wip: testing

.github/workflows/ci.yml

@@ -41,12 +41,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install Forge
-        uses: input-output-hk/catalyst-forge/actions/install@master
+        uses: input-output-hk/catalyst-forge/actions/install@adds-timoni-release
         if: ${{ inputs.forge_version != 'local' }}
         with:
           version: ${{ inputs.forge_version }}
       - name: Install Local Forge
-        uses: input-output-hk/catalyst-forge/actions/install-local@master
+        uses: input-output-hk/catalyst-forge/actions/install-local@adds-timoni-release
         if: ${{ inputs.forge_version == 'local' }}
         with:
           earthly_token: ${{ secrets.earthly_token }}
@@ -61,14 +61,14 @@ jobs:
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
       - name: Setup CI
-        uses: input-output-hk/catalyst-forge/actions/setup@master
+        uses: input-output-hk/catalyst-forge/actions/setup@adds-timoni-release
         with:
           skip_docker: 'true'
           skip_github: 'true'
           skip_earthly: ${{ steps.local.outputs.skip }}
       - name: Discovery
         id: discovery
-        uses: input-output-hk/catalyst-forge/actions/discovery@master
+        uses: input-output-hk/catalyst-forge/actions/discovery@adds-timoni-release
         with:
           filters: |
             ${{ env.FORGE_REGEX_CHECK }}
@@ -80,7 +80,7 @@ jobs:
             ${{ env.FORGE_REGEX_PUBLISH }}
 
   check:
-    uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master
+    uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-timoni-release
     needs: [discover]
     if: (fromJson(needs.discover.outputs.earthfiles)['^check(-.*)?$'] != null) && !failure() && !cancelled()
     with:
@@ -92,7 +92,7 @@ jobs:
       earthly_token: ${{ secrets.earthly_token }}
 
   build:
-    uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master
+    uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-timoni-release
     needs: [discover, check]
     if: (fromJson(needs.discover.outputs.earthfiles)['^build(-.*)?$'] != null) && !failure() && !cancelled()
     with:
@@ -104,7 +104,7 @@ jobs:
       earthly_token: ${{ secrets.earthly_token }}
 
   package:
-    uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master
+    uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-timoni-release
     needs: [discover, check, build]
     if: (fromJson(needs.discover.outputs.earthfiles)['^package(-.*)?$'] != null) && !failure() && !cancelled()
     with:
@@ -116,7 +116,7 @@ jobs:
       earthly_token: ${{ secrets.earthly_token }}
 
   test:
-    uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master
+    uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-timoni-release
     needs: [discover, check, build, package]
     if: (fromJson(needs.discover.outputs.earthfiles)['^test(-.*)?$'] != null) && !failure() && !cancelled()
     with:
@@ -128,7 +128,7 @@ jobs:
       earthly_token: ${{ secrets.earthly_token }}
 
   docs:
-    uses: input-output-hk/catalyst-forge/.github/workflows/docs.yml@master
+    uses: input-output-hk/catalyst-forge/.github/workflows/docs.yml@adds-timoni-release
     needs: [discover, check, build, test]
     if: (fromJson(needs.discover.outputs.earthfiles)['^docs(-.*)?$'] != null) && !failure() && !cancelled()
     with:
@@ -138,7 +138,7 @@ jobs:
       earthly_token: ${{ secrets.earthly_token }}
 
   release:
-    uses: input-output-hk/catalyst-forge/.github/workflows/release.yml@master
+    uses: input-output-hk/catalyst-forge/.github/workflows/release.yml@adds-timoni-release
     needs: [discover, check, build, test]
     if: (fromJson(needs.discover.outputs.releases)[0] != null) && !failure() && !cancelled()
     with:
@@ -150,7 +150,7 @@ jobs:
       earthly_token: ${{ secrets.earthly_token }}
 
   deploy:
-    uses: input-output-hk/catalyst-forge/.github/workflows/deploy.yml@master
+    uses: input-output-hk/catalyst-forge/.github/workflows/deploy.yml@adds-timoni-release
     needs: [discover, check, build, test, release]
     if: (fromJson(needs.discover.outputs.deployments)[0] != null) && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && !failure() && !cancelled()
     with:

.github/workflows/deploy.yml

@@ -41,12 +41,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install Forge
-        uses: input-output-hk/catalyst-forge/actions/install@master
+        uses: input-output-hk/catalyst-forge/actions/install@adds-timoni-release
         if: ${{ inputs.forge_version != 'local' }}
         with:
           version: ${{ inputs.forge_version }}
       - name: Install Local Forge
-        uses: input-output-hk/catalyst-forge/actions/install-local@master
+        uses: input-output-hk/catalyst-forge/actions/install-local@adds-timoni-release
         if: ${{ inputs.forge_version == 'local' }}
         with:
           earthly_token: ${{ secrets.earthly_token }}
@@ -61,11 +61,11 @@ jobs:
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
       - name: Setup CI
-        uses: input-output-hk/catalyst-forge/actions/setup@master
+        uses: input-output-hk/catalyst-forge/actions/setup@adds-timoni-release
         with:
           skip_earthly: ${{ steps.local.outputs.skip }}
       - name: Deploy
-        uses: input-output-hk/catalyst-forge/actions/run@master
+        uses: input-output-hk/catalyst-forge/actions/run@adds-timoni-release
         with:
           command: deploy push
           args: ${{ matrix.deployment }}

.github/workflows/docs.yml

@@ -44,12 +44,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install Forge
-        uses: input-output-hk/catalyst-forge/actions/install@master
+        uses: input-output-hk/catalyst-forge/actions/install@adds-timoni-release
         if: ${{ inputs.forge_version != 'local' }}
         with:
           version: ${{ inputs.forge_version }}
       - name: Install Local Forge
-        uses: input-output-hk/catalyst-forge/actions/install-local@master
+        uses: input-output-hk/catalyst-forge/actions/install-local@adds-timoni-release
         if: ${{ inputs.forge_version == 'local' }}
         with:
           earthly_token: ${{ secrets.earthly_token }}
@@ -64,11 +64,11 @@ jobs:
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
       - name: Setup CI
-        uses: input-output-hk/catalyst-forge/actions/setup@master
+        uses: input-output-hk/catalyst-forge/actions/setup@adds-timoni-release
         with:
           skip_earthly: ${{ steps.local.outputs.skip }}
       - name: Run
-        uses: input-output-hk/catalyst-forge/actions/run@master
+        uses: input-output-hk/catalyst-forge/actions/run@adds-timoni-release
         with:
           command: run
           args: --artifact ${{ env.OUTPUT }} ${{ matrix.earthfile }}

.github/workflows/release.yml

@@ -45,12 +45,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install Forge
-        uses: input-output-hk/catalyst-forge/actions/install@master
+        uses: input-output-hk/catalyst-forge/actions/install@adds-timoni-release
         if: ${{ inputs.forge_version != 'local' }}
         with:
           version: ${{ inputs.forge_version }}
       - name: Install Local Forge
-        uses: input-output-hk/catalyst-forge/actions/install-local@master
+        uses: input-output-hk/catalyst-forge/actions/install-local@adds-timoni-release
         if: ${{ inputs.forge_version == 'local' }}
         with:
           earthly_token: ${{ secrets.earthly_token }}
@@ -65,11 +65,11 @@ jobs:
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
       - name: Setup CI
-        uses: input-output-hk/catalyst-forge/actions/setup@master
+        uses: input-output-hk/catalyst-forge/actions/setup@adds-timoni-release
         with:
           skip_earthly: ${{ steps.local.outputs.skip }}
       - name: Release
-        uses: input-output-hk/catalyst-forge/actions/run@master
+        uses: input-output-hk/catalyst-forge/actions/run@adds-timoni-release
         with:
           command: release
           args: ${{ matrix.release.project }} ${{ matrix.release.name }}

.github/workflows/run.yml

@@ -42,12 +42,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install Forge
-        uses: input-output-hk/catalyst-forge/actions/install@master
+        uses: input-output-hk/catalyst-forge/actions/install@adds-timoni-release
         if: ${{ inputs.forge_version != 'local' }}
         with:
           version: ${{ inputs.forge_version }}
       - name: Install Local Forge
-        uses: input-output-hk/catalyst-forge/actions/install-local@master
+        uses: input-output-hk/catalyst-forge/actions/install-local@adds-timoni-release
         if: ${{ inputs.forge_version == 'local' }}
         with:
           earthly_token: ${{ secrets.earthly_token }}
@@ -62,11 +62,11 @@ jobs:
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
       - name: Setup CI
-        uses: input-output-hk/catalyst-forge/actions/setup@master
+        uses: input-output-hk/catalyst-forge/actions/setup@adds-timoni-release
         with:
           skip_earthly: ${{ steps.local.outputs.skip }}
       - name: Run
-        uses: input-output-hk/catalyst-forge/actions/run@master
+        uses: input-output-hk/catalyst-forge/actions/run@adds-timoni-release
         with:
           command: run
           args: ${{ matrix.earthfile }}

actions/setup/action.yml

@@ -19,6 +19,10 @@ inputs:
     description: If true, skip authenticating to GitHub Container Registry
     required: false
     default: "false"
+  skip_timoni:
+    description: If true, skips installing Timoni CLI if the provider is configured
+    required: false
+    default: "false"
 
 runs:
   using: composite
@@ -169,4 +173,26 @@ runs:
       if: steps.earthly.outputs.token != '' && steps.earthly.conclusion == 'success'
       shell: bash
       run: |
-        earthly org select "${{ steps.earthly.outputs.org }}"
+        earthly org select "${{ steps.earthly.outputs.org }}"
+
+    # Timoni Provider
+    - name: Get Timoni provider configuration
+      id: timoni
+      if: inputs.skip_timoni  == 'false'
+      shell: bash
+      run: |
+        echo "==== Timoni Setup ====="
+        BP=$(forge dump .)
+
+        TIMONI=$(echo "$BP" | jq -r .global.ci.providers.timoni.install)
+        if [[ "$TIMONI" != "true" ]]; then
+          INSTALL=1
+          echo "install=$INSTALL" >> $GITHUB_OUTPUT
+        else
+          echo "Not installing Timoni CLI"
+        fi
+    - name: Install Timoni
+      uses: stefanprodan/timoni/actions/setup@main
+      if: steps.timoni.outputs.install && steps.timoni.conclusion == 'success'
+      with:
+        version: latest

blueprint.cue

@@ -44,6 +44,12 @@ global: {
 				}
 				registry: "ghcr.io"
 			}
+			timoni: {
+				install: true
+				registries: [
+					aws.registry,
+				]
+			}
 		}
 		secrets: [
 			{

lib/project/schema/_embed/schema.cue

@@ -282,6 +282,9 @@ version: "1.0"
 
 // TimoniProvider contains the configuration for the Timoni provider.
 #TimoniProvider: {
+	// Install contains whether to install Timoni in the CI environment.
+	install?: null | bool @go(Install,*bool)
+
 	// Registries contains the registries to use for publishing Timoni modules
 	registries: [...string] @go(Registries,[]string)
 }

lib/project/schema/providers.go

@@ -85,6 +85,9 @@ type ProviderGithub struct {
 
 // TimoniProvider contains the configuration for the Timoni provider.
 type TimoniProvider struct {
+	// Install contains whether to install Timoni in the CI environment.
+	Install *bool `json:"install"`
+
 	// Registries contains the registries to use for publishing Timoni modules
 	Registries []string `json:"registries"`
 }

lib/project/schema/providers_go_gen.cue

@@ -89,6 +89,9 @@ package schema
 
 // TimoniProvider contains the configuration for the Timoni provider.
 #TimoniProvider: {
+	// Install contains whether to install Timoni in the CI environment.
+	install?: null | bool @go(Install,*bool)
+
 	// Registries contains the registries to use for publishing Timoni modules
 	registries: [...string] @go(Registries,[]string)
 }

