jumpstarter-dev · mangelajo · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,34 @@
+# Dependabot configuration for monorepo
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # Go modules for controller
+  - package-ecosystem: "gomod"
+    directory: "/controller"
+    schedule:
+      interval: weekly
+
+  # Go modules for operator
+  - package-ecosystem: "gomod"
+    directory: "/controller/deploy/operator"
+    schedule:
+      interval: weekly
+
+  # Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/python"
+    schedule:
+      interval: weekly
+
+  # Devcontainers
+  - package-ecosystem: "devcontainers"
+    directory: "/"
+    schedule:
+      interval: weekly
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: weekly
diff --git a/python/.github/workflows/backport.yml → .github/workflows/backport.yaml b/python/.github/workflows/backport.yml → .github/workflows/backport.yaml
diff --git a/.github/workflows/build-images.yaml b/.github/workflows/build-images.yaml
@@ -0,0 +1,186 @@
+name: Build and push container images
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - '*'
+    branches:
+      - main
+      - 'release-*'
+  merge_group:
+
+env:
+  PUSH: ${{ github.repository_owner == 'jumpstarter-dev' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/heads/release-')) }}
+  REGISTRY: quay.io
+  QUAY_ORG: quay.io/jumpstarter-dev
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    strategy:
+      matrix:
+        include:
+          # Controller images
+          - image_name: jumpstarter-dev/jumpstarter-controller
+            dockerfile: controller/Dockerfile
+            context: controller
+          - image_name: jumpstarter-dev/jumpstarter-operator
+            dockerfile: controller/Dockerfile.operator
+            context: controller
+          - image_name: jumpstarter-dev/jumpstarter-operator-bundle
+            dockerfile: controller/deploy/operator/bundle.Dockerfile
+            context: controller/deploy/operator
+          # Python images (use repo root context for .git access needed by hatch-vcs)
+          - image_name: jumpstarter-dev/jumpstarter
+            dockerfile: python/Dockerfile
+            context: .
+          - image_name: jumpstarter-dev/jumpstarter-utils
+            dockerfile: python/Dockerfile.utils
+            context: python
+          - image_name: jumpstarter-dev/jumpstarter-dev
+            dockerfile: python/.devfile/Containerfile
+            context: python
+          - image_name: jumpstarter-dev/jumpstarter-devspace
+            dockerfile: python/.devfile/Containerfile.client
+            context: .
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get version
+        run: |
+          VERSION=$(git describe --tags)
+          VERSION=${VERSION#v} # remove the leading v prefix for version
+          echo "VERSION=${VERSION}" >> $GITHUB_ENV
+          echo "VERSION=${VERSION}"
+
+          # Convert to PEP 440 compliant version for Python packages
+          # Format: 0.7.0-1051-g54cd2f08 -> 0.7.0.dev1051+g54cd2f08
+          if [[ "$VERSION" =~ ^([0-9]+\.[0-9]+\.[0-9]+)-([0-9]+)-g([a-f0-9]+)$ ]]; then
+            PEP440_VERSION="${BASH_REMATCH[1]}.dev${BASH_REMATCH[2]}+g${BASH_REMATCH[3]}"
+          else
+            # If it's already a clean version (e.g., 0.7.0), use as-is
+            PEP440_VERSION="$VERSION"
+          fi
+          echo "PEP440_VERSION=${PEP440_VERSION}" >> $GITHUB_ENV
+          echo "PEP440_VERSION=${PEP440_VERSION}"
+
+      - name: Set build args
+        id: build-args
+        run: |
+          GIT_COMMIT=$(git rev-parse HEAD)
+          BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+          echo "git_commit=${GIT_COMMIT}" >> $GITHUB_OUTPUT
+          echo "build_date=${BUILD_DATE}" >> $GITHUB_OUTPUT
+          echo "GIT_COMMIT=${GIT_COMMIT}"
+          echo "BUILD_DATE=${BUILD_DATE}"
+
+      - name: Set image tags
+        if: ${{ env.PUSH == 'true' }}
+        id: set-tags
+        run: |
+          TAGS="${{ env.REGISTRY }}/${{ matrix.image_name }}:${{ env.VERSION }}"
+
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            TAGS="$TAGS,${{ env.REGISTRY }}/${{ matrix.image_name }}:latest"
+          fi
+
+          if [[ "${{ github.ref }}" == refs/heads/release-* ]]; then
+            RELEASE_BRANCH_NAME=$(basename "${{ github.ref }}")
+            TAGS="$TAGS,${{ env.REGISTRY }}/${{ matrix.image_name }}:${RELEASE_BRANCH_NAME}"
+          fi
+
+          echo "tags=$TAGS" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        if: ${{ env.PUSH == 'true' }}
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: jumpstarter-dev+jumpstarter_ci
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ matrix.image_name }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ matrix.context }}
+          file: ${{ matrix.dockerfile }}
+          push: ${{ env.PUSH }}
+          tags: ${{ steps.set-tags.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            GIT_VERSION=${{ env.PEP440_VERSION }}
+            GIT_COMMIT=${{ steps.build-args.outputs.git_commit }}
+            BUILD_DATE=${{ steps.build-args.outputs.build_date }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        if: ${{ env.PUSH == 'true' }}
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ matrix.image_name }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: ${{ env.PUSH }}
+
+  publish-helm-charts:
+    needs: build-and-push-image
+    if: ${{ github.repository_owner == 'jumpstarter-dev' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/heads/release-')) }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get version
+        run: |
+          VERSION=$(git describe --tags)
+          VERSION=${VERSION#v} # remove the leading v prefix for version
+          echo "VERSION=${VERSION}" >> $GITHUB_ENV
+          echo "VERSION=${VERSION}"
+
+      - name: Build helm charts
+        run: |
+          echo packaging ${VERSION}
+          # patch the sub-chart app-version, because helm package won't do it
+          sed -i "s/^appVersion:.*/appVersion: $VERSION/" controller/deploy/helm/jumpstarter/charts/jumpstarter-controller/Chart.yaml
+          helm package ./controller/deploy/helm/jumpstarter --version "${VERSION}" --app-version "${VERSION}"
+
+      - name: Login helm
+        env:
+          PASSWORD: ${{ secrets.QUAY_TOKEN }}
+          USER: jumpstarter-dev+jumpstarter_ci
+        run:
+          helm registry login quay.io -u ${USER} -p ${PASSWORD}
+
+      - name: Push helm charts
+        run: |
+          helm push jumpstarter-*.tgz oci://${{ env.QUAY_ORG }}/helm
+
+          if [[ "${{ github.ref }}" == "refs/heads/release-*" ]]; then
+            RELEASE_BRANCH_NAME=$(basename "${{ github.ref }}")
+            helm chart save jumpstarter-*.tgz ${{ env.QUAY_ORG }}/helm:${RELEASE_BRANCH_NAME}
+            helm chart push ${{ env.QUAY_ORG }}/helm:${RELEASE_BRANCH_NAME}
+          fi
diff --git a/...n/.github/workflows/build_oci_bundle.yaml → .github/workflows/build-oci-bundle.yaml b/...n/.github/workflows/build_oci_bundle.yaml → .github/workflows/build-oci-bundle.yaml
@@ -1,4 +1,5 @@
 name: Build and push buildroot-based flasher OCI bundle
+
 on:
   workflow_dispatch:
 
@@ -14,17 +15,17 @@ jobs:
 
       - name: Run build_fits.sh
         run: |
-          cd packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb
+          cd python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb
           ./build_fits.sh
 
       - name: Upload FIT artifacts
         uses: actions/upload-artifact@v4
         with:
           name: FIT-images
-          path: packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/data/*.itb
+          path: python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/data/*.itb
 
       - name: Run build_bundle.sh for aarch64-itb
         run: |
-          cd packages/jumpstarter-driver-flashers/oci_bundles && dnf install -y oras
+          cd python/packages/jumpstarter-driver-flashers/oci_bundles && dnf install -y oras
           oras login quay.io -u jumpstarter-dev+jumpstarter_ci --password-stdin <<< "${{ secrets.QUAY_TOKEN }}"
           ./build_bundle.sh quay.io/jumpstarter-dev/jumpstarter-flasher-aarch64-itb:latest aarch64-itb
