Merge branch 'main' into use-pem-kafka

Signed-off-by: Gantigmaa Selenge <39860586+tinaselenge@users.noreply.github.com>

Author: tinaselenge

.github/actions/build/containers-load/action.yml

@@ -1,5 +1,5 @@
 name: "Load Strimzi images"
-description: "Load Strimzi images"
+description: "Load Strimzi images from Build workflow"
 
 inputs:
   architecture:
@@ -13,10 +13,6 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/download-artifact@v4
-      with:
-        name: containers-${{ inputs.architecture }}.tar
-
     - name: "Untar the ${{ inputs.architecture }} containers"
       shell: bash
       run: tar -xvf containers-${{ inputs.architecture }}.tar

.github/actions/build/containers-push/action.yml

@@ -15,31 +15,29 @@ inputs:
   quayPass:
     description: "Quay.io password"
     required: true
-  cosignPassword:
-    description: "Cosign password for signing"
-    required: true
-  cosignPrivateKey:
-    description: "Cosign private key for signing"
-    required: true
 
 runs:
   using: "composite"
   steps:
     - name: Install prerequisites
       shell: bash
-      run: |
-        .azure/scripts/install_cosign.sh
-        .azure/scripts/install_syft.sh
+      run: .azure/scripts/install_syft.sh
       env:
         ARCH: ${{ inputs.runnerArch }}
 
-    - uses: ./.github/actions/dependencies/install-docker
-    - uses: ./.github/actions/dependencies/install-yq
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3.10.0
+
+    - name: Install Docker
+      uses: ./.github/actions/dependencies/install-docker
+
+    - name: Install yq
+      uses: ./.github/actions/dependencies/install-yq
       with:
         architecture: ${{ inputs.runnerArch }}
 
     - name: Download container artifact
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@v4
       with:
         pattern: containers-*
         path: ./
@@ -85,33 +83,27 @@ runs:
         BUILD_REASON: "IndividualCI"
         BRANCH: ${{ github.ref }}
 
-    # TODO - We can use cosign in better way. See https://github.com/strimzi/strimzi-kafka-operator/issues/11826 for more details.
     - name: Sign container manifests
       shell: bash
-      run: make docker_sign_manifest
+      run: make docker_gha_sign_manifest
       env:
         BUILD_REASON: "IndividualCI"
         BRANCH: ${{ github.ref }}
         BUILD_ID: ${{ github.run_number }}
         BUILD_COMMIT: ${{ github.sha }}
-        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
-        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
 
-    # TODO - We can use existing GitHub Action for SBOMs - https://github.com/strimzi/strimzi-kafka-operator/issues/11827
-    - name: Generate SBOMs
+    - name: Generate and sign SBOMs
       shell: bash
       run: |
         IFS=',' read -ra ARCH_ARRAY <<< "${{ inputs.architectures }}"
         for arch in "${ARCH_ARRAY[@]}"; do
           echo "Generating SBOM for architecture: ${arch}"
           export DOCKER_ARCHITECTURE="${arch}"
-          make docker_sbom
+          make docker_gha_sbom
         done
       env:
         BUILD_REASON: "IndividualCI"
         BRANCH: ${{ github.ref }}
-        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
-        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
 
     - name: Create SBOM archive
       shell: bash
@@ -129,12 +121,12 @@ runs:
       run: |
         IFS=',' read -ra ARCH_ARRAY <<< "${{ inputs.architectures }}"
         for arch in "${ARCH_ARRAY[@]}"; do
-          echo "Generating SBOM for architecture: ${arch}"
+          echo "Pushing SBOM for architecture: ${arch}"
           export DOCKER_ARCHITECTURE="${arch}"
-          make docker_push_sbom
+          make docker_gha_push_sbom
         done
       env:
         BUILD_REASON: "IndividualCI"
         BRANCH: ${{ github.ref }}
-        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
-        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
+        BUILD_ID: ${{ github.run_number }}
+        BUILD_COMMIT: ${{ github.sha }}

