From f3fcbf90ea7960c83f1da4dd07f4eaff6dcd3060 Mon Sep 17 00:00:00 2001
From: Yun Wang
Date: Tue, 23 Jun 2026 18:52:01 +0200
Subject: [PATCH 1/3] ci: publish forked KubeBlocks operator chart to GHCR OCI Add a workflow_dispatch workflow that packages deploy/helm and pushes it to oci://ghcr.io/getstream/charts/kubeblocks at the given version. Keep that version in lockstep with the fork controller image tag (e.g. 1.0.2-serial.2); chat's rocky installer pins the operator chart by it. Stop ignoring crds/ in the chart's .helmignore: upstream excludes it and installs CRDs via kbcli, but we ship a self-contained OCI chart, so the fork's CRDs (including externallyManaged) must travel with the chart.
---
 .github/workflows/getstream-publish-chart.yml | 40 +++++++++++++++++++
 deploy/helm/.helmignore | 7 +++-
 2 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/getstream-publish-chart.yml
diff --git a/.github/workflows/getstream-publish-chart.yml b/.github/workflows/getstream-publish-chart.yml
new file mode 100644
index 00000000000..7392415feaf
--- /dev/null
+++ b/.github/workflows/getstream-publish-chart.yml
@@ -0,0 +1,40 @@
+name: Publish KubeBlocks chart (GetStream fork)
+
+# Packages the forked operator chart (deploy/helm, including its CRDs) and
+# pushes it to GHCR as an OCI artifact: oci://ghcr.io/getstream/charts/kubeblocks.
+# chat's rocky installer pins the operator chart by this version, so keep it in
+# lockstep with the fork controller image tag (e.g. 1.0.2-serial.2).
+#
+# Manual (workflow_dispatch) by design: it mirrors how the fork image is built
+# and pushed, the operator runs this with the version of the image they built.
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Chart version, match the fork image tag (e.g. 1.0.2-serial.2)'
+ required: true
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: azure/setup-helm@v4
+ with:
+ version: v3.16.4
+
+ - name: Log in to GHCR
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: echo "$GH_TOKEN" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+ - name: Package and push chart
+ run: |
+ helm package deploy/helm --version "${{ inputs.version }}" --app-version "${{ inputs.version }}"
+ helm push "kubeblocks-${{ inputs.version }}.tgz" oci://ghcr.io/getstream/charts
diff --git a/deploy/helm/.helmignore b/deploy/helm/.helmignore
index 90549187b2f..59e76c6de8a 100644
--- a/deploy/helm/.helmignore
+++ b/deploy/helm/.helmignore
@@ -28,5 +28,8 @@ depend-charts/ # dashboards dashboards/
-# crds, need to separate installation
-crds/
\ No newline at end of file
+# GetStream fork: crds/ is intentionally NOT ignored. Upstream excludes it and
+# installs CRDs via kbcli, but we ship this operator chart as a self-contained
+# OCI artifact, so its CRDs (including the fork's externallyManaged field) must
+# travel with the chart. chat's rocky installer pulls this chart and applies
+# crds/ directly (helm only auto-applies crds/ on install, never on upgrade).
\ No newline at end of file
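Review bot: In the new `getstream-publish-chart.yml`, the `Package and push chart` step expands `${{ inputs.version }}` directly inside the `run:` script, so the dispatch input is pasted into the shell source before bash parses it and any shell metacharacters in the value are interpreted as script, in a job that holds a `packages: write` token. Pass the input through the environment instead, as the login step already does for the token: give the step an `env:` entry `VERSION: ${{ inputs.version }}` and use `"$VERSION"` in both commands, e.g. `helm package deploy/helm --version "$VERSION" --app-version "$VERSION"`. The same expansion appears in the `image` and `chart` jobs of `getstream-publish.yml` in patch 2 and is still there after patch 3, where the `validate` job's regex is the only thing keeping unsafe values out of those scripts.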
From 3644b03461b676d208b3a30452b682f89d1f6c8b Mon Sep 17 00:00:00 2001
From: Yun Wang
Date: Tue, 23 Jun 2026 19:03:21 +0200
Subject: [PATCH 2/3] ci: publish fork image + chart together at one version Rework the publish workflow to build+push the operator IMAGE and package+push the CHART under one workflow_dispatch version input, so the two never drift. Default to the org-namespaced baseline 1.0.2-getstream.1 (no feature word). Image tag == chart version; chat's rocky installer pins both by it. Existing serial.* artifacts are left untouched.
---
 .github/workflows/getstream-publish-chart.yml | 40 -----------
 .github/workflows/getstream-publish.yml | 66 +++++++++++++++++++
 2 files changed, 66 insertions(+), 40 deletions(-)
 delete mode 100644 .github/workflows/getstream-publish-chart.yml
 create mode 100644 .github/workflows/getstream-publish.yml
diff --git a/.github/workflows/getstream-publish-chart.yml b/.github/workflows/getstream-publish-chart.yml
deleted file mode 100644
index 7392415feaf..00000000000
--- a/.github/workflows/getstream-publish-chart.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-name: Publish KubeBlocks chart (GetStream fork)
-
-# Packages the forked operator chart (deploy/helm, including its CRDs) and
-# pushes it to GHCR as an OCI artifact: oci://ghcr.io/getstream/charts/kubeblocks.
-# chat's rocky installer pins the operator chart by this version, so keep it in
-# lockstep with the fork controller image tag (e.g. 1.0.2-serial.2).
-#
-# Manual (workflow_dispatch) by design: it mirrors how the fork image is built
-# and pushed, the operator runs this with the version of the image they built.
-
-on:
- workflow_dispatch:
- inputs:
- version:
- description: 'Chart version, match the fork image tag (e.g. 1.0.2-serial.2)'
- required: true
-
-permissions:
- contents: read
- packages: write
-
-jobs:
- publish:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - uses: azure/setup-helm@v4
- with:
- version: v3.16.4
-
- - name: Log in to GHCR
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: echo "$GH_TOKEN" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
-
- - name: Package and push chart
- run: |
- helm package deploy/helm --version "${{ inputs.version }}" --app-version "${{ inputs.version }}"
- helm push "kubeblocks-${{ inputs.version }}.tgz" oci://ghcr.io/getstream/charts
diff --git a/.github/workflows/getstream-publish.yml b/.github/workflows/getstream-publish.yml
new file mode 100644
index 00000000000..8f92c31675f
--- /dev/null
+++ b/.github/workflows/getstream-publish.yml
@@ -0,0 +1,66 @@
+name: Publish KubeBlocks (GetStream fork)
+
+# Publishes the forked operator IMAGE and CHART to GHCR at one version, so the
+# two never drift. Run with the org-namespaced baseline tag (e.g.
+# 1.0.2-getstream.1); image tag == chart version, and chat's rocky installer
+# pins both by it.
+#
+# Manual (workflow_dispatch) by design. Existing serial.* artifacts are left
+# untouched; this publishes new tags only.
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'GetStream baseline version (image tag == chart version), e.g. 1.0.2-getstream.1'
+ required: true
+ default: '1.0.2-getstream.1'
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ image:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: go.mod
+
+ # arm64 emulation; the make target's install-docker-buildx creates the
+ # multi-arch builder.
+ - uses: docker/setup-qemu-action@v3
+
+ - uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push operator image (linux/amd64,linux/arm64)
+ run: make push-manager-image IMG=ghcr.io/getstream/kubeblocks VERSION=${{ inputs.version }} BUILDX_ENABLED=true
+
+ chart:
+ needs: image
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: azure/setup-helm@v4
+ with:
+ version: v3.16.4
+
+ - name: Log in to GHCR
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: echo "$GH_TOKEN" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+ # The chart's crds/ are no longer .helmignored, so the fork CRDs travel
+ # with the chart.
+ - name: Package and push chart
+ run: |
+ helm package deploy/helm --version "${{ inputs.version }}" --app-version "${{ inputs.version }}"
+ helm push "kubeblocks-${{ inputs.version }}.tgz" oci://ghcr.io/getstream/charts
From fec750b03c13e93af58442be04c329e5fe3abf76 Mon Sep 17 00:00:00 2001
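Review bot: The third-party actions in both jobs of the new `getstream-publish.yml` are referenced by mutable tags (`azure/setup-helm@v4`, `docker/setup-qemu-action@v3`, `docker/login-action@v3`) while the job token carries `packages: write`, so a retagged action release would run with the ability to push the image and chart that the installer pins. Pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v3`. In the `image` job, `actions/checkout@v4` also leaves the token in the local git config while `make push-manager-image` runs the repository's build; adding `with:` / `persist-credentials: false` to that checkout removes it, since nothing visible here pushes to git.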
From: Yun Wang
Date: Tue, 23 Jun 2026 19:08:16 +0200
Subject: [PATCH 3/3] ci: codify the getstream fork version format Document the canonical scheme in the workflow header and enforce it with a validate job: -getstream. (e.g. 1.0.2-getstream.1). A feature-named or malformed tag now fails fast before any build. Bump per build; move only on a real upstream rebase.
---
 .github/workflows/getstream-publish.yml | 41 +++++++++++++++++++------
 1 file changed, 31 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/getstream-publish.yml b/.github/workflows/getstream-publish.yml
index 8f92c31675f..f772554b63c 100644
--- a/.github/workflows/getstream-publish.yml
+++ b/.github/workflows/getstream-publish.yml
@@ -1,18 +1,27 @@
 name: Publish KubeBlocks (GetStream fork)
 
 # Publishes the forked operator IMAGE and CHART to GHCR at one version, so the
-# two never drift. Run with the org-namespaced baseline tag (e.g.
-# 1.0.2-getstream.1); image tag == chart version, and chat's rocky installer
-# pins both by it.
+# two never drift. Manual (workflow_dispatch); existing serial.* artifacts are
+# left untouched, this publishes new tags only.
 #
-# Manual (workflow_dispatch) by design. Existing serial.* artifacts are left
-# untouched; this publishes new tags only.
+# Version format (canonical, enforced by the validate job below):
+#
+# -getstream. e.g. 1.0.2-getstream.1
+#
+# the exact upstream KubeBlocks release this fork is rebased
+# on. Bump only on a real rebase (1.0.3, 1.1.0, ...).
+# getstream fixed org namespace. It is a SemVer PRERELEASE suffix, so
+# use '-' (not '+build', which OCI image tags reject).
+# fork build counter: increments per build, resets to 1 when
+# changes.
+#
+# The image tag and the chart version are always this same string.
 
 on:
 workflow_dispatch:
 inputs:
 version:
- description: 'GetStream baseline version (image tag == chart version), e.g. 1.0.2-getstream.1'
+ description: 'Fork version -getstream., e.g. 1.0.2-getstream.1'
 required: true
 default: '1.0.2-getstream.1'
 
@@ -21,7 +30,21 @@ permissions:
 packages: write
 
 jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Enforce version format
+ env:
+ VERSION: ${{ inputs.version }}
+ run: |
+ re='^[0-9]+\.[0-9]+\.[0-9]+-getstream\.[0-9]+$'
+ if [[ ! "$VERSION" =~ $re ]]; then
+ echo "::error::version '$VERSION' must be -getstream., e.g. 1.0.2-getstream.1"
+ exit 1
+ fi
+
 image:
+ needs: validate
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
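Review bot: The new `validate` job checks only the shape of the version, so nothing stops a run from re-publishing a tag that already exists; with `default: '1.0.2-getstream.1'` still in the inputs (a context line in the first hunk), a dispatch where the field is left unedited pushes that same tag again. The commit messages say the installer pins the image and chart by this string, so, assuming the registry accepts a push to an existing tag, the content behind a pinned version can change without the pin changing. Consider dropping the `default:` line so the operator has to type the version, and adding a step to `validate` that fails when the tag is already present in the registry. Separately, `validate` inherits the workflow-level `packages: write` although it only runs a regex; `permissions: {}` on that job would scope it down.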
@@ -30,8 +53,7 @@ jobs:
 with:
 go-version-file: go.mod
 
- # arm64 emulation; the make target's install-docker-buildx creates the
- # multi-arch builder.
+ # arm64 emulation; the make target creates the multi-arch buildx builder.
 - uses: docker/setup-qemu-action@v3
 
 - uses: docker/login-action@v3
@@ -58,8 +80,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: echo "$GH_TOKEN" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
 
- # The chart's crds/ are no longer .helmignored, so the fork CRDs travel
- # with the chart.
+ # crds/ is no longer .helmignored, so the fork CRDs ship inside the chart.
 - name: Package and push chart
 run: |
 helm package deploy/helm --version "${{ inputs.version }}" --app-version "${{ inputs.version }}"