chore: bump github/codeql-action from 2.13.4 to 3.25.11

.github/workflows/chart.yml

@@ -15,7 +15,7 @@ permissions:
 jobs:
   publish-helm-chart:
     if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/codeql.yml

@@ -21,13 +21,13 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a
+        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a
+        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a
+        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c
 

.github/workflows/create-release-pull-request.yml

@@ -6,6 +6,10 @@ on:
       release_version:
         description: 'Which version are we creating a release pull request for?'
         required: true
+      init_container_version:
+        description: 'Which init container version are we creating a release pull request for?'
+        required: true
+        default: v0.3.0
       based_on_branch:
         description: 'Which branch should we base the release pull request on?'
         required: true
@@ -19,12 +23,14 @@ permissions:
 
 jobs:
   create-release-pull-request:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: validate version
         run: |
           echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$'
-          echo "${{ github.event.inputs.based_on_branch }}" | grep -E '^(master|release-[0-9]+\.[0-9]+)$'
+          echo "${{ github.event.inputs.init_container_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$'
+          echo "${{ github.event.inputs.based_on_branch }}" | grep -E '^(master|release-[0-9]+\.[0-9]+\.[0-9]+-[0-9]+\.[0-9]+\.[0-9]+)$'
+
       - uses: actions/checkout@v4
         with:
           submodules: true
@@ -37,10 +43,11 @@ jobs:
         run: make release-manifest
         env:
           VERSION: "${{ github.event.inputs.release_version }}"
+          INIT_CONTAINER_VERSION: "${{ github.event.inputs.init_container_version }}"
       - name: Create release pull request
         uses: peter-evans/create-pull-request@v6
         with:
           commit-message: "release: update manifest and helm charts for ${{ github.event.inputs.release_version }}"
           title: "release: update manifest and helm charts for ${{ github.event.inputs.release_version }}"
-          branch: "release-${{ github.event.inputs.release_version }}"
+          branch: "release-${{ github.event.inputs.release_version }}-${{ github.event.inputs.init_container_version }}"
           base: ${{ github.event.inputs.based_on_branch }}

.github/workflows/create-release.yml

@@ -1,46 +1,67 @@
-name: Create release & Publish the image
+name: Create release
 on:
-  workflow_dispatch:
   pull_request:
     branches:
-      - master
       - release-**
     types: [ closed ]
 
 permissions:
   contents: write
   packages: write
   actions: read
-  deployments: read
   pull-requests: read
 
 env:
   REGISTRY: ghcr.io
   # Common versions
   GO_VERSION: '1.20'
-  IMAGE_NAME: 'virtual-kubelet'
-  INIT_IMAGE_NAME: 'init-validation'
 
 jobs:
   create-release:
     if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.get-tag.outputs.tag }}
     steps:
       - name: Set up Go ${{ env.GO_VERSION }}
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION  }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           submodules: true
+
       - id: get-tag
         name: Get tag
-        run: echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_OUTPUT
-      - name: Create tag
         run: |
-          git tag ${{ steps.get-tag.outputs.tag }}
+          echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | head -n 1)" >> $GITHUB_OUTPUT
+
+      - id: check-tag
+        name: Check for Tag
+        run: |
+          TAG=$(echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | head -n 1)" >> $GITHUB_OUTPUT
+
+          if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then
+            echo "create_tag=$(echo 'false' )" >> $GITHUB_OUTPUT
+          else
+            echo "create_tag=$(echo 'true' )" >> $GITHUB_OUTPUT
+          fi
+
+      - name: 'Create tag'
+        if: steps.check-tag.outputs.create_tag == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.git.createRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: 'refs/tags/${{ steps.get-tag.outputs.tag }}',
+              sha: context.sha
+            })
+
       - name: Goreleaser
         uses: goreleaser/goreleaser-action@v6
         with:
@@ -50,7 +71,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   export-registry:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    needs:
+      - create-release
     outputs:
       registry: ${{ steps.export.outputs.registry }}
     steps:
@@ -59,65 +82,16 @@ jobs:
           # registry must be in lowercase
           echo "::set-output name=registry::$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])"
 
