Merge pull request #119 from mallardduck/new-build-system-v2

[ci] Simplify build system to use `kuberlr` for fetching

Author: mallardduck

.github/scripts/bump-kubectl-patch-versions

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# If the first argument ($1) is provided and not empty, use it.
+# Otherwise, default to "kubectl-versions.txt".
+VERSIONS_FILE=${1:-"kubectl-versions.txt"}
+TEMP_FILE="${VERSIONS_FILE}.tmp"
+
+echo "Using versions file: $VERSIONS_FILE"
+echo "Temporary file will be: $TEMP_FILE"
+
+# Check if the input file exists
+if [[ ! -f "$VERSIONS_FILE" ]]; then
+    echo "Error: Input file '$VERSIONS_FILE' not found."
+    exit 1
+fi
+
+RELEASES=$(gh api graphql -F owner='kubernetes' -F name='kubernetes' -f query='query($name: String!, $owner: String!) {repository(owner: $owner, name: $name) {releases(first: 100) {nodes { tagName, isPrerelease }} }}' | jq -r '.data.repository.releases.nodes[] | select(.isPrerelease != true) | .tagName' | sort -V)
+
+# Iterate over each line of the input file
+while IFS= read -r VERSION; do
+    PREFIX=$(echo "$VERSION" | cut -d. -f1,2)
+    echo "Checking version for $VERSION - using $PREFIX to search..."
+    NEWEST_OPTION=$(echo "$RELEASES"| grep "$PREFIX" | sort -rn |head -1)
+    if [ "$VERSION" == "$NEWEST_OPTION" ]; then
+      echo "Nothing to update - $VERSION already newest patch for that Major.Minor"
+      # If the version is the same, keep the original line
+      echo "$VERSION" >> "$TEMP_FILE"
+      continue
+    fi
+    echo "Found newer patch $NEWEST_OPTION to replace $VERSION"
+    echo "$NEWEST_OPTION" >> "$TEMP_FILE"
+done < "$VERSIONS_FILE"
+
+# Check if the temporary file was created successfully
+if [[ -f "$TEMP_FILE" ]]; then
+    # Replace the original file with the temporary file
+    mv "$TEMP_FILE" "$VERSIONS_FILE"
+    echo "File updated successfully: $VERSIONS_FILE"
+else
+    echo "Error: Temporary file not created. No changes made."
+    exit 1
+fi

.github/workflows/kubectl-auto-update.yml

@@ -0,0 +1,29 @@
+name: "Kubectl - Auto-Updates"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 1 * * 0,3'
+
+permissions:
+  actions: read
+  contents: read
+  pull-requests: read
+
+jobs:
+  branch-update-checks:
+    permissions:
+      contents: write
+      pull-requests: write
+    strategy:
+      max-parallel: 2
+      matrix:
+        target_branch:
+          - main
+          - release/v2.x
+          - release/v3.x
+          - release/v4.x
+    uses: ./.github/workflows/kubectl-create-bump-pr.yml
+    with:
+      target_branch: ${{ matrix.target_branch }}
+      script_ref: ${{ github.sha }}

.github/workflows/kubectl-create-bump-pr.yml

@@ -0,0 +1,130 @@
+name: "Kubectl - Create Bump PR"
+on:
+  workflow_dispatch:
+    inputs:
+      target_branch:
+        description: "Branch to run the update script on"
+        required: true
+        type: string
+      script_ref:
+        description: "A git ref (hash/branch) to use for the bump script"
+        required: false
+        type: string
+
+  workflow_call:
+    inputs:
+      target_branch:
+        description: "Branch to run the update script on"
+        required: true
+        type: string
+      script_ref:
+        description: "A git ref (hash/branch) to use for the bump script"
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-and-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout target branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.target_branch }}
+
+      - name: Check for new build system support
+        id: new_build
+        run: |
+          if [ ! -f "kubectl-versions.txt" ]; then
+            echo "❌ This branch does not support the new build system. Failing early."
+            echo "is_supported=false" >> $GITHUB_ENV
+            echo "changes_exist=false" >> $GITHUB_ENV
+            exit 0
+          fi
+          echo "is_supported=true" >> $GITHUB_ENV
+
+      - name: Pull script from main branch
+        if: ${{ env.is_supported == 'true' }}
+        run: |
+          git fetch origin ${{ inputs.script_ref || 'main' }}
+          git checkout FETCH_HEAD -- .github/scripts/bump-kubectl-patch-versions
+
+      - name: Run update script
+        if: ${{ env.is_supported == 'true' }}
+        run: bash .github/scripts/bump-kubectl-patch-versions
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check for changes
+        if: ${{ env.is_supported == 'true' }}
+        run: |
+          rm -f .github/scripts/update-script.sh
+          git restore --staged --worktree .github/scripts/update-script.sh || true
+
+          if git diff --quiet; then
+            echo "No changes detected."
+            echo "changes_exist=false" >> $GITHUB_ENV
+          else
+            echo "Changes detected."
+            git diff --name-only
+            echo "changes_exist=true" >> $GITHUB_ENV
+          fi
+
+      - name: "Git: Config, create branch, commit and push"
+        if: ${{ env.changes_exist == 'true' }}
+        run: |
+          safe_branch=$(echo "${{ inputs.target_branch }}" | sed 's/[^a-zA-Z0-9._-]/_/g')
+          BRANCH="gha-kubectl/update-$safe_branch-$(date +%Y-%m-%d-%H-%M-%S)"
+          echo "UPDATE_BRANCH=${BRANCH}" >> "$GITHUB_ENV"
+          
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+          
+          git checkout -b "$BRANCH"
+          git commit -a -m "Updating new kubectl patch versions"
+          git push origin "$BRANCH"
+
+      - name: Build PR body
+        if: ${{ env.changes_exist == 'true' }}
+        run: |
+          {
+            echo 'PR_BODY<<EOF'
+            echo "Automated update using the script from \`main\` branch."
+            echo ""
+            echo "Triggered on: \`${{ inputs.target_branch }}\`"
+            echo "Initiated by: @${GITHUB_ACTOR}"
+            echo ""
+            echo "## Review Instructions"
+            echo "- Review the changes"
+            echo "- Ensure CI passes"
+            echo "- Approve and merge"
+            echo EOF
+          } >> "$GITHUB_ENV"
+
+      - name: Create or update PR
+        if: ${{ env.changes_exist == 'true' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_TITLE: "Automated `kubectl` update for `${{ inputs.target_branch }}`"
+        run: |
+          EXISTING_PR=$(gh pr list --limit 100 --json title,url \
+            | jq --arg t "${PR_TITLE}" -r '.[] | select(.title==$t) | .url')
+
+          CREATED_PR=$(gh pr create \
+            --title "${PR_TITLE}" \
+            --body "${PR_BODY}" \
+            --label "status/auto-created" \
+            --label "dependencies" \
+            --base "${{ inputs.target_branch }}" \
+            --head "${UPDATE_BRANCH}")
+
+          echo "Created PR: ${CREATED_PR}" >> $GITHUB_STEP_SUMMARY
+
+          if [ -n "${EXISTING_PR}" ]; then
+            echo "Closing previous PR: ${EXISTING_PR}"
+            gh pr close "${EXISTING_PR}" --comment "Superseded by ${CREATED_PR}" --delete-branch
+            echo "Closed previous PR: ${EXISTING_PR}" >> $GITHUB_STEP_SUMMARY
+          fi

