ci.yml

name: CI

on:
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_dispatch:
    inputs:
      pr_number:
        description: Pull request number for concurrency grouping and PR-associated reruns.
        required: false
        type: string
      force_full_e2e:
        description: Run the full PR E2E suite for the selected ref.
        required: false
        default: false
        type: boolean
      force_backup_e2e:
        description: Run the backup/restore PR E2E shard set.
        required: false
        default: false
        type: boolean
      force_upgrade_e2e:
        description: Run the upgrade PR E2E shard set.
        required: false
        default: false
        type: boolean
      force_hardened_e2e:
        description: Run the hardened/security PR E2E shard set.
        required: false
        default: false
        type: boolean
  push:
    branches:
      - main

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || inputs.pr_number || github.ref }}
  cancel-in-progress: true

jobs:
  changes:
    name: Detect Changes
    runs-on: &runner ubuntu-24.04
    outputs:
      manual_e2e_requested: ${{ steps.diff.outputs.manual_e2e_requested }}
      manual_full_e2e: ${{ steps.diff.outputs.manual_full_e2e }}
      manual_backup_e2e: ${{ steps.diff.outputs.manual_backup_e2e }}
      manual_upgrade_e2e: ${{ steps.diff.outputs.manual_upgrade_e2e }}
      manual_hardened_e2e: ${{ steps.diff.outputs.manual_hardened_e2e }}
      chart: ${{ steps.diff.outputs.chart }}
      workflow: ${{ steps.diff.outputs.workflow }}
      docs: ${{ steps.diff.outputs.docs }}
      go_quality: ${{ steps.diff.outputs.go_quality }}
      go_tests: ${{ steps.diff.outputs.go_tests }}
      config_compat: ${{ steps.diff.outputs.config_compat }}
      security_scan: ${{ steps.diff.outputs.security_scan }}
      security_image: ${{ steps.diff.outputs.security_image }}
      fuzz: ${{ steps.diff.outputs.fuzz }}
      e2e: ${{ steps.diff.outputs.e2e }}
      e2e_backup: ${{ steps.diff.outputs.e2e_backup }}
      e2e_upgrade: ${{ steps.diff.outputs.e2e_upgrade }}
      e2e_hardened: ${{ steps.diff.outputs.e2e_hardened }}
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0

      - name: Detect chart changes
        id: diff
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          MANUAL_E2E_REQUESTED: ${{ (inputs.force_full_e2e || inputs.force_backup_e2e || inputs.force_upgrade_e2e || inputs.force_hardened_e2e) && 'true' || 'false' }}
          MANUAL_FULL_E2E: ${{ inputs.force_full_e2e && 'true' || 'false' }}
          MANUAL_BACKUP_E2E: ${{ inputs.force_backup_e2e && 'true' || 'false' }}
          MANUAL_UPGRADE_E2E: ${{ inputs.force_upgrade_e2e && 'true' || 'false' }}
          MANUAL_HARDENED_E2E: ${{ inputs.force_hardened_e2e && 'true' || 'false' }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha || '' }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha || '' }}
          PUSH_BEFORE_SHA: ${{ github.event.before || '' }}
        run: |
          set -euo pipefail

          head_sha="${GITHUB_SHA}"
          base_sha=""

          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            {
              echo "manual_e2e_requested=${MANUAL_E2E_REQUESTED}"
              echo "manual_full_e2e=${MANUAL_FULL_E2E}"
              echo "manual_backup_e2e=${MANUAL_BACKUP_E2E}"
              echo "manual_upgrade_e2e=${MANUAL_UPGRADE_E2E}"
              echo "manual_hardened_e2e=${MANUAL_HARDENED_E2E}"
              for key in chart workflow docs go_quality go_tests config_compat security_scan security_image fuzz e2e e2e_backup e2e_upgrade e2e_hardened; do
                echo "${key}=false"
              done
            } >> "${GITHUB_OUTPUT}"
            echo "::notice::workflow_dispatch run: skipping diff-based routing and using manual inputs."
            exit 0
          fi

          {
            echo "manual_e2e_requested=false"
            echo "manual_full_e2e=false"
            echo "manual_backup_e2e=false"
            echo "manual_upgrade_e2e=false"
            echo "manual_hardened_e2e=false"
          } >> "${GITHUB_OUTPUT}"

          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
            base_sha="${PR_BASE_SHA}"
            head_sha="${PR_HEAD_SHA}"
          elif [[ "${EVENT_NAME}" == "push" ]]; then
            base_sha="${PUSH_BEFORE_SHA}"
          else
            echo "Unsupported event: ${EVENT_NAME}" >&2
            exit 1
          fi

          # Ensure base exists locally (checkout may not contain it for PRs).
          git fetch --no-tags --prune --depth=1 origin "${base_sha}" || true

          changed="$(git diff --name-only "${base_sha}" "${head_sha}" || true)"
          changed_matches() {
            grep -qE "$1" <<< "${changed}"
          }

