Merge branch 'main' into renovate/ghcr.io-gethomepage-homepage-0.x

.github/workflows/flux-hr-sync.yaml → .github/workflows/helm-repository-sync.yaml

@@ -1,6 +1,6 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-name: "Flux Helm Repository Sync"
+name: "Helm Repository Sync"
 
 on:
   workflow_dispatch:
@@ -22,7 +22,7 @@ on:
 
 jobs:
   sync:
-    name: Flux Helm Repository Sync
+    name: Helm Repository Sync
     runs-on: ["gha-runner-scale-set"]
     steps:
       - name: Configure 1password
@@ -52,12 +52,13 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
           fetch-depth: 0
 
-      - name: Setup Homebrew
-        uses: Homebrew/actions/setup-homebrew@master
-
-      - name: Setup Workflow Tools
-        shell: bash
-        run: brew install fluxcd/tap/flux yq
+      - name: Setup mise
+        uses: jdx/mise-action@v2
+        with:
+          mise_toml: |
+            [tools]
+            "aqua:fluxcd/flux2" = "latest"
+            "aqua:mikefarah/yq" = "latest"
 
       - name: Write kubeconfig
         id: kubeconfig

.github/workflows/nas-restart.yaml

@@ -15,12 +15,15 @@
         matrix:
           cluster: ["main", "utility"]
       steps:
+        - name: Configure 1password
+          uses: 1password/load-secrets-action/configure@v2
+          with:
+            service-account-token: ${{ secrets.ONEPASS_SA_TOKEN }}
         - name: Get Secrets
           uses: 1password/load-secrets-action@v2
           with:
             export-env: true
           env:
-            OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.ONEPASS_SA_TOKEN }}
             BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
             BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
             KUBECONFIG: op://Kubernetes/kubernetes/KUBECONFIG_BASE64

.github/workflows/flux-image-test.yaml → .github/workflows/pre-pull-images.yaml

@@ -1,6 +1,6 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-name: "Flux Image Test"
+name: "Pre-pull Images"
 
 on:
   pull_request:
@@ -91,12 +91,12 @@ jobs:
           app-id: ${{ env.BOT_APP_ID }}
           private-key: ${{ env.BOT_APP_PRIVATE_KEY }}
 
-      - name: Setup Homebrew
-        uses: Homebrew/actions/setup-homebrew@master
-
-      - name: Setup Workflow Tools
-        shell: bash
-        run: brew install jo yq
+      - name: Setup mise
+        uses: jdx/mise-action@v2
+        with:
+          mise_toml: |
+            [tools]
+            "aqua:mikefarah/yq" = "latest"
 
       - name: Checkout Default Branch
         uses: actions/checkout@v4
@@ -147,31 +147,98 @@ jobs:
         id: extract-images
         shell: bash
         run: |
-          images=$(jo -a $(grep -vf default.txt pull.txt))
+          images=$(jq --compact-output --raw-input --null-input '[inputs]' < <(grep -vf default.txt pull.txt))
           echo "images=${images}" >> $GITHUB_OUTPUT
           echo "${images}"
           echo "### Images" >> $GITHUB_STEP_SUMMARY
-          echo "${images}" | jq -r 'to_entries[] | "* \(.value)"' >> $GITHUB_STEP_SUMMARY
+          echo "${images}" | jq --raw-output 'to_entries[] | "* \(.value)"' >> $GITHUB_STEP_SUMMARY
 
-  test-images:
-    if: ${{ needs.extract-images.outputs.matrix != '[]' }}
-    name: Test images
+  generate-matrix:
+    name: Generate Matrix
     runs-on: ubuntu-latest
-    needs: ["extract-images"]
+    needs: ["changed-clusters", "extract-images"]
+    outputs:
+      matrix: ${{ steps.generate-matrix.outputs.matrix }}
+    steps:
+      - name: Setup mise
+        uses: jdx/mise-action@v2
+        with:
+          mise_toml: |
+            [tools]
+            "aqua:mikefarah/yq" = "latest"
+
+      - name: Generate Combined Matrix
+        id: generate-matrix
+        run: |
+          images=${{ needs.extract-images.outputs.matrix }}
+          clusters=${{ needs.changed-clusters.outputs.matrix }}
+
+          # Map clusters to their corresponding talosconfig files
+          configs=$(jq -n '
+            {
+              "kubernetes/main": "op://Kubernetes/kubernetes/TALOSCONFIG_MAIN",
+              "kubernetes/utility": "op://Kubernetes/kubernetes/TALOSCONFIG_UTILITY"
+            }
+          ')
+
+          # Combine images with cluster and talosconfig mappings
+          combined=$(jq -n '
+            inputs as $images |
+            inputs as $clusters |
+            inputs as $configs |
+            [
+              $images[] as $image |
+              $clusters[] as $cluster |
+              {
+                image: $image,
+                cluster: $cluster,
+                talosconfig: $configs[$cluster]
+              }
+            ]
+          ' <<<"$images" <<<"$clusters" <<<"$configs")
+
+          echo "matrix=$combined" >> $GITHUB_OUTPUT
+
+      - name: Debug Combined Matrix
+        run: echo "${{ steps.generate-matrix.outputs.matrix }}"
+
+  pre-pull-images:
+    if: ${{ needs.extract-images.outputs.matrix != '[]' }}
+    name: Pre-pull Images
+    runs-on: ["gha-runner-scale-set"]
+    needs: ["generate-matrix"]
     strategy:
-      matrix:
-        images: ${{ fromJSON(needs.extract-images.outputs.matrix) }}
+      matrix: ${{ fromJSON(needs.generate-matrix.outputs.matrix) }}
       max-parallel: 4
       fail-fast: false
     steps:
-      - name: Inspect Image
-        run: docker manifest inspect ${{ matrix.images }}
+      - name: Configure 1password
+        uses: 1password/load-secrets-action/configure@v2
+        with:
+          service-account-token: ${{ secrets.ONEPASS_SA_TOKEN }}
+
+      - name: Get Secrets
+        uses: 1password/load-secrets-action@v2
+        with:
+          export-env: true
+        env:
+          TALOSCONFIG: ${{ matrix.talosconfig }}
+
+      - name: Setup mise
+        uses: jdx/mise-action@v2
+        with:
+          mise_toml: |
+            [tools]
+            "aqua:siderolabs/talos" = "latest"
+
+      - name: Pre-pull Image
+        run: talosctl -n $NODE_IP image pull ${{ matrix.images }}
 
   # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7
-  test-images-success:
+  pre-pull-images-success:
     if: ${{ always() }}
-    needs: ["test-images"]
-    name: Test Images Successful
+    needs: ["pre-pull-images"]
+    name: Pre-pull Images Successful
     runs-on: ubuntu-latest
     steps:
       - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}

.github/workflows/schemas.yaml

@@ -8,7 +8,7 @@ on:
     - cron: "0 0 * * *" # Every day at midnight
   push:
     branches: ["main"]
-    paths: [".github/workflows/publish-schemas.yaml"]
+    paths: [".github/workflows/schemas.yaml"]
 
 jobs:
   publish:
@@ -31,7 +31,7 @@ jobs:
           BOT_APP_ID: op://Kubernetes/github-bot/BOT_APP_ID
           BOT_APP_PRIVATE_KEY: op://Kubernetes/github-bot/BOT_APP_PRIVATE_KEY
           KUBECONFIG: op://Kubernetes/kubernetes/KUBECONFIG_BASE4
-          CLOUDFLARE_API_KEY: op://Kubernetes/cloudflare/CLOUDFLARE_API_KEY_GHA
+          CLOUDFLARE_API_TOKEN: op://Kubernetes/cloudflare/CLOUDFLARE_API_TOKEN_GHA
           CLOUDFLARE_ACCOUNT_ID: op://Kubernetes/cloudflare/CLOUDFLARE_ACCOUNT_TAG
 
       - name: Generate Token
@@ -46,12 +46,12 @@ jobs:
         with:
           token: ${{ steps.app-token.outputs.token }}
 
-      - name: Setup Homebrew
-        uses: Homebrew/actions/setup-homebrew@master
-
-      - name: Setup Workflow Tools
-        shell: bash
-        run: brew install kubernetes-cli
+      - name: Setup mise
+        uses: jdx/mise-action@v2
+        with:
+          mise_toml: |
+            [tools]
+            "aqua:kubernetes/kubectl" = "latest"
 
       - name: Setup Python
         uses: actions/setup-python@v5
@@ -83,7 +83,7 @@ jobs:
       - name: Deploy to Cloudflare Pages
         uses: cloudflare/wrangler-action@v3
         with:
-          apiToken: ${{ env.CLOUDFLARE_API_KEY }}
+          apiToken: ${{ env.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ env.CLOUDFLARE_ACCOUNT_ID }}
           workingDirectory: /home/runner/.datree/crdSchemas
           command: pages deploy --project-name=kube-schemas --branch main .

.github/workflows/flux-ks-sync.yaml → .github/workflows/utility-ks-sync.yaml

@@ -40,13 +40,15 @@ jobs:
         uses: actions/checkout@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
+          fetch-depth: 0
 
-      - name: Setup Homebrew
-        uses: Homebrew/actions/setup-homebrew@master
-
-      - name: Setup Workflow Tools
-        shell: bash
-        run: brew install fluxcd/tap/flux
+      - name: Setup mise
+        uses: jdx/mise-action@v2
+        with:
+          mise_toml: |
+            [tools]
+            "aqua:fluxcd/flux2" = "latest"
+            "aqua:mikefarah/yq" = "latest"
 
       - name: Write kubeconfig
         id: kubeconfig

kubernetes/main/apps/actions-runner-system/gha-runner-scale-set/app/helmrelease.yaml

@@ -42,7 +42,7 @@ spec:
       spec:
         containers:
           - name: runner
-            image: ghcr.io/joryirving/actions-runner:2.321.0@sha256:81f64a94e65c70c676d29e1779d1cc4069665abb970803c76beb08ca234638b6
+            image: ghcr.io/joryirving/actions-runner:2.321.0@sha256:4a11ad0cda33fba7e3fc76effdfdb1ae74b054cd0376e1fbe0b9c9f4e1440da6
             command: ["/home/runner/run.sh"]
     controllerServiceAccount:
       name: gha-runner-scale-set-controller

kubernetes/main/apps/self-hosted/atuin/app/helmrelease.yaml

@@ -33,7 +33,7 @@ spec:
           app:
             image:
               repository: ghcr.io/atuinsh/atuin
-              tag: 18.3.0@sha256:678def8e9d59652a502759ca431f9c5b54ebdd5e9361507c7fcf24705c9862e0
+              tag: 18.4.0@sha256:8c6fa0aea944bf2a39665c9c69df1c2c0f9c05207bda5b942d450142285e3ee1
             env:
               ATUIN_HOST: 0.0.0.0
               ATUIN_PORT: &port 80