From 9f1a2b48a930241eec5d5cee2ed3e81b98076087 Mon Sep 17 00:00:00 2001 From: Quentin Joly Date: Mon, 27 Apr 2026 23:40:23 +0200 Subject: [PATCH 1/7] Create workflow for PR --- .github/workflows/omni-template-sync.yaml | 112 ++++++++++++++++++++-- 1 file changed, 106 insertions(+), 6 deletions(-) diff --git a/.github/workflows/omni-template-sync.yaml b/.github/workflows/omni-template-sync.yaml index 98a1ee09..21563e5e 100644 --- a/.github/workflows/omni-template-sync.yaml +++ b/.github/workflows/omni-template-sync.yaml @@ -9,13 +9,22 @@ on: - "turing/patches/**" - "mocha/template.yaml" - "mocha/patches/**" + pull_request: + branches: + - main + paths: + - "turing/template.yaml" + - "turing/patches/**" + - "mocha/template.yaml" + - "mocha/patches/**" permissions: contents: read + pull-requests: write jobs: # ---------------------------------------------------------------- - # Detect which clusters were actually touched in this push. + # Detect which clusters were actually touched in this push/PR. # Outputs a JSON array, e.g. ["turing"] or ["mocha"] or ["turing","mocha"]. # ---------------------------------------------------------------- detect: @@ -25,13 +34,18 @@ jobs: steps: - uses: actions/checkout@v4 with: - fetch-depth: 2 # need HEAD~1 to diff against + fetch-depth: 0 # full history needed for PR base-branch diff - name: Detect changed clusters id: detect run: | + if [ "${{ github.event_name }}" = "pull_request" ]; then + range="origin/${{ github.base_ref }}...${{ github.sha }}" + else + range="HEAD~1..HEAD" + fi clusters=$( - git diff --name-only HEAD~1 HEAD \ + git diff --name-only $range \ | grep -E '^(turing|mocha)/(template\.yaml|patches/)' \ | cut -d/ -f1 \ | sort -u \ 
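Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block, so it is granted to the `detect` and `sync` jobs as well, although only the new dry-run job posts comments; move it to a job-level `permissions:` block on that job and leave the workflow default at `contents: read`. Note also that under the `pull_request` trigger a PR opened from a fork runs without repository secrets and with a read-only `GITHUB_TOKEN`, so for those PRs the omnictl dry-run and the comment post would fail rather than be skipped; if fork PRs are expected, gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository`. The `detect` and `sync` job definitions lie outside this hunk.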
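Review bot: On the push path `range="HEAD~1..HEAD"` diffs only the last commit, so a direct push of several commits to `main` (or a rebase-merge) syncs only clusters touched in the final commit, while the `paths:` filter fires for the whole push. Now that `fetch-depth: 0` fetches full history, `range="${{ github.event.before }}..${{ github.sha }}"` covers the whole push; keep `HEAD~1..HEAD` as a fallback for the case where `before` is not a reachable commit (force-push). The `run:` block continues past the end of this hunk.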
@@ -41,12 +55,98 @@ jobs: echo "Clusters to sync: ${clusters}" # ---------------------------------------------------------------- - # Sync each changed cluster in parallel via matrix. - # Skipped entirely if no relevant cluster changed. + # Dry-run on PRs: run omnictl sync --dry-run and post the output + # as a PR comment (updated on each new commit to the PR). + # ---------------------------------------------------------------- + dry-run: + needs: detect + if: github.event_name == 'pull_request' && needs.detect.outputs.clusters != '[]' + runs-on: ubuntu-latest + strategy: + matrix: + cluster: ${{ fromJson(needs.detect.outputs.clusters) }} + fail-fast: false + + name: Dry-run ${{ matrix.cluster }} + steps: + - uses: actions/checkout@v4 + + - name: Install omnictl v1.7.1 + run: | + curl -sSL -o omnictl \ + https://github.com/siderolabs/omni/releases/download/v1.7.1/omnictl-linux-amd64 + chmod +x omnictl + sudo mv omnictl /usr/local/bin/omnictl + + - name: Dry-run ${{ matrix.cluster }} cluster template + id: dry-run + continue-on-error: true + working-directory: ${{ matrix.cluster }} + env: + OMNI_ENDPOINT: ${{ secrets.OMNI_ENDPOINT }} + OMNI_SERVICE_ACCOUNT_KEY: ${{ secrets.OMNI_SERVICE_ACCOUNT_KEY }} + run: | + omnictl cluster template sync -f template.yaml --dry-run \ + > /tmp/dry-run-output.txt 2>&1 + + - name: Post dry-run result as PR comment + if: always() + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs'); + const cluster = '${{ matrix.cluster }}'; + const outcome = '${{ steps.dry-run.outcome }}'; + const status = outcome === 'success' ? '✅' : '❌'; + const output = fs.readFileSync('/tmp/dry-run-output.txt', 'utf8').trim(); + + const marker = ``; + const body = [ + marker, + `### ${status} \`omnictl\` dry-run — \`${cluster}\``, + '', + '```', + output || '(no output)', + '```', + '', + `> commit \`${{ github.sha }}\``, + ].join('\n'); + + // Update existing comment if present, otherwise create one. 
+ const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + }); + const existing = comments.find(c => c.body.includes(marker)); + if (existing) { + await github.rest.issues.updateComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: existing.id, + body, + }); + } else { + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + body, + }); + } + + - name: Fail job if dry-run failed + if: steps.dry-run.outcome == 'failure' + run: | + echo "Dry-run failed. See comment on the PR for details." + exit 1 + + # ---------------------------------------------------------------- + # Sync each changed cluster in parallel via matrix (push to main only). # ---------------------------------------------------------------- sync: needs: detect - if: needs.detect.outputs.clusters != '[]' + if: github.event_name == 'push' && needs.detect.outputs.clusters != '[]' runs-on: ubuntu-latest strategy: matrix: From 57a4a159aa5016ba6ccee5e75b2dddbede8a8fcb Mon Sep 17 00:00:00 2001 From: Quentin Joly Date: Mon, 27 Apr 2026 23:41:44 +0200 Subject: [PATCH 2/7] Upgrade to v1.35.2 --- turing/template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/turing/template.yaml b/turing/template.yaml index 6f602038..391fa94e 100644 --- a/turing/template.yaml +++ b/turing/template.yaml @@ -1,7 +1,7 @@ kind: Cluster name: turing # Turing Pi kubernetes: - version: v1.35.1 + version: v1.35.2 talos: version: v1.13.0 features: From 005f7e14e550ee914a91912026e6f926001c3cfe Mon Sep 17 00:00:00 2001 From: Quentin Joly Date: Mon, 27 Apr 2026 23:45:35 +0200 Subject: [PATCH 3/7] Disable cilium install (will be reworked soon) --- turing/patches/extraManifests.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
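Review bot: As rendered here `const marker = ``;` is an empty template literal; if that is the real content rather than an HTML comment lost in rendering, `comments.find(c => c.body.includes(marker))` matches every comment and the job overwrites the first comment on the PR, whoever wrote it. Make the marker non-empty and cluster-specific, e.g. `const marker = '<!-- omni-dry-run:' + cluster + ' -->';`, otherwise the `turing` and `mocha` matrix jobs also overwrite each other's comment since both run with `fail-fast: false` in parallel. The same `marker` line is kept as context in the `@@ -95,24 +134,38 @@` hunk of PATCH 4, so the fix applies there too. The `sync` job header at the end of this hunk continues outside it.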
diff --git a/turing/patches/extraManifests.yml b/turing/patches/extraManifests.yml index 9ccdd927..ac01ad4d 100644 --- a/turing/patches/extraManifests.yml +++ b/turing/patches/extraManifests.yml @@ -1,8 +1,8 @@ cluster: extraManifests: # --- Cilium Installation --- - - https://raw.githubusercontent.com/qjoly/gitops/refs/heads/main/common/cilium/install-cilium.yaml - - https://raw.githubusercontent.com/qjoly/gitops/refs/heads/main/common/cilium/L2Announcement.yaml + # - https://raw.githubusercontent.com/qjoly/gitops/refs/heads/main/common/cilium/install-cilium.yaml + # - https://raw.githubusercontent.com/qjoly/gitops/refs/heads/main/common/cilium/L2Announcement.yaml # --- ArgoCD Installation --- - https://raw.githubusercontent.com/qjoly/gitops/refs/heads/main/common/argocd/argocd.namespace.yaml - https://raw.githubusercontent.com/qjoly/gitops/refs/heads/main/common/argocd/argocd.install.yaml From 00cf8b02824a2e361b11806ca2b8c4a010093faa Mon Sep 17 00:00:00 2001 From: Quentin Joly Date: Tue, 28 Apr 2026 08:23:32 +0200 Subject: [PATCH 4/7] Support Cilium in the workflow --- .github/workflows/omni-template-sync.yaml | 122 ++++++++++++++++++---- turing/helm/cilium/values.yaml | 45 ++++++++ turing/helmfile.yaml | 11 ++ 3 files changed, 155 insertions(+), 23 deletions(-) create mode 100644 turing/helm/cilium/values.yaml create mode 100644 turing/helmfile.yaml diff --git a/.github/workflows/omni-template-sync.yaml b/.github/workflows/omni-template-sync.yaml index 21563e5e..cb9518fd 100644 --- a/.github/workflows/omni-template-sync.yaml +++ b/.github/workflows/omni-template-sync.yaml 
@@ -7,16 +7,24 @@ on: paths: - "turing/template.yaml" - "turing/patches/**" + - "turing/helmfile.yaml" + - "turing/helm/**" - "mocha/template.yaml" - "mocha/patches/**" + - "mocha/helmfile.yaml" + - "mocha/helm/**" pull_request: branches: - main paths: - "turing/template.yaml" - "turing/patches/**" + - "turing/helmfile.yaml" + - "turing/helm/**" - "mocha/template.yaml" - "mocha/patches/**" + - "mocha/helmfile.yaml" + - "mocha/helm/**" permissions: contents: read @@ -25,6 +33,7 @@ permissions: jobs: # ---------------------------------------------------------------- # Detect which clusters were actually touched in this push/PR. + # Watches both Omni template files and Helm files. # Outputs a JSON array, e.g. ["turing"] or ["mocha"] or ["turing","mocha"]. # ---------------------------------------------------------------- detect: @@ -46,7 +55,7 @@ jobs: fi clusters=$( git diff --name-only $range \ - | grep -E '^(turing|mocha)/(template\.yaml|patches/)' \ + | grep -E '^(turing|mocha)/(template\.yaml|patches/|helmfile\.yaml|helm/)' \ | cut -d/ -f1 \ | sort -u \ | jq -Rsc 'split("\n") | map(select(length > 0))' @@ -55,8 +64,10 @@ jobs: echo "Clusters to sync: ${clusters}" # ---------------------------------------------------------------- - # Dry-run on PRs: run omnictl sync --dry-run and post the output - # as a PR comment (updated on each new commit to the PR). + # Dry-run on PRs: + # 1. omnictl cluster template sync --dry-run + # 2. helmfile diff + # Both results posted as a single PR comment per cluster. # ---------------------------------------------------------------- dry-run: needs: detect 
@@ -71,15 +82,30 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Install omnictl v1.7.1 + - name: Install tools (omnictl, helm, helmfile) run: | + # omnictl curl -sSL -o omnictl \ https://github.com/siderolabs/omni/releases/download/v1.7.1/omnictl-linux-amd64 - chmod +x omnictl - sudo mv omnictl /usr/local/bin/omnictl + chmod +x omnictl && sudo mv omnictl /usr/local/bin/omnictl - - name: Dry-run ${{ matrix.cluster }} cluster template - id: dry-run + # helm + curl -fsSL \ + https://get.helm.sh/helm-v3.17.0-linux-amd64.tar.gz \ + | tar xz -C /tmp linux-amd64/helm + sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm + + # helm-diff plugin (required by helmfile diff) + helm plugin install https://github.com/databus23/helm-diff + + # helmfile + curl -fsSL \ + https://github.com/helmfile/helmfile/releases/download/v0.171.0/helmfile_0.171.0_linux_amd64.tar.gz \ + | tar xz -C /tmp helmfile + sudo mv /tmp/helmfile /usr/local/bin/helmfile + + - name: omnictl dry-run — ${{ matrix.cluster }} + id: omni-dry-run continue-on-error: true working-directory: ${{ matrix.cluster }} env: @@ -87,7 +113,20 @@ jobs: OMNI_SERVICE_ACCOUNT_KEY: ${{ secrets.OMNI_SERVICE_ACCOUNT_KEY }} run: | omnictl cluster template sync -f template.yaml --dry-run \ - > /tmp/dry-run-output.txt 2>&1 + > /tmp/omni-dry-run.txt 2>&1 + + - name: helmfile diff — ${{ matrix.cluster }} + id: helm-diff + continue-on-error: true + working-directory: ${{ matrix.cluster }} + env: + OMNI_ENDPOINT: ${{ secrets.OMNI_ENDPOINT }} + OMNI_SERVICE_ACCOUNT_KEY: ${{ secrets.OMNI_SERVICE_ACCOUNT_KEY }} + run: | + omnictl kubeconfig --cluster ${{ matrix.cluster }} /tmp/${{ matrix.cluster }}.kubeconfig + KUBECONFIG=/tmp/${{ matrix.cluster }}.kubeconfig \ + helmfile diff --no-color 2>&1 \ + | tee /tmp/helm-diff.txt - name: Post dry-run result as PR comment if: always() 
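Review bot: The omnictl download still uses `curl -sSL -o omnictl` without `-f`, while the helm and helmfile downloads in the same step use `-fsSL`; on an HTTP error curl writes the error body into `omnictl`, `chmod +x` succeeds and the failure surfaces later as an unreadable binary. Use `curl -fsSL -o omnictl \` for consistency. `helm plugin install https://github.com/databus23/helm-diff` is unpinned here (PATCH 6 later pins it to `v3.9.4`), and none of the three binaries is compared against a published checksum, so the job trusts whatever the download host serves at run time; verifying each artifact's `sha256` before the `sudo mv` would close that gap. The sync job's install step in the `@@ -157,12 +212,24 @@` hunk has the same `-f` omission and unverified downloads.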
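Review bot: The outcome of the `helmfile diff --no-color 2>&1 | tee /tmp/helm-diff.txt` pipeline is tee's exit status, not helmfile's: a `run:` block with no explicit `shell:` is executed as `bash -e {0}` without `pipefail`, so a failed diff still yields `steps.helm-diff.outcome == 'success'` and neither the ❌ marker nor the fail-job step triggers. Add `shell: bash` to the step (GitHub then runs `bash --noprofile --norc -eo pipefail {0}`) or put `set -o pipefail` before the pipeline; the same pipeline is kept in the `@@ -123,9 +120,11 @@` hunk of PATCH 5 and the `@@ -120,11 +120,14 @@` hunk of PATCH 6. Because the captured output is posted verbatim to a PR comment and helm-diff includes Secret manifests in its output by default, also pass `--suppress-secrets` (`helmfile diff --no-color --suppress-secrets 2>&1 \`); with `hubble.tls.auto.method: helm` in the new values file the release carries generated TLS material that would otherwise land in the comment whenever it changes. Separately, this step evaluates the PR's own `helmfile.yaml` with `OMNI_SERVICE_ACCOUNT_KEY` and the freshly written kubeconfig in its environment; fork PRs get no secrets under the `pull_request` trigger, so this is limited to collaborators, but a read-only Omni service account for the dry-run job would bound it further.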
@@ -95,24 +134,38 @@ jobs: with: script: | const fs = require('fs'); - const cluster = '${{ matrix.cluster }}'; - const outcome = '${{ steps.dry-run.outcome }}'; - const status = outcome === 'success' ? '✅' : '❌'; - const output = fs.readFileSync('/tmp/dry-run-output.txt', 'utf8').trim(); + const cluster = '${{ matrix.cluster }}'; + + const omniOk = '${{ steps.omni-dry-run.outcome }}' === 'success'; + const helmOk = '${{ steps.helm-diff.outcome }}' === 'success'; + + const omniOut = fs.existsSync('/tmp/omni-dry-run.txt') + ? fs.readFileSync('/tmp/omni-dry-run.txt', 'utf8').trim() + : '(file not found)'; + const helmOut = fs.existsSync('/tmp/helm-diff.txt') + ? fs.readFileSync('/tmp/helm-diff.txt', 'utf8').trim() + : '(file not found)'; + const s = (ok) => ok ? '✅' : '❌'; const marker = ``; + const body = [ marker, - `### ${status} \`omnictl\` dry-run — \`${cluster}\``, + `## ${s(omniOk && helmOk)} Dry-run — \`${cluster}\``, '', + `### ${s(omniOk)} \`omnictl\` template sync`, + '```', + omniOut || '(no output)', '```', - output || '(no output)', + '', + `### ${s(helmOk)} \`helmfile diff\``, + '```diff', + helmOut || '(no output)', '```', '', `> commit \`${{ github.sha }}\``, ].join('\n'); - // Update existing comment if present, otherwise create one. const { data: comments } = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo, 
@@ -135,14 +188,16 @@ jobs: }); } - - name: Fail job if dry-run failed - if: steps.dry-run.outcome == 'failure' + - name: Fail job if any dry-run step failed + if: steps.omni-dry-run.outcome == 'failure' || steps.helm-diff.outcome == 'failure' run: | - echo "Dry-run failed. See comment on the PR for details." + echo "One or more dry-run steps failed. See the PR comment for details." exit 1 # ---------------------------------------------------------------- - # Sync each changed cluster in parallel via matrix (push to main only). + # Sync on push to main: + # 1. omnictl cluster template sync + # 2. helmfile apply # ---------------------------------------------------------------- sync: needs: detect @@ -157,12 +212,24 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Install omnictl v1.7.1 + - name: Install tools (omnictl, helm, helmfile) run: | + # omnictl curl -sSL -o omnictl \ https://github.com/siderolabs/omni/releases/download/v1.7.1/omnictl-linux-amd64 - chmod +x omnictl - sudo mv omnictl /usr/local/bin/omnictl + chmod +x omnictl && sudo mv omnictl /usr/local/bin/omnictl + + # helm + curl -fsSL \ + https://get.helm.sh/helm-v3.17.0-linux-amd64.tar.gz \ + | tar xz -C /tmp linux-amd64/helm + sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm + + # helmfile (apply doesn't require helm-diff) + curl -fsSL \ + https://github.com/helmfile/helmfile/releases/download/v0.171.0/helmfile_0.171.0_linux_amd64.tar.gz \ + | tar xz -C /tmp helmfile + sudo mv /tmp/helmfile /usr/local/bin/helmfile - name: Sync ${{ matrix.cluster }} cluster template working-directory: ${{ matrix.cluster }} 
@@ -170,3 +237,12 @@ jobs: OMNI_ENDPOINT: ${{ secrets.OMNI_ENDPOINT }} OMNI_SERVICE_ACCOUNT_KEY: ${{ secrets.OMNI_SERVICE_ACCOUNT_KEY }} run: omnictl cluster template sync -f template.yaml + + - name: helmfile apply — ${{ matrix.cluster }} + working-directory: ${{ matrix.cluster }} + env: + OMNI_ENDPOINT: ${{ secrets.OMNI_ENDPOINT }} + OMNI_SERVICE_ACCOUNT_KEY: ${{ secrets.OMNI_SERVICE_ACCOUNT_KEY }} + run: | + omnictl kubeconfig --cluster ${{ matrix.cluster }} /tmp/${{ matrix.cluster }}.kubeconfig + KUBECONFIG=/tmp/${{ matrix.cluster }}.kubeconfig helmfile apply diff --git a/turing/helm/cilium/values.yaml b/turing/helm/cilium/values.yaml new file mode 100644 index 00000000..540b0b2f --- /dev/null +++ b/turing/helm/cilium/values.yaml @@ -0,0 +1,45 @@ +# Cilium values — turing cluster (Turing Pi, home lab) +# Applied via: helmfile apply (CI) or helmfile diff (PR dry-run) + +# Kube-proxy is disabled in Talos (patches/disable-kubeproxy.yml); +# Cilium handles all service routing through eBPF. +kubeProxyReplacement: true + +# VXLAN tunnel — nodes are on different L2 segments (KubeSpan WireGuard overlay) +routingMode: tunnel +tunnelProtocol: vxlan +autoDirectNodeRoutes: false + +bpf: + masquerade: true + +ipam: + mode: kubernetes + +ipv6: + enabled: false + +# L2 announcements — exposes LoadBalancer IPs on the LAN (pool: 192.168.1.200-250) +l2announcements: + enabled: true + leaseDuration: 3s + leaseRenewDeadline: 1s + leaseRetryPeriod: 200ms + +externalIPs: + enabled: true + +operator: + # 3 control-plane nodes — keep 1 replica (bumping to 2 is safe but unnecessary) + replicas: 1 + +hubble: + enabled: true + tls: + auto: + method: helm + certValidityDuration: 1095 # 3 years + relay: + enabled: true + ui: + enabled: false diff --git a/turing/helmfile.yaml b/turing/helmfile.yaml new file mode 100644 index 00000000..8ff36560 --- /dev/null +++ b/turing/helmfile.yaml 
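Review bot: The `l2announcements` comment cites a LAN pool `192.168.1.200-250`, but this values file only enables the feature; the policy and IP-pool objects that presumably came from `common/cilium/L2Announcement.yaml` were commented out in PATCH 3 and nothing in this patch re-creates them, so unless they are managed elsewhere LoadBalancer services will get no IP announced after the move to Helm. Either add them to `turing/helmfile.yaml` or make the comment say where they live, e.g. `# L2 announcement policy + IP pool are managed in <location> — this file only enables the feature`. The `kubeProxyReplacement: true` comment references `patches/disable-kubeproxy.yml`, which is not part of this series, so that dependency is worth confirming against the repo.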
@@ -0,0 +1,11 @@ +repositories: + - name: cilium + url: https://helm.cilium.io/ + +releases: + - name: cilium + namespace: kube-system + chart: cilium/cilium + version: "1.18.2" + values: + - helm/cilium/values.yaml From bc33d7bd483a65af4b1a152c22ef42819c5dcbdb Mon Sep 17 00:00:00 2001 From: Quentin Joly Date: Tue, 28 Apr 2026 08:30:51 +0200 Subject: [PATCH 5/7] fix pipeline --- .github/workflows/omni-template-sync.yaml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/omni-template-sync.yaml b/.github/workflows/omni-template-sync.yaml index cb9518fd..bb5e03fa 100644 --- a/.github/workflows/omni-template-sync.yaml +++ b/.github/workflows/omni-template-sync.yaml @@ -95,10 +95,7 @@ jobs: | tar xz -C /tmp linux-amd64/helm sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm - # helm-diff plugin (required by helmfile diff) - helm plugin install https://github.com/databus23/helm-diff - - # helmfile + # helmfile (no helm-diff plugin needed — we use --dry-run instead) curl -fsSL \ https://github.com/helmfile/helmfile/releases/download/v0.171.0/helmfile_0.171.0_linux_amd64.tar.gz \ | tar xz -C /tmp helmfile @@ -115,7 +112,7 @@ jobs: omnictl cluster template sync -f template.yaml --dry-run \ > /tmp/omni-dry-run.txt 2>&1 - - name: helmfile diff — ${{ matrix.cluster }} + - name: helmfile dry-run — ${{ matrix.cluster }} id: helm-diff continue-on-error: true working-directory: ${{ matrix.cluster }} 
@@ -123,9 +120,11 @@ jobs: OMNI_ENDPOINT: ${{ secrets.OMNI_ENDPOINT }} OMNI_SERVICE_ACCOUNT_KEY: ${{ secrets.OMNI_SERVICE_ACCOUNT_KEY }} run: | + # Skip clusters that don't have a helmfile yet + [ -f helmfile.yaml ] || { echo "(no helmfile.yaml — skipping)" > /tmp/helm-diff.txt; exit 0; } omnictl kubeconfig --cluster ${{ matrix.cluster }} /tmp/${{ matrix.cluster }}.kubeconfig KUBECONFIG=/tmp/${{ matrix.cluster }}.kubeconfig \ - helmfile diff --no-color 2>&1 \ + helmfile apply --dry-run 2>&1 \ | tee /tmp/helm-diff.txt - name: Post dry-run result as PR comment @@ -158,7 +157,7 @@ jobs: omniOut || '(no output)', '```', '', - `### ${s(helmOk)} \`helmfile diff\``, + `### ${s(helmOk)} \`helmfile dry-run\``, '```diff', helmOut || '(no output)', '```', @@ -225,7 +224,7 @@ jobs: | tar xz -C /tmp linux-amd64/helm sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm - # helmfile (apply doesn't require helm-diff) + # helmfile curl -fsSL \ https://github.com/helmfile/helmfile/releases/download/v0.171.0/helmfile_0.171.0_linux_amd64.tar.gz \ | tar xz -C /tmp helmfile @@ -244,5 +243,7 @@ jobs: OMNI_ENDPOINT: ${{ secrets.OMNI_ENDPOINT }} OMNI_SERVICE_ACCOUNT_KEY: ${{ secrets.OMNI_SERVICE_ACCOUNT_KEY }} run: | + # Skip clusters that don't have a helmfile yet + [ -f helmfile.yaml ] || { echo "No helmfile.yaml — skipping helm apply"; exit 0; } omnictl kubeconfig --cluster ${{ matrix.cluster }} /tmp/${{ matrix.cluster }}.kubeconfig KUBECONFIG=/tmp/${{ matrix.cluster }}.kubeconfig helmfile apply From 079326fb6e891b65afc75df98d4a258d96f53402 Mon Sep 17 00:00:00 2001 From: Quentin Joly Date: Tue, 28 Apr 2026 08:54:43 +0200 Subject: [PATCH 6/7] helm diff --- .github/workflows/omni-template-sync.yaml | 42 ++++++++++++----------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/.github/workflows/omni-template-sync.yaml b/.github/workflows/omni-template-sync.yaml index bb5e03fa..b62e48ce 100644 --- a/.github/workflows/omni-template-sync.yaml 
+++ b/.github/workflows/omni-template-sync.yaml @@ -82,24 +82,24 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Install tools (omnictl, helm, helmfile) + - name: Install omnictl run: | - # omnictl curl -sSL -o omnictl \ https://github.com/siderolabs/omni/releases/download/v1.7.1/omnictl-linux-amd64 chmod +x omnictl && sudo mv omnictl /usr/local/bin/omnictl - # helm - curl -fsSL \ - https://get.helm.sh/helm-v3.17.0-linux-amd64.tar.gz \ - | tar xz -C /tmp linux-amd64/helm - sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm + - uses: azure/setup-helm@v4 + with: + version: '3.17.0' - # helmfile (no helm-diff plugin needed — we use --dry-run instead) + - name: Install helmfile + helm-diff plugin + run: | curl -fsSL \ https://github.com/helmfile/helmfile/releases/download/v0.171.0/helmfile_0.171.0_linux_amd64.tar.gz \ | tar xz -C /tmp helmfile sudo mv /tmp/helmfile /usr/local/bin/helmfile + # Pin to v3.9.4 — pre-dates the platformHooks field that breaks older Helm parsers + helm plugin install https://github.com/databus23/helm-diff --version v3.9.4 - name: omnictl dry-run — ${{ matrix.cluster }} id: omni-dry-run @@ -109,10 +109,10 @@ jobs: OMNI_ENDPOINT: ${{ secrets.OMNI_ENDPOINT }} OMNI_SERVICE_ACCOUNT_KEY: ${{ secrets.OMNI_SERVICE_ACCOUNT_KEY }} run: | - omnictl cluster template sync -f template.yaml --dry-run \ + omnictl cluster template sync -f template.yaml -d \ > /tmp/omni-dry-run.txt 2>&1 - - name: helmfile dry-run — ${{ matrix.cluster }} + - name: helmfile diff — ${{ matrix.cluster }} id: helm-diff continue-on-error: true working-directory: ${{ matrix.cluster }} 
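Review bot: `azure/setup-helm@v4` is referenced by a mutable major tag; for a workflow whose environment holds the Omni service-account key, pin third-party actions to a full commit SHA with the tag in a trailing comment, e.g. `- uses: azure/setup-helm@<commit-sha>  # v4`, so a retagged release cannot change what runs here (the same consideration applies to `actions/checkout@v4` and `actions/github-script@v7` used elsewhere in the file). The `helm plugin install ... --version v3.9.4` pin with its explanatory comment is the right pattern. The same `azure/setup-helm@v4` reference is added to the sync job in the `@@ -218,13 +221,12 @@` hunk.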
@@ -120,11 +120,14 @@ jobs: OMNI_ENDPOINT: ${{ secrets.OMNI_ENDPOINT }} OMNI_SERVICE_ACCOUNT_KEY: ${{ secrets.OMNI_SERVICE_ACCOUNT_KEY }} run: | - # Skip clusters that don't have a helmfile yet - [ -f helmfile.yaml ] || { echo "(no helmfile.yaml — skipping)" > /tmp/helm-diff.txt; exit 0; } + if [ ! -f helmfile.yaml ]; then + echo "(no helmfile.yaml — helm not managed for this cluster yet)" \ + > /tmp/helm-diff.txt + exit 0 + fi omnictl kubeconfig --cluster ${{ matrix.cluster }} /tmp/${{ matrix.cluster }}.kubeconfig KUBECONFIG=/tmp/${{ matrix.cluster }}.kubeconfig \ - helmfile apply --dry-run 2>&1 \ + helmfile diff --no-color 2>&1 \ | tee /tmp/helm-diff.txt - name: Post dry-run result as PR comment @@ -157,7 +160,7 @@ jobs: omniOut || '(no output)', '```', '', - `### ${s(helmOk)} \`helmfile dry-run\``, + `### ${s(helmOk)} \`helmfile diff\``, '```diff', helmOut || '(no output)', '```', @@ -218,13 +221,12 @@ jobs: https://github.com/siderolabs/omni/releases/download/v1.7.1/omnictl-linux-amd64 chmod +x omnictl && sudo mv omnictl /usr/local/bin/omnictl - # helm - curl -fsSL \ - https://get.helm.sh/helm-v3.17.0-linux-amd64.tar.gz \ - | tar xz -C /tmp linux-amd64/helm - sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm + - uses: azure/setup-helm@v4 + with: + version: '3.17.0' - # helmfile + - name: Install helmfile + run: | curl -fsSL \ https://github.com/helmfile/helmfile/releases/download/v0.171.0/helmfile_0.171.0_linux_amd64.tar.gz \ | tar xz -C /tmp helmfile From e0dca6ff28e2a3b925a131772b3a79f7ad07fe1b Mon Sep 17 00:00:00 2001 From: Quentin Joly Date: Tue, 28 Apr 2026 13:49:31 +0200 Subject: [PATCH 7/7] Fix helm diff --- .github/workflows/omni-template-sync.yaml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/omni-template-sync.yaml b/.github/workflows/omni-template-sync.yaml index b62e48ce..905af35c 100644 --- a/.github/workflows/omni-template-sync.yaml +++ b/.github/workflows/omni-template-sync.yaml 
@@ -125,7 +125,9 @@ jobs: > /tmp/helm-diff.txt exit 0 fi - omnictl kubeconfig --cluster ${{ matrix.cluster }} /tmp/${{ matrix.cluster }}.kubeconfig + # --service-account generates a static bearer-token kubeconfig (no oidc-login needed in CI) + omnictl kubeconfig --service-account --cluster ${{ matrix.cluster }} --user ci \ + /tmp/${{ matrix.cluster }}.kubeconfig KUBECONFIG=/tmp/${{ matrix.cluster }}.kubeconfig \ helmfile diff --no-color 2>&1 \ | tee /tmp/helm-diff.txt @@ -225,12 +227,14 @@ jobs: with: version: '3.17.0' - - name: Install helmfile + - name: Install helmfile + helm-diff plugin run: | curl -fsSL \ https://github.com/helmfile/helmfile/releases/download/v0.171.0/helmfile_0.171.0_linux_amd64.tar.gz \ | tar xz -C /tmp helmfile sudo mv /tmp/helmfile /usr/local/bin/helmfile + # Pin to v3.9.4 — pre-dates the platformHooks field that breaks older Helm parsers + helm plugin install https://github.com/databus23/helm-diff --version v3.9.4 - name: Sync ${{ matrix.cluster }} cluster template working-directory: ${{ matrix.cluster }} @@ -247,5 +251,7 @@ jobs: run: | # Skip clusters that don't have a helmfile yet [ -f helmfile.yaml ] || { echo "No helmfile.yaml — skipping helm apply"; exit 0; } - omnictl kubeconfig --cluster ${{ matrix.cluster }} /tmp/${{ matrix.cluster }}.kubeconfig + # --service-account generates a static bearer-token kubeconfig (no oidc-login needed in CI) + omnictl kubeconfig --service-account --cluster ${{ matrix.cluster }} --user ci \ + /tmp/${{ matrix.cluster }}.kubeconfig KUBECONFIG=/tmp/${{ matrix.cluster }}.kubeconfig helmfile apply
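Review bot: The static bearer-token kubeconfig written by `omnictl kubeconfig --service-account ... /tmp/${{ matrix.cluster }}.kubeconfig` stays on disk for the rest of the job and is readable by every later step; on GitHub-hosted runners the VM is discarded afterwards, so exposure is bounded, but if self-hosted runners are ever used add a cleanup such as `trap 'rm -f /tmp/${{ matrix.cluster }}.kubeconfig' EXIT` at the top of the script or a final `if: always()` step that removes it. The same generation lines are added to the sync job in the `@@ -247,5 +251,7 @@` hunk. The surrounding `run:` block begins before this hunk.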