          if changed_matches '^(charts/openbao-operator/|config/(crd|policy|rbac)/|hack/helm(chart|values)/)'; then
            echo "chart=true" >> "${GITHUB_OUTPUT}"
          else
            echo "chart=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(\.github/workflows/|\.github/actions/)'; then
            echo "workflow=true" >> "${GITHUB_OUTPUT}"
          else
            echo "workflow=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(docs/|releases/|website/|hack/docs/|CHANGELOG\.md|README\.md|\.github/actions/docs-build/)'; then
            echo "docs=true" >> "${GITHUB_OUTPUT}"
          else
            echo "docs=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(internal/|cmd/|api/|config/|test/|docs/reference/api\.md|go\.(mod|sum)$|vendor/|Makefile|mk/|hack/(ci/|helm(chart|values)/|boilerplate\.go\.txt)|\.golangci\.yml|\.github/tools/)'; then
            echo "go_quality=true" >> "${GITHUB_OUTPUT}"
          else
            echo "go_quality=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(internal/|cmd/|api/|config/|go\.(mod|sum)$|vendor/|Makefile|mk/|hack/helm(chart|values)/|test/(integration/|unit/))'; then
            echo "go_tests=true" >> "${GITHUB_OUTPUT}"
          else
            echo "go_tests=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(api/|internal/adapter/config/|internal/service/infra/|internal/app/openbaocluster/|internal/controller/openbaocluster/|go\.(mod|sum)$|Makefile|mk/)'; then
            echo "config_compat=true" >> "${GITHUB_OUTPUT}"
          else
            echo "config_compat=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(internal/|cmd/|api/|config/|charts/|Dockerfile(\..*)?$|hack/ci/|go\.(mod|sum)$|vendor/|\.trivyignore|\.trivy\.yaml|Makefile|mk/)'; then
            echo "security_scan=true" >> "${GITHUB_OUTPUT}"
          else
            echo "security_scan=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(internal/|cmd/|go\.(mod|sum)$|vendor/|Dockerfile(\..*)?$|\.dockerignore|Makefile|mk/|\.github/workflows/ci\.yml)'; then
            echo "security_image=true" >> "${GITHUB_OUTPUT}"
          else
            echo "security_image=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(internal/|cmd/|go\.(mod|sum)$|hack/ci/fuzz\.sh|mk/|\.github/workflows/(ci|nightly)\.yml|Makefile)'; then
            echo "fuzz=true" >> "${GITHUB_OUTPUT}"
          else
            echo "fuzz=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(internal/|cmd/|api/|test/e2e/|Dockerfile(\..*)?$|hack/ci/|go\.(mod|sum)$|Makefile|mk/)'; then
            echo "e2e=true" >> "${GITHUB_OUTPUT}"
          else
            echo "e2e=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(internal/service/backup/|internal/service/restore/|cmd/bao-backup/|test/e2e/(e2e_suite_test\.go|framework/.*|helpers/.*|backup_restore_test\.go)|Makefile|mk/)'; then
            echo "e2e_backup=true" >> "${GITHUB_OUTPUT}"
          else
            echo "e2e_backup=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(internal/service/upgrade/|cmd/bao-upgrade/|test/e2e/(e2e_suite_test\.go|framework/.*|helpers/.*|Upgrade_Strategies_test\.go|Upgrade_Target_Drift_test\.go|Upgrade_Operation_Lock_test\.go)|Makefile|mk/)'; then
            echo "e2e_upgrade=true" >> "${GITHUB_OUTPUT}"
          else
            echo "e2e_upgrade=false" >> "${GITHUB_OUTPUT}"
          fi

          if changed_matches '^(internal/adapter/security/|internal/platform/admission/|internal/service/provisioner/|cmd/provisioner/|config/policy/|internal/controller/|cmd/controller/|test/e2e/(e2e_suite_test\.go|framework/.*|helpers/.*|Cluster_Profile_Hardened_test\.go|Cluster_TLS_ACME_test\.go|GitOps_Contract_test\.go|hardened_signed_suite\.go)|Makefile|mk/)'; then
            echo "e2e_hardened=true" >> "${GITHUB_OUTPUT}"
          else
            echo "e2e_hardened=false" >> "${GITHUB_OUTPUT}"
          fi
  security:
    name: Security (vulncheck + Semgrep + Trivy FS)
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.security_scan == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools

      - name: Run vulncheck
        env:
          GOFLAGS: -mod=vendor
        run: make vulncheck

      - name: Run Semgrep
        run: make semgrep-ci

      - name: Install Trivy (safe pinned release)
        uses: aquasecurity/setup-trivy@81e514348e19b6112ce2a7e3ecbafe19c1e1f567 # v0.3.1
        with:
          version: v0.69.3

      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
        with:
          skip-setup-trivy: true
          scan-type: fs
          scan-ref: .
          scanners: vuln,misconfig
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
          trivyignores: .trivyignore
          skip-files: config/rbac/provisioner_minimal_role.yaml,charts/openbao-operator/templates/rbac/provisioner-clusterroles.yaml,config/rbac/single_tenant_clusterrole.yaml,config/overlays/single-tenant/single_tenant_clusterrole.yaml,config/overlays/single-tenant-custom-identity/single_tenant_clusterrole.yaml,dist/install.yaml
          skip-dirs: test/manifests,vendor,website/node_modules,.github/tools/node_modules,bin
          trivy-config: .trivy.yaml

  dependency-licenses:
    name: Dependency Licenses
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.security_scan == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools

      - name: Verify shipped dependency licenses
        run: make license-check

  security-image:
    name: Security (Trivy built image ${{ matrix.image_name }})
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.security_image == 'true'
    runs-on: *runner
    strategy:
      fail-fast: false
      matrix:
        include:
          - image_name: manager
            build_target: docker-build
            image_ref: local/openbao-operator-pr-scan:${{ github.sha }}
          - image_name: config-init
            build_target: docker-build-init
            image_ref: local/openbao-init-pr-scan:${{ github.sha }}
          - image_name: backup-executor
            build_target: docker-build-backup
            image_ref: local/openbao-backup-pr-scan:${{ github.sha }}
          - image_name: upgrade-executor
            build_target: docker-build-upgrade
            image_ref: local/openbao-upgrade-pr-scan:${{ github.sha }}
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Build image
        run: make ${{ matrix.build_target }} IMG="${{ matrix.image_ref }}"

      - name: Install Trivy (safe pinned release)
        uses: aquasecurity/setup-trivy@81e514348e19b6112ce2a7e3ecbafe19c1e1f567 # v0.3.1
        with:
          version: v0.69.3

      - name: Run Trivy image scan
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
        with:
          skip-setup-trivy: true
          scan-type: image
          image-ref: ${{ matrix.image_ref }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
          trivyignores: .trivyignore

  workflow-lint:
    name: Workflow Lint
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.workflow == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools
        with:
          cache-tools: false

      - name: Install actionlint
        env:
          GOFLAGS: -mod=mod
          GOBIN: ${{ github.workspace }}/bin
        run: go install github.com/rhysd/actionlint/cmd/actionlint@v1.7.11

