Configure GitHub Actions and e2e test scripts

- Add unified GitHub Actions workflows with path filters
- Configure dependabot for all package ecosystems
- Remove old .github directories from subdirectories
- Install e2e test scripts (setup-e2e.sh, run-e2e.sh, tests.bats)

Author: mangelajo

.github/dependabot.yml

@@ -0,0 +1,34 @@
+# Dependabot configuration for monorepo
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # Go modules for controller
+  - package-ecosystem: "gomod"
+    directory: "/controller"
+    schedule:
+      interval: weekly
+
+  # Go modules for operator
+  - package-ecosystem: "gomod"
+    directory: "/controller/deploy/operator"
+    schedule:
+      interval: weekly
+
+  # Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/python"
+    schedule:
+      interval: weekly
+
+  # Devcontainers
+  - package-ecosystem: "devcontainers"
+    directory: "/"
+    schedule:
+      interval: weekly
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: weekly

e2e/.github/workflows/backport.yml .github/workflows/backport.yamle2e/.github/workflows/backport.yml renamed to .github/workflows/backport.yaml

@@ -1,4 +1,5 @@
-name: Build and push container image
+name: Build and push container images
+
 on:
   workflow_dispatch:
   push:
@@ -7,8 +8,10 @@ on:
     branches:
       - main
       - 'release-*'
+  merge_group:
 
 env:
+  PUSH: ${{ github.repository_owner == 'jumpstarter-dev' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/heads/release-')) }}
   REGISTRY: quay.io
   QUAY_ORG: quay.io/jumpstarter-dev
 
@@ -17,18 +20,35 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      packages: write
+      attestations: write
+      id-token: write
     strategy:
       matrix:
         include:
+          # Controller images
           - image_name: jumpstarter-dev/jumpstarter-controller
-            dockerfile: Dockerfile
-            context: .
+            dockerfile: controller/Dockerfile
+            context: controller
           - image_name: jumpstarter-dev/jumpstarter-operator
-            dockerfile: Dockerfile.operator
-            context: .
+            dockerfile: controller/Dockerfile.operator
+            context: controller
           - image_name: jumpstarter-dev/jumpstarter-operator-bundle
-            dockerfile: deploy/operator/bundle.Dockerfile
-            context: deploy/operator
+            dockerfile: controller/deploy/operator/bundle.Dockerfile
+            context: controller/deploy/operator
+          # Python images (use repo root context for .git access needed by hatch-vcs)
+          - image_name: jumpstarter-dev/jumpstarter
+            dockerfile: python/Dockerfile
+            context: .
+          - image_name: jumpstarter-dev/jumpstarter-utils
+            dockerfile: python/Dockerfile.utils
+            context: python
+          - image_name: jumpstarter-dev/jumpstarter-dev
+            dockerfile: python/.devfile/Containerfile
+            context: python
+          - image_name: jumpstarter-dev/jumpstarter-devspace
+            dockerfile: python/.devfile/Containerfile.client
+            context: .
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -41,6 +61,17 @@ jobs:
           VERSION=${VERSION#v} # remove the leading v prefix for version
           echo "VERSION=${VERSION}" >> $GITHUB_ENV
           echo "VERSION=${VERSION}"
+          
+          # Convert to PEP 440 compliant version for Python packages
+          # Format: 0.7.0-1051-g54cd2f08 -> 0.7.0.dev1051+g54cd2f08
+          if [[ "$VERSION" =~ ^([0-9]+\.[0-9]+\.[0-9]+)-([0-9]+)-g([a-f0-9]+)$ ]]; then
+            PEP440_VERSION="${BASH_REMATCH[1]}.dev${BASH_REMATCH[2]}+g${BASH_REMATCH[3]}"
+          else
+            # If it's already a clean version (e.g., 0.7.0), use as-is
+            PEP440_VERSION="$VERSION"
+          fi
+          echo "PEP440_VERSION=${PEP440_VERSION}" >> $GITHUB_ENV
+          echo "PEP440_VERSION=${PEP440_VERSION}"
 
       - name: Set build args
         id: build-args
@@ -53,6 +84,7 @@ jobs:
           echo "BUILD_DATE=${BUILD_DATE}"
 
       - name: Set image tags
+        if: ${{ env.PUSH == 'true' }}
         id: set-tags
         run: |
           TAGS="${{ env.REGISTRY }}/${{ matrix.image_name }}:${{ env.VERSION }}"
@@ -61,7 +93,7 @@ jobs:
             TAGS="$TAGS,${{ env.REGISTRY }}/${{ matrix.image_name }}:latest"
           fi
 
-          if [[ "${{ github.ref }}" == "refs/heads/release-*" ]]; then
+          if [[ "${{ github.ref }}" == refs/heads/release-* ]]; then
             RELEASE_BRANCH_NAME=$(basename "${{ github.ref }}")
             TAGS="$TAGS,${{ env.REGISTRY }}/${{ matrix.image_name }}:${RELEASE_BRANCH_NAME}"
           fi
@@ -76,29 +108,46 @@ jobs:
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
+        if: ${{ env.PUSH == 'true' }}
         with:
           registry: ${{ env.REGISTRY }}
           username: jumpstarter-dev+jumpstarter_ci
           password: ${{ secrets.QUAY_TOKEN }}
 
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ matrix.image_name }}
+
       - name: Build and push Docker image
         id: push
         uses: docker/build-push-action@v6
         with:
           context: ${{ matrix.context }}
           file: ${{ matrix.dockerfile }}
-          push: true
+          push: ${{ env.PUSH }}
           tags: ${{ steps.set-tags.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |
-            GIT_VERSION=${{ env.VERSION }}
+            GIT_VERSION=${{ env.PEP440_VERSION }}
             GIT_COMMIT=${{ steps.build-args.outputs.git_commit }}
             BUILD_DATE=${{ steps.build-args.outputs.build_date }}
 
-  publish-helm-charts-containers:
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        if: ${{ env.PUSH == 'true' }}
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ matrix.image_name }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: ${{ env.PUSH }}
+
+  publish-helm-charts:
     needs: build-and-push-image
+    if: ${{ github.repository_owner == 'jumpstarter-dev' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/heads/release-')) }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -116,8 +165,8 @@ jobs:
         run: |
           echo packaging ${VERSION}
           # patch the sub-chart app-version, because helm package won't do it
-          sed -i "s/^appVersion:.*/appVersion: $VERSION/" deploy/helm/jumpstarter/charts/jumpstarter-controller/Chart.yaml
-          helm package ./deploy/helm/jumpstarter --version "${VERSION}" --app-version "${VERSION}"
+          sed -i "s/^appVersion:.*/appVersion: $VERSION/" controller/deploy/helm/jumpstarter/charts/jumpstarter-controller/Chart.yaml
+          helm package ./controller/deploy/helm/jumpstarter --version "${VERSION}" --app-version "${VERSION}"
 
       - name: Login helm
         env:

controller/.github/workflows/build.yaml .github/workflows/build-images.yamlcontroller/.github/workflows/build.yaml renamed to .github/workflows/build-images.yaml

@@ -1,4 +1,5 @@
 name: Build and push buildroot-based flasher OCI bundle
+
 on:
   workflow_dispatch:
 
@@ -14,17 +15,17 @@ jobs:
 
       - name: Run build_fits.sh
         run: |
-          cd packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb
+          cd python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb
           ./build_fits.sh
 
       - name: Upload FIT artifacts
         uses: actions/upload-artifact@v4
         with:
           name: FIT-images
-          path: packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/data/*.itb
+          path: python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/data/*.itb
 
       - name: Run build_bundle.sh for aarch64-itb
         run: |
-          cd packages/jumpstarter-driver-flashers/oci_bundles && dnf install -y oras
+          cd python/packages/jumpstarter-driver-flashers/oci_bundles && dnf install -y oras
           oras login quay.io -u jumpstarter-dev+jumpstarter_ci --password-stdin <<< "${{ secrets.QUAY_TOKEN }}"
           ./build_bundle.sh quay.io/jumpstarter-dev/jumpstarter-flasher-aarch64-itb:latest aarch64-itb

…/.github/workflows/build_oci_bundle.yaml .github/workflows/build-oci-bundle.yamlpython/.github/workflows/build_oci_bundle.yaml renamed to .github/workflows/build-oci-bundle.yaml python/.github/workflows/build_oci_bundle.yaml renamed to .github/workflows/build-oci-bundle.yaml

@@ -1,9 +1,12 @@
 name: Check Bundle
+
 on:
   pull_request:
     branches:
       - main
       - 'release-*'
+    paths:
+      - 'controller/**'
 
 jobs:
   check-bundle:
@@ -17,13 +20,13 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.24
+          go-version: '1.24'
 
