Initial commit

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# See https://help.github.com/en/articles/about-code-owners
+# for more info about CODEOWNERS file.
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence.
+* @GoogleCloudPlatform/devrel-flagship-app-maintainers @yoshi-approver

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,43 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project,
+and in the interest of fostering an open and welcoming community,
+we pledge to respect all people who contribute through reporting issues,
+posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project
+a harassment-free experience for everyone,
+regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information,
+such as physical or electronic
+addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct.
+By adopting this Code of Conduct,
+project maintainers commit themselves to fairly and consistently
+applying these principles to every aspect of managing this project.
+Project maintainers who do not follow or enforce the Code of Conduct
+may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior
+may be reported by opening an issue
+or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0,
+available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

.github/CONTRIBUTING.md

@@ -0,0 +1,34 @@
+# How to Contribute
+
+Thank you so much for your interest in contributing to Online Boutique.
+Before contributing, you must:
+* Sign the [Contributor License Agreement (CLA)](#contributor-license-agreement).
+* Follow the [Google Open Source Community Guidelines](https://opensource.google.com/conduct/).
+* Follow the [Contribution Process](#contribution-process).
+
+## Contributor License Agreement
+
+Contributions to Online Boutique must be accompanied by a Contributor License
+Agreement (CLA). You (or your employer) retain the copyright to your contribution.
+The CLA gives us permission to use and redistribute your contributions as
+part of the project. Head over to <https://cla.developers.google.com/> to see
+your current agreements on file or to sign a new one.
+
+You generally only need to submit a CLA once, so if you've already submitted one
+(even if it was for a different project), you probably don't need to do it
+again.
+
+## Contribution Process
+
+Here's the process for making a change to this repository:
+
+1. Review Online Boutique's [purpose](/docs/purpose.md) and [product requirements](/docs/product-requirements.md).
+1. If your proposed changes **do not align** with the purpose and product requirements of Online Boutique, you may be asked to instead maintain your own fork of this repository.
+1. For **small changes** (such as a bug fixes or spelling corrections):
+    1. Fork this repository and submit a [pull request](https://help.github.com/articles/about-pull-requests/).
+    1. Wait for a maintainer of this repository to review your change.
+1. For **bigger changes**:
+    1. Create a [GitHub issue](https://github.com/GoogleCloudPlatform/microservices-demo/issues/new/choose) describing the change **before** working on the implementation. This is important to avoid potentially having to discard your development efforts.
+    1. Wait for a maintainer of this repository to review your GitHub issue. For significantly complex proposals, you may be asked to start a Google Doc to discuss design decisions.
+
+If you have any questions, please [create a GitHub issue](https://github.com/GoogleCloudPlatform/microservices-demo/issues/new/choose).

.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,34 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+### Describe the bug 
+<!-- A clear and concise description of what the bug is. -->
+
+### To Reproduce 
+<!-- Steps to reproduce the behavior: -->
+<!-- 1. Built image '...' -->
+<!-- 2. Ran command '....' -->
+<!-- 3. See error -->
+
+### Logs  
+<!-- Add logs to help explain your problem -->
+
+### Screenshots 
+<!-- If applicable, add screenshots to help explain your problem -->
+
+### Environment 
+<!--  - OS: [e.g. MacOS Big Sur v11.6] -->
+<!--  - Kubernetes distribution, version: [e.g. minikube, GKE (Standard or Autopilot), EKS, AWS ... ] -->
+<!--  - Any relevant tool version: [e.g. Docker v20.10.8] -->
+
+### Additional context 
+<!-- Add any other context about the problem here -->
+
+### Exposure 
+<!-- Is the bug intermittent, persistent? Is it widespread, local? -->

.github/ISSUE_TEMPLATE/feature-request.md

@@ -0,0 +1,14 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+### Describe request or inquiry 
+<!-- Add any other context about the problem or helpful links here! -->
+
+### What purpose/environment will this feature serve? 
+<!-- Add reasoning -->

.github/ISSUE_TEMPLATE/other.md

@@ -0,0 +1,10 @@
+---
+name: Other
+about: Have a question or need clarification?
+title: ''
+labels: ''
+assignees: ''
+
+---
+### Write down your inquiry 
+<!-- Write your question/inquiry here and any addition context -->

.github/SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+To report a security issue, please use [g.co/vulnz](https://g.co/vulnz).
+
+The Google Security Team will respond within 5 working days of your report on g.co/vulnz.
+
+We use g.co/vulnz for our intake, and do coordination and disclosure here using GitHub Security Advisory to privately discuss and fix the issue.