Makefile

@@ -1,7 +1,3 @@
-# To avoid polluting the Makefile, versions and checksums for tooling and
-# dependencies are defined at hack/make/deps.mk.
-include hack/make/deps.mk
-
 # Include logic that can be reused across projects.
 include hack/make/build.mk
 

hack/make/deps.mk

@@ -0,0 +1,3 @@
+v1.31.9
+v1.32.5
+v1.33.1

kubectl-versions.txt

@@ -24,38 +24,21 @@ RUN zypper --non-interactive refresh && \
 COPY --from=kuberlr /bin/kuberlr /chroot/bin/
 RUN cd /chroot/bin && ln -s ./kuberlr ./kubectl
 COPY --from=kuberlr /home/kuberlr /chroot/home/kuberlr
-RUN sed -i 's/AllowDownload = true/AllowDownload = false/' /chroot/home/kuberlr/.kuberlr/kuberlr.conf
 
 WORKDIR /tmp
+COPY kubectl-versions.txt /tmp/kubectl-versions.txt
+# kuberlr get verifies bin hash for us
+RUN while read -r version; do \
+    /chroot/bin/kuberlr get $version; \
+    done < ./kubectl-versions.txt; \
+    /chroot/bin/kuberlr bins \
+    && cp -a /root/.kuberlr/linux-*/* /chroot/usr/bin/ \
+    && /chroot/bin/kuberlr bins
+
+# Disable ability to download kubectl due to air-gap support
+RUN sed -i 's/AllowDownload = true/AllowDownload = false/' /chroot/home/kuberlr/.kuberlr/kuberlr.conf
 
-ARG KUBECTL_VERSION_INFO
-
-SHELL ["/bin/bash", "-c"]
-RUN set -fx; versions=($KUBECTL_VERSION_INFO); \
-    for i in "${!versions[@]}"; do \
-        echo "The index is $i and the value is ${versions[$i]}"; \
-        version=$(echo ${versions[$i]} | cut -d: -f1); \
-        kubectl_url="https://dl.k8s.io/release/${version}/bin/linux/${TARGETARCH}/kubectl"; \
-        kubectl_target="/tmp/kubectl${version:1}"; \
-        echo "Downloading kubectl version ${version} from ${kubectl_url}"; \
-        echo "Targeting ${kubectl_target}"; \
-        curl -fsSL "$kubectl_url" -o "$kubectl_target"; \
-        chmod 0755 "$kubectl_target"; \
-    done
-
-RUN set -fx; versions=($KUBECTL_VERSION_INFO); \
-    for i in "${!versions[@]}"; do \
-        version=$(echo ${versions[$i]} | cut -d: -f1); \
-        arm64_sum=$(echo ${versions[$i]} | cut -d: -f2); \
-        amd64_sum=$(echo ${versions[$i]} | cut -d: -f3); \
-        kubectl_target="/tmp/kubectl${version:1}"; \
-        KUBE_SUM_NAME="${TARGETARCH}_sum"; \
-        KUBE_SUM=${!KUBE_SUM_NAME}; \
-        echo "${KUBE_SUM} ${kubectl_target}" | sha256sum -c -; \
-    done
-
-RUN cp /tmp/kubectl* /chroot/usr/bin/
-
+# Setup kuberlr user and perms
 RUN useradd -u 1000 -U kuberlr \
     && cp /etc/passwd /chroot/etc/passwd \
     && cp /etc/group /chroot/etc/group \