ThinkParQ · iamjoemccormick · Apr 22, 2025 · Apr 21, 2025 · Apr 21, 2025 · Apr 21, 2025
diff --git a/.github/workflows/build-test-publish.yaml b/.github/workflows/build-test-publish.yaml
@@ -44,7 +44,7 @@ env:
 
 jobs:
   build-test-and-push-images:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     timeout-minutes: 10
     permissions:
       packages: write
@@ -58,7 +58,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.23.2
+          go-version-file: go.mod
       # Dependencies are cached by default: https://github.com/actions/setup-go#v4
       # This can be explicitly disabled if it ever causes problems.
 
@@ -71,8 +71,7 @@ jobs:
 
       - name: Install test dependencies
         run: |
-          go install github.com/onsi/ginkgo/v2/ginkgo@v2.4.0
-          go install github.com/google/go-licenses@v1.6.0
+          make install-tools
         timeout-minutes: 5
 
       - name: Verify license compliance and the NOTICE file is updated
@@ -267,15 +266,15 @@ jobs:
           make -e IMG=${{ steps.determine_image_name.outputs.OPERATOR_IMAGE }}:${{ github.sha }} -e BUNDLE_IMG=${{ env.OPERATOR_TEST_BUNDLE_NAME }}:${{ github.sha }} bundle bundle-build bundle-push
 
   e2e-tests:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     timeout-minutes: 10
     needs: build-test-and-push-images
     if: github.event_name == 'pull_request'
     strategy:
       fail-fast: true
       matrix:
-        k8s-version: [1.27.11, 1.28.7, 1.29.10, 1.30.6, 1.31.2]
-        beegfs-version: [7.3.4, 7.4.5]
+        k8s-version: [1.29.15, 1.30.11, 1.31.7, 1.32.3]
+        beegfs-version: [7.4.6]
     permissions:
       packages: read
       contents: read
@@ -288,31 +287,19 @@ jobs:
           driver: none
           kubernetes-version: ${{ matrix.k8s-version }}
 
-      # Starting with BeeGFS 7.4.1 the container registry used to host BeeGFS images switched from DockerHub
-      # to ghcr.io. This can be removed once we no longer test with BeeGFS 7.3.4.
-      - name: Determine BeeGFS image registry
-        id: determine_registry
-        run: |
-          if [ "${{ matrix.beegfs-version }}" = "7.3.4" ]; then
-            echo "BEEGFS_REGISTRY=beegfs/" >> $GITHUB_OUTPUT
-          else
-            echo "BEEGFS_REGISTRY=ghcr.io/thinkparq/" >> $GITHUB_OUTPUT      
-          fi
-
       - name: Deploy BeeGFS ${{ matrix.beegfs-version }} for testing
         run: |
           export BEEGFS_VERSION=$(echo ${{ matrix.beegfs-version }})
           export BEEGFS_SECRET=$(echo ${{ secrets.CONN_AUTH_SECRET }})
-          export BEEGFS_REGISTRY=$(echo ${{ steps.determine_registry.outputs.BEEGFS_REGISTRY }})
           envsubst < test/env/beegfs-ubuntu/beegfs-fs-1.yaml | kubectl apply -f -
           kubectl get pods -A
 
       # TODO: Cache BeeGFS packages https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows
       # https://stackoverflow.com/questions/59269850/caching-apt-packages-in-github-actions-workflow
       - name: Install the BeeGFS ${{ matrix.beegfs-version }} DKMS client
         run: |
-          sudo wget -P /etc/apt/sources.list.d/. https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/dists/beegfs-focal.list
-          sudo wget -q https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/gpg/GPG-KEY-beegfs -O- | sudo apt-key add -
+          sudo wget -P /etc/apt/sources.list.d/. https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/dists/beegfs-jammy.list
+          sudo wget https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/gpg/GPG-KEY-beegfs -O /etc/apt/trusted.gpg.d/beegfs.asc
           sudo apt-get update && sudo apt-get install beegfs-client-dkms beegfs-helperd beegfs-utils -y
           sudo sed -i 's/connDisableAuthentication = false/connDisableAuthentication = true/' /etc/beegfs/beegfs-helperd.conf
           sudo systemctl start beegfs-helperd && sudo systemctl enable beegfs-helperd
@@ -372,15 +359,15 @@ jobs:
           fi
 
   operator-e2e-tests:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     timeout-minutes: 10
     needs: build-test-and-push-images
     if: github.event_name == 'pull_request'
     strategy:
       fail-fast: true
       matrix:
-        k8s-version: [1.27.11, 1.28.7, 1.29.10, 1.30.6, 1.31.2]
-        beegfs-version: [7.3.4, 7.4.5]
+        k8s-version: [1.29.15, 1.30.11, 1.31.7, 1.32.3]
+        beegfs-version: [7.4.6]
     permissions:
       packages: read
       contents: read
@@ -423,24 +410,12 @@ jobs:
           chmod +x install.sh
           ./install.sh v0.25.0
 
-      # Starting with BeeGFS 7.4.1 the container registry used to host BeeGFS images switched from DockerHub
-      # to ghcr.io. This can be removed once we no longer test with BeeGFS 7.3.4.
-      - name: Determine BeeGFS image registry
-        id: determine_registry
-        run: |
-          if [ "${{ matrix.beegfs-version }}" = "7.3.4" ]; then
-            echo "BEEGFS_REGISTRY=beegfs/" >> $GITHUB_OUTPUT
-          else
-            echo "BEEGFS_REGISTRY=ghcr.io/thinkparq/" >> $GITHUB_OUTPUT      
-          fi
-
       # Test using a base64 encoded secret for the Operator based deployment to
       # ensure the broadest coverage for how we handle base64 encoded secrets.
       - name: Deploy BeeGFS ${{ matrix.beegfs-version }} for testing and expose as a service to the host OS
         run: |
           export BEEGFS_VERSION=$(echo ${{ matrix.beegfs-version }})
           export BEEGFS_SECRET=$(echo ${{ secrets.CONN_AUTH_BASE64_SECRET }})
-          export BEEGFS_REGISTRY=$(echo ${{ steps.determine_registry.outputs.BEEGFS_REGISTRY }})
           envsubst < test/env/beegfs-ubuntu/beegfs-fs-2.yaml | kubectl apply -f -
 
           MAX_ATTEMPTS=36
@@ -480,18 +455,21 @@ jobs:
       # https://stackoverflow.com/questions/59269850/caching-apt-packages-in-github-actions-workflow
       - name: Install the BeeGFS ${{ matrix.beegfs-version }} DKMS client
         run: |
-          sudo wget -P /etc/apt/sources.list.d/. https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/dists/beegfs-focal.list
-          sudo wget -q https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/gpg/GPG-KEY-beegfs -O- | sudo apt-key add -
+          sudo wget -P /etc/apt/sources.list.d/. https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/dists/beegfs-jammy.list
+          sudo wget https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/gpg/GPG-KEY-beegfs -O /etc/apt/trusted.gpg.d/beegfs.asc
           sudo apt-get update && sudo apt-get install beegfs-client-dkms beegfs-helperd beegfs-utils -y
           sudo sed -i 's/connDisableAuthentication = false/connDisableAuthentication = true/' /etc/beegfs/beegfs-helperd.conf
           sudo systemctl start beegfs-helperd && sudo systemctl enable beegfs-helperd
 
+      # Remove all third-party APT sources then only add back the BeeGFS sources. This prevents
+      # broken or expired keys from blocking `apt-get update` and optimizes the update.
       - name: Install BeeGFS ${{ matrix.beegfs-version }} beegfs-ctl tool into the Minikube container
         run: |
+          minikube ssh "sudo rm -f /etc/apt/sources.list.d/*"
           minikube ssh "sudo apt-get update"
           minikube ssh "sudo apt-get install wget -y"
-          minikube ssh "sudo wget -q https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/gpg/GPG-KEY-beegfs -O- | sudo apt-key add -"
-          minikube ssh "sudo wget -P /etc/apt/sources.list.d/ https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/dists/beegfs-focal.list"
+          minikube ssh "sudo wget https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/gpg/GPG-KEY-beegfs -O /etc/apt/trusted.gpg.d/beegfs.asc"
+          minikube ssh "sudo wget -P /etc/apt/sources.list.d/ https://www.beegfs.io/release/beegfs_${{ matrix.beegfs-version }}/dists/beegfs-jammy.list"
           minikube ssh "sudo apt-get update"
           minikube ssh "sudo apt-get install beegfs-utils -y"
 
@@ -557,7 +535,7 @@ jobs:
   # We'll keep around a few old test packages to (a) avoid deleting image for workflows running in parallel,
   # and (b) it may be useful to pull a package to troubleshoot workflow failures.
   cleanup-test-images:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     timeout-minutes: 3
     needs: [build-test-and-push-images, e2e-tests, operator-e2e-tests]
     if: always()

