release-operator.yml

name: release-operator
on:
  workflow_call:
    inputs:
      OPERATOR_SDK_VERSION:
        description: "Version of Operator SDK Binary for installation"
        # renovate: datasource=github-releases depName=operator-framework/operator-sdk
        default: "v1.42.2"
        required: false
        type: string
      BUILD_PLATFORMS:
        description: 'Comma separated list of targets for builds e.g. "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"'
        default: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
        required: false
        type: string
      GO_VERSION:
        description: "Go version to use"
        # renovate: datasource=golang-version depName=go
        default: "1.21"
        required: false
        type: string
      PR_ACTOR:
        description: "Email for Git Commit PR to Release Operator"
        required: false
        type: string
      OPERATOR_IMAGE_REPOSITORY:
        description: "Registry image e.g. quay.io/redhat-cop/repository-name"
        default: ""
        required: false
        type: string
      BUNDLE_IMAGE_REPOSITORY:
        description: "Registry image e.g. quay.io/redhat-cop/repository-name"
        default: ""
        required: false
        type: string
      RUN_UNIT_TESTS:
        description: "Run unit tests will run the test target in the Makefile"
        default: false
        required: false
        type: boolean
      RUN_INTEGRATION_TESTS:
        description: "Run integration tests will run the integration target in the Makefile"
        default: false
        required: false
        type: boolean
      RUN_HELMCHART_TEST:
        description: "Run helmchart test will run the helmchart-test target in the Makefile"
        default: false
        required: false
        type: boolean
      KUBECTL_WAIT_TIMEOUT:
        description: "kubectl wait timeout used for integration and helmchart-test targets in the Makefile (e.g. 5m)"
        default: "5m"
        required: false
        type: string
    secrets:
      COMMUNITY_OPERATOR_PAT:
        description: "Github PAT Token for Community Operator Fork Git Operations"
        required: true
      REGISTRY_USERNAME:
        description: "Username for Registry"
        required: true
      REGISTRY_PASSWORD:
        description: "Password for Registry"
        required: true

env:
  DEFAULT_BUNDLE_VERSION: "0.0.1"
  DEFAULT_BUNDLE_CHANNEL: "alpha"
  DEFAULT_OPERATOR_VERSION: "latest"
  DEFAULT_HELMCHART_VERSION: "v0.0.1"
  HELM_REPO_DIR: "./tmp/gh-pages"

jobs:
  setup:
    runs-on: ubuntu-latest
    name: setup
    steps:
      - name: Check if registry secrets are set
        run: |
          if [ "${{ secrets.REGISTRY_USERNAME }}" == "" ] || [ "${{ secrets.REGISTRY_PASSWORD }}" == "" ]; then
            echo "Required Secrets 'REGISTRY_USERNAME' or 'REGISTRY_PASSWORD' are not set!"
            exit 1
          fi

      - name: Check if community operators PAT secret is set
        run: |
          if [ "${{ secrets.COMMUNITY_OPERATOR_PAT }}" == "" ]; then
            echo "Required Secret 'COMMUNITY_OPERATOR_PAT' is not set"
            exit 1
          fi

      - name: Setting Workflow Variables
        id: set-variables
        env:
          BUILD_PLATFORMS: ${{ inputs.BUILD_PLATFORMS }}
        run: |
          echo "repository_name=$(basename $GITHUB_REPOSITORY)" >> $GITHUB_OUTPUT
          echo "bin_dir=$(pwd)/bin" >> $GITHUB_OUTPUT

          # Create Distribution Matrix
          echo "dist_matrix=$(echo -n "${{ env.BUILD_PLATFORMS }}" | jq -csR '. | split(",")')" >> $GITHUB_OUTPUT
          echo "dist_matrix_dash=$(echo -n "${{ env.BUILD_PLATFORMS }}" | tr '/' '-' | jq -csR '. | split(",")')" >> $GITHUB_OUTPUT
          # Create Image Tags
          echo "image_platform_tags=$(echo $BUILD_PLATFORMS | sed  -e 's/,/ /g' -e 's/\//-/g')" >> $GITHUB_OUTPUT

      - name: Setting Image Variables
        id: set-variables-image
        run: |
          if [ "${{ inputs.OPERATOR_IMAGE_REPOSITORY }}" == "" ]; then
            echo "operator_image_repository_name=${{ steps.set-variables.outputs.repository_name }}" >> $GITHUB_OUTPUT
            echo "operator_image_registry=quay.io/$(dirname $GITHUB_REPOSITORY)" >> $GITHUB_OUTPUT
          else
            OPERATOR_IMAGE_REPOSITORY="${{ inputs.OPERATOR_IMAGE_REPOSITORY }}"
            echo "operator_image_repository_name=${OPERATOR_IMAGE_REPOSITORY##*/}" >> $GITHUB_OUTPUT
            echo "operator_image_registry=${OPERATOR_IMAGE_REPOSITORY%/*}" >> $GITHUB_OUTPUT
          fi

          if [ "${{ inputs.BUNDLE_IMAGE_REPOSITORY }}" == "" ]; then
            echo "bundle_image_repository_name=${{ steps.set-variables.outputs.repository_name }}-bundle" >> $GITHUB_OUTPUT
            echo "bundle_image_registry=quay.io/$(dirname $GITHUB_REPOSITORY)" >> $GITHUB_OUTPUT

          else
            BUNDLE_IMAGE_REPOSITORY="${{ inputs.BUNDLE_IMAGE_REPOSITORY }}"
            echo "bundle_image_repository_name=${BUNDLE_IMAGE_REPOSITORY##*/}" >> $GITHUB_OUTPUT
            echo "bundle_image_registry=${BUNDLE_IMAGE_REPOSITORY%/*}" >> $GITHUB_OUTPUT
          fi

          # Set versions based on presence of tag
          if [[ "${{ github.ref }}" =~ ^refs/tags/ ]]; then
            TAG="${GITHUB_REF/refs\/tags\//}"
            echo "tag_event=true" >> $GITHUB_OUTPUT
            echo "operator_version=$TAG" >> $GITHUB_OUTPUT
            echo "bundle_version=${TAG:1}" >> $GITHUB_OUTPUT
            echo "helmchart_version=$TAG" >> $GITHUB_OUTPUT
          else
            echo "tag_event=false" >> $GITHUB_OUTPUT
            echo "operator_version=$DEFAULT_OPERATOR_VERSION" >> $GITHUB_OUTPUT
            echo "bundle_version=$DEFAULT_BUNDLE_VERSION" >> $GITHUB_OUTPUT
            echo "helmchart_version=$DEFAULT_HELMCHART_VERSION" >> $GITHUB_OUTPUT
          fi

      - name: Verify Semver Bundle Version
        uses: rubenesp87/semver-validation-action@8f4b9f2835a4826fbbdfe8f5dbb6ad8996cf5831 # 0.1.0
        with:
          version: "${{ steps.set-variables-image.outputs.bundle_version }}"

      - name: Verify Semver Helm Chart Version
        uses: rubenesp87/semver-validation-action@8f4b9f2835a4826fbbdfe8f5dbb6ad8996cf5831 # 0.1.0
        with:
          version: "${{ steps.set-variables-image.outputs.helmchart_version }}"

      - name: Build Go Cache Paths
        id: go-cache-paths
        run: |
          echo "go-build=$(go env GOCACHE)" >> $GITHUB_OUTPUT
          echo "go-mod=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: ${{ inputs.GO_VERSION }}
          cache: false

      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Go Build Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ steps.go-cache-paths.outputs.go-build }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}

      - name: Go Mod Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ steps.go-cache-paths.outputs.go-mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

      - name: Go Dependencies
        run: go mod download

      - name: Download Binaries
        env:
          OPERATOR_SDK_VERSION: ${{ inputs.OPERATOR_SDK_VERSION }}
        run: |
          # Create Binary Directory
          mkdir -p ${{ steps.set-variables.outputs.bin_dir }}

          # Operator SDK
          curl -L -o ${{ steps.set-variables.outputs.bin_dir }}/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${{ env.OPERATOR_SDK_VERSION }}/operator-sdk_linux_amd64

          # Controller-gen
          make controller-gen

          # Kustomize
          make kustomize

      - name: Upload Support Binaries
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: support-binaries
          path: ${{ steps.set-variables.outputs.bin_dir }}
          retention-days: 1

    outputs:
      repository_name: ${{ steps.set-variables.outputs.repository_name }}
      bin_dir: ${{ steps.set-variables.outputs.bin_dir }}
      operator_image_repository_name: ${{ steps.set-variables-image.outputs.operator_image_repository_name}}
      operator_image_registry: ${{ steps.set-variables-image.outputs.operator_image_registry }}
      bundle_image_repository_name: ${{ steps.set-variables-image.outputs.bundle_image_repository_name }}
      bundle_image_registry: ${{ steps.set-variables-image.outputs.bundle_image_registry }}
      go_build: ${{ steps.go-cache-paths.outputs.go-build }}
      go_mod: ${{ steps.go-cache-paths.outputs.go-mod }}
      operator_version: ${{ steps.set-variables-image.outputs.operator_version }}
      bundle_version: ${{ steps.set-variables-image.outputs.bundle_version }}
      helmchart_version: ${{ steps.set-variables-image.outputs.helmchart_version }}
      tag_event: ${{ steps.set-variables-image.outputs.tag_event }}
      dist_matrix: ${{ steps.set-variables.outputs.dist_matrix }}
      dist_matrix_dash: ${{ steps.set-variables.outputs.dist_matrix_dash }}
      image_platform_tags: ${{ steps.set-variables.outputs.image_platform_tags }}

  build-operator:
    runs-on: ubuntu-latest
    name: build-operator
    needs: ["setup", "test-operator"]
    strategy:
      matrix:
        platform: ${{ fromJson(needs.setup.outputs.dist_matrix) }}
    env:
      REPOSITORY_NAME: ${{ needs.setup.outputs.repository_name }}
      OPERATOR_VERSION: ${{ needs.setup.outputs.operator_version }}
      BUNDLE_VERSION: ${{ needs.setup.outputs.bundle_version }}
      OPERATOR_IMAGE_REPOSITORY: "${{ needs.setup.outputs.operator_image_registry }}/${{ needs.setup.outputs.operator_image_repository_name }}"
      OPERATOR_IMAGE_REGISTRY: ${{ needs.setup.outputs.operator_image_registry }}
      BUNDLE_IMAGE_REPOSITORY: "${{ needs.setup.outputs.bundle_image_registry }}/${{ needs.setup.outputs.bundle_image_repository_name }}"
      BUNDLE_IMAGE_REGISTRY: ${{ needs.setup.outputs.bundle_image_registry }}
    permissions:
      contents: read
      id-token: write

    steps:
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: ${{ inputs.GO_VERSION }}
          cache: false

