feat:cxar-919 quality gates

.github/workflows/build.yml

@@ -18,99 +18,90 @@
 #  SPDX-License-Identifier: Apache-2.0
 #
 
----
 name: "Build"
 
 on:
+  # Runs automatically on main and release branches
   push:
     branches:
       - main
-      - releases
-    tags:
-      - 'v*.*.*'
-      - 'v*.*.*-*'
-  release:
-    types:
-      - published
+      - 'releases/**'
+  # Runs automatically on all code-related PRs to main and release branches
   pull_request:
+    branches:
+      - main
+      - 'releases/**'
     paths-ignore:
       - 'charts/**'
       - 'docs/**'
       - '**/*.md'
-    branches:
-      - '*'
+  # Can be scheduled on all branches and version tags
   workflow_dispatch:
+    tags:
+      - 'v*.*.*'
+      - 'v*.*.*-*'
     branches:
-      - 'releases/**'
+      - '*'
 
+# the docker registry and namespace
 env:
   IMAGE_NAMESPACE: "tractusx"
 
+# If build is triggered several times, e.g., through subsequent pushes
+# into the same PR, cancel the previous runs, see below
 concurrency:
   # cancel only running jobs on pull requests
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+# Actual build/deploy logic
 jobs:
-  pre_job:
-    # continue-on-error: true # Uncomment once integration is finished
-    runs-on: ubuntu-latest
-    # Map a step output to a job output
-    outputs:
-      should_skip: ${{ steps.skip_check.outputs.should_skip }}
-    steps:
-      - id: skip_check
-        uses: fkirc/skip-duplicate-actions@v5
-        with:
-          # All of these options are optional, so you can remove them if you are happy with the defaults
-          concurrent_skipping: 'same_content'
-          skip_after_successful_duplicate: 'true'
-          do_not_skip: '["push", "pull_request", "workflow_dispatch", "schedule"]'
-
-  build_java:
-    name: Build Java
+  # Build maven stuff
+  build:
+    name: Build/Deploy Maven & Docker Artifacts
     runs-on: ubuntu-latest
     permissions: write-all
-    needs: pre_job
-    if: ${{ needs.pre_job.outputs.should_skip != 'true' }}
     strategy:
       fail-fast: false
-
     steps:
+      # Get the Code
       - name: Checkout repository
         uses: actions/checkout@v3
         with:
           submodules: recursive
 
-      # We need to manually instruct maven
+      # Setup build environment
       - uses: ./.github/actions/setup-java
 
+      # Enabled deployment access (if either running on main or a version tag on eclipse-tractusx) 
       - name: Login to GitHub Container Registry
-        if: ${{ (github.repository == 'catenax-ng/product-agents' || github.repository == 'eclipse-tractusx/knowledge-agents') && (github.ref == 'refs/heads/main' ||  startsWith(github.ref, 'refs/tags/v')) }}
+        if: ${{ github.repository == 'eclipse-tractusx/knowledge-agents' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
         uses: docker/login-action@v2
         with:
           # Use existing DockerHub credentials present as secrets
           username: ${{ secrets.DOCKER_HUB_USER }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
+      # Run Maven Deploy (if either running on main or a version tag on eclipse-tractusx) 
       - name: Deploy Java via Maven
-        if: ${{ (github.repository == 'catenax-ng/product-agents' || github.repository == 'eclipse-tractusx/knowledge-agents')  && (github.ref == 'refs/heads/main' ||  startsWith(github.ref, 'refs/tags/v')) }}
+        if: ${{ github.repository == 'eclipse-tractusx/knowledge-agents'  && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
         run: |
           ./mvnw -s settings.xml deploy
         env:
           GITHUB_ACTOR: ${{ github.actor }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      # Run Maven Install (otherwise)
       - name: Build Java via Maven
-        if: ${{ ( github.repository != 'catenax-ng/product-agents' && github.repository != 'eclipse-tractusx/knowledge-agents') || (github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/tags/v')) }}
+        if: ${{ github.repository != 'eclipse-tractusx/knowledge-agents' || (github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/tags/v')) }}
         run: |
           ./mvnw -s settings.xml install
         env:
           GITHUB_ACTOR: ${{ github.actor }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       # Create SemVer or ref tags dependent of trigger event
-      - name: Docker Meta Conforming Agent
+      - name: Docker Meta Conforming
         id: meta-conf
         uses: docker/metadata-action@v4
         with:
@@ -119,79 +110,74 @@ jobs:
           # Automatically prepare image tags; See action docs for more examples. 
           # semver patter will generate tags like these for example :1 :1.2 :1.2.3
           tags: |
-            type=ref,event=branch
-            type=ref,event=pr
+            type=sha,event=branch
+            type=sha,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}
             type=semver,pattern={{major}}.{{minor}}
 
