Deploy README.md for repository cff669b

.github/bash.sh

@@ -0,0 +1,20 @@
+YAML_PATH=".github/toc.yml"
+cat $YAML_PATH
+
+# Correct the query for checking if v0.9.0 exists under cheetah-application
+result=$(yq '.[] | select(has("cheetah-application")) | .["cheetah-application"].items[] | select(.name == "v0.9.0") | .name' "$YAML_PATH")
+
+if [ -z "$result" ]; then
+    # Insert v0.9.0 into the items list of cheetah-application, maintaining the correct structure
+    yq eval '
+      .[] |= (
+        select(has("cheetah-application")) |
+        .["cheetah-application"].items |= [{"name": "v0.9.0", "href": "charts/cheetah-application/v0.9.0/README.md"}] + .
+      )
+    ' -i "$YAML_PATH"
+    echo "Version v0.9.0 added"
+else
+    echo "Version v0.9.0 found, skipping"
+fi
+
+echo "Result: $result"

.github/ct-config.yaml

@@ -0,0 +1,10 @@
+target-branch: main
+remote: origin
+chart-dirs:
+  - charts
+check-version-increment: false
+debug: true
+validate-chart-schema: true
+validate-maintainers: false
+validate-yaml: true
+lint-conf: lintconf.yaml

.github/polaris.yaml

@@ -0,0 +1,43 @@
+checks:
+  # reliability
+  deploymentMissingReplicas: warning
+  livenessProbeMissing: warning
+  metadataAndNameMismatched: ignore
+  missingPodDisruptionBudget: ignore
+  pdbDisruptionsIsZero: warning
+  priorityClassNotSet: ignore
+  pullPolicyNotAlways: ignore
+  readinessProbeMissing: warning
+  tagNotSpecified: ignore # shouldn't be specified in a generic chart
+
+  # efficiency
+  cpuLimitsMissing: warning
+  cpuRequestsMissing: warning
+  memoryLimitsMissing: warning
+  memoryRequestsMissing: warning
+
+  # security
+  automountServiceAccountToken: ignore
+  clusterrolePodExecAttach: danger
+  clusterrolebindingClusterAdmin: danger
+  clusterrolebindingPodExecAttach: danger
+  dangerousCapabilities: danger
+  hostIPCSet: danger
+  hostNetworkSet: danger
+  hostPIDSet: danger
+  hostPortSet: warning
+  insecureCapabilities: warning
+  linuxHardening: danger
+  missingNetworkPolicy: ignore
+  notReadOnlyRootFilesystem: warning
+  privilegeEscalationAllowed: danger
+  rolePodExecAttach: danger
+  rolebindingClusterAdminClusterRole: ignore # TODO: change to danger
+  rolebindingClusterAdminRole: danger
+  rolebindingClusterRolePodExecAttach: ignore # TODO: change to danger
+  rolebindingRolePodExecAttach: danger
+  runAsPrivileged: danger
+  runAsRootAllowed: danger
+  sensitiveConfigmapContent: danger
+  sensitiveContainerEnvVar: danger
+  tlsSettingsMissing: warning

.github/release-template.md

@@ -0,0 +1,13 @@
+# What's Changed
+
+## Changes
+
+- 
+
+## Improvements
+
+- 
+
+## Bug fixes
+
+- 

.github/scripts/sync.py

@@ -0,0 +1,139 @@
+"""
+Upload Flink operator Helm chart to OCI registry
+
+Usage:
+    python sync.py
+
+Environment variables:
+    GITHUB_TOKEN: GitHub token with read/write access to the OCI registry
+
+Requirements:
+    requests (pip install requests)
+    helm (https://helm.sh/docs/intro/install/)
+"""
+
+import base64
+import os
+import re
+import subprocess
+import sys
+
+import requests
+
+ARCHIVE_URL = "https://archive.apache.org/dist/flink/"
+
+GIT_REPO = "trifork/cheetah-charts"
+IMAGE = "flink-kubernetes-operator"
+
+
+def get_existing_versions() -> list[str]:
+    """Get existing versions"""
+    token = os.getenv("GITHUB_TOKEN")
+    if token is None:
+        print("GITHUB_TOKEN is not set")
+        sys.exit(1)
+
+    b64_token_bytes = base64.b64encode(token.encode("ascii"))
+    headers = {"Authorization": f"Bearer {b64_token_bytes.decode('ascii')}"}
+    resp = requests.get(
+        f"https://ghcr.io/v2/{GIT_REPO}/{IMAGE}/tags/list",
+        timeout=10,
+        headers=headers,
+    )
+
+    result = resp.json()
+    if "tags" not in result:
+        return []
+
+    return result["tags"]
+
+
+def download_chart(url: str, file: str):
+    """Download Helm chart"""
+    resp = requests.get(url, timeout=10)
+    try:
+        resp.raise_for_status()
+    except requests.exceptions.HTTPError as err:
+        print(f"Error collecting tar ball from {url}: {err}")
+        sys.exit(1)
+
+    with open(file, "wb") as f:
+        f.write(resp.content)
+
+
+def helm_login():
+    """Login to the Helm registry"""
+    token = os.getenv("GITHUB_TOKEN")
+    if token is None:
+        print("GITHUB_TOKEN is not set")
+        sys.exit(1)
+
+    cmd = [
+        "helm",
+        "registry",
+        "login",
+        f"ghcr.io/{GIT_REPO}",
+        "--username",
+        "github-actions",
+        "--password-stdin",
+    ]
+    try:
+        subprocess.run(cmd, input=token.encode("ascii"), check=True, timeout=10)
+    except subprocess.CalledProcessError as err:
+        print(f"Error logging into the Helm registry: {err}")
+        sys.exit(1)
+
+
+def helm_push(chart: str):
+    """Push the Helm chart"""
+    cmd = ["helm", "push", chart, f"oci://ghcr.io/{GIT_REPO}"]
+    try:
+        subprocess.run(cmd, check=True, timeout=10)
+    except subprocess.CalledProcessError as err:
+        print(f"Error pushing Helm chart: {err}")
+        sys.exit(1)
+
+
+def main():
+    """Main function"""
+    print("Logging into the Helm registry")
+    helm_login()
+
+    print("Getting existing operator versions")
+    existing_versions = get_existing_versions()
+    print(f"Found existing versions: {existing_versions}")
+
+    print(f"Collecting operator versions from {ARCHIVE_URL}")
+    resp = requests.get(ARCHIVE_URL, timeout=10)
+    try:
+        resp.raise_for_status()
+    except requests.exceptions.HTTPError as err:
+        print(f"Error collecting Kubernetes operator versions: {err}")
+        sys.exit(1)
+
+    pattern = re.compile(
+        r"<a href=\"flink-kubernetes-operator-(?P<version>\d+\.\d+\.\d+)/\">"
+    )
+    for result in pattern.finditer(resp.text):
+        version = result.group("version")
+        print(f"Found version {version}")
+
+        if version in existing_versions:
+            print(f"Version {version} already exists")
+            continue
+
+        tar_url = f"{ARCHIVE_URL}flink-kubernetes-operator-{version}/flink-kubernetes-operator-{version}-helm.tgz"
+        chart = f"{IMAGE}-{version}.tgz"
+
+        print(f"Downloading chart from {tar_url}")
+        download_chart(url=tar_url, file=chart)
+
+        print(f"Pushing chart {chart}")
+        helm_push(chart)
+
+        print(f"Cleaning up {chart}")
+        os.remove(chart)
+
+
+if __name__ == "__main__":
+    main()

.github/toc.yml

@@ -0,0 +1,12 @@
+- name: cheetah-application
+  items:
+    - name: v0.8
+      href: cheetah-application/v0.8/README.md
+- name: flink-job
+  items:
+- name: image-automation
+  items:
+- name: opensearchrole
+  items:
+- name: redpanda-console-oauth2proxy
+  items:

.github/workflows/auto-merge.yml

@@ -0,0 +1,18 @@
+name: automerge
+
+on:
+    pull_request:
+        branches: [ 'main', 'release/**' ]
+        types: [ opened, reopened, labeled, synchronize ]
+
+jobs:
+    create-release-branch:
+        runs-on: ubuntu-latest
+        steps:
+            - name: automerge for pull request
+              if: ${{ github.actor == 'cheetahbot' }}
+              uses: peter-evans/enable-pull-request-automerge@v3
+              with:
+                pull-request-number: ${{ github.event.pull_request.number }}
+                merge-method: merge
+                token: ${{secrets.CHEETAHBOT_READ_PACKAGE}}