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -52,9 +52,9 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.23.2
+          go-version-file: go.mod
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml
@@ -0,0 +1,113 @@
+name: Contributor Verification
+
+# This workflow serves two purposes:
+# * Verifies all commit authors/committers have signed the ThinkParQ CLA.
+# * Verified all commits are made using expected names+email addresses to avoid a contributor
+#   accidentally leaking their private information (i.e., forgetting to use a GitHub noreply email).
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # Ensure we have the full commit history for this PR
+      - name: Verify the creator of this PR has signed the ThinkParQ contributor license agreement (CLA)
+        env:
+          APPROVED_CONTRIBUTORS: ${{ vars.APPROVED_CONTRIBUTORS }}
+        run: |
+          PR_USER="${{ github.event.pull_request.user.login }}"
+          echo "Pull request created by '$PR_USER'"
+
+          # APPROVED_CONTRIBUTORS is expected as a space-separated list (name1, name2, ...)
+          ALLOWED_USERS="$APPROVED_CONTRIBUTORS"
+          IS_ALLOWED=false
+
+          for user in $ALLOWED_USERS; do
+            if [ "$user" = "$PR_USER" ]; then
+              IS_ALLOWED=true
+              break
+            fi
+          done
+
+          if [ "$IS_ALLOWED" = "false" ]; then
+            echo "::error::User '$PR_USER' has not yet signed the ThinkParQ contributor license agreement. Please contact info@thinkparq.com to get started."
+            exit 1
+          else
+            echo "::notice::User '$PR_USER' has signed the ThinkParQ contributor license agreement."
+          fi
+      - name: Verify all commits were made by known committers using their expected names and emails
+        env:
+          # Fine to print the list of approved committers in the logs because it only contains a
+          # list of names and emails that should be allowed in commits.
+          APPROVED_COMMITTERS: ${{ vars.APPROVED_COMMITTERS }}
+        run: |
+          # Determine base branch for this PR
+          BASE_REF="${{ github.event.pull_request.base.ref }}"
+          echo "Base branch is $BASE_REF"
+
+          # Gather the commits that are unique to this PR
+          COMMITS=$(git log "origin/$BASE_REF..HEAD" --pretty=format:"%H")
+
+          if [ -z "$COMMITS" ]; then
+            echo "No new commits found (maybe this PR is empty?)."
+            exit 0
+          fi
+
+          echo "Analyzing commits in this PR:"
+          echo "$COMMITS"
+
+          # Parse the JSON from $APPROVED_COMMITTERS using 'jq'
+          # Expected JSON structure is { "Name1": "Email1", "Name2": "Email2", ... }
+
+          EXIT_CODE=0
+
+          for c in $COMMITS; do
+            AUTH_NAME=$(git show -s --format="%an" "$c")
+            AUTH_EMAIL=$(git show -s --format="%ae" "$c")
+            COMM_NAME=$(git show -s --format="%cn" "$c")
+            COMM_EMAIL=$(git show -s --format="%ce" "$c")
+
+            # Mask both emails so they won't appear in cleartext logs
+            echo "::add-mask::$AUTH_EMAIL"
+            echo "::add-mask::$COMM_EMAIL"
+
+            echo "Checking commit $c by $AUTH_NAME / committer $COMM_NAME"
+
+            # Lookup the expected email for the AUTHOR name
+            EXPECTED_AUTHOR_EMAIL=$(echo "${APPROVED_COMMITTERS}" | jq -r ".\"$AUTH_NAME\"")
+            if [ "$EXPECTED_AUTHOR_EMAIL" = "null" ] || [ -z "$EXPECTED_AUTHOR_EMAIL" ]; then
+              echo "::error::Author name '$AUTH_NAME' is not an approved name. Did they forget to set the right Git user.name?"
+              EXIT_CODE=1
+            else
+              # Compare actual email to the expected email
+              if [ "$AUTH_EMAIL" != "$EXPECTED_AUTHOR_EMAIL" ]; then
+                echo "::error::Author '$AUTH_NAME' used an unapproved email. Did they forget to set the right Git user.email?"
+                EXIT_CODE=1
+              fi
+            fi
+
+            # Lookup the expected email for the COMMITTER name
+            EXPECTED_COMMITTER_EMAIL=$(echo "${APPROVED_COMMITTERS}" | jq -r ".\"$COMM_NAME\"")
+            if [ "$EXPECTED_COMMITTER_EMAIL" = "null" ] || [ -z "$EXPECTED_COMMITTER_EMAIL" ]; then
+              echo "::error::Committer name '$COMM_NAME' is not an approved name. Did they forget to set the right Git user.name?"
+              EXIT_CODE=1
+            else
+              if [ "$COMM_EMAIL" != "$EXPECTED_COMMITTER_EMAIL" ]; then
+                echo "::error::Committer '$COMM_NAME' used an unapproved email. Did they forget to set the right Git user.email"
+                EXIT_CODE=1
+              fi
+            fi
+          done
+
+          if [ "$EXIT_CODE" -ne 0 ]; then
+            echo "::error::One or more commits failed the policy check."
+            exit $EXIT_CODE
+          fi
+
+          echo "::notice::All commits were made by known committers with their expected names and emails."