Auto-push bundle manifests changes to PR branch if needed (#195)

* Make PR checks fail if bundle or manifests are not up-to-date

This is so that PR authors do not forget to regenerate those manifests.

* Update developer guide

* Save diff as patch file, so it can be downloaded and applied with Git

* Fix step names in PR Validation job

* Apply suggestions from code review

Co-authored-by: Jianrong Zhang <jianrzha@redhat.com>

* Do not error out if bundle manifests are outdated

Display warnings instead.
Also comment on the PR so that authors/reviewers are aware of that fact.

Co-authored-by: Gennady Azarenkov <gazarenkov@gmail.com>

* Update .github/workflows/pr.yaml

Co-authored-by: Nick Boldt <nboldt@redhat.com>

* Revert "Do not error out if bundle manifests are outdated"

This reverts commit ab2c12a.

* Auto-push any changes to the bundle manifests

This will alleviate the burden on contributors and maintainers.

* Run bundle diff checker in separate workflow triggered on 'pull_request_target' events

This is required to be able to write to fork PR branches

Similar to what we do already with the pull_request_target workflows, we also require manual authorization for unknown external forks, to prevent PWN requests

* Update PR template to think about eventually updating the rhdh-operator.csv.yaml file

* Update .github/workflows/pr-bundle-diff-checks.yaml

* Update docs/developer.md

Co-authored-by: Gennady Azarenkov <gazarenkov@redhat.com>

---------

Co-authored-by: Jianrong Zhang <jianrzha@redhat.com>
Co-authored-by: Gennady Azarenkov <gazarenkov@gmail.com>
Co-authored-by: Nick Boldt <nboldt@redhat.com>
Co-authored-by: Gennady Azarenkov <gazarenkov@redhat.com>

Author: 5 people

.github/PULL_REQUEST_TEMPLATE.md

@@ -15,6 +15,7 @@ Please explain the changes you made here.
 
 - [ ] Tests
 - [ ] Documentation
+- [ ] If the bundle manifests have been updated, make sure to review the [`rhdh-operator.csv.yaml`](../.rhdh/bundle/manifests/rhdh-operator.csv.yaml) file accordingly
 
 ## How to test changes / Special notes to the reviewer
 <!--

.github/workflows/pr-bundle-diff-checks.yaml

@@ -0,0 +1,97 @@
+# Copyright 2024 The Janus IDP Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: PR Bundle Manifests Validator
+
+on:
+  # pull_request_target needed to be able to commit and push bundle diffs to external fork PRs.
+  # But we included a manual authorization safeguard to prevent PWN requests. See the 'authorize' job below.
+  pull_request_target:
+    branches: 
+    - main
+    - rhdh-1.[0-9]+
+    - 1.[0-9]+.x
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
+jobs:
+  authorize:
+    # The 'external' environment is configured with the maintainers team as required reviewers.
+    # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
+    # see list of approvers in OWNERS file
+    environment:
+      ${{ (github.event.pull_request.head.repo.full_name == github.repository ||
+      contains(fromJSON('["gazarenkov","jianrongzhang89","kadel","nickboldt","rm3l"]'), github.actor)) && 'internal' || 'external' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: approved
+        run: echo "✓"
+
+  pr-bundle-diff-checks:
+    name: PR Bundle Diff
+    runs-on: ubuntu-latest
+    needs: authorize
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Check for outdated bundle
+        id: bundle-diff-checker
+        run: |
+          make bundle
+          git status --porcelain
+          # Since operator-sdk 1.26.0, `make bundle` changes the `createdAt` field from the bundle every time we run it.
+          # The `git diff` below checks if only the createdAt field has changed. If is the only change, it is ignored.
+          # Inspired from https://github.com/operator-framework/operator-sdk/issues/6285#issuecomment-1415350333
+          echo "MANIFESTS_CHANGED=$(if git diff --quiet -I'^    createdAt: ' bundle; then echo "false"; else echo "true"; fi)" >> $GITHUB_OUTPUT
+
+      - name: Commit any manifest changes
+        if: ${{ steps.bundle-diff-checker.outputs.MANIFESTS_CHANGED == 'true' }}
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email 'github-actions[bot]@users.noreply.github.com'
+          git fetch --prune
+          git pull --rebase --autostash
+          git add -A .
+          git commit \
+            -m "Regenerate bundle manifests" \
+            -m "Co-authored-by: $GITHUB_ACTOR <$GITHUB_ACTOR@users.noreply.github.com>"
+          git push
+
+      - name: Comment on PR if bundle manifests were updated
+        uses: actions/github-script@v7
+        if: ${{ !cancelled() && steps.bundle-diff-checker.outputs.MANIFESTS_CHANGED == 'true' }}
+        continue-on-error: true
+        with:
+          script: |
+            await github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '⚠️ <b>Files changed in bundle generation<b>!<br/><br/>Those changes to the operator bundle manifests should have been pushed automatically to your PR branch.<br/>You might also need to manually update the [`.rhdh/bundle/manifests/rhdh-operator.csv.yaml`](.rhdh/bundle/manifests/rhdh-operator.csv.yaml) CSV file accordingly.'
+            })

docs/developer.md

@@ -104,11 +104,13 @@ make deploy-openshift [IMAGE_TAG_BASE=<your-registry>/backstage-operator]
 ```
 
 ### Modifying the API definitions
-If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
+If you are editing the API definitions, make sure you:
+- run `make install` before deploying the operator with `make deploy`
+- regenerate the manifests and bundle if you plan to deploy the operator with OLM using:
 ```sh
-make manifests
+make manifests bundle
 ```
-**NOTE:** Run `make --help` for more information on all potential `make` targets
+**NOTE:** Run `make help` for more information on all potential `make` targets
 
 More information can be found via the [Kubebuilder Documentation](https://book.kubebuilder.io/introduction.html)