      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Validate variables
        run: |
          if [ "${{ needs.setup.outputs.operator_image_registry }}" == "" ]; then
            echo "Required setup outputs 'operator_image_registry' is not set. Check setup 'Complete Job' step."
            exit 1
          fi

          if [ "${{ needs.setup.outputs.bundle_image_registry }}" == "" ]; then
            echo "Required setup outputs 'bundle_image_registry' is not set. Check setup 'Complete Job' step."
            exit 1
          fi

      - name: Go Build Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_build }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}

      - name: Go Mod Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

      - name: Download Support Binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: support-binaries
          path: ${{ needs.setup.outputs.bin_dir }}

      - name: Prepare Build Step
        id: setup-build-step
        run: |
          # Setup Path
          echo "${{ needs.setup.outputs.bin_dir }}" >> $GITHUB_PATH

          # Make Binaries Executable
          chmod +x ${{ needs.setup.outputs.bin_dir }}/*

          # Configure Platform Variables
          echo "platform_os=$(echo ${{ matrix.platform }} |  cut -d/ -f1)" >> $GITHUB_OUTPUT
          echo "platform_arch=$(echo ${{ matrix.platform }} |  cut -d/ -f2)" >> $GITHUB_OUTPUT

      - name: Download Dependencies
        shell: bash
        run: |
          make generate
          make fmt
          make vet

      - name: build code
        shell: bash
        env:
          VERSION: latest
          GOOS: ${{ steps.setup-build-step.outputs.platform_os }}
          GOARCH: ${{ steps.setup-build-step.outputs.platform_arch }}
        run: make

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
        with:
          buildkitd-flags: --debug

      - name: Setup cosign
        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3

      - name: Login to Operator Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ${{ env.OPERATOR_IMAGE_REGISTRY }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: "Build Operator Image"
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
        id: build_push
        with:
          context: .
          file: "./ci.Dockerfile"
          provenance: false
          platforms: ${{ matrix.platform }}
          push: true
          tags: "${{ env.OPERATOR_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }},${{ env.OPERATOR_IMAGE_REPOSITORY }}:${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}"

      - name: Sign Operator Image
        id: sign_operator
        env:
          IMAGE_URI: ${{ env.OPERATOR_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }}
        run: |
          cosign sign --yes ${IMAGE_URI}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        env:
          TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        with:
          scan-type: image
          image-ref: ${{ env.OPERATOR_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }}
          format: "cosign-vuln"
          output: "cosign-vuln.json"

      - name: Run Trivy SBOM generator
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        env:
          TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        with:
          scan-type: image
          image-ref: ${{ env.OPERATOR_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }}
          format: "spdx-json"
          output: "spdx-json.json"

      - name: Attach attestations for Operator Image
        env:
          IMAGE_URI: ${{ env.OPERATOR_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }}
        run: |
          cosign attest --yes --type vuln --predicate cosign-vuln.json ${IMAGE_URI}
          cosign attest --yes --type spdx --predicate spdx-json.json ${IMAGE_URI}

      - name: Prepare Distribution Artifacts
        shell: bash
        run: |
          # Create Distribution Directory
          mkdir dist

          # Move and Rename Manager Binary
          mv bin/manager dist/${{ env.REPOSITORY_NAME }}-manager-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}

      - name: Upload Dist
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: dist-manager-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}
          path: dist
          retention-days: 1

      - name: Output digests
        id: digests
        run: |
          platform=${{ matrix.platform }}
          echo "digest-${platform/\//-}=${{ steps.build_push.outputs.digest }}" >> "$GITHUB_OUTPUT"

    # Need to be named, see: https://github.com/slsa-framework/slsa-github-generator/blob/v1.9.0/internal/builders/generic/README.md#a-different-attestation-for-each-iteration
    outputs:
      linux-amd64: ${{ steps.digests.outputs.digest-linux-amd64 }}
      linux-arm64: ${{ steps.digests.outputs.digest-linux-arm64 }}
      linux-ppc64le: ${{ steps.digests.outputs.digest-linux-ppc64le }}
      linux-s390x: ${{ steps.digests.outputs.digest-linux-s390x }}
      image_uri: ${{ env.OPERATOR_IMAGE_REPOSITORY }}

  provenance-operator:
    needs: ["setup","build-operator"]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    strategy:
      matrix:
        platform: ${{ fromJson(needs.setup.outputs.dist_matrix_dash) }}
    # https://github.com/slsa-framework/slsa-github-generator/blob/v1.9.0/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ${{ needs.build-operator.outputs.image_uri }}
      digest: ${{ needs.build-operator.outputs[format('{0}', matrix.platform)] }}
    secrets:
      registry-username: ${{ secrets.REGISTRY_USERNAME }}
      registry-password: ${{ secrets.REGISTRY_PASSWORD }}

  process-operator-image-manifest:
    runs-on: ubuntu-latest
    name: process-operator-image-manifest
    needs: ["setup", "test-operator", "build-operator"]
    env:
      REPOSITORY_NAME: ${{ needs.setup.outputs.repository_name }}
      OPERATOR_VERSION: ${{ needs.setup.outputs.operator_version }}
      BUNDLE_VERSION: ${{ needs.setup.outputs.bundle_version }}
      OPERATOR_IMAGE_REPOSITORY: "${{ needs.setup.outputs.operator_image_registry }}/${{ needs.setup.outputs.operator_image_repository_name }}"
      OPERATOR_IMAGE_REGISTRY: ${{ needs.setup.outputs.operator_image_registry }}
      BUNDLE_IMAGE_REPOSITORY: "${{ needs.setup.outputs.bundle_image_registry }}/${{ needs.setup.outputs.bundle_image_repository_name }}"
      BUNDLE_IMAGE_REGISTRY: ${{ needs.setup.outputs.bundle_image_registry }}
    steps:
      - name: Log in to Registry
        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
          registry: ${{ env.OPERATOR_IMAGE_REGISTRY }}

