GKESRE-1438 Rebase fork on upstream: Bazel 9 + Go 1.26, GitHub App auth, optional namespace #13

Draft
rajatvig wants to merge 12 commits into main from claude/github-app-namespace-skip-s9ri8v

Conversation

@rajatvig rajatvig commented Jul 5, 2026


Description

Rebuilds our fork on top of the latest upstream fasterci/rules_gitops (be83981, merge of upstream PR fasterci#65), keeping only the two Etsy-specific features we need as clean, individually upstreamable commits:

  1. Bazel 9 compatibility and toolchain updates (fd81871) — Bazel 9.1.1, Go 1.26.4, rules_go 0.61.1, gazelle 0.51.3, rules_shell loads for sh_binary/sh_test (removed as native rules in Bazel 9), drops the removed --noincompatible_sandbox_hermetic_tmp flag, and upgrades all Go module dependencies (k8s.io 0.36.x, protobuf 1.36.x, etc.).
  2. GitHub App authentication (922220b) — new git_server=github_app mode for create_gitops_prs: a gitops/git/github_app package that authenticates with GitHub App credentials (ghinstallation v2.19.0, go-github v88) and creates the deployment commit and PR entirely through the GitHub API, producing app-signed commits.
  3. Optional namespace / respect_resource_namespace (7d12e9e) — namespace is no longer mandatory for gitops k8s_deploy; respect_resource_namespace uses an unsetOnly NamespaceTransformer and the set_namespace tool so manifests that declare their own namespaces (including multi-namespace deployments) keep them; new app_name attribute names the gitops output directory.

Because the branch restarts from upstream history, the diff against main is effectively a fork re-baseline: it also picks up everything upstream shipped since we forked (Bazel 8/9 support, bazel_flag, .diff target, RUNFILES_DIR fix, protobuf migration, vendoring removal).

Intentionally dropped from the old fork history (cherry-pick later if needed): the Buildkite-specific create_gitops_prs.tpl.sh branch-name hack (pass --branch_name/--git_server github_app via the rule's "${@}" passthrough instead), the Etsy-only attrs on create_gitops_prs, the push_oci external-image fix, and the fork CI workflow.

Related Issue

Internal fork maintenance — no upstream issue. (GKESRE-834 covers the original GitHub App signed-commits work being preserved here.)

Motivation and Context

Our fork had diverged from upstream and was missing fixes we need, most importantly Bazel 9 support. Rebuilding from upstream with the two Etsy features isolated as minimal-diff commits keeps the fork easy to maintain and positions each feature to be proposed upstream separately.

How Has This Been Tested?

  • go build ./..., go vet ./gitops/..., and go test ./... pass at each commit (Go 1.26.4), including the new github_app package tests.
  • .bzl/BUILD changes were ported from the etsy-upstream-rebase branch (previously exercised against Bazel 9) plus syntax checks; bazel build //... && bazel test //... with Bazel 9.1.1 still needs a run on a machine with Bazel — this is why the PR is a draft. The first Bazel run will also refresh MODULE.bazel.lock, which should be committed.
  • The namespace behavior is a faithful port of the fork's production-tested logic from main.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Breaking relative to the old fork main: gitops output paths use {gitops_path}/{app_name}/{cluster} (default app_name = "myapp"), and the Buildkite tpl.sh hack is gone (flags must be passed to the rule instead). Breaking relative to upstream: none intended.

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.

🤖 Generated with Claude Code

https://claude.ai/code/session_01Q72xp7ZYMA7UvaUEAkRP7F

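The github_app mode described in the PR authenticates by presenting an RS256 JWT signed with the App's private key, which ghinstallation exchanges for a short-lived installation token (POST /app/installations/{installation_id}/access_tokens) that the API calls then use. The block below is an added, stdlib-only illustration of that first step and of the check GitHub performs on receipt; it is not code from rules_gitops or ghinstallation, and the App ID, key and timestamps are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// AppClaims is the GitHub App JWT payload: iss is the App ID and exp may be at most 10 minutes after iat.
type AppClaims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// AppJWT signs the claims RS256 with the App's private key; iat is backdated 30s for clock skew.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > 10*time.Minute { // GitHub rejects longer lifetimes, so fail early
		return "", errors.New("ttl must be within GitHub's 10 minute limit")
	}
	payload, _ := json.Marshal(AppClaims{Iss: appID, Iat: now.Unix() - 30, Exp: now.Add(ttl).Unix()})
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // err surfaces below
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyAppJWT mirrors GitHub's check: RS256 signature against the App's public key, then expiry.
func VerifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (c AppClaims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a corrupt signature simply fails to verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1]) // authenticated by the signature check above
	if err = json.Unmarshal(payload, &c); err == nil && now.Unix() >= c.Exp {
		err = errors.New("token expired")
	}
	return c, err
}
```

The private key never leaves the signer; only this short-lived JWT and the installation token it is exchanged for travel to GitHub, which is what lets the resulting deployment commits be attributed to and signed by the App rather than a user.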

ptxmac and others added 12 commits February 9, 2025 11:46
[docs] Fix broken links in README.md

* upgrade modules

* no vendor

* update tests

* update e2e

* go mod tidy

* bump go

* update k8s client

* canonical bcr name for rules_go and gazelle

* upgrade protobuf

* fix e2e

* cleanup

* upgrade k8s client
Signed-off-by: Vincent Composieux <vincent@composieux.fr>

…terci#63)

* fix: export RUNFILES_DIR for child bash scripts

Add RUNFILES_DIR=${RUNFILES} to async function so that child bash
scripts (like .push scripts) can find runfiles.bash. Without this,
child scripts fail with "runfiles.bash initializer cannot find
bazel_tools/tools/bash/runfiles/runfiles.bash" error.

The issue occurs because:
- Parent scripts only export PYTHON_RUNFILES (Python-specific)
- Child bash scripts check RUNFILES_DIR environment variable
- Without RUNFILES_DIR, runfiles.bash initialization fails

* fix: export RUNFILES_DIR in k8s_gitops.sh.tpl for k8s_deploy

Add RUNFILES_DIR=${RUNFILES} to async function in k8s_gitops.sh.tpl.
This template is used by k8s_deploy.apply (not k8s_test_namespace.sh.tpl
which is for tests only).

* fix: export RUNFILES_DIR in kubectl.sh.tpl for k8s_deploy.apply

Add RUNFILES_DIR=${RUNFILES} to async function in kubectl.sh.tpl.
This is the actual template used by the kubectl rule which generates
the k8s_deploy.apply target.

Remove incompatible_use_toolchain_transition

- Bump Bazel to 9.1.1, rules_go to 0.61.1, gazelle to 0.51.3,
  aspect_bazel_lib to 2.21.1, rules_oci to 2.3.0
- Add rules_shell dependency and load sh_binary/sh_test from it where
  BUILD files relied on the native rules removed in Bazel 9, including
  the generated BUILD file of the downloaded kustomize repository
- Drop --noincompatible_sandbox_hermetic_tmp from .bazelrc (flag no
  longer exists in Bazel 9)
- Bump Go to 1.26 and upgrade all Go module dependencies
  (k8s.io 0.36.2, go-containerregistry 0.21.7, go-gitlab 0.115.0, ...)
- Regenerate it_manifest_filter golden files: apimachinery no longer
  serializes creationTimestamp: null
- Rename fasttemplate example funcs to satisfy the vet examples check
  (the Template type they referred to does not exist in this fork)

Signed-off-by: Rajat Vig <rvig@etsy.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q72xp7ZYMA7UvaUEAkRP7F

Add a 'github_app' git server option to create_gitops_prs that
authenticates with GitHub App credentials and creates the deployment
commit and pull request entirely through the GitHub API, producing
commits signed by the app.

- New gitops/git/github_app package: installation-token transport via
  bradleyfalzon/ghinstallation, CreatePR, and CreateCommit which
  uploads the modified files as a tree, commits it, and opens the PR.
  Configured with -github_app_id, -github_installation_id,
  -private_key, -github_app_repo_owner, -github_app_repo and optional
  -github_app_enterprise_host flags.
- create_gitops_prs: with -git_server github_app, collect the files
  modified by the gitops targets and commit them via the GitHub API to
  the -branch_name branch instead of pushing the local deployment
  branches. PR title/body fall back to Buildkite pipeline metadata when
  available.
- git: add Repo.GetModifiedFiles.
- Upgrade go-github from v32 to v88 (required by ghinstallation
  v2.19.0) and migrate to its options-based client API.

Signed-off-by: Rajat Vig <rvig@etsy.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q72xp7ZYMA7UvaUEAkRP7F

Allow k8s_deploy to be used with manifests that carry their own
namespaces (including manifests spanning multiple namespaces) instead
of forcing a single namespace on every resource:

- namespace is no longer mandatory for gitops k8s_deploy; when unset,
  the NAMESPACE template variable and kustomize namespace field are
  simply omitted so resource namespaces are used as-is.
- New respect_resource_namespace option: when set together with a
  namespace, kustomize uses a NamespaceTransformer with unsetOnly so
  resources that already declare a namespace keep it, and .apply pipes
  the manifests through the set_namespace tool instead of forcing the
  rule namespace.
- New app_name attribute names the gitops output directory
  ({gitops_path}/{app_name}/{cluster}) since the namespace can no
  longer be used as the directory name.

Signed-off-by: Rajat Vig <rvig@etsy.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q72xp7ZYMA7UvaUEAkRP7F
@rajatvig rajatvig changed the title Rebase fork on upstream: Bazel 9 + Go 1.26, GitHub App auth, optional namespace GKESRE-1438 Rebase fork on upstream: Bazel 9 + Go 1.26, GitHub App auth, optional namespace Jul 5, 2026