From c5dbcd0019ab10095768bd10ee4f44bbe0da3d15 Mon Sep 17 00:00:00 2001
From: upbound-bot
Date: Thu, 25 Sep 2025 06:24:07 +0000
Subject: [PATCH 1/3] =?UTF-8?q?=F0=9F=94=84=20synced=20local=20'.github/wo?= =?UTF-8?q?rkflows'=20with=20remote=20'shared/configurations-new-devex/wor?= =?UTF-8?q?kflows'?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/workflows/ci.yaml | 94 ++++++++++--------------
.github/workflows/composition-tests.yaml | 26 +++++++
.github/workflows/e2e.yaml | 56 +++++++++++---
.github/workflows/tag.yml | 2 +-
.github/workflows/yamllint.yaml | 2 +-
5 files changed, 113 insertions(+), 67 deletions(-)
create mode 100644 .github/workflows/composition-tests.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index df1b755..a4cd942 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -4,69 +4,53 @@ on: push: branches: - main - - release-* - workflow_dispatch: {} + workflow_dispatch: + inputs: + version: + description: Package version (e.g. v0.1.0) + required: false env: - DOCKER_BUILDX_VERSION: 'v0.8.2' - - XPKG_ACCESS_ID: ${{ secrets.XPKG_ACCESS_ID }} + UP_API_TOKEN: ${{ secrets.UP_API_TOKEN }} + UP_ROBOT_ID: ${{ secrets.UP_ROBOT_ID }} + UP_ORG: ${{ secrets.UP_ORG }} + XPKG_REGISTRY: xpkg.upbound.io jobs: - detect-noop: - runs-on: ubuntu-24.04 - outputs: - noop: ${{ steps.noop.outputs.should_skip }} - steps: - - name: Detect No-op Changes - id: noop - uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - paths_ignore: '["**.md", "**.png", "**.jpg"]' - do_not_skip: '["workflow_dispatch", "schedule", "push"]' - - publish-artifacts: - runs-on: ubuntu-24.04 - needs: detect-noop - if: needs.detect-noop.outputs.noop != 'true' - + deploy: + runs-on: ubuntu-latest steps: - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 - with: - version: ${{ env.DOCKER_BUILDX_VERSION }} - install: true - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - submodules: true - - - name: Fetch History - run: git fetch --prune --unshallow + id: checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - - name: Build Artifacts - run: make -j2 build.all - env: - # We're using docker buildx, which doesn't actually load the images it - # builds by default. Specifying --load does so. 
- BUILD_ARGS: "--load" - - - name: Publish Artifacts to GitHub - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + - name: Install and login with up + if: env.UP_API_TOKEN != '' && env.UP_ORG != '' + uses: upbound/action-up@53fe6395637d884c80d2bbc8c2d75d0ece776ced # v1 with: - name: output - path: _output/** + api-token: ${{ secrets.UP_API_TOKEN }} + organization: ${{ secrets.UP_ORG }} - - name: Login to Upbound - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 - if: env.XPKG_ACCESS_ID != '' + # doesn't work with plain token when pushing otherwise + - name: Login to xpkg with robot + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: - registry: xpkg.upbound.io - username: ${{ secrets.XPKG_ACCESS_ID }} - password: ${{ secrets.XPKG_TOKEN }} + registry: ${{ env.XPKG_REGISTRY }} + username: ${{ env.UP_ROBOT_ID }} + password: ${{ env.UP_API_TOKEN }} - - name: Publish Artifacts - if: env.XPKG_ACCESS_ID != '' - run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/} + - name: Build and Push Upbound project + if: env.UP_API_TOKEN != '' + uses: upbound/action-up-project@b849ec1eb303ae4abf22b2b86c0e2afca155137b # v1 + with: + push-project: true + tag: ${{ inputs.version || '' }} + # login-check does `up org list` which doesn't work with a robot-token + skip-login-check: true + + - name: Append icon overlay to package + if: env.UP_API_TOKEN != '' && hashFiles('./extensions') != '' && inputs.version != '' + run: | + PROJECT_NAME=$(yq '.metadata.name' upbound.yaml) + PACKAGE_REF="${{ env.XPKG_REGISTRY }}/${{ env.UP_ORG }}/${PROJECT_NAME}:${{ inputs.version }}" + up alpha xpkg append --extensions-root=./extensions ${PACKAGE_REF} diff --git a/.github/workflows/composition-tests.yaml b/.github/workflows/composition-tests.yaml new file mode 100644 index 0000000..531898c --- /dev/null +++ b/.github/workflows/composition-tests.yaml 
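Review bot: The `Append icon overlay to package` step expands `${{ inputs.version }}` and two `env.*` values directly into the `run:` script, so the text entered in the `workflow_dispatch` form becomes part of the script before the shell parses it, and `${PACKAGE_REF}` is then passed unquoted. Hand the input over through the environment instead: add `env:` with `VERSION: ${{ inputs.version }}` to the step, build the reference as `PACKAGE_REF="${XPKG_REGISTRY}/${UP_ORG}/${PROJECT_NAME}:${VERSION}"` (both variables are already exported by the workflow-level `env:`), and quote `"${PACKAGE_REF}"` in the `up alpha xpkg append` call. Separately, `Login to xpkg with robot` is the only credentialed step without the `if: env.UP_API_TOKEN != ''` guard its neighbours carry, so it will attempt a registry login with empty credentials wherever the secrets are not configured; the same `if:` belongs there.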
@@ -0,0 +1,26 @@ +name: Composition Tests + +on: + push: + branches: + - main + pull_request: {} + +jobs: + composition-tests: + runs-on: ubuntu-latest + steps: + - name: Checkout + id: checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + + - name: Install up + uses: upbound/action-up@53fe6395637d884c80d2bbc8c2d75d0ece776ced # v1 + with: + skip-login: true + + - name: Build project + run: up project build + + - name: Run composition tests + run: up test run tests/* diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 885d97a..313e61c 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml 
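Review bot: This new workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` receives whatever the repository or organisation default grants, although the steps only read the checkout and run `up project build` and `up test run`. Add a top-level `permissions:` with `contents: read`, and set `persist-credentials: false` on the checkout step so the token is not kept in the local git configuration while the pull request's code is built and tested. The rewritten e2e.yaml in this patch has the same gap, and it matters more there because that workflow runs under `pull_request_target`.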
@@ -1,15 +1,51 @@ name: End to End Testing on: - issue_comment: - types: [created] - pull_request: - types: [labeled] + # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ + # pull_request_target is potentially dangerous target so we keep it strict + # under the label and benefit from secret propagation + pull_request_target: + types: + - synchronize + - labeled + +env: + UP_API_TOKEN: ${{ secrets.UP_E2E_API_TOKEN || secrets.UP_API_TOKEN }} + UP_ORG: ${{ secrets.UP_E2E_ORG || secrets.UP_ORG }} + UP_GROUP: ${{ secrets.UP_E2E_GROUP || secrets.UP_GROUP || 'default' }} + UP_ROBOT_ID: ${{ secrets.UP_E2E_ROBOT_ID || secrets.UP_ROBOT_ID }} + jobs: e2e: - uses: upbound/official-providers-ci/.github/workflows/pr-comment-trigger.yml@main - with: - package-type: configuration - secrets: - UPTEST_CLOUD_CREDENTIALS: ${{ secrets.UPTEST_CLOUD_CREDENTIALS }} - UPTEST_DATASOURCE: ${{ secrets.UPTEST_DATASOURCE }} + if: contains(github.event.pull_request.labels.*.name, 'run-e2e-tests') + runs-on: ubuntu-latest + steps: + - name: Checkout + id: checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Install and login with up + if: env.UP_API_TOKEN != '' && env.UP_ORG != '' + uses: upbound/action-up@53fe6395637d884c80d2bbc8c2d75d0ece776ced # v1 + with: + api-token: ${{ env.UP_API_TOKEN }} + organization: ${{ env.UP_ORG }} + + # doesn't work with plain token when pushing otherwise + - name: Login to xpkg with robot + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 + with: + registry: xpkg.upbound.io + username: ${{ env.UP_ROBOT_ID }} + password: ${{ env.UP_API_TOKEN }} + + - name: Build project + run: up project build + + - name: Switch up context + run: up ctx ${{ env.UP_ORG }}/upbound-gcp-us-central-1/${{ env.UP_GROUP }} + + - name: Run e2e tests + run: up test run tests/* --e2e 
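Review bot: The job checks out `github.event.pull_request.head.sha` under `pull_request_target` and then runs `up project build` and `up test run tests/* --e2e` on that tree with `UP_API_TOKEN` exported workflow-wide, and the only gate is the `run-e2e-tests` label. Because `synchronize` is listed in `types` and the label stays on the PR, every later push to an already-labelled PR reruns the job with secrets on commits that nobody has reviewed. Either drop `- synchronize` so each run needs a fresh labelling, remove the label as the job's first step, or bind the job to a protected `environment:` with required reviewers. The secrets would also be better scoped to the individual steps that need them than to the workflow-level `env:`, with `persist-credentials: false` on the checkout. The `Switch up context` step should read `$UP_ORG` and `$UP_GROUP` from the shell environment rather than templating `${{ env.UP_ORG }}` into the script text.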
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml index 4c9f1ea..1d2de5a 100644 --- a/.github/workflows/tag.yml +++ b/.github/workflows/tag.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Create Tag uses: negz/create-tag@39bae1e0932567a58c20dea5a1a0d18358503320 # v1 diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml index f159c49..a796551 100644 --- a/.github/workflows/yamllint.yaml +++ b/.github/workflows/yamllint.yaml @@ -5,7 +5,7 @@ jobs: name: runner / yamllint runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: yamllint uses: reviewdog/action-yamllint@f01d8a48fd8d89f89895499fca2cff09f9e9e8c0 # v1.21.0 with: From 3715a0bff9d3da5ec73628f34f756a247d2fc165 Mon Sep 17 00:00:00 2001 From: upbound-bot Date: Thu, 25 Sep 2025 06:24:07 +0000 Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=94=84=20synced=20local=20'.github/re?= =?UTF-8?q?novate.json5'=20with=20remote=20'shared/configurations-new-deve?= =?UTF-8?q?x/renovate.json5'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/renovate.json5 | 36 +++--------------------------------- 1 file changed, 3 insertions(+), 33 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 1bc481a..162dd92 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -39,16 +39,10 @@ }, { matchFileNames: [ - 'crossplane.yaml', + 'upbound.yaml', ], groupName: 'crossplane dependencies', }, - { - matchFileNames: [ - 'Makefile', - ], - groupName: 'Makefile dependencies', - }, { matchManagers: ['crossplane'], matchFileNames: ['examples/**'], 
@@ -58,33 +52,9 @@ customManagers: [ { customType: 'regex', - description: 'Bump up version in the Makefile', - fileMatch: [ - '^Makefile$', - ], - matchStrings: [ - 'UP_VERSION = (?.*?)\\n', - ], - datasourceTemplate: 'github-releases', - depNameTemplate: 'upbound/up', - }, - { - customType: 'regex', - description: 'Bump uptest version in the Makefile', - fileMatch: [ - '^Makefile$', - ], - matchStrings: [ - 'UPTEST_VERSION = (?.*?)\\n', - ], - datasourceTemplate: 'github-releases', - depNameTemplate: 'upbound/uptest', - }, - { - customType: 'regex', - description: 'Bump providers/functions/configurations in crossplane.yaml', + description: 'Bump providers/functions/configurations in upbound.yaml', fileMatch: [ - 'crossplane.yaml', + 'upbound.yaml', ], matchStrings: [ '#\\s*renovate:\\s*datasource=(?[^\\s]+)\\s+depName=(?[^\\s]+)\\s*\\n\\s*version:\\s*"(?[^"]+)"', From eb8524f612a7576ddb4123c3a1e702f4b7e2c304 Mon Sep 17 00:00:00 2001 From: upbound-bot Date: Thu, 25 Sep 2025 06:24:07 +0000 Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=94=84=20synced=20local=20'.yamllint'?= =?UTF-8?q?=20with=20remote=20'shared/configurations-new-devex/.yamllint'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .yamllint | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.yamllint b/.yamllint index 669c864..1fd3784 100644 --- a/.yamllint +++ b/.yamllint @@ -3,3 +3,5 @@ extends: default rules: line-length: disable document-start: disable + indentation: + indent-sequences: consistent