Merge branch 'main' into dependabot/go_modules/k8s.io/kubernetes-1.30.10

.github/workflows/approved-for-ci-run.yml

@@ -47,6 +47,11 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"
 
   create-or-update-pr-for-ci-run:
@@ -63,6 +68,11 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"
 
       - uses: actions/checkout@v4
@@ -107,6 +117,11 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Close PR and delete `ci-run/pr-${{ env.PR_NUMBER }}` branch
         run: |
           CLOSED="$(gh pr --repo ${GITHUB_REPOSITORY} list --head ${BRANCH} --json 'closed' --jq '.[].closed')"

.github/workflows/build-images.yaml

@@ -83,6 +83,11 @@ jobs:
       cluster-autoscaler: ${{ steps.show-tags.outputs.cluster-autoscaler }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - id: show-tags
         run: |
           echo "controller=${IMG_CONTROLLER}:${{ inputs.tag }}" | tee -a $GITHUB_OUTPUT
@@ -134,6 +139,11 @@ jobs:
           - 5000:5000
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       # job level tags with arch and tag
       - id: tags
         run: |
@@ -330,6 +340,11 @@ jobs:
     needs: [build]
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: docker/setup-buildx-action@v3
 
       - name: Login to Dockerhub

.github/workflows/build-test-vm.yaml

@@ -50,6 +50,11 @@ jobs:
       vm-postgres-16-bullseye: ${{ steps.show-tags.outputs.vm-postgres-16-bullseye }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - id: show-tags
         run: |
           echo "vm-postgres-16-bullseye=${{ env.IMG_POSTGRES_16_BULLSEYE }}:${{ inputs.tag }}" >> $GITHUB_OUTPUT
@@ -65,10 +70,16 @@ jobs:
       vm-postgres-16-bullseye: ${{ steps.tags.outputs.vm-postgres-16-bullseye }}
       daemon: ${{ steps.tags.outputs.daemon }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - id: tags
         run: |
           echo "vm-postgres-16-bullseye=${{ env.IMG_POSTGRES_16_BULLSEYE }}-${{ matrix.arch }}:${{ inputs.tag }}" | tee -a $GITHUB_OUTPUT
           echo "daemon=${{ env.IMG_DAEMON }}-${{ matrix.arch }}:${{ inputs.tag }}" | tee -a $GITHUB_OUTPUT
+
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
@@ -124,6 +135,11 @@ jobs:
       ARCHS: ${{ join(fromJson(inputs.archs), ' ') }}
       TAG: ${{ inputs.tag }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: git checkout
         uses: actions/checkout@v4
 

.github/workflows/e2e-test.yaml

@@ -41,6 +41,11 @@ jobs:
       tag: ${{ inputs.tag || steps.get-tag.outputs.tag }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: get tag
         if: ${{ inputs.tag == '' }}
         id: get-tag
@@ -81,15 +86,24 @@ jobs:
       matrix:
         cluster:
           - ${{ inputs.cluster || 'k3d' }}
+        arch: [ amd64, arm64 ]
         include:
-          # TODO: when adding arm64: always set push-yamls to false -- we only need to push one at a time.
+          # we have an assumption that manifests for different architectures are the same, so we
+          # only need to push one at a time, and we push the amd64 manifests.
           - arch: amd64
             # nb: use format(..) to catch both inputs.push-yamls = true AND inputs.push-yamls = 'true'.
             push-yamls: ${{ inputs.push-yamls }}
+          - arch: arm64
+            push-yamls: false
 
     runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'huge-arm64' || 'large')) }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # fetch all, so that we also include tags
@@ -204,6 +218,9 @@ jobs:
           docker image tag "$TEST_IMAGE" "$IMG_E2E_TEST"
           make load-example-vms
 
+      - run: make arm_patch_e2e
+        if: matrix.arch == 'arm64'
+
       - run: make e2e
         timeout-minutes: 15
 
@@ -288,6 +305,11 @@ jobs:
     if: always()
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Fail the job if any of the dependencies do not succeed or are skipped
         run: exit 1
         if: |

.github/workflows/lint.yml

@@ -15,6 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
@@ -23,7 +28,7 @@ jobs:
         with:
           # Required: the version of golangci-lint is required and
           # should be specified with patch version.
-          version: v1.62.2
+          version: v1.64.5
           args: --timeout 5m
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -32,6 +37,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
@@ -53,6 +63,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - name: make generate
         run: |
@@ -71,6 +86,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1
         with:
@@ -81,6 +101,11 @@ jobs:
   actionlint:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - uses: reviewdog/action-actionlint@eaf7d6d28c81a1965d0a848128dde7c42f726097 # v1.54.0
         env:

.github/workflows/pr-format-verification.yml

@@ -24,6 +24,11 @@ jobs:
     if: github.actor != 'dependabot[bot]'
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Verify PR Title
         env:
           ON_FAILURE: |

.github/workflows/release.yaml

@@ -17,6 +17,11 @@ jobs:
       dry-run: ${{ steps.get-tag.outputs.dry-run }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: get tag
         id: get-tag
         env:
@@ -63,6 +68,11 @@ jobs:
     needs: [ get-tag, e2e ]
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
 
       - name: download vm-builder

.github/workflows/report-workflow-stats.yml

@@ -23,6 +23,11 @@ jobs:
     permissions:
       actions: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Export GH Workflow Stats
         uses: neondatabase/[email protected]
         with:

.github/workflows/test.yaml

@@ -25,6 +25,11 @@ jobs:
     strategy:
       fail-fast: false
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4

.github/workflows/vm-example.yaml

@@ -15,6 +15,10 @@ jobs:
   vm-example:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
 
       - name: git checkout
         uses: actions/checkout@v4

.github/workflows/vm-kernel.yaml

@@ -58,6 +58,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
 
       - name: set kernel cache tag
@@ -143,6 +148,11 @@ jobs:
       canonical: ${{ steps.get-tags.outputs.canonical }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: git checkout
         uses: actions/checkout@v4
 
@@ -182,6 +192,11 @@ jobs:
 
     runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'huge-arm64' || 'large')) }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: git checkout
         uses: actions/checkout@v4
 
@@ -253,6 +268,11 @@ jobs:
     outputs:
       image: ${{ steps.merge-kernel-images.outputs.image }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: git checkout
         uses: actions/checkout@v4
 

Makefile

@@ -522,6 +522,10 @@ endif
 KUBECTL ?= $(LOCALBIN)/kubectl
 KUBECTL_VERSION ?= v1.30.7
 
+
+YQ ?= $(LOCALBIN)/yq
+YQ_VERSION ?= v4.45.1
+
 ETCD ?= $(LOCALBIN)/etcd
 
 # Use the same version kuberentes is tested against, see
@@ -596,3 +600,15 @@ $(ETCD): $(LOCALBIN)
 			rm $(LOCALBIN)/etcd-temp; \
 		fi \
 	}
+
+.PHONY: yq
+yq: $(YQ) ## Download yq locally if necessary.
+$(YQ): $(LOCALBIN)
+	test -s $(LOCALBIN)/yq || { curl -sfSLo $(YQ) https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_linux_$(TARGET_ARCH) && chmod +x $(YQ); }
+
+# modify suites to work on arm64
+# Set cpuScalingMode to SysfsScaling
+# Set targetArchitecture to arm64
+arm_patch_e2e: yq
+	@find neonvm/samples/*yaml tests/e2e -name "*.yaml" | xargs -I{} ./bin/yq eval '(select(.kind == "VirtualMachine") | .spec.cpuScalingMode = "SysfsScaling") // .' -i {}
+	@find neonvm/samples/*yaml tests/e2e -name "*.yaml" | xargs -I{} ./bin/yq eval '(select(.kind == "VirtualMachine") | .spec.targetArchitecture = "arm64") // .' -i {}