Changes from 8 commits
3 changes: 3 additions & 0 deletions .github/.release-please-manifest.json
@@ -0,0 +1,3 @@
{
".": "3.7.0"
}
5 changes: 5 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
@@ -1,3 +1,8 @@
<!--
PR titles must follow Conventional Commits format: https://www.conventionalcommits.org
Examples: feat: add X | fix: correct Y | chore: update Z | docs: improve W
-->

<!--
Thank you for contributing to Fluent Operator!
Your commits need to follow DCO: https://probot.github.io/apps/dco/
21 changes: 21 additions & 0 deletions .github/release-please-config.json
@@ -0,0 +1,21 @@
{
"$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
"release-type": "simple",
"extra-files": [
{
"type": "yaml",
"path": "charts/fluent-operator/Chart.yaml",
"jsonpath": "$.appVersion"
},
{
"type": "yaml",
"path": "charts/fluent-operator-fluent-bit-crds/Chart.yaml",
"jsonpath": "$.appVersion"
},
{
"type": "yaml",
"path": "charts/fluent-operator-fluentd-crds/Chart.yaml",
"jsonpath": "$.appVersion"
}
]
}
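Review bot: `extra-files` stamps `appVersion` in the three charts but leaves each chart's own `version` field untouched; if the charts are published on every release, `version` has to advance as well (Helm requires a distinct chart version per published chart), otherwise a short comment in the PR description saying that chart versions are bumped separately would help the next reviewer. With `"release-type": "simple"`, release-please maintains `version.txt` at the repository root, which is the file the Makefile and the upload workflow in this PR read; it should exist and hold `3.7.0` so it agrees with `.release-please-manifest.json`.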
19 changes: 0 additions & 19 deletions .github/workflows/main.yaml
@@ -134,22 +134,3 @@ jobs:

- name: Run build all binaries
run: make binary

# docker-build:
# runs-on: ubuntu-22.04
# timeout-minutes: 30
# name: Docker amd64 build
# steps:
# - name: Checkout code
# uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# with:
# fetch-depth: 0

# - name: Install Go
# uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
# with:
# go-version-file: go.mod
# cache-dependency-path: go.sum

# - name: Run docker build
# run: make build-amd64
48 changes: 48 additions & 0 deletions .github/workflows/pr-title-lint.yaml
@@ -0,0 +1,48 @@
name: Lint PR Title

on:
pull_request_target:
This is always a concern so let's make sure we're secure with it - it's part of the recent supply chain attacks.

I think we should at least comment why it is required and the mitigations in place for future reviews/changes to ensure we do not open things up.

Collaborator Author
Thanks for calling this out -- this is a valid concern.

One key thing here to call out is that this workflow is not checking out any code (e.g., using actions/checkout), which is what allowed attacker-controlled code execution in the mentioned supply chain attacks.

I have attempted to harden this workflow a bit in 55357df:

  • Added a comment about the need for pull_request_target and a warning against adding checkout functionality to the workflow
  • Removed the synchronize type since PR title changes only occur on opened, reopened and edited events. The synchronize type fires on every new commit push and is unnecessary for this use-case
  • Removed top-level permissions and only grant needed access at the job-level to prevent accidental inheritance
  • Added a CODEOWNERS so that only users who are "Admins" of this repo can modify files in the .github/ directory

types:
- opened
- reopened
- edited
- synchronize

permissions:
pull-requests: write

jobs:
lint:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
id: lint_pr_title
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
if: always() && (steps.lint_pr_title.outputs.error_message != null)
with:
header: pr-title-lint-error
message: |
Thank you for your pull request! :wave:

Your PR title needs to follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) format so it can be included correctly in the changelog.

**Examples of valid titles:**
- `feat: add support for new filter plugin`
- `fix: correct nil pointer in controller reconcile`
- `chore: update dependencies`
- `docs: improve installation guide`

**Details:**
```
${{ steps.lint_pr_title.outputs.error_message }}
```

- uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
if: ${{ steps.lint_pr_title.outputs.error_message == null }}
with:
header: pr-title-lint-error
delete: true
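Review bot: As displayed, the hunk still carries the top-level `permissions:` block and the `synchronize` trigger type that the author's comment above says were removed in 55357df, so this snapshot predates the hardening; please confirm the final revision has `permissions` only under the `lint` job and `types` reduced to `opened`, `reopened` and `edited`. The invariant that matters most, that a `pull_request_target` workflow never runs `actions/checkout` or anything else taken from the PR head, should be written as a comment directly above `pull_request_target:` so a future edit cannot add a checkout step without reading the warning. Both third-party actions are pinned to full commit SHAs with version comments, which is the right practice for a workflow that holds write permissions while handling fork PRs. One smaller point: `${{ steps.lint_pr_title.outputs.error_message }}` is supplied through a `with:` input rather than a `run:` script, so it is not shell-interpolated; keep it that way, since the error text can echo the contributor-chosen PR title.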
27 changes: 27 additions & 0 deletions .github/workflows/release-please.yaml
@@ -0,0 +1,27 @@
name: Release

on:
push:
branches:
- master
workflow_dispatch:
inputs:
release-as:
description: 'Override the next release version (e.g. 3.8.0). Leave empty for automatic versioning from conventional commits.'
required: false
type: string

permissions:
The docs suggest it needs issues: write as well so do we (and if not maybe indicate why)?

Collaborator Author
From what I understand: release-please <4.0 did use "issues" to track the release process, but >=4.0 removed the issue-based workflow and only uses PRs/git tags for driving the release process.

contents: write
pull-requests: write

jobs:
release-please:
runs-on: ubuntu-latest
steps:
- uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
Thanks for this, had a hand crafted approach for our stuff so useful to know.

with:
token: ${{ secrets.GITHUB_TOKEN }}
config-file: .github/release-please-config.json
manifest-file: .github/.release-please-manifest.json
release-as: ${{ inputs.release-as }}
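Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` has a known consequence: GitHub does not start new workflow runs for events created with the repository's default `GITHUB_TOKEN`, so the release PR that release-please opens will not receive the PR title lint or CI checks, and the release it publishes will not fire the `release: published` trigger that `upload-release-assets.yaml` in this PR depends on. Either perform the asset upload in this same job, guarded by the action's `release_created` output, or supply a GitHub App installation token (or a PAT with the narrowest scope) so downstream workflows run. On the permissions question above: `contents: write` and `pull-requests: write` are what the tag-and-PR flow needs; a one-line comment stating that `issues: write` is deliberately omitted would spare the next reviewer the same lookup. `release-as: ${{ inputs.release-as }}` is passed as an action input, not into a shell, which is fine; do keep in mind that anyone permitted to dispatch the workflow can force an arbitrary version string with it.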
136 changes: 0 additions & 136 deletions .github/workflows/release-tool.yaml

This file was deleted.

33 changes: 33 additions & 0 deletions .github/workflows/upload-release-assets.yaml
@@ -0,0 +1,33 @@
name: Upload Release Assets

on:
release:
types: [published]

permissions:
contents: write

jobs:
upload-assets:
name: Upload setup.yaml
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.release.tag_name }}

- name: Read version
id: version
run: echo "version=$(cat version.txt)" >> $GITHUB_OUTPUT

- name: Stamp image tag in setup.yaml
run: |
sed -i \
's|ghcr.io/fluent/fluent-operator/fluent-operator:latest|ghcr.io/fluent/fluent-operator/fluent-operator:v${{ steps.version.outputs.version }}|g' \
manifests/setup/setup.yaml

- name: Upload setup.yaml to release
run: gh release upload "${{ github.event.release.tag_name }}" manifests/setup/setup.yaml --clobber
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
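Review bot: Two `run:` steps interpolate workflow expressions straight into shell text: `gh release upload "${{ github.event.release.tag_name }}"` and the `sed` script that embeds `${{ steps.version.outputs.version }}`. Both values are trusted in practice (the tag is created by release-please under `contents: write`, and `version.txt` is read from the checked-out tag), but the safer idiom is to pass them via `env:` and reference `"$TAG"` / `"$VERSION"` inside the script so the shell never sees an expanded expression. `ref: ${{ github.event.release.tag_name }}` on the checkout step is a `with:` input and is fine as written. The `sed` substitution also assumes `version.txt` holds the bare number (`3.7.0`, matching the manifest) and that the release tag carries the `v` prefix; a guard that `v$(cat version.txt)` equals the release tag before uploading would catch drift between the two. Separately, this workflow's `release: published` trigger will not fire for a release created with the default `GITHUB_TOKEN`, so confirm the token used by the release workflow actually starts this run.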
2 changes: 1 addition & 1 deletion Makefile
@@ -6,7 +6,7 @@ MAKEFLAGS = --warn-undefined-variables
SHELL = /usr/bin/env bash -o pipefail
.SHELLFLAGS = -ec

VERSION ?= $(shell cat VERSION | tr -d " \t\n\r")
VERSION ?= $(shell cat version.txt | tr -d " \t\n\r")
FB_VERSION?=$(shell grep -v '^#' cmd/fluent-watcher/fluentbit/VERSION | tr -d " \t\n\r")
# Image URL to use all building/pushing image targets
FB_IMG ?= ghcr.io/fluent/fluent-operator/fluent-bit:v${FB_VERSION}
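Review bot: `cat version.txt` matches the file that release-please's `simple` type maintains, but the removal of the old `VERSION` file, and a note for contributors that `version.txt` is tool-managed and not hand-edited, are not among the shown changes; confirm they are handled so two version sources cannot drift. `FB_VERSION` still reads `cmd/fluent-watcher/fluentbit/VERSION`, presumably intentional since it tracks the bundled fluent-bit version rather than the operator's.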
6 changes: 3 additions & 3 deletions README.md
@@ -133,17 +133,17 @@ Kubernetes v1.16.13+ is necessary for running Fluent Operator.
Install the latest stable version

```shell
kubectl apply -f https://raw.githubusercontent.com/fluent/fluent-operator/release-3.7/manifests/setup/setup.yaml
kubectl apply -f https://github.com/fluent/fluent-operator/releases/latest/download/setup.yaml
Does this work now? It used to intercept and provide you with HTML if you did not use the raw endpoint

Collaborator Author
Yeah - it looks like it does work now. I wonder if this recently changed. I do recall exactly what you're talking about.


# You can change the namespace in manifests/setup/kustomization.yaml in corresponding release branch
# You can change the namespace in manifests/setup/kustomization.yaml
# and then use command below to install to another namespace
# kubectl kustomize manifests/setup/ | kubectl apply -f -
```

Install the development version

```shell
kubectl apply -f https://raw.githubusercontent.com/fluent/fluentbit-operator/master/manifests/setup/setup.yaml
kubectl apply -f https://raw.githubusercontent.com/fluent/fluent-operator/master/manifests/setup/setup.yaml

# You can change the namespace in manifests/setup/kustomization.yaml
# and then use command below to install to another namespace
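Review bot: `releases/latest/download/setup.yaml` only resolves once `upload-release-assets.yaml` has attached the file to the release, so if that workflow does not run for a given release (for example because the release was created with the default `GITHUB_TOKEN`, which does not trigger downstream workflows) users get a 404 rather than a stale manifest; worth verifying end to end on the first release cut with this pipeline. `latest` is also a moving target: the documented command applies whatever the newest release contains with no pinning, so please also show the pinned form `https://github.com/fluent/fluent-operator/releases/download/v<version>/setup.yaml` for users who need reproducible, reviewable installs. The `fluentbit-operator` to `fluent-operator` repository correction in the development URL is a good catch.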