.github/actions/build/download-build-artifacts/action.yml

@@ -0,0 +1,140 @@
+name: "Download Build Artifacts"
+description: "Downloads a specific artifact from the Build workflow for the same commit SHA"
+
+inputs:
+  # In Azure we use build ID of build pipeline to retrieve Strimzi artifacts
+  # This can be achieved here as well, but after offline discussion we agreed we will try to use just commit sha
+  # as each commit should have only one unique passed build. In case we will find it is not sufficient
+  # we can easily add another input runId and skip find-build job and directly download artifact.
+  # TODO - the comment can be removed once we agree it is sufficient for releases
+  sha:
+    description: "Commit SHA to find build artifacts for"
+    required: true
+  artifactName:
+    description: "Name of the artifact to download (e.g., 'strimzi-binaries.tar', 'containers-amd64.tar')"
+    required: true
+  waitForBuild:
+    description: "Wait for build to complete if it's still running"
+    required: false
+    default: "true"
+  maxWaitMinutes:
+    description: "Maximum time to wait for build completion (in minutes)"
+    required: false
+    default: "60"
+
+outputs:
+  buildRunId:
+    description: "The ID of the build workflow run"
+    value: ${{ steps.find-build.outputs.run_id }}
+  buildStatus:
+    description: "Status of the build workflow"
+    value: ${{ steps.find-build.outputs.status }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Find Build Workflow Run
+      id: find-build
+      uses: actions/github-script@v7
+      env:
+        INPUT_SHA: ${{ inputs.sha }}
+        WAIT_FOR_BUILD: ${{ inputs.waitForBuild }}
+        MAX_WAIT_MINUTES: ${{ inputs.maxWaitMinutes }}
+      with:
+        script: |
+          const {owner, repo} = context.repo;
+          const sha = process.env.INPUT_SHA;
+          const waitForBuild = process.env.WAIT_FOR_BUILD === 'true';
+          const maxWaitMinutes = parseInt(process.env.MAX_WAIT_MINUTES);
+
+          core.info(`🔍 Looking for Build workflow run for commit: ${sha}`);
+
+          const maxWaitSeconds = maxWaitMinutes * 60;
+          const startTime = Date.now();
+
+          // Function to find build run
+          async function findBuildRun() {
+            const runs = await github.rest.actions.listWorkflowRuns({
+              owner,
+              repo,
+              workflow_id: 'build.yml',
+              head_sha: sha,
+              per_page: 1
+            });
+            return runs.data.workflow_runs[0];
+          }
+
+          // Initial attempt to find build
+          let buildRun = await findBuildRun();
+
+          if (!buildRun) {
+            if (waitForBuild) {
+              core.info('⏳ No build found yet. Waiting for build workflow to start...');
+
+              // Wait for build to appear
+              while (!buildRun) {
+                const elapsed = Math.floor((Date.now() - startTime) / 1000);
+
+                if (elapsed >= maxWaitSeconds) {
+                  core.setFailed(`❌ Timeout: No build workflow found after waiting ${maxWaitMinutes} minutes`);
+                  core.setFailed(`Please ensure the Build workflow has been triggered for commit ${sha}`);
+                  return;
+                }
+
+                core.info(`Waiting... (${elapsed}s elapsed, max: ${maxWaitSeconds}s)`);
+                await new Promise(resolve => setTimeout(resolve, 30000)); // Sleep 30 seconds
+                buildRun = await findBuildRun();
+              }
+            } else {
+              core.setFailed(`❌ No build workflow run found for commit ${sha}`);
+              core.setFailed('Please trigger the Build workflow first or enable waitForBuild');
+              return;
+            }
+          }
+
+          core.info(`✅ Found Build workflow run: #${buildRun.id}`);
+          core.info(`📊 Status: ${buildRun.status}, Conclusion: ${buildRun.conclusion}`);
+
+          // Wait for build to complete if it's still running
+          if (buildRun.status !== 'completed' && waitForBuild) {
+            core.info('⏳ Build is still running. Waiting for completion...');
+
+            while (buildRun.status !== 'completed') {
+              const elapsed = Math.floor((Date.now() - startTime) / 1000);
+
+              if (elapsed >= maxWaitSeconds) {
+                core.setFailed(`❌ Timeout: Build did not complete within ${maxWaitMinutes} minutes`);
+                core.setFailed(`Build run: ${context.serverUrl}/${owner}/${repo}/actions/runs/${buildRun.id}`);
+                return;
+              }
+
+              core.info(`Build still running... (${elapsed}s elapsed, max: ${maxWaitSeconds}s)`);
+              await new Promise(resolve => setTimeout(resolve, 60000)); // Sleep 60 seconds
+
+              buildRun = await findBuildRun();
+            }
+
+            core.info(`✅ Build completed with status: ${buildRun.conclusion}`);
+          }
+
+          // Check if build was successful
+          if (buildRun.status === 'completed' && buildRun.conclusion !== 'success') {
+            core.setFailed(`❌ Build workflow failed with conclusion: ${buildRun.conclusion}`);
+            core.setFailed(`Build run: ${context.serverUrl}/${owner}/${repo}/actions/runs/${buildRun.id}`);
+            return;
+          }
+
+          // Output results
+          core.setOutput('run_id', buildRun.id.toString());
+          core.setOutput('status', buildRun.status);
+          core.setOutput('conclusion', buildRun.conclusion || '');
+
+          core.info(`🎯 Build workflow run #${buildRun.id} is ready for artifact download`);
+          core.info(`Build URL: ${context.serverUrl}/${owner}/${repo}/actions/runs/${buildRun.id}`);
+
+    - name: Download Artifact
+      uses: actions/download-artifact@v4
+      with:
+        name: ${{ inputs.artifactName }}
+        run-id: ${{ steps.find-build.outputs.run_id }}
+        github-token: ${{ github.token }}

