V1 backport

.github/matrix.yaml

@@ -1,49 +1,50 @@
+# Changes here may need to be backported to the latest 2.x and 1.x release branches.
+# Backport if AWS is removing support for an EKS version, or if we're actively choosing to support a new k8s version on
+# an old release.
 matrix:
   cluster-type: ["eksctl"]
   arch: ["x86", "arm"]
-  family: ["AmazonLinux2", "AmazonLinux2023", "Bottlerocket"]
+  family:
+    [
+      "AmazonLinux2",
+      "AmazonLinux2023",
+      "Bottlerocket",
+      "Ubuntu2204",
+      "Ubuntu2404",
+    ]
   kubernetes-version:
-    ["1.28.13", "1.29.8", "1.30.4", "1.31.0", "1.32.1", "1.33.2"]
+    ["1.30.4", "1.31.0", "1.32.1", "1.33.2", "1.34.1", "1.35.0"]
   include:
-    # Ubuntu2004 supported for EKS <= 1.29 and Ubuntu2204 supported for EKS >= 1.29.
-    # See https://eksctl.io/usage/custom-ami-support/?h=ubuntu#setting-the-node-ami-family.
+    # Enable enforcing mode for SELinux in AL2023, it's easier to list it in "include"
+    # field rather than trying to exclude all other variants.
+    - family: "AmazonLinux2023"
+      selinux-mode: "enforcing"
+  exclude:
+    # AL2 is not supported by Kubernetes 1.33.
     - cluster-type: "eksctl"
-      arch: "x86"
-      family: "Ubuntu2004"
-      kubernetes-version: "1.28.13"
+      family: "AmazonLinux2"
+      kubernetes-version: "1.33.2"
+    # AL2 is not supported by Kubernetes 1.34.
     - cluster-type: "eksctl"
-      arch: "arm"
-      family: "Ubuntu2004"
-      kubernetes-version: "1.29.8"
+      family: "AmazonLinux2"
+      kubernetes-version: "1.34.1"
+    # AL2 is not supported by Kubernetes 1.35.
     - cluster-type: "eksctl"
-      arch: "x86"
-      family: "Ubuntu2204"
-      kubernetes-version: "1.30.4"
+      family: "AmazonLinux2"
+      kubernetes-version: "1.35.0"
+    # Ubuntu2204 is only supported on EKS >= 1.29 && EKS < 1.33.
+    # See https://eksctl.io/usage/custom-ami-support/?h=ubuntu#setting-the-node-ami-family.
     - cluster-type: "eksctl"
-      arch: "arm"
       family: "Ubuntu2204"
-      kubernetes-version: "1.31.0"
+      kubernetes-version: "1.33.2"
     - cluster-type: "eksctl"
-      arch: "arm"
       family: "Ubuntu2204"
-      kubernetes-version: "1.32.1"
-    # TODO: Enable this once EKS 1.33 Ubuntu AMI is available.
-    # - cluster-type: "eksctl"
-    #   arch: "arm"
-    #   family: "Ubuntu2204"
-    #   kubernetes-version: "1.33.2"
-    # Since we only enable enforcing mode for SELinux in AL2023, it's easier to list it in "include"
-    # field rather than trying to exclude all other variants.
-    - cluster-type: "eksctl"
-      arch: "x86"
-      family: "AmazonLinux2023"
-      kubernetes-version: "1.32.1"
-      selinux-mode: "enforcing"
-  exclude:
+      kubernetes-version: "1.34.1"
     - cluster-type: "eksctl"
-      arch: "arm"
-      family: "Bottlerocket"
-    # AL2 is not supported by Kubernetes 1.33.
+      family: "Ubuntu2204"
+      kubernetes-version: "1.35.0"
+    # Ubuntu2404 is only supported on EKS >= 1.31.
+    # See https://eksctl.io/usage/custom-ami-support/?h=ubuntu#setting-the-node-ami-family.
     - cluster-type: "eksctl"
-      family: "AmazonLinux2"
-      kubernetes-version: "1.33.2"
+      family: "Ubuntu2404"
+      kubernetes-version: "1.30.4"

.github/workflows/build_matrix.yaml

@@ -4,13 +4,17 @@ on:
       matrix:
         description: "Matrix"
         value: ${{ jobs.build_matrix.outputs.matrix }}
+
+permissions:
+  contents: read
+
 jobs:
   build_matrix:
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.parse_yaml.outputs.matrix }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Parse matrix.yaml file
         id: parse_yaml
         run: |

.github/workflows/controller-tests.yaml

@@ -4,10 +4,12 @@ on:
   push:
     branches: ["main", "feature/*"]
   pull_request:
-    branches: ["main", "feature/*"]
   merge_group:
     types: ["checks_requested"]
 
+permissions:
+  contents: read
+
 jobs:
   build_matrix:
     name: Build Matrix
@@ -26,13 +28,23 @@ jobs:
       ENVTEST_K8S_VERSION: "${K8S_VERSION%.*}"
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
 
