From 9303a6aa5b9b575fddca5723bcf00dc6a19d62d3 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Thu, 26 Mar 2026 12:40:30 +0100 Subject: [PATCH 01/15] ci: test ksail-cluster action integration --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index c8ab973c6..45d32065d 100644 --- a/README.md +++ b/README.md @@ -139,3 +139,4 @@ This allows for a clean separation of concerns and allows for modification of th ## Star History [![Star History Chart](https://api.star-history.com/svg?repos=devantler/homelab&type=Date)](https://star-history.com/#devantler/homelab&Date) + From f8da89fbfb78db9108696e8b38377e9c92cff43b Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Thu, 26 Mar 2026 12:46:53 +0100 Subject: [PATCH 02/15] ci: re-trigger CI with fixed ksail-cluster action From fa09316819ac8c7d2f498bc0b9375010319a7cc9 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Thu, 26 Mar 2026 13:25:14 +0100 Subject: [PATCH 03/15] ci: re-trigger CI with updated validate workflow From fe3e26d3e5a7328c7e6722e76004d1c6b388e8e8 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Thu, 26 Mar 2026 21:02:05 +0100 Subject: [PATCH 04/15] ci: add consolidated GitOps test workflow with validation Calls the ci-gitops-test reusable workflow which now includes manifest validation as an early step before cluster provisioning. --- .github/workflows/ci-gitops-test.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/workflows/ci-gitops-test.yaml diff --git a/.github/workflows/ci-gitops-test.yaml b/.github/workflows/ci-gitops-test.yaml new file mode 100644 index 000000000..6780de4d8 --- /dev/null +++ b/.github/workflows/ci-gitops-test.yaml 
@@ -0,0 +1,17 @@ +name: CI - GitOps Test +on: + pull_request: + merge_group: + +permissions: + contents: read + +jobs: + test: + uses: devantler-tech/reusable-workflows/.github/workflows/ci-gitops-test.yaml@main + secrets: + KSAIL_SOPS_KEY: ${{ secrets.KSAIL_SOPS_KEY }} + with: + DISTRIBUTION: Talos + PROVIDER: Docker + VALIDATE: true From 8456a8ebdbb5938fe73e348676caafb10f6e4bb3 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Thu, 26 Mar 2026 21:10:53 +0100 Subject: [PATCH 05/15] ci: rename ci-gitops-test to ci.yaml, scope to main PRs --- .github/workflows/{ci-gitops-test.yaml => ci.yaml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename .github/workflows/{ci-gitops-test.yaml => ci.yaml} (88%) diff --git a/.github/workflows/ci-gitops-test.yaml b/.github/workflows/ci.yaml similarity index 88% rename from .github/workflows/ci-gitops-test.yaml rename to .github/workflows/ci.yaml index 6780de4d8..bb9f491c0 100644 --- a/.github/workflows/ci-gitops-test.yaml +++ b/.github/workflows/ci.yaml @@ -1,7 +1,7 @@ -name: CI - GitOps Test +name: CI on: pull_request: - merge_group: + branches: [main] permissions: contents: read From 63beafe2507e2b3d43d030c03752bdc83e508e71 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Thu, 26 Mar 2026 21:16:08 +0100 Subject: [PATCH 06/15] ci: call ksail-cluster action directly instead of reusable workflow --- .github/workflows/ci.yaml | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index bb9f491c0..b7898cf7d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -8,10 +8,23 @@ permissions: jobs: test: - uses: devantler-tech/reusable-workflows/.github/workflows/ci-gitops-test.yaml@main - secrets: - KSAIL_SOPS_KEY: ${{ secrets.KSAIL_SOPS_KEY }} - with: - DISTRIBUTION: Talos - PROVIDER: Docker - VALIDATE: true + runs-on: ubuntu-latest + steps: + - name: 📑 Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: 🧪 Run GitOps test + uses: devantler-tech/ksail/.github/actions/ksail-cluster@main + with: + distribution: Talos + provider: Docker + init: "false" + validate: "true" + sops-age-key: ${{ secrets.KSAIL_SOPS_KEY }} + hosts-file: ${{ vars.HOSTS_FILE }} + root-ca-cert-file: ${{ vars.ROOT_CA_CERT_FILE }} + push: "true" + reconcile: "true" + delete: "true" From ab86e12e5e1d8b2a6e05901d703b9a646de885b3 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Thu, 26 Mar 2026 21:21:20 +0100 Subject: [PATCH 07/15] Update .github/workflows/ci.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nikolai Emil Damm --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b7898cf7d..b32e14a8b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -22,7 +22,7 @@ jobs: provider: Docker init: "false" validate: "true" - sops-age-key: ${{ secrets.KSAIL_SOPS_KEY }} + sops-age-key: ${{ secrets.SOPS_AGE_KEY }} hosts-file: ${{ vars.HOSTS_FILE }} root-ca-cert-file: ${{ vars.ROOT_CA_CERT_FILE }} push: "true" From 25b95d91b3c5b16c208f71673f539874065af834 Mon Sep 17 00:00:00 2001 
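Review bot: The new step sets `push: "true"` while the checkout keeps `persist-credentials: false` and the workflow grants only `contents: read`, so no write-capable token reaches the action; if "push" means pushing manifests to a git remote or a remote OCI registry this will fail, and if it means a registry local to the throwaway Docker-hosted cluster that intent is worth stating. Suggest a comment above the step such as `# push/reconcile/delete act only on the ephemeral cluster created here; no repository write token is needed — confirm against the ksail-cluster action inputs`. The `hosts-file` and `root-ca-cert-file` inputs come from `vars.*`, which are not secret — acceptable for a public CA certificate, but anything sensitive must stay under `secrets.`.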
From: Nikolai Emil Damm Date: Thu, 26 Mar 2026 21:51:38 +0100 Subject: [PATCH 08/15] ci: pin ksail-cluster action to SHA and add environment - Pin devantler-tech/ksail/.github/actions/ksail-cluster from @main to @4cc958abae21913e32d6effbcc8c02bd1fe5a4f9 - Add environment: ci to the test job for secret protection --- .github/workflows/ci.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b32e14a8b..e08d6f622 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,6 +9,7 @@ permissions: jobs: test: runs-on: ubuntu-latest + environment: ci steps: - name: 📑 Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -16,7 +17,7 @@ jobs: persist-credentials: false - name: 🧪 Run GitOps test - uses: devantler-tech/ksail/.github/actions/ksail-cluster@main + uses: devantler-tech/ksail/.github/actions/ksail-cluster@4cc958abae21913e32d6effbcc8c02bd1fe5a4f9 # main with: distribution: Talos provider: Docker From b3ebab88bcddad524611ac3066f93c2ebf421d43 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Thu, 26 Mar 2026 21:54:05 +0100 Subject: [PATCH 09/15] Rename GitOps test step to System Test Signed-off-by: Nikolai Emil Damm --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e08d6f622..63473c2af 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -16,7 +16,7 @@ jobs: with: persist-credentials: false - - name: 🧪 Run GitOps test + - name: 🧪 System Test uses: devantler-tech/ksail/.github/actions/ksail-cluster@4cc958abae21913e32d6effbcc8c02bd1fe5a4f9 # main with: distribution: Talos From c0b4742ae22ebc309de051c598478379c221a096 Mon Sep 17 00:00:00 2001 
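Review bot: `environment: ci` only protects the SOPS key if `SOPS_AGE_KEY` is defined as an environment secret on `ci` (with protection rules configured there); a repository-level secret of the same name stays readable by this job regardless, so the "secret protection" stated in the commit message is not enforced by this line alone. Worth a comment on the line, e.g. `environment: ci  # SOPS_AGE_KEY is an environment secret here; do not also define it at repository level`. If required reviewers are configured on the environment, a `pull_request` job bound to it waits for approval, which is presumably the intended gate but should be documented so contributors aren't surprised by a pending job. The enclosing `jobs.test` definition continues outside the hunk.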
From: Nikolai Emil Damm Date: Fri, 27 Mar 2026 18:53:41 +0100 Subject: [PATCH 10/15] fix: correct Kyverno schema and update ksail action SHA - Fix schedule-based-quotas.yaml: change variable shorthand to object form with value key per Kyverno v1 ClusterPolicy schema - Update ksail-cluster action SHA to bb3c3623 which includes the patch-skip fix (PR #3417) for helm-release-patch.yaml validation --- .github/workflows/ci.yaml | 2 +- .../schedule-based-quotas/schedule-based-quotas.yaml | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 63473c2af..a59139565 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -17,7 +17,7 @@ jobs: persist-credentials: false - name: 🧪 System Test - uses: devantler-tech/ksail/.github/actions/ksail-cluster@4cc958abae21913e32d6effbcc8c02bd1fe5a4f9 # main + uses: devantler-tech/ksail/.github/actions/ksail-cluster@bb3c36238e379bdc884820a4a8272837c9c89f9d # main with: distribution: Talos provider: Docker diff --git a/k8s/bases/infrastructure/cluster-policies/samples/cost-optimization/schedule-based-quotas/schedule-based-quotas.yaml b/k8s/bases/infrastructure/cluster-policies/samples/cost-optimization/schedule-based-quotas/schedule-based-quotas.yaml index ea7d2acec..109601ed4 100644 --- a/k8s/bases/infrastructure/cluster-policies/samples/cost-optimization/schedule-based-quotas/schedule-based-quotas.yaml +++ b/k8s/bases/infrastructure/cluster-policies/samples/cost-optimization/schedule-based-quotas/schedule-based-quotas.yaml 
@@ -30,10 +30,12 @@ spec: namespace: default key: time - name: currentTime - variable: >- - {{ mockTime || time.Now() | time.ParseInLocation('America/Los_Angeles') }} + variable: + value: >- + {{ mockTime || time.Now() | time.ParseInLocation('America/Los_Angeles') }} - name: isBusinessHours - variable: currentTime.Hour() >= 9 && currentTime.Hour() < 17 && (currentTime.Weekday() >= 1 && currentTime.Weekday() <= 5) + variable: + value: currentTime.Hour() >= 9 && currentTime.Hour() < 17 && (currentTime.Weekday() >= 1 && currentTime.Weekday() <= 5) mutate: patchStrategicMerge: spec: From ec4f1b9988c3b3fd3d2f7e7e0cec4aa7a1f7d789 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Fri, 27 Mar 2026 18:57:51 +0100 Subject: [PATCH 11/15] ci: pin ksail-cluster action to v5.74.3 release tag --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a59139565..e938e39c4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -17,7 +17,7 @@ jobs: persist-credentials: false - name: 🧪 System Test - uses: devantler-tech/ksail/.github/actions/ksail-cluster@bb3c36238e379bdc884820a4a8272837c9c89f9d # main + uses: devantler-tech/ksail/.github/actions/ksail-cluster@e8af568986b21cb6e1ed1b3be92ff9c8c3612363 # v5.74.3 with: distribution: Talos provider: Docker From 1bdf927a4fc9db6fae0ee5dd4a305898af3919c5 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 21:35:13 +0000 Subject: [PATCH 12/15] ci: gate test job to non-fork PRs to prevent secrets access failures Agent-Logs-Url: https://github.com/devantler-tech/platform/sessions/ed897546-6b67-47af-bdda-ca1a94c212c0 Co-authored-by: devantler <26203420+devantler@users.noreply.github.com> --- .github/workflows/ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e938e39c4..25ea6d2d7 100644 
--- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -8,6 +8,7 @@ permissions: jobs: test: + if: github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest environment: ci steps: From 568ea5d3f994e36395d319aef5638d0064f81f0c Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 28 Mar 2026 10:56:25 +0100 Subject: [PATCH 13/15] fix: exclude cost-optimization from policy sync to fix validation The Datree CRD catalog schema for kyverno.io/clusterpolicy_v1 rejects the configMap.key field with additionalProperties: false, causing kubeconform to fail on the synced schedule-based-quotas sample. Since this is a schema bug and the sample is not deployed, exclude the cost-optimization category from sync and remove the existing file. --- .policyignore | 1 + .../schedule-based-quotas.yaml | 44 ------------------- 2 files changed, 1 insertion(+), 44 deletions(-) delete mode 100644 k8s/bases/infrastructure/cluster-policies/samples/cost-optimization/schedule-based-quotas/schedule-based-quotas.yaml diff --git a/.policyignore b/.policyignore index 4ab3f1eaa..4330818c6 100644 --- a/.policyignore +++ b/.policyignore @@ -12,6 +12,7 @@ castai* cert-manager* cleanup* consul* +cost-optimization* external-secret-operator* flux-cel* flux* diff --git a/k8s/bases/infrastructure/cluster-policies/samples/cost-optimization/schedule-based-quotas/schedule-based-quotas.yaml b/k8s/bases/infrastructure/cluster-policies/samples/cost-optimization/schedule-based-quotas/schedule-based-quotas.yaml deleted file mode 100644 index 109601ed4..000000000 --- a/k8s/bases/infrastructure/cluster-policies/samples/cost-optimization/schedule-based-quotas/schedule-based-quotas.yaml +++ /dev/null 
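Review bot: The `if:` guard skips the whole `test` job for fork PRs, and a job skipped by a conditional reports success to required status checks, so pull requests from forks can be merged with no validation run at all. If the action's `validate: "true"` step does not itself need the SOPS key, consider a separate job with no `environment` and no `sops-age-key` that runs unconditionally, and keep this condition only on the secret-bearing system test; the same vacuous-pass gap applies to the `merge_group` branch of the condition added in PATCH 15, where the workflow's only job is skipped in the merge queue. At minimum add a comment on the line: `# fork PRs have no secrets, so the system test is skipped for them — validation is not covered in that case`. The `jobs.test` definition continues outside the hunk.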
@@ -1,44 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: schedule-based-quotas - annotations: - policies.kyverno.io/title: Schedule-based Resource Quotas - policies.kyverno.io/category: Resource Management - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: ResourceQuota, Namespace - policies.kyverno.io/description: >- - Automatically adjusts resource quotas based on time schedules to optimize cloud costs. - During non-business hours, the policy reduces resource quotas to prevent overprovisioning - while ensuring essential services remain operational. - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.23-1.28" -spec: - background: true - rules: - - name: update-quotas-by-schedule - match: - any: - - resources: - kinds: - - ResourceQuota - context: - - name: mockTime - configMap: - name: time-mock - namespace: default - key: time - - name: currentTime - variable: - value: >- - {{ mockTime || time.Now() | time.ParseInLocation('America/Los_Angeles') }} - - name: isBusinessHours - variable: - value: currentTime.Hour() >= 9 && currentTime.Hour() < 17 && (currentTime.Weekday() >= 1 && currentTime.Weekday() <= 5) - mutate: - patchStrategicMerge: - spec: - hard: - cpu: "{{ isBusinessHours ? '20' : '10' }}" - memory: "{{ isBusinessHours ? '40Gi' : '20Gi' }}" From 14423fedccc7d64a8ac7b1c6567fbe89c1557097 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 28 Mar 2026 11:32:49 +0100 Subject: [PATCH 14/15] ci: re-trigger after adding SOPS_AGE_KEY to ci environment From a56f3ca53d65366bf4810ec7c6d1189e87cc9528 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 28 Mar 2026 12:05:29 +0100 Subject: [PATCH 15/15] ci: skip system test in merge queue --- .github/workflows/ci.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 25ea6d2d7..a1af4606f 100644 
--- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -2,13 +2,14 @@ name: CI on: pull_request: branches: [main] + merge_group: permissions: contents: read jobs: test: - if: github.event.pull_request.head.repo.full_name == github.repository + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest environment: ci steps: