Enable github actions for REL_5_8

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,60 @@
+---
+name: Report a Bug
+about: Found an issue? Let us fix it.
+---
+
+Please ensure you do the following when reporting a bug:
+
+- [ ] Provide a concise description of what the bug is.
+- [ ] Provide information about your environment.
+- [ ] Provide clear steps to reproduce the bug.
+- [ ] Attach applicable logs. Please do not attach screenshots showing logs unless you are unable to copy and paste the log data.
+- [ ] Ensure any code / output examples are [properly formatted](https://docs.github.com/en/github/writing-on-github/basic-writing-and-formatting-syntax#quoting-code) for legibility.
+
+Note that some logs needed to troubleshoot may be found in the `/pgdata/<CLUSTERNAME>/pg_log` directory on your Postgres instance.
+
+An incomplete bug report can lead to delays in resolving the issue or the closing of a ticket, so please be as detailed as possible.
+
+If you are looking for [general support](https://access.crunchydata.com/documentation/postgres-operator/latest/support/), please view the [support](https://access.crunchydata.com/documentation/postgres-operator/latest/support/) page for where you can ask questions.
+
+Thanks for reporting the issue, we're looking forward to helping you!
+
+## Overview
+
+Add a concise description of what the bug is.
+
+## Environment
+
+Please provide the following details:
+
+- Platform: (`Kubernetes`, `OpenShift`, `Rancher`, `GKE`, `EKS`, `AKS` etc.)
+- Platform Version: (e.g. `1.20.3`, `4.7.0`)
+- PGO Image Tag: (e.g. `ubi8-5.x.y-0`)
+- Postgres Version (e.g. `15`)
+- Storage: (e.g. `hostpath`, `nfs`, or the name of your storage class)
+
+## Steps to Reproduce
+
+### REPRO
+
+Provide steps to get to the error condition:
+
+1. Run `...`
+1. Do `...`
+1. Try `...`
+
+### EXPECTED
+
+1. Provide the behavior that you expected.
+
+### ACTUAL
+
+1. Describe what actually happens
+
+## Logs
+
+Please provided appropriate log output or any configuration files that may help troubleshoot the issue. **DO NOT** include sensitive information, such as passwords.
+
+## Additional Information
+
+Please provide any additional information that may be helpful.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,42 @@
+---
+name: Feature Request
+about: Help us improve PGO!
+---
+
+Have an idea to improve PGO? We'd love to hear it! We're going to need some information from you to learn more about your feature requests.
+
+Please be sure you've done the following:
+
+- [ ] Provide a concise description of your feature request.
+- [ ] Describe your use case. Detail the problem you are trying to solve.
+- [ ] Describe how you envision that the feature would work.
+- [ ] Provide general information about your current PGO environment.
+
+## Overview
+
+Provide a concise description of your feature request.
+
+## Use Case
+
+Describe your use case. Why do you want this feature? What problem will it solve? Why will it help you? Why will it make it easier to use PGO?
+
+## Desired Behavior
+
+Describe how the feature would work. How do you envision interfacing with it?
+
+## Environment
+
+Tell us about your environment:
+
+Please provide the following details:
+
+- Platform: (`Kubernetes`, `OpenShift`, `Rancher`, `GKE`, `EKS`, `AKS` etc.)
+- Platform Version: (e.g. `1.20.3`, `4.7.0`)
+- PGO Image Tag: (e.g. `ubi8-5.x.y-0`)
+- Postgres Version (e.g. `15`)
+- Storage: (e.g. `hostpath`, `nfs`, or the name of your storage class)
+- Number of Postgres clusters: (`XYZ`)
+
+## Additional Information
+
+Please provide any additional information that may be helpful.

.github/ISSUE_TEMPLATE/support---question-and-answer.md

@@ -0,0 +1,35 @@
+---
+name: Support
+about: "Learn how to interact with the PGO community"
+---
+
+If you believe you have found have found a bug, please open up [Bug Report](https://github.com/CrunchyData/postgres-operator/issues/new?template=bug_report.md)
+
+If you have a feature request, please open up a [Feature Request](https://github.com/CrunchyData/postgres-operator/issues/new?template=feature_request.md)
+
+You can find information about general PGO [support](https://access.crunchydata.com/documentation/postgres-operator/latest/support/) at:
+
+[https://access.crunchydata.com/documentation/postgres-operator/latest/support/](https://access.crunchydata.com/documentation/postgres-operator/latest/support/)
+
+## Questions
+
+For questions that are neither bugs nor feature requests, please be sure to
+
+- [ ] Provide information about your environment (see below for more information).
+- [ ] Provide any steps or other relevant details related to your question.
+- [ ] Attach logs, where applicable. Please do not attach screenshots showing logs unless you are unable to copy and paste the log data.
+- [ ] Ensure any code / output examples are [properly formatted](https://docs.github.com/en/github/writing-on-github/basic-writing-and-formatting-syntax#quoting-code) for legibility.
+
+Besides Pod logs, logs may also be found in the `/pgdata/pg<MAJOR_VERSION>/log` directory on your Postgres instance.
+
+If you are looking for [general support](https://access.crunchydata.com/documentation/postgres-operator/latest/support/), please view the [support](https://access.crunchydata.com/documentation/postgres-operator/latest/support/) page for where you can ask questions.
+
+### Environment
+
+Please provide the following details:
+
+- Platform: (`Kubernetes`, `OpenShift`, `Rancher`, `GKE`, `EKS`, `AKS` etc.)
+- Platform Version: (e.g. `1.20.3`, `4.7.0`)
+- PGO Image Tag: (e.g. `ubi8-5.x.y-0`)
+- Postgres Version (e.g. `15`)
+- Storage: (e.g. `hostpath`, `nfs`, or the name of your storage class)