diff --git a/.github/workflows/controller-bundle.yaml b/.github/workflows/controller-bundle.yaml
@@ -0,0 +1,97 @@
+name: Check Bundle
+
+on:
+  pull_request:
+    branches:
+      - main
+      - 'release-*'
+    paths:
+      - 'controller/**'
+
+jobs:
+  check-bundle:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.24'
+
+      - name: Cache bin directory (deploy/operator)
+        uses: actions/cache@v4
+        with:
+          path: controller/deploy/operator/bin/
+          key: ${{ runner.os }}-operator-bin-${{ hashFiles('controller/deploy/operator/go.mod') }}
+          restore-keys: |
+            ${{ runner.os }}-operator-bin-
+
+      - name: Get version
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            BASE_BRANCH="${{ github.base_ref }}"
+            if [ "$BASE_BRANCH" == "main" ]; then
+              TAG="latest"
+            elif [[ "$BASE_BRANCH" =~ ^release- ]]; then
+              TAG="$BASE_BRANCH"
+            else
+              echo "::error::Unknown base branch: $BASE_BRANCH"
+              exit 1
+            fi
+          else
+            echo "::error::Unsupported event: ${{ github.event_name }}"
+            exit 1
+          fi
+          echo "TAG=${TAG}" >> $GITHUB_ENV
+          echo "TAG=${TAG}"
+
+      - name: Run make bundle
+        working-directory: controller/deploy/operator
+        run: |
+          make bundle IMG="quay.io/jumpstarter-dev/jumpstarter-operator:${TAG}"
+
+      - name: Check for uncommitted changes
+        run: |
+          DIFF=$(git diff)
+          if [ -n "$DIFF" ]; then
+            # Filter out createdAt timestamp lines and context lines, check if any actual changes remain
+            FILTERED_DIFF=$(echo "$DIFF" | grep -vE '^(---|\+\+\+|@@|index|diff)' | grep -vE '^[+-].*createdAt:.*[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z' || true)
+            # Check if there are any non-timestamp, non-context changes
+            if [ -n "$FILTERED_DIFF" ] && [ -n "$(echo "$FILTERED_DIFF" | grep -E '^[+-]' || true)" ]; then
+              echo "::error::Uncommitted changes detected after running 'make bundle'. Please commit all bundle changes before pushing."
+              echo "::error::This can be done by running 'make bundle IMG=\"quay.io/jumpstarter-dev/jumpstarter-operator:${TAG}\""
+              git diff
+              exit 1
+            else
+              echo "Only timestamp changes detected (ignored). Bundle files are up to date."
+              # Reset the timestamp changes to keep the repo clean
+              git checkout -- .
+            fi
+          else
+            echo "No uncommitted changes detected. Bundle files are up to date."
+          fi
+
+      - name: Ensure clean state before build-installer
+        run: |
+          # Reset any remaining changes from root
+          git checkout -- . || true
+
+      - name: Run make build-installer
+        working-directory: controller/deploy/operator
+        run: |
+          make build-installer
+
+      - name: Check for uncommitted changes after build-installer
+        run: |
+          if [ -n "$(git diff)" ]; then
+            echo "::error::Uncommitted changes detected after running 'make build-installer'. Please commit all installer changes before pushing."
+            echo "::error::This can be done by running 'make build-installer'"
+            git diff
+            exit 1
+          else
+            echo "No uncommitted changes detected. Installer files are up to date."
+          fi
diff --git a/.github/workflows/controller-kind.yaml b/.github/workflows/controller-kind.yaml
@@ -0,0 +1,35 @@
+name: Kind based CI
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+      - 'release-*'
+    paths:
+      - 'controller/**'
+
+jobs:
+  deploy-kind:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run make deploy
+        working-directory: controller
+        run: make deploy
+
+  e2e-test-operator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run operator e2e test
+        working-directory: controller
+        run: make test-operator-e2e