Merge remote-tracking branch 'cncf/main' into backportMarch

Signed-off-by: Britania Rodriguez Reyes <britaniar@microsoft.com>

Author: britaniar

.github/copilot-instructions.md

@@ -2,30 +2,86 @@ name: Helm Chart Publisher
 
 on:
   push:
-    branches:
-      - main
-    paths:
-      - ".github/workflows/chart.yaml"
-      - "charts/**"
-  create:
-    # Publish semver tags as releases.
-    tags: [ 'v*.*.*' ]
-
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag (e.g., v1.0.0)"
+        required: true
+        type: string
 permissions:
   contents: write
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
 
 jobs:
-  deploy:
+  export-registry:
+    uses: ./.github/workflows/setup-release.yml
+    with:
+      tag: ${{ inputs.tag || github.ref_name }}
+
+  publish-github-pages:
+    needs: export-registry
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@v6.0.2
         with:
           submodules: true
           fetch-depth: 0
-      - name: Publish Helm chart
+      - name: Publish Helm chart to GitHub Pages
         uses: stefanprodan/helm-gh-pages@v1.7.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           charts_dir: charts
           target_dir: charts
-          linting: off
+          linting: on
+
+  publish-oci:
+    needs: export-registry
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3.6.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Package and push Helm charts to GHCR via Makefile
+        run: |
+          set -euo pipefail
+
+          RELEASE_VERSION="${{ needs.export-registry.outputs.version }}"
+
+          OCI_REGISTRY="${{ needs.export-registry.outputs.registry }}/charts"
+          make helm-push REGISTRY="${OCI_REGISTRY}" TAG="${RELEASE_VERSION}"
+
+      - name: Verify chart appVersion matches release tag
+        run: |
+          set -euo pipefail
+
+          RELEASE_VERSION="${{ needs.export-registry.outputs.version }}"
+          CHART_VERSION="${RELEASE_VERSION}"
+          EXPECTED_APP_VERSION="${RELEASE_VERSION}"
+
+          rm -rf .helm-verify
+          mkdir -p .helm-verify
+
+          for chart in hub-agent member-agent; do
+            helm pull "oci://${{ needs.export-registry.outputs.registry }}/charts/${chart}" --version "${CHART_VERSION}" --destination .helm-verify >/dev/null
+            packaged=".helm-verify/${chart}-${CHART_VERSION}.tgz"
+            actual_app_version=$(tar -xOf "${packaged}" "${chart}/Chart.yaml" | awk -F': ' '/^appVersion:/ {gsub(/"/, "", $2); print $2}')
+            if [[ "${actual_app_version}" != "${EXPECTED_APP_VERSION}" ]]; then
+              echo "ERROR: ${chart} appVersion (${actual_app_version}) does not match release tag (${EXPECTED_APP_VERSION})"
+              exit 1
+            fi
+            echo "✅ ${chart} appVersion=${actual_app_version} matches release tag=${EXPECTED_APP_VERSION}"
+          done
+
+          rm -rf .helm-verify

.github/workflows/chart.yml

@@ -13,7 +13,8 @@ on:
     paths-ignore: [docs/**, "**.md", "**.mdx", "**.png", "**.jpg"]
 
 env:
-  GO_VERSION: '1.24.9'
+  GO_VERSION: '1.24.13'
+  CERT_MANAGER_VERSION: 'v1.16.2'
 
 jobs:
   detect-noop:
@@ -29,7 +30,7 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
-  unit-tests:
+  unit-and-integration-tests:
     runs-on: ubuntu-latest
     needs: detect-noop
     if: needs.detect-noop.outputs.noop != 'true'
@@ -40,23 +41,48 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Set up Ginkgo CLI
         run: |
           go install github.com/onsi/ginkgo/v2/ginkgo@v2.19.1
 
-      - name: Run unit tests & Generate coverage
-        run: make test
+      - name: Prepare necessary environment variables
+        run: |
+          echo "CGO_ENABLED=1" >> $GITHUB_ENV
+          KUBEBUILDER_ASSETS=$(make --silent kubebuilder-assets-path)
+          echo "KUBEBUILDER_ASSETS="$KUBEBUILDER_ASSETS"" >> $GITHUB_ENV
+
+      # Certain tests that require special setup (e.g., those that should be run with Ginkgo CLI only) will
+      # be skipped in this step.
+      #
+      # Note that the skipping only applies to the CI environment.
+      - name: Run unit and integration tests with default setup & generate coverage
+        run: |
+          make test
+        env:
+          KUBEFLEET_CI_TEST_RUNNER_NAME: 'default'
+
+      # The work applier integration tests use in-memory Kubernetes environment setup; due to resource constraints
+      # and the way the tests are organized, running the suite with as many parallel Ginkgo processes as possible (i.e.,
+      # the number of all CPU cores) might not lead to the optimal outcome.
+      #
+      # Note (chenyu1): switch to test matrices if we need to test with more configuration combos in the future.
+      - name: Run work applier unit and integration tests with Ginkgo CLI & generate coverage
+        run: |
+          ginkgo -v -p --procs=4 --race --cover -coverprofile=work-applier-it-coverage.out ./pkg/controllers/workapplier/ 
+          KUBEFLEET_CI_WORK_APPLIER_RUN_WITH_PRIORITY_QUEUE=true ginkgo -v -p --procs=4 --race --cover -coverprofile=work-applier-it-no-pri-q-coverage.out ./pkg/controllers/workapplier/
+        env:
+          KUBEFLEET_CI_TEST_RUNNER_NAME: 'ginkgo'
 
