Merge branch 'main' into ha-docs

.devcontainer/pre-build.sh

@@ -1,13 +1,14 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 set -eux
 
-# install kubernetes
+# install kubernetes using the minimum tested version
+. hack/k8s-versions.sh
 wget -q -O - https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
-k3d cluster get k3s-default || k3d cluster create --image rancher/k3s:v1.29.10-k3s1 --wait
+k3d cluster get k3s-default || k3d cluster create --image "rancher/k3s:${K8S_VERSIONS[min]}-k3s1" --wait
 k3d kubeconfig merge --kubeconfig-merge-default
 
 # install kubectl
-curl -LO https://dl.k8s.io/release/v1.29.10/bin/linux/$(go env GOARCH)/kubectl
+curl -LO "https://dl.k8s.io/release/${K8S_VERSIONS[min]}/bin/linux/$(go env GOARCH)/kubectl"
 chmod +x ./kubectl
 sudo mv ./kubectl /usr/local/bin/kubectl
 kubectl cluster-info

.github/workflows/ci-build.yaml

@@ -9,8 +9,6 @@ on:
     branches:
       - "main"
       - "release-*"
-  issue_comment:
-    types: [created]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -22,15 +20,6 @@ permissions:
 jobs:
   changed-files:
     name: Get changed files
-    if: >
-      (
-        github.event_name == 'issue_comment' &&
-        github.event.issue.pull_request != null &&
-        github.event.comment.author_association == 'MEMBER' &&
-        github.event.comment.body == '/test'
-      ) || (
-        github.event_name != 'issue_comment'
-      )
     outputs:
       # reference: https://github.com/tj-actions/changed-files#outputs-
       tests: ${{ steps.changed-files.outputs.tests_any_modified == 'true' }}
@@ -271,15 +260,15 @@ jobs:
             profile: minimal
             use-api: true
           - test: test-executor
-            install_k3s_version: v1.29.13+k3s1
+            k8s_version: min
             profile: minimal
             use-api: false
           - test: test-corefunctional
-            install_k3s_version: v1.29.13+k3s1
+            k8s_version: min
             profile: minimal
             use-api: false
           - test: test-functional
-            install_k3s_version: v1.29.13+k3s1
+            k8s_version: min
             profile: minimal
             use-api: false
     steps:
@@ -316,12 +305,11 @@ jobs:
         # but it's noisy and makes the logs for "Start controller/API" hard to follow.
         run: sudo apt-get -y install socat && make kit
       - name: Install and start K3S
+        env:
+          K8S_VERSION: ${{ matrix.k8s_version || 'max' }}
         run: |
-          if ! echo "${{ matrix.install_k3s_version }}" | egrep '^v[0-9]+\.[0-9]+\.[0-9]+\+k3s1$'; then
-            export INSTALL_K3S_VERSION=v1.32.1+k3s1
-          else
-            export INSTALL_K3S_VERSION=${{ matrix.install_k3s_version }}
-          fi
+          . hack/k8s-versions.sh
+          export INSTALL_K3S_VERSION="${K8S_VERSIONS[$K8S_VERSION]}+k3s1"
 
           curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=stable \
             INSTALL_K3S_EXEC="--docker --kubelet-arg=config=${GITHUB_WORKSPACE}/test/e2e/manifests/kubelet-configuration.yaml" \

.github/workflows/docs.yaml

@@ -8,8 +8,6 @@ on:
     branches:
       - main
       - release/*
-  issue_comment:
-    types: [created]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -21,15 +19,6 @@ permissions:
 jobs:
   docs:
     runs-on: ubuntu-24.04
-    if: >
-      (
-        github.event_name == 'issue_comment' &&
-        github.event.issue.pull_request != null &&
-        github.event.comment.author_association == 'MEMBER' &&
-        github.event.comment.body == '/test'
-      ) || (
-        github.event_name != 'issue_comment'
-      )
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0

.spelling

@@ -40,6 +40,7 @@ CloudSQL
 ClusterRoleBinding
 ClusterRoles
 ClusterWorkflowTemplate
+ClusterWorkflowTemplates
 Codespaces
 ConfigMap
 ConfigMaps
@@ -127,6 +128,7 @@ VSCode
 Valasek
 Webhooks
 Welch
+WorkflowEventBinding
 WorkflowTemplate
 WorkflowTemplates
 a.m.
@@ -187,6 +189,7 @@ liveness
 localhost
 maxFailures
 maxSuccess
+md
 memoization
 memoized
 memoizing
@@ -204,6 +207,7 @@ parameterizing
 params
 pprof
 pre-commit
+qps
 rc2
 repo
 roadmap

Makefile

@@ -718,7 +718,7 @@ endif
 .PHONY: docs-spellcheck
 docs-spellcheck: /usr/local/bin/mdspell docs/metrics.md
 	# check docs for spelling mistakes
-	mdspell --ignore-numbers --ignore-acronyms --en-us --no-suggestions --report $(shell find docs -name '*.md' -not -name upgrading.md -not -name README.md -not -name fields.md -not -name upgrading.md -not -name executor_swagger.md -not -path '*/cli/*')
+	mdspell --ignore-numbers --ignore-acronyms --en-us --no-suggestions --report $(shell find docs -name '*.md' -not -name upgrading.md -not -name README.md -not -name fields.md -not -name upgrading.md -not -name executor_swagger.md -not -path '*/cli/*' -not -name tested-kubernetes-versions.md)
 	# alphabetize spelling file -- ignore first line (comment), then sort the rest case-sensitive and remove duplicates
 	$(shell cat .spelling | awk 'NR<2{ print $0; next } { print $0 | "LC_COLLATE=C sort" }' | uniq | tee .spelling > /dev/null)
 
@@ -743,7 +743,7 @@ endif
 .PHONY: docs-lint
 docs-lint: /usr/local/bin/markdownlint docs/metrics.md
 	# lint docs
-	markdownlint docs --fix --ignore docs/fields.md --ignore docs/executor_swagger.md --ignore docs/cli --ignore docs/walk-through/the-structure-of-workflow-specs.md
+	markdownlint docs --fix --ignore docs/fields.md --ignore docs/executor_swagger.md --ignore docs/cli --ignore docs/walk-through/the-structure-of-workflow-specs.md --ignore docs/tested-kubernetes-versions.md
 
 /usr/local/bin/mkdocs:
 # update this in Nix when upgrading it here
@@ -762,6 +762,9 @@ docs: /usr/local/bin/mkdocs \
 	# check environment-variables.md contains all variables mentioned in the code
 	./hack/docs/check-env-doc.sh
 	# build the docs
+ifeq ($(RELEASE_TAG),true)
+	./hack/docs/tested-versions.sh > docs/tested-kubernetes-versions.md
+endif
 	TZ=UTC mkdocs build --strict
 	# tell the user the fastest way to edit docs
 	@echo "ℹ️ If you want to preview your docs, open site/index.html. If you want to edit them with hot-reload, run 'make docs-serve' to start mkdocs on port 8000"

docs/CONTRIBUTING.md

@@ -139,8 +139,6 @@ See the [Stale Action configuration](https://github.com/argoproj/argo-workflows/
 As a member (see [roles](https://github.com/argoproj/argoproj/blob/main/community/membership.md)) of the argo-project you can use the following comments on PRs to trigger actions:
 
 * `/retest` - re-run any failing test cases
-* `/test` - trigger the full test suite.
-Only use this for PRs where the test suite has not automatically triggered - this is almost always wasteful and will not make things pass that `/retest` doesn't pass.
 * `/cherry-pick <branchname>` - will [attempt to cherry-pick](https://github.com/googleapis/repo-automation-bots/tree/main/packages/cherry-pick-bot) this commit after it has been merged to the target branch.
 This can be used prior to merging and the PR will be created after the merge, or commented after merging for an immediate attempt.
 

docs/argo-server.md

@@ -1,11 +1,10 @@
 # Argo Server
 
-> v2.5 and after
-
 !!! Warning "HTTP vs HTTPS"
-    Since v3.0 the Argo Server listens for HTTPS requests, rather than HTTP.
+    By default, the Argo Server listens for HTTPS requests, rather than HTTP.
 
