fix: unbreak CI workflow and Helm chart, publish image on main #1
Arsolitt wants to merge 7 commits into
Conversation
Restrict CRD generation to ./api/... so manifests no longer produces config/crd/bases/kilo.squat.ai_peers.yaml for the external Kilo Peer type. Regenerate deepcopy files so the boilerplate header from hack/boilerplate.go.txt is committed, matching what controller-gen produces in CI. Signed-off-by: Arsolitt <arsolitt@gmail.com>
Test files contain CIDRs, namespace names and similar fixtures repeated across cases; promoting them to constants only obscures intent. Add goconst to the linter exclusion list for _test\.go. Signed-off-by: Arsolitt <arsolitt@gmail.com>
The operator binary does not define a --namespace flag; passing it caused the manager to exit at startup. Remove the argument from the Deployment and the corresponding unit test. The chart wired --metrics-bind-address=:8080 while the binary defaults metrics-secure to true, which started HTTPS on an HTTP port and made metrics unscrapeable without a TLS setup. Expose metricsSecure in values.yaml (default false) and pass --metrics-secure explicitly. Signed-off-by: Arsolitt <arsolitt@gmail.com>
Helm 4.1 requires plugin source verification by default, which the helm-unittest source does not support. Without the flag the helm CI job aborts with "plugin source does not support verification" before helm lint and unit tests can run. Signed-off-by: Arsolitt <arsolitt@gmail.com>
Add an image job that builds the multi-arch Containerfile and pushes to ghcr.io/cozystack/kilo-clustermesh-operator with :main and :sha-<commit> tags. The job runs only on push to main and waits for all checks (lint, test, integration, build, helm, generate) so a broken commit cannot publish an image. Tagged releases are still handled by .github/workflows/release.yml. Signed-off-by: Arsolitt <arsolitt@gmail.com>
Walkthrough: This PR adds metrics security configuration to the Helm chart, enhances the CI pipeline with Docker image building and publication to ghcr.io, refines build tooling by splitting controller-gen invocations, adjusts linter exclusions for test files, and maintains Apache 2.0 license headers in autogenerated files.
Changes: Metrics and Build Infrastructure Updates
Code Review
This pull request introduces several configuration and build-related updates. The Makefile was modified to refine CRD generation by targeting specific API paths, and the goconst linter was enabled for test files in the golangci configuration. The kilo-clustermesh-operator Helm chart was updated to include a new --metrics-secure flag, while the --namespace argument was removed from the deployment template. Additionally, license headers were added to auto-generated deepcopy files. There are no review comments to address, and I have no feedback to provide.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 83-96: Replace the floating tags for the Docker actions with
immutable commit SHAs: change usages of docker/login-action@v3,
docker/setup-buildx-action@v3, docker/metadata-action@v5 (id: meta) and
docker/build-push-action@v6 to their corresponding full commit@sha values and
add the original version (e.g., v3/v5/v6) as a trailing comment for readability;
ensure each action line is updated so the workflow uses the exact commit SHA to
prevent upstream retags from changing behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: b03e4b45-7a09-4f2d-a040-f682e1fb6910
📒 Files selected for processing (8)
- .github/workflows/ci.yml
- .golangci.yml
- Makefile
- api/v1alpha1/zz_generated.deepcopy.go
- charts/kilo-clustermesh-operator/templates/deployment.yaml
- charts/kilo-clustermesh-operator/tests/deployment_test.yaml
- charts/kilo-clustermesh-operator/values.yaml
- pkg/kilo/v1alpha1/zz_generated.deepcopy.go
| - uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - uses: docker/setup-buildx-action@v3 | ||
| - uses: docker/metadata-action@v5 | ||
| id: meta | ||
| with: | ||
| images: ghcr.io/${{ github.repository }} | ||
| tags: | | ||
| type=raw,value=main | ||
| type=sha,prefix=sha-,format=long | ||
| - uses: docker/build-push-action@v6 |
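Review bot: the login step pushes to ghcr.io with `secrets.GITHUB_TOKEN`, so the job needs `permissions: packages: write` (and `contents: read`) at the job or workflow level; no permissions block appears in these lines, so confirm one exists, otherwise the push step fails with a 403 only after the multi-arch build has completed. Separately, `type=raw,value=main` is emitted unconditionally, so the only thing preventing a non-main push from overwriting `:main` is the job-level trigger condition the commit message describes; keep an explicit `if: github.ref == 'refs/heads/main'` on the job so the tag rule and the guard cannot drift apart. Pinning the four `docker/*` actions to full commit SHAs, as suggested in the thread, is the other change to make before this job starts publishing artifacts.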
Analysis chain
Script executed: cat -n .github/workflows/ci.yml
Repository: cozystack/kilo-clustermesh-operator
Length of output: 3825
🌐 Web query:
GitHub Actions security best practices pin commit SHA Docker actions
💡 Result:
Pinning GitHub Actions to a full-length commit SHA is a critical security best practice for protecting your CI/CD supply chain [1][2][3].
Why Pin to a Commit SHA
GitHub Actions referenced by tags (e.g., @v4) or branches (e.g., @main) are mutable [4][5][6]. This means an attacker who compromises the action's repository or the maintainer's account can force-push a new commit to that tag, silently changing the code your workflow executes [7][8][9]. Pinning to an immutable, full-length commit SHA ensures that your workflow always runs the exact, audited code you expect, preventing unauthorized code execution [5][6][3].
How to Implement SHA Pinning
1. Identify the current commit SHA: You can retrieve the full SHA for a specific tag using Git commands (e.g., git ls-remote https://github.com/owner/repo tag_name) or by viewing the commit history in the action's repository [1][7].
2. Update your workflow: Replace the tag in your workflow file with the full SHA [7][8].
3. Add a version comment: To maintain readability and ease of updates, include the original version tag as a comment next to the SHA [7][8][10]. Example: uses: actions/checkout@11bd719 # v4.2.2
Governance and Enforcement
GitHub now supports organization-level and repository-level policies that can enforce SHA pinning [2][10][3]. When enabled, any workflow attempting to use an action referenced by a tag or branch will fail, ensuring compliance across your organization [2][5][10]. Administrators can configure these policies in the GitHub Actions settings for their organization or repository [3].
Maintaining Pinned Actions
Because pinned actions do not automatically receive updates, you must manage them manually or via automation [1][9]. Tools like Dependabot or Renovate can be configured to monitor for updates to your pinned actions and automatically open pull requests to update the SHAs, allowing you to review and test changes before merging [1][2][9].
Citations:
- 1: Pin all GitHub Actions to immutable SHA commits for supply chain security github/gh-aw#5691
- 2: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
- 3: https://docs.github.com/en/actions/reference/security/secure-use
- 4: https://github.com/step-security/github-actions-goat/blob/main/docs/Solutions/PinGitHubActions.md
- 5: https://www.romainlespinasse.dev/posts/github-actions-commit-sha-pinning/
- 6: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide
- 7: Pin GitHub Actions to commit SHAs in release workflow github/gh-aw#10021
- 8: Pin GitHub Actions to commit SHAs esphome/docker-base#52
- 9: https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
- 10: https://dev.to/ciberconscientes/github-actions-why-you-should-pin-your-actions-to-a-specific-version-1513
Pin the Docker actions to immutable commit SHAs.
Version refs like v3, v5, and v6 float with upstream tag updates. Since this workflow publishes release artifacts to ghcr.io on every push to main, any re-tagging of upstream actions could silently change the image contents without a PR in this repository.
Pin each Docker action to its full commit SHA and include the version tag as a comment for maintainability:
Suggested shape
- - uses: docker/login-action@v3
+ - uses: docker/login-action@<full-commit-sha> # v3
- - uses: docker/setup-buildx-action@v3
+ - uses: docker/setup-buildx-action@<full-commit-sha> # v3
- - uses: docker/metadata-action@v5
+ - uses: docker/metadata-action@<full-commit-sha> # v5
- - uses: docker/build-push-action@v6
+ - uses: docker/build-push-action@<full-commit-sha> # v6
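The check behind the pinning comment above can be run locally before a workflow change is pushed. The script below is an added example for this thread, not code from the kilo-clustermesh-operator repository: it flags every `uses:` reference that is not a full 40-hex-character commit SHA and, given a reviewed tag-to-SHA map, rewrites those lines with the tag kept as a trailing comment. `SAMPLE_WORKFLOW` is a constructed fragment mirroring the image job's steps, and the SHAs in `PIN_MAP` are placeholder values, not the real commits of those actions; a real run would fill the map from `git ls-remote` output.

```python
"""Detect and pin floating `uses:` references in a GitHub Actions workflow.

Added example for the SHA-pinning review comment above; this script is not
part of the kilo-clustermesh-operator repository. SAMPLE_WORKFLOW is a
constructed fragment mirroring the image job's steps, and the SHAs in PIN_MAP
are placeholders (hypothetical values, not the real commits of those actions).
"""
import re

# `uses: owner/repo[/subdir]@ref [# comment]`; local `./...` and `docker://`
# references carry no `@ref` and therefore never match.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)
# Only a full 40-hex-character commit SHA counts as immutable; tags, branches
# and abbreviated SHAs are all treated as floating.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every step whose ref is not a full SHA."""
    unpinned = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            unpinned.append((line_no, m.group("action"), m.group("ref")))
    return unpinned


def pin_workflow(workflow_text, pin_map):
    """Rewrite floating refs using pin_map {(action, tag): full_sha}.

    The original tag is kept as a trailing comment for readability. Refs with
    no entry in pin_map are left untouched so the next find_unpinned() run
    still reports them instead of silently inheriting a wrong pin.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            key = (m.group("action"), m.group("ref"))
            sha = pin_map.get(key)
            if sha is not None:
                if not FULL_SHA_RE.match(sha):
                    raise ValueError(f"pin for {key} is not a full 40-hex SHA: {sha!r}")
                rest = m.group("rest").strip()
                comment = f" # {m.group('ref')}" + (f" {rest}" if rest else "")
                line = f"{m.group('prefix')}{m.group('action')}@{sha}{comment}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: the shape of the image job's steps from the diff above.
SAMPLE_WORKFLOW = """\
jobs:
  image:
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
      - uses: docker/setup-buildx-action@v3
      - uses: docker/metadata-action@v5
        id: meta
      - uses: docker/build-push-action@v6
      - uses: ./.github/actions/local-step
"""

# Placeholder SHAs (hypothetical); in practice resolve each tag with
# `git ls-remote https://github.com/<owner>/<repo> <tag>` and review the result.
PIN_MAP = {
    ("docker/login-action", "v3"): "1" * 40,
    ("docker/setup-buildx-action", "v3"): "2" * 40,
    ("docker/metadata-action", "v5"): "3" * 40,
    ("docker/build-push-action", "v6"): "4" * 40,
}

if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_workflow(SAMPLE_WORKFLOW, PIN_MAP))
```

Running the script on the sample reports all five tagged actions, rewrites the four Docker actions that have a map entry, and leaves `actions/checkout@v4` reported so it is not forgotten; the local `./.github/actions/local-step` reference is ignored because it has no `@ref`. Rejecting abbreviated SHAs in `pin_workflow` mirrors what GitHub's SHA-pinning policy accepts.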
golangci-lint v2.12 flagged "kilo.squat.ai" repeated across register.go and types_test.go via goconst. Define a GroupName constant in the Kilo v1alpha1 package and use it from both call sites; this also matches the convention used by upstream Kubernetes API packages. Signed-off-by: Arsolitt <arsolitt@gmail.com>
golangci-lint v2.12 picked up another goconst occurrence: the literal "v1alpha1" repeated across register.go and types_test.go. Define a GroupVersion constant alongside GroupName and use it from both call sites. Signed-off-by: Arsolitt <arsolitt@gmail.com>
Summary

The CI workflow was failing on every commit, and the Helm chart shipped two runtime-blocking bugs. This PR addresses both so the project can be deployed from a published image.

CI fixes

- `goconst` was firing on test fixtures (CIDRs, namespace names, cluster names). Add `goconst` to the existing lint exclusions for `_test\.go` files in `.golangci.yml`.
- `make manifests generate` produced a diff on a clean checkout because `zz_generated.deepcopy.go` was committed without the boilerplate copyright header and because `manifests` generated a CRD for the external `kilo.squat.ai/Peer` type the operator does not own. Regenerate the deepcopy files with the header and restrict CRD generation to `./api/...`.
- Helm 4.1 requires plugin source verification by default, which the helm-unittest source does not support. Pass `--verify=false` to `helm plugin install`.

Chart fixes

- The operator binary does not define a `--namespace` flag; the chart passed one and caused the Pod to exit on startup. Remove the argument and the matching unit test.
- The chart wired `--metrics-bind-address=:8080` but the binary defaults `metrics-secure` to `true`, which started HTTPS on the HTTP port and produced an unscrapeable endpoint without a TLS setup. Add `metricsSecure` to `values.yaml` (default `false`) and pass `--metrics-secure` explicitly. Add unit-test coverage for both branches.

Image publishing

- Add an `image` job to `.github/workflows/ci.yml` that builds the multi-arch Containerfile and pushes to `ghcr.io/cozystack/kilo-clustermesh-operator` with `:main` and `:sha-<commit>` tags on push to `main`. The job gates on all preceding checks. Tagged releases continue to use `release.yml`.

Out of scope

- `--mesh-granularity=cross`. Existing cluster configs need to be adjusted separately.
- `release.yml` is left untouched; tagged release publishing is unchanged.

Test plan

- `golangci-lint run` — 0 issues
- `go test ./api/... ./pkg/... ./internal/... -race` — all pass
- `go build -o /dev/null ./cmd/main.go`
- `helm lint charts/kilo-clustermesh-operator --strict`
- `helm unittest charts/kilo-clustermesh-operator` — 39/39 tests pass
- `make manifests generate && git diff --exit-code` — clean
- `ghcr.io/cozystack/kilo-clustermesh-operator:main`

Summary by CodeRabbit

New Features
- `metricsSecure` option in Helm chart values to control secure metrics endpoint behavior

Tests

Chores