.github/auto-approve.yml

@@ -0,0 +1,23 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# https://github.com/googleapis/repo-automation-bots/tree/main/packages/auto-approve
+processes:
+  - "PythonDependency"
+  - "PythonSampleAppDependency"
+  - "JavaDependency"
+  - "JavaSampleAppDependency"
+  - "GoDependency"
+  - "NodeDependency"
+  - "DockerDependency"

.github/header-checker-lint.yml

@@ -0,0 +1,47 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file configures a GitHub Bot called "License Header Lint GCF": https://github.com/apps/license-header-lint-gcf
+# The bot runs a GitHub check called "header-check" (inside pull-requests) that warns us about invalid/missing license headers.
+# The schema for this configutation file is documented at https://github.com/googleapis/repo-automation-bots/tree/main/packages/header-checker-lint#header-checker-lint.
+
+allowedCopyrightHolders:
+  - 'Google LLC'
+
+allowedLicenses:
+  - 'Apache-2.0'
+
+# If you want to ignore certain files/folders, use ignoreFiles.
+# ignoreFiles:
+#  - '**/requirements.txt'
+
+# If you want to ignore checking the license year, use ignoreLicenseYear.
+# ignoreLicenseYear: true # Useful when migrating in code licensed at previous years.
+
+sourceFileExtensions:
+  - 'cs'
+  - 'css'
+  - 'Dockerfile'
+  - 'dockerignore'
+  - 'gitignore'
+  - 'go'
+  - 'html'
+  - 'java'
+  - 'js'
+  - 'proto'
+  - 'py'
+  - 'sh'
+  - 'tf'
+  - 'yaml'
+  - 'yml'

.github/pull_request_template.md

@@ -0,0 +1,16 @@
+### Background 
+<!-- What was happening before this PR, and the problem(s) it solves -->
+
+### Fixes 
+<!-- Link the issue(s) this PR fixes-->
+### Change Summary
+<!-- Short summary of the changes submitted -->
+
+### Additional Notes
+<!-- Any remaining concerns -->
+
+### Testing Procedure
+<!-- If applicable, write how to test for reviewers-->
+
+### Related PRs or Issues 
+<!-- Dependent PRs, or any relevant linked issues -->

.github/release-cluster/README.md

@@ -0,0 +1,75 @@
+# cymbal-shops.retail.cymbal.dev manifests
+
+This directory contains extra deploy manifests for configuring Online Boutique solution on GKE for cymbal-shops.retail.cymbal.dev.
+
+_Note: before moving forward, the Online Boutique apps should already be deployed [on the online-boutique-release GKE cluster](/docs/releasing#10-deploy-releasekubernetes-manifestsyaml-to-our-online-boutique-release-gke-cluster)._
+
+## Public static IP address
+
+Create the static public IP address:
+```
+STATIC_IP_NAME=online-boutique-ip # name hard-coded in: frontend-ingress.yaml
+gcloud compute addresses create $STATIC_IP_NAME --global
+```
+
+When ready to do so, you could grab this public IP address and update your DNS:
+```
+gcloud compute addresses describe $STATIC_IP_NAME \
+    --global \
+    --format "value(address)"
+```
+
+## Cloud Armor
+
+Set up Cloud Armor:
+```
+SECURITY_POLICY_NAME=online-boutique-security-policy # Name hard-coded in: backendconfig.yaml
+gcloud compute security-policies create $SECURITY_POLICY_NAME \
+    --description "Block various attacks"
+gcloud compute security-policies rules create 1000 \
+    --security-policy $SECURITY_POLICY_NAME \
+    --expression "evaluatePreconfiguredExpr('xss-stable')" \
+    --action "deny-403" \
+    --description "XSS attack filtering"
+gcloud compute security-policies rules create 12345 \
+    --security-policy $SECURITY_POLICY_NAME \
+    --expression "evaluatePreconfiguredExpr('cve-canary')" \
+    --action "deny-403" \
+    --description "CVE-2021-44228 and CVE-2021-45046"
+gcloud compute security-policies update $SECURITY_POLICY_NAME \
+    --enable-layer7-ddos-defense
+gcloud compute security-policies update $SECURITY_POLICY_NAME \
+    --log-level=VERBOSE
+```
+
+## SSL Policy
+
+Set up an SSL policy in order to later set up a redirect from HTTP to HTTPs:
+```
+SSL_POLICY_NAME=online-boutique-ssl-policy # Name hard-coded in: frontendconfig.yaml
+gcloud compute ssl-policies create $SSL_POLICY_NAME \
+    --profile COMPATIBLE  \
+    --min-tls-version 1.0
+```
+
+## Deploy Kubernetes manifests
+
+Deploy the Kubernetes manifests in this current folder:
+```
+kubectl apply -f .
+```
+
+Wait for the `ManagedCertificate` to be provisioned. This usually takes about 30 minutes.
+```
+kubectl get managedcertificates
+```
+
+Remove the default `LoadBalancer` `Service` not used at this point:
+```
+kubectl delete service frontend-external
+```
+
+Remove the `loadgenerator` `Deployment` not used at this point:
+```
+kubectl delete deployment loadgenerator
+```

.github/release-cluster/backend-config.yaml

@@ -0,0 +1,21 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+  name: frontend-backend-config
+spec:
+  securityPolicy:
+    name: online-boutique-security-policy

.github/release-cluster/frontend-config.yaml

@@ -0,0 +1,23 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: frontend-frontend-config
+spec:
+  sslPolicy: online-boutique-ssl-policy
+  redirectToHttps:
+    enabled: true
+    responseCodeName: MOVED_PERMANENTLY_DEFAULT

.github/release-cluster/frontend-ingress.yaml

@@ -0,0 +1,38 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: frontend-ingress
+  annotations:
+    kubernetes.io/ingress.global-static-ip-name: online-boutique-ip
+    networking.gke.io/managed-certificates: online-boutique-certificate
+    networking.gke.io/v1beta1.FrontendConfig: frontend-frontend-config
+spec:
+  defaultBackend:
+    service:
+      name: frontend
+      port:
+        number: 80
+  rules:
+  - http:
+      paths:
+      - path: /*
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: frontend
+            port:
+              number: 80

.github/release-cluster/frontend-service.yaml

@@ -0,0 +1,29 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+  annotations:
+    cloud.google.com/neg: '{"ingress": true}'
+    cloud.google.com/backend-config: '{"default": "frontend-backend-config"}'
+spec:
+  type: ClusterIP
+  selector:
+    app: frontend
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080

.github/release-cluster/managed-cert.yaml

@@ -0,0 +1,21 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: online-boutique-certificate
+spec:
+  domains:
+    - cymbal-shops.retail.cymbal.dev

.github/renovate.json5

@@ -0,0 +1,27 @@
+{
+  extends: [
+    'github>GoogleCloudPlatform/kubernetes-engine-samples//.github/renovate-configs/dee-platform-ops.json5',
+    'schedule:earlyMondays',
+  ],
+  'pip-compile': {
+    enabled: true,
+    managerFilePatterns: [
+      '/(^|/)requirements\\.txt$/',
+    ],
+  },
+  pip_requirements: {
+    enabled: false,
+  },
+  constraints: {
+    python: '~=3.11.0',
+  },
+  kubernetes: {
+    managerFilePatterns: [
+      '/\\.yaml$/',
+    ],
+    ignorePaths: [
+      'release/**',
+      'kustomize/base/**',
+    ],
+  },
+}

.github/snippet-bot.yml

@@ -0,0 +1,14 @@
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

.github/terraform/README.md

@@ -0,0 +1,15 @@
+This folder contains the Terraform for some of the infrastructure used by the CICD (continuous integration and continuous delivery/continuous deployment) of this repository.
+
+## Update this Terraform
+
+To make changes to this Terraform, follow these steps:
+
+1. Make sure you have access to the `online-boutique-ci` Google Cloud project.
+1. Move into this folder: `cd .github/terraform`
+1. Set the PROJECT_ID environment variable: `export PROJECT_ID=online-boutique-ci`
+1. Prepare Terraform and download the necessary Terraform dependencies (such as the "hashicorp/google" Terraform provider): `terraform init`
+1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
+    * Ideally, you would see `Apply complete! Resources: 0 added, 0 changed, 0 destroyed.` in the output.
+1. Make your desired changes to the Terraform code.
+1. Apply the Terraform: `terraform apply -var project_id=${PROJECT_ID}`
+    * This time, Terraform will prompt you confirm your changes before applying them.

.github/terraform/main.tf

@@ -0,0 +1,116 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# Set defaults for the google Terraform provider.
+provider "google" {
+  project = var.project_id
+  region  = "us-central1"
+  zone    = "us-central1-a"
+}
+
+terraform {
+  # Store the state inside a Google Cloud Storage bucket.
+  backend "gcs" {
+    bucket = "cicd-terraform-state"
+    prefix = "terraform-state"
+  }
+}
+
+# Enable Google Cloud APIs.
+module "enable_google_apis" {
+  source                      = "terraform-google-modules/project-factory/google//modules/project_services"
+  version                     = "~> 18.0"
+  disable_services_on_destroy = false
+  activate_apis = [
+    "cloudresourcemanager.googleapis.com",
+    "container.googleapis.com",
+    "iam.googleapis.com",
+    "storage.googleapis.com",
+  ]
+  project_id = var.project_id
+}
+
+# Google Cloud Storage for storing Terraform state (.tfstate).
+resource "google_storage_bucket" "terraform_state_storage_bucket" {
+  name                        = "cicd-terraform-state"
+  location                    = "us"
+  storage_class               = "STANDARD"
+  force_destroy               = false
+  public_access_prevention    = "enforced"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = true
+  }
+}
+
+# Google Cloud IAM service account for GKE clusters.
+# We avoid using the Compute Engine default service account because it's too permissive.
+resource "google_service_account" "gke_clusters_service_account" {
+  account_id   = "gke-clusters-service-account"
+  display_name = "My Service Account"
+  depends_on = [
+    module.enable_google_apis
+  ]
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_metric_writer" {
+  project = var.project_id
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_logging_writer" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_monitoring_viewer" {
+  project = var.project_id
+  role    = "roles/monitoring.viewer"
+  member  = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+resource "google_project_iam_member" "gke_clusters_service_account_role_stackdriver_writer" {
+  project = var.project_id
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = "serviceAccount:${google_service_account.gke_clusters_service_account.email}"
+}
+
+# The GKE cluster used for pull-request (PR) staging deployments.
+resource "google_container_cluster" "prs_gke_cluster" {
+  name                = "prs-gke-cluster"
+  location            = "us-central1"
+  enable_autopilot    = true
+  project             = var.project_id
+  deletion_protection = true
+  depends_on = [
+    module.enable_google_apis
+  ]
+  cluster_autoscaling {
+    auto_provisioning_defaults {
+      service_account = google_service_account.gke_clusters_service_account.email
+    }
+  }
+  # Need an empty ip_allocation_policy to overcome an error related to autopilot node pool constraints.
+  # Workaround from https://github.com/hashicorp/terraform-provider-google/issues/10782#issuecomment-1024488630
+  ip_allocation_policy {
+  }
+}

