composite action and adapting any outputs/step
ids that downstream steps rely on (preserve the step id get-go-version or update
references to match the new step output name).
🤖 Prompt for all review comments with AI agents

Inline comments:
In @.github/workflows/golang.yaml:
- Around line 37-38: Replace the broken composite action reference used by the
step with id "go-version" (uses:
opendefensecloud/dev-kit/.github/actions/get-go-version@9fe77282c8260284d4efdb69d19b883e52e9a4d8)
by pinning it to a valid tag/commit or correct path in the
opendefensecloud/dev-kit repository, then verify the action's action.yml still
exposes the "version" output so steps.go-version.outputs.version remains valid;
update the "uses" value accordingly and adjust any output name if the action's
contract changed.

---

Nitpick comments:
In @.github/workflows/golang.yaml:
- Line 36: Update the checkout step that uses "actions/checkout@de0fac2..." to
explicitly set persist-credentials: false; modify the checkout action
configuration (the step where uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd appears) to include
the persist-credentials: false input so credentials are not left in the runner
environment.
- Around line 37-38: Release workflow currently extracts GO_VERSION with an
inline "Extract go version from flake.nix" step (step id: get-go-version) using
sed; replace that inline parsing with the shared composite action
opendefensecloud/dev-kit/.github/actions/get-go-version (same action used by
golang.yaml and codegen.yaml) by swapping the sed step for a uses: entry
pointing to that composite action and adapting any outputs/step ids that
downstream steps rely on (preserve the step id get-go-version or update
references to match the new step output name).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f517a8e8-1975-4c97-814b-18496c8eddd4

📥 Commits

Reviewing files that changed from the base of the PR and between df6c480 and 897970a.

📒 Files selected for processing (4)
  • .github/workflows/codegen.yaml
  • .github/workflows/golang.yaml
  • Makefile
  • charts/solar/README.md
✅ Files skipped from review due to trivial changes (2)
  • Makefile
  • charts/solar/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/codegen.yaml

@olzemal olzemal force-pushed the feature/557-codegen-ci branch from 897970a to c585a0b Compare June 5, 2026 08:10
@olzemal olzemal merged commit 559d193 into main Jun 9, 2026
21 checks passed
@olzemal olzemal deleted the feature/557-codegen-ci branch June 9, 2026 06:14

4 participants