.github/actions/k3d/action.yaml

@@ -0,0 +1,94 @@
+name: k3d
+description: Start k3s using k3d
+inputs:
+  k3d-tag:
+    default: latest
+    required: true
+    description: >
+      Git tag from https://github.com/k3d-io/k3d/releases or "latest"
+  k3s-channel:
+    default: latest
+    required: true
+    description: >
+      https://docs.k3s.io/upgrades/manual#release-channels
+  prefetch-images:
+    required: true
+    description: >
+      Each line is the name of an image to fetch onto all Kubernetes nodes
+  prefetch-timeout:
+    default: 3m
+    required: true
+    description: >
+      Amount of time to wait for images to be fetched
+
+outputs:
+  k3d-version:
+    value: ${{ steps.k3d.outputs.k3d }}
+    description: >
+      K3d version
+  kubernetes-version:
+    value: ${{ steps.k3s.outputs.server }}
+    description: >
+      Kubernetes server version, as reported by the Kubernetes API
+  pause-image:
+    value: ${{ steps.k3s.outputs.pause-image }}
+    description: >
+      Pause image for prefetch images DaemonSet
+
+runs:
+  using: composite
+  steps:
+    - id: k3d
+      name: Install k3d
+      shell: bash
+      env:
+        K3D_TAG: ${{ inputs.k3d-tag }}
+      run: |
+        curl --fail --silent https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh |
+          TAG="${K3D_TAG#latest}" bash
+        k3d version | awk '{ print "${tolower($1)}=${$3}" >> $GITHUB_OUTPUT }'
+
+    - id: k3s
+      name: Start k3s
+      shell: bash
+      run: |
+        k3d cluster create --image '+${{ inputs.k3s-channel }}' --no-lb --timeout=2m --wait
+        kubectl version | awk '{ print "${tolower($1)}=${$3}" >> $GITHUB_OUTPUT }'
+
+        PAUSE_IMAGE=$(docker exec $(k3d node list --output json | jq --raw-output 'first.name') \
+          k3s agent --help | awk '$1 == "--pause-image" {
+            match($0, /default: "[^"]*"/);
+            print substr($0, RSTART+10, RLENGTH-11)
+          }')
+        echo "pause-image=${PAUSE_IMAGE}" >> $GITHUB_OUTPUT
+
+    - name: Prefetch container images
+      shell: bash
+      env:
+        INPUT_IMAGES:  ${{ inputs.prefetch-images  }}
+        INPUT_TIMEOUT: ${{ inputs.prefetch-timeout }}
+      run: |
+        jq <<< "$INPUT_IMAGES" --raw-input 'select(. != "")' |
+        jq --slurp \
+          --arg pause '${{ steps.k3s.outputs.pause-image }}' \
+          --argjson labels '{"name":"image-prefetch"}' \
+          --argjson name '"image-prefetch"' \
+        '{
+          apiVersion: "apps/v1", kind: "DaemonSet",
+          metadata: { name: $name, labels: $labels },
+          spec: {
+            selector: { matchLabels: $labels },
+            template: {
+              metadata: { labels: $labels },
+              spec: {
+                initContainers: to_entries | map({
+                  name: "c\(.key)", image: .value, command: ["true"],
+                }),
+                containers: [{ name: "pause", image: $pause }]
+              }
+            }
+          }
+        }' |
+        kubectl create --filename=-
+        kubectl rollout status daemonset.apps/image-prefetch --timeout "$INPUT_TIMEOUT" ||
+        kubectl describe daemonset.apps/image-prefetch

