feat: add release pipeline and harden Dockerfile

Author: vrdc-sap

.github/workflows/image-build-main.yaml

@@ -0,0 +1,21 @@
+name: GPU Build Image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "[0-9]*"
+
+permissions:
+  id-token: write # Required for requesting the JWT token
+  contents: read # Required for actions/checkout
+
+jobs:
+  build-image:
+    uses: kyma-project/test-infra/.github/workflows/image-builder.yml@main
+    with:
+      tags: ${{ github.ref_name }}
+      name: gpu
+      dockerfile: Dockerfile
+      export-tags: true

.github/workflows/image-build-pr.yaml

@@ -0,0 +1,49 @@
+name: GPU Build Image PR
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review, labeled]
+    paths-ignore:
+      - .github/workflows/stale.yml
+      - docs/**
+
+permissions:
+  id-token: write # Required for requesting the JWT token
+  contents: read # Required for actions/checkout
+
+jobs:
+  approve-image-build:
+    if: ${{ contains(github.event.pull_request.labels.*.name, 'pr-build-image') }}
+    environment: pr-image-build
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Build approved"
+
+  build-image:
+    needs: approve-image-build
+    uses: kyma-project/test-infra/.github/workflows/image-builder.yml@main
+    with:
+      name: gpu
+      dockerfile: Dockerfile
+      export-tags: true
+
+  local-build:
+    name: Build Image Locally
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'pr-build-image') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR head
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Image Locally
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          outputs: type=cacheonly
+          push: false
+          tags: gpu:${{ github.event.pull_request.head.sha }}

.github/workflows/pr-build-image.yml

@@ -0,0 +1,179 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to release - bare semver without 'v' (e.g. 0.1.0)"
+        required: true
+        type: string
+      ref:
+        description: "Branch, tag, or SHA to release from"
+        required: true
+        default: "main"
+        type: string
+
+concurrency:
+  group: release-${{ inputs.version }}
+  cancel-in-progress: false
+
+env:
+  IMAGE: europe-docker.pkg.dev/kyma-project/prod/gpu
+
+jobs:
+  validate:
+    name: Validate
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Check version format
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          if ! echo "${VERSION}" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
+            echo "::error::version must be bare semver (e.g. 0.1.0 or 0.1.0-rc.1) - got '${VERSION}'"
+            exit 1
+          fi
+
+      - name: Check tag does not already exist
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          if git ls-remote --quiet --exit-code origin "refs/tags/${VERSION}" >/dev/null; then
+            echo "::error::tag ${VERSION} already exists"
+            exit 1
+          fi
+
+  build-image:
+    name: Build Image
+    needs: validate
+    permissions:
+      id-token: write
+      contents: read
+    uses: kyma-project/test-infra/.github/workflows/image-builder.yml@main
+    with:
+      name: gpu
+      dockerfile: Dockerfile
+      context: .
+      tags: ${{ inputs.version }}
+
+  test:
+    name: Test
+    needs: validate
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - name: Build
+        run: make build
+
+      - name: Test
+        run: make test
+
+  create-tag:
+    name: Create Tag
+    needs: [build-image, test]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+
+      - name: Configure git identity
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Create and push annotated tag
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          git tag -a "${VERSION}" -m "Release ${VERSION}"
+          git push origin "${VERSION}"
+
+  publish-release:
+    name: Publish Release
+    needs: create-tag
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - name: Render install.yaml
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          make build-installer IMG=${IMAGE}:${VERSION}
+
+      - name: Generate release notes
+        env:
+          VERSION: ${{ inputs.version }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          PREV_TAG=$(git describe --tags --abbrev=0 "${VERSION}^" 2>/dev/null || echo "")
+          if [ -n "$PREV_TAG" ]; then
+            CHANGES=$(git log "${PREV_TAG}..${VERSION}" \
+              --pretty=format:"- %s (%h)" --no-merges)
+          else
+            CHANGES=$(git log --pretty=format:"- %s (%h)" --no-merges)
+          fi
+          {
+            echo "## Changes"
+            echo ""
+            echo "${CHANGES}"
+            echo ""
+            echo "## Installation"
+            echo ""
+            echo '```bash'
+            echo "# Install the GPU operator (CRD, RBAC, and controller)"
+            echo "kubectl apply -f https://github.com/${REPOSITORY}/releases/download/${VERSION}/install.yaml"
+            echo ""
+            echo "# Create a Gpu resource to enable GPU support on your cluster"
+            echo "kubectl apply -f https://github.com/${REPOSITORY}/releases/download/${VERSION}/instance.yaml"
+            echo '```'
+            echo ""
+            echo "## Image"
+            echo ""
+            echo "\`${IMAGE}:${VERSION}\`"
+          } > /tmp/release-notes.md
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ inputs.version }}
+        run: |
+          gh release create "${VERSION}" \
+            --title "${VERSION}" \
+            --notes-file /tmp/release-notes.md \
+            dist/install.yaml \
+            dist/instance.yaml

.github/workflows/release.yml

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.25 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.3 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -11,21 +11,25 @@ COPY go.sum go.sum
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
-# Copy the Go source (relies on .dockerignore to filter)
-COPY . .
+# Copy the go source
+COPY cmd/ cmd/
+COPY api/ api/
+COPY internal/ internal/
 
 # Build
 # the GOARCH has no default value to allow the binary to be built according to the host where the command
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} GOFIPS140=v1.0.0 go build -ldflags="-s -w" -o manager cmd/main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /workspace/manager .
+COPY --chown=65532:65532 --from=builder /workspace/manager .
 USER 65532:65532
 
+ENV GODEBUG=fips140=only,tlsmlkem=0
+
 ENTRYPOINT ["/manager"]

Dockerfile

@@ -149,6 +149,7 @@ build-installer: manifests generate kustomize ## Generate a consolidated YAML wi
 	mkdir -p dist
 	cd config/manager && "$(KUSTOMIZE)" edit set image controller=${IMG}
 	"$(KUSTOMIZE)" build config/default > dist/install.yaml
+	cp config/samples/gpu_v1beta1_gpu.yaml dist/instance.yaml
 
 ##@ Deployment
 

Makefile

@@ -15,7 +15,7 @@ namePrefix: gpu-
 #    someName: someValue
 
 resources:
-#- ../crd
+- ../crd
 - ../rbac
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in

config/default/kustomization.yaml

@@ -1,6 +1,6 @@
 module github.com/kyma-project/gpu
 
-go 1.25.3
+go 1.26.3
 
 require (
 	github.com/Masterminds/semver/v3 v3.4.0

go.mod

@@ -8,7 +8,9 @@ mend:
   language: golang-mod
   exclude:
     - "**/*_test.go"
+    - "**/test/**"
 checkmarx-one:
   preset: go-default
   exclude:
     - '**/*_test.go'
+    - '**/test/**'