.github/workflows/doc-publish.yml

@@ -0,0 +1,126 @@
+name: Docs publish
+
+on:
+  workflow_call:
+    inputs:
+      chart:
+        required: true
+        type: string
+    secrets:
+      token:
+        required: true
+
+  workflow_dispatch:
+    inputs:
+      chart:
+        type: choice
+        options:
+          - cheetah-application
+          - flink-job
+          - image-automation
+          - opensearchrole
+          - redpanda-console-oauth2proxy
+
+permissions:
+  pull-requests: write
+  contents: write
+  packages: write
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: Read Helm Chart
+        id: chart
+        uses: jacobtomlinson/[email protected]
+        with:
+          path: ./charts/${{ inputs.chart}}
+
+      - name: Print outputs
+        shell: bash
+        run: |
+          echo "Name - ${{ steps.chart.outputs.name }}"
+          echo "Version - ${{ steps.chart.outputs.version }}"
+
+      - name: Update toc file with new version v${{ steps.chart.outputs.version }}
+        id: update-toc
+        uses: trifork/cheetah-infrastructure-utils-workflows/.github/actions/update-toc@update-variables
+        with:
+          toc-file: .github/toc.yml
+          version: ${{ steps.chart.outputs.version }}
+          repo-name: ${{ inputs.chart}}
+
+      - name: create toc-folder/
+        if: ${{steps.update-toc.outputs.updated == 'true'}}
+        run: |
+          mkdir -p toc-folder/
+          cp .github/toc.yml toc-folder/
+
+      - name: Deploy toc.yml to GitHub Pages
+        if: ${{steps.update-toc.outputs.updated == 'true'}}
+        uses: peaceiris/actions-gh-pages@v4
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./toc-folder/
+          commit_message: "Update toc file with new version v${{ steps.chart.outputs.version }}"
+          keep_files: true
+
+      - name: Create Pull Request
+        id: cpr
+        if: ${{steps.update-toc.outputs.updated == 'true'}}
+        uses: peter-evans/[email protected]
+        with:
+          commit-message: "Update toc file with new version v${{ steps.chart.outputs.version }} for ${{ inputs.chart}}"
+          sign-commits: true
+          title: "Update toc file with new version v${{ steps.chart.outputs.version }} for ${{ inputs.chart }}"
+          labels: "automated"
+          token: ${{ secrets.CHEETAHBOT_WRITE_PACKAGE  || secrets.token}}
+          add-paths: .github/toc.yml
+          signoff: true
+          branch-token: ${{ secrets.GITHUB_TOKEN }}
+          branch: Update-toc-file-${{ inputs.chart }}-${{ steps.chart.outputs.version }}
+
+      - name: Enable Pull Request Automerge
+        if: ${{steps.update-toc.outputs.updated == 'true'}}
+        uses: peter-evans/enable-pull-request-automerge@v3
+        with:
+          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
+          token: ${{ secrets.CHEETAHBOT_WRITE_PACKAGE  || secrets.token}}
+          merge-method: squash
+
+      - name: create public/
+        run: |
+          mkdir -p public/docs/${{ inputs.chart }}/
+          cp charts/${{ inputs.chart }}/README.md public/docs/${{ inputs.chart }}
+          cp README.md public/docs
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: peaceiris/actions-gh-pages@v4
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./public/docs/
+          exclude_assets: ""
+          destination_dir: docs/${{ inputs.chart }}/v${{ steps.chart.outputs.version }}
+          commit_message: "Deploy docs for version v${{ steps.chart.outputs.version }}"
+          keep_files: true
+
+      - name: Deploy to GitHub Pages
+        uses: peaceiris/actions-gh-pages@v4
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: .
+          exclude_assets: "./public/docs"
+          commit_message: "Deploy README.md for repository"
+          keep_files: true
+
+      - name: Repository Dispatch
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ secrets.CHEETAHBOT_WRITE_PACKAGE  || secrets.token}}
+          repository: trifork/cheetah-artifact-documentation
+          event-type: docs-update