cozystack · Timofei Larkin (lllamnyp) · Jun 11, 2026 · Jun 8, 2026 · Jun 10, 2026 · Jun 10, 2026
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -0,0 +1,64 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+categories:
+  - title: 'Features'
+    labels:
+      - 'feature'
+      - 'enhancement'
+  - title: 'Bug Fixes'
+    labels:
+      - 'bugfix'
+  - title: 'Maintenance'
+    labels:
+      - 'chore'
+      - 'dependencies'
+      - 'documentation'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+  patch:
+    labels:
+      - 'patch'
+  default: patch
+exclude-labels:
+  - 'skip-changelog'
+autolabeler:
+  - label: 'api-change'
+    files:
+      - 'api/**'
+  - label: 'controllers'
+    files:
+      - 'controllers/**'
+      - 'internal/**'
+  - label: 'bugfix'
+    branch:
+      - '/fix\/.+/'
+      - '/bugfix\/.+/'
+  - label: 'feature'
+    branch:
+      - '/feature\/.+/'
+      - '/feat\/.+/'
+  - label: 'enhancement'
+    branch:
+      - '/enh\/.+/'
+  - label: 'chore'
+    branch:
+      - '/chore\/.+/'
+  - label: 'dependencies'
+    branch:
+      - '/deps\/.+/'
+      - '/renovate\/.+/'
+  - label: 'documentation'
+    files:
+      - '**/*.md'
+    branch:
+      - '/docs\/.+/'
+template: |
+  ## Changes
+  $CHANGES
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,11 +2,29 @@ name: CI
 
 on:
   pull_request:
-    branches: [ master ]
+    branches: [ main ]
   push:
-    branches: [ master ]
+    branches: [ main ]
+
+# CI only builds and tests — no writes to the repo, releases, or packages.
+permissions:
+  contents: read
 
 jobs:
+  image-multiarch:
+    # Build-only assertion that the operator image builds for every published
+    # platform. Deliberately sets up buildx WITHOUT QEMU: the Dockerfile builder
+    # is pinned to $BUILDPLATFORM and Go cross-compiles via GOARCH, so both legs
+    # must build natively on this amd64 runner with no emulation. If the
+    # --platform=$BUILDPLATFORM pin regresses, the arm64 leg fails here (exec
+    # format error) instead of silently breaking the tag-release publish.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3.3.0
+      - name: Build multi-arch image (no push, no QEMU)
+        run: docker buildx build --platform linux/amd64,linux/arm64 -t etcd-operator:buildtest .
+
   verify:
     runs-on: ubuntu-latest
     steps:
@@ -18,10 +36,12 @@ jobs:
           cache: true
 
       - name: codegen drift
-        # If a contributor edits an API type without re-running codegen,
-        # this gate catches it before CRDs and deepcopy ship out of sync
-        # with the Go types. Runs before `make test` so the as-committed
-        # state of generated files is what we check.
+        # If a contributor edits an API type or +kubebuilder:rbac markers
+        # without re-running codegen, this gate catches it before the chart's
+        # CRDs (charts/etcd-operator/crd-bases), manager RBAC rules
+        # (charts/etcd-operator/files/manager-role-rules.yaml), or deepcopy ship
+        # out of sync. Runs before `make test` so the as-committed state of
+        # generated files is what we check.
         run: |
           make generate manifests
           if ! git diff --quiet --exit-code; then

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,79 @@
+name: Docker publish
+
+# Tag-based image release. Pushing a semver tag (e.g. v0.5.0) builds the
+# operator image multi-arch, pushes it to GHCR under this repo's name, and
+# signs it with cosign. This is the same shape as the legacy v1alpha1 release
+# process, retargeted at ghcr.io/<owner>/<repo> via the built-in GITHUB_TOKEN
+# (no Docker Hub secrets needed).
+#
+# Release order: push the tag FIRST (this builds ghcr.io/.../etcd-operator:<tag>),
+# then publish the GitHub release for that tag — release-assets.yml renders the
+# install manifests pointing at this image.
+
+on:
+  push:
+    tags: [ 'v*.*.*' ]
+
+env:
+  REGISTRY: ghcr.io
+  # github.repository is <owner>/<repo>, e.g. cozystack/etcd-operator
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+      # Needed for the keyless cosign identity challenge (sigstore/fulcio).
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.5.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.3.0
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v3.2.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          # Pin the published tag to the exact git ref (e.g. v0.5.0). This is
+          # the SAME source release-assets.yml uses for the IMG it bakes into
+          # the install manifest (its RELEASE_TAG is github.ref_name too), so
+          # the image that ships and the image the manifest references are
+          # provably identical. Don't rely on metadata-action's implicit
+          # default: it also emits a moving `latest` and its default tag set is
+          # easy to misread — explicit keeps the publish/manifest contract clear.
+          tags: |
+            type=raw,value=${{ github.ref_name }}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Sign the published Docker image
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml
@@ -0,0 +1,75 @@
+name: Helm publish
+
+# Tag-based Helm chart release. Pushing a semver tag packages
+# charts/etcd-operator and pushes it as an OCI chart to GHCR under the org's
+# charts repo (ghcr.io/<owner>/charts/etcd-operator), versioned from the tag.
+# Same shape as the legacy v1alpha1 helm-publish, retargeted at this org and
+# using the built-in GITHUB_TOKEN.
+on:
+  push:
+    tags: [ 'v*.*.*' ]
+
+env:
+  REGISTRY: ghcr.io
+  CHARTS_REPOSITORY: ${{ github.repository_owner }}/charts
+  CHART_NAME: etcd-operator
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # make manifests regenerates the CRDs and manager RBAC rules (controller-gen)
+      # straight into the chart, so the published package always matches the
+      # tagged API types and +kubebuilder:rbac markers — never a stale committed
+      # copy. (ci.yml's drift gate already enforces this on PRs; this is belt-and-
+      # suspenders at publish time.)
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: 'v3.16.4'
+
+      - name: Regenerate CRDs and RBAC into the chart
+        run: make manifests
+
+      - name: Resolve chart versions from tag
+        env:
+          REF_NAME: ${{ github.ref_name }}
+        run: |
+          TAG="$REF_NAME"
+          echo "RELEASE_TAG=${TAG}" >> "$GITHUB_ENV"
+          # Chart version is semver without the leading v; appVersion keeps it.
+          echo "RELEASE_TAG_TRIMMED_V=${TAG#v}" >> "$GITHUB_ENV"
+
+      - name: Helm registry login
+        env:
+          ACTOR: ${{ github.actor }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          helm registry login \
+            --username "$ACTOR" \
+            --password "$TOKEN" \
+            "${{ env.REGISTRY }}"
+
+      - name: Package chart
+        working-directory: charts
+        run: |
+          helm package "${{ env.CHART_NAME }}" \
+            --version "${RELEASE_TAG_TRIMMED_V}" \
+            --app-version "${RELEASE_TAG}"
+
+      - name: Push chart
+        working-directory: charts
+        run: |
+          helm push "${{ env.CHART_NAME }}-${RELEASE_TAG_TRIMMED_V}.tgz" \
+            "oci://${{ env.REGISTRY }}/${{ env.CHARTS_REPOSITORY }}"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml