Migrate CI into GitHub workflows

.github/workflows/chatops_retest.yaml

@@ -0,0 +1,14 @@
+name: Rerun Failed Actions
+
+permissions:
+  contents: read
+
+on:
+  repository_dispatch:
+    types: [retest-command]
+
+jobs:
+  retest:
+    name: Rerun Failed Actions
+    uses: tektoncd/plumbing/.github/workflows/_chatops_retest.yml@8441d6ffad5bf64f631ed0e67e46192fdedaca47
+    secrets: inherit

.github/workflows/ci.yaml

@@ -0,0 +1,98 @@
+name: ci
+
+on: [pull_request] # yamllint disable-line rule:truthy
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull-request.number || github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+  checks: write # Used to annotate code in the PR
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34  # v5.3.0
+      with:
+        go-version-file: "go.mod"
+    - name: build
+      run: |
+        go build -v ./...
+  linting:
+    needs: [build]
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34  # v5.3.0
+      with:
+        go-version-file: "go.mod"
+    - name: gofmt
+      run: |
+        gofmt_out=$(gofmt -d $(find * -name '*.go' ! -path 'vendor/*' ! -path 'third_party/*'))
+        if [[ -n "$gofmt_out" ]]; then
+            failed=1
+        fi
+        echo "$gofmt_out"
+    - name: golangci-lint
+      uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837  # v6.5.0
+      with:
+        version: v1.64.6
+        only-new-issues: true
+        args: --timeout=10m
+    - name: yamllint
+      run: |
+        apt update && apt install -y yamllint
+        yamllint -c .yamllint $(find . -path ./vendor -prune -o -type f -regex ".*y[a]ml" -print | tr '\n' ' ')
+    - name: check-license
+      run: |
+        go install github.com/google/go-licenses@v1.0.0
+        go-licenses check ./...
+  tests:
+    needs: [build]
+    name: test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34  # v5.3.0
+      with:
+        go-version-file: "go.mod"
+    - name: build
+      run: |
+        make test-unit-verbose-and-race
+  generated:
+    needs: [build]
+    name: Check generated code
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34  # v5.3.0
+      with:
+        go-version-file: "go.mod"
+    - name: generated
+      run: |
+        go install github.com/google/go-licenses@v1.0.0 # Not sure why it is needed here
+        ./hack/verify-codegen.sh
+  multi-arch-build:
+    needs: [build]
+    name: Multi-arch build
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34  # v5.3.0
+      with:
+        go-version-file: "go.mod"
+    - name: make cross
+      run: |
+        make cross
+  e2e-tests:
+    needs: [build]
+    uses: ./.github/workflows/e2e-matrix.yml

.github/workflows/codeql-analysis.yml

@@ -11,12 +11,23 @@
 #
 name: "CodeQL"
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - '**/*.yaml'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [main]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - '**/*.yaml'
   schedule:
     - cron: '30 20 * * 2'
 
@@ -37,34 +48,32 @@ jobs:
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Setup go
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34  # v5.3.0
+      with:
+        go-version-file: "go.mod"
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    # setup cache to speed up the action
-    - uses: actions/cache@v4
-      with:
-        path: |
-          ~/.cache/go-build
-          ~/.cache/pip
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
-
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     # - name: Autobuild
-    #   uses: github/codeql-action/autobuild@v3
+    #   uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -81,4 +90,4 @@ jobs:
         make bin/tkn
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11

.github/workflows/e2e-matrix.yml

@@ -0,0 +1,85 @@
+name: Tekton Integration
+# Adapted from https://github.com/mattmoor/mink/blob/master/.github/workflows/minkind.yaml
+
+on: [workflow_call]
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  e2e-tests:
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.k8s-name }}-${{ matrix.feature-flags }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: true
+    name: e2e tests
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false # Keep running if one leg fails.
+      matrix:
+        k8s-name:
+        - k8s-oldest
+        - k8s-plus-one
+
+        include:
+        - k8s-name: k8s-oldest
+          k8s-version: v1.28.x
+        - k8s-name: k8s-plus-one
+          k8s-version: v1.29.x
+    env:
+      KO_DOCKER_REPO: registry.local:5000/tekton
+      CLUSTER_DOMAIN: c${{ github.run_id }}.local
+      ARTIFACTS: ${{ github.workspace }}/artifacts
+
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34  # v5.3.0
+      with:
+        go-version-file: "go.mod"
+    - uses: ko-build/setup-ko@v0.8
+
+    - name: Install Dependencies
+      working-directory: ./
+      run: |
+        echo '::group:: install go-junit-report'
+        go install github.com/jstemmer/go-junit-report@v0.9.1
+        echo '::endgroup::'
+
+        echo '::group:: created required folders'
+        mkdir -p "${ARTIFACTS}"
+        echo '::endgroup::'
+
+        echo "${GOPATH}/bin" >> "$GITHUB_PATH"
+
+    - name: Run tests
+      run: |
+        ./hack/setup-kind.sh \
+          --registry-url $(echo ${KO_DOCKER_REPO} | cut -d'/' -f 1) \
+          --cluster-suffix c${{ github.run_id }}.local \
+          --nodes 3 \
+          --k8s-version ${{ matrix.k8s-version }} \
+          --e2e-script ./test/e2e-tests.sh \
+          --e2e-env ./test/e2e-tests-kind-prow.env
+
+    - name: Upload test results
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}
+        path: ${{ env.ARTIFACTS }}
+
+    - uses: chainguard-dev/actions/kind-diag@main
+      if: ${{ failure() }}
+      with:
+        artifact-name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}-logs
+
+    - name: Dump Artifacts
+      if: ${{ failure() }}
+      run: |
+        if [[ -d ${{ env.ARTIFACTS }} ]]; then
+          cd ${{ env.ARTIFACTS }}
+          for x in $(find . -type f); do
+            echo "::group:: artifact $x"
+            cat $x
+            echo '::endgroup::'
+          done
+        fi