-  publish-images:
-    if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
-    needs:
-    - export-registry
-    - create-release
-    env:
-      REGISTRY: ${{ needs.export-registry.outputs.registry }}
-      INIT_IMG_TAG : 0.2.0
-    runs-on: ubuntu-20.04
-    steps:
-      - id: get-tag
-        name: Get tag
-        run: echo "tag=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_OUTPUT
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-          fetch-depth: 0
-          ref: ${{ steps.get-tag.outputs.tag }}
-      - name: Login to ${{ env.REGISTRY }}
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set Image tag
-        run: |
-          ver=${{ steps.get-tag.outputs.tag }}
-          echo "IMG_TAG=${ver#"v"}" >> $GITHUB_ENV
-      - name: Build and push image
-        run: |
-          OUTPUT_TYPE=type=registry make docker-build-image
-          OUTPUT_TYPE=type=registry make docker-build-init-image
-        env:
-          VERSION: ${{ env.IMG_TAG }}
-
-      - name: Scan ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
-          timeout: '5m0s'
-        env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+  publish-image:
+    needs: [export-registry]
+    uses: ./.github/workflows/publish-image.yml
+    with:
+      registry: ${{ needs.export-registry.outputs.registry }}
+      release_version: echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | head -n 1
 
-      - name: Scan ${{ env.REGISTRY }}/${{ env.INIT_IMAGE_NAME }}:${{ env.INIT_IMG_TAG }}
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: ${{ env.REGISTRY }}/${{ env.INIT_IMAGE_NAME }}:${{ env.INIT_IMG_TAG }}
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
-          timeout: '5m0s'
-        env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+  publish-init-validation-image:
+    needs: [export-registry]
+    uses: ./.github/workflows/publish-init-container-image.yml
+    with:
+      registry: ${{ needs.export-registry.outputs.registry }}
+      init_container_version: echo ${{ github.event.pull_request.head.ref }} | tr '-' '\n' | grep 'v[0-9]\.[0-9]\.[0-9]' | sed -n '2p'

.github/workflows/lint.yml

@@ -19,7 +19,7 @@ env:
 jobs:
   lint:
     name: "Lint & Format"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     timeout-minutes: 10
     permissions:
       contents: read

.github/workflows/publish-image.yml

@@ -0,0 +1,57 @@
+name: Publish the Azure Virtual Kubelet image
+on:
+  workflow_call:
+    inputs:
+      registry:
+        description: 'Which registry are we pushing the image to?'
+        required: true
+      release_version:
+        description: 'Which version are we creating an image for?'
+        required: true
+
+permissions:
+  contents: write
+  packages: write
+  actions: read
+
+env:
+  REGISTRY: ghcr.io
+  # Common versions
+  GO_VERSION: '1.20'
+  IMAGE_NAME: 'virtual-kubelet'
+
+jobs:
+  publish-images:
+    env:
+      REGISTRY: ${{ github.event.client_payload.registry }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to ${{ env.REGISTRY }}
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set Image tag
+        run: |
+          ver=${{ github.event.client_payload.release_version }}
+          echo "IMG_TAG=${ver#"v"}" >> $GITHUB_ENV
+      - name: Build and push image
+        run: |
+          OUTPUT_TYPE=type=registry make docker-build-image
+        env:
+          VERSION: ${{ env.IMG_TAG }}
+
+      - name: Scan ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}"
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          timeout: '5m0s'
+        env:
+          TRIVY_USERNAME: ${{ github.actor }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish-init-container-image.yml