-      - name: Conforming Agent Container Build and push
+      # build in any case, but push only main and version tag settings
+      - name: Conforming Container Build and Push
         uses: docker/build-push-action@v3
         with:
-          context: conforming-agent/.
-          file: conforming-agent/src/main/docker/Dockerfile
+          context: conforming/.
+          file: conforming/src/main/docker/Dockerfile
           # Build image for verification purposes on every trigger event. Only push if event is not a PR
-          push: ${{ (github.repository == 'catenax-ng/product-agents' || github.repository == 'eclipse-tractusx/knowledge-agents')  && (github.ref == 'refs/heads/main' ||  startsWith(github.ref, 'refs/tags/v')) }}
+          push: ${{ github.repository == 'eclipse-tractusx/knowledge-agents'  && (github.ref == 'refs/heads/main' ||  startsWith(github.ref, 'refs/tags/v')) }}
           tags: ${{ steps.meta-conf.outputs.tags }}
           labels: ${{ steps.meta-conf.outputs.labels }}
 
       # Create SemVer or ref tags dependent of trigger event
-      - name: Docker Meta Provisioning Agent
-        id: meta-prov
+      - name: Docker Meta Remoting
+        id: meta-remote
         uses: docker/metadata-action@v4
         with:
           images: |
-            ${{ env.IMAGE_NAMESPACE }}/provisioning-agent
+            ${{ env.IMAGE_NAMESPACE }}/remoting-agent
           # Automatically prepare image tags; See action docs for more examples. 
           # semver patter will generate tags like these for example :1 :1.2 :1.2.3
           tags: |
-            type=ref,event=branch
-            type=ref,event=pr
+            type=sha,event=branch
+            type=sha,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}
             type=semver,pattern={{major}}.{{minor}}
 
-      - name: Provisioning Agent Container Build and push
+      # build in any case, but push only main and version tag settings
+      - name: Remoting Container Build and Push
         uses: docker/build-push-action@v3
         with:
-          context: provisioning-agent/.
-          file: provisioning-agent/src/main/docker/Dockerfile
+          context: remoting/.
+          file: remoting/src/main/docker/Dockerfile
           # Build image for verification purposes on every trigger event. Only push if event is not a PR
-          push: ${{ (github.repository == 'catenax-ng/product-agents' || github.repository == 'eclipse-tractusx/knowledge-agents')  && (github.ref == 'refs/heads/main' ||  startsWith(github.ref, 'refs/tags/v')) }}
-          tags: ${{ steps.meta-prov.outputs.tags }}
-          labels: ${{ steps.meta-prov.outputs.labels }}
+          push: ${{ github.repository == 'eclipse-tractusx/knowledge-agents'  && (github.ref == 'refs/heads/main' ||  startsWith(github.ref, 'refs/tags/v')) }}
+          tags: ${{ steps.meta-remote.outputs.tags }}
+          labels: ${{ steps.meta-remote.outputs.labels }}
 