       - name: Cache bin directory (deploy/operator)
         uses: actions/cache@v4
         with:
-          path: deploy/operator/bin/
-          key: ${{ runner.os }}-operator-bin-${{ hashFiles('deploy/operator/go.mod') }}
+          path: controller/deploy/operator/bin/
+          key: ${{ runner.os }}-operator-bin-${{ hashFiles('controller/deploy/operator/go.mod') }}
           restore-keys: |
             ${{ runner.os }}-operator-bin-
 
@@ -47,7 +50,7 @@ jobs:
           echo "TAG=${TAG}"
 
       - name: Run make bundle
-        working-directory: deploy/operator
+        working-directory: controller/deploy/operator
         run: |
           make bundle IMG="quay.io/jumpstarter-dev/jumpstarter-operator:${TAG}"
 
@@ -78,7 +81,7 @@ jobs:
           git checkout -- . || true
 
       - name: Run make build-installer
-        working-directory: deploy/operator
+        working-directory: controller/deploy/operator
         run: |
           make build-installer
 
@@ -92,4 +95,3 @@ jobs:
           else
             echo "No uncommitted changes detected. Installer files are up to date."
           fi
-

…ller/.github/workflows/check-bundle.yaml .github/workflows/controller-bundle.yamlcontroller/.github/workflows/check-bundle.yaml renamed to .github/workflows/controller-bundle.yaml controller/.github/workflows/check-bundle.yaml renamed to .github/workflows/controller-bundle.yaml

@@ -1,10 +1,13 @@
 name: Kind based CI
+
 on:
   workflow_dispatch:
   pull_request:
     branches:
       - main
       - 'release-*'
+    paths:
+      - 'controller/**'
 
 jobs:
   deploy-kind:
@@ -16,6 +19,7 @@ jobs:
           fetch-depth: 0
 
       - name: Run make deploy
+        working-directory: controller
         run: make deploy
 
   e2e-test-operator:
@@ -26,5 +30,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Run make deploy
-        run: make test-operator-e2e
+      - name: Run operator e2e test
+        working-directory: controller
+        run: make test-operator-e2e

controller/.github/workflows/pr-kind.yaml .github/workflows/controller-kind.yamlcontroller/.github/workflows/pr-kind.yaml renamed to .github/workflows/controller-kind.yaml

@@ -1,10 +1,14 @@
-name: Unit/Functional tests
+name: Controller Unit/Functional tests
+
 on:
   workflow_dispatch:
   pull_request:
     branches:
       - main
       - 'release-*'
+    paths:
+      - 'controller/**'
+      - 'protocol/**'
 
 jobs:
   tests:
@@ -16,15 +20,16 @@ jobs:
           fetch-depth: 0
 
       - name: Run controller tests
+        working-directory: controller
         run: make test
 
       - name: Cache operator bin directory
         uses: actions/cache@v4
         with:
-          path: deploy/operator/bin/
-          key: ${{ runner.os }}-operator-bin-${{ hashFiles('deploy/operator/go.mod') }}
+          path: controller/deploy/operator/bin/
+          key: ${{ runner.os }}-operator-bin-${{ hashFiles('controller/deploy/operator/go.mod') }}
           restore-keys: |
             ${{ runner.os }}-operator-bin-
 
       - name: Run operator tests
-        run: make -C deploy/operator test
+        run: make -C controller/deploy/operator test

controller/.github/workflows/test.yaml .github/workflows/controller-tests.yamlcontroller/.github/workflows/test.yaml renamed to .github/workflows/controller-tests.yaml

@@ -1,10 +1,16 @@
-name: documentation
+name: Documentation
 
 on:
   # Runs on pushes targeting the default branch
   push:
     branches: ["main"]
+    paths:
+      - 'python/docs/**'
+      - 'python/packages/**'
   pull_request:
+    paths:
+      - 'python/docs/**'
+      - 'python/packages/**'
   merge_group:
 
   # Allows you to run this workflow manually from the Actions tab
@@ -25,6 +31,7 @@ concurrency:
 defaults:
   run:
     shell: bash
+    working-directory: python
 
 jobs:
   # Build job
@@ -66,7 +73,7 @@ jobs:
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:
-          path: ./docs/build
+          path: ./python/docs/build
 
   check-warnings:
     runs-on: ubuntu-latest