fix(ci): pin kwctl-installer and add manifest check

jvanz · jvanz · commit de6d5f66da21 · 2026-03-27T10:27:11.000-03:00
Pin the kwctl-installer GitHub Action to v4.6.1 for reproducible e2e
test environments. Add a CI step that runs 'make manifests' and verifies
the generated chart files are up to date. Fix autolabeler workflow
permissions to use job-level scoping.

Signed-off-by: José Guilherme Vanz &lt;jguilhermevanz@suse.com&gt;
Assited-by: Github Copilot
diff --git a/.github/workflows/autolabeler.yml b/.github/workflows/autolabeler.yml
@@ -2,6 +2,7 @@ name: Auto label
 
 on:
   pull_request:
+    # Only following types are handled by the action, but one can default to all as well
     types: [opened, reopened, synchronize, edited]
 
 permissions: {}
@@ -11,8 +12,8 @@ jobs:
     # Skip fork PRs — the GITHUB_TOKEN is read-only and cannot add labels
     if: github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
     permissions:
-      pull-requests: write
       contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter/autolabeler@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -462,14 +462,31 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-
       - name: enable git long paths on Windows
         if: matrix.os == 'windows-latest'
         run: git config --global core.longpaths true
 
       - name: Run cargo check
         run: make -C crates/kwctl check
 
+  check-manifests:
+    name: Check if the controller-gen generated manifests are up to date
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version: "1.26"
+          check-latest: true
+      - run: |
+          make manifests
+          if ! git diff --quiet -- charts/; then
+            echo "Changes detected in charts/. Please run 'make manifests' and commit the changes."
+            exit 1
+          fi
+
   # Rollup job for branch protection - single stable job name that depends on all checks
   ci-success:
     name: CI Success
@@ -496,6 +513,7 @@ jobs:
       - validate-hauler-manifest
       - kwctl-docs
       - check-kwctl-cross-platform
+      - check-manifests
     runs-on: ubuntu-latest
     steps:
       - name: Check all jobs status
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -102,7 +102,7 @@ jobs:
           persist-credentials: false
 
       - name: "Install kwctl"
-        uses: kubewarden/github-actions/kwctl-installer@f301a7874dd642510fff54a89e4329881bf871ef # v4.6.0
+        uses: kubewarden/github-actions/kwctl-installer@a03315e95ccf85c92e5d472824edeab0704f857b # v4.6.1
         with:
           KWCTL_VERSION: latest
 