-The Argo Server is a server that exposes an API and UI for workflows. You'll need to use this if you want to [offload large workflows](offloading-large-workflows.md) or the [workflow archive](workflow-archive.md).
+The Argo Server is a server that exposes an API and UI for workflows.
+You'll need to use this if you want to [offload large workflows](offloading-large-workflows.md) or the [workflow archive](workflow-archive.md).
 
 You can run this in either "hosted" or "local" mode.
 
@@ -51,20 +50,19 @@ If the server is running behind reverse proxy with a sub-path different from `/`
 `/argo`), you can set an alternative sub-path with the `--base-href` flag or the `ARGO_BASE_HREF`
 environment variable.
 
-You probably now should [read how to set-up an ingress](#ingress)
-
 ### Transport Layer Security
 
 See [TLS](tls.md).
 
 ### SSO
 
-See [SSO](argo-server-sso.md). See [here](argo-server-sso-argocd.md) about sharing Argo CD's Dex with Argo Workflows.
+See [SSO](argo-server-sso.md).
+See [here](argo-server-sso-argocd.md) about sharing Argo CD's Dex with Argo Workflows.
 
 ## Access the Argo Workflows UI
 
-By default, the Argo UI service is not exposed with an external IP. To access the UI, use one of the
-following:
+By default, the Argo UI service is not exposed with an external IP.
+To access the UI, use one of the following:
 
 ### `kubectl port-forward`
 
@@ -97,7 +95,8 @@ argo-server   LoadBalancer   10.43.43.130   172.18.0.2    2746:30008/TCP   18h
 
 You can get ingress working as follows:
 
-Add `ARGO_BASE_HREF` as environment variable to `deployment/argo-server`. Do not forget to add a trailing '/' character.
+Add `ARGO_BASE_HREF` as environment variable to `deployment/argo-server`.
+Do not forget to add a trailing `/` character.
 
 ```yaml
 ---
@@ -127,8 +126,8 @@ spec:
 
 Create a ingress, with the annotation `ingress.kubernetes.io/rewrite-target: /`:
 
->If TLS is enabled (default in v3.0 and after), the ingress controller must be told
->that the backend uses HTTPS. The method depends on the ingress controller, e.g.
+>If TLS is enabled (which it is by default), the ingress controller must be told that the backend uses HTTPS.
+>The method depends on the ingress controller, e.g.
 >Traefik expects an `ingress.kubernetes.io/protocol` annotation, while `ingress-nginx`
 >uses `nginx.ingress.kubernetes.io/backend-protocol`
 
@@ -162,17 +161,21 @@ Users should consider the following in their set-up of the Argo Server:
 
 ### API Authentication Rate Limiting
 
-Argo Server does not perform authentication directly. It delegates this to either the Kubernetes API Server (when `--auth-mode=client`) and the OAuth provider (when `--auth-mode=sso`). In each case, it is recommended that the delegate implements any authentication rate limiting you need.
+Argo Server does not perform authentication directly.
+It delegates this to either the Kubernetes API Server (when `--auth-mode=client`) and the OAuth provider (when `--auth-mode=sso`).
+In each case, it is recommended that the delegate implements any authentication rate limiting you need.
 
 ### IP Address Logging
 
-Argo Server does not log the IP addresses of API requests. We recommend you put the Argo Server behind a load balancer, and that load balancer is configured to log the IP addresses of requests that return authentication or authorization errors.
+Argo Server does not log the IP addresses of API requests.
+We recommend you put the Argo Server behind a load balancer, and that load balancer is configured to log the IP addresses of requests that return authentication or authorization errors.
 
 ### Rate Limiting
 
 > v3.4 and after
 
-Argo Server by default rate limits to 1000 per IP per minute, you can configure it through `--api-rate-limit`. You can access additional information through the following headers.
+Argo Server by default rate limits to 1000 per IP per second, you can configure it through `--api-rate-limit`.
+You can access additional information through the following headers.
 
 * `X-Rate-Limit-Limit` - the rate limit ceiling that is applicable for the current request.
 * `X-Rate-Limit-Remaining` - the number of requests left for the current rate-limit window.