@@ -0,0 +1,65 @@
+name: Publish the init validation image
+on:
+  workflow_call:
+    inputs:
+      registry:
+        description: 'Which registry are we pushing the image to?'
+        required: true
+      init_container_version:
+        description: 'Which init container version are we creating an image for?'
+        required: true
+        default: v0.3.0
+
+permissions:
+  contents: write
+  packages: write
+  actions: read
+
+env:
+  REGISTRY: ghcr.io
+  # Common versions
+  GO_VERSION: '1.20'
+  INIT_IMAGE_NAME: 'init-validation'
+
+jobs:
+  publish-init-images:
+    env:
+      REGISTRY: ${{ github.event.client_payload.registry }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+          fetch-depth: 0
+          ref: ${{ steps.get-tag.outputs.tag }}
+
+      - name: Login to ${{ env.REGISTRY }}
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set Image tag
+        run: |
+          ver=${{ steps.get-tag.outputs.tag }}
+          echo "INIT_IMG_TAG=${ver#"v"}" >> $GITHUB_ENV
+      - name: Build and push image
+        run: |
+          OUTPUT_TYPE=type=registry make docker-build-init-image
+        env:
+          INIT_CONTAINER_VERSION: ${{ env.INIT_IMG_TAG }}
+
+      - name: Scan ${{ env.REGISTRY }}/${{ env.INIT_IMAGE_NAME }}:${{ env.INIT_IMG_TAG }}
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ env.REGISTRY }}/${{ env.INIT_IMAGE_NAME }}:${{ env.INIT_IMG_TAG }}"
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          timeout: '5m0s'
+        env:
+          TRIVY_USERNAME: ${{ github.actor }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/tests.yml

@@ -26,7 +26,7 @@ permissions:
 
 jobs:
   unit-tests:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     environment: test
     steps:
       - name:  Set up Go ${{ env.GO_VERSION }}

Makefile

@@ -35,7 +35,7 @@ E2E_CLUSTER_NAME := $(CLUSTER_NAME)
 OUTPUT_TYPE ?= type=docker
 BUILDPLATFORM ?= linux/amd64
 IMG_TAG ?= $(subst v,,$(VERSION))
-INIT_IMG_TAG ?= 0.2.0
+INIT_IMG_TAG ?= $(INIT_CONTAINER_VERSION)
 
 BUILD_DATE ?= $(shell date '+%Y-%m-%dT%H:%M:%S')
 VERSION_FLAGS := "-ldflags=-X main.buildVersion=$(IMG_TAG) -X main.buildTime=$(BUILD_DATE)"
@@ -161,8 +161,11 @@ test-loganalytics-json:
 .PHONY: release-manifest
 release-manifest:
 	@sed -i -e 's/^VERSION ?= .*/VERSION ?= ${VERSION}/' ./Makefile
+	@sed -i -e 's/^INIT_IMG_TAG ?= .*/INIT_IMG_TAG ?= ${INIT_IMG_TAG}/' ./Makefile
 	@sed -i -e "s/version: .*/version: ${IMG_TAG}/" ./charts/virtual-kubelet/Chart.yaml
 	@sed -i -e "s/tag: .*/tag: ${IMG_TAG}/" ./charts/virtual-kubelet/values.yaml
+	@sed -i -e "s/initTag: .*/initTag: ${INIT_IMG_TAG}/" ./charts/virtual-kubelet/values.yaml
 	@sed -i -e 's/RELEASE_TAG=.*/RELEASE_TAG=${IMG_TAG}/' ./charts/virtual-kubelet/README.md
 	@sed -i -e 's/RELEASE_TAG=.*/RELEASE_TAG=${IMG_TAG}/' ./docs/UPGRADE-README.md
+	@sed -i -e 's/INIT_IMG_TAG=.*/INIT_IMG_TAG=${INIT_IMG_TAG}/' ./docs/UPGRADE-README.md
 	@sed -i -e 's/RELEASE_TAG=.*/RELEASE_TAG=${IMG_TAG}/' README.md