stackabletech · sbernauer · May 6, 2025 · May 6, 2025
diff --git a/.github/ISSUE_TEMPLATE/01-normal-issue.md b/.github/ISSUE_TEMPLATE/01-normal-issue.md
@@ -0,0 +1,17 @@
+---
+name: Normal issue
+about: This is just a normal empty issue with a simple checklist
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+## Issue checklist
+
+This is a simple checklist of things to bear in mind when creating a new issue.
+
+- [ ] **Describe the use-case**: As far as possible, use the pattern "As a [type of user], I would like [feature/functionality] to be able to do [specific action]." This helps identify the feature and the problem it addresses.
+- [ ] **Indicate importance and urgency**: Use a scale (e.g., low, medium, high) to indicate the level of importance and urgency.
+- [ ] **Work-around**: If there is a known work-around, describe it briefly.
+- [ ] **Environment**: Describe the environment where the issue occurs (e.g., SDP version, K8S version, etc.).
diff --git a/.github/ISSUE_TEMPLATE/02-bug_report.yml b/.github/ISSUE_TEMPLATE/02-bug_report.yml
@@ -0,0 +1,54 @@
+---
+name: "🐛 Bug Report"
+description: "If something isn't working as expected 🤔."
+labels: ["type/bug"]
+body:
+  - type: markdown
+    attributes:
+      value: Thanks for taking the time to file a bug report! Please fill out this form as completely as possible.
+
+  - type: input
+    attributes:
+      label: Affected Stackable version
+      description: Which version of the Stackable Operator do you see this bug in?
+
+#   - type: input
+    attributes:
+      label: Affected Apache NiFi version
+      description: Which version of Apache NiFi do you see this bug in?
+# 
+  - type: textarea
+    attributes:
+      label: Current and expected behavior
+      description: A clear and concise description of what the operator is doing and what you would expect.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Possible solution
+      description: "If you have suggestions on a fix for the bug."
+
+  - type: textarea
+    attributes:
+      label: Additional context
+      description: "Add any other context about the problem here. Or a screenshot if applicable."
+
+  - type: textarea
+    attributes:
+      label: Environment
+      description: |
+        What type of kubernetes cluster you are running aginst (k3s/eks/aks/gke/other) and any other information about your environment?
+      placeholder: |
+        Examples:
+        Output of `kubectl version --short`
+
+  - type: dropdown
+    attributes:
+      label: Would you like to work on fixing this bug?
+      description: |
+        **NOTE**: Let us know if you would like to submit a PR for this. We are more than happy to help you through the process.
+      options:
+        - "yes"
+        - "no"
+        - "maybe"
diff --git a/.github/PULL_REQUEST_TEMPLATE/pre-release-getting-started-script.md b/.github/PULL_REQUEST_TEMPLATE/pre-release-getting-started-script.md
@@ -1,4 +1,4 @@
-# Check and Update Getting Started Script
+## Check and Update Getting Started Script
 
 <!--
     Make sure to update the link in 'issues/.github/ISSUE_TEMPLATE/pre-release-getting-started-scripts.md'

diff --git a/.github/PULL_REQUEST_TEMPLATE/pre-release-rust-deps.md b/.github/PULL_REQUEST_TEMPLATE/pre-release-rust-deps.md
@@ -1,4 +1,4 @@
-# Bump Rust Dependencies for Stackable Release YY.M.X
+## Bump Rust Dependencies for Stackable Release YY.M.X
 
 <!--
     Make sure to update the link in 'issues/.github/ISSUE_TEMPLATE/pre-release-operator-rust-deps.md'
@@ -17,11 +17,10 @@ Part of <https://github.com/stackabletech/issues/issues/TRACKING_ISSUE>
 > crates. These bumps also include previously updated and released crates from
 > the `operator-rs` repository.
 