test/README.md

@@ -0,0 +1,85 @@
+# test
+
+A [timoni.sh](http://timoni.sh) module for deploying test to Kubernetes clusters.
+
+## Install
+
+To create an instance using the default values:
+
+```shell
+timoni -n default apply test oci://<container-registry-url>
+```
+
+To change the [default configuration](#configuration),
+create one or more `values.cue` files and apply them to the instance.
+
+For example, create a file `my-values.cue` with the following content:
+
+```cue
+values: {
+	resources: requests: {
+		cpu:    "100m"
+		memory: "128Mi"
+	}
+}
+```
+
+And apply the values with:
+
+```shell
+timoni -n default apply test oci://<container-registry-url> \
+--values ./my-values.cue
+```
+
+## Uninstall
+
+To uninstall an instance and delete all its Kubernetes resources:
+
+```shell
+timoni -n default delete test
+```
+
+## Configuration
+
+### General values
+
+| Key                          | Type                                    | Default                    | Description                                                                                                                                  |
+|------------------------------|-----------------------------------------|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
+| `image: tag:`                | `string`                                | `<latest version>`         | Container image tag                                                                                                                          |
+| `image: digest:`             | `string`                                | `<latest digest>`          | Container image digest, takes precedence over `tag` when specified                                                                           |
+| `image: repository:`         | `string`                                | `cgr.dev/chainguard/nginx` | Container image repository                                                                                                                   |
+| `image: pullPolicy:`         | `string`                                | `IfNotPresent`             | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy)                                     |
+| `metadata: labels:`          | `{[ string]: string}`                   | `{}`                       | Common labels for all resources                                                                                                              |
+| `metadata: annotations:`     | `{[ string]: string}`                   | `{}`                       | Common annotations for all resources                                                                                                         |
+| `podAnnotations:`            | `{[ string]: string}`                   | `{}`                       | Annotations applied to pods                                                                                                                  |
+| `imagePullSecrets:`          | `[...timoniv1.ObjectReference]`         | `[]`                       | [Kubernetes image pull secrets](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)                 |
+| `tolerations:`               | `[ ...corev1.#Toleration]`              | `[]`                       | [Kubernetes toleration](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration)                                        |
+| `affinity:`                  | `corev1.#Affinity`                      | `{}`                       | [Kubernetes affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| `resources:`                 | `timoniv1.#ResourceRequirements`        | `{}`                       | [Kubernetes resource requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers)                     |
+| `topologySpreadConstraints:` | `[...corev1.#TopologySpreadConstraint]` | `[]`                       | [Kubernetes pod topology spread constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints)            |
+| `podSecurityContext:`        | `corev1.#PodSecurityContext`            | `{}`                       | [Kubernetes pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)                                 |
+| `securityContext:`           | `corev1.#SecurityContext`               | `{}`                       | [Kubernetes container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)                           |
+| `service: annotations:`      | `{[ string]: string}`                   | `{}`                       | Annotations applied to the Kubernetes Service                                                                                                |
+| `service: port:`             | `int`                                   | `80`                       | Kubernetes Service HTTP port                                                                                                                 |
+| `test: enabled:`             | `bool`                                  | `false`                    | Run end-to-end tests at install and upgrades                                                                                                 |
+
+#### Recommended values
+
+Comply with the restricted [Kubernetes pod security standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/):
+
+```cue
+values: {
+	podSecurityContext: {
+		runAsUser:  65532
+		runAsGroup: 65532
+		fsGroup:    65532
+	}
+	securityContext: {
+		allowPrivilegeEscalation: false
+		readOnlyRootFilesystem:   false
+		runAsNonRoot:             true
+		capabilities: drop: ["ALL"]
+		seccompProfile: type: "RuntimeDefault"
+	}
+}
+```

test/blueprint.cue

@@ -0,0 +1,13 @@
+version: "1.0"
+project: {
+	name: "timoni-test"
+	release: {
+		timoni: {
+			on: always: {}
+			config: {
+				container: "timoni-test"
+				tag:       "v1.0.0"
+			}
+		}
+	}
+}