.github/actions/trivy/action.yaml

@@ -0,0 +1,138 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# schema documentation: https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
+name: Trivy
+description: Scan this project using Trivy
+
+# The Trivy team maintains an action, but it has trouble caching its vulnerability data:
+# https://github.com/aquasecurity/trivy-action/issues/389
+#
+#  1. It caches vulnerability data once per calendar day, despite Trivy wanting
+#     to download more frequently than that.
+#  2. When it fails to download the data, it fails the workflow *and* caches
+#     the incomplete data.
+#  3. When (1) and (2) coincide, every following run that day *must* update the data,
+#     producing more opportunities for (2) and more failed workflows.
+#
+# The action below uses any recent cache matching `cache-prefix` and calculates a cache key
+# derived from the data Trivy downloads. An older database is better than no scans at all.
+# When a run successfully updates the data, that data is cached and available to other runs.
+
+inputs:
+  cache:
+    default: restore,success,use
+    description: >-
+      What Trivy data to cache; one or more of restore, save, success, or use.
+      The value "use" instructs Trivy to read and write to its cache.
+      The value "restore" loads the Trivy cache from GitHub.
+      The value "success" saves the Trivy cache to GitHub when Trivy succeeds.
+      The value "save" saves the Trivy cache to GitHub regardless of Trivy.
+
+  database:
+    default: update
+    description: >-
+      How Trivy should handle its data; one of update or skip.
+      The value "skip" fetches no Trivy data at all.
+
+  setup:
+    default: v0.65.0,cache
+    description: >-
+      How to install Trivy; one or more of version, none, or cache.
+      The value "none" does not install Trivy at all.
+
+  cache-directory:
+    default: ${{ github.workspace }}/.cache/trivy
+    description: >-
+      Directory where Trivy should store its data
+
+  cache-prefix:
+    default: cache-trivy
+    description: >-
+      Name (key) where Trivy data should be stored in the GitHub cache
+
+  scan-target:
+    default: .
+    description: >-
+      What Trivy should scan
+
+  scan-type:
+    default: repository
+    description: >-
+      How Trivy should interpret scan-target; one of filesystem, image, repository, or sbom.
+
+runs:
+  using: composite
+  steps:
+    # Parse list inputs as separated by commas and spaces.
+    # Select the maximum version-looking string from `inputs.setup`.
+    - id: parsed
+      shell: bash
+      run: |
+        # Validate inputs
+        (
+          <<< '${{ inputs.cache }}' jq -rRsS '"cache=\(split("[,\\s]+"; "") - [""])"'
+          <<< '${{ inputs.setup }}' jq -rRsS '
+            "setup=\(split("[,\\s]+"; "") - [""])",
+            "version=\(split("[,\\s]+"; "") | max_by(split("[v.]"; "") | map(tonumber?)))"
+          '
+        ) | tee --append "${GITHUB_OUTPUT}"
+
+    # Install Trivy as requested.
+    # NOTE: `setup-trivy` can download a "latest" version but cannot cache it.
+    - if: ${{ ! contains(fromJSON(steps.parsed.outputs.setup), 'none') }}
+      uses: aquasecurity/setup-trivy@v0.2.4
+      with:
+        cache: ${{ contains(fromJSON(steps.parsed.outputs.setup), 'cache') }}
+        version: ${{ steps.parsed.outputs.version }}
+
+    # Restore a recent cache beginning with the prefix.
+    - id: restore
+      if: ${{ contains(fromJSON(steps.parsed.outputs.cache), 'restore') }}
+      uses: actions/cache/restore@v4
+      with:
+        path: ${{ inputs.cache-directory }}
+        key: ${{ inputs.cache-prefix }}-
+
+    - id: trivy
+      shell: bash
+      env:
+        TRIVY_CACHE_DIR: >-
+          ${{ contains(fromJSON(steps.parsed.outputs.cache), 'use') && inputs.cache-directory || '' }}
+        TRIVY_SKIP_CHECK_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_DB_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_JAVA_DB_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_VEX_REPO_UPDATE: ${{ inputs.database == 'skip' }}
+      run: |
+        # Run Trivy
+        trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?
+
+        checksum=$([[ -z "${TRIVY_CACHE_DIR}" ]] || cat "${TRIVY_CACHE_DIR}/"*/metadata.json | sha256sum)
+        echo 'cache-key=${{ inputs.cache-prefix }}-'"${checksum%% *}" >> "${GITHUB_OUTPUT}"
+
+        exit "${result-0}"
+
+    # Save updated data to the cache when requested.
+    - if: >-
+        ${{
+          steps.restore.outcome == 'success' &&
+          steps.restore.outputs.cache-matched-key == steps.trivy.outputs.cache-key
+        }}
+      shell: bash
+      run: |
+        # Cache hit on ${{ steps.restore.outputs.cache-matched-key }}
+    - if: >-
+        ${{
+          steps.restore.outputs.cache-matched-key != steps.trivy.outputs.cache-key &&
+          (
+            (contains(fromJSON(steps.parsed.outputs.cache), 'save') && !cancelled()) ||
+            (contains(fromJSON(steps.parsed.outputs.cache), 'success') && success())
+          )
+        }}
+      uses: actions/cache/save@v4
+      with:
+        key: ${{ steps.trivy.outputs.cache-key }}
+        path: ${{ inputs.cache-directory }}