      - name: Run actionlint
        run: |
          "${GITHUB_WORKSPACE}/bin/actionlint" .github/workflows/*.yml

  lint:
    name: Lint
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.go_quality == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools

      - name: Setup Node (for ast-grep install)
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "20"
          cache: npm
          cache-dependency-path: .github/tools/package-lock.json

      - name: Install ast-grep
        run: npm ci --prefix .github/tools

      - name: Add local npm tools to PATH
        run: echo "${GITHUB_WORKSPACE}/.github/tools/node_modules/.bin" >> "${GITHUB_PATH}"

      - name: Verify ast-grep version
        shell: bash
        run: |
          set -euo pipefail
          version="$(ast-grep --version)"
          echo "${version}"

      - name: Run linter
        run: make lint-ci

  verify-fmt:
    name: Verify Formatting
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.go_quality == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools

      - name: Verify gofmt
        run: make verify-fmt

  tidy-check:
    name: Verify go.mod/go.sum
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.go_quality == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools

      - name: Verify tidy
        run: make verify-tidy

  verify-vendor:
    name: Verify vendor/
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.go_quality == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools
        with:
          cache-tools: false

      - name: Verify vendor tree
        run: make verify-vendor

  verify-generated:
    name: Verify Generated Artifacts
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.go_quality == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools

      - name: Verify generated files
        run: make verify-generated

  test-unit:
    name: Unit Tests
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.go_tests == 'true'
    runs-on: *runner
    env:
      GOFLAGS: -mod=vendor
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools
        with:
          cache-tools: false

      - name: Run unit tests
        run: make test

  test-integration:
    name: Envtest Integration
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.go_tests == 'true'
    runs-on: *runner
    env:
      GOFLAGS: -mod=vendor
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools

      - name: Run integration tests
        run: |
          make test-integration

  fuzz:
    name: Fuzz Smoke
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.fuzz == 'true'
    runs-on: *runner
    env:
      GOFLAGS: -mod=vendor
      FUZZ_ARTIFACT_DIR: dist/fuzz
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools
        with:
          cache-tools: false

      - name: Run fuzz smoke sweep
        run: make fuzz

      - name: Upload fuzz artifacts (failure)
        if: failure()
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: fuzz-artifacts
          path: |
            dist/fuzz/
            **/testdata/fuzz/**/*
          if-no-files-found: ignore
          retention-days: 7

  openbao-config-compat:
    name: OpenBao Config Compatibility (OpenBao >=2.4.0 <2.6.0)
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.config_compat == 'true'
    runs-on: *runner
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools
        with:
          cache-tools: false

      - name: Run OpenBao config compatibility
        uses: ./.github/actions/run-openbao-config-compat
        with:
          versions: 2.4.4 2.5.4

  docs:
    name: Docs Build
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.docs == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Build docs
        uses: ./.github/actions/docs-build

  release-line-docs:
    name: Release-line Docs Snapshot
    needs: changes
    if: github.event_name == 'pull_request' && startsWith(github.base_ref, 'release-') && needs.changes.outputs.docs == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0

      - name: Verify release-line docs snapshot changed
        env:
          BASE_REF: ${{ github.base_ref }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail

          if [[ ! "${BASE_REF}" =~ ^release-([0-9]+)\.([0-9]+)$ ]]; then
            echo "Release-line docs check only supports release-X.Y branches; got ${BASE_REF}" >&2
            exit 1
          fi

          docs_version="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.0"
          git fetch --no-tags --prune --depth=1 origin "${BASE_SHA}" || true

          changed="$(git diff --name-only "${BASE_SHA}" "${HEAD_SHA}")"
          docs_changed="$(grep -E '^(docs/|website/sidebars\.ts$)' <<< "${changed}" || true)"
          if [[ -z "${docs_changed}" ]]; then
            echo "No source docs changed."
            exit 0
          fi

          snapshot_changed="$(
            grep -E "^website/versioned_docs/version-${docs_version//./\\.}/|^website/versioned_sidebars/version-${docs_version//./\\.}-sidebars\\.json$|^website/versions\\.json$" <<< "${changed}" || true
          )"
          if [[ -n "${snapshot_changed}" ]]; then
            echo "Release-line docs snapshot changed for ${docs_version}."
            exit 0
          fi

          {
            echo "PRs against ${BASE_REF} that change source docs must refresh the ${docs_version} release-line docs snapshot."
            echo
            echo "Run from the release branch and commit the generated files:"
            echo "  make docs-refresh-version DOCS_VERSION=${docs_version}"
          } >&2
          exit 1

  helm:
    name: Helm Chart
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.chart == 'true'
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools

      - name: Verify Helm chart synced inputs
        env:
          GOFLAGS: -mod=vendor
        run: make verify-helm

      - name: Setup Helm
        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
        with:
          version: v4.1.1

      - name: Lint
        run: helm lint charts/openbao-operator --namespace openbao-operator-system

      - name: Template
        run: helm template openbao-operator charts/openbao-operator --namespace openbao-operator-system --include-crds > /dev/null

      - name: Verify OpenShift templating (SCC-compatible)
        run: bash hack/ci/verify-openshift-helm.sh

  helm-e2e-smoke:
    name: Helm E2E Smoke (kind)
    runs-on: *runner
    timeout-minutes: 20
    needs: changes
    if: needs.changes.outputs.chart == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools

      - name: Setup Helm
        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
        with:
          version: v4.1.1

      - name: Install kind (pinned)
        uses: ./.github/actions/install-kind
        with:
          install-dir: bin/

      - name: Run Helm E2E smoke
        env:
          GOFLAGS: -mod=vendor
        run: make helm-e2e-smoke

  build-artifacts:
    name: Build Artifacts
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.manual_e2e_requested == 'true' || (((needs.changes.outputs.e2e == 'true' || (github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'ci:full-e2e') || contains(github.event.pull_request.labels.*.name, 'backup') || contains(github.event.pull_request.labels.*.name, 'upgrades') || contains(github.event.pull_request.labels.*.name, 'security') || contains(github.event.pull_request.labels.*.name, 'provisioner') || contains(github.event.pull_request.labels.*.name, 'admission') || contains(github.event.pull_request.labels.*.name, 'controller'))))) && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository))
    runs-on: *runner
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools
        with:
          cache-tools: false