.github/terraform/variables.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# This file lists variables that you can set using the -var flag during "terraform apply".
+# Example: terraform apply -var project_id="${PROJECT_ID}"
+
+variable "project_id" {
+  type        = string
+  description = "The Google Cloud project ID."
+}

.github/terraform/versions.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 7.0"
+    }
+  }
+}

.github/workflows/README.md

@@ -0,0 +1,65 @@
+# GitHub Actions Workflows
+
+This page describes the CI/CD workflows for the Online Boutique app, which run in [Github Actions](https://github.com/GoogleCloudPlatform/microservices-demo/actions).
+
+## Infrastructure
+
+The CI/CD pipelines for Online Boutique run in Github Actions, using a pool of two [self-hosted runners]((https://help.github.com/en/actions/automating-your-workflow-with-github-actions/about-self-hosted-runners)). These runners are GCE instances (virtual machines) that, for every open Pull Request in the repo, run the code test pipeline, deploy test pipeline, and (on main) deploy the latest version of the app to [cymbal-shops.retail.cymbal.dev](https://cymbal-shops.retail.cymbal.dev)
+
+We also host a test GKE cluster, which is where the deploy tests run. Every PR has its own namespace in the cluster.
+
+## Workflows
+
+**Note**: In order for the current CI/CD setup to work on your pull request, you must branch directly off the repo (no forks). This is because the Github secrets necessary for these tests aren't copied over when you fork.
+
+### Code Tests - [ci-pr.yaml](ci-pr.yaml)
+
+These tests run on every commit for every open PR, as well as any commit to main / any release branch. Currently, this workflow runs only Go unit tests.
+
+
+### Deploy Tests- [ci-pr.yaml](ci-pr.yaml)
+
+These tests run on every commit for every open PR, as well as any commit to main / any release branch. This workflow:
+
+1. Creates a dedicated GKE namespace for that PR, if it doesn't already exist, in the PR GKE cluster.
+2. Uses `skaffold run` to build and push the images specific to that PR commit. Then skaffold deploys those images, via `kubernetes-manifests`, to the PR namespace in the test cluster.
+3. Tests to make sure all the pods start up and become ready.
+4. Gets the LoadBalancer IP for the frontend service.
+5. Comments that IP in the pull request, for staging.
+
+### Push and Deploy Latest - [push-deploy](push-deploy.yml)
+
+This is the Continuous Deployment workflow, and it runs on every commit to the main branch. This workflow:
+
+1. Builds the container images for every service, tagging as `latest`.
+2. Pushes those images to Google Container Registry.
+
+Note that this workflow does not update the image tags used in `release/kubernetes-manifests.yaml` - these release manifests are tied to a stable `v0.x.x` release.
+
+### Cleanup - [cleanup.yaml](cleanup.yaml)
+
+This workflow runs when a PR closes, regardless of whether it was merged into main. This workflow deletes the PR-specific GKE namespace in the test cluster.
+
+## Appendix - Creating a new Actions runner
+
+Should one of the two self-hosted Github Actions runners (GCE instances) fail, or you want to add more runner capacity, this is how to provision a new runner. Note that you need IAM access to the admin Online Boutique GCP project in order to do this.
+
+1. Create a GCE instance.
+    - VM should be at least n1-standard-4 with 50GB persistent disk
+    - VM should use custom service account with permissions to: access a GKE cluster, create GCS storage buckets, and push to GCR.
+2. SSH into new VM through the Google Cloud Console.
+3. Install project-specific dependencies, including go, docker, skaffold, and kubectl:
+
+```
+wget -O - https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/main/.github/workflows/install-dependencies.sh | bash
+```
+
+The instance will restart when the script completes in order to finish the Docker install.
+
+4. SSH back into the VM.
+
+5. Follow the instructions to add a new runner on the [Actions Settings page](https://github.com/GoogleCloudPlatform/microservices-demo/settings/actions) to authenticate the new runner
+6. Start GitHub Actions as a background service:
+```
+sudo ~/actions-runner/svc.sh install ; sudo ~/actions-runner/svc.sh start
+```

.github/workflows/ci-main.yaml

@@ -0,0 +1,122 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Continuous Integration - Main/Release"
+on:
+  push:
+    # run on pushes to main or release/*
+    branches:
+      - main
+      - release/*
+    paths-ignore:
+      - '**/README.md'
+      - 'kustomize/**'
+      - '.github/workflows/kustomize-build-ci.yaml'
+      - 'terraform/**'
+      - '.github/workflows/terraform-validate-ci.yaml'
+      - 'helm-chart/**'
+      - '.github/workflows/helm-chart-ci.yaml'
+jobs:
+  code-tests:
+    runs-on: [self-hosted, is-enabled]
+    steps:
+    - uses: actions/checkout@v6
+    - uses: actions/setup-dotnet@v5
+      env:
+        DOTNET_INSTALL_DIR: "./.dotnet"
+      with:
+        dotnet-version: '10.0'
+    - uses: actions/setup-go@v6
+      with:
+        go-version: '1.25'
+    - name: Go Unit Tests
+      timeout-minutes: 10
+      run: |
+        for SERVICE in "shippingservice" "productcatalogservice"; do
+          echo "testing $SERVICE..."
+          pushd src/$SERVICE
+          go test
+          popd
+        done
+    - name: C# Unit Tests
+      timeout-minutes: 10
+      run: |
+        dotnet test src/cartservice/
+  deployment-tests:
+    runs-on: [self-hosted, is-enabled]
+    needs: code-tests
+    strategy:
+      matrix:
+        profile: ["local-code"]
+      fail-fast: true
+    steps:
+    - uses: actions/checkout@v6
+    - name: Build + Deploy PR images to GKE
+      timeout-minutes: 20
+      run: |
+        PR_NUMBER=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')
+        NAMESPACE="pr${PR_NUMBER}"
+        echo "::set-env name=NAMESPACE::$NAMESPACE"
+        echo "::set-env name=PR_NUMBER::$PR_NUMBER"
+
+        yes | gcloud auth configure-docker us-docker.pkg.dev
+        gcloud container clusters get-credentials $PR_CLUSTER --region $REGION --project $PROJECT_ID
+        cat <<EOF | kubectl apply -f -
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: $NAMESPACE
+        EOF
+        echo Deploying application
+        skaffold config set --global local-cluster false
+        skaffold run --default-repo=us-docker.pkg.dev/$PROJECT_ID/$GITHUB_REF --tag=$GITHUB_SHA --namespace=$NAMESPACE -p network-policies
+      env:
+        ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+        PROJECT_ID: "online-boutique-ci"
+        PR_CLUSTER: "prs-gke-cluster"
+        REGION: "us-central1"
+    - name: Wait For Pods
+      timeout-minutes: 20
+      run: |
+        set -x
+        kubectl config set-context --current --namespace=$NAMESPACE
+        kubectl wait --for=condition=available --timeout=1000s deployment/redis-cart
+        kubectl wait --for=condition=available --timeout=1000s deployment/adservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/cartservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/checkoutservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/currencyservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/emailservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/frontend
+        kubectl wait --for=condition=available --timeout=1000s deployment/loadgenerator
+        kubectl wait --for=condition=available --timeout=1000s deployment/paymentservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/productcatalogservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/recommendationservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/shippingservice
+    - name: Smoke Test
+      timeout-minutes: 5
+      run: |
+        set -x
+        # start fresh loadgenerator pod
+        kubectl delete pod -l app=loadgenerator
+        # wait for requests to come in
+        REQUEST_COUNT="0"
+        while [[ "$REQUEST_COUNT"  -lt "50"  ]]; do
+            sleep 5
+            REQUEST_COUNT=$(kubectl logs -l app=loadgenerator | grep Aggregated | awk '{print $2}')
+        done
+        # ensure there are no errors hitting endpoints
+        ERROR_COUNT=$(kubectl logs -l app=loadgenerator | grep Aggregated | awk '{print $3}' | sed "s/[(][^)]*[)]//g")
+        if [[ "$ERROR_COUNT" -gt "0" ]]; then
+          exit 1
+        fi