       - name: Run Controller Tests
         run: |
           make e2e-controller
+
+  post_test:
+    name: "Controller Post Test"
+    if: always()
+    needs:
+      - controller_test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Verify jobs succeeded
+        run: echo '${{ toJSON(needs) }}' | jq -e 'to_entries | all(.value.result == "success")'

.github/workflows/delete-cluster.yaml

@@ -8,6 +8,7 @@ on:
 
 concurrency:
   group: e2e-cluster-${{ inputs.environment }}
+  queue: max
 
 env:
   IMAGE_NAME: "s3-csi-driver"
@@ -17,6 +18,8 @@ jobs:
   build_matrix:
     name: Build Matrix
     uses: ./.github/workflows/build_matrix.yaml
+    permissions:
+      contents: read
   delete_cluster:
     needs: ["build_matrix"]
     strategy:
@@ -41,19 +44,16 @@ jobs:
       SELINUX_MODE: "${{ matrix.selinux-mode }}"
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: ${{ github.ref }}
           persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-python@v4
-        with:
-          python-version: "3.10"
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ vars.IAM_ROLE }}
           aws-region: ${{ vars.AWS_REGION }}

.github/workflows/e2e-test-trusted.yaml

@@ -19,4 +19,13 @@ jobs:
     with:
       environment: "trusted"
       ref: ${{ (github.event_name == 'push' && github.sha) || (github.event_name == 'pull_request' && github.event.pull_request.head.sha) || github.event.merge_group.head_sha }}
-    secrets: inherit
+    secrets: inherit
+  outcome:
+    name: All E2E Tests Passed
+    if: always()
+    runs-on: ubuntu-latest
+    needs:
+      - e2e
+    steps:
+      - name: Verify jobs succeeded
+        run: echo '${{ toJSON(needs) }}' | jq -e 'to_entries | all(.value.result == "success")'

.github/workflows/e2e-test-untrusted.yaml

@@ -18,10 +18,23 @@ jobs:
         run: |
           echo "Approved!"
   e2e:
-    name: E2E Tests
+    name: "E2E Tests (${{ matrix.region }})"
     uses: ./.github/workflows/e2e-tests.yaml
+    strategy:
+      matrix:
+        region:
+          - 'us-east-1'
     needs: approval
     with:
-      environment: "untrusted"
+      environment: "${{ matrix.region }}-untrusted"
       ref: ${{ github.event.pull_request.head.sha }}
-    secrets: inherit
+    secrets: inherit
+  outcome:
+    name: All E2E Tests Passed
+    if: ${{ always() && github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id }}
+    runs-on: ubuntu-latest
+    needs:
+      - e2e
+    steps:
+      - name: Verify jobs succeeded
+        run: echo '${{ toJSON(needs) }}' | jq -e 'to_entries | all(.value.result == "success")'

.github/workflows/e2e-tests.yaml

@@ -12,6 +12,7 @@ on:
 
 concurrency:
   group: e2e-cluster-${{ inputs.environment }}
+  queue: max
 
 env:
   IMAGE_NAME: "s3-csi-driver"
@@ -24,6 +25,8 @@ jobs:
   build_matrix:
     name: Build Matrix
     uses: ./.github/workflows/build_matrix.yaml
+    permissions:
+      contents: read
   build:
     runs-on: ubuntu-22.04 # FIXME - https://github.com/actions/runner-images/issues/11471
     environment: ${{ inputs.environment }}
@@ -32,16 +35,16 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: ${{ inputs.ref }}
           persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@master
         with:
@@ -79,19 +82,16 @@ jobs:
       SELINUX_MODE: "${{ matrix.selinux-mode }}"
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           ref: ${{ inputs.ref }}
           persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-python@v4
-        with:
-          python-version: "3.10"
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ vars.IAM_ROLE }}
           aws-region: ${{ vars.AWS_REGION }}
@@ -102,6 +102,7 @@ jobs:
         run: |
           tests/e2e-kubernetes/scripts/run.sh
       - name: Create cluster
+        id: create_cluster
         env:
           ACTION: "create_cluster"
         run: |
@@ -159,31 +160,34 @@ jobs:
         run: |
           tests/e2e-kubernetes/scripts/run.sh
       - name: Uninstall the driver (PodMounter)
-        if: always()
+        # Skip uninstall if cluster creation did not succeed - no cluster to communicate with
+        if: ${{ always() && steps.create_cluster.conclusion == 'success' }}
         env:
           ACTION: "uninstall_driver"
         run: |
           tests/e2e-kubernetes/scripts/run.sh
-
-      # Everything is tested, delete the cluster
       - name: Delete cluster
         if: always()
         env:
           ACTION: "delete_cluster"
         run: |
           tests/e2e-kubernetes/scripts/run.sh
   post_test:
-    needs: test
+    if: always()
+    needs:
+      - test
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
     permissions:
       id-token: write
       contents: read
     steps:
+      - name: Verify jobs succeeded
+        run: echo '${{ toJSON(needs) }}' | jq -e 'to_entries | all(.value.result == "success")'
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ vars.IAM_ROLE }}
           aws-region: ${{ vars.AWS_REGION }}