      - name: Build Linux Binaries
        env:
          GOFLAGS: -mod=vendor
        run: make build-linux

      - name: Upload Binaries
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: operator-binaries
          path: bin/linux_amd64/
          retention-days: 1

  build-e2e-images:
    name: Build E2E Images Once
    runs-on: *runner
    needs: [changes, build-artifacts]
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.manual_e2e_requested == 'true' || (((needs.changes.outputs.e2e == 'true' || (github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'ci:full-e2e') || contains(github.event.pull_request.labels.*.name, 'backup') || contains(github.event.pull_request.labels.*.name, 'upgrades') || contains(github.event.pull_request.labels.*.name, 'security') || contains(github.event.pull_request.labels.*.name, 'provisioner') || contains(github.event.pull_request.labels.*.name, 'admission') || contains(github.event.pull_request.labels.*.name, 'controller'))))) && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository))
    permissions:
      contents: read
      packages: write
    outputs:
      manager_ref: ${{ steps.refs.outputs.manager_ref }}
      config_init_ref: ${{ steps.refs.outputs.config_init_ref }}
      backup_executor_ref: ${{ steps.refs.outputs.backup_executor_ref }}
      upgrade_executor_ref: ${{ steps.refs.outputs.upgrade_executor_ref }}
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Download Binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: operator-binaries
          path: bin/linux_amd64

      - name: Prepare Binaries
        run: chmod +x bin/linux_amd64/*

      - name: Login to GHCR
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          version: v0.31.1

      - name: Compute E2E image tag
        id: tag
        run: |
          set -euo pipefail
          echo "value=e2e-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" >> "${GITHUB_OUTPUT}"

      - name: Compute E2E image repositories
        id: image-repos
        run: |
          set -euo pipefail
          if [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
            prefix="ci-e2e"
          else
            prefix="pr-e2e"
          fi

          {
            echo "manager_repo=ghcr.io/${GITHUB_REPOSITORY_OWNER}/${prefix}-openbao-operator"
            echo "config_init_repo=ghcr.io/${GITHUB_REPOSITORY_OWNER}/${prefix}-openbao-init"
            echo "backup_executor_repo=ghcr.io/${GITHUB_REPOSITORY_OWNER}/${prefix}-openbao-backup"
            echo "upgrade_executor_repo=ghcr.io/${GITHUB_REPOSITORY_OWNER}/${prefix}-openbao-upgrade"
          } >> "${GITHUB_OUTPUT}"

      - name: Build operator image
        id: build-manager
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          file: hack/ci/Dockerfile.fast.manager
          build-args: |
            BINARY=bin/linux_amd64/manager
            TARGET=/manager
          platforms: linux/amd64
          push: true
          provenance: false
          sbom: false
          tags: ${{ steps.image-repos.outputs.manager_repo }}:${{ steps.tag.outputs.value }}
          cache-from: type=gha,scope=${{ github.event_name == 'push' && 'main-e2e' || 'pr-e2e' }}-openbao-operator
          cache-to: type=gha,mode=max,scope=${{ github.event_name == 'push' && 'main-e2e' || 'pr-e2e' }}-openbao-operator

      - name: Build init image
        id: build-init
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          file: hack/ci/Dockerfile.fast.init
          platforms: linux/amd64
          push: true
          provenance: false
          sbom: false
          tags: ${{ steps.image-repos.outputs.config_init_repo }}:${{ steps.tag.outputs.value }}
          cache-from: type=gha,scope=${{ github.event_name == 'push' && 'main-e2e' || 'pr-e2e' }}-openbao-init
          cache-to: type=gha,mode=max,scope=${{ github.event_name == 'push' && 'main-e2e' || 'pr-e2e' }}-openbao-init

      - name: Build backup image
        id: build-backup
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          file: hack/ci/Dockerfile.fast.backup
          platforms: linux/amd64
          push: true
          provenance: false
          sbom: false
          tags: ${{ steps.image-repos.outputs.backup_executor_repo }}:${{ steps.tag.outputs.value }}
          cache-from: type=gha,scope=${{ github.event_name == 'push' && 'main-e2e' || 'pr-e2e' }}-openbao-backup
          cache-to: type=gha,mode=max,scope=${{ github.event_name == 'push' && 'main-e2e' || 'pr-e2e' }}-openbao-backup

      - name: Build upgrade image
        id: build-upgrade
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          file: hack/ci/Dockerfile.fast.upgrade
          platforms: linux/amd64
          push: true
          provenance: false
          sbom: false
          tags: ${{ steps.image-repos.outputs.upgrade_executor_repo }}:${{ steps.tag.outputs.value }}
          cache-from: type=gha,scope=${{ github.event_name == 'push' && 'main-e2e' || 'pr-e2e' }}-openbao-upgrade
          cache-to: type=gha,mode=max,scope=${{ github.event_name == 'push' && 'main-e2e' || 'pr-e2e' }}-openbao-upgrade

      - name: Publish image refs
        id: refs
        run: |
          set -euo pipefail
          {
            echo "manager_ref=${{ steps.image-repos.outputs.manager_repo }}:${{ steps.tag.outputs.value }}"
            echo "config_init_ref=${{ steps.image-repos.outputs.config_init_repo }}:${{ steps.tag.outputs.value }}"
            echo "backup_executor_ref=${{ steps.image-repos.outputs.backup_executor_repo }}:${{ steps.tag.outputs.value }}"
            echo "upgrade_executor_ref=${{ steps.image-repos.outputs.upgrade_executor_repo }}:${{ steps.tag.outputs.value }}"
          } >> "${GITHUB_OUTPUT}"

  e2e-matrix:
    name: Plan E2E Matrix
    runs-on: *runner
    needs: changes
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.manual_e2e_requested == 'true' || (((needs.changes.outputs.e2e == 'true' || (github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'ci:full-e2e') || contains(github.event.pull_request.labels.*.name, 'backup') || contains(github.event.pull_request.labels.*.name, 'upgrades') || contains(github.event.pull_request.labels.*.name, 'security') || contains(github.event.pull_request.labels.*.name, 'provisioner') || contains(github.event.pull_request.labels.*.name, 'admission') || contains(github.event.pull_request.labels.*.name, 'controller'))))) && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository))
    outputs:
      matrix: ${{ steps.plan.outputs.matrix }}
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup repo tools
        uses: ./.github/actions/setup-repo-tools
        with:
          cache-tools: false

