upbound · kaessert · Jul 21, 2025 · Apr 28, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,48 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Package version (e.g. v0.1.0)
+        required: false
+
+env:
+  UP_API_TOKEN: ${{ secrets.UP_API_TOKEN }}
+  UP_ROBOT_ID: ${{ secrets.UP_ROBOT_ID }}
+  UP_ORG: ${{ secrets.UP_ORG }}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Install and login with up
+        if: env.UP_API_TOKEN != '' && env.UP_ORG != ''
+        uses: upbound/action-up@53fe6395637d884c80d2bbc8c2d75d0ece776ced # v1
+        with:
+          api-token: ${{ secrets.UP_API_TOKEN }}
+          organization: ${{ secrets.UP_ORG }}
+
+      # doesn't work with plain token when pushing otherwise
+      - name: Login to xpkg with robot
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        with:
+          registry: xpkg.upbound.io
+          username: ${{ env.UP_ROBOT_ID }}
+          password: ${{ env.UP_API_TOKEN }}
+
+      - name: Build and Push Upbound project
+        if: env.UP_API_TOKEN != ''
+        uses: upbound/action-up-project@87016022642d4076f1360639bdf0f04527c28983 # v1
+        with:
+          push-project: true
+          tag: ${{ inputs.version || '' }}
+          # login-check does `up org list` which doesn't work with a robot-token
+          skip-login-check: true
diff --git a/.github/workflows/composition-tests.yaml b/.github/workflows/composition-tests.yaml
@@ -0,0 +1,26 @@
+name: Composition Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request: {}
+
+jobs:
+  composition-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Install up
+        uses: upbound/action-up@53fe6395637d884c80d2bbc8c2d75d0ece776ced # v1
+        with:
+          skip-login: true
+
+      - name: Build project
+        run: up project build
+
+      - name: Run composition tests
+        run: up test run tests/*
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -0,0 +1,51 @@
+name: End to End Testing
+
+on:
+  # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+  # pull_request_target is potentially dangerous target so we keep it strict
+  # under the label and benefit from secret propagation
+  pull_request_target:
+    types:
+      - synchronize
+      - labeled
+
+env:
+  UP_API_TOKEN: ${{ secrets.UP_E2E_API_TOKEN || secrets.UP_API_TOKEN }}
+  UP_ORG: ${{ secrets.UP_E2E_ORG || secrets.UP_ORG }}
+  UP_GROUP: ${{ secrets.UP_E2E_GROUP || secrets.UP_GROUP || 'default' }}
+  UP_ROBOT_ID: ${{ secrets.UP_E2E_ROBOT_ID || secrets.UP_ROBOT_ID }}
+
+jobs:
+  e2e:
+    if: contains(github.event.pull_request.labels.*.name, 'run-e2e-tests')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Install and login with up
+        if: env.UP_API_TOKEN != '' && env.UP_ORG != ''
+        uses: upbound/action-up@53fe6395637d884c80d2bbc8c2d75d0ece776ced # v1
+        with:
+          api-token: ${{ env.UP_API_TOKEN }}
+          organization: ${{ env.UP_ORG }}
+
+      # doesn't work with plain token when pushing otherwise
+      - name: Login to xpkg with robot
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        with:
+          registry: xpkg.upbound.io
+          username: ${{ env.UP_ROBOT_ID }}
+          password: ${{ env.UP_API_TOKEN }}
+
+      - name: Build project
+        run: up project build
+
+      - name: Switch up context
+        run: up ctx ${{ env.UP_ORG }}/upbound-gcp-us-central-1/${{ env.UP_GROUP }}
+
+      - name: Run e2e tests
+        run: up test run tests/* --e2e
diff --git a/.github/workflows/packer-build-staging.yml b/.github/workflows/packer-build-staging.yml
@@ -14,6 +14,8 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
+    outputs:
+      ami-id: ${{ steps.ami.outputs.ami-id }}
 
     steps:
       - name: Checkout code
@@ -43,3 +45,14 @@ jobs:
         run: |
           cd packer
           packer build upbox.pkr.hcl
+
+      - name: Extract and Output AMI IDs
+        run: |
+          cd packer
+          echo "### 🎉 AMI Built Successfully" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Extract all AMI IDs and their regions
+          LAST_RUN_ID=$(cat manifest.json | jq -r .last_run_uuid)
+          cat manifest.json | jq -r ".builds[] | select(.packer_run_uuid == \"$LAST_RUN_ID\") | .artifact_id | split(\",\") | .[] | split(\":\") | \"\(.[0]): \(.[1])\"" >> $GITHUB_STEP_SUMMARY
+        id: ami
diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml
@@ -15,6 +15,8 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
+    outputs:
+      ami-id: ${{ steps.ami.outputs.ami-id }}
 
     steps:
       - name: Checkout code
@@ -44,3 +46,14 @@ jobs:
         run: |
           cd packer
           packer build upbox.pkr.hcl
+
+      - name: Extract and Output AMI IDs
+        run: |
+          cd packer
+          echo "### 🎉 AMI Built Successfully" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Extract all AMI IDs and their regions
+          LAST_RUN_ID=$(cat manifest.json | jq -r .last_run_uuid)
+          cat manifest.json | jq -r ".builds[] | select(.packer_run_uuid == \"$LAST_RUN_ID\") | .artifact_id | split(\",\") | .[] | split(\":\") | \"\(.[0]): \(.[1])\"" >> $GITHUB_STEP_SUMMARY
+        id: ami
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -0,0 +1,26 @@
+name: Tag
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version (e.g. v0.1.0)'
+        required: true
+      message:
+        description: 'Tag message'
+        required: true
+
+jobs:
+  create-tag:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Create Tag
+        uses: negz/create-tag@39bae1e0932567a58c20dea5a1a0d18358503320 # v1
+        with:
+          version: ${{ github.event.inputs.version }}
+          message: ${{ github.event.inputs.message }}
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml
@@ -0,0 +1,15 @@
+name: yamllint
+on: [pull_request]
+jobs:
+  yamllint:
+    name: runner / yamllint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: yamllint
+        uses: reviewdog/action-yamllint@f01d8a48fd8d89f89895499fca2cff09f9e9e8c0 # v1.21.0
+        with:
+          reporter: github-pr-review
+          filter_mode: nofilter
+          yamllint_flags: 'apis/'
+          fail_on_error: true
diff --git a/.gitignore b/.gitignore
@@ -23,3 +23,7 @@ go.work.sum
 
 # env file
 .env
+
+_output
+.venv
+.up
diff --git a/Makefile b/Makefile
-Original file line number
+Diff line change
@@ Expand Up / @@ -23,3 +23,7 @@ go.work.sum @@
     # env file
     .env
+    _output
+    .venv
+    .up