      - name: "Append to Image Manifest"
        shell: bash
        run: |
          TAGS="latest"

          if [ "${{ env.OPERATOR_VERSION }}" != "latest" ]; then
            TAGS+=" ${{ env.OPERATOR_VERSION }}"
          fi

          for TAG in $TAGS; do \
            podman manifest create ${{ env.OPERATOR_IMAGE_REPOSITORY }}:$TAG
            for PLATFORM in ${{ needs.setup.outputs.image_platform_tags }}; do \
                podman manifest add ${{ env.OPERATOR_IMAGE_REPOSITORY }}:$TAG docker://${{ env.OPERATOR_IMAGE_REPOSITORY }}:${{ env.OPERATOR_VERSION }}-$PLATFORM; \
            done
            podman manifest push ${{ env.OPERATOR_IMAGE_REPOSITORY }}:$TAG docker://${{ env.OPERATOR_IMAGE_REPOSITORY }}:$TAG
          done

  build-bundle:
    runs-on: ubuntu-latest
    name: build-bundle
    needs:
      [
        "setup",
        "test-operator",
        "build-operator",
        "process-operator-image-manifest",
      ]
    strategy:
      matrix:
        platform: ${{ fromJson(needs.setup.outputs.dist_matrix) }}
    env:
      REPOSITORY_NAME: ${{ needs.setup.outputs.repository_name }}
      OPERATOR_VERSION: ${{ needs.setup.outputs.operator_version }}
      BUNDLE_VERSION: ${{ needs.setup.outputs.bundle_version }}
      OPERATOR_IMAGE_REPOSITORY: "${{ needs.setup.outputs.operator_image_registry }}/${{ needs.setup.outputs.operator_image_repository_name }}"
      OPERATOR_IMAGE_REGISTRY: ${{ needs.setup.outputs.operator_image_registry }}
      BUNDLE_IMAGE_REPOSITORY: "${{ needs.setup.outputs.bundle_image_registry }}/${{ needs.setup.outputs.bundle_image_repository_name }}"
      BUNDLE_IMAGE_REGISTRY: ${{ needs.setup.outputs.bundle_image_registry }}
    permissions:
      contents: read
      id-token: write

    steps:
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: ${{ inputs.GO_VERSION }}
          cache: false

      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Go Build Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_build }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}

      - name: Go Mod Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

      - name: Download Binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: support-binaries
          path: ${{ needs.setup.outputs.bin_dir }}

      - name: Prepare Build Step
        id: setup-build-step
        run: |
          # Setup Path
          echo "${{ needs.setup.outputs.bin_dir }}" >> $GITHUB_PATH

          # Make Binaries Executable
          chmod +x ${{ needs.setup.outputs.bin_dir }}/*

          # Configure Platform Variables
          echo "platform_os=$(echo ${{ matrix.platform }} |  cut -d/ -f1)" >> $GITHUB_OUTPUT
          echo "platform_arch=$(echo ${{ matrix.platform }} |  cut -d/ -f2)" >> $GITHUB_OUTPUT

      - name: build bundle
        shell: bash
        run: make bundle IMG=${{ env.OPERATOR_IMAGE_REPOSITORY }}:${{ env.OPERATOR_VERSION }} VERSION=${{ env.BUNDLE_VERSION }} DEFAULT_CHANNEL=${{ env.DEFAULT_BUNDLE_CHANNEL }}

      - name: Process Bundle for Disconnected Support
        uses: redhat-cop/github-actions/disconnected-csv@cc45c69b6655161f278271cd0c68ddcc1444a3f8 # v4.6
        with:
          CSV_FILE: bundle/manifests/${{ env.REPOSITORY_NAME }}.clusterserviceversion.yaml
          TAGS_TO_DIGESTS: ${OPERATOR_VERSION}

      - name: "Copy bundle dockerfile"
        shell: bash
        run: sed  's/bundle\///g' bundle.Dockerfile > bundle/Dockerfile

      - name: verify bundle
        shell: bash
        run: operator-sdk bundle validate ./bundle --select-optional name=operatorhub

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4

      - name: Setup cosign
        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3

      - name: Login to Bundle Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ${{ env.BUNDLE_IMAGE_REGISTRY }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: "Build Bundle Image"
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
        id: build_push
        with:
          context: .
          file: ./bundle.Dockerfile
          provenance: false
          platforms: ${{ matrix.platform }}
          push: true
          tags: "${{ env.BUNDLE_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }},${{ env.BUNDLE_IMAGE_REPOSITORY }}:${{ env.BUNDLE_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}"

      - name: Sign Bundle Image
        id: sign_bundle
        env:
          IMAGE_URI: ${{ env.BUNDLE_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }}
        run: |
          cosign sign --yes ${IMAGE_URI}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        env:
          TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        with:
          scan-type: image
          image-ref: ${{ env.BUNDLE_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }}
          format: "cosign-vuln"
          output: "cosign-vuln.json"

      - name: Run Trivy SBOM generator
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        env:
          TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        with:
          scan-type: image
          image-ref: ${{ env.BUNDLE_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }}
          format: "spdx-json"
          output: "spdx-json.json"

      - name: Attach attestations for Bundle Image
        env:
          IMAGE_URI: ${{ env.BUNDLE_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }}
        run: |
          cosign attest --yes --type vuln --predicate cosign-vuln.json ${IMAGE_URI}
          cosign attest --yes --type spdx --predicate spdx-json.json ${IMAGE_URI}