.github/actions/utils/determine-ref/action.yml

@@ -12,34 +12,44 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: Determine ref
+    - name: Determine ref and SHA
       id: determine
-      shell: bash
-      run: |
-        if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-          # For PR events, use merge ref to test the merged state
-          REF="refs/pull/${{ github.event.pull_request.number }}/merge"
-          SHA="${{ github.event.pull_request.merge_commit_sha }}"
-          if [[ "$SHA" == "" || "$SHA" == "null" ]]; then
-            SHA="HEAD"
-          fi
-          echo "PR event detected: Using merge ref for PR #${{ github.event.pull_request.number }}"
-        elif [[ "${{ github.event_name }}" == "issue_comment" ]] && [[ "${{ github.event.issue.pull_request }}" != "" && "${{ github.event.issue.pull_request }}" != "null" ]]; then
-          # For PR comments, use merge ref to test against merge commit
-          REF="refs/pull/${{ github.event.issue.number }}/merge"
-          SHA="HEAD"
-          echo "PR comment detected: Using merge ref for PR #${{ github.event.issue.number }}"
-        else
-          # For workflow_dispatch and other events, use the current branch
-          REF="${{ github.ref }}"
-          SHA="${{ github.sha }}"
-          echo "Standard event: Using current ref $REF"
-        fi
-        
-        echo "ref=$REF" >> $GITHUB_OUTPUT
-        echo "sha=$SHA" >> $GITHUB_OUTPUT
-        echo "REF=$REF" >> $GITHUB_ENV
-        echo "SHA=$SHA" >> $GITHUB_ENV
-        
-        echo "Determined ref: $REF"
-        echo "Determined SHA: $SHA"
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const {owner, repo} = context.repo;
+          let ref, sha;
+
+          if (context.eventName === 'pull_request') {
+            // For PR events, use merge ref to test the merged state
+            const prNumber = context.payload.pull_request.number;
+            ref = `refs/pull/${prNumber}/merge`;
+            sha = context.payload.pull_request.head.sha;
+            core.info(`PR event detected: Using merge ref for PR #${prNumber}`);
+            core.info(`Head SHA: ${sha}`);
+          } else if (context.eventName === 'issue_comment' && context.payload.issue?.pull_request) {
+            // For PR comments, fetch the PR to get head SHA
+            const prNumber = context.payload.issue.number;
+            ref = `refs/pull/${prNumber}/merge`;
+
+            const pr = await github.rest.pulls.get({
+              owner,
+              repo,
+              pull_number: prNumber
+            });
+            sha = pr.data.head.sha;
+
+            core.info(`PR comment detected: Using merge ref for PR #${prNumber}`);
+            core.info(`Head SHA: ${sha}`);
+          } else {
+            // For workflow_dispatch and other events, use the current branch
+            ref = context.ref;
+            sha = context.sha;
+            core.info(`Standard event: Using current ref ${ref}`);
+            core.info(`SHA: ${sha}`);
+          }
+
+          core.setOutput('ref', ref);
+          core.setOutput('sha', sha);
+          core.exportVariable('REF', ref);
+          core.exportVariable('SHA', sha);

.github/docs/README.md

@@ -62,25 +62,28 @@ Build process actions:
 - [build-strimzi-binaries](../actions/build/build-strimzi-binaries)
 - [containers-build](../actions/build/containers-build)
 - [containers-load](../actions/build/containers-load)
+- [download-build-artifacts](../actions/build/download-build-artifacts)
+- [build-docs](../actions/build/build-docs)
+- [publish-docs](../actions/build/publish-docs)
+- [test-strimzi](../actions/build/test-strimzi)
 
 System tests execution actions:
 - [generate-matrix](../actions/systemtests/generate-matrix)
-- [set-defaults](../actions/utils/set-defaults)
-- [log-variables](../actions/utils/log-variables)
 - [parse-comment](../actions/systemtests/parse-comment)
-- [determine-ref](../actions/utils/determine-ref)
+- [validate-matrix](../actions/systemtests/validate-matrix)
 
 Utils actions:
 - [check-permissions](../actions/utils/check-permissions)
 - [add-comment](../actions/utils/add-comment)
 - [check-and-status](../actions/utils/check-and-status)
+- [set-defaults](../actions/utils/set-defaults)
+- [log-variables](../actions/utils/log-variables)
+- [determine-ref](../actions/utils/determine-ref)
 
 To make the build 1:1 to Azure we miss few actions that do the missing steps:
-- Run unit/integration tests
-- Build docs
-- Push docs
-- Push containers
-- Deploy Java artifacts
+- Push docs (uncomment usage & properly test)
+- Push containers (uncomment usage & properly test)
+- Deploy Java artifacts (uncomment usage & properly test)
 
 The actions also had to be put together into workflow as we have in Azure:
 - `build pipeline` -> `build workflow`