fluent · joshuabaird · May 6, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.github/.release-please-manifest.json b/.github/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+  ".": "3.7.0"
+}
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,16 @@
+# Fluent Operator Code Owners
+# ----------------------
+# The following file list the code owners or responsibles for code
+# review on different components or extensions of Fluent Bit, applicable for
+# any original code author (not only maintainers).
+#
+# NOTE: if you are a original code author and you are not listed here, please
+# open a PR with the proper modification :)
+
+# CI
+# ------------------------------------
+/.github/ @joshuabaird @benjaminhuo @cw-Guo @marcofranssen @wanjunlei
+
+# CODEOWNERS
+# ------------------------------------
+.github/CODEOWNERS  @joshuabaird @benjaminhuo @cw-Guo @marcofranssen @wanjunlei
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,3 +1,8 @@
+<!--
+PR titles must follow Conventional Commits format: https://www.conventionalcommits.org
+Examples: feat: add X | fix: correct Y | chore: update Z | docs: improve W
+-->
+
 <!--
 Thank you for contributing to Fluent Operator!
 Your commits need to follow DCO: https://probot.github.io/apps/dco/

diff --git a/.github/release-please-config.json b/.github/release-please-config.json
@@ -0,0 +1,21 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "release-type": "simple",
+  "extra-files": [
+    {
+      "type": "yaml",
+      "path": "charts/fluent-operator/Chart.yaml",
+      "jsonpath": "$.appVersion"
+    },
+    {
+      "type": "yaml",
+      "path": "charts/fluent-operator-fluent-bit-crds/Chart.yaml",
+      "jsonpath": "$.appVersion"
+    },
+    {
+      "type": "yaml",
+      "path": "charts/fluent-operator-fluentd-crds/Chart.yaml",
+      "jsonpath": "$.appVersion"
+    }
+  ]
+}
diff --git a/.github/workflows/build-fluentbit-image.yaml b/.github/workflows/build-fluentbit-image.yaml
@@ -37,9 +37,9 @@ jobs:
         run: |
           VERSION=$(cat cmd/fluent-watcher/fluentbit/VERSION)  # Read the version from the VERSION file
           VERSION_WITHOUT_V=${VERSION#v}
-          MAJOR_MINOR=$(echo $VERSION_WITHOUT_V | cut -d. -f1-2)
+          MAJOR_MINOR=$(echo "$VERSION_WITHOUT_V" | cut -d. -f1-2)
 
-          if skopeo inspect docker://${{ env.GHCR_REPO }}:${VERSION}; then
+          if skopeo inspect "docker://${{ env.GHCR_REPO }}:${VERSION}"; then
             echo "${VERSION} tag already exists, assuming we're building a patch release!"
             LATEST_PATCH_VERSION=$(skopeo list-tags docker://${{ env.GHCR_REPO }} | grep -E "${VERSION}-[0-9]+" | sort | uniq | tail -1 | tr -d \" | cut -d'-' -f2 | tr -d ',')
             NEW_PATCH_VERSION=$((LATEST_PATCH_VERSION + 1))
@@ -50,9 +50,11 @@ jobs:
             IMAGE_BASE_TAG="${VERSION}"
           fi
 
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          echo "image-base-tag=$IMAGE_BASE_TAG" >> $GITHUB_OUTPUT
-          echo "image-major-minor=$MAJOR_MINOR" >> $GITHUB_OUTPUT
+          {
+            echo "version=$VERSION"
+            echo "image-base-tag=$IMAGE_BASE_TAG"
+            echo "image-major-minor=$MAJOR_MINOR"
+          } >> "$GITHUB_OUTPUT"
 
   build-tags:
     name: Get image tags
@@ -157,7 +159,7 @@ jobs:
           platform="${{ matrix.platform }}"
           # Convert "linux/amd64" or "linux/arm64" to just amd64 or arm64 for the output variable name
           arch=${platform#linux/}
-          echo "${arch}=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
+          echo "${arch}=${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
 
   build-debug:
     name: Build/push debug image (${{ matrix.platform }})
@@ -219,7 +221,7 @@ jobs:
           platform="${{ matrix.platform }}"
           # Convert "linux/amd64" to just amd64 for the output variable name
           arch=${platform#linux/}
-          echo "${arch}=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
+          echo "${arch}=${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
 
   manifest:
     name: Publish image manifests

diff --git a/.github/workflows/build-fluentd-image.yaml b/.github/workflows/build-fluentd-image.yaml
@@ -27,7 +27,7 @@ jobs:
         id: get-version
         run: |
           VERSION=$(cat cmd/fluent-watcher/fluentd/VERSION)
-          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
 
   determine-tags:
     needs: [get-version]
@@ -43,9 +43,9 @@ jobs:
         run: |
           VERSION=${{ needs.get-version.outputs.VERSION }}
           VERSION_WITHOUT_V=${VERSION#v}
-          MAJOR_MINOR=$(echo $VERSION_WITHOUT_V | cut -d. -f1-2)
+          MAJOR_MINOR=$(echo "$VERSION_WITHOUT_V" | cut -d. -f1-2)
 
-          if skopeo inspect docker://${{ env.GHCR_REPO }}:${VERSION}; then
+          if skopeo inspect "docker://${{ env.GHCR_REPO }}:${VERSION}"; then
             echo "${VERSION} tag already exists, assuming we're building a patch release!"
             LATEST_PATCH_VERSION=$(skopeo list-tags docker://${{ env.GHCR_REPO }} | grep -E "${VERSION}-[0-9]+" | sort | uniq | tail -1 | tr -d \" | cut -d'-' -f2 | tr -d ',')
             NEW_PATCH_VERSION=$((LATEST_PATCH_VERSION + 1))
@@ -56,8 +56,10 @@ jobs:
             IMAGE_BASE_TAG="${VERSION}"
           fi
 
-          echo "IMAGE_BASE_TAG=$IMAGE_BASE_TAG" >> $GITHUB_OUTPUT
-          echo "IMAGE_MAJOR_MINOR=$MAJOR_MINOR" >> $GITHUB_OUTPUT
+          {
+            echo "IMAGE_BASE_TAG=$IMAGE_BASE_TAG"
+            echo "IMAGE_MAJOR_MINOR=$MAJOR_MINOR"
+          } >> "$GITHUB_OUTPUT"
 
   build:
     name: Build/push image (${{ matrix.platform }})
@@ -145,7 +147,7 @@ jobs:
           platform="${{ matrix.platform }}"
           # Convert "linux/amd64" to just amd64 for the output variable name
           arch=${platform#linux/}
-          echo "${arch}=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
+          echo "${arch}=${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
 
   manifest:
     name: Publish image manifest

diff --git a/.github/workflows/build-op-image.yaml b/.github/workflows/build-op-image.yaml
@@ -157,7 +157,7 @@ jobs:
           platform="${{ matrix.platform }}"
           # Convert "linux/amd64" to just amd64 for the output variable name
           arch=${platform#linux/}
-          echo "${arch}=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
+          echo "${arch}=${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
 
   manifest:
     name: Publish image manifest

diff --git a/.github/workflows/bump-fluent-bit-version.yaml b/.github/workflows/bump-fluent-bit-version.yaml
@@ -43,8 +43,7 @@ jobs:
 
       - name: Update version in VERSION file
         run: |
-          echo ${{ github.event.inputs.version }} > cmd/fluent-watcher/fluentbit/VERSION
-          if [ $? -ne 0 ]; then
+          if ! echo "${{ github.event.inputs.version }}" > cmd/fluent-watcher/fluentbit/VERSION; then
             echo "Failed to update VERSION file"
             exit 1
           fi
@@ -60,17 +59,15 @@ jobs:
             "manifests/regex-parser/fluentbit-fluentBit.yaml"
           )
           for file in "${files[@]}"; do
-            sed -i 's|image: ghcr.io/fluent/fluent-operator/fluent-bit:.*|image: ghcr.io/fluent/fluent-operator/fluent-bit:${{ github.event.inputs.version }}|' "$file"
-            if [ $? -ne 0 ]; then
+            if ! sed -i 's|image: ghcr.io/fluent/fluent-operator/fluent-bit:.*|image: ghcr.io/fluent/fluent-operator/fluent-bit:${{ github.event.inputs.version }}|' "$file"; then
               echo "Failed to update $file"
               exit 1
             fi
           done
 
