chore: backport (2026/02/19)

.github/workflows/chart.yml

@@ -5,27 +5,81 @@ on:
     branches:
       - main
     paths:
-      - ".github/workflows/chart.yaml"
+      - ".github/workflows/chart.yml"
       - "charts/**"
   create:
     # Publish semver tags as releases.
     tags: [ 'v*.*.*' ]
 
 permissions:
   contents: write
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
 
 jobs:
-  deploy:
+  publish-github-pages:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6.0.2
         with:
           submodules: true
           fetch-depth: 0
-      - name: Publish Helm chart
+      - name: Publish Helm chart to GitHub Pages
         uses: stefanprodan/helm-gh-pages@v1.7.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           charts_dir: charts
           target_dir: charts
-          linting: off
+          linting: on
+
+  publish-oci:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Package and push Helm charts to GHCR
+        run: |
+          set -euo pipefail
+
+          # Convert repository name to lowercase for OCI registry
+          REPO_LOWER=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+
+          # Determine version to use
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            # Use release tag as version (strip 'v' prefix)
+            CHART_VERSION=${GITHUB_REF#refs/tags/v}
+            echo "Using release tag version: ${CHART_VERSION}"
+          else
+            # Use version from Chart.yaml for non-tag pushes
+            CHART_VERSION=$(grep '^version:' charts/hub-agent/Chart.yaml | awk '{print $2}')
+            echo "Using Chart.yaml version: ${CHART_VERSION}"
+          fi
+
+          # Package and push hub-agent chart
+          echo "📦 Packaging hub-agent chart..."
+          helm package charts/hub-agent --version ${CHART_VERSION} --app-version ${CHART_VERSION}
+
+          echo "🚀 Pushing hub-agent to OCI registry..."
+          helm push hub-agent-${CHART_VERSION}.tgz oci://${{ env.REGISTRY }}/${REPO_LOWER}/charts
+
+          # Package and push member-agent chart
+          echo "📦 Packaging member-agent chart..."
+          helm package charts/member-agent --version ${CHART_VERSION} --app-version ${CHART_VERSION}
+
+          echo "🚀 Pushing member-agent to OCI registry..."
+          helm push member-agent-${CHART_VERSION}.tgz oci://${{ env.REGISTRY }}/${REPO_LOWER}/charts
+
+          echo ""
+          echo "✅ Helm charts published to OCI registry!"
+          echo "📍 Hub Agent: oci://${{ env.REGISTRY }}/${REPO_LOWER}/charts/hub-agent:${CHART_VERSION}"
+          echo "📍 Member Agent: oci://${{ env.REGISTRY }}/${REPO_LOWER}/charts/member-agent:${CHART_VERSION}"

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ on:
     paths-ignore: [docs/**, "**.md", "**.mdx", "**.png", "**.jpg"]
 
 env:
-  GO_VERSION: '1.24.12'
+  GO_VERSION: '1.24.13'
   CERT_MANAGER_VERSION: 'v1.16.2'
 
 jobs:
@@ -30,7 +30,7 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
-  unit-tests:
+  unit-and-integration-tests:
     runs-on: ubuntu-latest
     needs: detect-noop
     if: needs.detect-noop.outputs.noop != 'true'
@@ -46,18 +46,43 @@ jobs:
       - name: Set up Ginkgo CLI
         run: |
           go install github.com/onsi/ginkgo/v2/ginkgo@v2.19.1
+
+      - name: Prepare necessary environment variables
+        run: |
+          echo "CGO_ENABLED=1" >> $GITHUB_ENV
+          KUBEBUILDER_ASSETS=$(make --silent kubebuilder-assets-path)
+          echo "KUBEBUILDER_ASSETS="$KUBEBUILDER_ASSETS"" >> $GITHUB_ENV
 
