From 98880bdc1c3e2d81ef30d887ba247953f539c036 Mon Sep 17 00:00:00 2001
From: AnishMudaraddi
Date: Wed, 4 Feb 2026 12:56:06 +0000
Subject: [PATCH 1/8] install yq for set-env because we now run set-env.sh first, we need to install yq in set-env.sh so it works
---
 set-env.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/set-env.sh b/set-env.sh
index 0febd82..4a28a7c 100755
--- a/set-env.sh
+++ b/set-env.sh
@@ -4,6 +4,10 @@
 # if we do this and run into any errors it will kill the user's
 # current shell (e.g. a typo)
 
+echo "Installing required tools..."
+export PATH=$PATH:/snap/bin
+sudo snap install yq
+
 # Function to convert dependencies to a valid environment variables
 sanitize_var_name() {
 echo "$1" | tr '-' '_' | tr '[:lower:]' '[:upper:]'

From 0cb188870d0da6235fb12b3506ae346ef764e294 Mon Sep 17 00:00:00 2001
From: AnishMudaraddi
Date: Thu, 5 Feb 2026 14:05:42 +0000
Subject: [PATCH 2/8] use apt to install yq instead of snap add check if yq is already installed for yq so we're not forced to initiate apt if it is already installed
---
 bootstrap.sh | 14 +++++++-------
 set-env.sh | 7 ++++---
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/bootstrap.sh b/bootstrap.sh
index cc8b0ab..a6a72c4 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,13 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-echo "Installing required tools..."
-sudo apt-get install -y snapd python3-openstackclient
-export PATH=$PATH:/snap/bin
-sudo snap install kubectl --classic
-sudo snap install helm --classic
-sudo snap install yq
-
 echo "Updating system to apply latest security patches..."
 export DEBIAN_FRONTEND=noninteractive
 sudo apt-get update -qq
@@ -17,6 +10,13 @@ sudo apt-get -o Dpkg::Options::="--force-confold" \
 -o Dpkg::Options::="--force-confdef" \
 -y -qq upgrade > /dev/null
 
+echo "Installing required tools..."
+sudo apt-get install -y snapd python3-openstackclient yq
+
+export PATH=$PATH:/snap/bin
+sudo snap install kubectl --classic
+sudo snap install helm --classic
+
 # Check a clouds.yaml file exists in the same directory as the script
 if [ ! -f clouds.yaml ]; then
 echo "A clouds.yaml file is required in the same directory as this script"
diff --git a/set-env.sh b/set-env.sh
index 4a28a7c..540fbaa 100755
--- a/set-env.sh
+++ b/set-env.sh
@@ -4,9 +4,10 @@
 # if we do this and run into any errors it will kill the user's
 # current shell (e.g. a typo)
 
-echo "Installing required tools..."
-export PATH=$PATH:/snap/bin
-sudo snap install yq
+if [ ! -f "/usr/bin/yq" ]; then
+ echo "Installing yq..."
+ sudo apt-get -y install yq
+fi
 
 # Function to convert dependencies to a valid environment variables
 sanitize_var_name() {

From af4ddb73d0be7a2a382162e65a55723bca71c286 Mon Sep 17 00:00:00 2001
From: AnishMudaraddi
Date: Thu, 5 Feb 2026 14:33:57 +0000
Subject: [PATCH 3/8] change base branch for PR to staging instead of master - test github action changes before promotion
---
 .github/workflows/update-deps.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
index 2609416..d0908b9 100644
--- a/.github/workflows/update-deps.yaml
+++ b/.github/workflows/update-deps.yaml
@@ -26,6 +26,8 @@ jobs:
 
 - name: Checkout
 uses: actions/checkout@v6
+ with:
+ ref: staging
 
 - name: Get latest upstream chart version
 id: capi-helm-chart

From 136eab2aeb340d82bf6d0e172f5e20cfc91d56c7 Mon Sep 17 00:00:00 2001
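Review bot: `sudo apt-get install -y snapd python3-openstackclient yq` installs a different tool from the `sudo snap install yq` it replaces: on Debian/Ubuntu the apt `yq` package is the Python jq-wrapper, while the snap ships the Go implementation, and their command-line syntax is not compatible. The `yq` call sites are outside this hunk, so confirm which dialect they were written against before switching; if the Go one is required, keep installing it from the snap or from a release binary whose checksum is verified, not from apt. The same swap is made in this commit's set-env.sh hunk (`sudo apt-get -y install yq`). A comment on the install line naming the expected variant would prevent the next person from silently reintroducing the other one, e.g. `# yq here is the Debian python-yq (jq wrapper), not mikefarah/yq`.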
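Review bot: `if [ ! -f "/usr/bin/yq" ]; then` tests one hard-coded path instead of whether the command is available, so a yq already present via snap (`/snap/bin`) or `/usr/local/bin` triggers a second, possibly different, install, and a distro that places it elsewhere reinstalls on every run. Prefer `if ! command -v yq >/dev/null 2>&1; then`, which honours PATH and is the usual idiom. The header comment indicates this file is sourced into the user's shell, so a privileged package install here is a surprising side effect; a one-line comment recording why it lives here rather than in bootstrap.sh would help, e.g. `# set-env.sh runs before bootstrap.sh, so yq must already be available here`.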
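Review bot: `ref: staging` changes which branch the later create-pull-request step targets, but nothing in the hunk says so; a comment would save the next reader a trip to the commit log, e.g. `# Check out staging so workflow changes are exercised there before being promoted to master`. The PR base-branch input is outside this hunk; peter-evans/create-pull-request documents `base` as defaulting to the branch checked out in the workflow, so this should take effect on its own, but confirm `base:` is not explicitly set to master further down.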
From: Chris Green <138027265+Chris-green-stfc@users.noreply.github.com>
Date: Wed, 11 Mar 2026 13:24:55 +0000
Subject: [PATCH 4/8] Updated monitoring addon link comment The monitoring addon comment linked to an archived stackhpc repo, rather than the azimuth-cloud repo
---
 values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/values.yaml b/values.yaml
index 70118a0..f07cc6b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -164,7 +164,7 @@ apiServer:
 
 addons:
 # Enable monitoring by default, this deploys
-# https://github.com/stackhpc/capi-helm-charts/blob/main/charts/cluster-addons/README.md#monitoring-and-logging
+# https://github.com/azimuth-cloud/capi-helm-charts/blob/main/charts/cluster-addons/README.md#monitoring-and-logging
 # and includes Loki which is required for central logging as per UKRI policy
 monitoring:
 enabled: true

From ac1bf94465a173a2f7632ecd18c544ae34f7c8a6 Mon Sep 17 00:00:00 2001
From: Aziz Ahmad
Date: Thu, 16 Apr 2026 14:57:34 +0100
Subject: [PATCH 5/8] ENH: Bump default Kubernetes image for CAPI clusters to the latest v1.34 release available.
---
 user-values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/user-values.yaml b/user-values.yaml
index fabb6ad..87e63a7 100644
--- a/user-values.yaml
+++ b/user-values.yaml
@@ -25,9 +25,9 @@ controlPlane:
 # The Kubernetes version of the cluster
 # This should match the version of kubelet and kubeadm in the image
 # and will be automatically updated by us
-kubernetesVersion: "1.34.3"
+kubernetesVersion: "1.34.6"
 # The name of the image to use for cluster machines
-machineImage: "capi-ubuntu-2204-kube-v1.34.3"
+machineImage: "capi-ubuntu-2204-kube-v1.34.6"
 
 addons:
 # Monitoring sets up kube-prometheus-stack and loki-stack.

From 311d426b858630551cd36c2f5a2dd4f62892603b Mon Sep 17 00:00:00 2001
From: RyanH-STFC
Date: Fri, 24 Apr 2026 10:56:35 +0100
Subject: [PATCH 6/8] Change tags to SHAs -Changed the tags from actions to SHAs as it is a defence against supply chain attacks
---
 .github/workflows/pull-request-actions.yaml | 4 ++--
 .github/workflows/update-deps.yaml | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/pull-request-actions.yaml b/.github/workflows/pull-request-actions.yaml
index cbbbd62..f67882e 100644
--- a/.github/workflows/pull-request-actions.yaml
+++ b/.github/workflows/pull-request-actions.yaml
@@ -11,8 +11,8 @@ jobs:
 name: Shellcheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 - name: Run ShellCheck
- uses: ludeeus/action-shellcheck@master
+ uses:ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 #v2.0.0
 with:
 check_together: 'yes'
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
index d0908b9..3cf779a 100644
--- a/.github/workflows/update-deps.yaml
+++ b/.github/workflows/update-deps.yaml
@@ -18,20 +18,20 @@ jobs:
 steps:
 
 - name: "Setup Github Token"
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
 id: app-token
 with:
 app-id: ${{ vars.APP_ID }}
 private-key: ${{ secrets.PRIVATE_KEY }}
 
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 with:
 ref: staging
 
 - name: Get latest upstream chart version
 id: capi-helm-chart
- uses: azimuth-cloud/github-actions/helm-latest-version@master
+ uses: azimuth-cloud/github-actions/helm-latest-version@9ae9839de21f5dd3ede65728eda0019db8b692f5 #v0.23.0
 with:
 repository: "https://azimuth-cloud.github.io/capi-helm-charts"
 chart: "openstack-cluster"
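Review bot: `uses:ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 #v2.0.0` is missing the space after the colon, so YAML reads the whole token as a plain scalar rather than a `uses` key and the step is malformed; it should be `uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38  # v2.0.0`. The trailing version comments on every pinned line in this commit (here and in both update-deps.yaml hunks) are written `#vX.Y.Z` with a single space before them; yamllint's `comments` rule expects two spaces before and one after the `#`. Nothing checks that each SHA really is the tag named in its comment, so consider enabling Dependabot or Renovate for the `github-actions` ecosystem so the pins are bumped and the comments kept in step.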
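Review bot: `uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1` replaces `@v2`, so this line carries a major-version upgrade inside a commit described as a tag-to-SHA pin; the commit message should say so and the v3 release notes should be checked for input or output changes (the `app-id`/`private-key` inputs and `id: app-token` shown as context look unchanged, but only what is visible here can be judged). The other pins in this hunk stay within the major version they replace, as far as the comments indicate; whether each SHA actually corresponds to the named tag has to be verified against the upstream repositories, since nothing in the workflow does that.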
@@ -39,7 +39,7 @@ jobs:
 # TODO: once azimuth-cloud/capi-helm-charts provides their own pinned k-orc installation method, we pick up the latest version
 - name: "Get latest Openstack Resource Controller (K-orc) version"
 id: get-k-orc-version
- uses: pozetroninc/github-action-get-latest-release@master
+ uses: pozetroninc/github-action-get-latest-release@2a61c339ea7ef0a336d1daa35ef0cb1418e7676c #v0.8.0
 with:
 repository: k-orc/openstack-resource-controller
 excludes: prerelease, draft
@@ -60,7 +60,7 @@ jobs:
 
 - name: "Create Pull Request for updating dependencies if changed"
 id: make-pr
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
 env:
 pr-title: "Update Build Dependencies to match upstream"
 with:

From 96992c3de50d184a266a48fbd736d179f687f5c6 Mon Sep 17 00:00:00 2001
From: RyanH-STFC
Date: Fri, 24 Apr 2026 10:58:01 +0100
Subject: [PATCH 7/8] Add Read only permissions to actions - adding read only permissions as some actions may use token to read the repo and we shouldnt give them write permissions at the same time.
---
 .github/workflows/pull-request-actions.yaml | 3 +++
 .github/workflows/update-deps.yaml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/pull-request-actions.yaml b/.github/workflows/pull-request-actions.yaml
index f67882e..5b8071a 100644
--- a/.github/workflows/pull-request-actions.yaml
+++ b/.github/workflows/pull-request-actions.yaml
@@ -1,4 +1,7 @@
+permissions:
+  contents: read
+
 name: Pull Request Jobs
 
 on:
 
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
index 3cf779a..a15ac40 100644
--- a/.github/workflows/update-deps.yaml
+++ b/.github/workflows/update-deps.yaml
@@ -1,4 +1,7 @@
+permissions:
+  contents: read
+
 name: Sync Dependencies with upstream
 
 on:
 

From 1d500415f8f6d7a8063261b7757ec350775dae8c Mon Sep 17 00:00:00 2001
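Review bot: `permissions:` with `contents: read` at the top of update-deps.yaml now restricts the default GITHUB_TOKEN for every job, so the Checkout step and the create-pull-request step must be using the GitHub App token produced by the `app-token` step (their `token:` inputs are outside this hunk); if either still relies on the default token, pushing the PR branch will fail with the read-only token. The same hunk shape is added to pull-request-actions.yaml, where read-only is sufficient for checkout and shellcheck. Both place `permissions:` above `name:`, which is valid but unconventional, and a short comment would record the intent, e.g. `# Least-privilege default for GITHUB_TOKEN; write access comes from the app token where needed`. The workflow files continue past the hunk.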
From: Aziz Ahmad
Date: Tue, 19 May 2026 16:24:35 +0100
Subject: [PATCH 8/8] Bump capi image version to the latest available in OpenStack
---
 user-values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/user-values.yaml b/user-values.yaml
index 87e63a7..4865134 100644
--- a/user-values.yaml
+++ b/user-values.yaml
@@ -25,9 +25,9 @@ controlPlane:
 # The Kubernetes version of the cluster
 # This should match the version of kubelet and kubeadm in the image
 # and will be automatically updated by us
-kubernetesVersion: "1.34.6"
+kubernetesVersion: "1.34.8"
 # The name of the image to use for cluster machines
-machineImage: "capi-ubuntu-2204-kube-v1.34.6"
+machineImage: "capi-ubuntu-2204-kube-v1.34.8"
 
 addons:
 # Monitoring sets up kube-prometheus-stack and loki-stack.