[Backport] Add global.podSecurityStandards.enforced value for PSS migration.

Author: whites11

.circleci/config.yml

@@ -1,6 +1,6 @@
 version: 2.1
 orbs:
-  architect: giantswarm/architect@4.28.1
+  architect: giantswarm/architect@5.0.1
 
 workflows:
   build:
@@ -13,42 +13,12 @@ workflows:
             tags:
               only: /^v.*/
 
-      - architect/push-to-docker:
-          context: "architect"
-          name: push-app-operator-to-docker
-          image: "docker.io/giantswarm/app-operator"
-          username_envar: "DOCKER_USERNAME"
-          password_envar: "DOCKER_PASSWORD"
-          requires:
-            - go-build
-          # Needed to trigger job also on git tag.
-          filters:
-            tags:
-              only: /^v.*/
-
-      - architect/push-to-docker:
-          context: architect
-          name: push-app-operator-to-quay
-          image: "quay.io/giantswarm/app-operator"
-          username_envar: "QUAY_USERNAME"
-          password_envar: "QUAY_PASSWORD"
-          requires:
-            - go-build
-          filters:
-            # Trigger the job also on git tag.
-            tags:
-              only: /^v.*/
-
-      - architect/push-to-docker:
+      - architect/push-to-registries:
           context: architect
-          name: push-app-operator-to-aliyun
-          image: "giantswarm-registry.cn-shanghai.cr.aliyuncs.com/giantswarm/app-operator"
-          username_envar: "ALIYUN_USERNAME"
-          password_envar: "ALIYUN_PASSWORD"
+          name: push-to-registries
           requires:
             - go-build
           filters:
-            # Trigger the job also on git tag.
             tags:
               only: /^v.*/
 
@@ -59,14 +29,15 @@ workflows:
           app_catalog_test: "control-plane-test-catalog"
           chart: "app-operator"
           requires:
-            - push-app-operator-to-quay
+            - push-to-registries
           filters:
             tags:
               only: /^v.*/
 
       - architect/integration-test:
           context: architect
           name: basic-integration-test
+          install-app-platform: false
           setup-script: "integration/setup/setup.sh"
           test-dir: "integration/test/app/basic"
           requires:
@@ -106,8 +77,8 @@ workflows:
           app_name: "app-operator"
           app_collection_repo: "aws-app-collection"
           requires:
-            - push-app-operator-to-aliyun
             - push-app-operator-to-control-plane-app-catalog
+            - push-to-registries
           filters:
             branches:
               ignore: /.*/
@@ -167,6 +138,19 @@ workflows:
             tags:
               only: /^v.*/
 
+      - architect/push-to-app-collection:
+          context: architect
+          name: push-to-capz-app-collection
+          app_name: "app-operator"
+          app_collection_repo: "capz-app-collection"
+          requires:
+            - push-app-operator-to-control-plane-app-catalog
+          filters:
+            branches:
+              ignore: /.*/
+            tags:
+              only: /^v.*/
+
       - architect/push-to-app-collection:
           context: architect
           name: push-to-gcp-app-collection

.github/pull_request_template.md

@@ -0,0 +1,3 @@
+## Checklist
+
+- [ ] Update changelog in CHANGELOG.md.

.github/workflows/pre_commit_go.yaml

@@ -3,23 +3,23 @@ name: pre-commit
 on:
   pull_request:
   push:
-    branches: [master]
+    branches: [main]
 
 jobs:
   pre-commit:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-python@v4
     - uses: actions/setup-go@v3
       with:
-        go-version: "1.18.4"
+        go-version: "1.21"
     - name: Install goimports
       run: |
         go install golang.org/x/tools/cmd/goimports@latest
     - name: Install golangci-lint
       env:
-        GOLANGCI_LINT_VERSION: "v1.47.2"
+        GOLANGCI_LINT_VERSION: "v1.54.2"
       run: |
         curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | \
             sudo sh -s -- -b $GOPATH/bin ${GOLANGCI_LINT_VERSION}

.github/workflows/zz_generated.add-team-labels.yaml

@@ -14,9 +14,9 @@ jobs:
         mkdir -p artifacts
         wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \
           -O artifacts/users.yaml \
-          https://raw.githubusercontent.com/giantswarm/github/master/tools/issue-automation/user-mapping.yaml
+          https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml
     - name: Upload Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: users
         path: artifacts/users.yaml
@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build_user_list
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@v4
       id: download-users
       with:
         name: users
@@ -45,7 +45,7 @@ jobs:
         done
         echo "EOF" >> $GITHUB_ENV
     - name: Apply label to issue
-      if: ${{ env.LABEL != '' }}
+      if: ${{ env.LABEL != '' && env.LABEL != 'null' && env.LABEL != null }}
       uses: actions-ecosystem/action-add-labels@v1
       with:
         github_token: ${{ secrets.ISSUE_AUTOMATION }}

