feat(workflows): add shared Go lint, test, build, release, and e2e reusable workflows #65
Open
onuryilmaz wants to merge 19 commits into
Pull request overview
Adds a set of reusable (workflow_call) GitHub Actions workflows intended to standardize Go CI (lint/test/build), releases, and KinD-based e2e execution across cloudoperators/* repositories as part of GHA streamlining.
Changes:
- Introduces reusable Go lint, test, and build workflows with configurable runner, Go version (or `go.mod`), working directory, and targets.
- Adds a reusable release workflow that bumps Makefile `VERSION`, optionally updates `Chart.yaml`, creates a release PR, creates a GitHub release, and optionally dispatches an event to `cloudoperators/greenhouse-extensions`.
- Adds a reusable e2e workflow that wraps the existing `workflows/e2e` composite action and runs a caller-provided `make` e2e target.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| `.github/workflows/shared-go-lint.yaml` | Reusable Go lint workflow (golangci-lint + optional govulncheck). |
| `.github/workflows/shared-go-test.yaml` | Reusable Go test workflow with configurable make target and optional coverage artifact upload. |
| `.github/workflows/shared-go-build.yaml` | Reusable Go build workflow with optional Docker multi-arch build/push via GHCR. |
| `.github/workflows/shared-release.yaml` | Reusable release automation workflow (version bump, optional chart update, PR, release, optional dispatch). |
| `.github/workflows/shared-e2e.yaml` | Reusable e2e wrapper around the existing KinD-based workflows/e2e composite action. |
…usable workflows
Adds 5 new reusable workflows to support standardized CI/CD across cloudoperators repos (shoot-grafter, repo-guard, permission-manager, cloudctl, greenhouse-extensions):
- shared-go-lint.yaml: golangci-lint + optional govulncheck
- shared-go-test.yaml: parameterized make test target + optional coverage upload
- shared-go-build.yaml: Go binary build + optional Docker multi-arch build/push
- shared-release.yaml: semver bump, Chart.yaml update, release PR + GitHub release + optional greenhouse-extensions dispatch
- shared-e2e.yaml: KinD-based e2e wrapping the existing workflows/e2e composite action
Closes #2086
Signed-off-by: I313226 <onur.yilmaz@sap.com>

shared-release.yaml:
- Replace non-POSIX \s with [[:space:]] in grep and sed expressions
- Add -E flag to sed for portable extended regex
- Add fail-fast VERSION parse validation (must match X.Y.Z)
- Add environment input so callers can gate on protection rules
- Fall back to release-token when dispatch-token is not provided
shared-e2e.yaml:
- Checkout calling repo into path: caller to avoid workspace collision with the greenhouse checkout in the e2e composite action
- Run e2e make target in caller/<working-directory>
- Remove unused with-remote-cluster input
- Remove unused kubeconfig secret
shared-go-build.yaml:
- Add packages: write permission when push is true
- Add early validation step when docker-build is true and image-name is empty
Signed-off-by: I313226 <onur.yilmaz@sap.com>
f2180c8 to 346f2b9
…-test job Signed-off-by: I313226 <onur.yilmaz@sap.com>
- Checkout default branch explicitly (ref: default_branch) so releases
are never cut from a feature branch
- Use github.event.repository.default_branch instead of hard-coded 'main'
for PR base and release --target, supporting non-main default branches
- Quote ${{ inputs.makefile-path }} in grep invocation
- Quote ${{ inputs.chart-path }} in both sed commands
- Create GitHub release targeting the default branch after fetching
latest, so the tag points at the correct merged commit
Signed-off-by: I313226 <onur.yilmaz@sap.com>
- shared-go-test: drop go-version input, always use go-version-file from go.mod
- shared-release: add if condition to Update Makefile VERSION step (skip when makefile-path is empty)
- shared-release: split Chart.yaml update into two steps with separate bump-chart-app-version input
- shared-release: replace gh CLI release creation with actions/github-script@v7
- shared-release: replace dispatch-token with GitHub App token via actions/create-github-app-token@v3 and peter-evans/repository-dispatch@v4
Signed-off-by: I313226 <onur.yilmaz@sap.com>

…aller repo
The composite action checks out cloudoperators/greenhouse into the workspace root with clean:true (the default), which deletes any pre-existing caller/ subdirectory. Reorder steps: composite action runs first (greenhouse fills workspace root), then the calling repo is checked out into caller/, then setup-go reads from caller/go.mod, and the test runs from caller/.
Signed-off-by: I313226 <onur.yilmaz@sap.com>

- shared-go-test/build/lint: add cache-dependency-path to setup-go so the Go module cache key is correct for subdirectory modules
- shared-go-test: pass extra-env via env var + printf to prevent shell expansion of command substitutions in user-supplied env values
- shared-go-test/build/e2e: pass make target via env var and quote it to prevent shell metacharacter injection
- shared-go-lint: add govulncheck-version input (default: latest) so callers can pin a specific govulncheck version for reproducibility
Signed-off-by: I313226 <onur.yilmaz@sap.com>

- shared-release: validate plugin-name to safe char set (alphanumeric, hyphens, underscores) before use in client-payload JSON to prevent injection via string interpolation
- shared-release: add Linux runner guard ($RUNNER_OS check) and update runs-on description to make GNU sed requirement explicit
Signed-off-by: I313226 <onur.yilmaz@sap.com>

- shared-go-build: replace bash-specific [[ ]] glob match with POSIX case statement for ghcr.io/ prefix check; add Linux runner guard when docker-build is enabled
Signed-off-by: I313226 <onur.yilmaz@sap.com>

- shared-release: append '|| true' to grep pipeline in command substitution so pipefail does not swallow the explicit parse-error message when VERSION is not found
- shared-go-build: add early Validate inputs step that rejects push=true with docker-build=false to prevent unnecessary packages:write token scope being granted without Docker steps running
Signed-off-by: I313226 <onur.yilmaz@sap.com>

- shared-release: add file existence check for makefile-path in Validate inputs step to fail fast with a clear message instead of a confusing grep error when the path is wrong
Signed-off-by: I313226 <onur.yilmaz@sap.com>
d8cd6c6 to 4533eba
- shared-release: add chart-path file existence check in Validate inputs step for consistent early-failure behavior with makefile-path
- shared-e2e: set cache-dependency-path to caller go.sum to prevent greenhouse go.sum in workspace root from polluting the cache key
Signed-off-by: I313226 <onur.yilmaz@sap.com>
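
The shared-release hardening listed in the commit messages above (POSIX `[[:space:]]`, fail-fast X.Y.Z validation, `|| true` after the grep pipeline, the file existence check, the plugin-name character set), collected into one shell sketch. This is an added example, not code from this pull request; the function names and the sample Makefile are constructed for illustration.

```shell
#!/bin/sh
# Added example. Helper names and the sample Makefile are constructed here.
LC_ALL=C; export LC_ALL                      # make [A-Z] ranges byte-exact
ASSIGN_RE='^VERSION[[:space:]]*[:?]?='       # POSIX class instead of \s
VERSION_RE='^[0-9]+\.[0-9]+\.[0-9]+$'

# True only for X.Y.Z. The case guard also rejects embedded newlines, which a
# line-oriented grep alone would let through.
is_version() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq "$VERSION_RE"
}

# Print the VERSION value of Makefile $1, failing fast with a clear message.
read_version() {
  [ -f "$1" ] || { echo "makefile not found: $1" >&2; return 1; }
  # '|| true': a no-match grep must not abort the step under 'set -e' or
  # pipefail before the explicit parse error below is printed.
  v=$(grep -E "$ASSIGN_RE" "$1" | head -n 1 |
      sed -E "s/${ASSIGN_RE}[[:space:]]*//; s/[[:space:]]*\$//" || true)
  is_version "$v" || { echo "VERSION in $1 is not X.Y.Z: '$v'" >&2; return 1; }
  printf '%s\n' "$v"
}

# Rewrite VERSION in Makefile $1 to $2. $2 is validated first, so nothing that
# sed would treat as syntax ('/', '&', newline) reaches the replacement text.
set_version() {
  is_version "$2" || { echo "refusing to write version: $2" >&2; return 1; }
  tmp=$(mktemp) || return 1
  sed -E "s/${ASSIGN_RE}.*/VERSION = $2/" "$1" > "$tmp" && cat "$tmp" > "$1"
  rc=$?; rm -f "$tmp"; return "$rc"
}

# Plugin names go into a JSON payload: letters, digits, '-' and '_' only.
valid_plugin_name() {
  case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Constructed sample Makefile.
SAMPLE=$(mktemp)
printf 'IMG ?= controller\nVERSION ?= 1.4.9\n\nbuild:\n\tgo build ./...\n' > "$SAMPLE"
echo "current version: $(read_version "$SAMPLE")"
```

In a workflow step the path and the new version would reach these functions as environment variables or positional arguments, not as `${{ }}` text pasted into the script.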
abhijith-darshan approved these changes Jun 25, 2026
abhijith-darshan (Contributor) left a comment:
Thanks 🚀 let’s test this and see how it goes.
Comment on lines
+61
to
+62
| jobs: | ||
| release: |
Comment on lines
+133
to
+137
| - name: Update Makefile VERSION | ||
| if: inputs.makefile-path != '' | ||
| run: | | ||
| sed -i -E "s/^VERSION[[:space:]]*[:?]?=.*/VERSION = ${{ steps.version.outputs.new }}/" "${{ inputs.makefile-path }}" | ||
|
|
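Review bot: In the `sed -i -E` line of the "Update Makefile VERSION" step, `${{ inputs.makefile-path }}` and `${{ steps.version.outputs.new }}` are substituted into the script text before the shell parses it, so the double quotes around them do not keep a value containing a quote or a command substitution from being interpreted as shell, and a `/` or `&` in the version would change the sed expression. Pass both through `env:` (for example `MAKEFILE_PATH` and `NEW_VERSION`, names chosen here) and use `"$MAKEFILE_PATH"` and `$NEW_VERSION` in the `run:` body, as the commit messages describe for the make target in the other shared workflows. The `if: inputs.makefile-path != ''` guard only covers the empty case.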
Comment on lines
+50
to
+57
| - name: Run Greenhouse E2E composite action | ||
| uses: cloudoperators/common/workflows/e2e@main | ||
| with: | ||
| admin-k8s-version: ${{ inputs.admin-k8s-version }} | ||
| remote-k8s-version: ${{ inputs.remote-k8s-version }} | ||
| scenario: ${{ inputs.scenario }} | ||
| ref: ${{ inputs.greenhouse-ref }} | ||
|
|
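Review bot: `uses: cloudoperators/common/workflows/e2e@main` references the composite action by a moving branch, so a caller that pins this reusable workflow to a tag or commit SHA still runs whatever `workflows/e2e` is on `main` at run time. Consider referencing the action by commit SHA or release tag, or add a comment next to the `uses:` line stating that `@main` is intentional for same-repo actions.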
Summary
Adds 5 new reusable (`workflow_call`) workflows to `cloudoperators/common` as part of #2086 — GHA Streamlining across cloudoperators repos.

| File | Description |
|---|---|
| `shared-go-lint.yaml` | `enable-govulncheck: true`). Go version read from `go.mod`. |
| `shared-go-test.yaml` | `make` test target + optional coverage artifact upload. Go version read from `go.mod`. |
| `shared-go-build.yaml` | `go.mod`. |
| `shared-release.yaml` | `VERSION` from Makefile, updates Makefile + Chart.yaml, commits directly to the default branch, creates an annotated tag, creates a GitHub release via `actions/github-script@v7`, and optionally dispatches to `greenhouse-extensions` via GitHub App token (`actions/create-github-app-token@v3` + `peter-evans/repository-dispatch@v4`). |
| `shared-e2e.yaml` | `workflows/e2e` composite action for KinD-based Greenhouse e2e tests. |

Design notes
- `shared-release.yaml` commits directly to the default branch — no release branch, no PR. The version bump commit is tagged in-place and the GitHub release points at that exact commit.
- `go-version` input removed from all three Go workflows — version is always read from `go.mod`.
- `dispatch-app-id` + `dispatch-app-private-key`) replaces the old `dispatch-token` PAT for greenhouse-extensions dispatch.
- `appVersion` is controlled separately via `bump-chart-app-version` input (default `true`) to support chart-template-only bumps.
- `shared-go-build` Docker push — `image-name` must start with `ghcr.io/`.
- `cloudoperators/common`) use `@main` by convention.

Consumer PRs (depend on this merging first)