System tests pipeline on GitHub Actions (#11331)

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

Author: Frawless

.github/actions/add-comment/action.yml

@@ -0,0 +1,51 @@
+name: Add Comment
+description: "Posts a comment on the pull-request"
+
+inputs:
+  commentMessage:
+    description: "Message that will be put as a comment"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Add comment
+      id: comment-and-check
+      uses: actions/github-script@v7
+      env:
+        MESSAGE: ${{ inputs.commentMessage }}
+      with:
+        script: |
+          const {owner, repo} = context.repo;
+
+          const msg       = process.env.MESSAGE
+          let   sha       = undefined
+          let   prNumber  = undefined;
+
+          //------------------------------------------------------------------
+          // 1) Work out PR number & HEAD SHA
+          //------------------------------------------------------------------
+          if (context.payload.pull_request) {
+            prNumber = context.payload.pull_request.number;
+            sha    ||= context.payload.pull_request.head.sha;
+          } else if (context.payload.issue?.pull_request) {
+            prNumber = context.payload.issue.number;
+            if (!sha) {
+              const pr = await github.request(
+                context.payload.issue.pull_request.url);
+              sha = pr.data.head.sha;
+            }
+          } else {
+            sha ||= context.sha;
+          }
+          
+          core.info(`Going to put a comment to PR “${prNumber}” (“${sha}”) - ”${msg}”`);
+
+          //------------------------------------------------------------------
+          // 2) Add / update PR comment
+          //------------------------------------------------------------------
+          if (prNumber) {
+            await github.rest.issues.createComment({
+              owner, repo, issue_number: prNumber, body: msg
+            });
+          }

.github/actions/build-strimzi-binaries/action.yml

@@ -0,0 +1,64 @@
+name: "Build Strimzi jars"
+description: "Build and archive Strimzi jars"
+
+inputs:
+  mvnArgs:
+    description: "Maven arguments for the build"
+    required: false
+    default: ""
+  runnerArch:
+    description: "Architecture of GitHub runner"
+    required: false
+    default: "arm64"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install yq
+      uses: ./.github/actions/install-yq
+      with:
+        architecture: ${{ inputs.runnerArch }}
+    - name: Install Shellcheck
+      uses: ./.github/actions/install-shellcheck
+      with:
+        architecture: ${{ inputs.runnerArch }}
+    - name: Install Helm
+      uses: ./.github/actions/install-helm
+    - uses: actions/setup-java@v5
+      with:
+        distribution: "temurin"
+        java-version: "17"
+        cache: 'maven'
+
+    # Caches for Maven and Kafka
+    - name: Cache local Maven repository
+      uses: actions/cache@v4
+      with:
+        path: ~/.m2/repository
+        key: "maven-cache | **/pom.xml"
+        restore-keys: |
+          maven | ${{ github.job }}
+          maven
+    - name: Cache Kafka binaries
+      uses: actions/cache@v4
+      with:
+        path: docker-images/artifacts/binaries/kafka/archives
+        key: '"kafka-binaries" | kafka-versions.yaml'
+
+    # Building the artifacts
+    - name: Build artifacts
+      shell: bash
+      run: |
+        make java_install
+      env:
+        MVN_ARGS: ${{ inputs.mvnArgs }}
+
+    - name: Create tarball with artifact
+      shell: bash
+      run: "tar -cvpf strimzi-binaries.tar ./docker-images/artifacts/binaries"
+
+    - name: Upload containers artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: strimzi-binaries.tar
+        path: strimzi-binaries.tar

.github/actions/check-and-status/action.yml

@@ -0,0 +1,162 @@
+name: Add check & status
+description: "Sets a commit/issue status on the given (or auto-detected) SHA."
+
+inputs:
+  checkState:
+    description: "Check state: error, failure, pending, or success"
+    default: success
+  checkName:
+    description: "Status-line “context” label (appears in the PR UI)"
+    default: custom/check
+  checkDescription:
+    description: "Short description that shows next to the status"
+    default: ''
+  sha:
+    description: "Commit SHA to attach the status to (auto-detected if empty)"
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Add issue/commit check
+      id: comment-and-check
+      # Run only if action wasn't triggered by comment or manually
+      if: github.event_name == 'workflow_dispatch' || github.event_name == 'issue_comment'
+      uses: actions/github-script@v7
+      env:
+        CHECK_STATE: ${{ inputs.checkState }}
+        CHECK_NAME: ${{ inputs.checkName }}
+        CHECK_DESCRIPTION: ${{ inputs.checkDescription }}
+        SHA: ${{ inputs.sha }}
+      with:
+        script: |
+          const {owner, repo} = context.repo;
+
+          const checkState  = process.env.CHECK_STATE
+          const checkName   = process.env.CHECK_NAME
+          const desc      = process.env.CHECK_DESCRIPTION
+          let   sha       = process.env.SHA
+          let   prNumber  = undefined;
+          let   isPr  = undefined;
+
+          //------------------------------------------------------------------
+          // 1) Work out PR number & HEAD SHA
+          //------------------------------------------------------------------
+          if (context.payload.pull_request) {
+            isPr = true;
+            prNumber = context.payload.pull_request.number;
+            sha    ||= context.payload.pull_request.head.sha;
+          } else if (context.payload.issue?.pull_request) {
+            isPr = true;
+            prNumber = context.payload.issue.number;
+            if (!sha) {
+              const pr = await github.request(
+                context.payload.issue.pull_request.url);
+              sha = pr.data.head.sha;
+            }
+          } else {
+            isPr = false;
+            sha ||= context.sha;
+          }
+
+          core.info(`Going to work with the following sha: “${sha}”.`); 
+
+          if (sha) {
+            //------------------------------------------------------------------
+            // 2) Map state → conclusion
+            //------------------------------------------------------------------
+            const conclusionToState = { 
+              success: 'success', 
+              failure: 'failure',
+              pending: 'in_progress', 
+              error: 'neutral',
+              skipped: 'failure'
+            };
+            const conclusion = conclusionToState[checkState] ?? 'neutral';
+  
+            //------------------------------------------------------------------
+            // 3) Create NEW run if none is currently in progress
+            //------------------------------------------------------------------
+            const list = await github.rest.checks.listForRef({ owner, repo, ref: sha });
+  
+            let run = list.data.check_runs
+                           .find(cr => cr.name === checkName && cr.status !== 'completed');
+    
+            if (!run) {
+              core.info(`Creating a new check-run ”${checkName}”`);
+              run = (await github.rest.checks.create({
+                owner, repo,
+                name: checkName,
+                head_sha: sha,
+                status: 'in_progress',
+                output: {
+                  title: checkName,
+                  summary: [
+                    desc,
+                    '',
+                    `[See the full workflow run](${process.env.GITHUB_SERVER_URL}/` +
+                    `${process.env.GITHUB_REPOSITORY}/actions/runs/` +
+                    `${process.env.GITHUB_RUN_ID})`
+                  ].join('\n')
+                },
+                details_url:
+                  `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}` +
+                  `/actions/runs/${process.env.GITHUB_RUN_ID}`
+              })).data;
+              core.info(`Created new run: ${run.id} (status=${run.status})`)
+            } else {
+              core.info(`Re-using existing run #${run.id} (status=${run.status})`);
+            }
+  
+            //------------------------------------------------------------------
+            // 4) Finish the run when we have a final state
+            //------------------------------------------------------------------
+            core.info(`Conclusion for ”${checkName}” is ”${conclusion} (state=${checkState})”`);
+          
+            if (conclusion !== 'in_progress') {          
+              await github.rest.checks.update({
+                owner, repo, check_run_id: run.id,
+                status: 'completed',
+                name: checkName,
+                conclusion,
+                output: {
+                  title: checkName,
+                  summary: [
+                    desc,
+                    '',
+                    `[See the full workflow run](${process.env.GITHUB_SERVER_URL}/` +
+                    `${process.env.GITHUB_REPOSITORY}/actions/runs/` +
+                    `${process.env.GITHUB_RUN_ID})`
+                  ].join('\n')
+                },
+                details_url:
+                  `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}` +
+                  `/actions/runs/${process.env.GITHUB_RUN_ID}`
+              });
+            }
+          
+            //------------------------------------------------------------------
+            // 5) Set commit status as well
+            //------------------------------------------------------------------
+            if (!isPr) {
+              const stateForStatusApi =
+                checkState === 'pending' ? 'pending' :
+                checkState === 'failure' ? 'failure' :
+                checkState === 'error'   ? 'error'   : 'success';
+            
+              core.info(`Updating commit status “${checkName}”=“${stateForStatusApi}” for sha: “${sha}”.`);
+            
+              await github.rest.repos.createCommitStatus({
+                owner, repo,
+                sha,
+                state: stateForStatusApi,
+                context: checkName,
+                description: desc,
+                target_url:
+                  `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}` +
+                  `/actions/runs/${process.env.GITHUB_RUN_ID}`
+              });
+            } else {
+              core.info(`Not going to create commit status for sha: “${sha}”.`);
+            }
+          }

.github/actions/check-permissions/action.yml

@@ -0,0 +1,79 @@
+name: Verify users rights
+description: "Fails the workflow run if the triggering user lacks write permission or is not in the given organisation team."
+
+inputs:
+  message:
+    description: "Message that will be shown as comment in case of access denial"
+    default: "⚠️ You don’t have permission to run this workflow. Please ask a maintainer to trigger it for you."
+  team:
+    description: "Name of the team that contains trusted contributors"
+    default: "contributors"
+
+runs:
+  using: composite
+  steps:
+    - name: Check repository permission / team membership
+      uses: actions/github-script@v7
+      env:
+        TEAM: ${{ inputs.team }}
+        MESSAGE: ${{ inputs.message }}
+      with:
+        script: |
+          const {owner, repo} = context.repo;
+          const actor = process.env.GITHUB_ACTOR;
+          const team  = process.env.TEAM
+          const denialMessage = process.env.MESSAGE
+          
+          //------------------------------------------------------------------
+          // 1) Check collaborator permission (works for user *and* org repos)
+          //------------------------------------------------------------------
+          const perm = (await github.rest.repos.getCollaboratorPermissionLevel({
+            owner, repo, username: actor
+          })).data.permission;                // admin | maintain | write | triage | read | none
+
+          if (['admin', 'maintain', 'write'].includes(perm)) {
+            core.info(`${actor} has ${perm} permission → authorised ✅`);
+            return;
+          }
+          
+          //------------------------------------------------------------------
+          // 2) Repo is under an organisation?  Then allow specific team members
+          //------------------------------------------------------------------
+          if (context.payload.repository.owner.type === 'Organization') {
+            try {
+              await github.rest.teams.getMembershipForUserInOrg({
+                org: owner,
+                team_slug: team,
+                username: actor
+              });
+              core.info(`${actor} is in org team “${team}” → authorised ✅`);
+              return;
+            } catch (_) {
+              core.info(`${actor} is not in team “${team}”.`);
+            }
+          }
+          
+          let orgMember = true;
+          try {
+            await github.rest.orgs.getMembershipForUser({org: owner, username: actor});
+            core.info(`${actor} is in org” → authorised ✅`);
+            return;
+          } catch (_) { 
+            core.info(`${actor} is not in org “${owner}”.`); 
+          }
+
+          //------------------------------------------------------------------
+          // 3) Post PR comment if applicable, then fail
+          //------------------------------------------------------------------
+          if (context.payload.pull_request || context.payload.issue?.pull_request) {
+            const issueNumber = (context.payload.pull_request?.number)
+                              ?? (context.payload.issue.number);
+            await github.rest.issues.createComment({
+              owner, repo,
+              issue_number: issueNumber,
+              body: denialMessage
+            });
+            core.info(`Refusal comment posted to PR #${issueNumber}`);
+          }
+
+          core.setFailed(`${actor} is not authorised ❌`);