      - name: Prepare Distribution Artifacts
        shell: bash
        run: |
          # Create Distribution Directory
          mkdir dist

          # Prepare Bundle
          cp -R bundle ${{ env.REPOSITORY_NAME }}-bundle-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}
          tar -czvf ${{ env.REPOSITORY_NAME }}-bundle-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}.tar.gz ${{ env.REPOSITORY_NAME }}-bundle-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}
          mv ${{ env.REPOSITORY_NAME }}-bundle-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}.tar.gz dist
          rm -Rf ${{ env.REPOSITORY_NAME }}-bundle-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}

      - name: Upload Dist
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: dist-bundle-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}
          path: dist
          retention-days: 1

      - name: Output digests
        id: digests
        run: |
          platform=${{ matrix.platform }}
          echo "digest-${platform/\//-}=${{ steps.build_push.outputs.digest }}" >> "$GITHUB_OUTPUT"

    # Need to be named, see: https://github.com/slsa-framework/slsa-github-generator/blob/v1.9.0/internal/builders/generic/README.md#a-different-attestation-for-each-iteration
    outputs:
      linux-amd64: ${{ steps.digests.outputs.digest-linux-amd64 }}
      linux-arm64: ${{ steps.digests.outputs.digest-linux-arm64 }}
      linux-ppc64le: ${{ steps.digests.outputs.digest-linux-ppc64le }}
      linux-s390x: ${{ steps.digests.outputs.digest-linux-s390x }}
      image_uri: ${{ env.BUNDLE_IMAGE_REPOSITORY }}

  provenance-bundle:
    needs: ["setup","build-bundle"]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    strategy:
      matrix:
        platform: ${{ fromJson(needs.setup.outputs.dist_matrix_dash) }}
    # https://github.com/slsa-framework/slsa-github-generator/blob/v1.9.0/internal/builders/container/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ${{ needs.build-bundle.outputs.image_uri }}
      digest: ${{ needs.build-bundle.outputs[format('{0}', matrix.platform)] }}
    secrets:
      registry-username: ${{ secrets.REGISTRY_USERNAME }}
      registry-password: ${{ secrets.REGISTRY_PASSWORD }}

  process-bundle-image-manifest:
    runs-on: ubuntu-latest
    name: process-bundle-image-manifest
    needs:
      [
        "setup",
        "test-operator",
        "build-operator",
        "process-operator-image-manifest",
        "build-bundle",
      ]
    env:
      REPOSITORY_NAME: ${{ needs.setup.outputs.repository_name }}
      OPERATOR_VERSION: ${{ needs.setup.outputs.operator_version }}
      BUNDLE_VERSION: ${{ needs.setup.outputs.bundle_version }}
      OPERATOR_IMAGE_REPOSITORY: "${{ needs.setup.outputs.operator_image_registry }}/${{ needs.setup.outputs.operator_image_repository_name }}"
      OPERATOR_IMAGE_REGISTRY: ${{ needs.setup.outputs.operator_image_registry }}
      BUNDLE_IMAGE_REPOSITORY: "${{ needs.setup.outputs.bundle_image_registry }}/${{ needs.setup.outputs.bundle_image_repository_name }}"
      BUNDLE_IMAGE_REGISTRY: ${{ needs.setup.outputs.bundle_image_registry }}
    steps:
      - name: Log in to Registry
        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
          registry: ${{ env.OPERATOR_IMAGE_REGISTRY }}

      - name: "Append to Bundle Image Manifest"
        shell: bash
        run: |
          TAGS="latest ${{ env.BUNDLE_VERSION }}"

          for TAG in $TAGS; do \
            podman manifest create ${{ env.BUNDLE_IMAGE_REPOSITORY }}:$TAG
            for PLATFORM in ${{ needs.setup.outputs.image_platform_tags }}; do \
                podman manifest add ${{ env.BUNDLE_IMAGE_REPOSITORY }}:$TAG docker://${{ env.BUNDLE_IMAGE_REPOSITORY }}:${{ env.BUNDLE_VERSION }}-$PLATFORM; \
            done
            podman manifest push ${{ env.BUNDLE_IMAGE_REPOSITORY }}:$TAG docker://${{ env.BUNDLE_IMAGE_REPOSITORY }}:$TAG
          done

  package-helm:
    runs-on: ubuntu-latest
    name: package-helm
    needs: ["setup"]
    env:
      REPOSITORY_NAME: ${{ needs.setup.outputs.repository_name }}
      OPERATOR_VERSION: ${{ needs.setup.outputs.operator_version }}
      HELM_RELEASE_VERSION: ${{ needs.setup.outputs.helmchart_version }}
      OPERATOR_IMAGE_REPOSITORY: "${{ needs.setup.outputs.operator_image_registry }}/${{ needs.setup.outputs.operator_image_repository_name }}"
    steps:
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: ${{ inputs.GO_VERSION }}
          cache: false

      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Go Build Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_build }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}

      - name: Go Mod Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

      - name: Download Binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: support-binaries
          path: ${{ needs.setup.outputs.bin_dir }}

      - name: Prepare Build Step
        id: setup-build-step
        run: |
          # Setup Path
          echo "${{ needs.setup.outputs.bin_dir }}" >> $GITHUB_PATH

          # Make Binaries Executable
          chmod +x ${{ needs.setup.outputs.bin_dir }}/*

      - name: Build and Package Helm Chart
        shell: bash
        run: |
          # Render Helm Chart
          make helmchart VERSION=${{ env.HELM_RELEASE_VERSION }} IMG=${{ env.OPERATOR_IMAGE_REPOSITORY }}:${{ env.OPERATOR_VERSION }}

          # Package Helm Chart
          mkdir dist
          helm package -d dist ./charts/${{ env.REPOSITORY_NAME }}

      - name: Upload Dist
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: dist-charts
          path: dist
          retention-days: 1

  recombine-dist:
    runs-on: ubuntu-latest
    name: recombine-dist
    needs: [ "setup", "build-operator", "build-bundle", "package-helm" ]
    steps:
      - name: Prepare download
        run: |
          mkdir -p dist

      - name: Download all dist artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          pattern: dist-*
          merge-multiple: true
          path: dist

      - name: Upload Dist
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: dist
          path: dist

  github-release:
    runs-on: ubuntu-latest
    name: github-release
    if: ${{ needs.setup.outputs.tag_event == 'true' }}
    needs:
      [
        "setup",
        "test-operator",
        "build-operator",
        "build-bundle",
        "package-helm",
        "process-bundle-image-manifest",
        "process-operator-image-manifest",
        "recombine-dist"
      ]
    env:
      OPERATOR_VERSION: ${{ needs.setup.outputs.operator_version }}
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Fetch Code
        run: |
          git fetch --prune --unshallow

      - name: Download Dist Directory
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: dist
          path: dist

      - name: Create Checksums for Release Artifacts
        run: for i in `ls dist/`; do sha256sum dist/$i | awk '{ print $1 }' > dist/$i.sum256; done

      - name: Create Release
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
        with:
          generate_release_notes: true
          draft: false
          prerelease: false
          files: dist/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  helm-release:
    runs-on: ubuntu-latest
    name: helm-release
    if: ${{ needs.setup.outputs.tag_event == 'true' }}
    needs:
      [
        "setup",
        "test-operator",
        "build-operator",
        "build-bundle",
        "package-helm",
        "process-bundle-image-manifest",
      ]
    env:
      REPOSITORY_NAME: ${{ needs.setup.outputs.repository_name }}
      HELM_RELEASE_VERSION: ${{ needs.setup.outputs.helmchart_version }}
      OPERATOR_VERSION: ${{ needs.setup.outputs.operator_version }}
      OPERATOR_IMAGE_REPOSITORY: "${{ needs.setup.outputs.operator_image_registry }}/${{ needs.setup.outputs.operator_image_repository_name }}"
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Checkout gh-pages Branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: ${{ env.HELM_REPO_DIR }}
          ref: gh-pages

      - name: Download Workspace Binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: support-binaries
          path: bin

      - name: Download Dist Directory
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: dist
          path: dist

      - name: Prepare Build Step
        id: setup-build-step
        run: |
          # Setup Path
          echo "${{ needs.setup.outputs.bin_dir }}" >> $GITHUB_PATH

          # Make Binaries Executable
          chmod +x ${{ needs.setup.outputs.bin_dir }}/*

      - name: Prepare Repository Update
        run: |
          cp dist/*.tgz ${{ env.HELM_REPO_DIR }}/${{ env.REPOSITORY_NAME }}/
          helm repo index --url https://${{ github.repository_owner }}.github.io/${{ env.REPOSITORY_NAME }} ${{ env.HELM_REPO_DIR }}

      - name: Configure Git
        shell: bash
        run: |
          git config --global user.name "$GITHUB_ACTOR"
          git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Publish Helm Repository
        run: make helmchart-repo-push VERSION=${{ env.HELM_RELEASE_VERSION }} IMG=${{ env.OPERATOR_IMAGE_REPOSITORY }}:${{ env.OPERATOR_VERSION }} CHART_REPO_URL=https://${{ github.repository_owner }}.github.io/${{ env.REPOSITORY_NAME }} HELM_REPO_DEST=${{ env. HELM_REPO_DIR }}

  operatorhub-release:
    runs-on: ubuntu-latest
    name: operatorhub-release
    if: ${{ needs.setup.outputs.tag_event == 'true' }}
    needs: ["setup", "test-operator", "github-release", "helm-release"]
    env:
      REPOSITORY_NAME: ${{ needs.setup.outputs.repository_name }}
      OPERATOR_VERSION: ${{ needs.setup.outputs.operator_version }}
      COMMUNITY_OPERATORS_ORGANIZATION_NAME: redhat-openshift-ecosystem
      COMMUNITY_OPERATORS_REPOSITORY_NAME: community-operators-prod
      BUNDLE_VERSION: ${{ needs.setup.outputs.bundle_version }}
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Checkout Community Operators
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: ${{ env.COMMUNITY_OPERATORS_ORGANIZATION_NAME }}/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}
          path: ./tmp/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}

      - name: Set Parameters
        shell: bash
        id: set-community-operators-parameters
        run: |
          if [ ! -d "./tmp/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}/operators/${{ env.REPOSITORY_NAME }}" ]; then
            export PR_REQUEST_BODY="$(cat config/community-operators/pr-first-release-body.txt)"
          else
            export PR_REQUEST_BODY="$(cat config/community-operators/pr-body.txt)"
          fi
          PR_REQUEST_BODY="${PR_REQUEST_BODY//'%'/'%25'}"
          PR_REQUEST_BODY="${PR_REQUEST_BODY//$'\n'/'%0A'}"
          PR_REQUEST_BODY="${PR_REQUEST_BODY//$'\r'/'%0D'}"
          echo "pull-request-body="$(echo $PR_REQUEST_BODY)"" >> $GITHUB_OUTPUT

      - name: Download Dist Directory
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: dist
          path: dist