       - name: Upload Codecov report
         uses: codecov/codecov-action@v5
         with:
-           ## Repository upload token - get it from codecov.io. Required only for private repositories
+          ## Repository upload token - get it from codecov.io. Required only for private repositories
           token: ${{ secrets.CODECOV_TOKEN }}
-          ## Comma-separated list of files to upload
-          files: ./ut-coverage.xml
-  
+          # The codecov action will auto-search all coverage files by default. All uploaded coverage will be
+          # merged automatically.
+
   e2e-tests:
     strategy:
       fail-fast: false
@@ -90,7 +116,7 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Move Docker data directory to /mnt
         # The default storage device on GitHub-hosted runners is running low during e2e tests.
@@ -143,7 +169,8 @@ jobs:
           PROPERTY_PROVIDER: 'azure'
           RESOURCE_SNAPSHOT_CREATION_MINIMUM_INTERVAL: ${{ matrix.resource-snapshot-creation-minimum-interval }}
           RESOURCE_CHANGES_COLLECTION_DURATION: ${{ matrix.resource-changes-collection-duration }}
-      
+          CERT_MANAGER_VERSION: ${{ env.CERT_MANAGER_VERSION }}
+
       - name: Collect logs
         if: always()
         # Wait for a bit before log collection; this gives the agent pods some time to shut down
@@ -157,7 +184,7 @@ jobs:
 
       - name: Upload logs
         if: always()
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: e2e-logs-${{ matrix.customized-settings }}
           path: test/e2e/logs-${{ matrix.customized-settings }}/

.github/workflows/ci.yml

@@ -14,10 +14,9 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.24.9'
+  GO_VERSION: "1.24.13"
 
 jobs:
-
   detect-noop:
     runs-on: ubuntu-latest
     outputs:
@@ -43,7 +42,7 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
         with:
           submodules: true
 
@@ -58,13 +57,33 @@ jobs:
       contents: read
 
     steps:
-    - name: Set up Go ${{ env.GO_VERSION }}
-      uses: actions/setup-go@v6
-      with:
-        go-version: ${{ env.GO_VERSION }}
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v6.0.1
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v6.0.2
+
+      - name: golangci-lint
+        run: make lint
+
+  helm-lint:
+    name: "Helm Lint"
+    runs-on: ubuntu-latest
+    needs: detect-noop
+    if: needs.detect-noop.outputs.noop != 'true'
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6.0.2
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.17.0
 
-    - name: golangci-lint
-      run: make lint
+      - name: Lint Helm charts
+        run: |
+          helm lint charts/hub-agent
+          helm lint charts/member-agent

.github/workflows/code-lint.yml

@@ -38,7 +38,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6.0.1
+      uses: actions/checkout@v6.0.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/codeql-analysis.yml

@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.7
+      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.1.7
       - uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # master
         with:
           check_filenames: true

.github/workflows/codespell.yml

@@ -10,7 +10,7 @@ jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@v6.0.2
     - uses: tcort/github-action-markdown-link-check@v1
       with:
         # this will only show errors in the output

.github/workflows/markdown-lint.yml

@@ -0,0 +1,44 @@
+name: Setup Release
+
+on:
+    workflow_call:
+        inputs:
+            tag:
+                description: "Release tag (e.g., v1.0.0)"
+                required: true
+                type: string
+        outputs:
+            registry:
+                description: "OCI registry repository path (e.g., ghcr.io/org/repo)"
+                value: ${{ jobs.export.outputs.registry }}
+            tag:
+                description: "Release tag (e.g., v1.0.0)"
+                value: ${{ jobs.export.outputs.tag }}
+            version:
+                description: "Release version without v prefix (e.g., 1.0.0)"
+                value: ${{ jobs.export.outputs.version }}
+
+env:
+    REGISTRY: ghcr.io
+
+jobs:
+    export:
+        runs-on: ubuntu-latest
+        outputs:
+            registry: ${{ steps.setup.outputs.registry }}
+            tag: ${{ steps.setup.outputs.tag }}
+            version: ${{ steps.setup.outputs.version }}
+        steps:
+            - id: setup
+              run: |
+                  TAG="${{ inputs.tag }}"
+                  if [[ ! "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]; then
+                    echo "Error: Invalid release tag '${TAG}'. Expected format: v*.*.*"
+                    exit 1
+                  fi
+
+                  # registry must be in lowercase
+                  echo "registry=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+                  echo "tag=${TAG}" >> $GITHUB_OUTPUT
+                  echo "version=${TAG#v}" >> $GITHUB_OUTPUT
+                  echo "Release tag: ${TAG}, version: ${TAG#v}"

.github/workflows/release.yml

@@ -18,7 +18,7 @@ env:
   MEMBER_AGENT_IMAGE_NAME: member-agent
   REFRESH_TOKEN_IMAGE_NAME: refresh-token
 
-  GO_VERSION: '1.24.9'
+  GO_VERSION: '1.24.13'
 
 jobs:
   export-registry:
@@ -44,10 +44,10 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Checkout code
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Login to ${{ env.REGISTRY }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}