      - name: Generate E2E matrix
        id: plan
        env:
          GOFLAGS: -mod=vendor
        run: |
          set -euo pipefail
          matrix="$(go run ./hack/tools/e2e_plan --manifest test/e2e/suites.yaml --format github-matrix)"
          printf 'matrix=%s\n' "${matrix}" >> "${GITHUB_OUTPUT}"
          {
            echo "## E2E Matrix"
            echo
            echo '```json'
            echo "${matrix}"
            echo '```'
          } >> "${GITHUB_STEP_SUMMARY}"

  e2e:
    needs: [changes, e2e-matrix, build-e2e-images]
    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.manual_e2e_requested == 'true' || (((needs.changes.outputs.e2e == 'true' || (github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'ci:full-e2e') || contains(github.event.pull_request.labels.*.name, 'backup') || contains(github.event.pull_request.labels.*.name, 'upgrades') || contains(github.event.pull_request.labels.*.name, 'security') || contains(github.event.pull_request.labels.*.name, 'provisioner') || contains(github.event.pull_request.labels.*.name, 'admission') || contains(github.event.pull_request.labels.*.name, 'controller'))))) && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository))
    name: E2E (${{ matrix.name }})
    runs-on: *runner
    permissions:
      contents: read
      packages: read
    timeout-minutes: ${{ matrix.timeout_minutes }}
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.e2e-matrix.outputs.matrix) }}
    env:
      KIND_NODE_IMAGE: ${{ matrix.kind_node_image }}
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Determine E2E Filter
        id: filter
        env:
          HAS_E2E_CHANGES: ${{ needs.changes.outputs.e2e == 'true' }}
          FULL_E2E: >-
            ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.changes.outputs.manual_full_e2e == 'true' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ci:full-e2e')) }}
          PR_BACKUP: >-
            ${{ needs.changes.outputs.manual_backup_e2e == 'true' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'backup')) }}
          PR_UPGRADE: >-
            ${{ needs.changes.outputs.manual_upgrade_e2e == 'true' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'upgrades')) }}
          PR_HARDENED: >-
            ${{ needs.changes.outputs.manual_hardened_e2e == 'true' || (github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'security') || contains(github.event.pull_request.labels.*.name, 'provisioner') || contains(github.event.pull_request.labels.*.name, 'admission') || contains(github.event.pull_request.labels.*.name, 'controller'))) }}
          E2E_BACKUP_CHANGED: ${{ needs.changes.outputs.e2e_backup }}
          E2E_UPGRADE_CHANGED: ${{ needs.changes.outputs.e2e_upgrade }}
          E2E_HARDENED_CHANGED: ${{ needs.changes.outputs.e2e_hardened }}
          EXCLUDE_PENTEST_ON_DEFAULT_PR: ${{ matrix.exclude_pentest_on_default_pr }}
          LABEL_FILTER: ${{ matrix.label_filter }}
          PR_LABEL_FILTER: ${{ matrix.pr_label_filter }}
          PR_SCOPE: ${{ matrix.pr_scope }}
          SHARD_NAME: ${{ matrix.name }}
        run: |
          set -euo pipefail

          FULL_FILTER="${LABEL_FILTER}"
          PR_FILTER="${PR_LABEL_FILTER}"
          FILTER="${FULL_FILTER}"
          if [[ "${FULL_E2E}" != "true" ]] && [[ -n "${PR_FILTER}" ]]; then
            FILTER="${PR_FILTER}"
          fi
          SHOULD_RUN="false"

          case "${PR_SCOPE}" in
            always)
              if [[ "${FULL_E2E}" == "true" ]] || [[ "${HAS_E2E_CHANGES}" == "true" ]]; then
                SHOULD_RUN="true"
              fi
              ;;
            backup)
              if [[ "${FULL_E2E}" == "true" ]] || [[ "${PR_BACKUP}" == "true" ]] || [[ "${E2E_BACKUP_CHANGED}" == "true" ]]; then
                SHOULD_RUN="true"
              fi
              ;;
            upgrade)
              if [[ "${FULL_E2E}" == "true" ]] || [[ "${PR_UPGRADE}" == "true" ]] || [[ "${E2E_UPGRADE_CHANGED}" == "true" ]]; then
                SHOULD_RUN="true"
              fi
              ;;
            hardened)
              if [[ "${FULL_E2E}" == "true" ]] || [[ "${PR_HARDENED}" == "true" ]] || [[ "${E2E_HARDENED_CHANGED}" == "true" ]]; then
                SHOULD_RUN="true"
              fi
              ;;
          esac

          if [[ "${FULL_E2E}" != "true" ]]; then
            FILTER="(${FILTER}) && !lower-layer-covered"
          fi

          if [[ "${FULL_E2E}" != "true" ]] && [[ "${EXCLUDE_PENTEST_ON_DEFAULT_PR}" == "true" ]] && [[ "${PR_HARDENED}" != "true" ]]; then
            FILTER="(${FILTER}) && !pentest"
          fi

          echo "E2E_LABEL_FILTER=$FILTER" >> "${GITHUB_ENV}"
          echo "SHOULD_RUN=$SHOULD_RUN" >> "${GITHUB_ENV}"
          if [[ "$SHOULD_RUN" == "false" ]]; then
            echo "::notice::Skipping ${SHARD_NAME} shard (routing optimization)"
          else
            echo "::notice::Running ${SHARD_NAME} with filter: $FILTER"
          fi

      - name: Setup repo tools
        if: env.SHOULD_RUN == 'true'
        uses: ./.github/actions/setup-repo-tools