-      - name: Run unit tests & Generate coverage
-        run: make test
-
+      # Certain tests that require special setup (e.g., those that should be run with Ginkgo CLI only) will
+      # be skipped in this step.
+      #
+      # Note that the skipping only applies to the CI environment.
+      - name: Run unit and integration tests with default setup & generate coverage
+        run: |
+          make test
+        env:
+          KUBEFLEET_CI_TEST_RUNNER_NAME: 'default'
+
+      # The work applier integration tests use in-memory Kubernetes environment setup; due to resource constraints
+      # and the way the tests are organized, running the suite with as many parallel Ginkgo processes as possible (i.e.,
+      # the number of all CPU cores) might not lead to the optimal outcome.
+      #
+      # Note (chenyu1): switch to test matrices if we need to test with more configuration combos in the future.
+      - name: Run work applier unit and integration tests with Ginkgo CLI & generate coverage
+        run: |
+          ginkgo -v -p --procs=4 --race --cover -coverprofile=work-applier-it-coverage.out ./pkg/controllers/workapplier/ 
+          KUBEFLEET_CI_WORK_APPLIER_RUN_WITH_PRIORITY_QUEUE=true ginkgo -v -p --procs=4 --race --cover -coverprofile=work-applier-it-no-pri-q-coverage.out ./pkg/controllers/workapplier/
+        env:
+          KUBEFLEET_CI_TEST_RUNNER_NAME: 'ginkgo'
+
       - name: Upload Codecov report
         uses: codecov/codecov-action@v5
         with:
-           ## Repository upload token - get it from codecov.io. Required only for private repositories
+          ## Repository upload token - get it from codecov.io. Required only for private repositories
           token: ${{ secrets.CODECOV_TOKEN }}
-          ## Comma-separated list of files to upload
-          files: ./ut-coverage.xml
-  
+          # The codecov action will auto-search all coverage files by default. All uploaded coverage will be
+          # merged automatically.
+
   e2e-tests:
     strategy:
       fail-fast: false

.github/workflows/code-lint.yml

@@ -14,7 +14,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.24.12'
+  GO_VERSION: '1.24.13'
 
 jobs:
 

.github/workflows/codespell.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
         with:
           egress-policy: audit
 

.github/workflows/trivy.yml

@@ -18,7 +18,7 @@ env:
   MEMBER_AGENT_IMAGE_NAME: member-agent
   REFRESH_TOKEN_IMAGE_NAME: refresh-token
 
-  GO_VERSION: '1.24.12'
+  GO_VERSION: '1.24.13'
 
 jobs:
   export-registry:
@@ -47,7 +47,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Login to ${{ env.REGISTRY }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}

.github/workflows/upgrade.yml

@@ -17,7 +17,7 @@ on:
     paths-ignore: [docs/**, "**.md", "**.mdx", "**.png", "**.jpg"]
 
 env:
-  GO_VERSION: '1.24.12'
+  GO_VERSION: '1.24.13'
 
 jobs:
   detect-noop:

.gitignore

@@ -35,3 +35,6 @@ ut-coverage.xml
 
 .vscode/
 .qoder/
+
+# Helm chart packaging
+.helm-packages/

.golangci.yml

@@ -1,6 +1,6 @@
 run:
   timeout: 15m
-  go: '1.24.12'
+  go: '1.24.13'
 
 linters-settings:
   stylecheck:

Makefile

@@ -36,7 +36,6 @@ ifeq ($(TARGET_ARCH),$(filter $(TARGET_ARCH),x86_64))
 else ifeq ($(TARGET_ARCH),$(filter $(TARGET_ARCH),aarch64 arm))
 	TARGET_ARCH := arm64
 endif
-$(info Auto-detected system architecture: $(TARGET_ARCH))
 endif
 endif
 
@@ -63,7 +62,7 @@ CONTROLLER_GEN_VER := v0.16.0
 CONTROLLER_GEN_BIN := controller-gen
 CONTROLLER_GEN := $(abspath $(TOOLS_BIN_DIR)/$(CONTROLLER_GEN_BIN)-$(CONTROLLER_GEN_VER))
 
-STATICCHECK_VER := master
+STATICCHECK_VER := v0.6.1
 STATICCHECK_BIN := staticcheck
 STATICCHECK := $(abspath $(TOOLS_BIN_DIR)/$(STATICCHECK_BIN)-$(STATICCHECK_VER))
 
@@ -76,9 +75,9 @@ GOLANGCI_LINT_BIN := golangci-lint
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
 
 # ENVTEST_K8S_VERSION refers to the version of k8s binary assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.30.0
+ENVTEST_K8S_VERSION = 1.33.0
 # ENVTEST_VER is the version of the ENVTEST binary
-ENVTEST_VER = v0.0.0-20240317073005-bd9ea79e8d18
+ENVTEST_VER = release-0.22
 ENVTEST_BIN := setup-envtest
 ENVTEST := $(abspath $(TOOLS_BIN_DIR)/$(ENVTEST_BIN)-$(ENVTEST_VER))
 
@@ -182,19 +181,26 @@ test: manifests generate fmt vet local-unit-test integration-test ## Run unit te
 
 ##
 # Set up the timeout parameters as some of the tests (rollout controller) lengths have exceeded the default 10 minute mark.
-# TO-DO (chenyu1): enable parallelization for single package integration tests.
+# Note: this recipe runs both unit tests and integration tests under the pkg/ directory.
 .PHONY: local-unit-test
 local-unit-test: $(ENVTEST) ## Run unit tests
 	export CGO_ENABLED=1 && \
 	export KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" && \
 	go test `go list ./pkg/... ./cmd/...` -race -coverpkg=./...  -coverprofile=ut-coverage.xml -covermode=atomic -v -timeout=30m
 
+# Note: this recipe runs the integration tests under the /test/scheduler and /test/apis/ directories with the Ginkgo CLI.
 .PHONY: integration-test
 integration-test: $(ENVTEST) ## Run integration tests
 	export CGO_ENABLED=1 && \
 	export KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" && \
-	ginkgo -v -p --race --cover --coverpkg=./pkg/scheduler/... ./test/scheduler && \
-	ginkgo -v -p --race --cover --coverpkg=./... ./test/apis/...
+	ginkgo -v -p --race --cover --coverpkg=./pkg/scheduler/... -coverprofile=scheduler-it.out ./test/scheduler && \
+	ginkgo -v -p --race --cover --coverpkg=./apis/ -coverprofile=api-validation-it.out ./test/apis/...
+
+.PHONY: kubebuilder-assets-path
+kubebuilder-assets-path: $(ENVTEST) ## Get the path to kubebuilder assets
+	@export CGO_ENABLED=1 && \
+	export KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" && \
+	echo $$KUBEBUILDER_ASSETS
 
 ## local tests & e2e tests
 
@@ -282,6 +288,14 @@ BUILDKIT_VERSION ?= v0.18.1
 push: ## Build and push all Docker images
 	$(MAKE) OUTPUT_TYPE="type=registry" docker-build-hub-agent docker-build-member-agent docker-build-refresh-token docker-build-crd-installer
 
+.PHONY: helm-push
+helm-push: ## Package and push Helm charts to OCI registry
+	helm package charts/hub-agent --version $(TAG) --app-version $(TAG) --destination .helm-packages
+	helm package charts/member-agent --version $(TAG) --app-version $(TAG) --destination .helm-packages
+	helm push .helm-packages/hub-agent-$(TAG).tgz oci://$(REGISTRY)
+	helm push .helm-packages/member-agent-$(TAG).tgz oci://$(REGISTRY)
+	rm -rf .helm-packages
+
 # By default, docker buildx create will pull image moby/buildkit:buildx-stable-1 and hit the too many requests error
 #
 # Note (chenyu1): the step below sets up emulation for building/running non-native binaries on the host. The original
@@ -300,6 +314,7 @@ push: ## Build and push all Docker images
 # On some systems the emulation setup might not work at all (e.g., macOS on Apple Silicon -> Rosetta 2 will be used 
 # by Docker Desktop as the default emulation option for AMD64 on ARM64 container compatibility).
 docker-buildx-builder:
+	$(info Auto-detected system architecture: $(TARGET_ARCH))
 	@if ! docker buildx ls | grep $(BUILDX_BUILDER_NAME); then \
 		if [ "$(TARGET_ARCH)" = "amd64" ] ; then \
 			echo "The target is an x86_64 platform; setting up emulation for other known architectures"; \