feat(ci): automate OperatorHub bundle submission in release workflow

Add OLM CSV template with version/date placeholders under config/olm/.
Add generate-olm-bundle Makefile target to produce versioned bundles.
Add hack/operatorhub-pr.sh to create/update PRs against
k8s-operatorhub/community-operators from the release workflow.
Add operatorhub-pr job to release.yaml (continue-on-error, never blocks).

Each version gets its own branch and PR. Older version PRs are left
open so customers on prior major/minor lines can still receive
hotfixes via OLM semver-mode upgrade graph.

Requires OPERATORHUB_TOKEN secret (PAT with public_repo scope).

Closes #131

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/release.yaml

@@ -353,6 +353,40 @@ jobs:
     secrets:
       registry-password: ${{ secrets.GITHUB_TOKEN }}
 
+  # Submit an OLM bundle PR to k8s-operatorhub/community-operators.
+  # Uses continue-on-error so OperatorHub failures never block releases.
+  operatorhub-pr:
+    name: OperatorHub PR
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: [release]
+    if: ${{ !cancelled() && needs.release.result == 'success' }}
+    continue-on-error: true
+    permissions:
+      contents: read
+    steps:
+      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ needs.release.outputs.tag }}
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Generate OLM bundle and create PR
+        env:
+          VERSION: ${{ needs.release.outputs.tag }}
+          GH_TOKEN: ${{ secrets.OPERATORHUB_TOKEN }}
+        run: |
+          # Strip 'v' prefix from tag
+          export VERSION="${VERSION#v}"
+          hack/operatorhub-pr.sh
+
   # Sync docker/README.md to the Docker Hub repository description.
   dockerhub-readme:
     name: Docker Hub README

Makefile

@@ -390,6 +390,22 @@ build-crds: manifests ## Generate standalone CRDs bundle for manual upgrades
 	mkdir -p dist
 	cat charts/attune/crds/*.yaml > dist/crds.yaml
 
+.PHONY: generate-olm-bundle
+generate-olm-bundle: manifests ## Generate OLM bundle for OperatorHub submission
+	@VERSION=$${VERSION:-$(shell git describe --tags --abbrev=0 | sed "s/^v//")} && \
+	DATE=$$(date -u +%Y-%m-%dT00:00:00Z) && \
+	BUNDLE_DIR=dist/olm-bundle/$$VERSION && \
+	echo "Generating OLM bundle for version $$VERSION..." && \
+	mkdir -p "$$BUNDLE_DIR/manifests" "$$BUNDLE_DIR/metadata" && \
+	sed "s/__VERSION__/$$VERSION/g; s/__DATE__/$$DATE/g" \
+		config/olm/template/manifests/attune-operator.clusterserviceversion.yaml \
+		> "$$BUNDLE_DIR/manifests/attune-operator.clusterserviceversion.yaml" && \
+	cp config/olm/template/metadata/annotations.yaml "$$BUNDLE_DIR/metadata/" && \
+	cp config/crd/bases/attune.io_attunepolicies.yaml "$$BUNDLE_DIR/manifests/" && \
+	cp config/crd/bases/attune.io_attunedefaults.yaml "$$BUNDLE_DIR/manifests/" && \
+	cp config/crd/bases/attune.io_attunenamespacedefaults.yaml "$$BUNDLE_DIR/manifests/" && \
+	echo "OLM bundle generated at $$BUNDLE_DIR"
+
 ##@ Tools
 
 # Version-aware tool installs: embed version in binary filename so a version

config/olm/ci.yaml

@@ -0,0 +1,2 @@
+---
+updateGraph: semver-mode

config/olm/template/manifests/attune-operator.clusterserviceversion.yaml

@@ -0,0 +1,8 @@
+---
+annotations:
+  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+  operators.operatorframework.io.bundle.manifests.v1: manifests/
+  operators.operatorframework.io.bundle.metadata.v1: metadata/
+  operators.operatorframework.io.bundle.package.v1: attune
+  operators.operatorframework.io.bundle.channels.v1: stable
+  operators.operatorframework.io.bundle.channel.default.v1: stable

config/olm/template/metadata/annotations.yaml

@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+# Create or update a PR to k8s-operatorhub/community-operators for a new Attune release.
+#
+# Usage: VERSION=0.1.7 GH_TOKEN=<pat> hack/operatorhub-pr.sh
+#
+# Required env vars:
+#   VERSION         - Release version without 'v' prefix (e.g., 0.1.7)
+#   GH_TOKEN        - GitHub PAT with public_repo scope for the fork owner
+#
+# Optional env vars:
+#   FORK_OWNER      - GitHub user owning the fork (default: SebTardif)
+#   GIT_USER_NAME   - Git commit author name (default: github-actions[bot])
+#   GIT_USER_EMAIL  - Git commit author email (default: 41898282+github-actions[bot]@users.noreply.github.com)
+#   BUNDLE_DIR      - Pre-generated bundle path (default: generates via make)
+
+set -Eeuo pipefail
+
+: "${VERSION:?VERSION is required (e.g., 0.1.7)}"
+: "${GH_TOKEN:?GH_TOKEN is required}"
+
+FORK_OWNER="${FORK_OWNER:-SebTardif}"
+GIT_USER_NAME="${GIT_USER_NAME:-github-actions[bot]}"
+GIT_USER_EMAIL="${GIT_USER_EMAIL:-41898282+github-actions[bot]@users.noreply.github.com}"
+UPSTREAM_REPO="k8s-operatorhub/community-operators"
+FORK_REPO="${FORK_OWNER}/community-operators"
+BRANCH="attune-v${VERSION}"
+OPERATOR_DIR="operators/attune"
+
+# Generate the OLM bundle if not pre-generated
+BUNDLE_DIR="${BUNDLE_DIR:-dist/olm-bundle/${VERSION}}"
+if [ ! -d "${BUNDLE_DIR}/manifests" ]; then
+    echo "Generating OLM bundle..."
+    make generate-olm-bundle VERSION="${VERSION}"
+fi
+
+# Verify bundle contents
+for f in \
+    "${BUNDLE_DIR}/manifests/attune-operator.clusterserviceversion.yaml" \
+    "${BUNDLE_DIR}/manifests/attune.io_attunepolicies.yaml" \
+    "${BUNDLE_DIR}/manifests/attune.io_attunedefaults.yaml" \
+    "${BUNDLE_DIR}/manifests/attune.io_attunenamespacedefaults.yaml" \
+    "${BUNDLE_DIR}/metadata/annotations.yaml"; do
+    if [ ! -f "$f" ]; then
+        echo "ERROR: Missing bundle file: $f" >&2
+        exit 1
+    fi
+done
+echo "Bundle verified: ${BUNDLE_DIR}"
+
+# Clone the fork (shallow is fine here since we reset to upstream/main)
+WORK_DIR=$(mktemp -d)
+trap 'rm -rf "${WORK_DIR}"' EXIT
+
+echo "Cloning fork ${FORK_REPO}..."
+cd "${WORK_DIR}"
+git clone --depth=1 "https://x-access-token:${GH_TOKEN}@github.com/${FORK_REPO}.git" community-operators
+cd community-operators
+
+git config user.name "${GIT_USER_NAME}"
+git config user.email "${GIT_USER_EMAIL}"
+
+# Reset to upstream main for a clean base
+git remote add upstream "https://github.com/${UPSTREAM_REPO}.git"
+git fetch upstream main --depth=1
+git checkout -B "${BRANCH}" upstream/main
+
+# Copy the bundle
+mkdir -p "${OPERATOR_DIR}/${VERSION}/manifests" "${OPERATOR_DIR}/${VERSION}/metadata"
+cp "${OLDPWD}/${BUNDLE_DIR}/manifests/"* "${OPERATOR_DIR}/${VERSION}/manifests/"
+cp "${OLDPWD}/${BUNDLE_DIR}/metadata/"* "${OPERATOR_DIR}/${VERSION}/metadata/"
+
+# Ensure ci.yaml exists at the operator root
+if [ ! -f "${OPERATOR_DIR}/ci.yaml" ]; then
+    echo "updateGraph: semver-mode" > "${OPERATOR_DIR}/ci.yaml"
+fi
+
+# Commit with DCO sign-off
+git add "${OPERATOR_DIR}/"
+git commit -s -m "operator attune (${VERSION})"
+
+# Force-push (creates or updates the branch)
+git push --force origin "${BRANCH}"
+echo "Pushed branch ${BRANCH} to ${FORK_REPO}"
+
+# Create or update the PR
+PR_TITLE="operator [U] [CI] attune (${VERSION})"
+PR_BODY="### New Submission
+
+**Operator:** attune
+**Version:** ${VERSION}
+
+Update Attune operator to version ${VERSION}.
+
+See [release notes](https://github.com/attune-io/attune/releases/tag/v${VERSION}) for changes.
+
+---
+*This PR was automatically created by the Attune release workflow.*"
+
+# Check if a PR already exists for this branch
+EXISTING_PR=$(gh pr list \
+    --repo "${UPSTREAM_REPO}" \
+    --head "${FORK_OWNER}:${BRANCH}" \
+    --state open \
+    --json number \
+    --jq '.[0].number // empty' 2>/dev/null || true)
+
+if [ -n "${EXISTING_PR}" ]; then
+    echo "Updating existing PR #${EXISTING_PR}"
+    gh pr edit "${EXISTING_PR}" \
+        --repo "${UPSTREAM_REPO}" \
+        --title "${PR_TITLE}" \
+        --body "${PR_BODY}"
+    echo "PR updated: https://github.com/${UPSTREAM_REPO}/pull/${EXISTING_PR}"
+else
+    echo "Creating new PR..."
+    PR_URL=$(gh pr create \
+        --repo "${UPSTREAM_REPO}" \
+        --head "${FORK_OWNER}:${BRANCH}" \
+        --base main \
+        --title "${PR_TITLE}" \
+        --body "${PR_BODY}")
+    echo "PR created: ${PR_URL}"
+fi