      - name: Install kind (pinned)
        if: env.SHOULD_RUN == 'true'
        uses: ./.github/actions/install-kind
        with:
          install-dir: bin/

      - name: Login to GHCR (pull)
        if: env.SHOULD_RUN == 'true'
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Compute E2E report paths
        id: e2e-report
        if: env.SHOULD_RUN == 'true'
        run: |
          set -euo pipefail
          sanitized_name="$(printf '%s' '${{ matrix.name }}' | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//')"
          report_dir="artifacts/e2e-reports/${sanitized_name}"
          echo "report_dir=${report_dir}" >> "${GITHUB_OUTPUT}"
          echo "artifact_name=e2e-artifacts-${sanitized_name}" >> "${GITHUB_OUTPUT}"

      - name: Prepare E2E lane
        id: prepare-e2e-lane
        if: env.SHOULD_RUN == 'true'
        uses: ./.github/actions/prepare-e2e-lane
        with:
          kind-node-image: ${{ matrix.kind_node_image }}
          kind-cluster: kind
          manager-image: ${{ needs.build-e2e-images.outputs.manager_ref }}
          config-init-image: ${{ needs.build-e2e-images.outputs.config_init_ref }}
          backup-executor-image: ${{ needs.build-e2e-images.outputs.backup_executor_ref }}
          upgrade-executor-image: ${{ needs.build-e2e-images.outputs.upgrade_executor_ref }}
          hardened-upgrade-executor-image: ${{ matrix.hardened_upgrade_executor_image }}
          load-backup-executor-image: ${{ matrix.load_backup_executor_image }}
          load-upgrade-executor-image: ${{ matrix.load_upgrade_executor_image }}
          preload-storage-emulators: ${{ matrix.preload_storage_emulators }}
          preload-rustfs-image: ${{ matrix.preload_rustfs_image }}
          preload-fake-gcs-image: ${{ matrix.preload_fake_gcs_image }}
          preload-azurite-image: ${{ matrix.preload_azurite_image }}
          rustfs-image: ${{ matrix.rustfs_image }}
          fake-gcs-image: ${{ matrix.fake_gcs_image }}
          azurite-image: ${{ matrix.azurite_image }}
          report-dir: ${{ steps.e2e-report.outputs.report_dir }}
          artifact-name: ${{ steps.e2e-report.outputs.artifact_name }}

      - name: Run E2E Tests
        if: env.SHOULD_RUN == 'true'
        env:
          GOFLAGS: -mod=vendor
          OPENBAO_REQUEUE_STANDARD: 10s
          # E2E_LABEL_FILTER is set by previous step
          E2E_PARALLEL_NODES: ${{ matrix.parallel_nodes }}
          E2E_TIMEOUT: ${{ matrix.e2e_timeout }}
          E2E_FAIL_ON_EMPTY: "true"
          E2E_POLL_PROGRESS_AFTER: "10m"
          E2E_SKIP_IMAGE_BUILD: "true"
          E2E_INSTALL_CSI_HOSTPATH: ${{ matrix.install_csi_hostpath }}
          E2E_ENABLE_HARDENED_SIGNED_SUITE: ${{ matrix.hardened_signed }}
          E2E_OPERATOR_IMAGE: ${{ needs.build-e2e-images.outputs.manager_ref }}
          E2E_OPENBAO_IMAGE: ${{ matrix.openbao_image }}
          E2E_RUSTFS_IMAGE: ${{ steps.prepare-e2e-lane.outputs['rustfs-image'] }}
          E2E_FAKE_GCS_IMAGE: ${{ steps.prepare-e2e-lane.outputs['fake-gcs-image'] }}
          E2E_AZURITE_IMAGE: ${{ steps.prepare-e2e-lane.outputs['azurite-image'] }}
          E2E_CONFIG_INIT_IMAGE: ${{ needs.build-e2e-images.outputs.config_init_ref }}
          E2E_HARDENED_CONFIG_INIT_IMAGE: ${{ matrix.hardened_init_image }}
          E2E_HARDENED_UPGRADE_EXECUTOR_IMAGE: ${{ matrix.hardened_upgrade_executor_image }}
          E2E_BACKUP_EXECUTOR_IMAGE: ${{ needs.build-e2e-images.outputs.backup_executor_ref }}
          E2E_UPGRADE_EXECUTOR_IMAGE: ${{ matrix.hardened_upgrade_executor_image != '' && matrix.hardened_upgrade_executor_image || needs.build-e2e-images.outputs.upgrade_executor_ref }}
          E2E_LOAD_BACKUP_EXECUTOR_IMAGE: ${{ matrix.load_backup_executor_image }}
          E2E_LOAD_UPGRADE_EXECUTOR_IMAGE: ${{ matrix.load_upgrade_executor_image }}
          E2E_PRELOAD_UPGRADE_IMAGES: ${{ matrix.preload_upgrade_images }}
          E2E_PRELOAD_HARDENED_ASSETS: ${{ matrix.preload_hardened_assets }}
          KIND_CLUSTER: kind
        run: make test-e2e-ci

      - name: Summarize E2E report
        if: always() && env.SHOULD_RUN == 'true'
        env:
          GOFLAGS: -mod=vendor
        run: |
          set -euo pipefail
          if [[ -z "${E2E_JSON_REPORT:-}" ]] || [[ ! -s "${E2E_JSON_REPORT}" ]]; then
            {
              echo "## E2E Report Summary"
              echo
              echo "No Ginkgo JSON report was produced for ${{ matrix.name }}."
            } > "${E2E_SUMMARY_REPORT:-e2e-summary.md}"
          else
            openbao_version='${{ matrix.openbao_image }}'
            if [[ -z "${openbao_version}" ]]; then
              openbao_version="default"
            fi
            report_status=0
            go run ./hack/tools/e2e_report \
              --json-report "${E2E_JSON_REPORT}" \
              --manifest test/e2e/suites.yaml \
              --fail-on-selected-skips \
              --markdown-out "${E2E_SUMMARY_REPORT}" \
              --json-out "${E2E_SUMMARY_JSON}" \
              --lane "${{ matrix.name }}" \
              --selector "${E2E_LABEL_FILTER}" \
              --kubernetes-version "${KIND_NODE_IMAGE}" \
              --openbao-version "${openbao_version}" || report_status=$?
          fi
          cat "${E2E_SUMMARY_REPORT}" >> "${GITHUB_STEP_SUMMARY}"
          exit "${report_status:-0}"