       # Create SemVer or ref tags dependent of trigger event
-      - name: Docker Meta Remoting Agent
-        id: meta-remote
+      - name: Docker Meta Provisioning
+        id: meta-prov
         uses: docker/metadata-action@v4
         with:
           images: |
-            ${{ env.IMAGE_NAMESPACE }}/remoting-agent
+            ${{ env.IMAGE_NAMESPACE }}/provisioning-agent
           # Automatically prepare image tags; See action docs for more examples. 
           # semver patter will generate tags like these for example :1 :1.2 :1.2.3
           tags: |
-            type=ref,event=branch
-            type=ref,event=pr
+            type=sha,event=branch
+            type=sha,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}
             type=semver,pattern={{major}}.{{minor}}
 
-      - name: Remoting Agent Container Build and push
+      # build in any case, but push only main and version tag settings
+      - name: Provisioning Container Build and Push
         uses: docker/build-push-action@v3
         with:
-          context: remoting-agent/.
-          file: remoting-agent/src/main/docker/Dockerfile
+          context: provisioning/.
+          file: provisioning/src/main/docker/Dockerfile
           # Build image for verification purposes on every trigger event. Only push if event is not a PR
-          push: ${{ (github.repository == 'catenax-ng/product-agents' || github.repository == 'eclipse-tractusx/knowledge-agents')  && (github.ref == 'refs/heads/main' ||  startsWith(github.ref, 'refs/tags/v')) }}
-          tags: ${{ steps.meta-remote.outputs.tags }}
-          labels: ${{ steps.meta-remote.outputs.labels }}
-
-      # Report unit test output to github job
-      - if: success() || failure()
-        name: Java Test Report
-        uses: dorny/test-reporter@v1
-        with:
-          name: Test Report Java
-          path: '**/surefire-reports/TEST-*.xml'
-          reporter: java-junit
+          push: ${{ github.repository == 'eclipse-tractusx/knowledge-agents'  && (github.ref == 'refs/heads/main' ||  startsWith(github.ref, 'refs/tags/v')) }}
+          tags: ${{ steps.meta-prov.outputs.tags }}
+          labels: ${{ steps.meta-prov.outputs.labels }}
+

.github/workflows/helm-chart-lint.yml

@@ -21,17 +21,36 @@ name: Lint and Test Charts
 
 # Run chart linting and tests on each pull request
 on:
+  # Runs automatically on pushes and PRs into main and release branches, if changes to the chart have been performed
   push:
     branches:
       - main
-      - releases
+      - 'releases/**'
     paths:
       - .github/workflows/**
       - charts/**
   pull_request:
+    branches:
+      - main
+      - 'releases/**'
     paths:
       - .github/workflows/**
       - charts/**
+  # Can be triggered to investigate upgrades
+  workflow_dispatch:
+    inputs:
+      node_image:
+        description: 'kindest/node image for k8s kind cluster'
+        # k8s version from 3.1 release as default
+        default: 'kindest/node:v1.24.6'
+        required: false
+        type: string
+      upgrade_from:
+        description: 'chart version to upgrade from'
+        # chart version from 3.2 release as default
+        default: 'x.x.x'
+        required: false
+        type: string
 
 jobs:
   lint-test:
@@ -47,14 +66,18 @@ jobs:
         with:
           version: v3.10.3
 
-      # Setup python as a prerequisite for chart linting
+      - uses: ./.github/actions/setup-java
+
       - uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.9
 
       - name: Set up chart-testing
         uses: helm/[email protected]
 
+      - name: Run chart-testing (lint)
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --config charts/config/chart-testing-config.yaml
+
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |
@@ -63,17 +86,53 @@ jobs:
             echo "CHART_CHANGED=true" >> $GITHUB_ENV
           fi
 
-      # run chart linting
-      - name: Run chart-testing (lint)
-        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --config charts/config/chart-testing-config.yaml
-
       # Preparing a kind cluster to install and test charts on
       - name: Create kind cluster
-        uses: helm/[email protected]
-        if: ${{ env.CHART_CHANGED == 'true' }}
+        uses: container-tools/kind-action@v1
+        with:
+          # upgrade version, default (v0.17.0) uses node image v1.21.1 and doesn't work with more recent node image versions
+          version: v0.19.0
+          # default value for event_name != workflow_dispatch
+          node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.24.6' }}
+        if: github.event_name != 'pull_request' || env.CHART_CHANGED == 'true'
+
+      - name: Build Java/Docker via Maven
+        run: |
+          ./mvnw -s settings.xml deploy -Drepo=kind-registry:5000/tractusx/ -Dmaven.deploy.skip -DskipTests -Pwith-docker-image 
+        if: github.event_name != 'pull_request' || env.CHART_CHANGED == 'true'
 