-```[tasklist]
 ### Tasks
+
 - [ ] Bump Rust Dependencies, see below for more details.
 - [ ] Add changelog entry stating which important crates were bumped (including the version).
-```
 
 > [!NOTE]
 > The bumping / updating of Rust dependencies is done in multiple steps:
@@ -30,9 +29,8 @@ Part of <https://github.com/stackabletech/issues/issues/TRACKING_ISSUE>
 > 2. Run the `cargo update` command, which also updates the `Cargo.lock` file.
 > 3. Lastly, run `make regenerate-nix` to update the `Cargo.nix` file.
 
-```[tasklist]
 ### Bump Rust Dependencies
+
 - [ ] Bump `stackable-operator` and friends
 - [ ] Bump `product-config`
 - [ ] Bump all other dependencies
-```
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,4 +1,4 @@
-# Description
+## Description
 
 *Please add a description here. This will become the commit message of the merge request later.*
 
@@ -7,29 +7,26 @@
 - Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
 - Please make sure all these things are done and tick the boxes
 
-```[tasklist]
-# Author
+### Author
+
 - [ ] Changes are OpenShift compatible
 - [ ] CRD changes approved
 - [ ] CRD documentation for all fields, following the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs/style-guide).
 - [ ] Helm chart can be installed and deployed operator works
 - [ ] Integration tests passed (for non trivial changes)
 - [ ] Changes need to be "offline" compatible
-```
 
-```[tasklist]
-# Reviewer
+### Reviewer
+
 - [ ] Code contains useful comments
 - [ ] Code contains useful logging statements
 - [ ] (Integration-)Test cases added
 - [ ] Documentation added or updated. Follows the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs/style-guide).
 - [ ] Changelog updated
 - [ ] Cargo.toml only contains references to git tags (not specific commits or branches)
-```
 
-```[tasklist]
-# Acceptance
+### Acceptance
+
 - [ ] Feature Tracker has been updated
 - [ ] Proper release label has been added
 - [ ] [Roadmap](https://github.com/orgs/stackabletech/projects/25/views/1) has been updated
-```
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -50,10 +50,10 @@
         with:
           persist-credentials: false
           submodules: recursive
-      - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c
+      - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           key: udeps
           cache-all-crates: "true"
@@ -114,7 +114,7 @@
         with:
           persist-credentials: false
           submodules: recursive
-      - uses: EmbarkStudios/cargo-deny-action@8d73959fce1cdc8989f23fdf03bec6ae6a6576ef # v2.0.7
+      - uses: EmbarkStudios/cargo-deny-action@34899fc7ba81ca6268d5947a7a16b4649013fea1 # v2.0.11
         with:
           command: check ${{ matrix.checks }}
 
@@ -126,7 +126,7 @@
         with:
           persist-credentials: false
           submodules: recursive
-      - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c
+      - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0
         with:
           toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }}
           components: rustfmt
@@ -147,14 +147,15 @@
         with:
           persist-credentials: false
           submodules: recursive
-      - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c
+      - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
           components: clippy
-      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           key: clippy
           cache-all-crates: "true"
+        # TODO (@Techassi): Remove this step (unmaintained action, kinda useless step anyway)
       - name: Run clippy action to produce annotations
         uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1.0.1
         env:
@@ -164,12 +165,14 @@
           clippy_flags: --all-targets -- -D warnings
           reporter: 'github-pr-review'
           github_token: ${{ secrets.GITHUB_TOKEN }}
+        # TODO (@Techassi): Remove, done by pre-commit
       - name: Run clippy manually without annotations
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: env.GITHUB_TOKEN == null
         run: cargo clippy --color never -q --all-targets -- -D warnings
 
+  # TODO (@Techassi): Can be done by pre-commit
   run_rustdoc:
     name: Run RustDoc
     runs-on: ubuntu-latest
@@ -182,16 +185,17 @@
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: recursive
-      - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c
+      - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
           components: rustfmt
-      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           key: doc
           cache-all-crates: "true"
       - run: cargo doc --document-private-items
 
+  # TODO (@Techassi): Remove, done by pre-commit
   run_tests:
     name: Run Cargo Tests
     runs-on: ubuntu-latest
@@ -205,10 +209,10 @@
         with:
           persist-credentials: false
           submodules: recursive
-      - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c
+      - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           key: test
           cache-all-crates: "true"
@@ -226,7 +230,7 @@
         with:
           persist-credentials: false
           submodules: recursive
-      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - name: Install jinja2-cli
@@ -266,14 +270,14 @@
           persist-credentials: false
           submodules: recursive
       - name: Set up Helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: v3.16.1
       - name: Set up cargo
-        uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c
+        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           key: charts
           cache-all-crates: "true"
@@ -304,6 +308,8 @@
       - name: log
         run: echo All tests have passed!
 
+  # TODO (@Techassi): Most of these publishing and signing tasks can be done by our own actions.
+  # Make use of them just like we do in docker-images.
   package_and_publish:
     name: Package Charts, Build Docker Image and publish them - ${{ matrix.runner }}
     needs:
@@ -334,12 +340,12 @@
         with:
           persist-credentials: false
           submodules: recursive
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-      - uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c
+      - uses: cachix/install-nix-action@754537aaedb35f72ab11a60cc162c49ef3016495 # v31.2.0
+      - uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0
         with:
           toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
           components: rustfmt
        # This step checks if the current run was triggered by a push to a pr (or a pr being created).
        # If this is the case it changes the version of this project in all Cargo.toml files to include the suffix
        # "-pr<prnumber>" so that the published artifacts can be linked to this PR.
      - uses: stackabletech/cargo-install-action@main
@@ -370,7 +376,7 @@
 
       # Recreate charts and publish charts and docker image.
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
       - name: Install syft
         uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
       - name: Build Docker image and Helm chart
@@ -415,7 +421,7 @@
       OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build"
     steps:
       - name: Install cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

diff --git a/.github/workflows/general_daily_security.yml b/.github/workflows/general_daily_security.yml
@@ -19,6 +19,6 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - uses: rustsec/audit-check@dd51754d4e59da7395a4cd9b593f0ff2d61a9b95 # v1.4.1
+      - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml
@@ -24,7 +24,7 @@ jobs:
           persist-credentials: false
           submodules: recursive
           fetch-depth: 0
-      - uses: stackabletech/actions/run-pre-commit@2d3d7ddad981ae09901d45a0f6bf30c2658b1b78 # v0.7.0
+      - uses: stackabletech/actions/run-pre-commit@4bfd3b65f22af597fe784599c077dc34bf5894a7 # v0.8.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           rust: ${{ env.RUST_TOOLCHAIN_VERSION }}

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -59,29 +59,38 @@ repos:
         name: regenerate-charts
         language: system
         entry: make regenerate-charts
-        stages: [pre-commit, pre-merge-commit, manual]
+        stages: [pre-commit, pre-merge-commit]
         pass_filenames: false
+        files: \.rs$|Cargo\.(toml|lock)
+
+      - id: regenerate-nix
+        name: regenerate-nix
+        language: system
+        entry: make regenerate-nix
+        stages: [pre-commit, pre-merge-commit]
+        pass_filename: false
+        files: Cargo\.lock
 
       - id: cargo-test
         name: cargo-test
         language: system
         entry: cargo test
-        stages: [pre-commit, pre-merge-commit, manual]
+        stages: [pre-commit, pre-merge-commit]
         pass_filenames: false
         files: \.rs$|Cargo\.(toml|lock)
 
       - id: cargo-rustfmt
         name: cargo-rustfmt
         language: system
         entry: cargo +nightly-2025-01-15 fmt --all -- --check
-        stages: [pre-commit]
+        stages: [pre-commit, pre-merge-commit]
         pass_filenames: false
         files: \.rs$
 
       - id: cargo-clippy
         name: cargo-clippy
         language: system
         entry: cargo clippy --all-targets -- -D warnings
-        stages: [pre-commit]
+        stages: [pre-commit, pre-merge-commit]
         pass_filenames: false
         files: \.rs$