.github/workflows/zz_generated.add-to-project-board.yaml

@@ -16,9 +16,9 @@ jobs:
         mkdir -p artifacts
         wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \
           -O artifacts/users.yaml \
-          https://raw.githubusercontent.com/giantswarm/github/master/tools/issue-automation/user-mapping.yaml
+          https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml
     - name: Upload Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: users
         path: artifacts/users.yaml
@@ -28,9 +28,9 @@ jobs:
         mkdir -p artifacts
         wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \
           -O artifacts/labels.yaml \
-          https://raw.githubusercontent.com/giantswarm/github/master/tools/issue-automation/label-mapping.yaml
+          https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/label-mapping.yaml
     - name: Upload Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: labels
         path: artifacts/labels.yaml
@@ -42,7 +42,7 @@ jobs:
     needs: build_user_list
     if: github.event.action == 'assigned'
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@v4
       id: download-users
       with:
         name: users
@@ -56,7 +56,7 @@ jobs:
 
         echo "BOARD=${BOARD}" >> $GITHUB_ENV
     - name: Add issue to personal board
-      if: ${{ env.BOARD != 'null' && env.BOARD != '' }}
+      if: ${{ env.BOARD != 'null' && env.BOARD != ''  && env.BOARD != null }}
       uses: actions/add-to-project@main
       with:
         project-url: ${{ env.BOARD }}
@@ -68,7 +68,7 @@ jobs:
     needs: build_user_list
     if: github.event.action == 'labeled'
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@v4
       id: download-labels
       with:
         name: labels
@@ -82,7 +82,7 @@ jobs:
 
         echo "BOARD=${BOARD}" >> $GITHUB_ENV
     - name: Add issue to team board
-      if: ${{ env.BOARD != 'null' && env.BOARD != '' }}
+      if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }}
       uses: actions/add-to-project@main
       with:
         project-url: ${{ env.BOARD }}

.github/workflows/zz_generated.check_values_schema.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@5.22.0
+#    devctl@6.18.2
 #
 name: 'Values and schema'
 on:
@@ -13,13 +13,15 @@ on:
       - 'helm/**/values.schema.json'  # schema
       - 'helm/**/ci/ci-values.yaml'   # overrides for CI (can contain required entries)
 
+  push: {}
+
 jobs:
   check:
     name: 'validate values.yaml against values.schema.json'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -30,15 +32,22 @@ jobs:
 
       - name: 'Check if values.yaml is a valid instance of values.schema.json'
         run: |
-          HELM_DIR=$(git diff --name-only origin/${GITHUB_BASE_REF} ${GITHUB_SHA} \
-           | grep 'helm/[-a-z].*\/' | head -1 | awk -F '/' '{print $1"/"$2}')
-          VALUES=${HELM_DIR}/values.yaml
-          if [ -f ${HELM_DIR}/ci/ci-values.yaml ]; then
-            # merge ci-values.yaml into values.yaml (providing required values)
-            echo -e "\nMerged values:\n=============="
-            yq '. *= load("'${HELM_DIR}'/ci/ci-values.yaml")' ${HELM_DIR}/values.yaml | tee ${HELM_DIR}/combined-values.yaml
-            echo -e "\n==============\n"
-            VALUES=${HELM_DIR}/combined-values.yaml
-          fi
+          for chart_yaml in helm/*/Chart.yaml; do
+            helm_dir="${chart_yaml%/Chart.yaml}"
+
+            if [ ! -f ${helm_dir}/values.schema.json ]; then
+              echo "Skipping validation for '${helm_dir}' folder, because 'values.schema.json' does not exist..."
+              continue
+            fi
+
+            values=${helm_dir}/values.yaml
+            if [ -f ${helm_dir}/ci/ci-values.yaml ]; then
+              # merge ci-values.yaml into values.yaml (providing required values)
+              echo -e "\nMerged values:\n=============="
+              yq '. *= load("'${helm_dir}'/ci/ci-values.yaml")' ${helm_dir}/values.yaml | tee ${helm_dir}/combined-values.yaml
+              echo -e "\n==============\n"
+              values=${helm_dir}/combined-values.yaml
+            fi
 
-          ${HOME}/yajsv -s ${HELM_DIR}/values.schema.json ${VALUES}
+            ${HOME}/yajsv -s ${helm_dir}/values.schema.json ${values}
+          done