cozystack · Arsolitt · May 15, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,15 +2,17 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, dev]
   pull_request:
-    branches: [main]
+    branches: [main, dev]
 
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version: "1.26.3"
@@ -22,10 +24,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version: "1.26.3"
-      - run: go test ./api/... ./pkg/... ./internal/... -race -coverprofile=coverage.out
+      - run: go test ./api/... ./cmd/... ./pkg/... ./internal/... -race -coverprofile=coverage.out
       - uses: actions/upload-artifact@v4
         with:
           name: coverage
@@ -35,6 +39,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version: "1.26.3"
@@ -47,6 +53,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version: "1.26.3"
@@ -56,17 +64,59 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: azure/setup-helm@v4
-      - run: helm plugin install https://github.com/helm-unittest/helm-unittest
+      - run: helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest
       - run: helm lint charts/kilo-clustermesh-operator --strict
       - run: helm unittest charts/kilo-clustermesh-operator
 
   generate:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version: "1.26.3"
       - run: make manifests generate
       - run: git diff --exit-code
+
+  image:
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev')
+    needs: [lint, test, build, helm, generate, integration]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=sha,prefix=sha-,format=long
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Containerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            VERSION=${{ github.ref_name }}
+            REVISION=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.gitignore b/.gitignore
@@ -42,3 +42,6 @@ Thumbs.db
 
 # Internal planning docs (not for public history)
 PLAN.md
+
+# Cluster-specific deployment manifests (kept local; not part of the project)
+deploy/
diff --git a/.golangci.yml b/.golangci.yml
@@ -140,6 +140,7 @@ linters:
           - revive
           - gochecknoglobals
           - noinlineerr
+          - goconst
         path: _test\.go
       - linters:
           - err113

diff --git a/Containerfile b/Containerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/golang:1.26@sha256:313faae491b410a35402c05d35e7518ae99103d957308e940e1ae2cfa0aac29b AS builder
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26@sha256:313faae491b410a35402c05d35e7518ae99103d957308e940e1ae2cfa0aac29b AS builder
 ARG TARGETOS TARGETARCH
 ARG VERSION=dev
 ARG REVISION=unknown
@@ -16,7 +16,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
 
 FROM gcr.io/distroless/static:nonroot@sha256:e3f945647ffb95b5839c07038d64f9811adf17308b9121d8a2b87b6a22a80a39
 
-LABEL org.opencontainers.image.source="https://github.com/squat/kilo-clustermesh-operator"
+LABEL org.opencontainers.image.source="https://github.com/cozystack/kilo-clustermesh-operator"
 LABEL org.opencontainers.image.description="Kubernetes ClusterMesh operator for Kilo"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 LABEL org.opencontainers.image.title="kilo-clustermesh-operator"

diff --git a/Makefile b/Makefile
@@ -45,7 +45,8 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	"$(CONTROLLER_GEN)" rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	"$(CONTROLLER_GEN)" rbac:roleName=manager-role webhook paths="./..."
+	"$(CONTROLLER_GEN)" crd paths="./api/..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
-Original file line number
+Diff line change
@@ Expand Up / @@ -42,3 +42,6 @@ Thumbs.db @@
     # Internal planning docs (not for public history)
     PLAN.md
+    # Cluster-specific deployment manifests (kept local; not part of the project)
+    deploy/