Skip to content

Commit a08d810

Browse files
krancourclaude
andauthored
feat: consolidate Promotion construction in defaulting webhook (#6215)
Signed-off-by: Kent Rancourt <kent.rancourt@gmail.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent f63cbcf commit a08d810

16 files changed

Lines changed: 1540 additions & 1546 deletions

File tree

Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
#!/bin/bash
2+
# PreToolUse hook: require orbstack k8s context for kubectl and helm cluster operations.
3+
#
4+
# Always allowed regardless of context:
5+
# kubectl config, kubectl version, kubectl api-resources, kubectl api-versions,
6+
# kubectl explain
7+
# helm template, helm show, helm repo, helm search, helm version, helm env,
8+
# helm lint, helm package, helm pull, helm dependency
9+
#
10+
# Everything else (kubectl get/apply/delete/..., helm install/upgrade/uninstall/...)
11+
# requires the current k8s context to be "orbstack".
12+
13+
set -euo pipefail
14+
15+
INPUT=$(cat)
16+
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
17+
18+
# Strip leading whitespace and env var assignments (e.g. FOO=bar kubectl ...)
19+
NORMALIZED=$(echo "$COMMAND" | sed 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*=[^[:space:]]* \)*//')
20+
21+
# Extract the base command
22+
BASE=$(echo "$NORMALIZED" | awk '{print $1}')
23+
24+
case "$BASE" in
25+
kubectl)
26+
SUBCMD=$(echo "$NORMALIZED" | awk '{print $2}')
27+
# Always allowed kubectl subcommands
28+
case "$SUBCMD" in
29+
config|version|api-resources|api-versions|explain|completion)
30+
exit 0
31+
;;
32+
esac
33+
;;
34+
helm)
35+
SUBCMD=$(echo "$NORMALIZED" | awk '{print $2}')
36+
# Always allowed helm subcommands (read-only / local-only)
37+
case "$SUBCMD" in
38+
template|show|repo|search|version|env|lint|package|pull|dependency|completion)
39+
exit 0
40+
;;
41+
esac
42+
;;
43+
*)
44+
# Not kubectl or helm -- not our concern
45+
exit 0
46+
;;
47+
esac
48+
49+
# If we're here, it's a kubectl or helm command that requires context check
50+
CURRENT_CONTEXT=$(kubectl config current-context 2>/dev/null || echo "unknown")
51+
52+
if [ "$CURRENT_CONTEXT" != "orbstack" ]; then
53+
jq -n \
54+
--arg reason "Blocked: $BASE commands that touch the cluster require the orbstack context (current: $CURRENT_CONTEXT). Run: kubectl config set-context orbstack" \
55+
'{
56+
"hookSpecificOutput": {
57+
"hookEventName": "PreToolUse",
58+
"permissionDecision": "deny",
59+
"permissionDecisionReason": $reason
60+
}
61+
}'
62+
fi
Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
---
2+
name: lock-release-docs
3+
description: Lock docs and scripts on a release branch to a specific patch version
4+
argument-hint: <release-branch> <version>
5+
disable-model-invocation: true
6+
---
7+
8+
Lock all documentation and scripts on a release branch so they reference a
9+
specific version instead of floating references like `main` or `latest`.
10+
11+
**Arguments:** `$0` = release branch (e.g. `release-1.9`), `$1` = version to
12+
lock to (e.g. `1.9.3`)./
13+
14+
## Before starting
15+
16+
1. Fetch from the `upstream` remote.
17+
2. Check out `$0` and make sure it is up to date with `upstream/$0`.
18+
3. Create a working branch (e.g. `lock-$0-docs`) off of `$0`.
19+
20+
## What to search for
21+
22+
Search `docs/` and `hack/` thoroughly for the patterns below. Do not assume a
23+
fixed set of files -- new docs or scripts may introduce new instances over time.
24+
25+
### Floating GitHub URLs pointing at `main`
26+
27+
Any `raw.githubusercontent.com/akuity/kargo/main/...` or
28+
`github.com/akuity/kargo/tree/main/...` URL should be updated to reference
29+
the release branch instead (e.g. `refs/heads/$0` for raw content URLs,
30+
`tree/$0` for tree links).
31+
32+
### Floating GitHub release URLs using `latest`
33+
34+
Any `github.com/akuity/kargo/releases/latest/download/...` URL should be
35+
pinned to the specific version: `releases/download/v$1/...`.
36+
37+
### Kargo Helm chart commands without a version pin
38+
39+
Any `helm install`, `helm upgrade`, or `helm inspect values` command that
40+
references `oci://ghcr.io/akuity/kargo-charts/kargo` without a `--version`
41+
flag needs `--version $1` added. Place it on the line immediately after the
42+
chart URL, before any `--namespace` or `--set` flags, to match the style used
43+
by nearby third-party chart installs.
44+
45+
Do **not** modify helm commands for third-party charts (cert-manager, Argo CD,
46+
Argo Rollouts, etc.) -- those manage their own version pins.
47+
48+
## After all edits
49+
50+
1. Summarize every change (file, line, what changed) and present the diff.
51+
2. Do **not** commit automatically -- wait for the user to review and approve.
Lines changed: 133 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,133 @@
1+
---
2+