      - name: Collect E2E artifacts (failure)
        if: failure()
        run: bash hack/ci/collect-e2e-artifacts.sh

      - name: Upload E2E artifacts
        if: always() && env.SHOULD_RUN == 'true' && env.E2E_ARTIFACT_NAME != ''
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ env.E2E_ARTIFACT_NAME }}
          path: artifacts/
          retention-days: 7

  ci-required:
    name: CI Required
    runs-on: *runner
    if: always()
    needs:
      - changes
      - security
      - security-image
      - dependency-licenses
      - workflow-lint
      - lint
      - verify-fmt
      - tidy-check
      - verify-vendor
      - verify-generated
      - test-unit
      - test-integration
      - fuzz
      - openbao-config-compat
      - docs
      - release-line-docs
      - helm
      - helm-e2e-smoke
      - build-artifacts
      - build-e2e-images
      - e2e-matrix
      - e2e
    steps:
      - name: Validate required CI graph
        env:
          CHANGES: ${{ needs.changes.result }}
          SECURITY: ${{ needs.security.result }}
          SECURITY_IMAGE: ${{ needs.security-image.result }}
          DEPENDENCY_LICENSES: ${{ needs.dependency-licenses.result }}
          WORKFLOW_LINT: ${{ needs.workflow-lint.result }}
          LINT: ${{ needs.lint.result }}
          VERIFY_FMT: ${{ needs.verify-fmt.result }}
          TIDY_CHECK: ${{ needs.tidy-check.result }}
          VERIFY_VENDOR: ${{ needs.verify-vendor.result }}
          VERIFY_GENERATED: ${{ needs.verify-generated.result }}
          TEST_UNIT: ${{ needs.test-unit.result }}
          TEST_INTEGRATION: ${{ needs.test-integration.result }}
          FUZZ: ${{ needs.fuzz.result }}
          OPENBAO_CONFIG_COMPAT: ${{ needs.openbao-config-compat.result }}
          DOCS: ${{ needs.docs.result }}
          RELEASE_LINE_DOCS: ${{ needs.release-line-docs.result }}
          HELM: ${{ needs.helm.result }}
          HELM_E2E_SMOKE: ${{ needs.helm-e2e-smoke.result }}
          BUILD_ARTIFACTS: ${{ needs.build-artifacts.result }}
          BUILD_E2E_IMAGES: ${{ needs.build-e2e-images.result }}
          E2E_MATRIX: ${{ needs.e2e-matrix.result }}
          E2E: ${{ needs.e2e.result }}
        run: |
          set -euo pipefail

          failures=()
          while IFS='=' read -r job result; do
            case "${result}" in
              success|skipped)
                ;;
              *)
                failures+=("${job}:${result}")
                ;;
            esac
          done <<EOF
          changes=${CHANGES}
          security=${SECURITY}
          security-image=${SECURITY_IMAGE}
          dependency-licenses=${DEPENDENCY_LICENSES}
          workflow-lint=${WORKFLOW_LINT}
          lint=${LINT}
          verify-fmt=${VERIFY_FMT}
          tidy-check=${TIDY_CHECK}
          verify-vendor=${VERIFY_VENDOR}
          verify-generated=${VERIFY_GENERATED}
          test-unit=${TEST_UNIT}
          test-integration=${TEST_INTEGRATION}
          fuzz=${FUZZ}
          openbao-config-compat=${OPENBAO_CONFIG_COMPAT}
          docs=${DOCS}
          release-line-docs=${RELEASE_LINE_DOCS}
          helm=${HELM}
          helm-e2e-smoke=${HELM_E2E_SMOKE}
          build-artifacts=${BUILD_ARTIFACTS}
          build-e2e-images=${BUILD_E2E_IMAGES}
          e2e-matrix=${E2E_MATRIX}
          e2e=${E2E}
          EOF

          if [[ "${#failures[@]}" -gt 0 ]]; then
            printf 'Required CI graph failures:\n' >&2
            printf '  - %s\n' "${failures[@]}" >&2
            exit 1
          fi

          echo "Required CI graph completed successfully."

  prepare-edge-candidate:
    name: Prepare Edge Candidate
    runs-on: *runner
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: read
    outputs:
      sha: ${{ steps.vars.outputs.sha }}
      short_sha: ${{ steps.vars.outputs.short_sha }}
      version: ${{ steps.vars.outputs.version }}
      chart_version: ${{ steps.vars.outputs.chart_version }}
      build_tag: ${{ steps.vars.outputs.build_tag }}
      repro_build_tag: ${{ steps.vars.outputs.repro_build_tag }}
      source_date_epoch: ${{ steps.vars.outputs.source_date_epoch }}
      manager_image: ${{ steps.vars.outputs.manager_image }}
      config_init_image: ${{ steps.vars.outputs.config_init_image }}
      backup_executor_image: ${{ steps.vars.outputs.backup_executor_image }}
      upgrade_executor_image: ${{ steps.vars.outputs.upgrade_executor_image }}
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0

      - name: Compute edge variables
        id: vars
        run: |
          set -euo pipefail
          sha="$(git rev-parse HEAD)"
          short_sha="$(git rev-parse --short=12 HEAD)"
          build_tag="edge-build-${sha}"
          repro_build_tag="edge-repro-${sha}"
          source_date_epoch="$(git show -s --format=%ct HEAD)"
          version="edge-${short_sha}"

          chart_file="charts/openbao-operator/Chart.yaml"
          chart_version="$(sed -nE 's/^version:[[:space:]]*"?([^"#[:space:]]+)"?[[:space:]]*(#.*)?$/\1/p' "${chart_file}" | head -n1)"
          if [[ -z "${chart_version}" ]]; then
            echo "failed to parse chart version from ${chart_file}" >&2
            exit 1
          fi

          owner="${GITHUB_REPOSITORY_OWNER}"
          {
            echo "sha=${sha}"
            echo "short_sha=${short_sha}"
            echo "version=${version}"
            echo "chart_version=${chart_version}"
            echo "build_tag=${build_tag}"
            echo "repro_build_tag=${repro_build_tag}"
            echo "source_date_epoch=${source_date_epoch}"
            echo "manager_image=ghcr.io/${owner}/openbao-operator"
            echo "config_init_image=ghcr.io/${owner}/openbao-init"
            echo "backup_executor_image=ghcr.io/${owner}/openbao-backup"
            echo "upgrade_executor_image=ghcr.io/${owner}/openbao-upgrade"
          } >> "${GITHUB_OUTPUT}"

  build-edge-candidate:
    name: Build + Verify Edge Candidate
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - prepare-edge-candidate
      - security
      - workflow-lint
      - lint
      - verify-fmt
      - tidy-check
      - verify-vendor
      - verify-generated
      - test-unit
      - test-integration
      - openbao-config-compat
      - docs
      - helm
      - e2e
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    uses: ./.github/workflows/reusable-channel-hardening.yml
    with:
      ref: ${{ github.sha }}
      source_ref: refs/heads/main
      version: ${{ needs.prepare-edge-candidate.outputs.version }}
      chart_version: ${{ needs.prepare-edge-candidate.outputs.chart_version }}
      build_tag: ${{ needs.prepare-edge-candidate.outputs.build_tag }}
      repro_build_tag: ${{ needs.prepare-edge-candidate.outputs.repro_build_tag }}
      source_date_epoch: ${{ needs.prepare-edge-candidate.outputs.source_date_epoch }}
      manager_image: ${{ needs.prepare-edge-candidate.outputs.manager_image }}
      config_init_image: ${{ needs.prepare-edge-candidate.outputs.config_init_image }}
      backup_executor_image: ${{ needs.prepare-edge-candidate.outputs.backup_executor_image }}
      upgrade_executor_image: ${{ needs.prepare-edge-candidate.outputs.upgrade_executor_image }}
      byte_artifact_name: edge-byte-verified-assets
    secrets: inherit

  assemble-edge-candidate-bundle:
    name: Assemble Edge Candidate Bundle
    runs-on: *runner
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [prepare-edge-candidate, build-edge-candidate]
    permissions:
      contents: read
    steps:
      - name: Download byte-verified edge assets
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: edge-byte-verified-assets
          path: dist/candidate

      - name: Write edge metadata
        env:
          SHA: ${{ needs.prepare-edge-candidate.outputs.sha }}
          SHORT_SHA: ${{ needs.prepare-edge-candidate.outputs.short_sha }}
          VERSION: ${{ needs.prepare-edge-candidate.outputs.version }}
          CHART_VERSION: ${{ needs.prepare-edge-candidate.outputs.chart_version }}
          SOURCE_DATE_EPOCH: ${{ needs.prepare-edge-candidate.outputs.source_date_epoch }}
          MANAGER_IMAGE: ${{ needs.prepare-edge-candidate.outputs.manager_image }}
          MANAGER_DIGEST: ${{ needs.build-edge-candidate.outputs.manager_digest }}
          CONFIG_INIT_IMAGE: ${{ needs.prepare-edge-candidate.outputs.config_init_image }}
          CONFIG_INIT_DIGEST: ${{ needs.build-edge-candidate.outputs.config_init_digest }}
          BACKUP_EXECUTOR_IMAGE: ${{ needs.prepare-edge-candidate.outputs.backup_executor_image }}
          BACKUP_EXECUTOR_DIGEST: ${{ needs.build-edge-candidate.outputs.backup_executor_digest }}
          UPGRADE_EXECUTOR_IMAGE: ${{ needs.prepare-edge-candidate.outputs.upgrade_executor_image }}
          UPGRADE_EXECUTOR_DIGEST: ${{ needs.build-edge-candidate.outputs.upgrade_executor_digest }}
        run: |
          set -euo pipefail
          python3 - <<'PY' > dist/candidate/metadata.json
          import json
          import os

          data = {
              "channel": "edge",
              "source_ref": "refs/heads/main",
              "sha": os.environ["SHA"],
              "short_sha": os.environ["SHORT_SHA"],
              "version": os.environ["VERSION"],
              "chart_version": os.environ["CHART_VERSION"],
              "source_date_epoch": os.environ["SOURCE_DATE_EPOCH"],
              "build_run_id": os.environ["GITHUB_RUN_ID"],
              "build_run_attempt": os.environ["GITHUB_RUN_ATTEMPT"],
              "artifacts": {
                  "install_yaml": "install.yaml",
                  "crds_yaml": "crds.yaml",
                  "checksums_txt": "checksums.txt",
              },
              "images": {
                  "manager": {"ref": os.environ["MANAGER_IMAGE"], "digest": os.environ["MANAGER_DIGEST"]},
                  "config_init": {"ref": os.environ["CONFIG_INIT_IMAGE"], "digest": os.environ["CONFIG_INIT_DIGEST"]},
                  "backup_executor": {"ref": os.environ["BACKUP_EXECUTOR_IMAGE"], "digest": os.environ["BACKUP_EXECUTOR_DIGEST"]},
                  "upgrade_executor": {"ref": os.environ["UPGRADE_EXECUTOR_IMAGE"], "digest": os.environ["UPGRADE_EXECUTOR_DIGEST"]},
              },
          }

          print(json.dumps(data, indent=2, sort_keys=True))
          PY

      - name: Validate edge candidate bundle contents
        run: |
          set -euo pipefail
          for path in \
            dist/candidate/install.yaml \
            dist/candidate/crds.yaml \
            dist/candidate/checksums.txt \
            dist/candidate/metadata.json; do
            test -f "${path}" || { echo "missing required edge candidate file: ${path}" >&2; exit 1; }
          done

      - name: Upload edge candidate bundle
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: edge-candidate-bundle
          path: dist/candidate/
          if-no-files-found: error
          retention-days: 7