.github/workflows/slash.yml

@@ -0,0 +1,17 @@
+name: Slash Command Routing
+
+permissions:
+  contents: read
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  check_comments:
+    if: ${{ github.event.issue.pull_request }}
+    permissions:
+      issues: write # for peter-evans/slash-command-dispatch to create issue reaction
+      pull-requests: write # for peter-evans/slash-command-dispatch to create PR reaction
+    uses: tektoncd/plumbing/.github/workflows/_slash.yml@8441d6ffad5bf64f631ed0e67e46192fdedaca47
+    secrets: inherit

Makefile

@@ -118,9 +118,10 @@ lint-yaml: ${YAML_FILES}  ; $(info $(M) running yamllint…) ## runs yamllint on
 	@yamllint -c .yamllint $(YAML_FILES)
 
 ## Tests
-TEST_UNIT_TARGETS := test-unit-verbose test-unit-race
+TEST_UNIT_TARGETS := test-unit-verbose test-unit-race test-unit-verbose-and-race
 test-unit-verbose: ARGS=-v
 test-unit-race:    ARGS=-race
+test-unit-verbose-and-race: ARGS=-v -race
 $(TEST_UNIT_TARGETS): test-unit
 .PHONY: $(TEST_UNIT_TARGETS) test-unit
 test-unit: ; $(info $(M) running unit tests…) ## Run unit tests

go.mod

@@ -26,7 +26,7 @@ require (
 	github.com/tektoncd/chains v0.24.0
 	github.com/tektoncd/hub v1.20.0
 	github.com/tektoncd/pipeline v0.69.0
-	github.com/tektoncd/plumbing v0.0.0-20250116154805-bf07e665a460
+	github.com/tektoncd/plumbing v0.0.0-20250313115811-582146ce551e
 	github.com/tektoncd/triggers v0.31.0
 	github.com/theupdateframework/go-tuf v0.7.0
 	go.opencensus.io v0.24.0

go.sum

@@ -1314,8 +1314,8 @@ github.com/tektoncd/hub v1.20.0 h1:/I5QAglWk62rlfFwN8+ekmQHyaULZpB9hIjqWzyqLbs=
 github.com/tektoncd/hub v1.20.0/go.mod h1:cYjg75tI2IBHAuwmae+8lLKdriv2JoAfnxnVbx6b9+s=
 github.com/tektoncd/pipeline v0.69.0 h1:1KgeNXfsuebg/HQ0lEKO79CDFqKUPrA7gSad5ZbeiHE=
 github.com/tektoncd/pipeline v0.69.0/go.mod h1:n8pgdQTRngXJC06Rii2zunb2GxBz/ZHE5n8AZFx4MdM=
-github.com/tektoncd/plumbing v0.0.0-20250116154805-bf07e665a460 h1:J9Gk3j1x4Yi1qzcUn0w4KekxVdD7qTMdoGCChw3G32A=
-github.com/tektoncd/plumbing v0.0.0-20250116154805-bf07e665a460/go.mod h1:Ks1fp1nPnhJxxT810eOkq2skeIiDuYjq3cIgpS5Gxk4=
+github.com/tektoncd/plumbing v0.0.0-20250313115811-582146ce551e h1:3Zws3++VzABI9V2LLBjW2E7C1RcTKvI/8IHljCHf5V4=
+github.com/tektoncd/plumbing v0.0.0-20250313115811-582146ce551e/go.mod h1:KTAEcFHz49nBdj/+ZX9LjVGjP5aaXm0JFnpqNnMNPuM=
 github.com/tektoncd/triggers v0.31.0 h1:UiOn9sjavdJDEoAT+FZf+L3I1QQvzI31oJm8+GpNa7s=
 github.com/tektoncd/triggers v0.31.0/go.mod h1:Oi+Umveu/vIefYAeS6XOa907tecAvx26sW7J62005tg=
 github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=