.github/workflows/ci-pr.yaml

@@ -0,0 +1,158 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Continuous Integration - Pull Request"
+on:
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - '**/README.md'
+      - 'kustomize/**'
+      - '.github/workflows/kustomize-build-ci.yaml'
+      - 'terraform/**'
+      - '.github/workflows/terraform-validate-ci.yaml'
+      - 'helm-chart/**'
+      - '.github/workflows/helm-chart-ci.yaml'
+
+# Ensure this workflow only runs for the most recent commit of a pull-request
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  code-tests:
+    runs-on: [self-hosted, is-enabled]
+    steps:
+    - uses: actions/checkout@v6
+    - uses: actions/setup-dotnet@v5
+      env:
+        DOTNET_INSTALL_DIR: "./.dotnet"
+      with:
+        dotnet-version: '10.0'
+    - uses: actions/setup-go@v6
+      with:
+        go-version: '1.25'
+    - name: Go Unit Tests
+      timeout-minutes: 10
+      run: |
+        for GO_PACKAGE in "shippingservice" "productcatalogservice" "frontend/validator"; do
+          echo "Testing $GO_PACKAGE..."
+          pushd src/$GO_PACKAGE
+          go test
+          popd
+        done
+    - name: C# Unit Tests
+      timeout-minutes: 10
+      run: |
+        dotnet test src/cartservice/
+
+  deployment-tests:
+    runs-on: [self-hosted, is-enabled]
+    needs: code-tests
+    strategy:
+      matrix:
+        profile: ["local-code"]
+      fail-fast: true
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        ref: ${{github.event.pull_request.head.sha}}
+    - name: Build + Deploy PR images to GKE
+      timeout-minutes: 20
+      run: |
+        NAMESPACE="pr${PR_NUMBER}"
+        echo "::set-env name=NAMESPACE::$NAMESPACE"
+
+        yes | gcloud auth configure-docker us-docker.pkg.dev
+        gcloud container clusters get-credentials $PR_CLUSTER --region $REGION --project $PROJECT_ID
+        cat <<EOF | kubectl apply -f -
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: $NAMESPACE
+        EOF
+        echo Deploying application
+        skaffold config set --global local-cluster false
+        skaffold run --default-repo=us-docker.pkg.dev/$PROJECT_ID/refs/pull/$PR_NUMBER --tag=$PR_NUMBER --namespace=$NAMESPACE -p network-policies
+      env:
+        ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+        PROJECT_ID: "online-boutique-ci"
+        PR_CLUSTER: "prs-gke-cluster"
+        REGION: "us-central1"
+    - name: Wait For Pods
+      timeout-minutes: 20
+      run: |
+        set -x
+        kubectl config set-context --current --namespace=$NAMESPACE
+        kubectl wait --for=condition=available --timeout=1000s deployment/redis-cart
+        kubectl wait --for=condition=available --timeout=1000s deployment/adservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/cartservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/checkoutservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/currencyservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/emailservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/frontend
+        kubectl wait --for=condition=available --timeout=1000s deployment/loadgenerator
+        kubectl wait --for=condition=available --timeout=1000s deployment/paymentservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/productcatalogservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/recommendationservice
+        kubectl wait --for=condition=available --timeout=1000s deployment/shippingservice
+    - name: Query EXTERNAL_IP for staging
+      timeout-minutes: 5
+      run: |
+        set -x
+        NAMESPACE="pr${PR_NUMBER}"
+        get_externalIP() {
+          kubectl get service frontend-external --namespace $NAMESPACE -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
+        }
+        until [[ -n "$(get_externalIP)" ]]; do
+          echo "Querying for external IP for frontend-external on namespace: $NAMESPACE{}"
+        sleep 3
+        done
+        EXTERNAL_IP=$(get_externalIP)
+        echo "::set-env name=EXTERNAL_IP::$EXTERNAL_IP"
+      env:
+        ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+    - name: Smoke Test
+      timeout-minutes: 5
+      run: |
+        set -x
+        # start fresh loadgenerator pod
+        kubectl delete pod -l app=loadgenerator
+        # wait for requests to come in
+        REQUEST_COUNT="0"
+        while [[ "$REQUEST_COUNT"  -lt "50"  ]]; do
+            sleep 5
+            REQUEST_COUNT=$(kubectl logs -l app=loadgenerator | grep Aggregated | awk '{print $2}')
+        done
+        # ensure there are no errors hitting endpoints
+        ERROR_COUNT=$(kubectl logs -l app=loadgenerator | grep Aggregated | awk '{print $3}' | sed "s/[(][^)]*[)]//g")
+        if [[ "$ERROR_COUNT" -gt "0" ]]; then
+          exit 1
+        fi
+    - name: Comment EXTERNAL_IP
+      timeout-minutes: 5
+      env:
+          COMMENTS_URL: ${{ github.event.pull_request.comments_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+          curl \
+            -X POST \
+            $COMMENTS_URL \
+            -H "Content-Type: application/json" \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            --data '{ "body": "🚲 PR staged at '"http://${EXTERNAL_IP}"'"}'
+          sleep 60

.github/workflows/cleanup.yaml

@@ -0,0 +1,44 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Clean up deployment"
+on:
+  pull_request:
+    # run on pull requests targeting main
+    branches:
+      - main
+    types: closed
+    paths-ignore:
+      - '**/README.md'
+      - 'kustomize/**'
+      - '.github/workflows/kustomize-build-ci.yaml'
+      - 'terraform/**'
+      - '.github/workflows/terraform-validate-ci.yaml'
+jobs:
+  cleanup-namespace:
+    runs-on: [self-hosted, is-enabled]
+    steps:
+      - name: Delete PR namespace in staging cluster
+        if: ${{ always() }}
+        timeout-minutes: 20
+        run: |
+          gcloud container clusters get-credentials $PR_CLUSTER \
+              --region $REGION --project $PROJECT_ID
+          NAMESPACE="pr${PR_NUMBER}"
+          kubectl delete namespace $NAMESPACE
+        env:
+          PROJECT_ID: "online-boutique-ci"
+          PR_CLUSTER: "prs-gke-cluster"
+          REGION: "us-central1"
+          PR_NUMBER: ${{ github.event.number }}

.github/workflows/helm-chart-ci.yaml

@@ -0,0 +1,107 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: helm-chart-ci
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'helm-chart/**'
+      - '.github/workflows/helm-chart-ci.yaml'
+  pull_request:
+    paths:
+      - 'helm-chart/**'
+      - '.github/workflows/helm-chart-ci.yaml'
+jobs:
+  helm-chart-ci:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - name: helm lint
+        run: |
+          cd helm-chart/
+          helm lint --strict
+      - name: helm template default
+        run: |
+          cd helm-chart/
+          helm template . > helm-template.yaml
+          cat helm-template.yaml 
+          kustomize create --resources helm-template.yaml
+          kustomize build .
+      - name: helm template grpc health probes
+        run: |
+          # Test related to https://medium.com/google-cloud/b5bd26253a4c
+          cd helm-chart/
+          SPANNER_CONNECTION_STRING=projects/PROJECT_ID/instances/SPANNER_INSTANCE_NAME/databases/SPANNER_DATABASE_NAME
+          helm template . \
+            --set nativeGrpcHealthCheck=true \
+            -n onlineboutique \
+            > helm-template.yaml
+          cat helm-template.yaml
+          kustomize build .
+      - name: helm template spanner
+        run: |
+          # Test related to https://medium.com/google-cloud/f7248e077339
+          cd helm-chart/
+          SPANNER_CONNECTION_STRING=projects/PROJECT_ID/instances/SPANNER_INSTANCE_NAME/databases/SPANNER_DATABASE_NAME
+          SPANNER_DB_USER_GSA_ID=spanner-db-user@my-project.iam.gserviceaccount.com
+          helm template . \
+            --set cartDatabase.inClusterRedis.create=false \
+            --set cartDatabase.type=spanner \
+            --set cartDatabase.connectionString=${SPANNER_CONNECTION_STRING} \
+            --set serviceAccounts.create=true \
+            --set serviceAccounts.annotationsOnlyForCartservice=true \
+            --set "serviceAccounts.annotations.iam\.gke\.io/gcp-service-account=${SPANNER_DB_USER_GSA_ID}" \
+            -n onlineboutique \
+            > helm-template.yaml
+          cat helm-template.yaml
+          kustomize build .
+      - name: helm template asm
+        run: |
+          # Test related to https://medium.com/google-cloud/246119e46d53
+          cd helm-chart/
+          helm template . \
+            --set networkPolicies.create=true \
+            --set sidecars.create=true \
+            --set serviceAccounts.create=true \
+            --set authorizationPolicies.create=true \
+            --set frontend.externalService=false \
+            --set frontend.virtualService.create=true \
+            --set frontend.virtualService.gateway.name=asm-ingressgateway \
+            --set frontend.virtualService.gateway.namespace=asm-ingress \
+            --set frontend.virtualService.gateway.labelKey=asm \
+            --set frontend.virtualService.gateway.labelValue=ingressgateway \
+            -n onlineboutique \
+            > helm-template.yaml
+          cat helm-template.yaml
+          kustomize build .
+      - name: helm template memorystore istio tls origination
+        run: |
+          # Test related to https://medium.com/google-cloud/64b71969318d
+          cd helm-chart/
+          REDIS_IP=0.0.0.0
+          REDIS_PORT=7378
+          REDIS_CERT=dsjfgkldsjflkdsjflksdajfkldsjkfljsdaklfjaskjfakdsjfaklsdjflskadjfklasjfkls
+          helm template . \
+            --set cartDatabase.inClusterRedis.create=false \
+            --set cartDatabase.connectionString=${REDIS_IP}:${REDIS_PORT} \
+            --set cartDatabase.externalRedisTlsOrigination.enable=true \
+            --set cartDatabase.externalRedisTlsOrigination.certificate="${REDIS_CERT}" \
+            --set cartDatabase.externalRedisTlsOrigination.endpointAddress=${REDIS_IP} \
+            --set cartDatabase.externalRedisTlsOrigination.endpointPort=${REDIS_PORT} \
+            -n onlineboutique \
+            > helm-template.yaml
+          cat helm-template.yaml
+          kustomize build .

.github/workflows/install-dependencies.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+# install wget
+sudo apt install -y wget
+
+# install dotnet CLI
+sudo apt-get update
+sudo apt-get install wget
+wget -O - https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.asc.gpg
+sudo mv microsoft.asc.gpg /etc/apt/trusted.gpg.d/
+wget https://packages.microsoft.com/config/debian/9/prod.list
+sudo mv prod.list /etc/apt/sources.list.d/microsoft-prod.list
+sudo chown root:root /etc/apt/trusted.gpg.d/microsoft.asc.gpg
+sudo chown root:root /etc/apt/sources.list.d/microsoft-prod.list
+
+sudo apt-get install -y apt-transport-https && \
+sudo apt-get update && \
+sudo apt-get install -y dotnet-sdk-10.0
+echo "✅ dotnet installed"
+
+# install kubectl
+sudo apt-get install -yqq kubectl git
+echo "✅ kubectl installed"
+
+# install go
+wget https://golang.org/dl/go1.25.linux-amd64.tar.gz
+sudo tar -C /usr/local -xzf go1.25.linux-amd64.tar.gz
+echo 'export GOPATH=$HOME/go' >> ~/.profile
+echo 'export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin' >> ~/.profile
+source ~/.profile
+echo "✅ golang installed"
+
+# install build-essential (gcc, used for go test)
+sudo apt install -y build-essential
+
+# install addlicense
+go install github.com/google/addlicense@latest
+sudo ln -s $HOME/go/bin/addlicense /bin
+
+# install build-essential (gcc, used for go test)
+sudo apt install -y build-essential
+
+# install skaffold
+curl -Lo skaffold https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-amd64 && \
+chmod +x skaffold && \
+sudo mv skaffold /usr/local/bin
+echo "✅ skaffold installed"
+
+# install docker
+sudo apt install -yqq apt-transport-https ca-certificates curl gnupg2 software-properties-common && \
+curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - && \
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" && \
+sudo apt-get update && \
+sudo apt-get install -yqq docker-ce && \
+sudo usermod -aG docker ${USER}
+echo "✅ docker installed, rebooting..."
+
+# reboot for docker setup
+sudo reboot

.github/workflows/kubevious-manifests-ci.yaml

@@ -0,0 +1,56 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: kubevious-manifests-ci
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'helm-chart/**'
+      - 'kustomize/**'
+      - '.github/workflows/kubevious-manifests-ci.yaml'
+  pull_request:
+    paths:
+      - 'helm-chart/**'
+      - 'kustomize/**'
+      - '.github/workflows/kubevious-manifests-ci.yaml'
+permissions:
+  contents: read
+jobs:
+  kubevious-manifests-ci:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 1
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Validate kubernetes-manifests
+        id: kubernetes-manifests-validation
+        uses: kubevious/cli@v1.0.64
+        with:
+          manifests: kubernetes-manifests
+          skip_rules: container-latest-image
+
+      - name: Validate helm-chart
+        id: helm-chart-validation
+        uses: kubevious/cli@v1.0.64
+        with:
+          manifests: helm-chart
+
+      - name: Validate kustomize
+        id: kustomize-validation
+        uses: kubevious/cli@v1.0.64
+        with:
+          manifests: kustomize
+          skip_rules: container-latest-image

.github/workflows/kustomize-build-ci.yaml

@@ -0,0 +1,45 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: kustomize-build-ci
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'kustomize/**'
+      - '.github/workflows/kustomize-build-ci.yaml'
+  pull_request:
+    paths:
+      - 'kustomize/**'
+      - '.github/workflows/kustomize-build-ci.yaml'
+jobs:
+  kustomize-build-ci:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - name: kustomize build base
+        run: |
+          cd kustomize/
+          kubectl kustomize .
+      # Build the different combinations of Kustomize components found in kustomize/tests.
+      - name: kustomize build tests
+        run: |
+          cd kustomize/tests
+          KUSTOMIZE_TESTS_SUBFOLDERS=$(ls -d */)
+          for test in $KUSTOMIZE_TESTS_SUBFOLDERS;
+          do
+              echo "## kustomize build for " + $test
+              kustomize build $test
+          done

.github/workflows/terraform-validate-ci.yaml

@@ -0,0 +1,37 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: terraform-validate-ci
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'terraform/**'
+      - '.github/workflows/terraform-validate-ci.yaml'
+  pull_request:
+    paths:
+      - 'terraform/**'
+      - '.github/workflows/terraform-validate-ci.yaml'
+jobs:
+  terraform-validate-ci:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - uses: hashicorp/setup-terraform@v3
+      - name: terraform init & validate
+        run: |
+          cd terraform/
+          terraform init -backend=false
+          terraform validate