From ebdc700bc19491980c15bfab93bd170704116590 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 11:05:45 +0000 Subject: [PATCH 001/149] chore(container): update image ghcr.io/bjw-s/mdbook to 6533c20 --- .github/workflows/publish-docs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 4b187ccf7ffcd..f05c83415d79e 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -42,7 +42,7 @@ jobs: enablement: true - name: Build docs - uses: docker://ghcr.io/bjw-s/mdbook:0.4.36@sha256:fb39e02eb5bcc052e2883dad6d9dd480a4fbd2a69b4e3404682f7ac215a5d501 + uses: docker://ghcr.io/bjw-s/mdbook:0.4.36@sha256:6533c20dc501ddc1f1747dcd99964df869befbc4f48030bd1efda9fe05ac5417 with: args: mdbook build docs From 834ffd9694ffe32513f7412bebb869e429b606be Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 07:21:57 -0500 Subject: [PATCH 002/149] use nixpkgs-unstable --- .github/workflows/resources/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/resources/flake.nix b/.github/workflows/resources/flake.nix index 5c57c3b53c8b6..5d4c741b651c1 100644 --- a/.github/workflows/resources/flake.nix +++ b/.github/workflows/resources/flake.nix @@ -1,7 +1,7 @@ { description = "CI Nix Flake"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; flake-utils.url = "github:numtide/flake-utils"; }; outputs = { self, nixpkgs, flake-utils }: From 17272456ef8d643ba006ec955a6c6785feed8ff1 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 07:47:04 -0500 Subject: [PATCH 003/149] chore: update lychee gh workflow Signed-off-by: Devin Buhl --- .github/workflows/lychee.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/lychee.yaml b/.github/workflows/lychee.yaml index 1159eabfdc588..4bf3d8ca4fcc3 100644 --- a/.github/workflows/lychee.yaml +++ b/.github/workflows/lychee.yaml @@ -49,5 +49,5 @@ jobs: token: "${{ steps.app-token.outputs.token }}" title: Link Checker Dashboard 🔗 issue-number: "${{ steps.issue-number.outputs.issue-number }}" - content-filepath: ./lychee/out.md + content-filepath: ./lychee/results.md labels: "${{ env.ISSUE_LABEL }}" From 5a3fa7d47f86e51d4d6ff4b76e649a306ae82011 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 07:50:48 -0500 Subject: [PATCH 004/149] chore: update lychee gh workflow Signed-off-by: Devin Buhl --- .github/workflows/lychee.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lychee.yaml b/.github/workflows/lychee.yaml index 4bf3d8ca4fcc3..089b4a1290652 100644 --- a/.github/workflows/lychee.yaml +++ b/.github/workflows/lychee.yaml @@ -34,6 +34,7 @@ jobs: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" with: args: --verbose --no-progress --exclude-mail './**/*.md' + output: /tmp/results.md - name: Find Link Checker Issue id: issue-number @@ -49,5 +50,5 @@ jobs: token: "${{ steps.app-token.outputs.token }}" title: Link Checker Dashboard 🔗 issue-number: "${{ steps.issue-number.outputs.issue-number }}" - content-filepath: ./lychee/results.md + content-filepath: /tmp/results.md labels: "${{ env.ISSUE_LABEL }}" From b32fc5819f97c4c9639808e42da7949b923611de Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 07:52:04 -0500 Subject: [PATCH 005/149] chore: update lychee gh workflow Signed-off-by: Devin Buhl --- .github/workflows/lychee.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lychee.yaml b/.github/workflows/lychee.yaml index 089b4a1290652..e6b9b7ca6b8cf 100644 --- a/.github/workflows/lychee.yaml +++ b/.github/workflows/lychee.yaml 
@@ -5,7 +5,7 @@ name: "Lychee" on: workflow_dispatch: schedule: - - cron: "0 0 * * 0" + - cron: "0 0 * * *" env: ISSUE_LABEL: lint/lychee From 7ef2b90355ef0bca6d6bf4743553b12a967d243a Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 08:48:58 -0500 Subject: [PATCH 006/149] chore: match more than just yaml in flux-diff Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 61bc667bc288d..a2d8535d30cd6 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -5,7 +5,7 @@ name: "Flux Diff" on: pull_request: branches: ["main"] - paths: ["kubernetes/**.yaml"] + paths: ["kubernetes/**"] env: DEBCONF_NONINTERACTIVE_SEEN: "true" From 990e439f28e14413b32c8fbd1563c55b346dcf19 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 09:10:52 -0500 Subject: [PATCH 007/149] feat: expose rgw via ingress on internal ingress Signed-off-by: Devin Buhl --- .../rook-ceph/cluster/kustomization.yaml | 1 + .../rook-ceph/cluster/rgw-external.yaml | 53 +++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 kubernetes/main/apps/rook-ceph/rook-ceph/cluster/rgw-external.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml index 17cbc72b25c80..99974dc489025 100644 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml @@ -4,3 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml + - ./rgw-external.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/rgw-external.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/rgw-external.yaml new file mode 100644 index 0000000000000..98d5cdd330d0b --- /dev/null 
+++ b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/rgw-external.yaml @@ -0,0 +1,53 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/ceph.rook.io/cephobjectstoreuser_v1.json +apiVersion: ceph.rook.io/v1 +kind: CephObjectStoreUser +metadata: + name: cluster-admin +spec: + # https://rook.io/docs/rook/v1.13/Storage-Configuration/Object-Storage-RGW/object-storage/ + store: ceph-objectstore + displayName: Cluster Admin +--- +apiVersion: v1 +kind: Service +metadata: + name: rook-ceph-rgw-ceph-objectstore-external + namespace: rook-ceph + labels: + app: rook-ceph-rgw + rook_cluster: rook-ceph + rook_object_store: ceph-objectstore +spec: + type: NodePort + selector: + app: rook-ceph-rgw + rook_cluster: rook-ceph + rook_object_store: ceph-objectstore + ports: + - name: rgw + port: 80 + protocol: TCP + targetPort: 80 + sessionAffinity: None +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: rook-ceph-rgw +spec: + ingressClassName: internal + rules: + - host: &host rook-ceph-rgw.devbu.io + http: + paths: + - backend: + service: + name: rook-ceph-rgw-ceph-objectstore-external + port: + number: 80 + path: / + pathType: Prefix + tls: + - hosts: + - *host From febf1528ede8a67701eca62e48c57fb489efb207 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 09:21:33 -0500 Subject: [PATCH 008/149] chore: flux resources should not have a namespace resource in kustomization Signed-off-by: Devin Buhl --- kubernetes/main/apps/flux-system/addons/app/kustomization.yaml | 1 - .../addons/app/notifications/alert-manager/notification.yaml | 2 -- .../addons/app/notifications/github/externalsecret.yaml | 1 - .../addons/app/notifications/github/notification.yaml | 2 -- .../flux-system/addons/app/webhooks/github/externalsecret.yaml | 1 - .../apps/flux-system/addons/app/webhooks/github/ingress.yaml | 1 - .../apps/flux-system/addons/app/webhooks/github/receiver.yaml | 1 - 7 files changed, 9 deletions(-) 
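Review bot: The new `rook-ceph-rgw-ceph-objectstore-external` Service is declared `type: NodePort`, which opens the RGW endpoint on a port of every node in addition to the Ingress this commit is about. The Ingress reaches the Service by name and port 80, so `type: ClusterIP` would be enough and would keep the object store reachable only through the `internal` ingress class. If the NodePort is intentional, a comment on that line such as `# NodePort kept for clients that cannot use the ingress` would record why. The Ingress and the `cluster-admin` CephObjectStoreUser also omit `metadata.namespace` while the Service sets `namespace: rook-ceph`, so they presumably rely on a namespace applied elsewhere; worth confirming that all three land in the same namespace.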
diff --git a/kubernetes/main/apps/flux-system/addons/app/kustomization.yaml b/kubernetes/main/apps/flux-system/addons/app/kustomization.yaml index c6d032d1581ea..feb053584c4dc 100644 --- a/kubernetes/main/apps/flux-system/addons/app/kustomization.yaml +++ b/kubernetes/main/apps/flux-system/addons/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: flux-system resources: - ./monitoring - ./notifications diff --git a/kubernetes/main/apps/flux-system/addons/app/notifications/alert-manager/notification.yaml b/kubernetes/main/apps/flux-system/addons/app/notifications/alert-manager/notification.yaml index 128c06eba5f4b..fa3a51662728a 100644 --- a/kubernetes/main/apps/flux-system/addons/app/notifications/alert-manager/notification.yaml +++ b/kubernetes/main/apps/flux-system/addons/app/notifications/alert-manager/notification.yaml @@ -4,7 +4,6 @@ apiVersion: notification.toolkit.fluxcd.io/v1beta3 kind: Provider metadata: name: alert-manager - namespace: flux-system spec: type: alertmanager address: http://alertmanager-operated.observability.svc.cluster.local:9093/api/v2/alerts/ @@ -14,7 +13,6 @@ apiVersion: notification.toolkit.fluxcd.io/v1beta3 kind: Alert metadata: name: alert-manager - namespace: flux-system spec: providerRef: name: alert-manager diff --git a/kubernetes/main/apps/flux-system/addons/app/notifications/github/externalsecret.yaml b/kubernetes/main/apps/flux-system/addons/app/notifications/github/externalsecret.yaml index a560f1bfa78f1..e3353ed7475e6 100644 --- a/kubernetes/main/apps/flux-system/addons/app/notifications/github/externalsecret.yaml +++ b/kubernetes/main/apps/flux-system/addons/app/notifications/github/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: github-token - namespace: flux-system spec: secretStoreRef: kind: ClusterSecretStore 
diff --git a/kubernetes/main/apps/flux-system/addons/app/notifications/github/notification.yaml b/kubernetes/main/apps/flux-system/addons/app/notifications/github/notification.yaml index 115ebcbdb27ac..eea2b5d9fbf51 100644 --- a/kubernetes/main/apps/flux-system/addons/app/notifications/github/notification.yaml +++ b/kubernetes/main/apps/flux-system/addons/app/notifications/github/notification.yaml @@ -4,7 +4,6 @@ apiVersion: notification.toolkit.fluxcd.io/v1beta3 kind: Provider metadata: name: github - namespace: flux-system spec: type: github address: https://github.com/onedr0p/home-ops @@ -16,7 +15,6 @@ apiVersion: notification.toolkit.fluxcd.io/v1beta3 kind: Alert metadata: name: github - namespace: flux-system spec: providerRef: name: github diff --git a/kubernetes/main/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml b/kubernetes/main/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml index 29936d1c3faf3..926424b216174 100644 --- a/kubernetes/main/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml +++ b/kubernetes/main/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: github-webhook-token - namespace: flux-system spec: secretStoreRef: kind: ClusterSecretStore diff --git a/kubernetes/main/apps/flux-system/addons/app/webhooks/github/ingress.yaml b/kubernetes/main/apps/flux-system/addons/app/webhooks/github/ingress.yaml index 199f3da0f8e26..cabedb9505276 100644 --- a/kubernetes/main/apps/flux-system/addons/app/webhooks/github/ingress.yaml +++ b/kubernetes/main/apps/flux-system/addons/app/webhooks/github/ingress.yaml @@ -3,7 +3,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: webhook-receiver - namespace: flux-system annotations: external-dns.alpha.kubernetes.io/target: external.devbu.io spec: 
diff --git a/kubernetes/main/apps/flux-system/addons/app/webhooks/github/receiver.yaml b/kubernetes/main/apps/flux-system/addons/app/webhooks/github/receiver.yaml index 156347a211bb5..fd67703a220a0 100644 --- a/kubernetes/main/apps/flux-system/addons/app/webhooks/github/receiver.yaml +++ b/kubernetes/main/apps/flux-system/addons/app/webhooks/github/receiver.yaml @@ -4,7 +4,6 @@ apiVersion: notification.toolkit.fluxcd.io/v1 kind: Receiver metadata: name: home-ops - namespace: flux-system spec: type: github events: From d2d1d853d2b476166a9e62316eb87e98fcd6b465 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 10:34:33 -0500 Subject: [PATCH 009/149] feat(github-action)!: Update actions/deploy-pages action to v4.0.0 (#6599) Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .github/workflows/publish-docs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index f05c83415d79e..8077d5822985e 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -68,7 +68,7 @@ jobs: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@13b55b33dd8996121833dbc1db458c793a334630 # v3.0.1 + uses: actions/deploy-pages@f33f41b675f0ab2dc5a6863c9a170fe83af3571e # v4.0.0 with: token: "${{ steps.app-token.outputs.token }}" artifact_name: github-pages From 25cbac217e68a30730fc52b742576780fcc01cb7 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 10:34:42 -0500 Subject: [PATCH 010/149] feat(github-action)!: Update actions/upload-pages-artifact action to v3.0.0 (#6600) Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .github/workflows/publish-docs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 8077d5822985e..1482b76e717a9 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -47,7 +47,7 @@ jobs: args: mdbook build docs - name: Upload artifact - uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0 + uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8 # v3.0.0 with: path: ./docs/book From 3b37947d237d4ffca56870b96cca932ae28c16ec Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 10:35:09 -0500 Subject: [PATCH 011/149] fix(terraform): update terraform http to 3.4.1 (#6598) Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- terraform/main/cloudflare/.terraform.lock.hcl | 48 +++++++++---------- terraform/main/cloudflare/main.tf | 2 +- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/main/cloudflare/.terraform.lock.hcl b/terraform/main/cloudflare/.terraform.lock.hcl index eadf5c351539b..1dae4352fb6b3 100644 --- a/terraform/main/cloudflare/.terraform.lock.hcl +++ b/terraform/main/cloudflare/.terraform.lock.hcl 
@@ -60,31 +60,31 @@ provider "registry.terraform.io/cloudflare/cloudflare" { } provider "registry.terraform.io/hashicorp/http" { - version = "3.4.0" - constraints = "3.4.0" + version = "3.4.1" + constraints = "3.4.1" hashes = [ - "h1:AaRLrzxA1t02OIwO32uLp85npqRLZSwPFgrHxb9qp0c=", - "h1:Ebz2ySdvdNR8T1LBlKYjkUVShfDZQOeoEPwE7Kt1R3o=", - "h1:QXyGXwWgTmlhJZhlsZpkZ/Bz0YKzmwO8zmmRM09Jnzc=", - "h1:YWO/DmxRoJwzMcQavmIKO5pTavIPt0bbBRZBpBaC8MY=", - "h1:YifspScDMuGENA14TfTr7fByjWYq1GGNmAULIBXzHGk=", - "h1:ZWoE0ARqUMnujHu62cMkmjF2+FoWwUn9YbHjiKPq0e8=", - "h1:ZYJW4peMhgPv5SxYCCBJ9LB5tWz7Z/q2UoIBGiuDgvI=", - "h1:gLCUuF4yN2uNA0FjVXCJd65ZnI8VKJVsZEYKRem1JUM=", - "h1:h3URn6qAnP36OlSqI1tTuKgPL3GriZaJia9ZDrUvRdg=", - "h1:m0d6+9xK/9TJSE9Z6nM4IwHXZgod4/jkdsf7CZSpUvo=", - "h1:tVyo3HTmBDTeaPRhOXucb5eyRouvXlTydHXPyVLAAFA=", - "zh:56712497a87bc4e91bbaf1a5a2be4b3f9cfa2384baeb20fc9fad0aff8f063914", - "zh:6661355e1090ebacab16a40ede35b029caffc279d67da73a000b6eecf0b58eba", - "zh:67b92d343e808b92d7e6c3bbcb9b9d5475fecfed0836963f7feb9d9908bd4c4f", + "h1:0ZTpURRPf/5CZCjbo06yZhxnpqOe3YLpKXzbmyLZ0eQ=", + "h1:8LwXr5bVU7HepPkfzXge3fBNN6A14LeWgbtm7T1g/iA=", + "h1:9qCkAyW738gFicV6cSLs1EKPLxyJ//D231+eWEMGLtw=", + "h1:FheIljbOzcw9WXX28reLCaNrQlZuE49S6oBFeT6qoaU=", + "h1:LwCRujohuC7VQb6QtaZHA4BPgwkUALO7MlmZXgYTUYE=", + "h1:RLJ1zsc2ScUFapTANM91XHyAY7715gP3yPlBOcaBKuk=", + "h1:UQUGsexUBuu7mC3YG4soR66fhVYPeo6+zB7sUtR3evU=", + "h1:WHowkin6m5sX2+SjPVI3kMOkWpFQf8jd2cDlZa0NF/4=", + "h1:cRuTokLfCeRUISqxeoQBVkYyW8gWDs0+2/fVsfFVIvk=", + "h1:qWyzt0smtLitATspBvlcntwRlyTLnbxpkVV4INmq1PQ=", + "h1:uJ4vgW0m1oBYNHXrltZ9xI34EXlkaJgL2vyGssBFNv4=", + "zh:2a79832069a34e88ec997fb8d2c2bdad6f40bfe93a4ae5e6e7f0caf4eea2a9e5", + "zh:37d3611857ab207e1565e441a2df9020b1326b7df31e5656165cb6817306494b", + "zh:48cc974b12544be18c18bfcb5ea21a4818d03b897e96fb9b4d0d9303883cb3fa", + "zh:4b8da2ffe868082830173fdcc8632e2705918e0396c72158d7822650bb1d3bf6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - 
"zh:86ebb9be9b685c96dbb5c024b55d87526d57a4b127796d6046344f8294d3f28e", - "zh:902be7cfca4308cba3e1e7ba6fc292629dfd150eb9a9f054a854fa1532b0ceba", - "zh:9ba26e0215cd53b21fe26a0a98c007de1348b7d13a75ae3cfaf7729e0f2c50bb", - "zh:a195c941e1f1526147134c257ff549bea4c89c953685acd3d48d9de7a38f39dc", - "zh:a7967b3d2a8c3e7e1dc9ae381ca753268f9fce756466fe2fc9e414ca2d85a92e", - "zh:bde56542e9a093434d96bea21c341285737c6d38fea2f05e12ba7b333f3e9c05", - "zh:c0306f76903024c497fd01f9fd9bace5854c263e87a97bc2e89dcc96d35ca3cc", - "zh:f9335a6c336171e85f8e3e99c3d31758811a19aeb21fa8c9013d427e155ae2a9", + "zh:8148614299a21be04dd11268047e110df3ce9ef585d6240bed2f196839946efa", + "zh:a6d583cb70b1355fbc7b1c2cffaa53e4703b04ced9d0ecf78708129ce7072128", + "zh:a95f770e8913dd48fde8836cf993fafdbf7da5308a6fbd3d455cb10737742990", + "zh:b36784e6602e6ae7ba67560ebcfd055b4448cb0edf9bf35744c2f32ddbd8fa2d", + "zh:c23b37fd9e481269fc55735b24c7e8877057c08b42671c796816409d54486a1c", + "zh:df07252b27120020d91d7ad11f7ea92832d8df2e81b55a658ac1eb93dc6b8d18", + "zh:e44dc5a1fd5995bfd21d385949d539c619e8b37b69875bd92ad4aa18e2435722", ] } diff --git a/terraform/main/cloudflare/main.tf b/terraform/main/cloudflare/main.tf index 89e6c441f7efc..624b7d2ce43c2 100644 --- a/terraform/main/cloudflare/main.tf +++ b/terraform/main/cloudflare/main.tf @@ -13,7 +13,7 @@ terraform { } http = { source = "hashicorp/http" - version = "3.4.0" + version = "3.4.1" } } required_version = ">= 1.3.0" From f198150d97684e01fb07bc9d5c4dda445be2da9e Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 10:35:24 -0500 Subject: [PATCH 012/149] feat(container): update image thanos to v12.19.0 (#6597) Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/observability/thanos/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml index 0a9ecb6eacabd..caad7004dbc39 100644 --- a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: thanos - version: 12.18.0 + version: 12.19.0 sourceRef: kind: HelmRepository name: bitnami From 26f3b48d1f4f1e60022ecf507e99e18e69ab2efe Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 10:36:49 -0500 Subject: [PATCH 013/149] chore: add workflow_dispatch to publish docs workflow Signed-off-by: Devin Buhl --- .github/workflows/publish-docs.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 1482b76e717a9..82422982cbf61 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -3,6 +3,7 @@ name: "Publish Docs" on: + workflow_dispatch: push: branches: ["main"] paths: From a1adf39ee449001d0580f29a0afd543fbf07353d Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 10:40:22 -0500 Subject: [PATCH 014/149] chore: add new perms for docs workflow Signed-off-by: Devin Buhl --- .github/workflows/publish-docs.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 82422982cbf61..758e45629e3ec 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -12,9 +12,10 @@ on: - README.md permissions: + actions: write contents: read - pages: write id-token: write + pages: write jobs: build: From dff96d48685b9cd024e290dfbad705854f3de899 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 11:05:42 -0500 Subject: [PATCH 015/149] feat: upgrade zot to v2 
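Review bot: `actions: write` is added to the workflow-level `permissions:` block of publish-docs.yaml, so every job in the workflow receives a GITHUB_TOKEN with that scope, not only the step that needs it. The hunk does not show which step requires it; consider moving the grant to that job's own `permissions:` block and, if read access to artifacts is all that is needed, reducing it to `actions: read`. A short comment on the entry, e.g. `actions: write # needed by <step name> - confirm`, would record the reason. The `jobs:` section continues outside the hunk.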
Signed-off-by: Devin Buhl --- .github/workflows/publish-docs.yaml | 1 - .../storage/apps/default/zot/app/helmrelease.yaml | 4 ++-- .../apps/default/zot/app/resources/config.json | 12 ++++++------ 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 758e45629e3ec..9c516b39992c5 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -73,4 +73,3 @@ jobs: uses: actions/deploy-pages@f33f41b675f0ab2dc5a6863c9a170fe83af3571e # v4.0.0 with: token: "${{ steps.app-token.outputs.token }}" - artifact_name: github-pages diff --git a/kubernetes/storage/apps/default/zot/app/helmrelease.yaml b/kubernetes/storage/apps/default/zot/app/helmrelease.yaml index 8f922bd4cb555..786f5873a6b0b 100644 --- a/kubernetes/storage/apps/default/zot/app/helmrelease.yaml +++ b/kubernetes/storage/apps/default/zot/app/helmrelease.yaml @@ -32,7 +32,7 @@ spec: main: image: repository: ghcr.io/project-zot/zot-linux-amd64 - tag: v1.4.3@sha256:e5a5be113155d1e0032e5d669888064209da95c107497524f8d4eac8ed50b378 + tag: v2.0.0@sha256:a470f48aba86aa7a417dfcf11c96e13253a3cebc20b6da6e7ca93b18eff1708f probes: liveness: &probes enabled: true @@ -40,7 +40,7 @@ spec: spec: httpGet: path: /v2/ - port: &port 5000 + port: &port 80 initialDelaySeconds: 30 periodSeconds: 30 timeoutSeconds: 10 diff --git a/kubernetes/storage/apps/default/zot/app/resources/config.json b/kubernetes/storage/apps/default/zot/app/resources/config.json index 1abd66edf971b..5389c6668393c 100644 --- a/kubernetes/storage/apps/default/zot/app/resources/config.json +++ b/kubernetes/storage/apps/default/zot/app/resources/config.json @@ -9,20 +9,17 @@ }, "http": { "address": "0.0.0.0", - "port": "5000" + "port": "80" }, "log": { "level": "info" }, "extensions": { "search": { - "enable": true, - "cve": { - "updateInterval": "2h" - } + "enable": true }, "scrub": { - "enable": true, + "enable": false, "interval": "24h" }, "sync": { 
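Review bot: Alongside the port change, the first config.json hunk turns `scrub` off (`"enable": false`) and drops the `cve` block from `search`, so the v2 registry runs without the periodic storage integrity check and without the CVE update interval the v1 config had. Neither is mentioned in the commit subject; if they were disabled only to get v2 starting, say so in the commit message and restore them once the v2 syntax is confirmed, e.g. `"scrub": {"enable": true, "interval": "24h"}`. The second config.json hunk also enables the `ui` extension, which adds a web surface to the registry; confirm that the access control configured in the part of the file outside these hunks covers it. Binding to port `80` may also require root or an added capability in the container, which the hunks do not show.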
@@ -95,6 +92,9 @@ "tlsVerify": true } ] + }, + "ui": { + "enable": true } } } From 96e49df046fce759d8b2cee64345f80e56a26160 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:06:00 +0000 Subject: [PATCH 016/149] chore(container): update image ghcr.io/bjw-s/mdbook to 3632484 --- .github/workflows/publish-docs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 9c516b39992c5..e605413e4f24c 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -44,7 +44,7 @@ jobs: enablement: true - name: Build docs - uses: docker://ghcr.io/bjw-s/mdbook:0.4.36@sha256:6533c20dc501ddc1f1747dcd99964df869befbc4f48030bd1efda9fe05ac5417 + uses: docker://ghcr.io/bjw-s/mdbook:0.4.36@sha256:36324846ce677fa4121856d4f16ea7bd18c4b5dee6e1615b97bdb453cafc94ac with: args: mdbook build docs From c0be1e9bc6c4766e04355c73f3da60876b211add Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 11:11:46 -0500 Subject: [PATCH 017/149] fix(container): update image thanos to v12.19.1 (#6602) Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/observability/thanos/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml index caad7004dbc39..45fbf65471c5e 100644 --- a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: thanos - version: 12.19.0 + version: 12.19.1 sourceRef: kind: HelmRepository name: bitnami From c00f50ff2ea7cd0ae14be6d4a9c16bcabeca807c Mon Sep 17 00:00:00 2001 
From: Devin Buhl Date: Tue, 19 Dec 2023 11:38:12 -0500 Subject: [PATCH 018/149] feat: push thanos ceph rgw creds to 1password Signed-off-by: Devin Buhl --- .../thanos/app/objectbucketclaim.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/kubernetes/main/apps/observability/thanos/app/objectbucketclaim.yaml b/kubernetes/main/apps/observability/thanos/app/objectbucketclaim.yaml index 6da080c397ec0..4e71162c697c3 100644 --- a/kubernetes/main/apps/observability/thanos/app/objectbucketclaim.yaml +++ b/kubernetes/main/apps/observability/thanos/app/objectbucketclaim.yaml @@ -7,3 +7,25 @@ metadata: spec: bucketName: thanos-v2 storageClassName: ceph-bucket +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/pushsecret_v1alpha1.json +apiVersion: external-secrets.io/v1alpha1 +kind: PushSecret +metadata: + name: ceph-rgw-thanos +spec: + secretStoreRefs: + - name: onepassword-connect + kind: ClusterSecretStore + selector: + secret: + name: thanos-bucket-v2 + data: + - match: + secretKey: AWS_ACCESS_KEY_ID + remoteRef: + remoteKey: ceph-rgw-thanos + - match: + secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + remoteKey: ceph-rgw-thanos From d16a4173e5c931bcb12727a6446e8b134a229dbe Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 18:06:16 +0000 Subject: [PATCH 019/149] feat(github-action): update cloudflare/wrangler-action action to v3.4.0 --- .github/workflows/publish-schemas.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 997ccb01d326e..1d3c206c12c9f 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml 
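Review bot: Both `data` entries of the new `ceph-rgw-thanos` PushSecret write to the same `remoteKey: ceph-rgw-thanos` without a `property`, so the hunk does not say how `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are kept apart in the remote item. Giving each entry its own field under `remoteRef`, e.g. `property: AWS_ACCESS_KEY_ID` and `property: AWS_SECRET_ACCESS_KEY`, makes the mapping explicit. The resource also sets no `refreshInterval` or `deletionPolicy`, so how long the copied bucket credentials live in the external store is left to the defaults. Because this copies S3 keys out of the cluster, a comment naming the consumer of the pushed item would help a reviewer judge whether the copy is needed.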
@@ -81,7 +81,7 @@ jobs: mv /home/runner/.datree/crdSchemas/* ${{ env.SCHEMAS_DIR }} - name: Deploy to Cloudflare Pages - uses: cloudflare/wrangler-action@5e8484995321734668f14981c316aa9188d76ed1 # v3.3.2 + uses: cloudflare/wrangler-action@a8be0ea72a399752dd2735fa16ea0d424f2335ca # v3.4.0 with: apiToken: "${{ secrets.CLOUDFLARE_API_TOKEN }}" accountId: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}" From 1c45a87d493ed80f9fc03948c47822024ecab689 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 13:41:47 -0500 Subject: [PATCH 020/149] fix(github-release): update flux group to v2.2.2 (patch) (#6604) Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/storage/bootstrap/flux/kustomization.yaml | 2 +- kubernetes/storage/flux/config/flux.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/storage/bootstrap/flux/kustomization.yaml b/kubernetes/storage/bootstrap/flux/kustomization.yaml index 075093f93848c..a698904bfe1f1 100644 --- a/kubernetes/storage/bootstrap/flux/kustomization.yaml +++ b/kubernetes/storage/bootstrap/flux/kustomization.yaml @@ -5,7 +5,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - github.com/fluxcd/flux2/manifests/install?ref=v2.2.1 + - github.com/fluxcd/flux2/manifests/install?ref=v2.2.2 patches: # Remove the network policies that does not work with k3s - patch: | diff --git a/kubernetes/storage/flux/config/flux.yaml b/kubernetes/storage/flux/config/flux.yaml index 61bb50e3bb586..2e7c398e4f979 100644 --- a/kubernetes/storage/flux/config/flux.yaml +++ b/kubernetes/storage/flux/config/flux.yaml @@ -9,7 +9,7 @@ spec: interval: 10m url: oci://ghcr.io/fluxcd/flux-manifests ref: - tag: v2.2.1 + tag: v2.2.2 --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 
From f68ea09597beb2202284a9600599fd9304bbb005 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 13:41:53 -0500 Subject: [PATCH 021/149] fix(github-release): update flux group to v2.2.2 (patch) (#6603) Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/bootstrap/flux/kustomization.yaml | 2 +- kubernetes/main/flux/config/flux.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/main/bootstrap/flux/kustomization.yaml b/kubernetes/main/bootstrap/flux/kustomization.yaml index 075093f93848c..a698904bfe1f1 100644 --- a/kubernetes/main/bootstrap/flux/kustomization.yaml +++ b/kubernetes/main/bootstrap/flux/kustomization.yaml @@ -5,7 +5,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - github.com/fluxcd/flux2/manifests/install?ref=v2.2.1 + - github.com/fluxcd/flux2/manifests/install?ref=v2.2.2 patches: # Remove the network policies that does not work with k3s - patch: | diff --git a/kubernetes/main/flux/config/flux.yaml b/kubernetes/main/flux/config/flux.yaml index ee9e3d3d1df21..4b2a83140f5e3 100644 --- a/kubernetes/main/flux/config/flux.yaml +++ b/kubernetes/main/flux/config/flux.yaml @@ -9,7 +9,7 @@ spec: interval: 10m url: oci://ghcr.io/fluxcd/flux-manifests ref: - tag: v2.2.1 + tag: v2.2.2 --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 From faf80f9752772ef64d1be4b2e52c4a2b4f30c297 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 14:54:11 -0500 Subject: [PATCH 022/149] feat: pre-create rook dashboard secret with es and orphan it 
Signed-off-by: Devin Buhl --- .../rook-ceph/app/externalsecret.yaml | 20 +++++++++++++++++++ .../rook-ceph/app/kustomization.yaml | 1 + .../main/apps/rook-ceph/rook-ceph/ks.yaml | 8 +++++--- 3 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml new file mode 100644 index 0000000000000..08bcd12722013 --- /dev/null +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml @@ -0,0 +1,20 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: rook-ceph-dashboard +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: rook-ceph-dashboard-password # rook expects this name + creationPolicy: Orphan + template: + engineVersion: v2 + data: + password: "{{ .ROOK_DASHBOARD_PASSWORD }}" + dataFrom: + - extract: + key: rook diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml index 17cbc72b25c80..4eed917b96fa1 100644 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml @@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml index 64864da645014..f0a6fa7d4f32b 100644 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml 
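Review bot: `creationPolicy: Orphan` on the new `rook-ceph-dashboard` ExternalSecret means the `rook-ceph-dashboard-password` Secret is created without an owner reference and stays in the cluster if the ExternalSecret is later removed. That looks deliberate given the commit subject, but a comment on the line would record it, e.g. `creationPolicy: Orphan # secret must outlive this ExternalSecret; remove it by hand when retiring`. The ExternalSecret also sets no `refreshInterval`, so how quickly a rotated `ROOK_DASHBOARD_PASSWORD` reaches the cluster depends on the operator default.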
@@ -10,12 +10,14 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + dependsOn: + - name: external-secrets-stores path: ./kubernetes/main/apps/rook-ceph/rook-ceph/app - prune: false + prune: false # never should be deleted sourceRef: kind: GitRepository name: home-kubernetes - wait: true + wait: false interval: 30m retryInterval: 1m timeout: 5m @@ -32,7 +34,7 @@ spec: labels: app.kubernetes.io/name: *app path: ./kubernetes/main/apps/rook-ceph/rook-ceph/cluster - prune: false + prune: false # never should be deleted sourceRef: kind: GitRepository name: home-kubernetes From b06864bc0c832d5d977313b9b920282777bd6eae Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 14:57:26 -0500 Subject: [PATCH 023/149] feat: pre-create rook dashboard secret with es and orphan it Signed-off-by: Devin Buhl --- kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml index 08bcd12722013..81aa23ff019c2 100644 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml @@ -13,6 +13,7 @@ spec: creationPolicy: Orphan template: engineVersion: v2 + type: kubernetes.io/rook data: password: "{{ .ROOK_DASHBOARD_PASSWORD }}" dataFrom: From c51365df85069dcccb2cefd7e0e27458076819f5 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 15:02:36 -0500 Subject: [PATCH 024/149] chore: creationPolicy is owner by default 
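Review bot: Flipping `wait: true` to `wait: false` in the first `ks.yaml` hunk makes this Kustomization report ready as soon as its manifests are applied, so dependents no longer wait for the new ExternalSecret to sync or the HelmRelease to become healthy. If the cluster Kustomization in the second hunk depends on this one (its `dependsOn` is outside the hunk), it could reconcile before `rook-ceph-dashboard-password` exists, which would undo the pre-creation this commit is for. Keeping `wait: true`, or listing the ExternalSecret under `healthChecks`, would preserve the ordering. The commit message does not mention the change, so if it is intentional a short why-comment on the `wait: false` line would help.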
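Review bot: The added `type: kubernetes.io/rook` changes the type of a Secret that the previous revision of this ExternalSecret may already have created with the default type, and Kubernetes treats a Secret's `type` as immutable. In that case the update would be rejected until the existing `rook-ceph-dashboard-password` Secret is deleted, and with `creationPolicy: Orphan` nothing removes it automatically. I would record the one-off manual delete in the commit message, or add a comment such as `# Secret type is immutable: delete the existing Secret before changing this`.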
Signed-off-by: Devin Buhl --- .../app/externalsecret.yaml | 1 - .../cert-manager/issuers/externalsecret.yaml | 1 - .../cloudnative-pg/app/externalsecret.yaml | 1 - .../default/atuin/app/externalsecret.yaml | 1 - .../default/authelia/app/externalsecret.yaml | 1 - .../default/autobrr/app/externalsecret.yaml | 1 - .../cross-seed/app/externalsecret.yaml | 1 - .../default/frigate/app/externalsecret.yaml | 1 - .../home-assistant/app/externalsecret.yaml | 1 - .../default/lldap/app/externalsecret.yaml | 1 - .../default/miniflux/app/externalsecret.yaml | 1 - .../default/mosquitto/app/externalsecret.yaml | 1 - .../plex/tools/off-deck/externalsecret.yaml | 1 - .../default/prowlarr/app/externalsecret.yaml | 1 - .../default/radarr/app/externalsecret.yaml | 1 - .../default/recyclarr/app/externalsecret.yaml | 1 - .../rtlamr2mqtt/app/externalsecret.yaml | 1 - .../default/sabnzbd/app/externalsecret.yaml | 1 - .../default/shlink/app/externalsecret.yaml | 1 - .../smtp-relay/app/externalsecret.yaml | 1 - .../default/sonarr/app/externalsecret.yaml | 1 - .../default/unpackerr/app/externalsecret.yaml | 1 - .../zigbee2mqtt/app/externalsecret.yaml | 1 - .../notifications/github/externalsecret.yaml | 1 - .../app/webhooks/github/externalsecret.yaml | 1 - .../tf-controller/app/externalsecret.yaml | 2 -- .../flux-system/wego/app/externalsecret.yaml | 1 - .../cloudflared/app/externalsecret.yaml | 1 - .../external-dns/app/bind/externalsecret.yaml | 1 - .../app/cloudflare/externalsecret.yaml | 1 - .../nginx/external/externalsecret.yaml | 1 - .../gatus/app/externalsecret.yaml | 1 - .../grafana/app/externalsecret.yaml | 1 - .../app/externalsecret.yaml | 1 - .../thanos/app/objectbucketclaim.yaml | 22 ------------------- .../vector/app/aggregator/externalsecret.yaml | 1 - kubernetes/main/templates/volsync/minio.yaml | 1 - kubernetes/main/templates/volsync/r2.yaml | 1 - .../cert-manager/issuers/externalsecret.yaml | 1 - .../default/kopia/app/externalsecret.yaml | 2 -- 
.../default/minio/app/externalsecret.yaml | 1 - .../flux-system/wego/app/externalsecret.yaml | 1 - .../external-dns/app/bind/externalsecret.yaml | 1 - 43 files changed, 66 deletions(-) diff --git a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml index 30563301d75f7..34bb4b2ff644b 100644 --- a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml +++ b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: actions-runner-controller-auth-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/cert-manager/cert-manager/issuers/externalsecret.yaml b/kubernetes/main/apps/cert-manager/cert-manager/issuers/externalsecret.yaml index 8d60f7d9aadfc..da8ef0da9cec6 100644 --- a/kubernetes/main/apps/cert-manager/cert-manager/issuers/externalsecret.yaml +++ b/kubernetes/main/apps/cert-manager/cert-manager/issuers/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: cloudflare-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/database/cloudnative-pg/app/externalsecret.yaml b/kubernetes/main/apps/database/cloudnative-pg/app/externalsecret.yaml index 01f292f379ed6..4aac2e2798fa5 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/app/externalsecret.yaml +++ b/kubernetes/main/apps/database/cloudnative-pg/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: cloudnative-pg-secret - creationPolicy: Owner template: engineVersion: v2 metadata: diff --git a/kubernetes/main/apps/default/atuin/app/externalsecret.yaml b/kubernetes/main/apps/default/atuin/app/externalsecret.yaml index 2855ef267264b..f5bc2076f2a89 100644 
--- a/kubernetes/main/apps/default/atuin/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/atuin/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: atuin-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/authelia/app/externalsecret.yaml b/kubernetes/main/apps/default/authelia/app/externalsecret.yaml index 3b89a5034ad05..94676fb47deb3 100644 --- a/kubernetes/main/apps/default/authelia/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/authelia/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: authelia-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/autobrr/app/externalsecret.yaml b/kubernetes/main/apps/default/autobrr/app/externalsecret.yaml index 2a5d38a8cf835..a804066d5cb75 100644 --- a/kubernetes/main/apps/default/autobrr/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/autobrr/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: autobrr-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/cross-seed/app/externalsecret.yaml b/kubernetes/main/apps/default/cross-seed/app/externalsecret.yaml index fba65e7464796..50904afe51bf8 100644 --- a/kubernetes/main/apps/default/cross-seed/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/cross-seed/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: cross-seed-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/frigate/app/externalsecret.yaml b/kubernetes/main/apps/default/frigate/app/externalsecret.yaml index ef0e56859ed29..cecc34f7ea242 100644 --- a/kubernetes/main/apps/default/frigate/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/frigate/app/externalsecret.yaml 
@@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: frigate-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/home-assistant/app/externalsecret.yaml b/kubernetes/main/apps/default/home-assistant/app/externalsecret.yaml index 6dd081c7390a0..2662f526e1226 100644 --- a/kubernetes/main/apps/default/home-assistant/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/home-assistant/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: home-assistant-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/lldap/app/externalsecret.yaml b/kubernetes/main/apps/default/lldap/app/externalsecret.yaml index 16205938215fc..a175620ba4749 100644 --- a/kubernetes/main/apps/default/lldap/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/lldap/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: lldap-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/miniflux/app/externalsecret.yaml b/kubernetes/main/apps/default/miniflux/app/externalsecret.yaml index 28951e6ada55b..256cf522f4770 100644 --- a/kubernetes/main/apps/default/miniflux/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/miniflux/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: miniflux-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/mosquitto/app/externalsecret.yaml b/kubernetes/main/apps/default/mosquitto/app/externalsecret.yaml index 749ef68e4b10b..54bd04b710720 100644 --- a/kubernetes/main/apps/default/mosquitto/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/mosquitto/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: mosquitto-secret - creationPolicy: Owner template: engineVersion: v2 data: 
diff --git a/kubernetes/main/apps/default/plex/tools/off-deck/externalsecret.yaml b/kubernetes/main/apps/default/plex/tools/off-deck/externalsecret.yaml index 9146f7712d689..dbd668a67c618 100644 --- a/kubernetes/main/apps/default/plex/tools/off-deck/externalsecret.yaml +++ b/kubernetes/main/apps/default/plex/tools/off-deck/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: plex-off-deck-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/prowlarr/app/externalsecret.yaml b/kubernetes/main/apps/default/prowlarr/app/externalsecret.yaml index 7a892aa46774f..57d6cfa6b383a 100644 --- a/kubernetes/main/apps/default/prowlarr/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/prowlarr/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: prowlarr-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/radarr/app/externalsecret.yaml b/kubernetes/main/apps/default/radarr/app/externalsecret.yaml index 6f5736b5a1a7e..8c1f678dc4106 100644 --- a/kubernetes/main/apps/default/radarr/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/radarr/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: radarr-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/recyclarr/app/externalsecret.yaml b/kubernetes/main/apps/default/recyclarr/app/externalsecret.yaml index 80f89abfdf18a..af19fc8f94d01 100644 --- a/kubernetes/main/apps/default/recyclarr/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/recyclarr/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: recyclarr-secret - creationPolicy: Owner template: engineVersion: v2 data: 
diff --git a/kubernetes/main/apps/default/rtlamr2mqtt/app/externalsecret.yaml b/kubernetes/main/apps/default/rtlamr2mqtt/app/externalsecret.yaml index ce65758533e4e..fd55ae0c793bd 100644 --- a/kubernetes/main/apps/default/rtlamr2mqtt/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/rtlamr2mqtt/app/externalsecret.yaml @@ -11,7 +11,6 @@ spec: name: onepassword-connect target: name: rtlamr2mqtt-secret - creationPolicy: Owner template: templateFrom: - configMap: diff --git a/kubernetes/main/apps/default/sabnzbd/app/externalsecret.yaml b/kubernetes/main/apps/default/sabnzbd/app/externalsecret.yaml index 4df4f1cd1d23f..7342f416bb70d 100644 --- a/kubernetes/main/apps/default/sabnzbd/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/sabnzbd/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: sabnzbd-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/shlink/app/externalsecret.yaml b/kubernetes/main/apps/default/shlink/app/externalsecret.yaml index d68a7e8de5768..891046f9ab255 100644 --- a/kubernetes/main/apps/default/shlink/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/shlink/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: shlink-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/smtp-relay/app/externalsecret.yaml b/kubernetes/main/apps/default/smtp-relay/app/externalsecret.yaml index 51e8bdf32e1fb..dd8699a41ba09 100644 --- a/kubernetes/main/apps/default/smtp-relay/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/smtp-relay/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: smtp-relay-secret - creationPolicy: Owner template: engineVersion: v2 data: 
diff --git a/kubernetes/main/apps/default/sonarr/app/externalsecret.yaml b/kubernetes/main/apps/default/sonarr/app/externalsecret.yaml index 91bf74a2442d7..06b89a72ace3c 100644 --- a/kubernetes/main/apps/default/sonarr/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/sonarr/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: sonarr-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/unpackerr/app/externalsecret.yaml b/kubernetes/main/apps/default/unpackerr/app/externalsecret.yaml index f499a6e0a6c3b..958eac8d34134 100644 --- a/kubernetes/main/apps/default/unpackerr/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/unpackerr/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: unpackerr-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/default/zigbee2mqtt/app/externalsecret.yaml b/kubernetes/main/apps/default/zigbee2mqtt/app/externalsecret.yaml index 8ecf76c4a12e4..7d88c4db6a89c 100644 --- a/kubernetes/main/apps/default/zigbee2mqtt/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/zigbee2mqtt/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: zigbee2mqtt-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/flux-system/addons/app/notifications/github/externalsecret.yaml b/kubernetes/main/apps/flux-system/addons/app/notifications/github/externalsecret.yaml index e3353ed7475e6..196a36b62fc6e 100644 --- a/kubernetes/main/apps/flux-system/addons/app/notifications/github/externalsecret.yaml +++ b/kubernetes/main/apps/flux-system/addons/app/notifications/github/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: github-token-secret - creationPolicy: Owner template: engineVersion: v2 data: 
diff --git a/kubernetes/main/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml b/kubernetes/main/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml index 926424b216174..8d466e6c1b873 100644 --- a/kubernetes/main/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml +++ b/kubernetes/main/apps/flux-system/addons/app/webhooks/github/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: github-webhook-token-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/flux-system/tf-controller/app/externalsecret.yaml b/kubernetes/main/apps/flux-system/tf-controller/app/externalsecret.yaml index 4b47be573b260..e4b64fba9af5c 100644 --- a/kubernetes/main/apps/flux-system/tf-controller/app/externalsecret.yaml +++ b/kubernetes/main/apps/flux-system/tf-controller/app/externalsecret.yaml @@ -11,7 +11,6 @@ spec: name: onepassword-connect target: name: tf-controller-secret - creationPolicy: Owner template: engineVersion: v2 data: @@ -35,7 +34,6 @@ spec: name: onepassword-connect target: name: tf-controller-tfrc-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/flux-system/wego/app/externalsecret.yaml b/kubernetes/main/apps/flux-system/wego/app/externalsecret.yaml index f9fbf9d78d95c..a4031ab911456 100644 --- a/kubernetes/main/apps/flux-system/wego/app/externalsecret.yaml +++ b/kubernetes/main/apps/flux-system/wego/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: cluster-user-auth # weave-gitops expects this name - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/network/cloudflared/app/externalsecret.yaml b/kubernetes/main/apps/network/cloudflared/app/externalsecret.yaml index c88c191496334..73c2bb7fa1e62 100644 --- a/kubernetes/main/apps/network/cloudflared/app/externalsecret.yaml 
+++ b/kubernetes/main/apps/network/cloudflared/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: cloudflared-tunnel-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/network/external-dns/app/bind/externalsecret.yaml b/kubernetes/main/apps/network/external-dns/app/bind/externalsecret.yaml index bcc359e501b8a..5218e805832dd 100644 --- a/kubernetes/main/apps/network/external-dns/app/bind/externalsecret.yaml +++ b/kubernetes/main/apps/network/external-dns/app/bind/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: external-dns-bind-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/network/external-dns/app/cloudflare/externalsecret.yaml b/kubernetes/main/apps/network/external-dns/app/cloudflare/externalsecret.yaml index 26927b7a0d05d..108962da04747 100644 --- a/kubernetes/main/apps/network/external-dns/app/cloudflare/externalsecret.yaml +++ b/kubernetes/main/apps/network/external-dns/app/cloudflare/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: external-dns-cloudflare-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/network/nginx/external/externalsecret.yaml b/kubernetes/main/apps/network/nginx/external/externalsecret.yaml index 279d9b4d1b313..9771494538423 100644 --- a/kubernetes/main/apps/network/nginx/external/externalsecret.yaml +++ b/kubernetes/main/apps/network/nginx/external/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: nginx-external-maxmind-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/observability/gatus/app/externalsecret.yaml b/kubernetes/main/apps/observability/gatus/app/externalsecret.yaml index 67e6b14abd079..0edaa5ba749b0 100644 --- a/kubernetes/main/apps/observability/gatus/app/externalsecret.yaml 
+++ b/kubernetes/main/apps/observability/gatus/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: gatus-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/observability/grafana/app/externalsecret.yaml b/kubernetes/main/apps/observability/grafana/app/externalsecret.yaml index 5af8d563b21cf..b8ce9f57f890f 100644 --- a/kubernetes/main/apps/observability/grafana/app/externalsecret.yaml +++ b/kubernetes/main/apps/observability/grafana/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: grafana-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/externalsecret.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/externalsecret.yaml index 6f0e47c1d6e2f..e315ad331705c 100644 --- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/externalsecret.yaml +++ b/kubernetes/main/apps/observability/kube-prometheus-stack/app/externalsecret.yaml @@ -11,7 +11,6 @@ spec: name: onepassword-connect target: name: alertmanager-secret - creationPolicy: Owner template: templateFrom: - configMap: diff --git a/kubernetes/main/apps/observability/thanos/app/objectbucketclaim.yaml b/kubernetes/main/apps/observability/thanos/app/objectbucketclaim.yaml index 4e71162c697c3..6da080c397ec0 100644 --- a/kubernetes/main/apps/observability/thanos/app/objectbucketclaim.yaml +++ b/kubernetes/main/apps/observability/thanos/app/objectbucketclaim.yaml 
@@ -7,25 +7,3 @@ metadata: spec: bucketName: thanos-v2 storageClassName: ceph-bucket ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/pushsecret_v1alpha1.json -apiVersion: external-secrets.io/v1alpha1 -kind: PushSecret -metadata: - name: ceph-rgw-thanos -spec: - secretStoreRefs: - - name: onepassword-connect - kind: ClusterSecretStore - selector: - secret: - name: thanos-bucket-v2 - data: - - match: - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - remoteKey: ceph-rgw-thanos - - match: - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - remoteKey: ceph-rgw-thanos diff --git a/kubernetes/main/apps/observability/vector/app/aggregator/externalsecret.yaml b/kubernetes/main/apps/observability/vector/app/aggregator/externalsecret.yaml index da460eec366f7..37ca991bf3338 100644 --- a/kubernetes/main/apps/observability/vector/app/aggregator/externalsecret.yaml +++ b/kubernetes/main/apps/observability/vector/app/aggregator/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: vector-aggregator-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/templates/volsync/minio.yaml b/kubernetes/main/templates/volsync/minio.yaml index 24282d1e5d7e2..364734f531f59 100644 --- a/kubernetes/main/templates/volsync/minio.yaml +++ b/kubernetes/main/templates/volsync/minio.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: "${APP}-volsync-secret" - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/main/templates/volsync/r2.yaml b/kubernetes/main/templates/volsync/r2.yaml index f109392f5b1a9..3d12e32f115e9 100644 --- a/kubernetes/main/templates/volsync/r2.yaml +++ b/kubernetes/main/templates/volsync/r2.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: "${APP}-volsync-r2-secret" - creationPolicy: Owner template: engineVersion: v2 data: 
diff --git a/kubernetes/storage/apps/cert-manager/cert-manager/issuers/externalsecret.yaml b/kubernetes/storage/apps/cert-manager/cert-manager/issuers/externalsecret.yaml index 25c41dd7247e8..385b6dac40c88 100644 --- a/kubernetes/storage/apps/cert-manager/cert-manager/issuers/externalsecret.yaml +++ b/kubernetes/storage/apps/cert-manager/cert-manager/issuers/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: cloudflare-secret - creationPolicy: Owner dataFrom: - extract: key: cloudflare diff --git a/kubernetes/storage/apps/default/kopia/app/externalsecret.yaml b/kubernetes/storage/apps/default/kopia/app/externalsecret.yaml index 0cb2895ae0eb2..f342575a47c2a 100644 --- a/kubernetes/storage/apps/default/kopia/app/externalsecret.yaml +++ b/kubernetes/storage/apps/default/kopia/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: kopia-secret - creationPolicy: Owner template: engineVersion: v2 data: @@ -32,7 +31,6 @@ spec: name: onepassword-connect target: name: kopia-repository-secret - creationPolicy: Owner template: templateFrom: - configMap: diff --git a/kubernetes/storage/apps/default/minio/app/externalsecret.yaml b/kubernetes/storage/apps/default/minio/app/externalsecret.yaml index 02a4724de6702..9c72731db8ca6 100644 --- a/kubernetes/storage/apps/default/minio/app/externalsecret.yaml +++ b/kubernetes/storage/apps/default/minio/app/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: minio-secret - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/storage/apps/flux-system/wego/app/externalsecret.yaml b/kubernetes/storage/apps/flux-system/wego/app/externalsecret.yaml index f9fbf9d78d95c..a4031ab911456 100644 --- a/kubernetes/storage/apps/flux-system/wego/app/externalsecret.yaml +++ b/kubernetes/storage/apps/flux-system/wego/app/externalsecret.yaml 
@@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: cluster-user-auth # weave-gitops expects this name - creationPolicy: Owner template: engineVersion: v2 data: diff --git a/kubernetes/storage/apps/network/external-dns/app/bind/externalsecret.yaml b/kubernetes/storage/apps/network/external-dns/app/bind/externalsecret.yaml index 45db91b02f2f8..294a2d5bcf4f1 100644 --- a/kubernetes/storage/apps/network/external-dns/app/bind/externalsecret.yaml +++ b/kubernetes/storage/apps/network/external-dns/app/bind/externalsecret.yaml @@ -10,7 +10,6 @@ spec: name: onepassword-connect target: name: external-dns-bind-secret - creationPolicy: Owner template: engineVersion: v2 data: From c9f292a5909474afdb1b4244588fe6c3d8bed1ea Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 15:22:59 -0500 Subject: [PATCH 025/149] fix: test out rook dashboard password change Signed-off-by: Devin Buhl --- .../main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml index 81aa23ff019c2..e5171e7ff2f4c 100644 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml @@ -10,10 +10,8 @@ spec: name: onepassword-connect target: name: rook-ceph-dashboard-password # rook expects this name - creationPolicy: Orphan template: engineVersion: v2 - type: kubernetes.io/rook data: password: "{{ .ROOK_DASHBOARD_PASSWORD }}" dataFrom: From 6eb2de40b161e90af6e4cd034b6526e62ddd9502 Mon Sep 17 00:00:00 2001 
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 15:39:11 -0500 Subject: [PATCH 026/149] fix(container): update image ghcr.io/onedr0p/radarr-develop to v5.2.5.8361 (#6606) Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/default/radarr/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/default/radarr/app/helmrelease.yaml b/kubernetes/main/apps/default/radarr/app/helmrelease.yaml index 29866272623c7..5ad8e8789877e 100644 --- a/kubernetes/main/apps/default/radarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/radarr/app/helmrelease.yaml @@ -43,7 +43,7 @@ spec: main: image: repository: ghcr.io/onedr0p/radarr-develop - tag: 5.2.4.8328@sha256:9908d5e7ef16122cfdf80fa0d1fefef743cc598346bc12c3408e645d99012c74 + tag: 5.2.5.8361@sha256:c6b3d06ce98faacdd2e91e70763d0c96ab1421aa4858f45957a14d91ff9490a0 env: # https://github.com/Radarr/Radarr/issues/7030#issuecomment-1039689518 # https://github.com/dotnet/runtime/issues/9336 From 46760d95efdbcfc9b5756886b5263be3d3f3dbd5 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 15:41:05 -0500 Subject: [PATCH 027/149] feat(container): update image redis to v18.6.0 (#6607) Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/database/redis/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/database/redis/app/helmrelease.yaml b/kubernetes/main/apps/database/redis/app/helmrelease.yaml index 037ab8b4e7db3..5bb409cc8442b 100644 --- a/kubernetes/main/apps/database/redis/app/helmrelease.yaml +++ b/kubernetes/main/apps/database/redis/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: redis - version: 18.5.0 + version: 18.6.0 sourceRef: kind: HelmRepository name: bitnami 
From da18031df02bcdf68c9d6f7a10cd5bf1bbef84ed Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 16:18:21 -0500 Subject: [PATCH 028/149] chore: update PR title in renovate Signed-off-by: Devin Buhl --- .github/renovate/semanticCommits.json5 | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/renovate/semanticCommits.json5 b/.github/renovate/semanticCommits.json5 index 62a3d7c0107ce..d2fa70ed20cde 100644 --- a/.github/renovate/semanticCommits.json5 +++ b/.github/renovate/semanticCommits.json5 @@ -4,25 +4,33 @@ { "matchDatasources": ["docker"], "matchUpdateTypes": ["major"], - "commitMessagePrefix": "feat(container)!: " + "commitMessagePrefix": "feat(container)!: ", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "from {{currentVersion}} to {{newVersion}}" }, { "matchDatasources": ["docker"], "matchUpdateTypes": ["minor"], "semanticCommitType": "feat", - "semanticCommitScope": "container" + "semanticCommitScope": "container", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "from {{currentVersion}} to {{newVersion}}" }, { "matchDatasources": ["docker"], "matchUpdateTypes": ["patch"], "semanticCommitType": "fix", - "semanticCommitScope": "container" + "semanticCommitScope": "container", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "from {{currentVersion}} to {{newVersion}}" }, { "matchDatasources": ["docker"], "matchUpdateTypes": ["digest"], "semanticCommitType": "chore", - "semanticCommitScope": "container" + "semanticCommitScope": "container", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "from {{currentVersion}} to {{newVersion}}" }, { "matchDatasources": ["helm"], From 906d1333f09bedb26c62fad1fc77dfc6acb9fb88 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 16:21:08 -0500 Subject: [PATCH 029/149] chore: update PR title in renovate 
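Review bot: The `digest` rule at the end of this hunk gets the same `from {{currentVersion}} to {{newVersion}}` suffix as the version rules. A digest update normally keeps the tag and moves only the `sha256` pin, so both sides would likely render identically or empty. That hides the one value a reviewer needs to see when the content behind a pinned image changes. Renovate exposes short digests to templates, so for that rule I would use `"commitMessageExtra": "from {{currentDigestShort}} to {{newDigestShort}}"`. The rules for the other datasources continue outside the hunk.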
Signed-off-by: Devin Buhl --- .github/renovate/semanticCommits.json5 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/renovate/semanticCommits.json5 b/.github/renovate/semanticCommits.json5 index d2fa70ed20cde..8729df458a418 100644 --- a/.github/renovate/semanticCommits.json5 +++ b/.github/renovate/semanticCommits.json5 @@ -6,7 +6,7 @@ "matchUpdateTypes": ["major"], "commitMessagePrefix": "feat(container)!: ", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "from {{currentVersion}} to {{newVersion}}" + "commitMessageExtra": " ({{currentVersion}} ➡️ {{newVersion}})" }, { "matchDatasources": ["docker"], @@ -14,7 +14,7 @@ "semanticCommitType": "feat", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "from {{currentVersion}} to {{newVersion}}" + "commitMessageExtra": "({{currentVersion}} ➡️ {{newVersion}})" }, { "matchDatasources": ["docker"], @@ -22,7 +22,7 @@ "semanticCommitType": "fix", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "from {{currentVersion}} to {{newVersion}}" + "commitMessageExtra": "({{currentVersion}} ➡️ {{newVersion}})" }, { "matchDatasources": ["docker"], @@ -30,7 +30,7 @@ "semanticCommitType": "chore", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "from {{currentVersion}} to {{newVersion}}" + "commitMessageExtra": "({{currentVersion}} ➡️ {{newVersion}})" }, { "matchDatasources": ["helm"], From aaf4942c4ebce75ad3f14a832080861f8ae138bf Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 16:27:29 -0500 Subject: [PATCH 030/149] chore: update PR title in renovate Signed-off-by: Devin Buhl --- .github/renovate/semanticCommits.json5 | 68 +++++++++++++++++++------- 1 file changed, 49 insertions(+), 19 deletions(-) diff --git a/.github/renovate/semanticCommits.json5 b/.github/renovate/semanticCommits.json5 index 8729df458a418..8f4521a0545ce 100644 
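Review bot: The `major` rule's value in the first hunk starts with a space, `" ({{currentVersion}} ➡️ {{newVersion}})"`, while the `minor`, `patch` and `digest` rules in the other three hunks have none. Unless the extra separator is needed when `commitMessagePrefix` is used (I could not confirm that from the hunk), the four should match: `"commitMessageExtra": "({{currentVersion}} ➡️ {{newVersion}})"`. The same leading space is carried into the first hunk of the following commit on this file.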
--- a/.github/renovate/semanticCommits.json5 +++ b/.github/renovate/semanticCommits.json5 @@ -6,7 +6,7 @@ "matchUpdateTypes": ["major"], "commitMessagePrefix": "feat(container)!: ", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": " ({{currentVersion}} ➡️ {{newVersion}})" + "commitMessageExtra": " ({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["docker"], @@ -14,7 +14,7 @@ "semanticCommitType": "feat", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} ➡️ {{newVersion}})" + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["docker"], @@ -22,7 +22,7 @@ "semanticCommitType": "fix", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} ➡️ {{newVersion}})" + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["docker"], 
@@ -30,94 +30,124 @@ "semanticCommitType": "chore", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} ➡️ {{newVersion}})" + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["helm"], "matchUpdateTypes": ["major"], - "commitMessagePrefix": "feat(helm)!: " + "commitMessagePrefix": "feat(helm)!: ", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["helm"], "matchUpdateTypes": ["minor"], "semanticCommitType": "feat", - "semanticCommitScope": "helm" + "semanticCommitScope": "helm", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["helm"], "matchUpdateTypes": ["patch"], "semanticCommitType": "fix", - "semanticCommitScope": "helm" + "semanticCommitScope": "helm", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["galaxy", "galaxy-collection"], "matchUpdateTypes": ["major"], - "commitMessagePrefix": "feat(ansible)!: " + "commitMessagePrefix": "feat(ansible)!: ", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["galaxy", "galaxy-collection"], "matchUpdateTypes": ["minor"], "semanticCommitType": "feat", - "semanticCommitScope": "ansible" + "semanticCommitScope": "ansible", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["galaxy", "galaxy-collection"], "matchUpdateTypes": ["patch"], "semanticCommitType": "fix", - "semanticCommitScope": "ansible" + "semanticCommitScope": "ansible", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["terraform-provider"], "matchUpdateTypes": ["major"], - 
"commitMessagePrefix": "feat(terraform)!: " + "commitMessagePrefix": "feat(terraform)!: ", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["terraform-provider"], "matchUpdateTypes": ["minor"], "semanticCommitType": "feat", - "semanticCommitScope": "terraform" + "semanticCommitScope": "terraform", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["terraform-provider"], "matchUpdateTypes": ["patch"], "semanticCommitType": "fix", - "semanticCommitScope": "terraform" + "semanticCommitScope": "terraform", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["github-releases", "github-tags"], "matchUpdateTypes": ["major"], - "commitMessagePrefix": "feat(github-release)!: " + "commitMessagePrefix": "feat(github-release)!: ", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["github-releases", "github-tags"], "matchUpdateTypes": ["minor"], "semanticCommitType": "feat", - "semanticCommitScope": "github-release" + "semanticCommitScope": "github-release", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchDatasources": ["github-releases", "github-tags"], "matchUpdateTypes": ["patch"], "semanticCommitType": "fix", - "semanticCommitScope": "github-release" + "semanticCommitScope": "github-release", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchManagers": ["github-actions"], "matchUpdateTypes": ["major"], - "commitMessagePrefix": "feat(github-action)!: " + "commitMessagePrefix": "feat(github-action)!: ", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchManagers": 
["github-actions"], "matchUpdateTypes": ["minor"], "semanticCommitType": "feat", - "semanticCommitScope": "github-action" + "semanticCommitScope": "github-action", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" }, { "matchManagers": ["github-actions"], "matchUpdateTypes": ["patch"], "semanticCommitType": "fix", - "semanticCommitScope": "github-action" + "semanticCommitScope": "github-action", + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" } ] } From c92166df9428419abbbae92bfce5d6f7257e0eb5 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 16:34:58 -0500 Subject: [PATCH 031/149] fix: downgrade zot Signed-off-by: Devin Buhl --- kubernetes/storage/apps/default/zot/app/helmrelease.yaml | 2 +- kubernetes/storage/apps/default/zot/app/resources/config.json | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/kubernetes/storage/apps/default/zot/app/helmrelease.yaml b/kubernetes/storage/apps/default/zot/app/helmrelease.yaml index 786f5873a6b0b..06efda95670ad 100644 --- a/kubernetes/storage/apps/default/zot/app/helmrelease.yaml +++ b/kubernetes/storage/apps/default/zot/app/helmrelease.yaml @@ -32,7 +32,7 @@ spec: main: image: repository: ghcr.io/project-zot/zot-linux-amd64 - tag: v2.0.0@sha256:a470f48aba86aa7a417dfcf11c96e13253a3cebc20b6da6e7ca93b18eff1708f + tag: v1.4.3@sha256:e5a5be113155d1e0032e5d669888064209da95c107497524f8d4eac8ed50b378 probes: liveness: &probes enabled: true diff --git a/kubernetes/storage/apps/default/zot/app/resources/config.json b/kubernetes/storage/apps/default/zot/app/resources/config.json index 5389c6668393c..cace47c2945f6 100644 --- a/kubernetes/storage/apps/default/zot/app/resources/config.json +++ b/kubernetes/storage/apps/default/zot/app/resources/config.json @@ -92,9 +92,6 @@ "tlsVerify": true } ] - }, - "ui": { - "enable": true } } } 
From 981eef03986124d0e6fa9f4f0c6b3e136cacb4b0 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:51:55 -0500 Subject: [PATCH 032/149] =?UTF-8?q?feat(container):=20update=20thanos=20(1?= =?UTF-8?q?2.19.1=20=E2=86=92=2012.20.0)=20(#6609)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/observability/thanos/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml index 45fbf65471c5e..258ad79739b11 100644 --- a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: thanos - version: 12.19.1 + version: 12.20.0 sourceRef: kind: HelmRepository name: bitnami From 49ed7a514a56f6a0156a71f91af386c8ec2a88ec Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:52:19 -0500 Subject: [PATCH 033/149] =?UTF-8?q?fix(container):=20update=20redis=20(18.?= =?UTF-8?q?6.0=20=E2=86=92=2018.6.1)=20(#6608)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/database/redis/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/database/redis/app/helmrelease.yaml b/kubernetes/main/apps/database/redis/app/helmrelease.yaml index 5bb409cc8442b..40d296ec25602 100644 --- a/kubernetes/main/apps/database/redis/app/helmrelease.yaml +++ b/kubernetes/main/apps/database/redis/app/helmrelease.yaml 
@@ -10,7 +10,7 @@ spec: chart: spec: chart: redis - version: 18.6.0 + version: 18.6.1 sourceRef: kind: HelmRepository name: bitnami From a770a3917c61f6a1d93c70b6f78675c3c66796c4 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 16:53:13 -0500 Subject: [PATCH 034/149] chore: update PR title in renovate Signed-off-by: Devin Buhl --- .github/renovate/semanticCommits.json5 | 38 +++++++++++++------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/renovate/semanticCommits.json5 b/.github/renovate/semanticCommits.json5 index 8f4521a0545ce..72f8271896ba6 100644 --- a/.github/renovate/semanticCommits.json5 +++ b/.github/renovate/semanticCommits.json5 @@ -6,7 +6,7 @@ "matchUpdateTypes": ["major"], "commitMessagePrefix": "feat(container)!: ", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": " ({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": " ( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["docker"], @@ -14,7 +14,7 @@ "semanticCommitType": "feat", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["docker"], @@ -22,7 +22,7 @@ "semanticCommitType": "fix", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["docker"], 
@@ -30,14 +30,14 @@ "semanticCommitType": "chore", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["helm"], "matchUpdateTypes": ["major"], "commitMessagePrefix": "feat(helm)!: ", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["helm"], @@ -45,7 +45,7 @@ "semanticCommitType": "feat", "semanticCommitScope": "helm", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { @@ -54,14 +54,14 @@ "semanticCommitType": "fix", "semanticCommitScope": "helm", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["galaxy", "galaxy-collection"], "matchUpdateTypes": ["major"], "commitMessagePrefix": "feat(ansible)!: ", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["galaxy", "galaxy-collection"], @@ -69,7 +69,7 @@ "semanticCommitType": "feat", "semanticCommitScope": "ansible", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { 
@@ -78,14 +78,14 @@ "semanticCommitType": "fix", "semanticCommitScope": "ansible", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["terraform-provider"], "matchUpdateTypes": ["major"], "commitMessagePrefix": "feat(terraform)!: ", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["terraform-provider"], @@ -93,7 +93,7 @@ "semanticCommitType": "feat", "semanticCommitScope": "terraform", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["terraform-provider"], @@ -101,14 +101,14 @@ "semanticCommitType": "fix", "semanticCommitScope": "terraform", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["github-releases", "github-tags"], "matchUpdateTypes": ["major"], "commitMessagePrefix": "feat(github-release)!: ", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["github-releases", "github-tags"], @@ -116,7 +116,7 @@ "semanticCommitType": "feat", "semanticCommitScope": "github-release", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchDatasources": ["github-releases", "github-tags"], 
@@ -124,14 +124,14 @@ "semanticCommitType": "fix", "semanticCommitScope": "github-release", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchManagers": ["github-actions"], "matchUpdateTypes": ["major"], "commitMessagePrefix": "feat(github-action)!: ", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchManagers": ["github-actions"], @@ -139,7 +139,7 @@ "semanticCommitType": "feat", "semanticCommitScope": "github-action", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" }, { "matchManagers": ["github-actions"], @@ -147,7 +147,7 @@ "semanticCommitType": "fix", "semanticCommitScope": "github-action", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "({{currentVersion}} → {{newVersion}})" + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" } ] } From ab47e739d6fe28dd33a900276ac32f156ceeac6b Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 00:16:00 +0000 Subject: [PATCH 035/149] =?UTF-8?q?chore(container):=20update=20ghcr.io/bj?= =?UTF-8?q?w-s/mdbook=20(=200.4.36=20=E2=86=92=20)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/publish-docs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index e605413e4f24c..7ab61b056cd53 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml 
@@ -44,7 +44,7 @@ jobs: enablement: true - name: Build docs - uses: docker://ghcr.io/bjw-s/mdbook:0.4.36@sha256:36324846ce677fa4121856d4f16ea7bd18c4b5dee6e1615b97bdb453cafc94ac + uses: docker://ghcr.io/bjw-s/mdbook:0.4.36@sha256:d86edc42a0d22e38f3d59d6cf517a9d93a7dbe8ec3ec80a114dfd7a99d9354cd with: args: mdbook build docs From 15ac648dd8a73ea7382a79308de027f949f2e054 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 19:45:53 -0500 Subject: [PATCH 036/149] feat: use sops secret for rook dashboard Signed-off-by: Devin Buhl --- .../rook-ceph/app/externalsecret.yaml | 19 ------------- .../rook-ceph/app/kustomization.yaml | 2 +- ...k-ceph-dashboard-password.secret.sops.yaml | 27 +++++++++++++++++++ .../main/apps/rook-ceph/rook-ceph/ks.yaml | 2 -- 4 files changed, 28 insertions(+), 22 deletions(-) delete mode 100644 kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml create mode 100644 kubernetes/main/apps/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml deleted file mode 100644 index e5171e7ff2f4c..0000000000000 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/app/externalsecret.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: rook-ceph-dashboard -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: rook-ceph-dashboard-password # rook expects this name - template: - engineVersion: v2 - data: - password: "{{ .ROOK_DASHBOARD_PASSWORD }}" - dataFrom: - - extract: - key: rook 
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml index 4eed917b96fa1..fb2f8c1206f70 100644 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml @@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./externalsecret.yaml + - ./rook-ceph-dashboard-password.secret.sops.yaml - ./helmrelease.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml new file mode 100644 index 0000000000000..5a0af9e22d826 --- /dev/null +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml 
@@ -0,0 +1,27 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: rook-ceph-dashboard-password +stringData: + password: ENC[AES256_GCM,data:9uWCs4NJS0WWx8k2aeJMtBhWYlY=,iv:cER9i26H33VeAqHUOj/3BuQk07QJCLXLW2Ick1Ao94I=,tag:mdgTJQceztsSD/bje3JunA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age15uzrw396e67z9wdzsxzdk7ka0g2gr3l460e0slaea563zll3hdfqwqxdta + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzLzNjRm9sdGVVdW43dDcx + Z043dUgvdzIrUk44QmFEdWxvdEp5b1Z4OFc0Cit0OFdTT3hmQ3VCVE12WkhvY2JH + RzhGY1NDd1RVOTJwQWhJQ0NjUE5hR0kKLS0tIGJuZUZHcDRORGVIYkQvYzF0SWZV + WmF4NjJaVXpidWh5ekY1VU9xQkZTOGMKWh2+yLXIWbAaVrlPch77cc+8zStEHA7u + nHVhCmX7NB2LYL8JEHg51/ElHhVowlSJDbeYvudTNAOWpdOd+Kv6iw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-20T00:21:50Z" + mac: ENC[AES256_GCM,data:Pc8SKRKKPnKkp21v6ibxkI9uC6vg6z1V0eEqx/DU7cB90OU3A5z/R+b5p8CfyniKT36PKSHtZ1nPrHdY5yMkd/0dqLqoJcI4CIrsew29FW2EZQD0EuS3MUBymqCNSexTpKwBFvl9SDhfN0uZLXw5IHo2jbLs6YWYBZ3+GY//jf8=,iv:2X0BwTMyKNeZqwcZBHfu9Wzw7Zb93Rg2KdGuvG57D1s=,tag:AwXqKpxNAWQB9PrRoBdjdg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml index f0a6fa7d4f32b..f3ad1c3f74a7b 100644 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml @@ -10,8 +10,6 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores path: ./kubernetes/main/apps/rook-ceph/rook-ceph/app prune: false # never should be deleted sourceRef: From 8fc9a16ededa5c061aebac9fb1f7f30e429609a5 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 19:51:06 -0500 Subject: [PATCH 037/149] chore: use currentDigestShort and newDigestShort 
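Review bot: Nothing in the `ks.yaml` hunk shows a `decryption` block on the Flux Kustomization, while this commit swaps the ExternalSecret for a SOPS-encrypted Secret and drops the `dependsOn` on `external-secrets-stores`. The Kustomization body continues outside the hunk, so the block may already be there. If it is not, add `decryption:` with `provider: sops` and a `secretRef` to the age key, otherwise the `ENC[...]` value is never turned back into the dashboard password. A short comment in `rook-ceph-dashboard-password.secret.sops.yaml` saying where the age key for that recipient lives would also help, since the ciphertext now stays in git history and rotating the password means re-encrypting the file.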
Signed-off-by: Devin Buhl --- .github/renovate/semanticCommits.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/renovate/semanticCommits.json5 b/.github/renovate/semanticCommits.json5 index 72f8271896ba6..f2e01f613041d 100644 --- a/.github/renovate/semanticCommits.json5 +++ b/.github/renovate/semanticCommits.json5 @@ -30,7 +30,7 @@ "semanticCommitType": "chore", "semanticCommitScope": "container", "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" + "commitMessageExtra": "( {{currentDigestShort}} → {{newDigestShort}} )" }, { "matchDatasources": ["helm"], From 868a56ff8f7657be4eac257bd0594047e46cd00d Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Tue, 19 Dec 2023 20:02:20 -0500 Subject: [PATCH 038/149] chore: update commit message on grafana dashboards Signed-off-by: Devin Buhl --- .github/renovate/grafanaDashboards.json5 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/renovate/grafanaDashboards.json5 b/.github/renovate/grafanaDashboards.json5 index b2112a66b02a4..531da268a2666 100644 --- a/.github/renovate/grafanaDashboards.json5 +++ b/.github/renovate/grafanaDashboards.json5 @@ -26,12 +26,12 @@ "packageRules": [ { "addLabels": ["renovate/grafana-dashboard"], - "commitMessageExtra": "to revision {{newVersion}}", - "commitMessageTopic": "dashboard {{depName}}", "matchDatasources": ["grafana-dashboards", "custom.grafana-dashboards"], "matchUpdateTypes": ["major"], "semanticCommitScope": "grafana-dashboards", - "semanticCommitType": "chore" + "semanticCommitType": "", + "commitMessageTopic": "dashboard {{depName}}", + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" } ] } From e6fd3dade1cc46ed77b41ada7d569a501ea30f1b Mon Sep 17 00:00:00 2001 
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Tue, 19 Dec 2023 21:58:04 -0500 Subject: [PATCH 039/149] =?UTF-8?q?fix(container):=20update=20ghcr.io/unpo?= =?UTF-8?q?ller/unpoller=20(=20v2.9.4=20=E2=86=92=20v2.9.5=20)=20(#6610)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .../main/apps/observability/unpoller/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml b/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml index 0a78f5743ef3c..c35880879759d 100644 --- a/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml @@ -30,7 +30,7 @@ spec: main: image: repository: ghcr.io/unpoller/unpoller - tag: v2.9.4@sha256:20c161781ac544a7548c8dd533f13498201746efdf0853d4625a1dbfd5652a19 + tag: v2.9.5@sha256:486a63339969fd5207697502e29e4875f4bf7d7ef5c558188b192f2f88fdd3d6 env: TZ: America/New_York UP_UNIFI_DEFAULT_ROLE: home-ops From 0951f28bd4790320b41ccb19bff60974a711875d Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 08:33:00 -0500 Subject: [PATCH 040/149] feat: add flux-hr-image-test workflow Signed-off-by: Devin Buhl --- .github/workflows/flux-hr-image-test.yaml | 101 ++++++++++++++++++ .github/workflows/kubeconform.yaml | 4 +- .../workflows/resources/extract-images.mjs | 96 +++++++++++++++++ .github/workflows/resources/flake.nix | 1 + 4 files changed, 199 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/flux-hr-image-test.yaml create mode 100755 .github/workflows/resources/extract-images.mjs diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml new file mode 100644 index 0000000000000..23e2cad368970 --- /dev/null 
+++ b/.github/workflows/flux-hr-image-test.yaml 
@@ -0,0 +1,101 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json +name: "Flux Helm Release Image Test" + +on: + pull_request: + branches: ["main"] + paths: ["kubernetes/**/helmrelease.yaml"] + +env: + DEBCONF_NONINTERACTIVE_SEEN: "true" + DEBIAN_FRONTEND: noninteractive + APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn + WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources + WORKFLOW_KUBERNETES_DIR: ./kubernetes + +jobs: + changed-files: + name: Get Changed Files + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.changed-files.outputs.all_changed_and_modified_files }} + steps: + - name: Generate Token + uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + id: app-token + with: + app-id: "${{ secrets.BOT_APP_ID }}" + private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + token: "${{ steps.app-token.outputs.token }}" + fetch-depth: 0 + + - name: Get changed files + id: changed-files + uses: tj-actions/changed-files@56284d80811fb5963a972b438f2870f175e5b7c8 # v40.2.3 + with: + files: kubernetes/**/helmrelease.yaml + json: true + + extract-images: + name: Extract images from Helm Release + runs-on: ubuntu-latest + needs: ["changed-files"] + strategy: + matrix: + files: ${{ fromJSON(needs.changed-files.outputs.matrix) }} + max-parallel: 4 + fail-fast: false + outputs: + matrix: ${{ steps.extract-images.outputs.images }} + steps: + - name: Generate Token + uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + id: app-token + with: + app-id: "${{ secrets.BOT_APP_ID }}" + private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + token: "${{ steps.app-token.outputs.token }}" + fetch-depth: 0 + + - name: Install OS Deps + shell: bash + run: sudo apt-get update && 
sudo apt-get install -y curl git xz-utils + + - name: Install Nix + uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 + with: + github_access_token: "${{ steps.app-token.outputs.token }}" + + - name: Switch to Nix devShell + uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0 + with: + arguments: "${{ env.WORKFLOW_RESOURCE_DIR }}" + + - name: Extract Images from Helm Release + id: extract-images + run: | + images=$(npx zx ${{ env.WORKFLOW_RESOURCE_DIR }}/extract-images.mjs --kubernetes-dir "${{ env.WORKFLOW_KUBERNETES_DIR }}" --helmrelease "${{ matrix.files }}") + echo "images=${images}" >> $GITHUB_OUTPUT + echo "${images}" + + test-images: + name: Test images from Helm Release + runs-on: ubuntu-latest + needs: ["extract-images"] + strategy: + matrix: + files: ${{ fromJSON(needs.extract-images.outputs.matrix) }} + max-parallel: 4 + fail-fast: false + steps: + - name: Test Images from Helm Release + run: docker pull ${{ matrix.images }} diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index 177c6a61c343d..250276d201e56 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -6,9 +6,7 @@ on: workflow_dispatch: pull_request: branches: ["main"] - paths: - - "kubernetes/main/**" - - "kubernetes/storage/**" + paths: ["kubernetes/**"] env: DEBCONF_NONINTERACTIVE_SEEN: "true" diff --git a/.github/workflows/resources/extract-images.mjs b/.github/workflows/resources/extract-images.mjs new file mode 100755 index 0000000000000..9956ad2a5205f --- /dev/null +++ b/.github/workflows/resources/extract-images.mjs 
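Review bot: The `Extract Images from Helm Release` step pastes `${{ matrix.files }}` straight into its `run:` script, and `Test Images from Helm Release` does the same with `${{ matrix.images }}`. Both values derive from the pull request (a changed file path, and `image:` strings rendered from the changed HelmRelease), so they are expanded as script text before the shell's own quoting applies. Hand them to the shell through `env:` and reference the variables quoted, as below. Both checkouts also leave the app token in the workspace git config unless `persist-credentials: false` is set. Separately, `extract-images` is a matrix job and a matrix job's `outputs` keep only the value from the last leg to finish, so `test-images` would likely see the images of a single HelmRelease.

```yaml
      - name: Extract Images from Helm Release
        id: extract-images
        env:
          HELMRELEASE: "${{ matrix.files }}"
        run: |
          images=$(npx zx "${WORKFLOW_RESOURCE_DIR}/extract-images.mjs" --kubernetes-dir "${WORKFLOW_KUBERNETES_DIR}" --helmrelease "${HELMRELEASE}")
          echo "images=${images}" >> "${GITHUB_OUTPUT}"
          echo "${images}"
# … unchanged: test-images job header and matrix …
      - name: Test Images from Helm Release
        env:
          IMAGE: "${{ matrix.images }}"
        run: docker pull "${IMAGE}"
```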
@@ -0,0 +1,96 @@ +#!/usr/bin/env zx +$.verbose = false + +/** + * * extract-images.mjs + * * Extracts all container images from a HelmRelease and renders them as a JSON object + * @param --helmrelease : The source Flux HelmRelease to compare against the target + * @param --kubernetes-dir : The directory containing your Flux manifests including the HelmRepository manifests + */ +const HelmRelease = argv['helmrelease'] +const KubernetesDir = argv['kubernetes-dir'] + +const helm = await which('helm') +const kustomize = await which('kustomize') + +function extractImageValues(data) { + const imageValues = []; + function extractValues(obj) { + for (const key in obj) { + if (typeof obj[key] === 'object') { + extractValues(obj[key]); + } else if (key === 'image') { + imageValues.push(obj[key]); + } + } + } + extractValues(data); + return imageValues; +} + +async function parseHelmRelease(releaseFile) { + const helmRelease = await fs.readFile(releaseFile, 'utf8') + const doc = YAML.parseAllDocuments(helmRelease).map((item) => item.toJS()) + const release = doc.filter((item) => + item.apiVersion === 'helm.toolkit.fluxcd.io/v2beta2' + && item.kind === 'HelmRelease' + ) + return release[0] +} + +async function parseHelmRepository(kubernetesDir, releaseName) { + const files = await globby([`${kubernetesDir}/**/*.yaml`]) + for await (const file of files) { + const contents = await fs.readFile(file, 'utf8') + const repository = YAML.parseAllDocuments(contents).map((item) => item.toJS()) + if (repository[0] && 'apiVersion' in repository[0] && repository[0].apiVersion === 'source.toolkit.fluxcd.io/v1beta2' + && 'kind' in repository[0] && repository[0].kind === 'HelmRepository' + && 'metadata' in repository[0] && 'name' in repository[0].metadata && repository[0].metadata.name === releaseName) + { + return repository[0] + } + } +} + +async function renderKustomize(releaseBaseDir, releaseName) { + const build = await $`${kustomize} build --load-restrictor=LoadRestrictionsNone 
${releaseBaseDir}` + const docs = YAML.parseAllDocuments(build.stdout).map((item) => item.toJS()) + const release = docs.filter((item) => + item.apiVersion === 'helm.toolkit.fluxcd.io/v2beta2' + && item.kind === 'HelmRelease' + && item.metadata.name === releaseName + ) + return release[0] +} + +async function helmTemplate(release, repository) { + const values = new YAML.Document() + values.contents = release.spec.values + const valuesFile = await $`mktemp` + await fs.writeFile(valuesFile.stdout.trim(), values.toString()) + + // Template out helm values into Kubernetes manifests + let manifests + if ('type' in repository.spec && repository.spec.type == 'oci') { + manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false ${repository.spec.url}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` + } else { + await $`${helm} repo add ${release.spec.chart.spec.sourceRef.name} ${repository.spec.url}` + manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false ${release.spec.chart.spec.sourceRef.name}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` + } + + let documents = YAML.parseAllDocuments(manifests.stdout.trim()).map((item) => item.toJS()) + + const images = []; + documents.forEach((doc) => { + const docImageValues = extractImageValues(doc); + images.push(...docImageValues); + }); + return images; +} + +const helmRelease = await parseHelmRelease(HelmRelease) +const kustomizeBuild = await renderKustomize(path.dirname(HelmRelease), helmRelease.metadata.name) +const helmRepository = await parseHelmRepository(KubernetesDir, kustomizeBuild.spec.chart.spec.sourceRef.name) +const images = await helmTemplate(kustomizeBuild, helmRepository) + +echo(JSON.stringify({"images": images})) 
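Review bot: `renderKustomize` runs `kustomize build --load-restrictor=LoadRestrictionsNone` on a directory taken from the pull request, which lets a kustomization in that PR read files outside its own root, in a job that has an app token checked out. Unless the repository layout needs it, drop the flag so the call is just `kustomize build ${releaseBaseDir}`. `helmTemplate` likewise fetches a chart from whatever `spec.url` the matched HelmRepository carries, so that manifest should be treated as reviewed input. `parseHelmRelease` returns `release[0]` unchecked, so a file whose HelmRelease is not `helm.toolkit.fluxcd.io/v2beta2` ends in a TypeError at `helmRelease.metadata.name`; `if (!release[0]) throw new Error('no HelmRelease found in ' + releaseFile)` would say why. The `mktemp` values file is never removed.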
diff --git a/.github/workflows/resources/flake.nix b/.github/workflows/resources/flake.nix index 5d4c741b651c1..dc8d1b82dcf91 100644 --- a/.github/workflows/resources/flake.nix +++ b/.github/workflows/resources/flake.nix @@ -13,6 +13,7 @@ buildInputs = (with pkgs; [ cosign fluxcd + helm kubeconform kubectl kustomize From 694dd5c67b31841c90d525db1605f5466c898b70 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 08:36:08 -0500 Subject: [PATCH 041/149] feat: add flux-hr-image-test workflow Signed-off-by: Devin Buhl --- .github/workflows/flux-hr-image-test.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index 23e2cad368970..15ce63773b164 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml @@ -41,6 +41,9 @@ jobs: files: kubernetes/**/helmrelease.yaml json: true + - name: List all changed files + run: echo "${{ steps.changed-files.outputs.all_changed_and_modified_files }}" + extract-images: name: Extract images from Helm Release runs-on: ubuntu-latest From b995bdb63a1a4d3f05988b065e609bef951e7352 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 08:37:25 -0500 Subject: [PATCH 042/149] feat: add flux-hr-image-test workflow Signed-off-by: Devin Buhl --- .github/workflows/flux-hr-image-test.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index 15ce63773b164..12eb06e83e894 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml @@ -40,6 +40,8 @@ jobs: with: files: kubernetes/**/helmrelease.yaml json: true + quotepath: false + escape_json: false - name: List all changed files run: echo "${{ steps.changed-files.outputs.all_changed_and_modified_files }}" From 0845f03a6b24ae50a4fe6beb27008e158249d924 Mon Sep 17 00:00:00 2001 
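Review bot: The added `List all changed files` step expands `steps.changed-files.outputs.all_changed_and_modified_files` inside a double-quoted string in `run:`, so the list of PR-controlled paths becomes part of the script text. The following commit's hunk on this line (`quotepath: false`, `escape_json: false`) then turns off the escaping the action applied to that list, and the JSON's own double quotes end the shell string. Pass the value through the environment instead: `env:` with `CHANGED_FILES: "${{ steps.changed-files.outputs.all_changed_and_modified_files }}"` and `run: echo "${CHANGED_FILES}"`. The `fromJSON(...)` use in the matrix is unaffected, as it never reaches a shell.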
From: Devin Buhl Date: Wed, 20 Dec 2023 08:45:32 -0500 Subject: [PATCH 043/149] fix: this is not the right helm lol Signed-off-by: Devin Buhl --- .github/workflows/resources/flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/resources/flake.nix b/.github/workflows/resources/flake.nix index dc8d1b82dcf91..3def32bc58e3b 100644 --- a/.github/workflows/resources/flake.nix +++ b/.github/workflows/resources/flake.nix @@ -13,7 +13,7 @@ buildInputs = (with pkgs; [ cosign fluxcd - helm + kubernetes-helm kubeconform kubectl kustomize From ab167620cbc857732c5c2e07d1ec0425ca9b8514 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 08:49:25 -0500 Subject: [PATCH 044/149] feat: add flux-hr-image-test workflow Signed-off-by: Devin Buhl --- .github/workflows/resources/extract-images.mjs | 2 +- .github/workflows/resources/flake.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/resources/extract-images.mjs b/.github/workflows/resources/extract-images.mjs index 9956ad2a5205f..a5c43d2a48ca5 100755 --- a/.github/workflows/resources/extract-images.mjs +++ b/.github/workflows/resources/extract-images.mjs @@ -93,4 +93,4 @@ const kustomizeBuild = await renderKustomize(path.dirname(HelmRelease), helmRele const helmRepository = await parseHelmRepository(KubernetesDir, kustomizeBuild.spec.chart.spec.sourceRef.name) const images = await helmTemplate(kustomizeBuild, helmRepository) -echo(JSON.stringify({"images": images})) +echo(JSON.stringify(images)) diff --git a/.github/workflows/resources/flake.nix b/.github/workflows/resources/flake.nix index 3def32bc58e3b..cdbbbd4421de9 100644 --- a/.github/workflows/resources/flake.nix +++ b/.github/workflows/resources/flake.nix @@ -13,8 +13,8 @@ buildInputs = (with pkgs; [ cosign fluxcd - kubernetes-helm kubeconform + kubernetes-helm kubectl kustomize jo From 976ea234256fc4d7a09d5274f91730259544481d Mon Sep 17 00:00:00 2001 
From: Devin Buhl Date: Wed, 20 Dec 2023 08:52:53 -0500 Subject: [PATCH 045/149] feat: add flux-hr-image-test workflow Signed-off-by: Devin Buhl --- .github/workflows/flux-hr-image-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index 12eb06e83e894..296404733e156 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml @@ -98,7 +98,7 @@ jobs: needs: ["extract-images"] strategy: matrix: - files: ${{ fromJSON(needs.extract-images.outputs.matrix) }} + images: ${{ fromJSON(needs.extract-images.outputs.matrix) }} max-parallel: 4 fail-fast: false steps: From 4c8818153226d97adf752665a3b9b6d338b74cfe Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 12:01:47 -0500 Subject: [PATCH 046/149] fix: downgrade ingress-nginx Signed-off-by: Devin Buhl --- kubernetes/main/apps/network/nginx/external/helmrelease.yaml | 2 +- kubernetes/main/apps/network/nginx/internal/helmrelease.yaml | 2 +- kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kubernetes/main/apps/network/nginx/external/helmrelease.yaml b/kubernetes/main/apps/network/nginx/external/helmrelease.yaml index a696f25541127..832dbe95b8052 100644 --- a/kubernetes/main/apps/network/nginx/external/helmrelease.yaml +++ b/kubernetes/main/apps/network/nginx/external/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: ingress-nginx - version: 4.8.4 + version: 4.8.3 sourceRef: kind: HelmRepository name: ingress-nginx diff --git a/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml b/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml index 7b09ffa6e6f7d..de9bd4c695048 100644 --- a/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml +++ b/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml 
@@ -9,7 +9,7 @@ spec: chart: spec: chart: ingress-nginx - version: 4.8.4 + version: 4.8.3 sourceRef: kind: HelmRepository name: ingress-nginx diff --git a/kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml b/kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml index a1e24ed3d9f89..91dda331baad9 100644 --- a/kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml +++ b/kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: ingress-nginx - version: 4.8.4 + version: 4.8.3 sourceRef: kind: HelmRepository name: ingress-nginx From 758d7773a9b122e14ff362906f9e47c54b2c58bd Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 12:19:05 -0500 Subject: [PATCH 047/149] =?UTF-8?q?feat(helm):=20update=20intel-device-plu?= =?UTF-8?q?gins-operator=20(=200.28.0=20=E2=86=92=200.29.0=20)=20(#6617)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .../main/apps/tools/intel-device-plugin/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/tools/intel-device-plugin/app/helmrelease.yaml b/kubernetes/main/apps/tools/intel-device-plugin/app/helmrelease.yaml index 7f8f61acebcce..856a031ce4130 100644 --- a/kubernetes/main/apps/tools/intel-device-plugin/app/helmrelease.yaml +++ b/kubernetes/main/apps/tools/intel-device-plugin/app/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: intel-device-plugins-operator - version: 0.28.0 + version: 0.29.0 sourceRef: kind: HelmRepository name: intel From 5d29e82b986f4e9f12521230c47c59a788ef90ab Mon Sep 17 00:00:00 2001 
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 12:19:15 -0500 Subject: [PATCH 048/149] =?UTF-8?q?feat(helm):=20update=20intel-device-plu?= =?UTF-8?q?gins-gpu=20(=200.28.1-helm.0=20=E2=86=92=200.29.0=20)=20(#6616)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .../main/apps/tools/intel-device-plugin/gpu/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/tools/intel-device-plugin/gpu/helmrelease.yaml b/kubernetes/main/apps/tools/intel-device-plugin/gpu/helmrelease.yaml index b109562ad9e95..3b67b4db490d2 100644 --- a/kubernetes/main/apps/tools/intel-device-plugin/gpu/helmrelease.yaml +++ b/kubernetes/main/apps/tools/intel-device-plugin/gpu/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: intel-device-plugins-gpu - version: 0.28.1-helm.0 + version: 0.29.0 sourceRef: kind: HelmRepository name: intel From 88a6b6cabffd050bbaf18045881d5837c623e2de Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 14:48:57 -0500 Subject: [PATCH 049/149] =?UTF-8?q?fix(helm):=20update=20rook-ceph=20group?= =?UTF-8?q?=20(=20v1.13.0=20=E2=86=92=20v1.13.1=20)=20(patch)=20(#6562)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml | 2 +- .../main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml index a452bb00b4358..fb2e475522ade 100644 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml 
+++ b/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: rook-ceph - version: v1.13.0 + version: v1.13.1 sourceRef: kind: HelmRepository name: rook-ceph diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml index dfdd462200c2f..30a8b4a2846d7 100644 --- a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml +++ b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: rook-ceph-cluster - version: v1.13.0 + version: v1.13.1 sourceRef: kind: HelmRepository name: rook-ceph From ce9c467c45839450199cabcca64b9a8255d614df Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 15:01:19 -0500 Subject: [PATCH 050/149] chore: skip tests in extract images script Signed-off-by: Devin Buhl --- .github/workflows/resources/extract-images.mjs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/resources/extract-images.mjs b/.github/workflows/resources/extract-images.mjs index a5c43d2a48ca5..06ccb2b93831b 100755 --- a/.github/workflows/resources/extract-images.mjs +++ b/.github/workflows/resources/extract-images.mjs 
@@ -72,10 +72,10 @@ async function helmTemplate(release, repository) { // Template out helm values into Kubernetes manifests let manifests if ('type' in repository.spec && repository.spec.type == 'oci') { - manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false ${repository.spec.url}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` + manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false --skip-tests ${repository.spec.url}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` } else { await $`${helm} repo add ${release.spec.chart.spec.sourceRef.name} ${repository.spec.url}` - manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false ${release.spec.chart.spec.sourceRef.name}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` + manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${release.metadata.name} --include-crds=false --skip-tests ${release.spec.chart.spec.sourceRef.name}/${release.spec.chart.spec.chart} --version ${release.spec.chart.spec.version} --values ${valuesFile.stdout.trim()}` } let documents = YAML.parseAllDocuments(manifests.stdout.trim()).map((item) => item.toJS()) From b333a1641b512f4b2cb2dc698f26f9e5ee9e9b95 Mon Sep 17 00:00:00 2001 
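Review bot: `--skip-tests` had to be added twice because the two `helm template` calls in `helmTemplate` differ only in the chart reference, so the next flag change can easily land in just one branch. Hoisting the shared options into one array keeps the OCI and repository paths identical, e.g. `const common = ['--kube-version', '1.28.0', '--release-name', release.metadata.name, '--include-crds=false', '--skip-tests']`. A single `helm template` call can then take `${common}` plus a `chartRef` chosen per branch; zx quotes each array element separately. The function starts and ends outside this hunk.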
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 15:08:34 -0500 Subject: [PATCH 051/149] =?UTF-8?q?fix(container):=20update=20quay.io/mini?= =?UTF-8?q?o/minio=20(=20release.2023-12-14t18-51-57z=20=E2=86=92=20releas?= =?UTF-8?q?e.2023-12-20t01-00-02z=20)=20(#6611)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> Co-authored-by: Devin Buhl --- kubernetes/storage/apps/default/minio/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/storage/apps/default/minio/app/helmrelease.yaml b/kubernetes/storage/apps/default/minio/app/helmrelease.yaml index 2de3034bfbad3..722f6a30d9f34 100644 --- a/kubernetes/storage/apps/default/minio/app/helmrelease.yaml +++ b/kubernetes/storage/apps/default/minio/app/helmrelease.yaml @@ -32,7 +32,7 @@ spec: main: image: repository: quay.io/minio/minio - tag: RELEASE.2023-12-14T18-51-57Z@sha256:62bffc26326ee5c841d7774b1c94712953d315ee5ca603c124206cabc77681d5 + tag: RELEASE.2023-12-20T01-00-02Z@sha256:5702ea3614203466e8e6616469e460567dc0c82def5a024a90426b25ee4a4d23 env: MINIO_API_CORS_ALLOW_ORIGIN: https://minio.turbo.ac,https://s3.turbo.ac MINIO_BROWSER_REDIRECT_URL: https://minio.turbo.ac From 754e40a7565bb16db3b2d1fa439fd314761d40b1 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 15:39:40 -0500 Subject: [PATCH 052/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 48 ++++++++++++++++++++ .github/workflows/resources/aqua-config.yaml | 12 +++++ aqua.yaml | 12 +++++ 3 files changed, 72 insertions(+) create mode 100644 .github/workflows/aqua-test.yaml create mode 100644 .github/workflows/resources/aqua-config.yaml create mode 100644 aqua.yaml 
diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml new file mode 100644 index 0000000000000..27f6b2cbd34a2 --- /dev/null +++ b/.github/workflows/aqua-test.yaml @@ -0,0 +1,48 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json +name: "Aqua Test" + +on: + push: + branches: ["main"] + +env: + DEBCONF_NONINTERACTIVE_SEEN: "true" + DEBIAN_FRONTEND: noninteractive + APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn + WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources + +jobs: + sync: + name: Flux Kustomization Sync + runs-on: ["arc-runner-set-home-ops"] + steps: + - name: Generate Token + uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + id: app-token + with: + app-id: "${{ secrets.BOT_APP_ID }}" + private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + token: "${{ steps.app-token.outputs.token }}" + fetch-depth: 0 + + # - name: Install OS Deps + # shell: bash + # run: sudo apt-get update && sudo apt-get install -y curl git xz-utils + + - name: Install Aqua + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.21.3 + env: + AQUA_CONFIG: "${{ env.WORKFLOW_RESOURCE_DIR }}/aqua-config.yaml" + + - name: Test Aqua + shell: bash + run: | + flux --version + diff --git a/.github/workflows/resources/aqua-config.yaml b/.github/workflows/resources/aqua-config.yaml new file mode 100644 index 0000000000000..cf8f34baaf9b0 --- /dev/null +++ b/.github/workflows/resources/aqua-config.yaml @@ -0,0 +1,12 @@ +registries: + - type: standard + ref: v4.107.0 + +packages: + - name: fluxcd/flux2@v2.2.2 + - name: helm/helm@v3.13.3 + - name: kubernetes-sigs/kustomize@kustomize/v5.3.0 + - name: kubernetes/kubectl@v1.29.0 + - name: mikefarah/yq@v4.40.5 + - name: sigstore/cosign@v2.2.2 + - name: yannh/kubeconform@v0.6.4 
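Review bot: The `Checkout` step in the new aqua-test.yaml passes the GitHub App token via `token:` and leaves `persist-credentials` at its default. actions/checkout therefore keeps that token in the workspace git configuration for every later step on the self-hosted `arc-runner-set-home-ops` runner. Nothing in this job pushes, so add `persist-credentials: false` under the step's `with:`. The workflow also has no `permissions:` key; a top-level `permissions:` with `contents: read` would pin the default `GITHUB_TOKEN` to read-only regardless of repository settings.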
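Review bot: The new aqua-config.yaml has no `checksum:` section, so the CLIs listed under `packages:` (including `kubectl`, `helm` and `cosign`) are downloaded onto the runner without aqua checking them against recorded digests. The root `aqua.yaml` added in the same commit carries the setting only as commented-out lines. Enable it in both files with `checksum:` holding `enabled: true` and `require_checksum: true`, and commit the checksum file that `aqua update-checksum` generates so a changed release asset fails the install instead of running.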
diff --git a/aqua.yaml b/aqua.yaml new file mode 100644 index 0000000000000..7f3001a7481c7 --- /dev/null +++ b/aqua.yaml @@ -0,0 +1,12 @@ +--- +# aqua - Declarative CLI Version Manager +# https://aquaproj.github.io/ +# checksum: +# enabled: true +# require_checksum: true +# supported_envs: +# - all +registries: +- type: standard + ref: v4.107.0 # renovate: depName=aquaproj/aqua-registry +packages: From aa7994a07d5e1ff678f98ec11302601e67c5484d Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 15:40:22 -0500 Subject: [PATCH 053/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 27f6b2cbd34a2..6a7347dd46145 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -30,9 +30,9 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - # - name: Install OS Deps - # shell: bash - # run: sudo apt-get update && sudo apt-get install -y curl git xz-utils + - name: Install OS Deps + shell: bash + run: sudo apt-get update && sudo apt-get install -y curl - name: Install Aqua uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 From bd0b0293207b95fc26c20c66bb1c4c4b37d934d4 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 15:42:18 -0500 Subject: [PATCH 054/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 6a7347dd46145..665c588538380 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml 
@@ -32,7 +32,7 @@ jobs: - name: Install OS Deps shell: bash - run: sudo apt-get update && sudo apt-get install -y curl + run: sudo apt-get update && sudo apt-get install -y wget - name: Install Aqua uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 From 3b5cdce02a3cd60ab062d1236708fbf01930537e Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 15:45:31 -0500 Subject: [PATCH 055/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 7 +++---- .../workflows/resources/{aqua-config.yaml => aqua.yaml} | 0 2 files changed, 3 insertions(+), 4 deletions(-) rename .github/workflows/resources/{aqua-config.yaml => aqua.yaml} (100%) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 665c588538380..8528a10d5d56f 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -13,8 +13,8 @@ env: WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources jobs: - sync: - name: Flux Kustomization Sync + aqua: + name: Aqua Test runs-on: ["arc-runner-set-home-ops"] steps: - name: Generate Token @@ -32,7 +32,7 @@ jobs: - name: Install OS Deps shell: bash - run: sudo apt-get update && sudo apt-get install -y wget + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl - name: Install Aqua uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 @@ -45,4 +45,3 @@ jobs: shell: bash run: | flux --version - diff --git a/.github/workflows/resources/aqua-config.yaml b/.github/workflows/resources/aqua.yaml similarity index 100% rename from .github/workflows/resources/aqua-config.yaml rename to .github/workflows/resources/aqua.yaml From fd5dc5c18416ee55dc387dd86e093b2f86c08aed Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 15:46:09 -0500 Subject: [PATCH 056/149] chore: test out aqua in gh workflows 
Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 8528a10d5d56f..9fea39b8348d5 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -39,7 +39,7 @@ jobs: with: aqua_version: v2.21.3 env: - AQUA_CONFIG: "${{ env.WORKFLOW_RESOURCE_DIR }}/aqua-config.yaml" + AQUA_CONFIG: "${{ env.WORKFLOW_RESOURCE_DIR }}/aqua.yaml" - name: Test Aqua shell: bash From cfab336639987cf21e51cec150ec67affe26b9fb Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 15:51:44 -0500 Subject: [PATCH 057/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 9fea39b8348d5..05ad0df8d16d1 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -39,9 +39,10 @@ jobs: with: aqua_version: v2.21.3 env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" AQUA_CONFIG: "${{ env.WORKFLOW_RESOURCE_DIR }}/aqua.yaml" - name: Test Aqua shell: bash run: | - flux --version + flux2 --version From 28b561a6dc7d572920cf50557db62923bd3fc52f Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 15:55:03 -0500 Subject: [PATCH 058/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 05ad0df8d16d1..b0009e195ba15 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml 
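Review bot: `GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"` on the `Install Aqua` step hands the GitHub App installation token to the installer, which presumably needs a token only to avoid API rate limits while fetching public releases. The App's permissions are not visible here, but if it can write to the repository then the installer script and aqua itself run with a write-capable credential in their environment. The workflow's own token is enough for this purpose: `GITHUB_TOKEN: "${{ github.token }}"`, ideally combined with a read-only `permissions:` block.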
@@ -38,11 +38,11 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 + aqua_opts: "" env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" AQUA_CONFIG: "${{ env.WORKFLOW_RESOURCE_DIR }}/aqua.yaml" - name: Test Aqua shell: bash - run: | - flux2 --version + run: flux --version From 36a4e09af871cf9f564863c50aac82cf7cf49f22 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 15:56:21 -0500 Subject: [PATCH 059/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index b0009e195ba15..d60a9a6a195b8 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -45,4 +45,4 @@ jobs: - name: Test Aqua shell: bash - run: flux --version + run: kubectl --version From 5e09bf9594597d3004a5405b8f9ad66cc51fa3ff Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 16:08:39 -0500 Subject: [PATCH 060/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index d60a9a6a195b8..7ff4e1eb653d7 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -45,4 +45,4 @@ jobs: - name: Test Aqua shell: bash - run: kubectl --version + run: command -v kubectl From 840ee351a65d56d85612c33b7bdafafa8e7b7817 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 16:09:33 -0500 Subject: [PATCH 061/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 7ff4e1eb653d7..636fcb05fcbc4 100644 
--- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -45,4 +45,4 @@ jobs: - name: Test Aqua shell: bash - run: command -v kubectl + run: kubectl version From 08eefed830f82d94adc08b7cd3c0da6332cabd9b Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 16:12:35 -0500 Subject: [PATCH 062/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 636fcb05fcbc4..8ff23a5a98df1 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -10,7 +10,7 @@ env: DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn - WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources + AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml jobs: aqua: @@ -41,7 +41,6 @@ jobs: aqua_opts: "" env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - AQUA_CONFIG: "${{ env.WORKFLOW_RESOURCE_DIR }}/aqua.yaml" - name: Test Aqua shell: bash From 46bb1b269940505641ad14a2c13a69204108561a Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 16:15:11 -0500 Subject: [PATCH 063/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 8ff23a5a98df1..9c1c3e774e712 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -44,4 +44,11 @@ jobs: - name: Test Aqua shell: bash - run: kubectl version + run: | + kubectl version + flux --version + helm version + kustomize version + yq --version + kubeconform -v + cosign version From 36b04a93985a3d01d25ec1f91e54292bda3ac9ad Mon Sep 17 00:00:00 2001 
From: Devin Buhl Date: Wed, 20 Dec 2023 16:31:51 -0500 Subject: [PATCH 064/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 27 ++++++++++------------ .github/workflows/flux-diff.yaml | 24 +++++++++++-------- .github/workflows/flux-hr-image-test.yaml | 28 ++++++++++++++--------- .github/workflows/flux-hr-sync.yaml | 24 +++++++++++-------- .github/workflows/flux-ks-sync.yaml | 23 ++++++++++++------- .github/workflows/kubeconform.yaml | 23 ++++++++++++------- .github/workflows/publish-schemas.yaml | 24 +++++++++++-------- .github/workflows/publish-terraform.yaml | 23 ++++++++++++------- .github/workflows/resources/aqua.yaml | 1 + .github/workflows/resources/flake.nix | 27 ---------------------- 10 files changed, 120 insertions(+), 104 deletions(-) delete mode 100644 .github/workflows/resources/flake.nix diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 9c1c3e774e712..5ace46717aa15 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -7,10 +7,10 @@ on: branches: ["main"] env: + AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn - AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml jobs: aqua: 
@@ -30,25 +30,22 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Install OS Deps + - name: Install System Tools shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo + + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - name: Install Aqua + - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 aqua_opts: "" env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - - - name: Test Aqua - shell: bash - run: | - kubectl version - flux --version - helm version - kustomize version - yq --version - kubeconform -v - cosign version diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index a2d8535d30cd6..9bf134a66acf2 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -8,10 +8,10 @@ on: paths: ["kubernetes/**"] env: + AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn - WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources jobs: flux-diff: 
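Review bot: The `Install System Tools`, `Cache Aqua` and `Install Aqua and CLI Tools` steps added here are pasted unchanged into the flux-diff, flux-hr-image-test, flux-hr-sync, flux-ks-sync and kubeconform hunks of this commit. Each copy carries its own pinned action SHAs and `aqua_version: v2.21.3`. A pin bumped in one workflow and missed in another leaves jobs running different installer or aqua versions without anyone noticing. Moving the three steps into one local composite action and calling it with `uses: ./<path-to-composite-action>` gives a single place to update and audit. The cache `key` also spells out `./.github/workflows/resources/aqua.yaml` rather than reusing `env.AQUA_CONFIG`, so the two can drift if the file moves.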
@@ -36,19 +36,25 @@ jobs: with: token: "${{ steps.app-token.outputs.token }}" - - name: Install OS Deps + - name: Install System Tools shell: bash - run: sudo apt-get update && sudo apt-get install -y curl git xz-utils + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Install Nix - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: - github_access_token: "${{ steps.app-token.outputs.token }}" + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - name: Switch to Nix devShell - uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0 + - name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: - arguments: "${{ env.WORKFLOW_RESOURCE_DIR }}" + aqua_version: v2.21.3 + aqua_opts: "" + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Diff Resources # uses: allenporter/flux-local/action/diff@19bfc6920e8964a479363bc230e6c329120ead02 # 3.2.0 diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index 296404733e156..a1f5a97548b22 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml @@ -8,11 +8,11 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: + AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn - WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources - WORKFLOW_KUBERNETES_DIR: ./kubernetes + KUBERNETES_DIR: ./kubernetes jobs: changed-files: 
@@ -71,24 +71,30 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Install OS Deps + - name: Install System Tools shell: bash - run: sudo apt-get update && sudo apt-get install -y curl git xz-utils + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Install Nix - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: - github_access_token: "${{ steps.app-token.outputs.token }}" + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - name: Switch to Nix devShell - uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0 + - name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: - arguments: "${{ env.WORKFLOW_RESOURCE_DIR }}" + aqua_version: v2.21.3 + aqua_opts: "" + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Extract Images from Helm Release id: extract-images run: | - images=$(npx zx ${{ env.WORKFLOW_RESOURCE_DIR }}/extract-images.mjs --kubernetes-dir "${{ env.WORKFLOW_KUBERNETES_DIR }}" --helmrelease "${{ matrix.files }}") + images=$(npx zx ./.github/workflows/resources/extract-images.mjs --kubernetes-dir "${{ env.KUBERNETES_DIR }}" --helmrelease "${{ matrix.files }}") echo "images=${images}" >> $GITHUB_OUTPUT echo "${images}" diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index 4ab90b17586ca..3553ac0397fb2 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml 
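Review bot: `npx zx` in the rewritten `Extract Images from Helm Release` command names no version, so unless zx is already installed on the runner it is resolved from the npm registry at run time. Every action in this job is pinned to a commit SHA and the CLIs are pinned through aqua, which leaves the script interpreter as the one unpinned dependency in a job that also holds the App token. Pin it, e.g. `npx zx@<pinned-version> ./.github/workflows/resources/extract-images.mjs ...`, or install it from a committed lockfile. On the following line, `>> "$GITHUB_OUTPUT"` should be quoted.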
@@ -21,10 +21,10 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: + AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn - WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources jobs: sync: @@ -44,19 +44,25 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Install OS Deps + - name: Install System Tools shell: bash - run: sudo apt-get update && sudo apt-get install -y curl git xz-utils + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Install Nix - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: - github_access_token: "${{ steps.app-token.outputs.token }}" + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - name: Switch to Nix devShell - uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0 + - name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: - arguments: "${{ env.WORKFLOW_RESOURCE_DIR }}" + aqua_version: v2.21.3 + aqua_opts: "" + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Write kubeconfig id: kubeconfig diff --git a/.github/workflows/flux-ks-sync.yaml b/.github/workflows/flux-ks-sync.yaml index 7d7c7398ed322..bb7c41a3e0821 100644 --- a/.github/workflows/flux-ks-sync.yaml +++ b/.github/workflows/flux-ks-sync.yaml @@ -8,6 +8,7 @@ on: paths: ["kubernetes/storage/**"] env: + AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn 
@@ -34,19 +35,25 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Install OS Deps + - name: Install System Tools shell: bash - run: sudo apt-get update && sudo apt-get install -y curl git xz-utils + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Install Nix - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: - github_access_token: "${{ steps.app-token.outputs.token }}" + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - name: Switch to Nix devShell - uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0 + - name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: - arguments: "${{ env.WORKFLOW_RESOURCE_DIR }}" + aqua_version: v2.21.3 + aqua_opts: "" + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Write kubeconfig id: kubeconfig diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index 250276d201e56..d50be78f51d1e 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -9,6 +9,7 @@ on: paths: ["kubernetes/**"] env: + AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn 
@@ -34,19 +35,25 @@ jobs: with: token: "${{ steps.app-token.outputs.token }}" - - name: Install OS Deps + - name: Install System Tools shell: bash - run: sudo apt-get update && sudo apt-get install -y curl git xz-utils + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Install Nix - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: - github_access_token: "${{ steps.app-token.outputs.token }}" + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - name: Switch to Nix devShell - uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0 + - name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: - arguments: "${{ env.WORKFLOW_RESOURCE_DIR }}" + aqua_version: v2.21.3 + aqua_opts: "" + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Run kubeconform shell: bash diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 1d3c206c12c9f..a40cb9cc6d406 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -11,10 +11,10 @@ on: paths: [".github/workflows/publish-schemas.yaml"] env: + AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn - WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources SCHEMAS_DIR: /home/runner/crds jobs: 
@@ -37,19 +37,25 @@ jobs: with: token: "${{ steps.app-token.outputs.token }}" - - name: Install OS Deps + - name: Install System Tools shell: bash - run: sudo apt-get update && sudo apt-get install -y curl git xz-utils + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Install Nix - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: - github_access_token: "${{ steps.app-token.outputs.token }}" + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - name: Switch to Nix devShell - uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0 + - name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: - arguments: "${{ env.WORKFLOW_RESOURCE_DIR }}" + aqua_version: v2.21.3 + aqua_opts: "" + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Setup Node uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index f8d0371210e49..6c2ed435bc346 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml @@ -9,6 +9,7 @@ on: paths: ["terraform/**"] env: + AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn 
@@ -34,19 +35,25 @@ jobs: with: token: "${{ steps.app-token.outputs.token }}" - - name: Install OS Deps + - name: Install System Tools shell: bash - run: sudo apt-get update && sudo apt-get install -y curl git xz-utils + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Install Nix - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24 + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: - github_access_token: "${{ steps.app-token.outputs.token }}" + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - name: Switch to Nix devShell - uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0 + - name: Install Aqua and CLI Tools + uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: - arguments: "${{ env.WORKFLOW_RESOURCE_DIR }}" + aqua_version: v2.21.3 + aqua_opts: "" + env: + GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Login to GitHub Container Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 diff --git a/.github/workflows/resources/aqua.yaml b/.github/workflows/resources/aqua.yaml index cf8f34baaf9b0..a838ea37b1608 100644 --- a/.github/workflows/resources/aqua.yaml +++ b/.github/workflows/resources/aqua.yaml @@ -1,3 +1,4 @@ +--- registries: - type: standard ref: v4.107.0 diff --git a/.github/workflows/resources/flake.nix b/.github/workflows/resources/flake.nix deleted file mode 100644 index cdbbbd4421de9..0000000000000 --- a/.github/workflows/resources/flake.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - description = "CI Nix Flake"; - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; - flake-utils.url = "github:numtide/flake-utils"; - }; - outputs = { self, nixpkgs, flake-utils }: - flake-utils.lib.eachDefaultSystem(system: - let pkgs = import nixpkgs { inherit system; }; in { - devShells = { - default = pkgs.mkShell - { - buildInputs = (with pkgs; [ - cosign - fluxcd - kubeconform - kubernetes-helm - kubectl - kustomize - jo - yq - ]); - }; - }; - } - ); -} From a18f9c6d4f6c17eee647d08a3cea6d094cc3cd80 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 16:35:50 -0500 Subject: [PATCH 065/149] chore: test out aqua in gh workflows Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index 5ace46717aa15..e322956e4f0d1 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -3,6 +3,7 @@ name: "Aqua Test" on: + workflow_dispatch: push: branches: ["main"] From 139f07f325d0ae5145c88c1cc60d191fb310bf18 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 16:57:35 -0500 Subject: [PATCH 066/149] feat: renovate aqua config file and move scripts to .github 
Signed-off-by: Devin Buhl --- .github/{workflows/resources => }/aqua.yaml | 0 .github/renovate.json5 | 1 + .../{workflows/resources => scripts}/extract-images.mjs | 0 .github/{workflows/resources => scripts}/kubeconform.sh | 0 .github/workflows/aqua-test.yaml | 4 ++-- .github/workflows/flux-diff.yaml | 4 ++-- .github/workflows/flux-hr-image-test.yaml | 6 +++--- .github/workflows/flux-hr-sync.yaml | 4 ++-- .github/workflows/flux-ks-sync.yaml | 5 ++--- .github/workflows/kubeconform.yaml | 7 +++---- .github/workflows/publish-schemas.yaml | 4 ++-- .github/workflows/publish-terraform.yaml | 5 ++--- 12 files changed, 19 insertions(+), 21 deletions(-) rename .github/{workflows/resources => }/aqua.yaml (100%) rename .github/{workflows/resources => scripts}/extract-images.mjs (100%) rename .github/{workflows/resources => scripts}/kubeconform.sh (100%) diff --git a/.github/workflows/resources/aqua.yaml b/.github/aqua.yaml similarity index 100% rename from .github/workflows/resources/aqua.yaml rename to .github/aqua.yaml diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 98508000fca59..3f91cfe32dd49 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -11,6 +11,7 @@ ":semanticCommits", ":skipStatusChecks", ":timezone(America/New_York)", + "github>aquaproj/aqua-renovate-config:file#1.13.0(.github/aqua.yaml)", "github>onedr0p/home-ops//.github/renovate/allowedVersions.json5", "github>onedr0p/home-ops//.github/renovate/autoMerge.json5", "github>onedr0p/home-ops//.github/renovate/clusters.json5", diff --git a/.github/workflows/resources/extract-images.mjs b/.github/scripts/extract-images.mjs similarity index 100% rename from .github/workflows/resources/extract-images.mjs rename to .github/scripts/extract-images.mjs diff --git a/.github/workflows/resources/kubeconform.sh b/.github/scripts/kubeconform.sh similarity index 100% rename from .github/workflows/resources/kubeconform.sh rename to .github/scripts/kubeconform.sh 
diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index e322956e4f0d1..f0292573b816d 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -8,7 +8,7 @@ on: branches: ["main"] env: - AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml + AQUA_CONFIG: ./.github/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn @@ -39,7 +39,7 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} restore-keys: | v1-aqua-installer-${{runner.os}}-${{runner.arch}}- diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 9bf134a66acf2..3af2967ac84e5 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -8,7 +8,7 @@ on: paths: ["kubernetes/**"] env: - AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml + AQUA_CONFIG: ./.github/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn @@ -44,7 +44,7 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} restore-keys: | v1-aqua-installer-${{runner.os}}-${{runner.arch}}- diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index a1f5a97548b22..37bb01d585d43 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml 
@@ -8,7 +8,7 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: - AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml + AQUA_CONFIG: ./.github/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn @@ -79,7 +79,7 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} restore-keys: | v1-aqua-installer-${{runner.os}}-${{runner.arch}}- @@ -94,7 +94,7 @@ jobs: - name: Extract Images from Helm Release id: extract-images run: | - images=$(npx zx ./.github/workflows/resources/extract-images.mjs --kubernetes-dir "${{ env.KUBERNETES_DIR }}" --helmrelease "${{ matrix.files }}") + images=$(npx zx ./.github/scripts/extract-images.mjs --kubernetes-dir "${{ env.KUBERNETES_DIR }}" --helmrelease "${{ matrix.files }}") echo "images=${images}" >> $GITHUB_OUTPUT echo "${images}" diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index 3553ac0397fb2..26fd7f7c97585 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml @@ -21,7 +21,7 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: - AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml + AQUA_CONFIG: ./.github/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn 
@@ -52,7 +52,7 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} restore-keys: | v1-aqua-installer-${{runner.os}}-${{runner.arch}}- diff --git a/.github/workflows/flux-ks-sync.yaml b/.github/workflows/flux-ks-sync.yaml index bb7c41a3e0821..4421c45a140c2 100644 --- a/.github/workflows/flux-ks-sync.yaml +++ b/.github/workflows/flux-ks-sync.yaml @@ -8,11 +8,10 @@ on: paths: ["kubernetes/storage/**"] env: - AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml + AQUA_CONFIG: ./.github/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn - WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources jobs: sync: @@ -43,7 +42,7 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} restore-keys: | v1-aqua-installer-${{runner.os}}-${{runner.arch}}- diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index d50be78f51d1e..3d6934ccd2e83 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -9,11 +9,10 @@ on: paths: ["kubernetes/**"] env: - AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml + AQUA_CONFIG: ./.github/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn - WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources jobs: kubeconform: 
@@ -43,7 +42,7 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} restore-keys: | v1-aqua-installer-${{runner.os}}-${{runner.arch}}- @@ -57,4 +56,4 @@ jobs: - name: Run kubeconform shell: bash - run: bash ${{ env.WORKFLOW_RESOURCE_DIR }}/kubeconform.sh ${{ matrix.path }} + run: bash ./.github/scripts/kubeconform.sh ${{ matrix.path }} diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index a40cb9cc6d406..6dcd2820775ff 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -11,7 +11,7 @@ on: paths: [".github/workflows/publish-schemas.yaml"] env: - AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml + AQUA_CONFIG: ./.github/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn @@ -45,7 +45,7 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} restore-keys: | v1-aqua-installer-${{runner.os}}-${{runner.arch}}- diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index 6c2ed435bc346..ad934def6bccb 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml 
@@ -9,11 +9,10 @@ on: paths: ["terraform/**"] env: - AQUA_CONFIG: ./.github/workflows/resources/aqua.yaml + AQUA_CONFIG: ./.github/aqua.yaml DEBCONF_NONINTERACTIVE_SEEN: "true" DEBIAN_FRONTEND: noninteractive APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn - WORKFLOW_RESOURCE_DIR: ./.github/workflows/resources jobs: publish-terraform: @@ -43,7 +42,7 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/workflows/resources/aqua.yaml')}} + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} restore-keys: | v1-aqua-installer-${{runner.os}}-${{runner.arch}}- From 3d486a768dc31c8b6ccd3cdd1e991b48cb174833 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 17:10:17 -0500 Subject: [PATCH 067/149] chore: remove deb env vars in workflow Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 3 --- .github/workflows/flux-diff.yaml | 3 --- .github/workflows/flux-hr-image-test.yaml | 3 --- .github/workflows/flux-hr-sync.yaml | 3 --- .github/workflows/flux-ks-sync.yaml | 3 --- .github/workflows/kubeconform.yaml | 3 --- .github/workflows/publish-schemas.yaml | 5 +---- .github/workflows/publish-terraform.yaml | 3 --- 8 files changed, 1 insertion(+), 25 deletions(-) diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml index f0292573b816d..b0266093d1610 100644 --- a/.github/workflows/aqua-test.yaml +++ b/.github/workflows/aqua-test.yaml @@ -9,9 +9,6 @@ on: env: AQUA_CONFIG: ./.github/aqua.yaml - DEBCONF_NONINTERACTIVE_SEEN: "true" - DEBIAN_FRONTEND: noninteractive - APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn jobs: aqua: diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 3af2967ac84e5..b54b0cdbd1b33 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -9,9 +9,6 @@ on: env: AQUA_CONFIG: ./.github/aqua.yaml - DEBCONF_NONINTERACTIVE_SEEN: "true" - DEBIAN_FRONTEND: noninteractive - APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn jobs: flux-diff: diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index 37bb01d585d43..9f6a84e44d1a2 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml @@ -9,9 +9,6 @@ on: env: AQUA_CONFIG: ./.github/aqua.yaml - DEBCONF_NONINTERACTIVE_SEEN: "true" - DEBIAN_FRONTEND: noninteractive - APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn KUBERNETES_DIR: ./kubernetes jobs: diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index 26fd7f7c97585..f5acd656eb887 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml @@ -22,9 +22,6 @@ on: env: AQUA_CONFIG: ./.github/aqua.yaml - DEBCONF_NONINTERACTIVE_SEEN: "true" - DEBIAN_FRONTEND: noninteractive - APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn jobs: sync: diff --git a/.github/workflows/flux-ks-sync.yaml b/.github/workflows/flux-ks-sync.yaml index 4421c45a140c2..d52da99ba60ba 100644 --- a/.github/workflows/flux-ks-sync.yaml +++ b/.github/workflows/flux-ks-sync.yaml @@ -9,9 +9,6 @@ on: env: AQUA_CONFIG: ./.github/aqua.yaml - DEBCONF_NONINTERACTIVE_SEEN: "true" - DEBIAN_FRONTEND: noninteractive - APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn jobs: sync: diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index 3d6934ccd2e83..efeab5f31364b 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -10,9 +10,6 @@ on: env: AQUA_CONFIG: ./.github/aqua.yaml - DEBCONF_NONINTERACTIVE_SEEN: "true" - DEBIAN_FRONTEND: noninteractive - APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn jobs: kubeconform: 
diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 6dcd2820775ff..2bddec9a7e489 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -12,9 +12,6 @@ on: env: AQUA_CONFIG: ./.github/aqua.yaml - DEBCONF_NONINTERACTIVE_SEEN: "true" - DEBIAN_FRONTEND: noninteractive - APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn SCHEMAS_DIR: /home/runner/crds jobs: @@ -82,7 +79,7 @@ jobs: mkdir -p ${{ env.SCHEMAS_DIR }} curl -fsSL -o $GITHUB_WORKSPACE/crd-extractor.sh \ https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh - chmod +x $GITHUB_WORKSPACE/crd-extractor.sh + chmod u+x $GITHUB_WORKSPACE/crd-extractor.sh bash $GITHUB_WORKSPACE/crd-extractor.sh mv /home/runner/.datree/crdSchemas/* ${{ env.SCHEMAS_DIR }} diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index ad934def6bccb..179cda849ef3c 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml @@ -10,9 +10,6 @@ on: env: AQUA_CONFIG: ./.github/aqua.yaml - DEBCONF_NONINTERACTIVE_SEEN: "true" - DEBIAN_FRONTEND: noninteractive - APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn jobs: publish-terraform: From 1a0dadcd2b42ad75fafedc311b2c3b31320f13f8 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 17:14:39 -0500 Subject: [PATCH 068/149] chore: update schemas workflow to lazy load Signed-off-by: Devin Buhl --- .github/workflows/publish-schemas.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 2bddec9a7e489..31236b897b49d 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml 
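Review bot: The publish-schemas.yaml hunk `@@ -82,7 +79,7 @@` still fetches `crd-extractor.sh` from the mutable `main` branch of datreeio/CRDs-catalog and runs it with `bash`; tightening the mode to `chmod u+x` does not change what gets executed. This workflow also decodes `secrets.KUBECONFIG` (visible in a later hunk of the same file), so whatever is on `main` at run time executes with cluster access. Pin the URL to a reviewed commit, `https://raw.githubusercontent.com/datreeio/CRDs-catalog/<PINNED_COMMIT_SHA>/Utilities/crd-extractor.sh`, and verify the download before running it, e.g. `echo "<EXPECTED_SHA256>  $GITHUB_WORKSPACE/crd-extractor.sh" | sha256sum -c -`. The step's `run:` block starts above the hunk.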
@@ -38,19 +38,19 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + # - name: Cache Aqua + # uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + # with: + # path: ~/.local/share/aquaproj-aqua + # key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} + # restore-keys: | + # v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: "" + # aqua_opts: "" env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" From 0dee5c93827a81644abd101aa8540355938d2cf6 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 17:17:28 -0500 Subject: [PATCH 069/149] chore: update schemas workflow Signed-off-by: Devin Buhl --- .github/workflows/publish-schemas.yaml | 37 ++++++++++++++------------ 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 31236b897b49d..64ccb32bd4caf 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml 
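Review bot: The `Cache Aqua` step and `aqua_opts` are disabled by commenting them out, which leaves dead configuration in the workflow with no hint of why. Delete the lines (git history keeps them) or add a comment such as `# cache disabled while testing lazy install; restore before merge`. The same commented-out block is added again to flux-diff.yaml and publish-schemas.yaml in the later "update aqua config global" commit.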
@@ -38,38 +38,36 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - # - name: Cache Aqua - # uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - # with: - # path: ~/.local/share/aquaproj-aqua - # key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - # restore-keys: | - # v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - # aqua_opts: "" + aqua_opts: "" env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - - name: Setup Node - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + - name: Write kubeconfig + id: kubeconfig + uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4 with: - node-version: 18.x + encodedString: "${{ secrets.KUBECONFIG }}" + fileName: kubeconfig - name: Setup Python uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: 3.x - - name: Write kubeconfig - id: kubeconfig - uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4 - with: - encodedString: "${{ secrets.KUBECONFIG }}" - fileName: kubeconfig + - name: Test + run: command -v kubectl && kubectl version --client - name: Download and run crd-extractor env: 
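Review bot: The reorder puts `Write kubeconfig` directly after the aqua install, ahead of `Setup Python` and the new `Test` step, so the decoded `secrets.KUBECONFIG` file exists while steps that do not need it run. Keeping the `timheuer/base64-to-file` step immediately before `Download and run crd-extractor` keeps the credential on disk for the shortest time. The `Test` step (`command -v kubectl && kubectl version --client`) reads like a debugging aid; either drop it before merging or give it a descriptive name such as `- name: Verify kubectl is installed`.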
@@ -83,6 +81,11 @@ jobs: bash $GITHUB_WORKSPACE/crd-extractor.sh mv /home/runner/.datree/crdSchemas/* ${{ env.SCHEMAS_DIR }} + - name: Setup Node + uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + with: + node-version: 18.x + - name: Deploy to Cloudflare Pages uses: cloudflare/wrangler-action@a8be0ea72a399752dd2735fa16ea0d424f2335ca # v3.4.0 with: From a4ee76ac312f8437a89c3757d9395f0dc3b67847 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 17:22:26 -0500 Subject: [PATCH 070/149] chore: update aqua config global Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 18 +++++++++--------- .github/workflows/publish-schemas.yaml | 18 +++++++++--------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index b54b0cdbd1b33..c17198374de43 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -8,7 +8,7 @@ on: paths: ["kubernetes/**"] env: - AQUA_CONFIG: ./.github/aqua.yaml + AQUA_GLOBAL_CONFIG: ./.github/aqua.yaml jobs: flux-diff: 
@@ -37,19 +37,19 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + # - name: Cache Aqua + # uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + # with: + # path: ~/.local/share/aquaproj-aqua + # key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} + # restore-keys: | + # v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: "" + # aqua_opts: "" env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 64ccb32bd4caf..54987ca9ceb44 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -11,7 +11,7 @@ on: paths: [".github/workflows/publish-schemas.yaml"] env: - AQUA_CONFIG: ./.github/aqua.yaml + AQUA_GLOBAL_CONFIG: ./.github/aqua.yaml SCHEMAS_DIR: /home/runner/crds jobs: 
@@ -38,19 +38,19 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + # - name: Cache Aqua + # uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + # with: + # path: ~/.local/share/aquaproj-aqua + # key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} + # restore-keys: | + # v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: "" + # aqua_opts: "" env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" From 17dc8a1db8a8502e77b24c43bd05f32bd7275ab3 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 17:24:22 -0500 Subject: [PATCH 071/149] chore: update aqua config global Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 2 +- .github/workflows/publish-schemas.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index c17198374de43..2c094de5d98ac 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -49,7 +49,7 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - # aqua_opts: "" + aqua_opts: -a env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 54987ca9ceb44..83eb768b0f0b0 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml 
@@ -50,7 +50,7 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - # aqua_opts: "" + aqua_opts: -a env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" From af2a9a11b371c4a48e9b8301182033002f60e52b Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 17:35:08 -0500 Subject: [PATCH 072/149] =?UTF-8?q?feat(container):=20update=20docker.io/r?= =?UTF-8?q?ancher/kubectl=20(=20v1.28.4=20=E2=86=92=20v1.29.0=20)=20(#6619?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> Co-authored-by: Devin Buhl --- .../apps/tools/system-upgrade-controller/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/tools/system-upgrade-controller/app/helmrelease.yaml b/kubernetes/main/apps/tools/system-upgrade-controller/app/helmrelease.yaml index 13d4e7c062e63..3c22b7b3aae8d 100644 --- a/kubernetes/main/apps/tools/system-upgrade-controller/app/helmrelease.yaml +++ b/kubernetes/main/apps/tools/system-upgrade-controller/app/helmrelease.yaml @@ -38,7 +38,7 @@ spec: SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900 SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99 SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent - SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: docker.io/rancher/kubectl:v1.28.4 + SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: docker.io/rancher/kubectl:v1.29.0 SYSTEM_UPGRADE_JOB_PRIVILEGED: true SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900 SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m From f352d54913b6f46b2706bd1737ee0135d161af59 Mon Sep 17 00:00:00 2001 
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 17:35:23 -0500 Subject: [PATCH 073/149] =?UTF-8?q?feat(container):=20update=20docker.io/r?= =?UTF-8?q?ancher/kubectl=20(=20v1.28.4=20=E2=86=92=20v1.29.0=20)=20(#6620?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .../apps/tools/system-upgrade-controller/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/storage/apps/tools/system-upgrade-controller/app/helmrelease.yaml b/kubernetes/storage/apps/tools/system-upgrade-controller/app/helmrelease.yaml index 13d4e7c062e63..3c22b7b3aae8d 100644 --- a/kubernetes/storage/apps/tools/system-upgrade-controller/app/helmrelease.yaml +++ b/kubernetes/storage/apps/tools/system-upgrade-controller/app/helmrelease.yaml @@ -38,7 +38,7 @@ spec: SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900 SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99 SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent - SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: docker.io/rancher/kubectl:v1.28.4 + SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: docker.io/rancher/kubectl:v1.29.0 SYSTEM_UPGRADE_JOB_PRIVILEGED: true SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900 SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m From f23b061b26db245536a66b327592d7b03ef51bf3 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 17:36:13 -0500 Subject: [PATCH 074/149] chore: update aqua config global Signed-off-by: Devin Buhl --- .github/workflows/publish-schemas.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 83eb768b0f0b0..8e8f45e23694a 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml 
@@ -38,13 +38,13 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - # - name: Cache Aqua - # uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - # with: - # path: ~/.local/share/aquaproj-aqua - # key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - # restore-keys: | - # v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 From 068364d24642e426e5d04e63ca17dff2c10232b2 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 17:37:54 -0500 Subject: [PATCH 075/149] chore: update aqua config global Signed-off-by: Devin Buhl --- .github/workflows/aqua-test.yaml | 49 -------------------------------- .github/workflows/flux-diff.yaml | 14 ++++----- 2 files changed, 7 insertions(+), 56 deletions(-) delete mode 100644 .github/workflows/aqua-test.yaml diff --git a/.github/workflows/aqua-test.yaml b/.github/workflows/aqua-test.yaml deleted file mode 100644 index b0266093d1610..0000000000000 --- a/.github/workflows/aqua-test.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json -name: "Aqua Test" - -on: - workflow_dispatch: - push: - branches: ["main"] - -env: - AQUA_CONFIG: ./.github/aqua.yaml - -jobs: - aqua: - name: Aqua Test - runs-on: ["arc-runner-set-home-ops"] - steps: - - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 - id: app-token - with: - app-id: "${{ secrets.BOT_APP_ID }}" - private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - token: "${{ steps.app-token.outputs.token }}" - fetch-depth: 0 - - - name: Install System Tools - shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - - - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 - with: - aqua_version: v2.21.3 - aqua_opts: "" - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 2c094de5d98ac..8b5fa9d72f65a 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -37,13 +37,13 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - # - name: Cache Aqua - # uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - # with: - # path: ~/.local/share/aquaproj-aqua - # key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - # restore-keys: | - # v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + - name: Cache Aqua + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + path: ~/.local/share/aquaproj-aqua + key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} + restore-keys: | + v1-aqua-installer-${{runner.os}}-${{runner.arch}}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 From c410da7e0a9fa16affdd98f1291b6b1d9d48f071 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 17:45:31 -0500 Subject: [PATCH 076/149] chore: move crd-extractor to repo Signed-off-by: Devin Buhl --- .github/scripts/crd-extractor.sh | 109 +++++++++++++++++++++++++ .github/workflows/publish-schemas.yaml | 11 +-- 2 files changed, 111 insertions(+), 9 deletions(-) create mode 100755 .github/scripts/crd-extractor.sh diff --git a/.github/scripts/crd-extractor.sh b/.github/scripts/crd-extractor.sh new file mode 100755 index 0000000000000..12d755aff520b --- /dev/null +++ b/.github/scripts/crd-extractor.sh 
@@ -0,0 +1,109 @@ +#!/usr/bin/env bash +# Source: https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh + +# Check if python3 is installed +if ! command -v python3 &> /dev/null; then + printf "python3 is required for this utility, and is not installed on your machine" + printf "please visit https://www.python.org/downloads/ to install it" + exit 1 +fi +# Check if kubectl is installed +if ! command -v kubectl &> /dev/null; then + printf "kubectl is required for this utility, and is not installed on your machine" + printf "please visit https://kubernetes.io/docs/tasks/tools/#kubectl to install it" + exit 1 +fi + +# Check if the pyyaml module is installed +if ! echo 'import yaml' | python3 &> /dev/null; then + printf "the python3 module 'yaml' is required, and is not installed on your machine.\n" + + while true; do + read -p "Do you wish to install this program? (y/n) " yn + case $yn in + [Yy] ) pip3 install pyyaml; break;; + "" ) pip3 install pyyaml; break;; + [Nn] ) echo "Exiting..."; exit;; + * ) echo "Please answer 'y' (yes) or 'n' (no).";; + esac + done +fi + +# Create temp folder for CRDs +TMP_CRD_DIR=$HOME/.datree/crds +mkdir -p $TMP_CRD_DIR + +# Create final schemas directory +SCHEMAS_DIR=$HOME/.datree/crdSchemas +mkdir -p $SCHEMAS_DIR +cd $SCHEMAS_DIR + +# Create array to store CRD kinds and groups +ORGANIZE_BY_GROUP=true +declare -A CRD_GROUPS 2>/dev/null +if [ $? 
-ne 0 ]; then + # Array creation failed, signal to skip organization by group + ORGANIZE_BY_GROUP=false +fi + +# Extract CRDs from cluster +NUM_OF_CRDS=0 +while read -r crd +do + filename=${crd%% *} + kubectl get crds "$filename" -o yaml > "$TMP_CRD_DIR/$filename.yaml" 2>&1 + + resourceKind=$(grep "kind:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==2{print $2}' | tr '[:upper:]' '[:lower:]') + resourceGroup=$(grep "group:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==1{print $2}') + + # Save name and group for later directory organization + CRD_GROUPS["$resourceKind"]="$resourceGroup" + + let ++NUM_OF_CRDS +done < <(kubectl get crds 2>&1 | sed -n '/NAME/,$p' | tail -n +2) + +# If no CRDs exist in the cluster, exit +if [ $NUM_OF_CRDS == 0 ]; then + printf "No CRDs found in the cluster, exiting...\n" + exit 0 +fi + +# Download converter script +curl https://raw.githubusercontent.com/yannh/kubeconform/master/scripts/openapi2jsonschema.py --output $TMP_CRD_DIR/openapi2jsonschema.py 2>/dev/null + +# Convert crds to jsonSchema +python3 $TMP_CRD_DIR/openapi2jsonschema.py $TMP_CRD_DIR/*.yaml +conversionResult=$? 
+ +# Copy and rename files to support kubeval +rm -rf $SCHEMAS_DIR/master-standalone +mkdir -p $SCHEMAS_DIR/master-standalone +cp $SCHEMAS_DIR/*.json $SCHEMAS_DIR/master-standalone +find $SCHEMAS_DIR/master-standalone -name '*json' -exec bash -c ' mv -f $0 ${0/\_/-stable-}' {} \; + +# Organize schemas by group +if [ $ORGANIZE_BY_GROUP == true ]; then + for schema in $SCHEMAS_DIR/*.json + do + crdFileName=$(basename $schema .json) + crdKind=${crdFileName%%_*} + crdGroup=${CRD_GROUPS[$crdKind]} + mkdir -p $crdGroup + mv $schema ./$crdGroup + done +fi + +CYAN='\033[0;36m' +GREEN='\033[0;32m' +NC='\033[0m' # No Color + +if [ $conversionResult == 0 ]; then + printf "${GREEN}Successfully converted $NUM_OF_CRDS CRDs to JSON schema${NC}\n" + + printf "\nTo validate a CR using various tools, run the relevant command:\n" + printf "\n- ${CYAN}datree:${NC}\n\$ datree test /path/to/file\n" + printf "\n- ${CYAN}kubeconform:${NC}\n\$ kubeconform -summary -output json -schema-location default -schema-location '$HOME/.datree/crdSchemas/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json' /path/to/file\n" + printf "\n- ${CYAN}kubeval:${NC}\n\$ kubeval --additional-schema-locations file:\"$HOME/.datree/crdSchemas\" /path/to/file\n\n" +fi + +rm -rf $TMP_CRD_DIR diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 8e8f45e23694a..29e21cb895cfd 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -12,7 +12,6 @@ on: env: AQUA_GLOBAL_CONFIG: ./.github/aqua.yaml - SCHEMAS_DIR: /home/runner/crds jobs: publish-schemas: 
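Review bot: The converter is still fetched at run time from the mutable `master` branch and run with `python3` without any integrity check (the `curl … openapi2jsonschema.py` line under `# Download converter script`), so vendoring `crd-extractor.sh` removes only one of the two remote-code fetches. The workflow step that runs this script sets `KUBECONFIG`, so whatever that URL serves executes with cluster credentials. `curl` is also called without `-f` and with stderr discarded, so an HTTP error page would be saved as the `.py` file. Pin the URL to a reviewed commit and verify a checksum as sketched below (placeholders to be filled in), or vendor the converter next to this script. The `pip3 install pyyaml` fallback is likewise unpinned, and the `read -p` prompt in front of it has no terminal to answer it in CI.

```shell
# Download converter script
# Placeholders: fill in a reviewed commit of yannh/kubeconform and the sha256 of the file at that commit.
CONVERTER_COMMIT="<PINNED_COMMIT_SHA>"
CONVERTER_SHA256="<EXPECTED_SHA256>"
curl -fsSL "https://raw.githubusercontent.com/yannh/kubeconform/${CONVERTER_COMMIT}/scripts/openapi2jsonschema.py" \
  --output "$TMP_CRD_DIR/openapi2jsonschema.py" || exit 1
echo "${CONVERTER_SHA256}  $TMP_CRD_DIR/openapi2jsonschema.py" | sha256sum -c - || exit 1
# … unchanged: python3 conversion of $TMP_CRD_DIR/*.yaml …
```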
@@ -73,13 +72,7 @@ jobs: env: KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" shell: bash - run: | - mkdir -p ${{ env.SCHEMAS_DIR }} - curl -fsSL -o $GITHUB_WORKSPACE/crd-extractor.sh \ - https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh - chmod u+x $GITHUB_WORKSPACE/crd-extractor.sh - bash $GITHUB_WORKSPACE/crd-extractor.sh - mv /home/runner/.datree/crdSchemas/* ${{ env.SCHEMAS_DIR }} + run: bash ./.github/scripts/crd-extractor.sh - name: Setup Node uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 @@ -91,5 +84,5 @@ jobs: with: apiToken: "${{ secrets.CLOUDFLARE_API_TOKEN }}" accountId: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}" - workingDirectory: "${{ env.SCHEMAS_DIR }}" + workingDirectory: /home/runner/.datree/crdSchemas command: pages deploy --project-name=kubernetes-schemas --branch main . From 779e43ced2324f147d7b175eb1bf91e27ed16708 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 17:50:26 -0500 Subject: [PATCH 077/149] =?UTF-8?q?fix(helm):=20update=20grafana=20(=207.0?= =?UTF-8?q?.17=20=E2=86=92=207.0.19=20)=20(#6595)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/observability/grafana/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml index eb81e6faeaba2..11ed2b738ee78 100644 --- a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: grafana - version: 7.0.17 + version: 7.0.19 sourceRef: kind: HelmRepository name: grafana From 3657851d220a42b5930e9e390ef528c6dc559dbf Mon Sep 17 00:00:00 2001 
From: Devin Buhl Date: Wed, 20 Dec 2023 17:51:37 -0500 Subject: [PATCH 078/149] chore: move crd-extractor to repo Signed-off-by: Devin Buhl --- .github/renovate.json5 | 1 - .github/scripts/crd-extractor.sh | 2 +- .github/workflows/publish-schemas.yaml | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 3f91cfe32dd49..98508000fca59 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -11,7 +11,6 @@ ":semanticCommits", ":skipStatusChecks", ":timezone(America/New_York)", - "github>aquaproj/aqua-renovate-config:file#1.13.0(.github/aqua.yaml)", "github>onedr0p/home-ops//.github/renovate/allowedVersions.json5", "github>onedr0p/home-ops//.github/renovate/autoMerge.json5", "github>onedr0p/home-ops//.github/renovate/clusters.json5", diff --git a/.github/scripts/crd-extractor.sh b/.github/scripts/crd-extractor.sh index 12d755aff520b..05dd523da2f57 100755 --- a/.github/scripts/crd-extractor.sh +++ b/.github/scripts/crd-extractor.sh @@ -65,7 +65,7 @@ done < <(kubectl get crds 2>&1 | sed -n '/NAME/,$p' | tail -n +2) # If no CRDs exist in the cluster, exit if [ $NUM_OF_CRDS == 0 ]; then printf "No CRDs found in the cluster, exiting...\n" - exit 0 + exit 1 fi # Download converter script diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 29e21cb895cfd..4cc26a8f6ab00 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -68,7 +68,7 @@ jobs: - name: Test run: command -v kubectl && kubectl version --client - - name: Download and run crd-extractor + - name: Run crd-extractor env: KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" shell: bash From b10bf6869c002f3a22238913c2f060c982f98907 Mon Sep 17 00:00:00 2001 
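Review bot: The `No CRDs found` branch that now exits 1 is also reached when `kubectl get crds` itself fails. The loop input shown in the hunk header merges stderr with `2>&1` and keeps only what follows a `NAME` header, so an authentication or connection error is reported as an empty cluster. Send the message to stderr and name both causes, e.g. `printf "No CRDs found (or kubectl get crds failed), exiting...\n" >&2`, so the failed job points at the real problem. The rest of the script body lies outside this hunk.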
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 17:53:44 -0500 Subject: [PATCH 079/149] =?UTF-8?q?fix(helm):=20update=20reloader=20(=201.?= =?UTF-8?q?0.54=20=E2=86=92=201.0.56=20)=20(#6612)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> Co-authored-by: Devin Buhl --- kubernetes/main/apps/tools/reloader/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/tools/reloader/app/helmrelease.yaml b/kubernetes/main/apps/tools/reloader/app/helmrelease.yaml index e2d4d44a802cb..e7f94e46f8ab2 100644 --- a/kubernetes/main/apps/tools/reloader/app/helmrelease.yaml +++ b/kubernetes/main/apps/tools/reloader/app/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: reloader - version: 1.0.54 + version: 1.0.56 sourceRef: kind: HelmRepository name: stakater From 3bc712668568572850ddbcc83aed224dc89e77e7 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 17:54:04 -0500 Subject: [PATCH 080/149] =?UTF-8?q?fix(helm):=20update=20reloader=20(=201.?= =?UTF-8?q?0.54=20=E2=86=92=201.0.56=20)=20(#6613)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> Co-authored-by: Devin Buhl --- kubernetes/storage/apps/tools/reloader/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/storage/apps/tools/reloader/app/helmrelease.yaml b/kubernetes/storage/apps/tools/reloader/app/helmrelease.yaml index e2d4d44a802cb..e7f94e46f8ab2 100644 --- a/kubernetes/storage/apps/tools/reloader/app/helmrelease.yaml +++ b/kubernetes/storage/apps/tools/reloader/app/helmrelease.yaml 
@@ -9,7 +9,7 @@ spec: chart: spec: chart: reloader - version: 1.0.54 + version: 1.0.56 sourceRef: kind: HelmRepository name: stakater From 083f3f1baf4a17ca6ee530fb91a9acecc1374472 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 19:17:27 -0500 Subject: [PATCH 081/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 10 ++++------ .github/workflows/flux-hr-image-test.yaml | 7 +++---- .github/workflows/flux-hr-sync.yaml | 7 +++---- .github/workflows/flux-ks-sync.yaml | 7 +++---- .github/workflows/kubeconform.yaml | 7 +++---- .github/workflows/publish-schemas.yaml | 7 +++---- .github/workflows/publish-terraform.yaml | 7 +++---- 7 files changed, 22 insertions(+), 30 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 8b5fa9d72f65a..41733e0e563a3 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -8,7 +8,7 @@ on: paths: ["kubernetes/**"] env: - AQUA_GLOBAL_CONFIG: ./.github/aqua.yaml + AQUA_GLOBAL_CONFIG: .github/aqua.yaml jobs: flux-diff: @@ -41,9 +41,8 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} + restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 
@@ -54,8 +53,7 @@ jobs: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Diff Resources - # uses: allenporter/flux-local/action/diff@19bfc6920e8964a479363bc230e6c329120ead02 # 3.2.0 - uses: allenporter/flux-local/action/diff@flux-build + uses: allenporter/flux-local/action/diff@e3e84e4fcdab2191de8e65acfe62b7aedd933be4 # 4.0.0 id: diff with: sources: home-kubernetes diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index 9f6a84e44d1a2..77e4d56a80539 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml @@ -8,7 +8,7 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: - AQUA_CONFIG: ./.github/aqua.yaml + AQUA_CONFIG: .github/aqua.yaml KUBERNETES_DIR: ./kubernetes jobs: @@ -76,9 +76,8 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} + restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index f5acd656eb887..52bda677529cf 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml @@ -21,7 +21,7 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: - AQUA_CONFIG: ./.github/aqua.yaml + AQUA_CONFIG: .github/aqua.yaml jobs: sync: 
@@ -49,9 +49,8 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} + restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 diff --git a/.github/workflows/flux-ks-sync.yaml b/.github/workflows/flux-ks-sync.yaml index d52da99ba60ba..381479ae1d5d3 100644 --- a/.github/workflows/flux-ks-sync.yaml +++ b/.github/workflows/flux-ks-sync.yaml @@ -8,7 +8,7 @@ on: paths: ["kubernetes/storage/**"] env: - AQUA_CONFIG: ./.github/aqua.yaml + AQUA_CONFIG: .github/aqua.yaml jobs: sync: @@ -39,9 +39,8 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} + restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index efeab5f31364b..1d8ac25dc016e 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -9,7 +9,7 @@ on: paths: ["kubernetes/**"] env: - AQUA_CONFIG: ./.github/aqua.yaml + AQUA_CONFIG: .github/aqua.yaml jobs: kubeconform: 
@@ -39,9 +39,8 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} + restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 4cc26a8f6ab00..46da5b8d203a5 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -11,7 +11,7 @@ on: paths: [".github/workflows/publish-schemas.yaml"] env: - AQUA_GLOBAL_CONFIG: ./.github/aqua.yaml + AQUA_GLOBAL_CONFIG: .github/aqua.yaml jobs: publish-schemas: @@ -41,9 +41,8 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} + restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index 179cda849ef3c..0c88f498a3039 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml @@ -9,7 +9,7 @@ on: paths: ["terraform/**"] env: - AQUA_CONFIG: ./.github/aqua.yaml + AQUA_CONFIG: .github/aqua.yaml jobs: publish-terraform: 
@@ -39,9 +39,8 @@ jobs: uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: path: ~/.local/share/aquaproj-aqua - key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('./.github/aqua.yaml')}} - restore-keys: | - v1-aqua-installer-${{runner.os}}-${{runner.arch}}- + key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} + restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 From 66cf692bd4300a817c8993c9b17489a4c993c930 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 19:28:16 -0500 Subject: [PATCH 082/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 49 ++++++++++++++++++++++++++++---- 1 file changed, 43 insertions(+), 6 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 41733e0e563a3..f9aeff24e4d47 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -11,15 +11,51 @@ env: AQUA_GLOBAL_CONFIG: .github/aqua.yaml jobs: + changed-files: + name: Get Changed Files + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.changed-files.outputs.all_changed_and_modified_files }} + steps: + - name: Generate Token + uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + id: app-token + with: + app-id: "${{ secrets.BOT_APP_ID }}" + private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + token: "${{ steps.app-token.outputs.token }}" + fetch-depth: 0 + + - name: Get changed files + id: changed-files + uses: tj-actions/changed-files@56284d80811fb5963a972b438f2870f175e5b7c8 # v40.2.3 + with: + files: kubernetes/** + dir_names: true + dir_names_max_depth: 2 + json: true + quotepath: false + escape_json: false + + - name: List all changed files + run: echo "${{ steps.changed-files.outputs.all_changed_and_modified_files }}" + flux-diff: name: Flux Diff runs-on: ubuntu-latest + needs: ["changed-files"] permissions: pull-requests: write strategy: matrix: - path: ["kubernetes/main", "kubernetes/storage"] - resource: ["helmrelease", "kustomization"] + paths: ${{ fromJSON(needs.changed-files.outputs.matrix) }} + resources: ["helmrelease", "kustomization"] + max-parallel: 4 + fail-fast: false steps: - name: Generate Token uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 @@ -32,6 +68,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" + fetch-depth: 0 - name: Install System Tools shell: bash @@ -48,7 +85,7 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: -a + aqua_opts: "" env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" 
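Review bot: The `List all changed files` step in the new `changed-files` job expands `${{ steps.changed-files.outputs.all_changed_and_modified_files }}` directly inside `run:`, so directory names taken from the pull request become part of the script text before bash parses it, and `escape_json: false` / `quotepath: false` leave them unescaped. Pass the value through the environment instead: add `env:` with `CHANGED_DIRS: "${{ steps.changed-files.outputs.all_changed_and_modified_files }}"` and change the command to `run: echo "$CHANGED_DIRS"`. The same job mints an app token from `BOT_APP_PRIVATE_KEY`, so untrusted strings are best kept out of script bodies here. The workflow trigger is outside this hunk, so how far this is reachable from fork pull requests should be confirmed. The `flux-diff` job's steps also continue outside the hunk.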
@@ -57,15 +94,15 @@ jobs: id: diff with: sources: home-kubernetes - path: "${{ matrix.path }}" - resource: "${{ matrix.resource }}" + path: "${{ matrix.paths }}" + resource: "${{ matrix.resources }}" - if: ${{ steps.diff.outputs.diff != '' }} name: Add comment uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1 with: repo-token: "${{ steps.app-token.outputs.token }}" - message-id: "${{ github.event.pull_request.number }}/${{ matrix.path }}/${{ matrix.resource }}" + message-id: "${{ github.event.pull_request.number }}/${{ matrix.paths }}/${{ matrix.resources }}" message-failure: Diff was not successful message: | ```diff From 4f3f5d49ac8e6bdd234bedaae06524eeae28380d Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 19:32:48 -0500 Subject: [PATCH 083/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index f9aeff24e4d47..6841ed6d23055 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -90,7 +90,8 @@ jobs: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Diff Resources - uses: allenporter/flux-local/action/diff@e3e84e4fcdab2191de8e65acfe62b7aedd933be4 # 4.0.0 + # uses: allenporter/flux-local/action/diff@e3e84e4fcdab2191de8e65acfe62b7aedd933be4 # 4.0.0 + uses: allenporter/flux-local/action/diff@main id: diff with: sources: home-kubernetes From 1ddbf821f68e5a0e582ca0789e08f73429451a9a Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 19:47:10 -0500 Subject: [PATCH 084/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/workflows/publish-schemas.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 46da5b8d203a5..d9db953d7ae22 100644 
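Review bot: `uses: allenporter/flux-local/action/diff@main` in the `Diff Resources` step swaps a commit-pinned action for a mutable branch, so the code this job runs can change without any change in this repository. The job has `pull-requests: write` and an app token in scope (visible in the earlier flux-diff hunks), and the other actions visible in these hunks are pinned by SHA. If a fix that exists only on `main` is needed, pin to that commit, `uses: allenporter/flux-local/action/diff@<COMMIT_SHA_ON_MAIN>`, rather than leaving the pinned line as a comment. The step's `with:` block continues outside the hunk.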
--- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -65,7 +65,7 @@ jobs: python-version: 3.x - name: Test - run: command -v kubectl && kubectl version --client + run: kubectl get nodes - name: Run crd-extractor env: From 3d0b524ffab81b81c62571629e4313234c88b8b6 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 19:48:46 -0500 Subject: [PATCH 085/149] =?UTF-8?q?feat(container):=20update=20gha-runner-?= =?UTF-8?q?scale-set-controller=20(=200.7.0=20=E2=86=92=200.8.0=20)=20(#66?= =?UTF-8?q?15)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> Co-authored-by: Devin Buhl --- .../actions-runner-controller/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml index 620b8d0c02b2f..2057ecbf518c4 100644 --- a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml +++ b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: gha-runner-scale-set-controller - version: 0.7.0 + version: 0.8.0 sourceRef: kind: HelmRepository name: actions-runner-controller From ef4b04fa69f8d7f0baeaf7646ed3e44028c7ed5f Mon Sep 17 00:00:00 2001 
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 19:48:55 -0500 Subject: [PATCH 086/149] =?UTF-8?q?feat(container):=20update=20gha-runner-?= =?UTF-8?q?scale-set=20(=200.7.0=20=E2=86=92=200.8.0=20)=20(#6614)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .../actions-runner-controller/runners/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml index 122928fc20741..baf138197da79 100644 --- a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml +++ b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: gha-runner-scale-set - version: 0.7.0 + version: 0.8.0 sourceRef: kind: HelmRepository name: actions-runner-controller From 3a6dcfa32e8ecac4d943ea460f0a5e59971aaed7 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 19:53:15 -0500 Subject: [PATCH 087/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/workflows/publish-schemas.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index d9db953d7ae22..4ddb0665c99f9 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -65,6 +65,8 @@ jobs: python-version: 3.x - name: Test + env: + KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" run: kubectl get nodes - name: Run crd-extractor From b8104dc0869f64c96c26f82238272ab144ec5c04 Mon Sep 17 00:00:00 2001 
From: Devin Buhl Date: Wed, 20 Dec 2023 19:59:54 -0500 Subject: [PATCH 088/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/scripts/crd-extractor.sh | 2 ++ .github/workflows/publish-schemas.yaml | 9 ++------- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/scripts/crd-extractor.sh b/.github/scripts/crd-extractor.sh index 05dd523da2f57..e0abe84b59eee 100755 --- a/.github/scripts/crd-extractor.sh +++ b/.github/scripts/crd-extractor.sh @@ -32,10 +32,12 @@ fi # Create temp folder for CRDs TMP_CRD_DIR=$HOME/.datree/crds mkdir -p $TMP_CRD_DIR +echo "TMP_CRD_DIR=$TMP_CRD_DIR" # Create final schemas directory SCHEMAS_DIR=$HOME/.datree/crdSchemas mkdir -p $SCHEMAS_DIR +echo "SCHEMAS_DIR=$SCHEMAS_DIR" cd $SCHEMAS_DIR # Create array to store CRD kinds and groups diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 4ddb0665c99f9..0cdcf97142e16 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -64,16 +64,11 @@ jobs: with: python-version: 3.x - - name: Test - env: - KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" - run: kubectl get nodes - - name: Run crd-extractor env: KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" shell: bash - run: bash ./.github/scripts/crd-extractor.sh + run: bash .github/scripts/crd-extractor.sh - name: Setup Node uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 @@ -85,5 +80,5 @@ jobs: with: apiToken: "${{ secrets.CLOUDFLARE_API_TOKEN }}" accountId: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}" - workingDirectory: /home/runner/.datree/crdSchemas + workingDirectory: ~/.datree/crdSchemas command: pages deploy --project-name=kubernetes-schemas --branch main . From 4b79888a803b86350d88097e3fc38e768747411a Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:03:41 -0500 Subject: [PATCH 089/149] chore: update github workflows 
Signed-off-by: Devin Buhl --- .github/scripts/crd-extractor.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/scripts/crd-extractor.sh b/.github/scripts/crd-extractor.sh index e0abe84b59eee..00b0e9b1956a4 100755 --- a/.github/scripts/crd-extractor.sh +++ b/.github/scripts/crd-extractor.sh @@ -32,12 +32,10 @@ fi # Create temp folder for CRDs TMP_CRD_DIR=$HOME/.datree/crds mkdir -p $TMP_CRD_DIR -echo "TMP_CRD_DIR=$TMP_CRD_DIR" # Create final schemas directory SCHEMAS_DIR=$HOME/.datree/crdSchemas mkdir -p $SCHEMAS_DIR -echo "SCHEMAS_DIR=$SCHEMAS_DIR" cd $SCHEMAS_DIR # Create array to store CRD kinds and groups @@ -48,6 +46,8 @@ if [ $? -ne 0 ]; then ORGANIZE_BY_GROUP=false fi +kubectl get crds + # Extract CRDs from cluster NUM_OF_CRDS=0 while read -r crd @@ -61,7 +61,7 @@ do # Save name and group for later directory organization CRD_GROUPS["$resourceKind"]="$resourceGroup" - let ++NUM_OF_CRDS + ((++NUM_OF_CRDS)) || true done < <(kubectl get crds 2>&1 | sed -n '/NAME/,$p' | tail -n +2) # If no CRDs exist in the cluster, exit From b92c70197244f6ce478cb8e55833a4ee26265464 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:12:52 -0500 Subject: [PATCH 090/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/scripts/crd-extractor.sh | 4 +--- .github/workflows/publish-schemas.yaml | 3 +-- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/scripts/crd-extractor.sh b/.github/scripts/crd-extractor.sh index 00b0e9b1956a4..05dd523da2f57 100755 --- a/.github/scripts/crd-extractor.sh +++ b/.github/scripts/crd-extractor.sh @@ -46,8 +46,6 @@ if [ $? -ne 0 ]; then ORGANIZE_BY_GROUP=false fi -kubectl get crds - # Extract CRDs from cluster NUM_OF_CRDS=0 while read -r crd 
@@ -61,7 +59,7 @@ do # Save name and group for later directory organization CRD_GROUPS["$resourceKind"]="$resourceGroup" - ((++NUM_OF_CRDS)) || true + let ++NUM_OF_CRDS done < <(kubectl get crds 2>&1 | sed -n '/NAME/,$p' | tail -n +2) # If no CRDs exist in the cluster, exit diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 0cdcf97142e16..f36f820b55fbf 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -67,8 +67,7 @@ jobs: - name: Run crd-extractor env: KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" - shell: bash - run: bash .github/scripts/crd-extractor.sh + run: ./.github/scripts/crd-extractor.sh - name: Setup Node uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 From 73cdd1c9ee91ae247407f1e09bda7dd4640aaa96 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:21:16 -0500 Subject: [PATCH 091/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/scripts/crd-extractor.sh | 28 -------------------------- .github/workflows/kubeconform.yaml | 2 +- .github/workflows/publish-schemas.yaml | 7 ++++++- 3 files changed, 7 insertions(+), 30 deletions(-) diff --git a/.github/scripts/crd-extractor.sh b/.github/scripts/crd-extractor.sh index 05dd523da2f57..b8bcbfaf79ab4 100755 --- a/.github/scripts/crd-extractor.sh +++ b/.github/scripts/crd-extractor.sh 
@@ -1,34 +1,6 @@ #!/usr/bin/env bash # Source: https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh -# Check if python3 is installed -if ! command -v python3 &> /dev/null; then - printf "python3 is required for this utility, and is not installed on your machine" - printf "please visit https://www.python.org/downloads/ to install it" - exit 1 -fi -# Check if kubectl is installed -if ! command -v kubectl &> /dev/null; then - printf "kubectl is required for this utility, and is not installed on your machine" - printf "please visit https://kubernetes.io/docs/tasks/tools/#kubectl to install it" - exit 1 -fi - -# Check if the pyyaml module is installed -if ! echo 'import yaml' | python3 &> /dev/null; then - printf "the python3 module 'yaml' is required, and is not installed on your machine.\n" - - while true; do - read -p "Do you wish to install this program? (y/n) " yn - case $yn in - [Yy] ) pip3 install pyyaml; break;; - "" ) pip3 install pyyaml; break;; - [Nn] ) echo "Exiting..."; exit;; - * ) echo "Please answer 'y' (yes) or 'n' (no).";; - esac - done -fi - # Create temp folder for CRDs TMP_CRD_DIR=$HOME/.datree/crds mkdir -p $TMP_CRD_DIR diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index 1d8ac25dc016e..0b4f424ba9d44 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -52,4 +52,4 @@ jobs: - name: Run kubeconform shell: bash - run: bash ./.github/scripts/kubeconform.sh ${{ matrix.path }} + run: bash .github/scripts/kubeconform.sh ${{ matrix.path }} diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index f36f820b55fbf..b614d33837871 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml 
@@ -63,11 +63,16 @@ jobs: uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: 3.x + cache: pip + + - name: Install PyYAML + run: pip install pyyaml - name: Run crd-extractor env: KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" - run: ./.github/scripts/crd-extractor.sh + shell: bash + run: bash .github/scripts/crd-extractor.sh - name: Setup Node uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 From 07d502a2a97ba8034bf7f0c0087e2f2d08a5596a Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:24:24 -0500 Subject: [PATCH 092/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/scripts/crd-extractor.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/scripts/crd-extractor.sh b/.github/scripts/crd-extractor.sh index b8bcbfaf79ab4..c25dc545a4483 100755 --- a/.github/scripts/crd-extractor.sh +++ b/.github/scripts/crd-extractor.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash # Source: https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh +set -o errexit # Create temp folder for CRDs TMP_CRD_DIR=$HOME/.datree/crds From 92e33b57b7d5b6ab4dba1b76a144963dd90fb92f Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:49:01 -0500 Subject: [PATCH 093/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/workflows/kubeconform.yaml | 3 ++- .github/workflows/publish-schemas.yaml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index 0b4f424ba9d44..d78a6bc00b797 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -14,7 +14,8 @@ env: jobs: kubeconform: name: Kubeconform - runs-on: ubuntu-latest + # runs-on: ubuntu-latest + runs-on: ["arc-runner-set-home-ops"] strategy: matrix: path: ["kubernetes/main", "kubernetes/storage"] 
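Review bot: `run: pip install pyyaml` in the new `Install PyYAML` step of publish-schemas.yaml installs whatever release is current on PyPI at run time. The same job exports `KUBECONFIG` to the next step and later uses the Cloudflare secrets. Pin the dependency, e.g. `run: pip install pyyaml==<PINNED_VERSION>` (placeholder for the version you have reviewed), or install from a committed requirements file with `--require-hashes`. The added `cache: pip` keys its cache on a dependency file such as `requirements.txt`, and none is visible in this change, so a committed requirements file would serve both the pin and the cache.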
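Review bot: `runs-on: ["arc-runner-set-home-ops"]` in kubeconform.yaml moves the job onto what appears to be the self-hosted runner scale set deployed from this repository. The workflow is path-triggered on `kubernetes/**`, but its event types are outside the hunk; if pull requests from forks can start it, contributor-controlled changes would execute on that runner infrastructure. Confirm that the trigger is limited to trusted refs or that fork runs need approval, and that the runner pods are ephemeral and carry no cluster credentials. The leftover `# runs-on: ubuntu-latest` is dead configuration and is better deleted than commented out. The same two lines are re-applied in PATCH 095.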
diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index b614d33837871..d012ed3cabf1d 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -78,6 +78,7 @@ jobs: uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 with: node-version: 18.x + cache: npm - name: Deploy to Cloudflare Pages uses: cloudflare/wrangler-action@a8be0ea72a399752dd2735fa16ea0d424f2335ca # v3.4.0 From 42d732f6289636bb7deb1f4b6d4fca8b8b6acc5e Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:53:02 -0500 Subject: [PATCH 094/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/workflows/kubeconform.yaml | 3 +-- .github/workflows/publish-schemas.yaml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index d78a6bc00b797..0b4f424ba9d44 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -14,8 +14,7 @@ env: jobs: kubeconform: name: Kubeconform - # runs-on: ubuntu-latest - runs-on: ["arc-runner-set-home-ops"] + runs-on: ubuntu-latest strategy: matrix: path: ["kubernetes/main", "kubernetes/storage"] diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index d012ed3cabf1d..b72155a2a2008 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -62,7 +62,7 @@ jobs: - name: Setup Python uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: - python-version: 3.x + python-version: "3.10" cache: pip - name: Install PyYAML From af2e708ad845fc66c0e41a1190d1ca5034e09065 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:55:13 -0500 Subject: [PATCH 095/149] chore: update github workflows 
Signed-off-by: Devin Buhl --- .github/workflows/kubeconform.yaml | 7 ++++--- .github/workflows/publish-schemas.yaml | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index 0b4f424ba9d44..2f0bc5bc3db0b 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -9,12 +9,13 @@ on: paths: ["kubernetes/**"] env: - AQUA_CONFIG: .github/aqua.yaml + AQUA_GLOBAL_CONFIG: .github/aqua.yaml jobs: kubeconform: name: Kubeconform - runs-on: ubuntu-latest + # runs-on: ubuntu-latest + runs-on: ["arc-runner-set-home-ops"] strategy: matrix: path: ["kubernetes/main", "kubernetes/storage"] @@ -46,7 +47,7 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: "" + aqua_opts: -a env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index b72155a2a2008..d012ed3cabf1d 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -62,7 +62,7 @@ jobs: - name: Setup Python uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: - python-version: "3.10" + python-version: 3.x cache: pip - name: Install PyYAML From b9c0025fc4b7233dc1b21145c3ddd7349d574877 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:57:20 -0500 Subject: [PATCH 096/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/workflows/flux-hr-image-test.yaml | 4 ++-- .github/workflows/flux-hr-sync.yaml | 4 ++-- .github/workflows/flux-ks-sync.yaml | 4 ++-- .github/workflows/publish-terraform.yaml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index 77e4d56a80539..deb1419038ba5 100644 --- a/.github/workflows/flux-hr-image-test.yaml 
+++ b/.github/workflows/flux-hr-image-test.yaml @@ -8,7 +8,7 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: - AQUA_CONFIG: .github/aqua.yaml + AQUA_GLOBAL_CONFIG: .github/aqua.yaml KUBERNETES_DIR: ./kubernetes jobs: @@ -83,7 +83,7 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: "" + aqua_opts: -a env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index 52bda677529cf..9c84663f92b9d 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml @@ -21,7 +21,7 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: - AQUA_CONFIG: .github/aqua.yaml + AQUA_GLOBAL_CONFIG: .github/aqua.yaml jobs: sync: @@ -56,7 +56,7 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: "" + aqua_opts: -a env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/flux-ks-sync.yaml b/.github/workflows/flux-ks-sync.yaml index 381479ae1d5d3..4e09793546fb7 100644 --- a/.github/workflows/flux-ks-sync.yaml +++ b/.github/workflows/flux-ks-sync.yaml @@ -8,7 +8,7 @@ on: paths: ["kubernetes/storage/**"] env: - AQUA_CONFIG: .github/aqua.yaml + AQUA_GLOBAL_CONFIG: .github/aqua.yaml jobs: sync: @@ -46,7 +46,7 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: "" + aqua_opts: -a env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index 0c88f498a3039..624db00b96d67 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml @@ -9,7 +9,7 @@ on: paths: ["terraform/**"] env: - AQUA_CONFIG: .github/aqua.yaml + AQUA_GLOBAL_CONFIG: .github/aqua.yaml jobs: publish-terraform: 
@@ -46,7 +46,7 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: "" + aqua_opts: -a env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" From 024bef892c5c4f8164c22b80974026ffa4055789 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:58:46 -0500 Subject: [PATCH 097/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/scripts/crd-extractor.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/scripts/crd-extractor.sh b/.github/scripts/crd-extractor.sh index c25dc545a4483..a533baffb970a 100755 --- a/.github/scripts/crd-extractor.sh +++ b/.github/scripts/crd-extractor.sh @@ -2,6 +2,8 @@ # Source: https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh set -o errexit +kubectl get nodes + # Create temp folder for CRDs TMP_CRD_DIR=$HOME/.datree/crds mkdir -p $TMP_CRD_DIR From 43f8cca9c3f40183c89221a7d75fb010151d4550 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 20:59:36 -0500 Subject: [PATCH 098/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/workflows/publish-schemas.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index d012ed3cabf1d..dde09d0dc3666 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -68,6 +68,12 @@ jobs: - name: Install PyYAML run: pip install pyyaml + - name: Run crd-extractor + env: + KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" + shell: bash + run: kubectl get nodes + - name: Run crd-extractor env: KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" From 13ffbd85f0389dda60c409cf82ae26fb462e1f4b Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 21:14:27 -0500 Subject: [PATCH 099/149] chore: update github workflows 
Signed-off-by: Devin Buhl --- .../{crd-extractor.sh => extract-crds.sh} | 34 ++++++++++++++++--- .github/workflows/publish-schemas.yaml | 10 ++---- 2 files changed, 31 insertions(+), 13 deletions(-) rename .github/scripts/{crd-extractor.sh => extract-crds.sh} (71%) diff --git a/.github/scripts/crd-extractor.sh b/.github/scripts/extract-crds.sh similarity index 71% rename from .github/scripts/crd-extractor.sh rename to .github/scripts/extract-crds.sh index a533baffb970a..e5262c7624d3f 100755 --- a/.github/scripts/crd-extractor.sh +++ b/.github/scripts/extract-crds.sh @@ -1,8 +1,32 @@ #!/usr/bin/env bash -# Source: https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh -set -o errexit -kubectl get nodes +# Check if python3 is installed +if ! command -v python3 &> /dev/null; then + printf "python3 is required for this utility, and is not installed on your machine" + printf "please visit https://www.python.org/downloads/ to install it" + exit 1 +fi +# Check if kubectl is installed +if ! command -v kubectl &> /dev/null; then + printf "kubectl is required for this utility, and is not installed on your machine" + printf "please visit https://kubernetes.io/docs/tasks/tools/#kubectl to install it" + exit 1 +fi + +# Check if the pyyaml module is installed +if ! echo 'import yaml' | python3 &> /dev/null; then + printf "the python3 module 'yaml' is required, and is not installed on your machine.\n" + + while true; do + read -p "Do you wish to install this program? (y/n) " yn + case $yn in + [Yy] ) pip3 install pyyaml; break;; + "" ) pip3 install pyyaml; break;; + [Nn] ) echo "Exiting..."; exit;; + * ) echo "Please answer 'y' (yes) or 'n' (no).";; + esac + done +fi # Create temp folder for CRDs TMP_CRD_DIR=$HOME/.datree/crds 
@@ -34,13 +58,13 @@ do # Save name and group for later directory organization CRD_GROUPS["$resourceKind"]="$resourceGroup" - let ++NUM_OF_CRDS + ((++NUM_OF_CRDS)) || true done < <(kubectl get crds 2>&1 | sed -n '/NAME/,$p' | tail -n +2) # If no CRDs exist in the cluster, exit if [ $NUM_OF_CRDS == 0 ]; then printf "No CRDs found in the cluster, exiting...\n" - exit 1 + exit 0 fi # Download converter script diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index dde09d0dc3666..d2b126b820e5e 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -68,17 +68,11 @@ jobs: - name: Install PyYAML run: pip install pyyaml - - name: Run crd-extractor + - name: Extract CRDs env: KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" shell: bash - run: kubectl get nodes - - - name: Run crd-extractor - env: - KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" - shell: bash - run: bash .github/scripts/crd-extractor.sh + run: bash .github/scripts/extract-crds.sh - name: Setup Node uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 From d697a1e1313689af57d04314cd5a60944f89e907 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Wed, 20 Dec 2023 21:18:40 -0500 Subject: [PATCH 100/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/scripts/extract-crds.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/scripts/extract-crds.sh b/.github/scripts/extract-crds.sh index e5262c7624d3f..a2bc3ac947b2d 100755 --- a/.github/scripts/extract-crds.sh +++ b/.github/scripts/extract-crds.sh @@ -59,7 +59,7 @@ do CRD_GROUPS["$resourceKind"]="$resourceGroup" ((++NUM_OF_CRDS)) || true -done < <(kubectl get crds 2>&1 | sed -n '/NAME/,$p' | tail -n +2) +done < <(kubectl get crds --no-headers) # If no CRDs exist in the cluster, exit if [ $NUM_OF_CRDS == 0 ]; then From 451f1383d06ebb09c0e9632acb0f99f141344964 Mon Sep 17 00:00:00 2001 
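Review bot: Changing `exit 1` to `exit 0` in the "No CRDs found" branch of extract-crds.sh lets a failed or unauthorised cluster query end as a successful step. The loop reads from `kubectl get crds 2>&1 | sed -n '/NAME/,$p' | tail -n +2`, so an error message without a `NAME` header yields zero entries and the script now exits 0. The workflow then carries on toward the Cloudflare Pages deploy with a schemas directory that is presumably empty. Keep `exit 1` here, or test kubectl on its own before the loop, e.g. `kubectl get crds >/dev/null || exit 1`. The loop and the rest of the script begin outside this hunk.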
From: Devin Buhl Date: Wed, 20 Dec 2023 21:37:04 -0500 Subject: [PATCH 101/149] chore: update github workflows Signed-off-by: Devin Buhl --- .github/scripts/extract-crds.sh | 33 ++++----------------------------- 1 file changed, 4 insertions(+), 29 deletions(-) diff --git a/.github/scripts/extract-crds.sh b/.github/scripts/extract-crds.sh index a2bc3ac947b2d..a94a7b4bf47f8 100755 --- a/.github/scripts/extract-crds.sh +++ b/.github/scripts/extract-crds.sh @@ -1,32 +1,7 @@ #!/usr/bin/env bash +set -o errexit -# Check if python3 is installed -if ! command -v python3 &> /dev/null; then - printf "python3 is required for this utility, and is not installed on your machine" - printf "please visit https://www.python.org/downloads/ to install it" - exit 1 -fi -# Check if kubectl is installed -if ! command -v kubectl &> /dev/null; then - printf "kubectl is required for this utility, and is not installed on your machine" - printf "please visit https://kubernetes.io/docs/tasks/tools/#kubectl to install it" - exit 1 -fi - -# Check if the pyyaml module is installed -if ! echo 'import yaml' | python3 &> /dev/null; then - printf "the python3 module 'yaml' is required, and is not installed on your machine.\n" - - while true; do - read -p "Do you wish to install this program? (y/n) " yn - case $yn in - [Yy] ) pip3 install pyyaml; break;; - "" ) pip3 install pyyaml; break;; - [Nn] ) echo "Exiting..."; exit;; - * ) echo "Please answer 'y' (yes) or 'n' (no).";; - esac - done -fi +KUBECTL_BIN=$(command -v kubectl) # Create temp folder for CRDs TMP_CRD_DIR=$HOME/.datree/crds 
@@ -50,7 +25,7 @@ NUM_OF_CRDS=0 while read -r crd do filename=${crd%% *} - kubectl get crds "$filename" -o yaml > "$TMP_CRD_DIR/$filename.yaml" 2>&1 + $KUBECTL_BIN get crds "$filename" -o yaml > "$TMP_CRD_DIR/$filename.yaml" 2>&1 resourceKind=$(grep "kind:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==2{print $2}' | tr '[:upper:]' '[:lower:]') resourceGroup=$(grep "group:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==1{print $2}') @@ -59,7 +34,7 @@ do CRD_GROUPS["$resourceKind"]="$resourceGroup" ((++NUM_OF_CRDS)) || true -done < <(kubectl get crds --no-headers) +done < <($KUBECTL_BIN get crds --no-headers) # If no CRDs exist in the cluster, exit if [ $NUM_OF_CRDS == 0 ]; then From e5c9b222826dcad197cfff79a28d5c4ef7a568a2 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 22:16:12 -0500 Subject: [PATCH 102/149] =?UTF-8?q?chore(container):=20update=20ghcr.io/au?= =?UTF-8?q?thelia/authelia=20(=2005b25a0=20=E2=86=92=209ad7df9=20)=20(#661?= =?UTF-8?q?8)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/default/authelia/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/default/authelia/app/helmrelease.yaml b/kubernetes/main/apps/default/authelia/app/helmrelease.yaml index 96da40ce60fae..33c9c62a06fa1 100644 --- a/kubernetes/main/apps/default/authelia/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/authelia/app/helmrelease.yaml @@ -47,7 +47,7 @@ spec: main: image: repository: ghcr.io/authelia/authelia - tag: v4.38.0-beta3@sha256:05b25a05109800cbfe969bb8634034749391e429bdf0f3d1be55f00ff421750f + tag: v4.38.0-beta3@sha256:9ad7df91dfec75d2f46d544e3128215b755ee78550b4ed0ed995b5a3fad35458 env: AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:80 AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true" 
From 57390f3eb025a3e499ec9dd794968c8ea2601b96 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 06:57:57 -0500 Subject: [PATCH 103/149] add schema to aqua config file --- .github/aqua.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/aqua.yaml b/.github/aqua.yaml index a838ea37b1608..a3beaf12a2e20 100644 --- a/.github/aqua.yaml +++ b/.github/aqua.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://raw.githubusercontent.com/aquaproj/aqua/main/json-schema/aqua-yaml.json registries: - type: standard ref: v4.107.0 From 348e9a14a993a7e81779d89dfb5feb5755bac1e3 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 07:21:08 -0500 Subject: [PATCH 104/149] chore: use man ref in aqua Signed-off-by: Devin Buhl --- .github/aqua.yaml | 2 +- .github/scripts/extract-crds.sh | 6 ++---- .github/workflows/publish-schemas.yaml | 2 -- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/aqua.yaml b/.github/aqua.yaml index a3beaf12a2e20..ec5238abb097d 100644 --- a/.github/aqua.yaml +++ b/.github/aqua.yaml @@ -2,7 +2,7 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/aquaproj/aqua/main/json-schema/aqua-yaml.json registries: - type: standard - ref: v4.107.0 + ref: main packages: - name: fluxcd/flux2@v2.2.2 diff --git a/.github/scripts/extract-crds.sh b/.github/scripts/extract-crds.sh index a94a7b4bf47f8..f14343fb22f83 100755 --- a/.github/scripts/extract-crds.sh +++ b/.github/scripts/extract-crds.sh @@ -1,8 +1,6 @@ #!/usr/bin/env bash set -o errexit -KUBECTL_BIN=$(command -v kubectl) - # Create temp folder for CRDs TMP_CRD_DIR=$HOME/.datree/crds mkdir -p $TMP_CRD_DIR 
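Review bot: `ref: main` on the standard registry in .github/aqua.yaml makes every workflow that installs tools through aqua resolve its package definitions from whatever the registry's main branch holds at run time. The registry decides where each binary under `packages` is fetched from, so a moving ref weakens the version pins listed below it and makes runs non-reproducible. Keep a tagged ref, `ref: v4.107.0`, and let the dependency bot raise it through a reviewable commit. The package list continues outside the hunk.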
@@ -25,7 +23,7 @@ NUM_OF_CRDS=0 while read -r crd do filename=${crd%% *} - $KUBECTL_BIN get crds "$filename" -o yaml > "$TMP_CRD_DIR/$filename.yaml" 2>&1 + kubectl get crds "$filename" -o yaml > "$TMP_CRD_DIR/$filename.yaml" 2>&1 resourceKind=$(grep "kind:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==2{print $2}' | tr '[:upper:]' '[:lower:]') resourceGroup=$(grep "group:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==1{print $2}') @@ -34,7 +32,7 @@ do CRD_GROUPS["$resourceKind"]="$resourceGroup" ((++NUM_OF_CRDS)) || true -done < <($KUBECTL_BIN get crds --no-headers) +done < <(kubectl get crds --no-headers) # If no CRDs exist in the cluster, exit if [ $NUM_OF_CRDS == 0 ]; then diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index d2b126b820e5e..7a66854ca3a3c 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -63,7 +63,6 @@ jobs: uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: 3.x - cache: pip - name: Install PyYAML run: pip install pyyaml @@ -78,7 +77,6 @@ jobs: uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 with: node-version: 18.x - cache: npm - name: Deploy to Cloudflare Pages uses: cloudflare/wrangler-action@a8be0ea72a399752dd2735fa16ea0d424f2335ca # v3.4.0 From d9f23749da1a50675261758ef2e4ba643de1976b Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 07:25:58 -0500 Subject: [PATCH 105/149] chore: use kubectl action for schemas Signed-off-by: Devin Buhl --- .github/scripts/extract-crds.sh | 81 -------------------------- .github/workflows/publish-schemas.yaml | 27 +++------ 2 files changed, 8 insertions(+), 100 deletions(-) delete mode 100755 .github/scripts/extract-crds.sh diff --git a/.github/scripts/extract-crds.sh b/.github/scripts/extract-crds.sh deleted file mode 100755 index f14343fb22f83..0000000000000 --- a/.github/scripts/extract-crds.sh +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/usr/bin/env bash -set -o errexit - -# Create temp folder for CRDs -TMP_CRD_DIR=$HOME/.datree/crds -mkdir -p $TMP_CRD_DIR - -# Create final schemas directory -SCHEMAS_DIR=$HOME/.datree/crdSchemas -mkdir -p $SCHEMAS_DIR -cd $SCHEMAS_DIR - -# Create array to store CRD kinds and groups -ORGANIZE_BY_GROUP=true -declare -A CRD_GROUPS 2>/dev/null -if [ $? -ne 0 ]; then - # Array creation failed, signal to skip organization by group - ORGANIZE_BY_GROUP=false -fi - -# Extract CRDs from cluster -NUM_OF_CRDS=0 -while read -r crd -do - filename=${crd%% *} - kubectl get crds "$filename" -o yaml > "$TMP_CRD_DIR/$filename.yaml" 2>&1 - - resourceKind=$(grep "kind:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==2{print $2}' | tr '[:upper:]' '[:lower:]') - resourceGroup=$(grep "group:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==1{print $2}') - - # Save name and group for later directory organization - CRD_GROUPS["$resourceKind"]="$resourceGroup" - - ((++NUM_OF_CRDS)) || true -done < <(kubectl get crds --no-headers) - -# If no CRDs exist in the cluster, exit -if [ $NUM_OF_CRDS == 0 ]; then - printf "No CRDs found in the cluster, exiting...\n" - exit 0 -fi - -# Download converter script -curl https://raw.githubusercontent.com/yannh/kubeconform/master/scripts/openapi2jsonschema.py --output $TMP_CRD_DIR/openapi2jsonschema.py 2>/dev/null - -# Convert crds to jsonSchema -python3 $TMP_CRD_DIR/openapi2jsonschema.py $TMP_CRD_DIR/*.yaml -conversionResult=$? 
- -# Copy and rename files to support kubeval -rm -rf $SCHEMAS_DIR/master-standalone -mkdir -p $SCHEMAS_DIR/master-standalone -cp $SCHEMAS_DIR/*.json $SCHEMAS_DIR/master-standalone -find $SCHEMAS_DIR/master-standalone -name '*json' -exec bash -c ' mv -f $0 ${0/\_/-stable-}' {} \; - -# Organize schemas by group -if [ $ORGANIZE_BY_GROUP == true ]; then - for schema in $SCHEMAS_DIR/*.json - do - crdFileName=$(basename $schema .json) - crdKind=${crdFileName%%_*} - crdGroup=${CRD_GROUPS[$crdKind]} - mkdir -p $crdGroup - mv $schema ./$crdGroup - done -fi - -CYAN='\033[0;36m' -GREEN='\033[0;32m' -NC='\033[0m' # No Color - -if [ $conversionResult == 0 ]; then - printf "${GREEN}Successfully converted $NUM_OF_CRDS CRDs to JSON schema${NC}\n" - - printf "\nTo validate a CR using various tools, run the relevant command:\n" - printf "\n- ${CYAN}datree:${NC}\n\$ datree test /path/to/file\n" - printf "\n- ${CYAN}kubeconform:${NC}\n\$ kubeconform -summary -output json -schema-location default -schema-location '$HOME/.datree/crdSchemas/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json' /path/to/file\n" - printf "\n- ${CYAN}kubeval:${NC}\n\$ kubeval --additional-schema-locations file:\"$HOME/.datree/crdSchemas\" /path/to/file\n\n" -fi - -rm -rf $TMP_CRD_DIR diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 7a66854ca3a3c..ab6c768f78e37 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml 
@@ -37,20 +37,8 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} - restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - - - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 - with: - aqua_version: v2.21.3 - aqua_opts: -a - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" + - name: Install kubectl + uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2 - name: Write kubeconfig id: kubeconfig @@ -64,14 +52,15 @@ jobs: with: python-version: 3.x - - name: Install PyYAML - run: pip install pyyaml - - - name: Extract CRDs + - name: Download and run crd-extractor env: KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" shell: bash - run: bash .github/scripts/extract-crds.sh + run: | + curl -fsSL -o $GITHUB_WORKSPACE/crd-extractor.sh \ + https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh + chmod +x $GITHUB_WORKSPACE/crd-extractor.sh + bash $GITHUB_WORKSPACE/crd-extractor.sh - name: Setup Node uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 From c2ed5928294940bc722a6f0d6ecfd376a0c67394 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 07:27:49 -0500 Subject: [PATCH 106/149] chore: update workingDirectory path in schema workflow Signed-off-by: Devin Buhl --- .github/workflows/publish-schemas.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index ab6c768f78e37..56526b8cecda3 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml 
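Review bot: The new `Download and run crd-extractor` step fetches the script from the `main` branch of datreeio/CRDs-catalog on every run and executes it with `KUBECONFIG` in its environment. Anything pushed upstream therefore runs against the cluster without review in this repository. Pin the URL to a reviewed commit and verify the file's digest before running it, as sketched below; writing to `$RUNNER_TEMP` also keeps the download out of the checked-out tree, and `chmod +x` is unnecessary when the script is invoked through `bash`. The in-repo copy that this commit deletes fetched `openapi2jsonschema.py` from kubeconform's `master` in the same way, so the upstream script presumably carries that second unpinned download too. The output of this step is what the later Cloudflare Pages step publishes.

```yaml
      - name: Download and run crd-extractor
        # … unchanged: env (KUBECONFIG) and shell …
        run: |
          # <COMMIT_SHA> and <EXPECTED_SHA256> are placeholders for the upstream revision you reviewed
          curl -fsSL -o "$RUNNER_TEMP/crd-extractor.sh" \
            "https://raw.githubusercontent.com/datreeio/CRDs-catalog/<COMMIT_SHA>/Utilities/crd-extractor.sh"
          echo "<EXPECTED_SHA256>  $RUNNER_TEMP/crd-extractor.sh" | sha256sum --check --strict
          bash "$RUNNER_TEMP/crd-extractor.sh"
```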
@@ -10,9 +10,6 @@ on: branches: ["main"] paths: [".github/workflows/publish-schemas.yaml"] -env: - AQUA_GLOBAL_CONFIG: .github/aqua.yaml - jobs: publish-schemas: name: Publish Schemas @@ -72,5 +69,5 @@ jobs: with: apiToken: "${{ secrets.CLOUDFLARE_API_TOKEN }}" accountId: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}" - workingDirectory: ~/.datree/crdSchemas + workingDirectory: /home/runner/.datree/crdSchemas command: pages deploy --project-name=kubernetes-schemas --branch main . From 49a3ba627d907c718b83393151d025cff1085715 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 07:31:14 -0500 Subject: [PATCH 107/149] chore: update workflows Signed-off-by: Devin Buhl --- .github/aqua.yaml | 1 - .github/workflows/flux-diff.yaml | 5 ++--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/aqua.yaml b/.github/aqua.yaml index ec5238abb097d..e346230cc4f5d 100644 --- a/.github/aqua.yaml +++ b/.github/aqua.yaml @@ -10,5 +10,4 @@ packages: - name: kubernetes-sigs/kustomize@kustomize/v5.3.0 - name: kubernetes/kubectl@v1.29.0 - name: mikefarah/yq@v4.40.5 - - name: sigstore/cosign@v2.2.2 - name: yannh/kubeconform@v0.6.4 diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 6841ed6d23055..f8129b0eb8a4b 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -85,13 +85,12 @@ jobs: uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.3 - aqua_opts: "" + aqua_opts: -a env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Diff Resources - # uses: allenporter/flux-local/action/diff@e3e84e4fcdab2191de8e65acfe62b7aedd933be4 # 4.0.0 - uses: allenporter/flux-local/action/diff@main + uses: allenporter/flux-local/action/diff@e3e84e4fcdab2191de8e65acfe62b7aedd933be4 # 4.0.0 id: diff with: sources: home-kubernetes From 2390db1281850a730155f056209cd5e89abe0a22 Mon Sep 17 00:00:00 2001 
From: Devin Buhl Date: Thu, 21 Dec 2023 07:38:24 -0500 Subject: [PATCH 108/149] chore: do not pin digests on gh workflows Signed-off-by: Devin Buhl --- .github/renovate.json5 | 1 - .github/workflows/flux-diff.yaml | 18 +++++++++--------- .github/workflows/flux-hr-image-test.yaml | 14 +++++++------- .github/workflows/flux-hr-sync.yaml | 12 ++++++------ .github/workflows/flux-ks-sync.yaml | 10 +++++----- .github/workflows/kubeconform.yaml | 8 ++++---- .github/workflows/label-sync.yaml | 6 +++--- .github/workflows/labeler.yaml | 4 ++-- .github/workflows/lychee.yaml | 10 +++++----- .github/workflows/publish-docs.yaml | 12 ++++++------ .github/workflows/publish-schemas.yaml | 14 +++++++------- .github/workflows/publish-terraform.yaml | 10 +++++----- .github/workflows/release.yaml | 4 ++-- .github/workflows/renovate.yaml | 6 +++--- 14 files changed, 64 insertions(+), 65 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 98508000fca59..1b41e11337aa5 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -3,7 +3,6 @@ "extends": [ "config:recommended", "docker:enableMajor", - "helpers:pinGitHubActionDigests", "replacements:k8s-registry-move", ":automergeBranch", ":disableRateLimiting", diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index f8129b0eb8a4b..5016a6ac35763 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -18,21 +18,21 @@ jobs: matrix: ${{ steps.changed-files.outputs.all_changed_and_modified_files }} steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@56284d80811fb5963a972b438f2870f175e5b7c8 # v40.2.3 + uses: tj-actions/changed-files@v40.2.3 with: files: kubernetes/** dir_names: true @@ -58,14 +58,14 @@ jobs: fail-fast: false steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 @@ -75,14 +75,14 @@ jobs: run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + uses: actions/cache@v3.3.2 with: path: ~/.local/share/aquaproj-aqua key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + uses: aquaproj/aqua-installer@v2.2.0 with: aqua_version: v2.21.3 aqua_opts: -a 
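Review bot: Every `uses:` line changed in these hunks swaps a full commit SHA for a version tag (for example `actions/create-github-app-token@v1.6.2`), and a tag can be moved by the action's publisher while a SHA cannot. The `Generate Token` step hands `BOT_APP_PRIVATE_KEY` to that action, and later hunks do the same for steps that receive `KUBECONFIG` and `CLOUDFLARE_API_TOKEN`, so a retagged release would run with those secrets. The same commit drops `helpers:pinGitHubActionDigests` from `.github/renovate.json5`, which is presumably what kept the pins current. I would keep the old form, e.g. `uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2`, at least for third-party actions that touch secrets; this applies equally to the hunks in the other workflow files of this commit (flux-hr-image-test, flux-hr-sync, flux-ks-sync, kubeconform, label-sync, labeler, lychee, publish-docs, publish-schemas, publish-terraform, release, renovate).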
@@ -90,7 +90,7 @@ jobs: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Diff Resources - uses: allenporter/flux-local/action/diff@e3e84e4fcdab2191de8e65acfe62b7aedd933be4 # 4.0.0 + uses: allenporter/flux-local/action/diff@4.0.0 id: diff with: sources: home-kubernetes @@ -99,7 +99,7 @@ jobs: - if: ${{ steps.diff.outputs.diff != '' }} name: Add comment - uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1 + uses: mshick/add-pr-comment@v2.8.1 with: repo-token: "${{ steps.app-token.outputs.token }}" message-id: "${{ github.event.pull_request.number }}/${{ matrix.paths }}/${{ matrix.resources }}" diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index deb1419038ba5..2cc4799b8796a 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml @@ -19,21 +19,21 @@ jobs: matrix: ${{ steps.changed-files.outputs.all_changed_and_modified_files }} steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@56284d80811fb5963a972b438f2870f175e5b7c8 # v40.2.3 + uses: tj-actions/changed-files@v40.2.3 with: files: kubernetes/**/helmrelease.yaml json: true 
@@ -56,14 +56,14 @@ jobs: matrix: ${{ steps.extract-images.outputs.images }} steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 @@ -73,14 +73,14 @@ jobs: run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + uses: actions/cache@v3.3.2 with: path: ~/.local/share/aquaproj-aqua key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + uses: aquaproj/aqua-installer@v2.2.0 with: aqua_version: v2.21.3 aqua_opts: -a diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index 9c84663f92b9d..ba2d2ca3c78c2 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml @@ -29,14 +29,14 @@ jobs: runs-on: ["arc-runner-set-home-ops"] steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 
@@ -46,14 +46,14 @@ jobs: run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + uses: actions/cache@v3.3.2 with: path: ~/.local/share/aquaproj-aqua key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + uses: aquaproj/aqua-installer@v2.2.0 with: aqua_version: v2.21.3 aqua_opts: -a @@ -62,7 +62,7 @@ jobs: - name: Write kubeconfig id: kubeconfig - uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4 + uses: timheuer/base64-to-file@v1.2.4 with: encodedString: "${{ secrets.KUBECONFIG }}" fileName: kubeconfig @@ -70,7 +70,7 @@ jobs: - if: ${{ github.event.inputs.clusterName == '' && github.event.inputs.helmRepoNamespace == '' && github.event.inputs.helmRepoName == '' }} name: Get changed files id: changed-files - uses: tj-actions/changed-files@56284d80811fb5963a972b438f2870f175e5b7c8 # v40.2.3 + uses: tj-actions/changed-files@v40.2.3 with: files: kubernetes/**/helmrelease.yaml diff --git a/.github/workflows/flux-ks-sync.yaml b/.github/workflows/flux-ks-sync.yaml index 4e09793546fb7..51f452bf73ed2 100644 --- a/.github/workflows/flux-ks-sync.yaml +++ b/.github/workflows/flux-ks-sync.yaml @@ -19,14 +19,14 @@ jobs: cluster: ["storage"] steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 
@@ -36,14 +36,14 @@ jobs: run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + uses: actions/cache@v3.3.2 with: path: ~/.local/share/aquaproj-aqua key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + uses: aquaproj/aqua-installer@v2.2.0 with: aqua_version: v2.21.3 aqua_opts: -a @@ -52,7 +52,7 @@ jobs: - name: Write kubeconfig id: kubeconfig - uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4 + uses: timheuer/base64-to-file@v1.2.4 with: encodedString: "${{ secrets.KUBECONFIG }}" fileName: kubeconfig diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index 2f0bc5bc3db0b..b610ae65f30f8 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -21,14 +21,14 @@ jobs: path: ["kubernetes/main", "kubernetes/storage"] steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" 
@@ -37,14 +37,14 @@ jobs: run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + uses: actions/cache@v3.3.2 with: path: ~/.local/share/aquaproj-aqua key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + uses: aquaproj/aqua-installer@v2.2.0 with: aqua_version: v2.21.3 aqua_opts: -a diff --git a/.github/workflows/label-sync.yaml b/.github/workflows/label-sync.yaml index a60d7f698b756..67f7f5bb2f5c7 100644 --- a/.github/workflows/label-sync.yaml +++ b/.github/workflows/label-sync.yaml @@ -14,19 +14,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" - name: Sync Labels - uses: EndBug/label-sync@da00f2c11fdb78e4fae44adac2fdd713778ea3e8 # renovate: tag=v2.3.2 + uses: EndBug/label-sync@v2.3.2 with: config-file: .github/labels.yaml token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index 17a7785f5547f..df99c505c5bdb 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml 
@@ -17,14 +17,14 @@ jobs: pull-requests: write steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Labeler - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 + uses: actions/labeler@v5.0.0 with: configuration-path: .github/labeler.yaml repo-token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/lychee.yaml b/.github/workflows/lychee.yaml index e6b9b7ca6b8cf..64598bd911274 100644 --- a/.github/workflows/lychee.yaml +++ b/.github/workflows/lychee.yaml @@ -16,19 +16,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" - name: Scan for broken links - uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421 # v1.8.0 + uses: lycheeverse/lychee-action@v1.8.0 id: lychee env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" 
@@ -38,14 +38,14 @@ jobs: - name: Find Link Checker Issue id: issue-number - uses: micalevisk/last-issue-action@f5661581217cc78cc282d1351aa65bd8bd155003 # v2.2.1 + uses: micalevisk/last-issue-action@v2.2.1 with: token: "${{ steps.app-token.outputs.token }}" state: open labels: "${{ env.ISSUE_LABEL }}" - name: Update Issue - uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f # v4.0.1 + uses: peter-evans/create-issue-from-file@v4.0.1 with: token: "${{ steps.app-token.outputs.token }}" title: Link Checker Dashboard 🔗 diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 7ab61b056cd53..7d2533b0313b1 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -25,20 +25,20 @@ jobs: group: ${{ github.workflow }}-${{ github.ref }} steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" - name: Setup Pages id: pages - uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0 + uses: actions/configure-pages@v4.0.0 with: token: "${{ steps.app-token.outputs.token }}" enablement: true @@ -49,7 +49,7 @@ jobs: args: mdbook build docs - name: Upload artifact - uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8 # v3.0.0 + uses: actions/upload-pages-artifact@v3.0.0 with: path: ./docs/book @@ -62,7 +62,7 @@ jobs: needs: build steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" 
@@ -70,6 +70,6 @@ jobs: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@f33f41b675f0ab2dc5a6863c9a170fe83af3571e # v4.0.0 + uses: actions/deploy-pages@v4.0.0 with: token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 56526b8cecda3..52379312b9ad0 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -19,14 +19,14 @@ jobs: packages: write steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" @@ -35,17 +35,17 @@ jobs: run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - name: Install kubectl - uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2 + uses: azure/setup-kubectl@v3.2 - name: Write kubeconfig id: kubeconfig - uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4 + uses: timheuer/base64-to-file@v1.2.4 with: encodedString: "${{ secrets.KUBECONFIG }}" fileName: kubeconfig - name: Setup Python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@v5.0.0 with: python-version: 3.x 
@@ -60,12 +60,12 @@ jobs: bash $GITHUB_WORKSPACE/crd-extractor.sh - name: Setup Node - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + uses: actions/setup-node@v4.0.1 with: node-version: 18.x - name: Deploy to Cloudflare Pages - uses: cloudflare/wrangler-action@a8be0ea72a399752dd2735fa16ea0d424f2335ca # v3.4.0 + uses: cloudflare/wrangler-action@v3.4.0 with: apiToken: "${{ secrets.CLOUDFLARE_API_TOKEN }}" accountId: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}" diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index 624db00b96d67..67f221ea0a57d 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml @@ -20,14 +20,14 @@ jobs: packages: write steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" @@ -36,14 +36,14 @@ jobs: run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - name: Cache Aqua - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + uses: actions/cache@v3.3.2 with: path: ~/.local/share/aquaproj-aqua key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + uses: aquaproj/aqua-installer@v2.2.0 with: aqua_version: v2.21.3 aqua_opts: -a 
@@ -51,7 +51,7 @@ jobs: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - name: Login to GitHub Container Registry - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@v3.0.0 with: registry: ghcr.io username: "${{ github.actor }}" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 558f40b3f7b3d..6bb2079dd74ac 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -13,14 +13,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index 0e56bd1a803ac..80abefd699192 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml @@ -48,14 +48,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Generate Token - uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2 + uses: actions/create-github-app-token@v1.6.2 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: token: "${{ steps.app-token.outputs.token }}" 
@@ -66,7 +66,7 @@ jobs: echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.WORKFLOW_LOG_LEVEL }}" >> "${GITHUB_ENV}" - name: Renovate - uses: renovatebot/github-action@b8ce565a2e98de1fec9696a76fba7beb01ec29b2 # v39.2.3 + uses: renovatebot/github-action@v39.2.3 with: configurationFile: "${{ env.RENOVATE_ONBOARDING_CONFIG_FILE_NAME }}" token: "${{ steps.app-token.outputs.token }}" From ed9365037585602abae3effba4b9c2ec95053578 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 08:13:02 -0500 Subject: [PATCH 109/149] chore: remove aquaproj to rtx/asdf Signed-off-by: Devin Buhl --- .github/aqua.yaml | 13 ------ .github/workflows/flux-diff.yaml | 38 +++++++++-------- .github/workflows/flux-hr-image-test.yaml | 41 ++++++++++++------- .github/workflows/flux-hr-sync.yaml | 26 ++++-------- .github/workflows/flux-ks-sync.yaml | 25 ++++------- .github/workflows/kubeconform.yaml | 26 ++++-------- .github/workflows/publish-schemas.yaml | 12 ++++-- .github/workflows/publish-terraform.yaml | 25 ++++------- .../runners/helmrelease.yaml | 2 +- 9 files changed, 92 insertions(+), 116 deletions(-) delete mode 100644 .github/aqua.yaml diff --git a/.github/aqua.yaml b/.github/aqua.yaml deleted file mode 100644 index e346230cc4f5d..0000000000000 --- a/.github/aqua.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/aquaproj/aqua/main/json-schema/aqua-yaml.json -registries: - - type: standard - ref: main - -packages: - - name: fluxcd/flux2@v2.2.2 - - name: helm/helm@v3.13.3 - - name: kubernetes-sigs/kustomize@kustomize/v5.3.0 - - name: kubernetes/kubectl@v1.29.0 - - name: mikefarah/yq@v4.40.5 - - name: yannh/kubeconform@v0.6.4 diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 5016a6ac35763..d39388202a176 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -7,8 +7,9 @@ on: branches: ["main"] paths: ["kubernetes/**"] -env: - AQUA_GLOBAL_CONFIG: .github/aqua.yaml +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true jobs: changed-files: @@ -72,22 +73,16 @@ jobs: - name: Install System Tools shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Cache Aqua - uses: actions/cache@v3.3.2 + - name: Install Workflow Tools + uses: jdx/rtx-action@v1 with: - path: ~/.local/share/aquaproj-aqua - key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} - restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- - - - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@v2.2.0 - with: - aqua_version: v2.21.3 - aqua_opts: -a - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" + install: true + cache: true + rtx_toml: | + [tools] + flux2 = "latest" - name: Diff Resources uses: allenporter/flux-local/action/diff@4.0.0 @@ -108,3 +103,14 @@ jobs: ```diff ${{ steps.diff.outputs.diff }} ``` + + # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7 + flux-diff-success: + if: ${{ always() }} + needs: ["flux-diff"] + name: Flux diff successful + runs-on: ubuntu-latest + steps: + - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }} + name: Check matrix status + run: exit 1 diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index 2cc4799b8796a..dc0c4c442028f 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml 
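Review bot: The `Install Workflow Tools` step added in the second hunk installs `flux2 = "latest"` through `jdx/rtx-action@v1`, whereas the deleted `.github/aqua.yaml` fixed each tool to a version (`fluxcd/flux2@v2.2.2` and so on). The binary that runs is therefore whatever is newest at run time, and in flux-hr-sync, flux-ks-sync and publish-schemas these tools run in jobs that also write a kubeconfig from `secrets.KUBECONFIG`. I would carry the versions over, e.g. `flux2 = "2.2.2"` (in whatever format the plugin expects), and reference the action by commit as `jdx/rtx-action@<COMMIT_SHA_PLACEHOLDER> # v1`. The same `"latest"` entries appear in the `rtx_toml` blocks of flux-hr-image-test, flux-hr-sync, flux-ks-sync, kubeconform, publish-schemas and publish-terraform in this commit.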
@@ -8,9 +8,12 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: - AQUA_GLOBAL_CONFIG: .github/aqua.yaml KUBERNETES_DIR: ./kubernetes +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true + jobs: changed-files: name: Get Changed Files @@ -44,6 +47,7 @@ jobs: run: echo "${{ steps.changed-files.outputs.all_changed_and_modified_files }}" extract-images: + if: ${{ needs.changed-files.outputs.matrix != '[]' }} name: Extract images from Helm Release runs-on: ubuntu-latest needs: ["changed-files"] @@ -70,22 +74,17 @@ jobs: - name: Install System Tools shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - - name: Cache Aqua - uses: actions/cache@v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} - restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@v2.2.0 + - name: Install Workflow Tools + uses: jdx/rtx-action@v1 with: - aqua_version: v2.21.3 - aqua_opts: -a - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" + install: true + cache: true + rtx_toml: | + [tools] + helm = "latest" + kustomize = "latest" - name: Extract Images from Helm Release id: extract-images @@ -95,6 +94,7 @@ jobs: echo "${images}" test-images: + if: ${{ needs.extract-images.outputs.matrix != '[]' }} name: Test images from Helm Release runs-on: ubuntu-latest needs: ["extract-images"] 
@@ -106,3 +106,14 @@ jobs: steps: - name: Test Images from Helm Release run: docker pull ${{ matrix.images }} + + # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7 + test-images-success: + if: ${{ always() }} + needs: ["test-images"] + name: Test images from Helm Release successful + runs-on: ubuntu-latest + steps: + - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }} + name: Check matrix status + run: exit 1 diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index ba2d2ca3c78c2..8ba2925e8a753 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml @@ -20,9 +20,6 @@ on: branches: ["main"] paths: ["kubernetes/**/helmrelease.yaml"] -env: - AQUA_GLOBAL_CONFIG: .github/aqua.yaml - jobs: sync: name: Flux Helm Repository Sync @@ -43,22 +40,17 @@ jobs: - name: Install System Tools shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - - name: Cache Aqua - uses: actions/cache@v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} - restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@v2.2.0 + - name: Install Workflow Tools + uses: jdx/rtx-action@v1 with: - aqua_version: v2.21.3 - aqua_opts: -a - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" + install: true + cache: true + rtx_toml: | + [tools] + flux2 = "latest" + yq = "latest" - name: Write kubeconfig id: kubeconfig diff --git a/.github/workflows/flux-ks-sync.yaml b/.github/workflows/flux-ks-sync.yaml index 51f452bf73ed2..b2555a1fa3099 100644 --- a/.github/workflows/flux-ks-sync.yaml +++ b/.github/workflows/flux-ks-sync.yaml 
@@ -7,9 +7,6 @@ on: branches: ["main"] paths: ["kubernetes/storage/**"] -env: - AQUA_GLOBAL_CONFIG: .github/aqua.yaml - jobs: sync: name: Flux Kustomization Sync @@ -33,22 +30,16 @@ jobs: - name: Install System Tools shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - - name: Cache Aqua - uses: actions/cache@v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} - restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@v2.2.0 + - name: Install Workflow Tools + uses: jdx/rtx-action@v1 with: - aqua_version: v2.21.3 - aqua_opts: -a - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" + install: true + cache: true + rtx_toml: | + [tools] + flux2 = "latest" - name: Write kubeconfig id: kubeconfig diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml index b610ae65f30f8..f7054601d9456 100644 --- a/.github/workflows/kubeconform.yaml +++ b/.github/workflows/kubeconform.yaml @@ -8,9 +8,6 @@ on: branches: ["main"] paths: ["kubernetes/**"] -env: - AQUA_GLOBAL_CONFIG: .github/aqua.yaml - jobs: kubeconform: name: Kubeconform 
@@ -34,22 +31,17 @@ jobs: - name: Install System Tools shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - - name: Cache Aqua - uses: actions/cache@v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} - restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@v2.2.0 + - name: Install Workflow Tools + uses: jdx/rtx-action@v1 with: - aqua_version: v2.21.3 - aqua_opts: -a - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" + install: true + cache: true + rtx_toml: | + [tools] + kubeconform = "latest" + kustomize = "latest" - name: Run kubeconform shell: bash diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 52379312b9ad0..0489563c43c3a 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -32,10 +32,16 @@ jobs: - name: Install System Tools shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install kubectl - uses: azure/setup-kubectl@v3.2 + - name: Install Workflow Tools + uses: jdx/rtx-action@v1 + with: + install: true + cache: true + rtx_toml: | + [tools] + kubectl = "latest" - name: Write kubeconfig id: kubeconfig diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index 67f221ea0a57d..992142eb4b2be 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml 
@@ -8,9 +8,6 @@ on: branches: ["main"] paths: ["terraform/**"] -env: - AQUA_GLOBAL_CONFIG: .github/aqua.yaml - jobs: publish-terraform: name: Publish Terraform @@ -33,22 +30,16 @@ jobs: - name: Install System Tools shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git jo - - - name: Cache Aqua - uses: actions/cache@v3.3.2 - with: - path: ~/.local/share/aquaproj-aqua - key: aqua-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.github/aqua.yaml') }} - restore-keys: aqua-${{ runner.os }}-${{ runner.arch }}- + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Aqua and CLI Tools - uses: aquaproj/aqua-installer@v2.2.0 + - name: Install Workflow Tools + uses: jdx/rtx-action@v1 with: - aqua_version: v2.21.3 - aqua_opts: -a - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" + install: true + cache: true + rtx_toml: | + [tools] + flux2 = "latest" - name: Login to GitHub Container Registry uses: docker/login-action@v3.0.0 diff --git a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml index baf138197da79..698043397cc8a 100644 --- a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml +++ b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml @@ -40,7 +40,7 @@ spec: runnerScaleSetName: arc-runner-set-home-ops githubConfigUrl: https://github.com/onedr0p/home-ops minRunners: 1 - maxRunners: 3 + maxRunners: 6 containerMode: type: dind template: From a12baa0c56453152697578a3b98803e523de0d48 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 08:25:48 -0500 Subject: [PATCH 110/149] chore: remove kubeconform workflow - flux-local replaces it 
Signed-off-by: Devin Buhl --- .github/scripts/kubeconform.sh | 54 ----------------------- .github/workflows/flux-diff.yaml | 2 +- .github/workflows/flux-hr-image-test.yaml | 2 +- .github/workflows/kubeconform.yaml | 48 -------------------- .github/workflows/publish-schemas.yaml | 10 +---- 5 files changed, 4 insertions(+), 112 deletions(-) delete mode 100755 .github/scripts/kubeconform.sh delete mode 100644 .github/workflows/kubeconform.yaml diff --git a/.github/scripts/kubeconform.sh b/.github/scripts/kubeconform.sh deleted file mode 100755 index fe957e383f8d3..0000000000000 --- a/.github/scripts/kubeconform.sh +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/usr/bin/env bash -set -o errexit - -KUBERNETES_DIR=$1 -KUBE_VERSION="${2:-1.28.0}" - -[[ -z "${KUBERNETES_DIR}" ]] && echo "Kubernetes location not specified" && exit 1 - -kustomize_args=("--load-restrictor=LoadRestrictionsNone") -kustomize_config="kustomization.yaml" -kubeconform_args=( - "-strict" - "-ignore-missing-schemas" - "-kubernetes-version" - "${KUBE_VERSION}" - "-skip" - "ReplicationSource,ReplicationDestination,Secret" - "-schema-location" - "default" - "-schema-location" - "https://kubernetes-schemas.pages.dev/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" - "-verbose" -) - -echo "=== Validating standalone manifests in ${KUBERNETES_DIR}/flux ===" -find "${KUBERNETES_DIR}/flux" -maxdepth 1 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; - do - kubeconform "${kubeconform_args[@]}" "${file}" - if [[ ${PIPESTATUS[0]} != 0 ]]; then - exit 1 - fi -done - -echo "=== Validating kustomizations in ${KUBERNETES_DIR}/flux ===" -find "${KUBERNETES_DIR}/flux" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file; - do - echo "=== Validating kustomizations in ${file/%$kustomize_config} ===" - kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \ - kubeconform "${kubeconform_args[@]}" - if [[ ${PIPESTATUS[0]} != 0 ]]; then - exit 1 - fi -done - -echo "=== Validating kustomizations in ${KUBERNETES_DIR}/apps ===" -find "${KUBERNETES_DIR}/apps" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file; - do - echo "=== Validating kustomizations in ${file/%$kustomize_config} ===" - kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \ - kubeconform "${kubeconform_args[@]}" - if [[ ${PIPESTATUS[0]} != 0 ]]; then - exit 1 - fi -done diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index d39388202a176..7e6209531ec79 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -8,7 +8,7 @@ on: paths: ["kubernetes/**"] concurrency: - group: ${{ github.ref }}-${{ github.workflow }} + group: ${{ github.workflow }}-${{ github.event.number || github.ref }} cancel-in-progress: true jobs: diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index dc0c4c442028f..b21a08b2f08be 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml @@ -11,7 +11,7 @@ env: KUBERNETES_DIR: ./kubernetes concurrency: - group: ${{ github.ref }}-${{ github.workflow }} + group: ${{ github.workflow }}-${{ github.event.number || github.ref }} cancel-in-progress: true jobs: diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml deleted file mode 100644 index f7054601d9456..0000000000000 --- a/.github/workflows/kubeconform.yaml +++ /dev/null @@ -1,48 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json -name: "Kubeconform" - -on: - workflow_dispatch: - pull_request: - branches: ["main"] - paths: ["kubernetes/**"] - -jobs: - kubeconform: - name: Kubeconform - # runs-on: ubuntu-latest - runs-on: ["arc-runner-set-home-ops"] - strategy: - matrix: - path: ["kubernetes/main", "kubernetes/storage"] - steps: - - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 - id: app-token - with: - app-id: "${{ secrets.BOT_APP_ID }}" - private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - - - name: Checkout - uses: actions/checkout@v4.1.1 - with: - token: "${{ steps.app-token.outputs.token }}" - - - name: Install System Tools - shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - - name: Install Workflow Tools - uses: jdx/rtx-action@v1 - with: - install: true - cache: true - rtx_toml: | - [tools] - kubeconform = "latest" - kustomize = "latest" - - - name: Run kubeconform - shell: bash - run: bash .github/scripts/kubeconform.sh ${{ matrix.path }} 
diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 0489563c43c3a..50c1d0d02d353 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -34,14 +34,8 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Workflow Tools - uses: jdx/rtx-action@v1 - with: - install: true - cache: true - rtx_toml: | - [tools] - kubectl = "latest" + - name: Install kubectl + uses: azure/setup-kubectl@v3.2 - name: Write kubeconfig id: kubeconfig From cbe41a71a63974a42f0088a18f5e1c82ad95693f Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 08:34:27 -0500 Subject: [PATCH 111/149] chore: update workflows Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 4 ++-- .github/workflows/flux-hr-image-test.yaml | 8 ++++---- .github/workflows/flux-hr-sync.yaml | 4 ++-- .github/workflows/flux-ks-sync.yaml | 4 ++-- .github/workflows/lychee.yaml | 6 +++--- .github/workflows/publish-schemas.yaml | 23 ++++++++++++----------- .github/workflows/publish-terraform.yaml | 4 ++-- .github/workflows/renovate.yaml | 12 ++++++------ 8 files changed, 33 insertions(+), 32 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 7e6209531ec79..07a234400a816 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -71,11 +71,11 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Install System Tools + - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Workflow Tools + - name: Setup Workflow Tools uses: jdx/rtx-action@v1 with: install: true diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index b21a08b2f08be..99486720121e1 100644 --- a/.github/workflows/flux-hr-image-test.yaml 
+++ b/.github/workflows/flux-hr-image-test.yaml @@ -8,7 +8,7 @@ on: paths: ["kubernetes/**/helmrelease.yaml"] env: - KUBERNETES_DIR: ./kubernetes + WORKFLOW_KUBERNETES_DIR: ./kubernetes concurrency: group: ${{ github.workflow }}-${{ github.event.number || github.ref }} @@ -72,11 +72,11 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Install System Tools + - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Workflow Tools + - name: Setup Workflow Tools uses: jdx/rtx-action@v1 with: install: true @@ -89,7 +89,7 @@ jobs: - name: Extract Images from Helm Release id: extract-images run: | - images=$(npx zx ./.github/scripts/extract-images.mjs --kubernetes-dir "${{ env.KUBERNETES_DIR }}" --helmrelease "${{ matrix.files }}") + images=$(npx zx ./.github/scripts/extract-images.mjs --kubernetes-dir "${{ env.WORKFLOW_KUBERNETES_DIR }}" --helmrelease "${{ matrix.files }}") echo "images=${images}" >> $GITHUB_OUTPUT echo "${images}" diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index 8ba2925e8a753..aaaf095b08ac7 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml @@ -38,11 +38,11 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Install System Tools + - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Workflow Tools + - name: Setup Workflow Tools uses: jdx/rtx-action@v1 with: install: true diff --git a/.github/workflows/flux-ks-sync.yaml b/.github/workflows/flux-ks-sync.yaml index b2555a1fa3099..3eef99b5d66f1 100644 --- a/.github/workflows/flux-ks-sync.yaml +++ b/.github/workflows/flux-ks-sync.yaml 
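Review bot: In the `Extract Images from Helm Release` step, `"${{ matrix.files }}"` is substituted into the script text before bash parses it, so the surrounding double quotes do not protect against a path that contains shell syntax. The value appears to come from the changed-files output of the triggering change (the matrix definition is outside this hunk), which would make it contributor-controlled. Pass it through the environment instead: add `env:` with `HELMRELEASE: "${{ matrix.files }}"` to the step and call `--helmrelease "${HELMRELEASE}"`. Quoting `"${GITHUB_OUTPUT}"` on the next line is also worth doing. The `Override default config from dispatch variables` step in renovate.yaml has the same pattern, writing `github.event.inputs.*` to `GITHUB_ENV`, although only users who can dispatch the workflow reach it.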
@@ -28,11 +28,11 @@ jobs: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - - name: Install System Tools + - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Workflow Tools + - name: Setup Workflow Tools uses: jdx/rtx-action@v1 with: install: true diff --git a/.github/workflows/lychee.yaml b/.github/workflows/lychee.yaml index 64598bd911274..eecf53e54aee0 100644 --- a/.github/workflows/lychee.yaml +++ b/.github/workflows/lychee.yaml @@ -8,7 +8,7 @@ on: - cron: "0 0 * * *" env: - ISSUE_LABEL: lint/lychee + WORKFLOW_ISSUE_LABEL: lint/lychee jobs: lychee: @@ -42,7 +42,7 @@ jobs: with: token: "${{ steps.app-token.outputs.token }}" state: open - labels: "${{ env.ISSUE_LABEL }}" + labels: "${{ env.WORKFLOW_ISSUE_LABEL }}" - name: Update Issue uses: peter-evans/create-issue-from-file@v4.0.1 @@ -51,4 +51,4 @@ jobs: title: Link Checker Dashboard 🔗 issue-number: "${{ steps.issue-number.outputs.issue-number }}" content-filepath: /tmp/results.md - labels: "${{ env.ISSUE_LABEL }}" + labels: "${{ env.WORKFLOW_ISSUE_LABEL }}" diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 50c1d0d02d353..2b58dbbceb8f6 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -30,11 +30,21 @@ jobs: with: token: "${{ steps.app-token.outputs.token }}" - - name: Install System Tools + - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install kubectl + - name: Setup Python + uses: actions/setup-python@v5.0.0 + with: + python-version: 3.x + + - name: Setup Node + uses: actions/setup-node@v4.0.1 + with: + node-version: 18.x + + - name: Setup kubectl uses: azure/setup-kubectl@v3.2 - name: Write kubeconfig 
@@ -44,11 +54,6 @@ jobs: encodedString: "${{ secrets.KUBECONFIG }}" fileName: kubeconfig - - name: Setup Python - uses: actions/setup-python@v5.0.0 - with: - python-version: 3.x - - name: Download and run crd-extractor env: KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" @@ -59,10 +64,6 @@ jobs: chmod +x $GITHUB_WORKSPACE/crd-extractor.sh bash $GITHUB_WORKSPACE/crd-extractor.sh - - name: Setup Node - uses: actions/setup-node@v4.0.1 - with: - node-version: 18.x - name: Deploy to Cloudflare Pages uses: cloudflare/wrangler-action@v3.4.0 diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index 992142eb4b2be..b381d3d178cef 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml @@ -28,11 +28,11 @@ jobs: with: token: "${{ steps.app-token.outputs.token }}" - - name: Install System Tools + - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Install Workflow Tools + - name: Setup Workflow Tools uses: jdx/rtx-action@v1 with: install: true diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index 80abefd699192..a0e68d303e6ce 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml @@ -31,9 +31,6 @@ concurrency: # Retrieve BOT_USER_ID via `curl -s "https://api.github.com/users/${BOT_USERNAME}%5Bbot%5D" | jq .id` env: - WORKFLOW_DRY_RUN: false - WORKFLOW_LOG_LEVEL: debug - WORKFLOW_VERSION: latest # 37.59.8 RENOVATE_PLATFORM: github RENOVATE_PLATFORM_COMMIT: true RENOVATE_ONBOARDING_CONFIG_FILE_NAME: .github/renovate.json5 
@@ -41,6 +38,9 @@ env: RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository }}" RENOVATE_USERNAME: "${{ secrets.BOT_USERNAME }}[bot]" RENOVATE_GIT_AUTHOR: "${{ secrets.BOT_USERNAME }} <${{ secrets.BOT_USER_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com>" + WORKFLOW_RENOVATE_DRY_RUN: false + WORKFLOW_RENOVATE_LOG_LEVEL: debug + WORKFLOW_RENOVATE_VERSION: latest jobs: renovate: @@ -62,12 +62,12 @@ jobs: - name: Override default config from dispatch variables shell: bash run: | - echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.WORKFLOW_DRY_RUN }}" >> "${GITHUB_ENV}" - echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.WORKFLOW_LOG_LEVEL }}" >> "${GITHUB_ENV}" + echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.WORKFLOW_RENOVATE_DRY_RUN }}" >> "${GITHUB_ENV}" + echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.WORKFLOW_RENOVATE_LOG_LEVEL }}" >> "${GITHUB_ENV}" - name: Renovate uses: renovatebot/github-action@v39.2.3 with: configurationFile: "${{ env.RENOVATE_ONBOARDING_CONFIG_FILE_NAME }}" token: "${{ steps.app-token.outputs.token }}" - renovate-version: "${{ github.event.inputs.version || env.WORKFLOW_VERSION }}" + renovate-version: "${{ github.event.inputs.version || env.WORKFLOW_RENOVATE_VERSION }}" From 029130363b1216bafd7fcb071fb9232b0b660cc0 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 08:35:47 -0500 Subject: [PATCH 112/149] =?UTF-8?q?feat(helm):=20update=20ingress-nginx=20?= =?UTF-8?q?(=204.8.3=20=E2=86=92=204.9.0=20)=20(#6621)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/network/nginx/external/helmrelease.yaml | 2 +- kubernetes/main/apps/network/nginx/internal/helmrelease.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/kubernetes/main/apps/network/nginx/external/helmrelease.yaml b/kubernetes/main/apps/network/nginx/external/helmrelease.yaml index 832dbe95b8052..8898dffbb404f 100644 --- a/kubernetes/main/apps/network/nginx/external/helmrelease.yaml +++ b/kubernetes/main/apps/network/nginx/external/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: ingress-nginx - version: 4.8.3 + version: 4.9.0 sourceRef: kind: HelmRepository name: ingress-nginx diff --git a/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml b/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml index de9bd4c695048..919a509ff9522 100644 --- a/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml +++ b/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: ingress-nginx - version: 4.8.3 + version: 4.9.0 sourceRef: kind: HelmRepository name: ingress-nginx From dee7b8292f532ede60fcd6b65826b62024475217 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 08:35:55 -0500 Subject: [PATCH 113/149] =?UTF-8?q?feat(helm):=20update=20ingress-nginx=20?= =?UTF-8?q?(=204.8.3=20=E2=86=92=204.9.0=20)=20(#6622)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml b/kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml index 91dda331baad9..a21c13f6e34da 100644 --- a/kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml +++ b/kubernetes/storage/apps/network/nginx/internal/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: ingress-nginx - version: 4.8.3 + version: 4.9.0 sourceRef: kind: HelmRepository name: ingress-nginx 
From 93f27d36c092d1754cb0ee83b467c24ce3cc2289 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 08:41:55 -0500 Subject: [PATCH 114/149] chore: update workflows Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 10 +++++----- .github/workflows/flux-hr-image-test.yaml | 10 +++++----- .github/workflows/flux-hr-sync.yaml | 8 ++++---- .github/workflows/flux-ks-sync.yaml | 6 +++--- .github/workflows/label-sync.yaml | 6 +++--- .github/workflows/labeler.yaml | 4 ++-- .github/workflows/lychee.yaml | 10 +++++----- .github/workflows/publish-docs.yaml | 12 ++++++------ .github/workflows/publish-schemas.yaml | 14 +++++++------- .github/workflows/publish-terraform.yaml | 6 +++--- .github/workflows/release.yaml | 4 ++-- .github/workflows/renovate.yaml | 4 ++-- 12 files changed, 47 insertions(+), 47 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 07a234400a816..c3d0c70a815fb 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -19,21 +19,21 @@ jobs: matrix: ${{ steps.changed-files.outputs.all_changed_and_modified_files }} steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v40.2.3 + uses: tj-actions/changed-files@v40 with: files: kubernetes/** dir_names: true 
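Review bot: Replacing exact tags with major tags (`actions/create-github-app-token@v1.6.2` → `@v1`, `tj-actions/changed-files@v40.2.3` → `@v40`) makes every run execute whatever the tag points at that day, and the token step is handed `BOT_APP_PRIVATE_KEY`. Tags are mutable, so neither form is a fixed reference. A full commit SHA with the version as a trailing comment is, and Renovate can still update it: `uses: actions/create-github-app-token@<full-commit-sha> # v1.6.2`. The third-party actions matter most, in particular `timheuer/base64-to-file` (receives `KUBECONFIG`) and `cloudflare/wrangler-action` (receives `CLOUDFLARE_API_TOKEN`) in the later hunks of this commit. The same loosening is repeated in every workflow file the commit touches.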
@@ -59,14 +59,14 @@ jobs: fail-fast: false steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 diff --git a/.github/workflows/flux-hr-image-test.yaml b/.github/workflows/flux-hr-image-test.yaml index 99486720121e1..4bc09c748f978 100644 --- a/.github/workflows/flux-hr-image-test.yaml +++ b/.github/workflows/flux-hr-image-test.yaml @@ -22,21 +22,21 @@ jobs: matrix: ${{ steps.changed-files.outputs.all_changed_and_modified_files }} steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v40.2.3 + uses: tj-actions/changed-files@v40 with: files: kubernetes/**/helmrelease.yaml json: true @@ -60,14 +60,14 @@ jobs: matrix: ${{ steps.extract-images.outputs.images }} steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 diff --git a/.github/workflows/flux-hr-sync.yaml b/.github/workflows/flux-hr-sync.yaml index aaaf095b08ac7..4ec835f03cc8c 100644 --- a/.github/workflows/flux-hr-sync.yaml +++ b/.github/workflows/flux-hr-sync.yaml 
@@ -26,14 +26,14 @@ jobs: runs-on: ["arc-runner-set-home-ops"] steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 @@ -54,7 +54,7 @@ jobs: - name: Write kubeconfig id: kubeconfig - uses: timheuer/base64-to-file@v1.2.4 + uses: timheuer/base64-to-file@v1 with: encodedString: "${{ secrets.KUBECONFIG }}" fileName: kubeconfig @@ -62,7 +62,7 @@ jobs: - if: ${{ github.event.inputs.clusterName == '' && github.event.inputs.helmRepoNamespace == '' && github.event.inputs.helmRepoName == '' }} name: Get changed files id: changed-files - uses: tj-actions/changed-files@v40.2.3 + uses: tj-actions/changed-files@v40 with: files: kubernetes/**/helmrelease.yaml diff --git a/.github/workflows/flux-ks-sync.yaml b/.github/workflows/flux-ks-sync.yaml index 3eef99b5d66f1..d2c9308887776 100644 --- a/.github/workflows/flux-ks-sync.yaml +++ b/.github/workflows/flux-ks-sync.yaml @@ -16,14 +16,14 @@ jobs: cluster: ["storage"] steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" fetch-depth: 0 @@ -43,7 +43,7 @@ jobs: - name: Write kubeconfig id: kubeconfig - uses: timheuer/base64-to-file@v1.2.4 + uses: timheuer/base64-to-file@v1 with: encodedString: "${{ secrets.KUBECONFIG }}" fileName: kubeconfig diff --git a/.github/workflows/label-sync.yaml b/.github/workflows/label-sync.yaml index 67f7f5bb2f5c7..73724ef17c83f 100644 --- a/.github/workflows/label-sync.yaml 
+++ b/.github/workflows/label-sync.yaml @@ -14,19 +14,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" - name: Sync Labels - uses: EndBug/label-sync@v2.3.2 + uses: EndBug/label-sync@v2 with: config-file: .github/labels.yaml token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index df99c505c5bdb..e45e4ffd1ec09 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml @@ -17,14 +17,14 @@ jobs: pull-requests: write steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Labeler - uses: actions/labeler@v5.0.0 + uses: actions/labeler@v5 with: configuration-path: .github/labeler.yaml repo-token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/lychee.yaml b/.github/workflows/lychee.yaml index eecf53e54aee0..ab62dfd3dec07 100644 --- a/.github/workflows/lychee.yaml +++ b/.github/workflows/lychee.yaml 
@@ -16,19 +16,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" - name: Scan for broken links - uses: lycheeverse/lychee-action@v1.8.0 + uses: lycheeverse/lychee-action@v1 id: lychee env: GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" @@ -38,14 +38,14 @@ jobs: - name: Find Link Checker Issue id: issue-number - uses: micalevisk/last-issue-action@v2.2.1 + uses: micalevisk/last-issue-action@v2 with: token: "${{ steps.app-token.outputs.token }}" state: open labels: "${{ env.WORKFLOW_ISSUE_LABEL }}" - name: Update Issue - uses: peter-evans/create-issue-from-file@v4.0.1 + uses: peter-evans/create-issue-from-file@v4 with: token: "${{ steps.app-token.outputs.token }}" title: Link Checker Dashboard 🔗 diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 7d2533b0313b1..23c6638c5b534 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -25,20 +25,20 @@ jobs: group: ${{ github.workflow }}-${{ github.ref }} steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" - name: Setup Pages id: pages - uses: actions/configure-pages@v4.0.0 + uses: actions/configure-pages@v4 with: token: "${{ steps.app-token.outputs.token }}" enablement: true 
@@ -49,7 +49,7 @@ jobs: args: mdbook build docs - name: Upload artifact - uses: actions/upload-pages-artifact@v3.0.0 + uses: actions/upload-pages-artifact@v3 with: path: ./docs/book @@ -62,7 +62,7 @@ jobs: needs: build steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" @@ -70,6 +70,6 @@ jobs: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4.0.0 + uses: actions/deploy-pages@v4 with: token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml index 2b58dbbceb8f6..9c15f179b774a 100644 --- a/.github/workflows/publish-schemas.yaml +++ b/.github/workflows/publish-schemas.yaml @@ -19,14 +19,14 @@ jobs: packages: write steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" @@ -35,21 +35,21 @@ jobs: run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - name: Setup Python - uses: actions/setup-python@v5.0.0 + uses: actions/setup-python@v5 with: python-version: 3.x - name: Setup Node - uses: actions/setup-node@v4.0.1 + uses: actions/setup-node@v4 with: node-version: 18.x - name: Setup kubectl - uses: azure/setup-kubectl@v3.2 + uses: azure/setup-kubectl@v3 - name: Write kubeconfig id: kubeconfig - uses: timheuer/base64-to-file@v1.2.4 + uses: timheuer/base64-to-file@v1 with: encodedString: "${{ secrets.KUBECONFIG }}" fileName: kubeconfig 
@@ -66,7 +66,7 @@ jobs: - name: Deploy to Cloudflare Pages - uses: cloudflare/wrangler-action@v3.4.0 + uses: cloudflare/wrangler-action@v3 with: apiToken: "${{ secrets.CLOUDFLARE_API_TOKEN }}" accountId: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}" diff --git a/.github/workflows/publish-terraform.yaml b/.github/workflows/publish-terraform.yaml index b381d3d178cef..58b8a3fd6929f 100644 --- a/.github/workflows/publish-terraform.yaml +++ b/.github/workflows/publish-terraform.yaml @@ -17,14 +17,14 @@ jobs: packages: write steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" @@ -42,7 +42,7 @@ jobs: flux2 = "latest" - name: Login to GitHub Container Registry - uses: docker/login-action@v3.0.0 + uses: docker/login-action@v3 with: registry: ghcr.io username: "${{ github.actor }}" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6bb2079dd74ac..4e0d34a9c9573 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -13,14 +13,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index a0e68d303e6ce..b9803bc799766 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml 
@@ -48,14 +48,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Generate Token - uses: actions/create-github-app-token@v1.6.2 + uses: actions/create-github-app-token@v1 id: app-token with: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - name: Checkout - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" From 97d868eb05410938abe2773846afd500aee6bbb9 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 08:54:34 -0500 Subject: [PATCH 115/149] chore: update workflows Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index c3d0c70a815fb..ed7c8a9e9c601 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -65,12 +65,6 @@ jobs: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - - name: Checkout - uses: actions/checkout@v4 - with: - token: "${{ steps.app-token.outputs.token }}" - fetch-depth: 0 - - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git From c0a19178c2d0f03ee82f8733adc3dbe2f4139c6a Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 09:09:51 -0500 Subject: [PATCH 116/149] =?UTF-8?q?feat(helm):=20update=20cloudnative-pg?= =?UTF-8?q?=20(=200.19.1=20=E2=86=92=200.20.0=20)=20(#6623)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .../main/apps/database/cloudnative-pg/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/kubernetes/main/apps/database/cloudnative-pg/app/helmrelease.yaml b/kubernetes/main/apps/database/cloudnative-pg/app/helmrelease.yaml index 3acd6930de25f..5239ebb47b49c 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/app/helmrelease.yaml +++ b/kubernetes/main/apps/database/cloudnative-pg/app/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: cloudnative-pg - version: 0.19.1 + version: 0.20.0 sourceRef: kind: HelmRepository name: cloudnative-pg From 1c2393bee4d30156cdba3240f427ffff74fb538e Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 16:06:08 +0000 Subject: [PATCH 117/149] =?UTF-8?q?feat(github-action):=20update=20allenpo?= =?UTF-8?q?rter/flux-local=20(=204.0.0=20=E2=86=92=204.1.0=20)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/flux-diff.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index ed7c8a9e9c601..c9375fc89f00c 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -79,7 +79,7 @@ jobs: flux2 = "latest" - name: Diff Resources - uses: allenporter/flux-local/action/diff@4.0.0 + uses: allenporter/flux-local/action/diff@4.1.0 id: diff with: sources: home-kubernetes From 42dd65a08dbaceed4db18e6fbe12269af502b5f9 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 11:25:22 -0500 Subject: [PATCH 118/149] chore: update workflows Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index c9375fc89f00c..32b4aacf239a4 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -65,6 +65,12 @@ jobs: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + - name: Checkout + uses: actions/checkout@v4 + with: + token: "${{ steps.app-token.outputs.token }}" + fetch-depth: 0 + - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git From 8b9ac1ebc1a5685cdd8a875cd408c5bb97beac91 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 11:56:33 -0500 Subject: [PATCH 119/149] =?UTF-8?q?fix(container):=20update=20thanos=20(?= =?UTF-8?q?=2012.20.0=20=E2=86=92=2012.20.1=20)=20(#6624)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> Co-authored-by: Devin Buhl --- kubernetes/main/apps/observability/thanos/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml index 258ad79739b11..30115ecf41560 100644 --- a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: thanos - version: 12.20.0 + version: 12.20.1 sourceRef: kind: HelmRepository name: bitnami From 98f70fa03ada21133d1b227cca712eed0843ae12 Mon Sep 17 00:00:00 2001 
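Review bot: The re-added `Checkout` step passes the GitHub App token to `actions/checkout`, which by default leaves that token in the checkout's local git configuration for every later step in the job. Later steps run third-party actions against the checked-out tree, and nothing visible here needs to push. Consider adding `persist-credentials: false` under `with:`; the two checkouts added later in this series (`path: live` and `path: pr`) would take the same line. The job's trigger and remaining steps are outside the hunk, so confirm no later step relies on the stored credential.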
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 12:14:43 -0500 Subject: [PATCH 120/149] =?UTF-8?q?fix(container):=20update=20gha-runner-s?= =?UTF-8?q?cale-set-controller=20(=200.8.0=20=E2=86=92=200.8.1=20)=20(#662?= =?UTF-8?q?6)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .../actions-runner-controller/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml index 2057ecbf518c4..022ff5971a000 100644 --- a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml +++ b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: gha-runner-scale-set-controller - version: 0.8.0 + version: 0.8.1 sourceRef: kind: HelmRepository name: actions-runner-controller From bfb41ec1562dd2f6b438cc7290affcd5cdec416c Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 12:14:54 -0500 Subject: [PATCH 121/149] =?UTF-8?q?fix(container):=20update=20gha-runner-s?= =?UTF-8?q?cale-set=20(=200.8.0=20=E2=86=92=200.8.1=20)=20(#6625)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .../actions-runner-controller/runners/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml index 698043397cc8a..c9c85ab0eab7a 100644 --- a/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml +++ b/kubernetes/main/apps/actions-runner-system/actions-runner-controller/runners/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: gha-runner-scale-set - version: 0.8.0 + version: 0.8.1 sourceRef: kind: HelmRepository name: actions-runner-controller From 65deda06e4747a979d6db6d5427e8a37744e0898 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 12:50:21 -0500 Subject: [PATCH 122/149] feat: monitor storage cluster with thanos Signed-off-by: Devin Buhl --- .../app/helmrelease.yaml | 15 +++++++++++ .../app/scrapeconfigs/kustomization.yaml | 4 +-- .../observability/thanos/app/helmrelease.yaml | 7 ++--- .../app/externalsecret.yaml | 26 +++++++++++++++++++ .../app/helmrelease.yaml | 25 ++++++++++++++++-- .../app/kustomization.yaml | 1 + 6 files changed, 71 insertions(+), 7 deletions(-) create mode 100644 kubernetes/storage/apps/observability/kube-prometheus-stack/app/externalsecret.yaml diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml index d7a57bd5b5da7..b43698fcc6df3 100644 --- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml @@ -189,3 +189,18 @@ spec: multicluster: etcd: enabled: true + postRenderers: + - kustomize: + patches: + - target: + version: v1 + kind: ConfigMap + labelSelector: grafana_dashboard in (1) + patch: |- + apiVersion: v1 + kind: ConfigMap + metadata: + name: not-used + namespace: not-used + annotations: + grafana_folder: Kubernetes 
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/scrapeconfigs/kustomization.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/scrapeconfigs/kustomization.yaml index 609bbcf1adde7..0358210923a9b 100644 --- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/scrapeconfigs/kustomization.yaml +++ b/kubernetes/main/apps/observability/kube-prometheus-stack/app/scrapeconfigs/kustomization.yaml @@ -3,8 +3,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./expanse.yaml - - ./federation.yaml + # - ./expanse.yaml + # - ./federation.yaml - ./kube-vip.yaml - ./node-exporter.yaml - ./pikvm.yaml diff --git a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml index 30115ecf41560..cdb193a0e0b86 100644 --- a/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/thanos/app/helmrelease.yaml @@ -88,6 +88,7 @@ spec: dnsDiscovery: sidecarsService: kube-prometheus-stack-thanos-discovery sidecarsNamespace: observability + stores: ["thanos.turbo.ac:10901"] bucketweb: enabled: true replicaCount: 2 @@ -96,9 +97,9 @@ spec: extraFlags: - --compact.concurrency=4 - --delete-delay=30m - retentionResolutionRaw: 30d - retentionResolution5m: 60d - retentionResolution1h: 90d + retentionResolutionRaw: 14d + retentionResolution5m: 30d + retentionResolution1h: 60d persistence: enabled: true storageClass: local-hostpath diff --git a/kubernetes/storage/apps/observability/kube-prometheus-stack/app/externalsecret.yaml b/kubernetes/storage/apps/observability/kube-prometheus-stack/app/externalsecret.yaml new file mode 100644 index 0000000000000..3296a3e93a012 --- /dev/null +++ b/kubernetes/storage/apps/observability/kube-prometheus-stack/app/externalsecret.yaml 
@@ -0,0 +1,26 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: kube-prometheus-stack +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: kube-prometheus-stack-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + objstore.yml: |- + type: s3 + config: + bucket: thanos-v2 + endpoint: rook-ceph-rgw.devbu.io + access_key: {{ .AWS_ACCESS_KEY_ID }} + secret_key: {{ .AWS_SECRET_ACCESS_KEY }} + dataFrom: + - extract: + key: thanos diff --git a/kubernetes/storage/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/storage/apps/observability/kube-prometheus-stack/app/helmrelease.yaml index fbdfa98e878bf..78b1780a6ff75 100644 --- a/kubernetes/storage/apps/observability/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/storage/apps/observability/kube-prometheus-stack/app/helmrelease.yaml @@ -35,8 +35,6 @@ spec: enabled: true alertmanager: enabled: false - defaultRules: - create: false kubelet: enabled: true serviceMonitor: @@ -105,7 +103,12 @@ spec: - hosts: - *host prometheusSpec: + additionalAlertManagerConfigs: + - static_configs: + - targets: + - alertmanager.devbu.io replicas: 1 + replicaExternalLabelName: __replica__ ruleSelectorNilUsesHelmValues: false serviceMonitorSelectorNilUsesHelmValues: false podMonitorSelectorNilUsesHelmValues: false 
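Review bot: In the `objstore.yml` template, `access_key: {{ .AWS_ACCESS_KEY_ID }}` and `secret_key: {{ .AWS_SECRET_ACCESS_KEY }}` are rendered unquoted, so a value that begins with a YAML indicator or looks like a number would change type or break parsing of the rendered file. Quoting the rendered value avoids that: `access_key: "{{ .AWS_ACCESS_KEY_ID }}"` and `secret_key: "{{ .AWS_SECRET_ACCESS_KEY }}"`. A short comment above `dataFrom` naming which fields of the `thanos` item the template expects would also help whoever rotates the key.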
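Review bot: The `additionalAlertManagerConfigs` entry lists `alertmanager.devbu.io` with no `scheme`, and Prometheus defaults Alertmanager targets to plain HTTP, so alerts from the storage cluster would leave it unencrypted unless something in front upgrades the connection. If that hostname is served over TLS, say so explicitly with `scheme: https` alongside `static_configs`, and add a port to the target if it is not the default. The `prometheusSpec` block continues outside the hunk.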
@@ -128,6 +131,24 @@ spec: resources: requests: storage: 20Gi + thanos: + image: quay.io/thanos/thanos:v0.33.0 + objectStorageConfig: + existingSecret: + name: kube-prometheus-stack-secret + key: objstore.yml + # renovate: datasource=docker depName=quay.io/thanos/thanos + version: "0.33.0" + thanosService: + enabled: true + thanosServiceExternal: + enabled: true + type: LoadBalancer + annotations: + external-dns.alpha.kubernetes.io/hostname: thanos.turbo.ac + externalTrafficPolicy: Cluster + thanosServiceMonitor: + enabled: true nodeExporter: enabled: true prometheus-node-exporter: diff --git a/kubernetes/storage/apps/observability/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/storage/apps/observability/kube-prometheus-stack/app/kustomization.yaml index 17cbc72b25c80..4eed917b96fa1 100644 --- a/kubernetes/storage/apps/observability/kube-prometheus-stack/app/kustomization.yaml +++ b/kubernetes/storage/apps/observability/kube-prometheus-stack/app/kustomization.yaml @@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ./externalsecret.yaml - ./helmrelease.yaml From d9c82994d2cf1f257d1218fbe4c0cee723a9af83 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 19:05:41 +0000 Subject: [PATCH 123/149] =?UTF-8?q?fix(github-action):=20update=20allenpor?= =?UTF-8?q?ter/flux-local=20(=204.1.0=20=E2=86=92=204.1.1=20)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/flux-diff.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 32b4aacf239a4..36538f8564e97 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
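Review bot: `thanosServiceExternal` publishes the Prometheus sidecar's gRPC endpoint through a `LoadBalancer` service named `thanos.turbo.ac`, and the main cluster's querier is pointed at `thanos.turbo.ac:10901` in the thanos helmrelease hunk of this commit; neither side shows TLS or client authentication. The Thanos Store API has no authentication of its own, so any client that can reach the address can read every series the storage cluster holds. If the load balancer is reachable beyond a trusted network, restrict it (for example `loadBalancerSourceRanges` on the service) and enable mutual TLS in the sidecar and querier gRPC settings. Separately, `image:` hard-codes `v0.33.0` while only `version:` carries the renovate comment, so the two can drift.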
@@ -85,7 +85,7 @@ jobs: flux2 = "latest" - name: Diff Resources - uses: allenporter/flux-local/action/diff@4.1.0 + uses: allenporter/flux-local/action/diff@4.1.1 id: diff with: sources: home-kubernetes From 1184d123d63a8d63222f7ae82d94ce17bd511428 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 17:26:27 -0500 Subject: [PATCH 124/149] chore: update grafana dashboard regex --- .github/renovate/grafanaDashboards.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/renovate/grafanaDashboards.json5 b/.github/renovate/grafanaDashboards.json5 index 531da268a2666..ac104a0ded1e7 100644 --- a/.github/renovate/grafanaDashboards.json5 +++ b/.github/renovate/grafanaDashboards.json5 @@ -17,7 +17,7 @@ "(^|/)kubernetes/.+\\.ya?ml(\\.j2)?$" ], "matchStrings": [ - "depName=\"(?\\S+)\"\\n.*?gnetId: (?\\d+)\\n.*?revision: (?\\d+)" + "depName=\"(?.*)\"\\n.*?gnetId: (?\\d+)\\n.*?revision: (?\\d+)" ], "datasourceTemplate": "custom.grafana-dashboards", "versioningTemplate": "regex:^(?\\d+)$" From 339ce79355a2cc4c5d182c8ac9a38a6dc86c9f73 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:56:55 -0500 Subject: [PATCH 125/149] =?UTF-8?q?(grafana-dashboards):=20update=20dashbo?= =?UTF-8?q?ard=20kubernetes=20/=20views=20/=20nodes=20(=2019=20=E2=86=92?= =?UTF-8?q?=2023=20)=20(#6631)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/observability/grafana/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml index 11ed2b738ee78..a8b5454cdf27f 100644 --- a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml 
+++ b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml @@ -275,7 +275,7 @@ spec: kubernetes-nodes: # renovate: depName="Kubernetes / Views / Nodes" gnetId: 15759 - revision: 19 + revision: 23 datasource: Prometheus kubernetes-pods: # renovate: depName="Kubernetes / Views / Pods" From b9c1dbfe509f9d7d2600fe3d504f6ed8f08f42b5 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:57:16 -0500 Subject: [PATCH 126/149] =?UTF-8?q?(grafana-dashboards):=20update=20dashbo?= =?UTF-8?q?ard=20kubernetes=20/=20views=20/=20namespaces=20(=2027=20?= =?UTF-8?q?=E2=86=92=2030=20)=20(#6630)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/observability/grafana/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml index a8b5454cdf27f..f1275c19bfe89 100644 --- a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml @@ -270,7 +270,7 @@ spec: kubernetes-namespaces: # renovate: depName="Kubernetes / Views / Namespaces" gnetId: 15758 - revision: 27 + revision: 30 datasource: Prometheus kubernetes-nodes: # renovate: depName="Kubernetes / Views / Nodes" From c637cd34d7f6a2c1857ac37b309b93b8c780ea16 Mon Sep 17 00:00:00 2001 
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:57:28 -0500 Subject: [PATCH 127/149] =?UTF-8?q?(grafana-dashboards):=20update=20dashbo?= =?UTF-8?q?ard=20kubernetes=20/=20views=20/=20global=20(=2031=20=E2=86=92?= =?UTF-8?q?=2033=20)=20(#6629)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/observability/grafana/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml index f1275c19bfe89..93198a2c56e3e 100644 --- a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml @@ -265,7 +265,7 @@ spec: kubernetes-global: # renovate: depName="Kubernetes / Views / Global" gnetId: 15757 - revision: 31 + revision: 33 datasource: Prometheus kubernetes-namespaces: # renovate: depName="Kubernetes / Views / Namespaces" From f66e3692a400c4b0c0361985ee9bdb272eb23bdb Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:58:27 -0500 Subject: [PATCH 128/149] =?UTF-8?q?(grafana-dashboards):=20update=20dashbo?= =?UTF-8?q?ard=20kubernetes=20/=20system=20/=20coredns=20(=2013=20?= =?UTF-8?q?=E2=86=92=2014=20)=20(#6628)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/observability/grafana/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml index 93198a2c56e3e..04148c7cf3ab5 100644 
--- a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml @@ -260,7 +260,7 @@ spec: kubernetes-coredns: # renovate: depName="Kubernetes / System / CoreDNS" gnetId: 15762 - revision: 13 + revision: 14 datasource: Prometheus kubernetes-global: # renovate: depName="Kubernetes / Views / Global" From 1a7fc02ac672ef235aa5b8cc24d24a0cba21949a Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:58:37 -0500 Subject: [PATCH 129/149] =?UTF-8?q?feat(container):=20update=20ghcr.io/cod?= =?UTF-8?q?er/code-server=20(=204.19.1=20=E2=86=92=204.20.0=20)=20(#6627)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- .../main/apps/default/home-assistant/code/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/default/home-assistant/code/helmrelease.yaml b/kubernetes/main/apps/default/home-assistant/code/helmrelease.yaml index 0a9d4fb3cf435..2d0651e4873d3 100644 --- a/kubernetes/main/apps/default/home-assistant/code/helmrelease.yaml +++ b/kubernetes/main/apps/default/home-assistant/code/helmrelease.yaml @@ -35,7 +35,7 @@ spec: main: image: repository: ghcr.io/coder/code-server - tag: 4.19.1 + tag: 4.20.0 env: TZ: America/New_York args: From a9d8c62cfc614c9aebd37cd19ee392d833176e2b Mon Sep 17 00:00:00 2001 
From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 19:29:25 -0500 Subject: [PATCH 130/149] =?UTF-8?q?feat(github-release):=20update=20k3s-io?= =?UTF-8?q?/k3s=20(=20v1.28.4+k3s2=20=E2=86=92=20v1.29.0+k3s1=20)=20(#6633?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- ansible/storage/inventory/group_vars/all/main.yaml | 2 +- .../apps/tools/system-upgrade-controller/plans/agent.yaml | 2 +- .../apps/tools/system-upgrade-controller/plans/server.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/storage/inventory/group_vars/all/main.yaml b/ansible/storage/inventory/group_vars/all/main.yaml index 7a3115a8dcbc9..e43afa27e81e1 100644 --- a/ansible/storage/inventory/group_vars/all/main.yaml +++ b/ansible/storage/inventory/group_vars/all/main.yaml @@ -1,6 +1,6 @@ --- # renovate: datasource=github-releases depName=k3s-io/k3s -k3s_release_version: "v1.28.4+k3s2" +k3s_release_version: "v1.29.0+k3s1" k3s_install_hard_links: true k3s_become: true k3s_registration_address: 192.168.42.80 diff --git a/kubernetes/storage/apps/tools/system-upgrade-controller/plans/agent.yaml b/kubernetes/storage/apps/tools/system-upgrade-controller/plans/agent.yaml index 48bd808641b8e..bcb19cc0901ae 100644 --- a/kubernetes/storage/apps/tools/system-upgrade-controller/plans/agent.yaml +++ b/kubernetes/storage/apps/tools/system-upgrade-controller/plans/agent.yaml @@ -6,7 +6,7 @@ metadata: name: agent spec: # renovate: datasource=github-releases depName=k3s-io/k3s - version: "v1.28.4+k3s2" + version: "v1.29.0+k3s1" serviceAccountName: system-upgrade concurrency: 1 nodeSelector: diff --git a/kubernetes/storage/apps/tools/system-upgrade-controller/plans/server.yaml b/kubernetes/storage/apps/tools/system-upgrade-controller/plans/server.yaml index d3d493a9a18f8..19cdbdc6d516a 100644 
--- a/kubernetes/storage/apps/tools/system-upgrade-controller/plans/server.yaml +++ b/kubernetes/storage/apps/tools/system-upgrade-controller/plans/server.yaml @@ -6,7 +6,7 @@ metadata: name: server spec: # renovate: datasource=github-releases depName=k3s-io/k3s - version: "v1.28.4+k3s2" + version: "v1.29.0+k3s1" serviceAccountName: system-upgrade concurrency: 1 cordon: true From 5f46e761611e809c7aa2258f91e255770b11f9a0 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 20:02:37 -0500 Subject: [PATCH 131/149] =?UTF-8?q?feat(github-release):=20update=20k3s-io?= =?UTF-8?q?/k3s=20(=20v1.28.4+k3s2=20=E2=86=92=20v1.29.0+k3s1=20)=20(#6632?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- ansible/main/inventory/group_vars/all/main.yaml | 2 +- .../main/apps/tools/system-upgrade-controller/plans/agent.yaml | 2 +- .../main/apps/tools/system-upgrade-controller/plans/server.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/main/inventory/group_vars/all/main.yaml b/ansible/main/inventory/group_vars/all/main.yaml index ba46f35310280..09bb1c1532c00 100644 --- a/ansible/main/inventory/group_vars/all/main.yaml +++ b/ansible/main/inventory/group_vars/all/main.yaml @@ -1,6 +1,6 @@ --- # renovate: datasource=github-releases depName=k3s-io/k3s -k3s_release_version: "v1.28.4+k3s2" +k3s_release_version: "v1.29.0+k3s1" k3s_install_hard_links: true k3s_become: true k3s_etcd_datastore: true diff --git a/kubernetes/main/apps/tools/system-upgrade-controller/plans/agent.yaml b/kubernetes/main/apps/tools/system-upgrade-controller/plans/agent.yaml index 48bd808641b8e..bcb19cc0901ae 100644 --- a/kubernetes/main/apps/tools/system-upgrade-controller/plans/agent.yaml +++ b/kubernetes/main/apps/tools/system-upgrade-controller/plans/agent.yaml 
@@ -6,7 +6,7 @@ metadata: name: agent spec: # renovate: datasource=github-releases depName=k3s-io/k3s - version: "v1.28.4+k3s2" + version: "v1.29.0+k3s1" serviceAccountName: system-upgrade concurrency: 1 nodeSelector: diff --git a/kubernetes/main/apps/tools/system-upgrade-controller/plans/server.yaml b/kubernetes/main/apps/tools/system-upgrade-controller/plans/server.yaml index d3d493a9a18f8..19cdbdc6d516a 100644 --- a/kubernetes/main/apps/tools/system-upgrade-controller/plans/server.yaml +++ b/kubernetes/main/apps/tools/system-upgrade-controller/plans/server.yaml @@ -6,7 +6,7 @@ metadata: name: server spec: # renovate: datasource=github-releases depName=k3s-io/k3s - version: "v1.28.4+k3s2" + version: "v1.29.0+k3s1" serviceAccountName: system-upgrade concurrency: 1 cordon: true From a8eda7c39a8c64608abe44497a42e47fbbe7d314 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Thu, 21 Dec 2023 22:36:44 -0500 Subject: [PATCH 132/149] fix: hardcode issue number for dead links dashboard --- .github/workflows/lychee.yaml | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/.github/workflows/lychee.yaml b/.github/workflows/lychee.yaml index ab62dfd3dec07..664d0a8b86fce 100644 --- a/.github/workflows/lychee.yaml +++ b/.github/workflows/lychee.yaml @@ -8,7 +8,7 @@ on: - cron: "0 0 * * *" env: - WORKFLOW_ISSUE_LABEL: lint/lychee + WORKFLOW_ISSUE_NUMBER: 6587 jobs: lychee: 
@@ -30,25 +30,15 @@ jobs: - name: Scan for broken links uses: lycheeverse/lychee-action@v1 id: lychee - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" with: + token: "${{ steps.app-token.outputs.token }}" args: --verbose --no-progress --exclude-mail './**/*.md' output: /tmp/results.md - - name: Find Link Checker Issue - id: issue-number - uses: micalevisk/last-issue-action@v2 - with: - token: "${{ steps.app-token.outputs.token }}" - state: open - labels: "${{ env.WORKFLOW_ISSUE_LABEL }}" - - name: Update Issue uses: peter-evans/create-issue-from-file@v4 with: token: "${{ steps.app-token.outputs.token }}" title: Link Checker Dashboard 🔗 - issue-number: "${{ steps.issue-number.outputs.issue-number }}" + issue-number: "${{ env.WORKFLOW_ISSUE_NUMBER }}" content-filepath: /tmp/results.md - labels: "${{ env.WORKFLOW_ISSUE_LABEL }}" From 0a6a3e603a53afc091b42d52a1b0a88b2f660148 Mon Sep 17 00:00:00 2001 From: "bot-ross[bot]" <98030736+bot-ross[bot]@users.noreply.github.com> Date: Fri, 22 Dec 2023 06:03:51 -0500 Subject: [PATCH 133/149] =?UTF-8?q?fix(container):=20update=20ghcr.io/zwav?= =?UTF-8?q?e-js/zwave-js-ui=20(=209.6.0=20=E2=86=92=209.6.2=20)=20(#6634)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: bot-ross[bot] <98030736+bot-ross[bot]@users.noreply.github.com> --- kubernetes/main/apps/default/zwave-js-ui/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/main/apps/default/zwave-js-ui/app/helmrelease.yaml b/kubernetes/main/apps/default/zwave-js-ui/app/helmrelease.yaml index 44cd7c180505a..9f975a9edd662 100644 --- a/kubernetes/main/apps/default/zwave-js-ui/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/zwave-js-ui/app/helmrelease.yaml 
@@ -37,7 +37,7 @@ spec: main: image: repository: ghcr.io/zwave-js/zwave-js-ui - tag: 9.6.0@sha256:716bd40a1ce44f66b2e362202d5eaa0da5cdaa141d7473053ace1cf0d97606e7 + tag: 9.6.2@sha256:cf5eac533babba885390f1fd674d41299dc4e425b3ffde1a813a07af29234469 env: TZ: America/New_York probes: From 8b4f25b89e97bc4fdfc36feb09ff6bcee821080a Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 06:11:08 -0500 Subject: [PATCH 134/149] add nfd dashboard --- .../main/apps/observability/grafana/app/helmrelease.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml index 04148c7cf3ab5..c75b7e9560f48 100644 --- a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml @@ -222,6 +222,9 @@ spec: external-secrets: url: https://raw.githubusercontent.com/external-secrets/external-secrets/main/docs/snippets/dashboard.json datasource: Prometheus + node-feature-discovery: + url: https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/examples/grafana-dashboard.json + datasource: Prometheus miniflux: url: https://raw.githubusercontent.com/miniflux/v2/main/contrib/grafana/dashboard.json datasource: Prometheus From 9b534c48354228c3fb85d09bc4a007dfd2930403 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 07:48:41 -0500 Subject: [PATCH 135/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 37 +++++++++++++++++++------------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 36538f8564e97..d0bb585b5699b 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
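Review bot: The new `node-feature-discovery` dashboard is fetched from the `master` branch upstream, so the JSON that Grafana provisions can change without any change in this repository. Referencing a release tag or commit keeps it reproducible and reviewable: `url: https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/<tag-or-commit>/examples/grafana-dashboard.json`. The neighbouring `url:` entries in this hunk use the same branch-based pattern, so this is a file-wide choice rather than something new here.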
@@ -65,32 +65,39 @@ jobs: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - - name: Checkout + - name: Checkout Live Branch uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" - fetch-depth: 0 + path: live + + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + token: "${{ steps.app-token.outputs.token }}" + path: pr - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Setup Workflow Tools - uses: jdx/rtx-action@v1 - with: - install: true - cache: true - rtx_toml: | - [tools] - flux2 = "latest" - - name: Diff Resources - uses: allenporter/flux-local/action/diff@4.1.1 + uses: docker://ghcr.io/allenporter/flux-local:main id: diff with: - sources: home-kubernetes - path: "${{ matrix.paths }}" - resource: "${{ matrix.resources }}" + args: > + diff \ + ${{ matrix.resources }} \ + --unified 6 \ + --path-orig live/${{ matrix.paths }} \ + --path pr/${{ matrix.paths }} \ + --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" \ + --skip-crds \ + --skip-secrets \ + --limit-bytes 10000 \ + --all-namespaces \ + --sources "home-kubernetes" \ + >> $GITHUB_OUTPUT - if: ${{ steps.diff.outputs.diff != '' }} name: Add comment From a46726f7c24bec29f5078af4c8ec91b19000f06e Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 08:02:26 -0500 Subject: [PATCH 136/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index d0bb585b5699b..d850f291b098e 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -86,7 +86,8 @@ jobs: id: diff with: args: > - diff \ + flux-local + diff \ ${{ matrix.resources }} \ --unified 6 \ --path-orig live/${{ matrix.paths }} \ 
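Review bot: `uses: docker://ghcr.io/allenporter/flux-local:main` runs whatever image the `main` tag points to at job time, in a job that has just checked out the repository with the App token. Pinning by digest keeps the executed image fixed until someone reviews a bump: `uses: docker://ghcr.io/allenporter/flux-local:<tag>@sha256:<digest>`. The same unpinned reference returns in the later `flux-diff.yaml` hunks of patches 141, 143 and 145. Also, the trailing `>> $GITHUB_OUTPUT` sits inside `args:`; as far as I know a container action passes `args` to the image entrypoint without a shell, so the redirection would arrive as literal arguments instead of writing the step output.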
From a38d305b53b860a5c5c40f356d602e71d2bb91b5 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 08:03:35 -0500 Subject: [PATCH 137/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index d850f291b098e..c982f331427e1 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -86,7 +86,7 @@ jobs: id: diff with: args: > - flux-local + flux-local \ diff \ ${{ matrix.resources }} \ --unified 6 \ From 22039de5d6b6287d19aacc1995933cb54b468354 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 08:05:32 -0500 Subject: [PATCH 138/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index c982f331427e1..50415d58e7d7c 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -86,18 +86,18 @@ jobs: id: diff with: args: > - flux-local \ - diff \ - ${{ matrix.resources }} \ - --unified 6 \ - --path-orig live/${{ matrix.paths }} \ - --path pr/${{ matrix.paths }} \ - --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" \ - --skip-crds \ - --skip-secrets \ - --limit-bytes 10000 \ - --all-namespaces \ - --sources "home-kubernetes" \ + flux-local + diff + ${{ matrix.resources }} + --unified 6 + --path-orig live/${{ matrix.paths }} + --path pr/${{ matrix.paths }} + --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" + --skip-crds + --skip-secrets + --limit-bytes 10000 + --all-namespaces + --sources "home-kubernetes" >> $GITHUB_OUTPUT - if: ${{ steps.diff.outputs.diff != '' }} From 610801e9e986c2abbf4ba717aeeac31e6e6c51e8 Mon Sep 17 00:00:00 2001 
From: Devin Buhl Date: Fri, 22 Dec 2023 08:07:16 -0500 Subject: [PATCH 139/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 50415d58e7d7c..371b966ad5144 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -85,19 +85,19 @@ jobs: uses: docker://ghcr.io/allenporter/flux-local:main id: diff with: - args: > - flux-local - diff - ${{ matrix.resources }} - --unified 6 - --path-orig live/${{ matrix.paths }} - --path pr/${{ matrix.paths }} - --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" - --skip-crds - --skip-secrets - --limit-bytes 10000 - --all-namespaces - --sources "home-kubernetes" + args: | + flux-local \ + diff \ + ${{ matrix.resources }} \ + --unified 6 \ + --path-orig live/${{ matrix.paths }} \ + --path pr/${{ matrix.paths }} \ + --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" \ + --skip-crds \ + --skip-secrets \ + --limit-bytes 10000 \ + --all-namespaces \ + --sources "home-kubernetes" \ >> $GITHUB_OUTPUT - if: ${{ steps.diff.outputs.diff != '' }} From ba1b1bc63ea18d71c505f530614d126900ec6a8e Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 08:08:46 -0500 Subject: [PATCH 140/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 371b966ad5144..c4be8d0586ee4 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -85,20 +85,7 @@ jobs: uses: docker://ghcr.io/allenporter/flux-local:main id: diff with: - args: | - flux-local \ - diff \ - ${{ matrix.resources }} \ - --unified 6 \ - --path-orig live/${{ matrix.paths }} \ - --path pr/${{ matrix.paths }} \ - --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" \ - --skip-crds \ - --skip-secrets \ - --limit-bytes 10000 \ - --all-namespaces \ - --sources "home-kubernetes" \ - >> $GITHUB_OUTPUT + args: flux-local diff ${{ matrix.resources }} --unified 6 --path-orig live/${{ matrix.paths }} --path pr/${{ matrix.paths }} --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" --skip-crds --skip-secrets --limit-bytes 10000 --all-namespaces --sources "home-kubernetes" >> $GITHUB_OUTPUT - if: ${{ steps.diff.outputs.diff != '' }} name: Add comment From 07bdac7f8dbee96d3458eac23f0811675a2f9b31 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 08:13:26 -0500 Subject: [PATCH 141/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index c4be8d0586ee4..9bf089c457322 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -82,10 +82,10 @@ jobs: run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - name: Diff Resources - uses: docker://ghcr.io/allenporter/flux-local:main id: diff - with: - args: flux-local diff ${{ matrix.resources }} --unified 6 --path-orig live/${{ matrix.paths }} --path pr/${{ matrix.paths }} --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" --skip-crds --skip-secrets --limit-bytes 10000 --all-namespaces --sources "home-kubernetes" >> $GITHUB_OUTPUT + shell: bash + run: | + docker run --rm ghcr.io/allenporter/flux-local:main sh -c 'flux-local diff ${{ matrix.resources }} --unified 6 --path-orig live/${{ matrix.paths }} --path pr/${{ matrix.paths }} --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" --skip-crds --skip-secrets --limit-bytes 10000 --all-namespaces --sources "home-kubernetes"' >> $GITHUB_OUTPUT - if: ${{ steps.diff.outputs.diff != '' }} name: Add comment From 18b05ed088ded08bab2af351d3091bec41363e1c Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 08:16:27 -0500 Subject: [PATCH 142/149] revert: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 9bf089c457322..2917bb9895b74 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
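Review bot: `${{ matrix.resources }}` and `${{ matrix.paths }}` are expanded into the `run:` script text before bash parses it, and here they land inside a single-quoted `sh -c '…'` string, so a value containing a quote or shell metacharacter changes the command that runs. Where the matrix values come from is outside this hunk; if they are derived from changed file paths in a pull request, they are contributor-controlled. Move them into an `env:` block, for example `RESOURCES: "${{ matrix.resources }}"`, and reference them as quoted shell variables. The `docker run --rm` line also has no volume mount, so `live/` and `pr/` would not be visible inside the container.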
@@ -65,27 +65,26 @@ jobs: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - - name: Checkout Live Branch - uses: actions/checkout@v4 - with: - token: "${{ steps.app-token.outputs.token }}" - path: live - - - name: Checkout PR branch - uses: actions/checkout@v4 - with: - token: "${{ steps.app-token.outputs.token }}" - path: pr - - name: Setup System Tools shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git + - name: Setup Workflow Tools + uses: jdx/rtx-action@v1 + with: + install: true + cache: true + rtx_toml: | + [tools] + flux2 = "latest" + - name: Diff Resources + uses: allenporter/flux-local/action/diff@4.1.1 id: diff - shell: bash - run: | - docker run --rm ghcr.io/allenporter/flux-local:main sh -c 'flux-local diff ${{ matrix.resources }} --unified 6 --path-orig live/${{ matrix.paths }} --path pr/${{ matrix.paths }} --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" --skip-crds --skip-secrets --limit-bytes 10000 --all-namespaces --sources "home-kubernetes"' >> $GITHUB_OUTPUT + with: + sources: home-kubernetes + path: "${{ matrix.paths }}" + resource: "${{ matrix.resources }}" - if: ${{ steps.diff.outputs.diff != '' }} name: Add comment From 4e03b974cce93ef78cc6fdb9bc3a3dae1ca55e1e Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 08:26:36 -0500 Subject: [PATCH 143/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 54 +++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 12 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 2917bb9895b74..7d8a9fced500b 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -69,22 +69,52 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Setup Workflow Tools - uses: jdx/rtx-action@v1 + # - name: Setup Workflow Tools + # uses: jdx/rtx-action@v1 + # with: + # install: true + # cache: true + # rtx_toml: | + # [tools] + # flux2 = "latest" + + # - name: Diff Resources + # uses: allenporter/flux-local/action/diff@4.1.1 + # id: diff + # with: + # sources: home-kubernetes + # path: "${{ matrix.paths }}" + # resource: "${{ matrix.resources }}" + + - name: Checkout Live Branch + uses: actions/checkout@v4 + with: + token: "${{ steps.app-token.outputs.token }}" + path: live + + - name: Checkout PR branch + uses: actions/checkout@v4 with: - install: true - cache: true - rtx_toml: | - [tools] - flux2 = "latest" + token: "${{ steps.app-token.outputs.token }}" + path: pr + + - name: Setup System Tools + shell: bash + run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - name: Diff Resources - uses: allenporter/flux-local/action/diff@4.1.1 - id: diff + uses: docker://ghcr.io/allenporter/flux-local:main with: - sources: home-kubernetes - path: "${{ matrix.paths }}" - resource: "${{ matrix.resources }}" + args: flux-local diff ${{ matrix.resources }} --unified 6 --path-orig live/${{ matrix.paths }} --path pr/${{ matrix.paths }} --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" --skip-crds --skip-secrets --limit-bytes 10000 --all-namespaces --sources "home-kubernetes" > diff.txt + + - name: Generate Diff + id: diff + run: | + cat diff.txt + delimiter="$(openssl rand -hex 8)" + echo "diff<<${delimiter}" >> $GITHUB_OUTPUT + cat diff.txt >> $GITHUB_OUTPUT + echo "${delimiter}" >> $GITHUB_OUTPUT - if: ${{ steps.diff.outputs.diff != '' }} name: Add comment From 97d036cf1c34dd26b9d7f8fa6d28e1677693ef47 Mon Sep 17 00:00:00 2001 
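Review bot: Both added `actions/checkout@v4` steps omit `ref:`, so `live/` and `pr/` receive the same commit and the diff between them would be empty. The workflow trigger is outside this hunk, but for a pull-request run the live checkout likely needs `ref: "${{ github.event.repository.default_branch }}"`. Both checkouts also keep the App token in their `.git/config` (the checkout default), where the container in the next step, which processes PR content, can read it; `persist-credentials: false` on each avoids that. The added `Setup System Tools` step repeats the identical step that already sits just above it in the hunk's context lines.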
From: Devin Buhl Date: Fri, 22 Dec 2023 08:56:22 -0500 Subject: [PATCH 144/149] revert: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 80 ++++++++++++++++---------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 7d8a9fced500b..e3513c8c0434e 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -69,52 +69,52 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - # - name: Setup Workflow Tools - # uses: jdx/rtx-action@v1 - # with: - # install: true - # cache: true - # rtx_toml: | - # [tools] - # flux2 = "latest" - - # - name: Diff Resources - # uses: allenporter/flux-local/action/diff@4.1.1 - # id: diff - # with: - # sources: home-kubernetes - # path: "${{ matrix.paths }}" - # resource: "${{ matrix.resources }}" - - - name: Checkout Live Branch - uses: actions/checkout@v4 + - name: Setup Workflow Tools + uses: jdx/rtx-action@v1 with: - token: "${{ steps.app-token.outputs.token }}" - path: live + install: true + cache: true + rtx_toml: | + [tools] + flux2 = "latest" - - name: Checkout PR branch - uses: actions/checkout@v4 + - name: Diff Resources + uses: allenporter/flux-local/action/diff@4.1.1 + id: diff with: - token: "${{ steps.app-token.outputs.token }}" - path: pr + sources: home-kubernetes + path: "${{ matrix.paths }}" + resource: "${{ matrix.resources }}" - - name: Setup System Tools - shell: bash - run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git + # - name: Checkout Live Branch + # uses: actions/checkout@v4 + # with: + # token: "${{ steps.app-token.outputs.token }}" + # path: live - - name: Diff Resources - uses: docker://ghcr.io/allenporter/flux-local:main - with: - args: flux-local diff ${{ matrix.resources }} --unified 6 --path-orig live/${{ matrix.paths }} --path pr/${{ matrix.paths }} --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" --skip-crds --skip-secrets --limit-bytes 10000 --all-namespaces --sources "home-kubernetes" > diff.txt + # - name: Checkout PR branch + # uses: actions/checkout@v4 + # with: + # token: "${{ steps.app-token.outputs.token }}" + # path: pr - - name: Generate Diff - id: diff - run: | - cat diff.txt - delimiter="$(openssl rand -hex 8)" - echo "diff<<${delimiter}" >> $GITHUB_OUTPUT - 
cat diff.txt >> $GITHUB_OUTPUT - echo "${delimiter}" >> $GITHUB_OUTPUT + # - name: Setup System Tools + # shell: bash + # run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git + + # - name: Diff Resources + # uses: docker://ghcr.io/allenporter/flux-local:main + # with: + # args: flux-local diff ${{ matrix.resources }} --unified 6 --path-orig live/${{ matrix.paths }} --path pr/${{ matrix.paths }} --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" --skip-crds --skip-secrets --limit-bytes 10000 --all-namespaces --sources "home-kubernetes" > diff.txt + + # - name: Generate Diff + # id: diff + # run: | + # cat diff.txt + # delimiter="$(openssl rand -hex 8)" + # echo "diff<<${delimiter}" >> $GITHUB_OUTPUT + # cat diff.txt >> $GITHUB_OUTPUT + # echo "${delimiter}" >> $GITHUB_OUTPUT - if: ${{ steps.diff.outputs.diff != '' }} name: Add comment From cdd7c4c9377cd4e62ac83cea895ba18a26b4f382 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 14:30:57 -0500 Subject: [PATCH 145/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 84 +++++++++++++++++--------------- 1 file changed, 44 insertions(+), 40 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index e3513c8c0434e..8f1eec3e6da6e 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml 
@@ -69,52 +69,56 @@ jobs: shell: bash run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git - - name: Setup Workflow Tools - uses: jdx/rtx-action@v1 - with: - install: true - cache: true - rtx_toml: | - [tools] - flux2 = "latest" - - - name: Diff Resources - uses: allenporter/flux-local/action/diff@4.1.1 - id: diff - with: - sources: home-kubernetes - path: "${{ matrix.paths }}" - resource: "${{ matrix.resources }}" - - # - name: Checkout Live Branch - # uses: actions/checkout@v4 + # - name: Setup Workflow Tools + # uses: jdx/rtx-action@v1 # with: - # token: "${{ steps.app-token.outputs.token }}" - # path: live + # install: true + # cache: true + # rtx_toml: | + # [tools] + # flux2 = "latest" - # - name: Checkout PR branch - # uses: actions/checkout@v4 + # - name: Diff Resources + # uses: allenporter/flux-local/action/diff@4.1.1 + # id: diff # with: - # token: "${{ steps.app-token.outputs.token }}" - # path: pr + # sources: home-kubernetes + # path: "${{ matrix.paths }}" + # resource: "${{ matrix.resources }}" - # - name: Setup System Tools - # shell: bash - # run: sudo apt-get -qq update && sudo apt-get -qq install --no-install-recommends -y curl git + - name: Checkout Live Branch + uses: actions/checkout@v4 + with: + token: "${{ steps.app-token.outputs.token }}" + path: live - # - name: Diff Resources - # uses: docker://ghcr.io/allenporter/flux-local:main - # with: - # args: flux-local diff ${{ matrix.resources }} --unified 6 --path-orig live/${{ matrix.paths }} --path pr/${{ matrix.paths }} --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" --skip-crds --skip-secrets --limit-bytes 10000 --all-namespaces --sources "home-kubernetes" > diff.txt + - name: Checkout PR branch + uses: actions/checkout@v4 + with: + token: "${{ steps.app-token.outputs.token }}" + path: pr - # - name: Generate Diff - # id: diff - # run: | - # cat diff.txt - # delimiter="$(openssl rand -hex 8)" - # echo "diff<<${delimiter}" 
>> $GITHUB_OUTPUT - # cat diff.txt >> $GITHUB_OUTPUT - # echo "${delimiter}" >> $GITHUB_OUTPUT + - name: Diff Resources + uses: docker://ghcr.io/allenporter/flux-local:main + with: + args: > + diff ${{ matrix.resources }} + --unified 6 + --path-orig live/${{ matrix.paths }} + --path pr/${{ matrix.paths }} + --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" + --limit-bytes 10000 + --all-namespaces + --sources "home-kubernetes" + --output-file diff.txt + + - name: Generate Diff + id: diff + run: | + cat diff.txt + echo "diff<> $GITHUB_OUTPUT + cat diff.txt >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT - if: ${{ steps.diff.outputs.diff != '' }} name: Add comment From 6f8ab673f6a0e5542c4c85072603ec0bad97548b Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 14:34:11 -0500 Subject: [PATCH 146/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 8f1eec3e6da6e..652fb3238263e 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -101,16 +101,16 @@ jobs: - name: Diff Resources uses: docker://ghcr.io/allenporter/flux-local:main with: - args: > + args: >- diff ${{ matrix.resources }} - --unified 6 - --path-orig live/${{ matrix.paths }} - --path pr/${{ matrix.paths }} - --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" - --limit-bytes 10000 - --all-namespaces - --sources "home-kubernetes" - --output-file diff.txt + --unified 6 + --path-orig live/${{ matrix.paths }} + --path pr/${{ matrix.paths }} + --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" + --limit-bytes 10000 + --all-namespaces + --sources "home-kubernetes" + --output-file diff.txt - name: Generate Diff id: diff 
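Review bot: The `Generate Diff` step now ends the multiline `diff` output with the fixed string `EOF`, where the earlier version of this step generated `delimiter="$(openssl rand -hex 8)"`. `diff.txt` is rendered from the PR's manifests, so a line consisting only of `EOF` would close the value early and the lines after it would be parsed as further output entries; keeping the random delimiter prevents that. This version of the `args:` also drops `--skip-secrets`, so it is worth confirming that the tool skips Secret objects by default, since the diff ends up in a PR comment. The `echo "diff<…` line appears truncated on this page.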
From cff6fa4da6363b32358b529a214fba4ad424a180 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 14:50:17 -0500 Subject: [PATCH 147/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 652fb3238263e..da05762a4df8c 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -98,6 +98,11 @@ jobs: token: "${{ steps.app-token.outputs.token }}" path: pr + - name: Set Git Permissions + run: | + git config --global --add safe.directory ${GITHUB_WORKSPACE}/live + git config --global --add safe.directory ${GITHUB_WORKSPACE}/pr + - name: Diff Resources uses: docker://ghcr.io/allenporter/flux-local:main with: From 786e0d62427a216c58ea23629393d25b50366e37 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 14:54:07 -0500 Subject: [PATCH 148/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index da05762a4df8c..68fc1f92fa705 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -100,8 +100,7 @@ jobs: - name: Set Git Permissions run: | - git config --global --add safe.directory ${GITHUB_WORKSPACE}/live - git config --global --add safe.directory ${GITHUB_WORKSPACE}/pr + id - name: Diff Resources uses: docker://ghcr.io/allenporter/flux-local:main From 64b4f40396a4190f07f7c8f5b54f190882af5307 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Fri, 22 Dec 2023 15:07:22 -0500 Subject: [PATCH 149/149] chore: test out flux-local docker image Signed-off-by: Devin Buhl --- .github/workflows/flux-diff.yaml | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 68fc1f92fa705..652fb3238263e 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -98,10 +98,6 @@ jobs: token: "${{ steps.app-token.outputs.token }}" path: pr - - name: Set Git Permissions - run: | - id - - name: Diff Resources uses: docker://ghcr.io/allenporter/flux-local:main with: