rancher · thardeck · Mar 13, 2026 · Mar 10, 2026 · Mar 11, 2026 · Mar 12, 2026
@@ -5,6 +5,7 @@
   ],
   "baseBranchPatterns": [
     "main",
+    "release/v0.15",
     "release/v0.14",
     "release/v0.13",
     "release/v0.12",
@@ -14,6 +15,14 @@
     "**/assets/**"
   ],
   "packageRules": [
+    {
+      "matchBaseBranches": [
+        "release/v0.15"
+      ],
+      "extends": [
+        "github>rancher/renovate-config//rancher-2.14#release"
+      ]
+    },
     {
       "matchBaseBranches": [
         "release/v0.14"

@@ -1,11 +1,11 @@
-#!/bin/sh
-set -ue
+#!/bin/bash
+set -euo pipefail
 
 go generate
 ginkgo unfocus
 
 if [ -n "$(git status --porcelain)" ]; then
-    echo "Generated files have either been changed manually or were not updated.\n"
+    printf 'Generated files have either been changed manually or were not updated.\n\n'
 
     echo "The following generated files did differ after regeneration:"
     git status --porcelain

@@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# Compute the Fleet and Rancher versions needed to open a release PR.
+#
+# Environment variables:
+#   FLEET_BRANCH     Fleet branch to release (e.g. release/v0.15 or main)
+#   GH_TOKEN         GitHub token for API calls
+#   FLEET_REPO_DIR   Path to the fleet checkout (default: ./fleet)
+#   GITHUB_OUTPUT    Path to the GitHub Actions output file
+
+set -euo pipefail
+
+FLEET_REPO_DIR="${FLEET_REPO_DIR:-./fleet}"
+
+# Derive the Fleet minor version from the branch name.
+# For main, compute it as (highest release branch minor) + 1.
+if [ "$FLEET_BRANCH" = "main" ]; then
+    highest_minor=$(git -C "$FLEET_REPO_DIR" ls-remote --heads origin 'refs/heads/release/v0.*' \
+        | grep -oE 'v0\.[0-9]+' | cut -d. -f2 | sort -n | tail -1)
+    if [ -z "$highest_minor" ]; then
+        printf 'ERROR: No release/v0.* branches found in fleet repo\n' >&2
+        exit 1
+    fi
+    fleet_minor=$((highest_minor + 1))
+else
+    fleet_minor=$(printf '%s' "$FLEET_BRANCH" | grep -oE '[0-9]+$')
+fi
+
+rancher_minor=$((fleet_minor - 1))
+charts_branch="dev-v2.${rancher_minor}"
+
+# Fetch the Fleet chart directory listing from the rancher/charts dev branch.
+chart_response=$(curl -fsSL \
+    -H "Authorization: Bearer ${GH_TOKEN}" \
+    "https://api.github.com/repos/rancher/charts/contents/charts/fleet?ref=${charts_branch}") || {
+    printf 'ERROR: Could not list Fleet charts in rancher/charts branch %s\n' "$charts_branch" >&2
+    exit 1
+}
+
+latest_chart=$(printf '%s' "$chart_response" \
+    | jq -r '.[] | select(.type == "dir") | .name' \
+    | sort -V | tail -1)
+
+if [ -z "$latest_chart" ]; then
+    printf 'ERROR: No Fleet chart directories found in rancher/charts branch %s\n' "$charts_branch" >&2
+    exit 1
+fi
+
+# Chart directory names follow the pattern <chart-version>+up<fleet-version>,
+# e.g. 110.0.1+up0.15.1.
+new_fleet="${latest_chart##*+up}"
+new_chart="${latest_chart%%+*}"
+
+# Target the Rancher release branch when it exists; fall back to main.
+rancher_ref="release/v2.${rancher_minor}"
+http_status=$(curl -s -o /dev/null -w "%{http_code}" \
+    -H "Authorization: Bearer ${GH_TOKEN}" \
+    "https://api.github.com/repos/rancher/rancher/branches/release%2Fv2.${rancher_minor}")
+case "$http_status" in
+    200) ;;
+    404) rancher_ref="main" ;;
+    *) printf 'ERROR: GitHub API returned HTTP %s while checking Rancher branch\n' "$http_status" >&2; exit 1 ;;
+esac
+
+printf 'Charts branch:     %s\n' "$charts_branch"
+printf 'New Fleet version: %s\n' "$new_fleet"
+printf 'New chart version: %s\n' "$new_chart"
+printf 'Rancher ref:       %s\n' "$rancher_ref"
+
+{
+    printf 'new_fleet=%s\n' "$new_fleet"
+    printf 'new_chart=%s\n' "$new_chart"
+    printf 'rancher_ref=%s\n' "$rancher_ref"
+} >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
@@ -1,21 +1,18 @@
 #!/bin/bash
 #
-# Submit new Fleet version against rancher/rancher
+# Submit new Fleet version against rancher/rancher.
 
-set -ue
+set -euo pipefail
 
-NEW_FLEET_VERSION="$1"    # e.g. 0.6.0-rc.3
-NEW_CHART_VERSION="$2"    # e.g. 101.1.0
-BUMP_API="$3"             # bump api if `true`
+NEW_FLEET_VERSION="$1"    # e.g. 0.15.1
+NEW_CHART_VERSION="$2"    # e.g. 110.0.1
 
 bump_fleet_api() {
-    COMMIT=$1
-
-    go get -u "github.com/rancher/fleet/pkg/apis@v${NEW_FLEET_VERSION}" || go get -u "github.com/rancher/fleet/pkg/apis@${COMMIT}"
+    go get -u "github.com/rancher/fleet/pkg/apis@v${NEW_FLEET_VERSION}"
     go mod tidy
 }
 
-RANCHER_DIR=${RANCHER_DIR-"$(dirname -- "$0")/../../../rancher"}
+RANCHER_DIR="${RANCHER_DIR:-"$(dirname -- "$0")/../../../rancher"}"
 
 pushd "${RANCHER_DIR}" > /dev/null
 
@@ -24,35 +21,60 @@ if [ ! -e ~/.gitconfig ]; then
     git config --global user.email fleet@suse.de
 fi
 
-# Check if version is available online
-CHART_DEFAULT_BRANCH=$(grep "ARG CHART_DEFAULT_BRANCH=" package/Dockerfile | cut -d'=' -f2)
-if ! curl -s --head --fail "https://github.com/rancher/charts/raw/${CHART_DEFAULT_BRANCH}/assets/fleet/fleet-${NEW_CHART_VERSION}+up${NEW_FLEET_VERSION}.tgz" > /dev/null; then
-    echo "Version ${NEW_CHART_VERSION}+up${NEW_FLEET_VERSION} does not exist in the branch ${CHART_DEFAULT_BRANCH} in rancher/charts"
+# Guard: error if rancher/rancher already has this version or a newer one.
+if [ ! -f build.yaml ]; then
+    printf 'ERROR: build.yaml not found in %s\n' "$(pwd)" >&2
     exit 1
 fi
 
-if [ -e build.yaml ]; then
-    sed -i -e "s/fleetVersion: .*$/fleetVersion: ${NEW_CHART_VERSION}+up${NEW_FLEET_VERSION}/" build.yaml
-    go generate
-    git add build.yaml pkg/buildconfig/constants.go
-else
-    sed -i -e "s/ENV CATTLE_FLEET_VERSION=.*$/ENV CATTLE_FLEET_VERSION=${NEW_CHART_VERSION}+up${NEW_FLEET_VERSION}/" package/Dockerfile
-    sed -i -e "s/ENV CATTLE_FLEET_MIN_VERSION=.*$/ENV CATTLE_FLEET_MIN_VERSION=${NEW_CHART_VERSION}+up${NEW_FLEET_VERSION}/" package/Dockerfile
-    git add package/Dockerfile
+TARGET_VERSION="${NEW_CHART_VERSION}+up${NEW_FLEET_VERSION}"
+CURRENT_VERSION=$(grep 'fleetVersion:' build.yaml | awk '{print $2}')
+
+if [ -z "$CURRENT_VERSION" ]; then
+    printf 'ERROR: fleetVersion not found in build.yaml\n' >&2
+    exit 1
 fi
 
-if [ "${BUMP_API}" == "true" ]; then
-    pushd ../fleet > /dev/null
-        COMMIT=$(git rev-list -n 1 "v${NEW_FLEET_VERSION}")
-    popd > /dev/null
+if [ "$CURRENT_VERSION" = "$TARGET_VERSION" ]; then
+    printf 'ERROR: rancher/rancher already contains Fleet %s\n' "$TARGET_VERSION" >&2
+    exit 1
+fi
+
+# Compare only the chart version numbers (before the '+') to detect downgrades.
+current_chart="${CURRENT_VERSION%%+*}"
+target_chart="${TARGET_VERSION%%+*}"
+if [ "$(printf '%s\n%s\n' "$current_chart" "$target_chart" | sort -V | tail -1)" = "$current_chart" ] \
+    && [ "$current_chart" != "$target_chart" ]; then
+    printf 'ERROR: rancher/rancher already has a newer Fleet version: %s\n' "$CURRENT_VERSION" >&2
+    exit 1
+fi
+
+# Guard against replacing a final release with a pre-release of the same or older base.
+# sort -V treats "0.11.12-rc.3" > "0.11.12" (lexicographic suffix), so pre-release
+# vs final requires an explicit check.
+current_fleet="${CURRENT_VERSION##*+up}"
+if ! printf '%s' "$current_fleet" | grep -q '-' && printf '%s' "$NEW_FLEET_VERSION" | grep -q '-'; then
+    target_fleet_base="${NEW_FLEET_VERSION%%-*}"
+    if [ "$(printf '%s\n%s\n' "$current_fleet" "$target_fleet_base" | sort -V | tail -1)" = "$current_fleet" ]; then
+        printf 'ERROR: rancher/rancher has final Fleet %s; refusing pre-release %s\n' \
+            "$current_fleet" "$NEW_FLEET_VERSION" >&2
+        exit 1
+    fi
+fi
+
+sed -i "s/fleetVersion: .*$/fleetVersion: ${TARGET_VERSION}/" build.yaml
+go generate
+git add build.yaml pkg/buildconfig/constants.go
 
-    bump_fleet_api "${COMMIT}"
+# Bump the Fleet API when a pkg/apis tag for this exact version exists in the fleet repo.
+if git -C ../fleet tag -l "pkg/apis/v${NEW_FLEET_VERSION}" | grep -q .; then
+    bump_fleet_api
 
     pushd pkg/apis > /dev/null
-        bump_fleet_api "${COMMIT}"
+    bump_fleet_api
     popd > /dev/null
 
-    git add go.* pkg/apis/go.*
+    git add go.mod go.sum pkg/apis/go.mod pkg/apis/go.sum
 fi
 
 git commit -m "Updating to Fleet v${NEW_FLEET_VERSION}"

@@ -2,31 +2,22 @@ name: Release Fleet against rancher/rancher
 on:
   workflow_dispatch:
     inputs:
-      rancher_ref:
-        description: "Submit PR against the following rancher/rancher branch (e.g. release/v2.13 or main if there is no according release branch yet)"
+      fleet_branch:
+        description: "Fleet branch to release from (main = next unreleased minor version)"
         required: true
         default: "main"
-      new_fleet:
-        description: "New Fleet version (e.g. 0.14.0-rc.1)"
-        required: true
-        default: ""
-      new_chart:
-        description: "New Rancher Chart version (e.g. 108.0.0)"
-        required: true
-        default: ""
-      should_bump_api:
-        description: "Should the Fleet api be bumped in the Rancher repo? (If the API in github.com/rancher/fleet/pkg/apis has changed or the release is for a final release, then the API needs to be bumped (set to true ), otherwise use false .)"
-        required: true
-        default: "false"
-      go_version:
-        description: "Go version used for bumping the api. This should be the same version as in the go.mod file of the project."
-        required: true
-        default: '1.25.*'
+        type: choice
+        options:
+          - main
+          - release/v0.15
+          - release/v0.14
+          - release/v0.13
+          - release/v0.12
+          - release/v0.11
 
 env:
   GOARCH: amd64
   CGO_ENABLED: 0
-  SETUP_GO_VERSION: ${{github.event.inputs.go_version}}
 
 jobs:
   create-rancher-pr:
@@ -40,26 +31,82 @@ jobs:
           fetch-depth: 0
           path: fleet
           persist-credentials: false
+
+      - name: Compute versions
+        id: versions
+        env:
+          GH_TOKEN: ${{ github.token }}
+          FLEET_BRANCH: ${{ inputs.fleet_branch }}
+        run: fleet/.github/scripts/compute-rancher-versions.sh
+
       - name: Checkout rancher/rancher
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           repository: rancher/rancher
-          ref: ${{github.event.inputs.rancher_ref}}
+          ref: ${{ steps.versions.outputs.rancher_ref }}
           path: rancher
           persist-credentials: false
+
+      - name: Pre-flight checks
+        env:
+          NEW_FLEET: ${{ steps.versions.outputs.new_fleet }}
+        run: |
+          set -euo pipefail
+
+          # Skip all checks for pre-releases.
+          if [[ "${NEW_FLEET}" =~ - ]]; then
+            echo "Pre-release version ${NEW_FLEET}; skipping pre-flight checks"
+            exit 0
+          fi
+
+          # For a new final minor version, pkg/apis must be tagged in the fleet repo.
+          if [[ "${NEW_FLEET}" =~ \.0$ ]]; then
+            if ! git -C fleet tag -l "pkg/apis/v${NEW_FLEET}" | grep -q .; then
+              {
+                printf 'ERROR: pkg/apis/v%s tag not found in the fleet repo!\n' "${NEW_FLEET}"
+                printf 'For a new final minor version, pkg/apis must be bumped first.\n'
+                printf 'Please create the tag: git tag pkg/apis/v%s\n' "${NEW_FLEET}"
+              } >&2
+              exit 1
+            fi
+          fi
+
+          # For any final version, rancher/rancher must not reference a pre-release Fleet API
+          # so there must be a Fleet `pkg/apis/v<VERSION>` tag that the api is bumped in this action
+          if ! git -C fleet tag -l "pkg/apis/v${NEW_FLEET}" | grep -q .; then
+            # Tag doesn't exist; check if rancher/rancher has a pre-release version that does not need to be bumped.
+            RANCHER_FLEET_API_VERSION=$(grep 'github.com/rancher/fleet/pkg/apis' rancher/pkg/apis/go.mod | awk '{print $NF}')
+            if [[ "${RANCHER_FLEET_API_VERSION:-}" =~ - ]]; then
+              {
+                printf 'ERROR: rancher/rancher uses pre-release Fleet API %s, but pkg/apis/v%s tag not found\n' "${RANCHER_FLEET_API_VERSION}" "${NEW_FLEET}"
+                printf 'Please create the tag: git tag pkg/apis/v%s\n' "${NEW_FLEET}"
+              } >&2
+              exit 1
+            fi
+          fi
+
       - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
-          go-version: ${{ env.SETUP_GO_VERSION }}
+          go-version-file: ./rancher/go.mod
+          cache-dependency-path: ./rancher/go.sum
+
       - name: Install controller-gen
         run: go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.17.2
+
       - name: Run release script
         run: |
-          export CHARTS_DIR="${GITHUB_WORKSPACE}/rancher"
-          ./fleet/.github/scripts/release-against-rancher.sh ${{github.event.inputs.new_fleet}} ${{github.event.inputs.new_chart}} ${{github.event.inputs.should_bump_api}}
+          ./fleet/.github/scripts/release-against-rancher.sh \
+            "${{ steps.versions.outputs.new_fleet }}" \
+            "${{ steps.versions.outputs.new_chart }}"
+
       - name: Create Pull Request
         env:
           GITHUB_TOKEN: ${{ secrets.PUSH_TO_FORKS_SUBMIT_PRS }}
         working-directory: ./rancher/
         run: |
-          ../fleet/.github/scripts/create-pr.sh ${{github.event.inputs.rancher_ref}} ${{github.event.inputs.new_fleet}} ${{github.event.inputs.new_chart}} rancher
+          ../fleet/.github/scripts/create-pr.sh \
+            "${{ steps.versions.outputs.rancher_ref }}" \
+            "${{ steps.versions.outputs.new_fleet }}" \
+            "${{ steps.versions.outputs.new_chart }}" \
+            rancher
@@ -115,7 +115,7 @@ jobs:
       - name: Run unit tests
         if: ${{ !inputs.skip_tests }}
         continue-on-error: ${{ contains(github.ref, 'rc') }}
-        run: go test -cover -tags=test $(go list ./... | grep -v -e /e2e -e /integrationtests -e /benchmarks)
+        run: go list ./... | grep -v -e /e2e -e /integrationtests -e /benchmarks | xargs go test -cover -tags=test
 
       - name: Run integration tests
         if: ${{ !inputs.skip_tests }}
@@ -276,7 +276,7 @@ jobs:
 
           find charts/ -maxdepth 1 -mindepth 1 -type d -exec helm package --version="$version" --app-version="$version" -d ./dist {} \;
 
-          find dist/ -name '*.tgz' -exec gh release upload $tag {} +
+          find dist/ -name '*.tgz' -exec gh release upload "$tag" {} +
 
       - name: Add charts to branch
         if: ${{ env.IS_HOTFIX == 'false' }}
@@ -315,5 +315,5 @@ jobs:
           git add charts/**/*
           git commit -m "Update charts to version $version"
 
-          git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git
+          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git"
           git push origin "$charts_branch"