       - name: Update version in values.yaml
         run: |
-          sed -i '/repository: "ghcr.io\/fluent\/fluent-operator\/fluent-bit"/!b;n;s/tag: .*/tag: "${{ github.event.inputs.version }}"/' charts/fluent-operator/values.yaml
-          if [ $? -ne 0 ]; then
+          if ! sed -i '/repository: "ghcr.io\/fluent\/fluent-operator\/fluent-bit"/!b;n;s/tag: .*/tag: "${{ github.event.inputs.version }}"/' charts/fluent-operator/values.yaml; then
             echo "Failed to update values.yaml"
             exit 1
           fi

diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -24,7 +24,7 @@ jobs:
         run: |
           changed=$(ct list-changed --chart-dirs charts/fluent-operator --config .github/ct.yaml)
           if [[ -n "$changed" ]]; then
-            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed=true" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Run chart-testing (lint)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -4,10 +4,14 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   lint:
     name: Run on Ubuntu
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Clone the code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -21,3 +25,15 @@ jobs:
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
           version: v2.11.4
+
+  actionlint:
+    name: Lint GitHub Actions workflows
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Run actionlint
+        uses: rhysd/actionlint@914e7df21a07ef503a81201c76d2b11c789d3fca # v1.7.12
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -73,7 +73,8 @@ jobs:
 
       - name: Go mod
         run: |
-          export PATH=$PATH:$(go env GOPATH)/bin
+          GOPATH=$(go env GOPATH)
+          export PATH="$PATH:$GOPATH/bin"
           go mod download
 
       - name: Install kubebuilder
@@ -134,22 +135,3 @@ jobs:
 
       - name: Run build all binaries
         run: make binary
-
-  # docker-build:
-  #   runs-on: ubuntu-22.04
-  #   timeout-minutes: 30
-  #   name: Docker amd64 build
-  #   steps:
-  #     - name: Checkout code
-  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-  #       with:
-  #         fetch-depth: 0
-
-  #     - name: Install Go
-  #       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-  #       with:
-  #         go-version-file: go.mod
-  #         cache-dependency-path: go.sum
-
-  #     - name: Run docker build
-  #       run: make build-amd64
diff --git a/.github/workflows/pr-title-lint.yaml b/.github/workflows/pr-title-lint.yaml
@@ -0,0 +1,54 @@
+name: Lint PR Title
+
+on:
+  # This workflow uses pull_request_target because it needs "pull_request: write" to
+  # post comments (not possible with pull_request).
+  #
+  # WARNING!
+  # We MUST ensure that code is NEVER checked out (eg, actions/checkout) in this
+  # workflow, otherwise it opens up a path for attacker-controlled PR code execution!
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+
+permissions: {}
+
+jobs:
+  lint:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+        id: lint_pr_title
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
+        if: always() && (steps.lint_pr_title.outputs.error_message != null)
+        with:
+          header: pr-title-lint-error
+          message: |
+            Thank you for your pull request! :wave:
+
+            Your PR title needs to follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) format so it can be included correctly in the changelog.
+
+            **Examples of valid titles:**
+            - `feat: add support for new filter plugin`
+            - `fix: correct nil pointer in controller reconcile`
+            - `chore: update dependencies`
+            - `docs: improve installation guide`
+
+            **Details:**
+            ```
+            ${{ steps.lint_pr_title.outputs.error_message }}
+            ```
+
+      - uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
+        if: ${{ steps.lint_pr_title.outputs.error_message == null }}
+        with:
+          header: pr-title-lint-error
+          delete: true
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
@@ -0,0 +1,27 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+    inputs:
+      release-as:
+        description: 'Override the next release version (e.g. 3.8.0). Leave empty for automatic versioning from conventional commits.'
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          config-file: .github/release-please-config.json
+          manifest-file: .github/.release-please-manifest.json
+          release-as: ${{ inputs.release-as }}