      - name: Untar Previously Created Bundle
        shell: bash
        run: |
          # Create Bundle Directory
          mkdir bundle

          # Untar Linux amd64 bundle
          ls dist/${{ env.REPOSITORY_NAME }}-bundle*-linux-amd64.tar.gz | xargs -n1 tar -C bundle/ --strip-components=1 -xzvf

      - name: Check Whether it is First Release
        id: check-first-release
        shell: bash
        run: |
          first_release=$([[ ! -d "./tmp/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}//operators/${{ env.REPOSITORY_NAME }}" ]] && echo 'true' || echo 'false')
          echo $first_release

          echo "first_release=$first_release" >> $GITHUB_OUTPUT

      - name: Create and Copy Bundle to Community Operators
        shell: bash
        run: |
          sed -i '/replaces: '"${{ env.REPOSITORY_NAME }}"'/d' ./bundle/manifests/${{ env.REPOSITORY_NAME }}.clusterserviceversion.yaml
          mkdir -p ./tmp/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}/operators/${{ env.REPOSITORY_NAME }}/${{ env.BUNDLE_VERSION }}
          /bin/cp -v -R ./bundle/* ./tmp/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}/operators/${{ env.REPOSITORY_NAME }}/${{ env.BUNDLE_VERSION }}
          /bin/cp -v -R ./config/community-operators/ci.yaml ./tmp/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}/operators/${{ env.REPOSITORY_NAME }}

      - name: Create Pull Request (First Release)
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
        if: ${{ steps.check-first-release.outputs.first_release == 'true' }}
        with:
          path: ./tmp/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}
          commit-message: ${{ env.REPOSITORY_NAME }} release ${{ env.BUNDLE_VERSION }}
          committer: ${{ github.actor }} <${{ inputs.PR_ACTOR }}>
          author: ${{ github.actor }} <${{ inputs.PR_ACTOR }}>
          signoff: true
          branch: ${{ env.REPOSITORY_NAME }}-${{ env.BUNDLE_VERSION }}
          delete-branch: true
          push-to-fork: ${{ github.repository_owner }}/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}
          title: ${{ env.REPOSITORY_NAME }} initial version ${{ env.BUNDLE_VERSION }}
          body: |
            ### New Submissions
            * [x] Has you operator [nested directory structure](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md#create-a-bundle)?
            * [x] Have you selected the Project *Community Operator Submissions* in your PR on the right-hand menu bar?
            * [x] Are you familiar with our [contribution guidelines](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md)?
            * [x] Have you [packaged and deployed](https://github.com/operator-framework/community-operators/blob/master/docs/testing-operators.md) your Operator for Operator Framework?
            * [x] Have you tested your Operator with all Custom Resource Definitions?
            * [x] Have you tested your Operator in all supported [installation modes](https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/building-your-csv.md#operator-metadata)?
            * [x] Is your submission [signed](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md#sign-your-work)?
            ### Updates to existing Operators
            * [ ] Is your new CSV pointing to the previous version with the `replaces` property?
            * [ ] Is your new CSV referenced in the [appropriate channel](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md#bundle-format) defined in the `package.yaml` ?
            * [ ] Have you tested an update to your Operator when deployed via OLM?
            * [ ] Is your submission [signed](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md#sign-your-work)?
            ### Your submission should not
            * [x] Modify more than one operator
            * [x] Modify an Operator you don't own
            * [x] Rename an operator - please remove and add with a different name instead
            * [x] Submit operators to both `upstream-community-operators` and `community-operators` at once
            * [x] Modify any files outside the above mentioned folders
            * [x] Contain more than one commit. **Please squash your commits.**
            ### Operator Description must contain (in order)
            1. [x] Description about the managed Application and where to find more information
            2. [x] Features and capabilities of your Operator and how to use it
            3. [x] Any manual steps about potential pre-requisites for using your Operator
            ### Operator Metadata should contain
            * [x] Human readable name and 1-liner description about your Operator
            * [x] Valid [category name](https://github.com/operator-framework/community-operators/blob/master/docs/required-fields.md#categories)<sup>1</sup>
            * [x] One of the pre-defined [capability levels](https://github.com/operator-framework/operator-courier/blob/4d1a25d2c8d52f7de6297ec18d8afd6521236aa2/operatorcourier/validate.py#L556)<sup>2</sup>
            * [x] Links to the maintainer, source code and documentation
            * [x] Example templates for all Custom Resource Definitions intended to be used
            * [x] A quadratic logo
            Remember that you can preview your CSV [here](https://operatorhub.io/preview).
            --
            <sup>1</sup> If you feel your Operator does not fit any of the pre-defined categories, file a PR against this repo and explain your need
            <sup>2</sup> For more information see [here](https://github.com/operator-framework/operator-sdk/blob/master/doc/images/operator-capability-level.svg)
          token: ${{ secrets.COMMUNITY_OPERATOR_PAT }}