       # install the chart to the kind cluster and run helm test
       # define charts to test with the --charts parameter
       - name: Run chart-testing (install)
-        run: ct install --charts charts/conforming-agent,charts/provisioning-agent,charts/remoting-agent --config charts/config/chart-testing-config.yaml
-        if: ${{ env.CHART_CHANGED == 'true' }}
+        run: ct install --charts charts/conforming-agent,charts/provisioning-agent,charts/remoting-agent --config charts/config/chart-testing-config.yaml --helm-extra-set-args="--set=image.registry=kind-registry:5000/"
+        if: github.event_name != 'pull_request' || env.CHART_CHANGED == 'true'
+
+      # Upgrade the released chart version with the locally available chart
+      # default value for event_name != workflow_dispatch
+      - name: Run helm upgrade on conforming agent
+        run: |
+          helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
+          helm install conforming tractusx-dev/conforming-agent --version ${{ github.event.inputs.upgrade_from }} --set=image.registry=kind-registry:5000/
+          helm dependency update charts/conforming-agent
+          helm upgrade conforming charts/conforming-agent
+        if: (github.event_name != 'pull_request' || env.CHART_CHANGED == 'true') && github.event.inputs.upgrade_from != '' && github.event.inputs.upgrade_from != 'x.x.x'
+
+      # Upgrade the released chart version with the locally available chart
+      # default value for event_name != workflow_dispatch
+      - name: Run helm upgrade on provisioning agent 
+        run: |
+          helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
+          helm install provisioning tractusx-dev/provisioning-agent --version ${{ github.event.inputs.upgrade_from }} --set=image.registry=kind-registry:5000/
+          helm dependency update charts/provisioning-agent
+          helm upgrade provisioning charts/provisioning-agent
+        if: (github.event_name != 'pull_request' || env.CHART_CHANGED == 'true') && github.event.inputs.upgrade_from != '' && github.event.inputs.upgrade_from != 'x.x.x'
+
+      # Upgrade the released chart version with the locally available chart
+      # default value for event_name != workflow_dispatch
+      - name: Run helm upgrade on remoting agent
+        run: |
+          helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
+          helm install remoting tractusx-dev/provisioning-agent --version ${{ github.event.inputs.upgrade_from }} --set=image.registry=kind-registry:5000/
+          helm dependency update charts/remoting-agent
+          helm upgrade remoting charts/remoting-agent
+        if: (github.event_name != 'pull_request' || env.CHART_CHANGED == 'true') && github.event.inputs.upgrade_from != '' && github.event.inputs.upgrade_from != 'x.x.x'

.github/workflows/helm-chart-release.yml

@@ -20,13 +20,19 @@
 name: Release Charts
 
 on:
+  # May be invoked manually
   workflow_dispatch:
+    branches:
+      - main
+      - 'releases/**'
+  # Or by pushing to the chart dir of some dev/ release branch
   push:
     # prevent unnecessary GH action runs for files outside of charts folder
     paths:
       - 'charts/**'
     branches:
       - main
+      - 'releases/**'
 
 jobs:
   release:

.github/workflows/kics.yml

@@ -22,11 +22,17 @@ name: "KICS"
 
 on:
   push:
-    branches: [main, releases]
+    branches: 
+     - main
+     - 'releases/**'
   pull_request:
-    branches: [main, releases]
+    branches: 
+      - main
+      - 'releases/**'
+
   workflow_dispatch:
 
+  # Since rules may change should run regularily
   schedule:
     - cron: "0 0 * * *"