name: update-versions
3+
description: Check for and update hard-coded tool and chart versions that dependabot does not cover
4+
disable-model-invocation: true
5+
---
6+
7+
Find hard-coded version pins in the repository that are not managed by
8+
dependabot, check whether newer versions are available, and (with user
9+
approval) update them consistently across all locations.
10+
11+
## Scope
12+
13+
Dependabot already manages Go module dependencies (`go.mod` files), GitHub
14+
Actions versions, Docker base image tags, and npm/UI dependencies. Some tool
15+
versions in `hack/tools.mk` are read from `hack/tools/go.mod` at make-time
16+
(via `$(shell grep ...)`); those are also covered. This skill targets
17+
everything else.
18+
19+
**Do NOT touch:** `**/go.mod`, `**/go.sum`, `**/package.json`, Docker `FROM`
20+
lines, or GitHub Actions workflow versions.
21+
22+
## Phase 1 -- Discovery
23+
24+
Search for version pins using the patterns below. Do NOT assume a fixed list of
25+
files or tools -- new pins may be introduced over time.
26+
27+
### Pattern A: Makefile hard-coded versions
28+
29+
Search `Makefile` and `hack/**/*.mk` for variable assignments whose values are
30+
literal version strings:
31+
32+
```
33+
<NAME>_VERSION := v1.2.3
34+
<NAME>_CHART_VERSION := 1.2.3
35+
```
36+
37+
**Skip** any line whose right-hand side contains `$(shell` -- those pull from
38+
`go.mod` and are managed by dependabot.
39+
40+
### Pattern B: Shell script version variables
41+
42+
Search `hack/**/*.sh` for assignments like:
43+
44+
```
45+
<name>_version=1.2.3
46+
<name>_chart_version=1.2.3
47+
```
48+
49+
These are typically duplicates of Makefile variables and must stay in sync.
50+
51+
### Pattern C: Inline GitHub release URLs
52+
53+
Search all non-vendored, non-generated files for URLs embedding a version:
54+
55+
```
56+
github.com/<owner>/<repo>/releases/download/v<version>/
57+
```
58+
59+
### Pattern D: Dockerfile ARG version pins
60+
61+
Search `Dockerfile*` for `ARG <NAME>_VERSION=<value>` and inline assignments
62+
like `<NAME>_VERSION=v<value>`. Skip `ARG VERSION` (the project's own build-
63+
time version) and skip base image tags (`FROM ...`) which dependabot handles.
64+
65+
### Pattern E: Helm chart versions
66+
67+
Search `Makefile`, `hack/**/*.mk`, and `hack/**/*.sh` for `--version` flags
68+
used with `helm install` or `helm upgrade`. Cross-reference with the chart
69+
version variables found in Patterns A and B to build a complete mapping of
70+
chart name, Helm repo URL, and all files where the version appears.
71+
72+
## Phase 2 -- Determine latest versions
73+
74+
For each discovered pin, determine the latest stable release. Skip pre-release,
75+
alpha, beta, and RC versions.
76+
77+
### GitHub-hosted tools
78+
79+
Map each tool to its GitHub repo by inspecting install functions in
80+
`hack/tools.mk` -- the download URLs or `go install` paths reveal the
81+
`<owner>/<repo>`. Then:
82+
83+
```bash
84+
gh api repos/<owner>/<repo>/releases/latest --jq '.tag_name'
85+
```
86+
87+
### Helm charts
88+
89+
For each chart, use the repo URL found near `helm install` commands:
90+
91+
```bash
92+
helm repo add <temp-name> <repo-url> --force-update 2>/dev/null
93+
helm search repo <temp-name>/<chart-name> --versions -o json
94+
```
95+
96+
Use the newest non-pre-release entry.
97+
98+
## Phase 3 -- Report
99+
100+
Present a table:
101+
102+
```
103+
| Tool/Chart | Current | Latest | Status | Files |
104+
|------------------|---------|---------|----------|---------------------------------------|
105+
| protoc | v25.3 | v28.1 | outdated | hack/tools.mk |
106+
| argo-cd (chart) | 8.1.4 | 8.2.0 | outdated | Makefile, install.sh, kind.sh, k3d.sh |
107+
| kind | v0.31.0 | v0.31.0 | current | hack/tools.mk |
108+
```
109+
110+
Flag any **major version bumps** prominently -- these may require build or
111+
configuration changes.
112+
113+
**Do not proceed to updates** until the user reviews this table and confirms
114+
which items to update.
115+
116+
## Phase 4 -- Apply updates
117+
118+
For each version the user approves:
119+
120+
1. Identify **all** locations where that version appears. Re-grep to confirm;
121+
do not rely on Phase 1 results alone.
122+
2. Update every location. Preserve each file's conventions:
123+
- `v` prefix vs bare number (if current is `8.1.4`, new should be `8.2.0`,
124+
not `v8.2.0`)
125+
- `UPPER_SNAKE_CASE` in Makefiles, `lower_snake_case` in shell scripts
126+
3. Grep for the **old** version string across the repo to confirm nothing was
127+
missed.
128+
129+
## Phase 5 -- Review
130+
131+
1. Show the full diff.
132+
2. Summarize what changed: which tools/charts, old → new version, which files.
133+
3. Do **not** commit automatically -- wait for the user to review and approve.

0 commit comments

Comments
 (0)