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
        if: ${{ steps.check-first-release.outputs.first_release != 'true' }}
        with:
          path: ./tmp/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}
          commit-message: ${{ env.REPOSITORY_NAME }} release ${{ env.BUNDLE_VERSION }}
          committer: ${{ github.actor }} <${{ inputs.PR_ACTOR }}>
          author: ${{ github.actor }} <${{ inputs.PR_ACTOR }}>
          signoff: true
          branch: ${{ env.REPOSITORY_NAME }}-${{ env.BUNDLE_VERSION }}
          delete-branch: true
          push-to-fork: ${{ github.repository_owner }}/${{ env.COMMUNITY_OPERATORS_REPOSITORY_NAME }}
          title: ${{ env.REPOSITORY_NAME }} new version ${{ env.BUNDLE_VERSION }}
          body: |
            ### New Submissions
            * [ ] Has you operator [nested directory structure](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md#create-a-bundle)?
            * [ ] Have you selected the Project *Community Operator Submissions* in your PR on the right-hand menu bar?
            * [ ] Are you familiar with our [contribution guidelines](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md)?
            * [ ] Have you [packaged and deployed](https://github.com/operator-framework/community-operators/blob/master/docs/testing-operators.md) your Operator for Operator Framework?
            * [ ] Have you tested your Operator with all Custom Resource Definitions?
            * [ ] Have you tested your Operator in all supported [installation modes](https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/building-your-csv.md#operator-metadata)?
            * [ ] Is your submission [signed](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md#sign-your-work)?
            ### Updates to existing Operators
            * [x] Is your new CSV pointing to the previous version with the `replaces` property?
            * [x] Is your new CSV referenced in the [appropriate channel](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md#bundle-format) defined in the `package.yaml` ?
            * [ ] Have you tested an update to your Operator when deployed via OLM?
            * [x] Is your submission [signed](https://github.com/operator-framework/community-operators/blob/master/docs/contributing.md#sign-your-work)?
            ### Your submission should not
            * [x] Modify more than one operator
            * [x] Modify an Operator you don't own
            * [x] Rename an operator - please remove and add with a different name instead
            * [x] Submit operators to both `upstream-community-operators` and `community-operators` at once
            * [x] Modify any files outside the above mentioned folders
            * [x] Contain more than one commit. **Please squash your commits.**
            ### Operator Description must contain (in order)
            1. [x] Description about the managed Application and where to find more information
            2. [x] Features and capabilities of your Operator and how to use it
            3. [x] Any manual steps about potential pre-requisites for using your Operator
            ### Operator Metadata should contain
            * [x] Human readable name and 1-liner description about your Operator
            * [x] Valid [category name](https://github.com/operator-framework/community-operators/blob/master/docs/required-fields.md#categories)<sup>1</sup>
            * [x] One of the pre-defined [capability levels](https://github.com/operator-framework/operator-courier/blob/4d1a25d2c8d52f7de6297ec18d8afd6521236aa2/operatorcourier/validate.py#L556)<sup>2</sup>
            * [x] Links to the maintainer, source code and documentation
            * [x] Example templates for all Custom Resource Definitions intended to be used
            * [x] A quadratic logo
            Remember that you can preview your CSV [here](https://operatorhub.io/preview).
            --
            <sup>1</sup> If you feel your Operator does not fit any of the pre-defined categories, file a PR against this repo and explain your need
            <sup>2</sup> For more information see [here](https://github.com/operator-framework/operator-sdk/blob/master/doc/images/operator-capability-level.svg)
          token: ${{ secrets.COMMUNITY_OPERATOR_PAT }}

  test-operator:
    runs-on: ubuntu-latest
    name: test-operator
    if: ${{ inputs.RUN_UNIT_TESTS || inputs.RUN_INTEGRATION_TESTS }}
    needs: ["setup"]
    env:
      REPOSITORY_NAME: ${{ needs.setup.outputs.repository_name }}
    steps:
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: ${{ inputs.GO_VERSION }}
          cache: false

      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Go Build Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_build }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}

      - name: Go Mod Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

      - name: Download Binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: support-binaries
          path: ${{ needs.setup.outputs.bin_dir }}

      - name: Prepare Build Step
        id: setup-build-step
        run: |
          # Setup Path
          echo "${{ needs.setup.outputs.bin_dir }}" >> $GITHUB_PATH

          # Make Binaries Executable
          chmod +x ${{ needs.setup.outputs.bin_dir }}/*

      - name: Run unit tests
        shell: bash
        if: ${{ inputs.RUN_UNIT_TESTS }}
        run: make test

      - name: Run integration tests
        shell: bash
        if: ${{ inputs.RUN_INTEGRATION_TESTS }}
        run: make integration KUBECTL_WAIT_TIMEOUT=${{ inputs.KUBECTL_WAIT_TIMEOUT }}

  test-helmchart:
    runs-on: ubuntu-latest
    name: test-helmchart
    if: ${{ inputs.RUN_HELMCHART_TEST }}
    needs: ["setup"]
    env:
      REPOSITORY_NAME: ${{ needs.setup.outputs.repository_name }}
      OPERATOR_VERSION: ${{ needs.setup.outputs.operator_version }}
      HELM_RELEASE_VERSION: ${{ needs.setup.outputs.helmchart_version }}
      OPERATOR_IMAGE_REPOSITORY: "${{ needs.setup.outputs.operator_image_registry }}/${{ needs.setup.outputs.operator_image_repository_name }}"
    steps:
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: ${{ inputs.GO_VERSION }}
          cache: false

      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Go Build Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_build }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}

      - name: Go Mod Cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ${{ needs.setup.outputs.go_mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

      - name: Download Binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: support-binaries
          path: ${{ needs.setup.outputs.bin_dir }}

      - name: Prepare Build Step
        id: setup-build-step
        run: |
          # Setup Path
          echo "${{ needs.setup.outputs.bin_dir }}" >> $GITHUB_PATH

          # Make Binaries Executable
          chmod +x ${{ needs.setup.outputs.bin_dir }}/*

      - name: Test Helm Chart Deployment
        shell: bash
        run: make helmchart-test KUBECTL_WAIT_TIMEOUT=${{ inputs.KUBECTL_WAIT_TIMEOUT }}