strimzi · Frawless · Feb 18, 2026 · Feb 1, 2026 · Feb 2, 2026 · Feb 10, 2026
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,18 @@
+# Configuration for GitHub actions linting - docker://rhysd/actionlint:1.7.10
+# For more info see https://github.com/rhysd/actionlint/blob/main/docs/config.md
+
+# Configuration related to self-hosted runner.
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  # Add other runners if needed
+  labels:
+    # container runners
+    - oracle-2cpu-8gb-arm64
+    - oracle-2cpu-8gb-x86_64
+    # VM runners
+    - oracle-vm-2cpu-8gb-x86-64
+    - oracle-vm-2cpu-8gb-arm64
+    - oracle-vm-4cpu-16gb-x86-64
+    - oracle-vm-4cpu-16gb-arm64
+    - oracle-vm-8cpu-32gb-x86-64
+    - oracle-vm-8cpu-32gb-arm64
diff --git a/.github/actions/build/build-binaries/action.yml b/.github/actions/build/build-binaries/action.yml
@@ -0,0 +1,138 @@
+name: "Build Java Binaries"
+description: "Build and test Java binaries using standard Makefile targets"
+
+inputs:
+  mainJavaBuild:
+    description: "Whether this is the main Java version build (true) or just additional version for tests (false)"
+    required: false
+    default: "true"
+  artifactSuffix:
+    description: "Suffix/prefix for the uploaded artifact"
+    required: true
+  clusterOperatorBuild:
+    description: "Enable Strimzi Operator specific build steps (Helm charts install, CRDs install, dashboards install, docs checks, uncommitted changes check)"
+    required: false
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    #############################################################
+    # Common build steps
+    #############################################################
+    - name: Restore Maven cache
+      uses: actions/cache/restore@v5
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          maven-
+
+    - name: Build binaries
+      shell: bash
+      run: make java_install
+      env:
+        MVN_ARGS: '-B -DskipTests'
+
+    - name: Run SpotBugs
+      shell: bash
+      run: |
+        if make -n spotbugs &>/dev/null; then
+          echo "Target exists"
+          make spotbugs
+        else
+          # TODO - Should be everywhere
+          echo "Target 'spotbugs' not found, skipping..."
+        fi
+
+    #############################################################
+    # The following steps gated by clusterOperatorBuild check
+    # are used only by Strimzi Kafka Operator repository.
+    # The other projects shouldn't use them.
+    #############################################################
+    - name: Setup dashboards for Helm Chart
+      if: ${{ inputs.clusterOperatorBuild == 'true' }}
+      shell: bash
+      run: "make dashboard_install"
+
+    - name: Generate YAMLs from Helm Chart
+      if: ${{ inputs.clusterOperatorBuild == 'true' }}
+      shell: bash
+      run: "make helm_install"
+
+    - name: Distribute CRDs
+      if: ${{ inputs.clusterOperatorBuild == 'true' }}
+      shell: bash
+      run: "make crd_install"
+
+    - name: Run Helm Chart unit tests
+      if: ${{ inputs.clusterOperatorBuild == 'true' }}
+      shell: bash
+      run: "make helm_unittest"
+
+    - name: Generate docs version files
+      if: ${{ inputs.clusterOperatorBuild == 'true' }}
+      shell: bash
+      run: "make docu_versions"
+
+    - name: Check docs
+      if: ${{ inputs.clusterOperatorBuild == 'true' }}
+      shell: bash
+      run: "make docu_check"
+
+    - name: Run Shellcheck
+      if: ${{ inputs.clusterOperatorBuild == 'true' }}
+      shell: bash
+      run: "make shellcheck"
+
+    - name: Check released files
+      if: ${{ inputs.clusterOperatorBuild == 'true' }}
+      shell: bash
+      run: "make release_files_check"
+
+    - name: Check for uncommitted files
+      shell: bash
+      run: "${{ github.action_path }}/check-uncommitted-changes.sh"
+
+    #############################################################
+    # Common build steps
+    #############################################################
+    - name: Run tests and verification
+      shell: bash
+      run: |
+          make java_install
+
+    - name: Save Maven cache
+      if: ${{ inputs.mainJavaBuild == 'true' }}
+      uses: actions/cache/save@v5
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}
+
+    - name: Create artifact tarball
+      if: ${{ inputs.mainJavaBuild == 'true' }}
+      shell: bash
+      run: |
+        # Archive build artifacts preserving directory structure for multi-module projects
+        # Includes:
+        #   - All target/ directories (contains JARs, POMs, and other build outputs)
+        #   - docker-images/artifacts/binaries (if exists)
+        # Excludes:
+        #   - Test outputs that aren't needed for deployment
+
+        PATHS_TO_ARCHIVE=$(find . -type d -name "target")
+        if [ -d "./docker-images/artifacts/binaries" ]; then
+          PATHS_TO_ARCHIVE="$PATHS_TO_ARCHIVE ./docker-images/artifacts/binaries"
+        fi
+
+        tar -cvpf binaries-${{ inputs.artifactSuffix }}.tar \
+          --exclude='**/surefire-reports' \
+          $PATHS_TO_ARCHIVE
+
+    - name: Upload artifact
+      if: ${{ inputs.mainJavaBuild == 'true' }}
+      uses: actions/upload-artifact@v5
+      with:
+        name: binaries-${{ inputs.artifactSuffix }}.tar
+        path: binaries-${{ inputs.artifactSuffix }}.tar
+        retention-days: 7
diff --git a/.github/actions/build/build-binaries/check-uncommitted-changes.sh b/.github/actions/build/build-binaries/check-uncommitted-changes.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -e
+
+# We exclude .github and github-actions folders because in tests we copy there actions to test changes more easily
+CHANGED_FILES=$(git diff --name-status -- ':!.github' ':!github-actions')
+UNTRACKED_FILES=$(git ls-files --other --exclude-standard -- ':!.github' ':!github-actions')
+
+if [ -n "$CHANGED_FILES" ] || [ -n "$UNTRACKED_FILES" ] ; then
+    if [ -n "$CHANGED_FILES" ] ; then
+        echo "ERROR: Uncommitted changes in tracked files:"
+        echo "$CHANGED_FILES"
+    fi
+
+    if [ -n "$UNTRACKED_FILES" ] ; then
+        echo "ERROR: Untracked files:"
+        echo "$UNTRACKED_FILES"
+    fi
+
+    echo "Please, make sure you run all steps that are needed to propagate all changes to generated files and then commit the changes before push."
+    exit 1
+fi
diff --git a/.github/actions/build/build-containers/action.yml b/.github/actions/build/build-containers/action.yml
@@ -0,0 +1,79 @@
+name: "Build images"
+description: "Build and archive images"
+
+inputs:
+  architecture:
+    description: "Architecture of images built in this action"
+    required: false
+    default: "amd64"
+  buildRunId:
+    description: "Build workflow run ID for artifact download"
+    required: false
+    default: ""
+  containerRegistry:
+    description: "Container registry (e.g., quay.io, ghcr.io)"
+    required: false
+    default: "quay.io"
+  containerOrg:
+    description: "Container organization/namespace"
+    required: false
+    default: "strimzi"
+  containerTag:
+    description: "Container image tag"
+    required: false
+    default: "latest"
+  imagesDir:
+    description: "Path to directory with images tar balls"
+    required: true
+  artifactSuffix:
+    description: "Suffix of archive with images"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download binaries from this workflow
+      if: ${{ inputs.buildRunId == '' }}
+      uses: actions/download-artifact@v7
+      with:
+        name: binaries-${{ inputs.artifactSuffix }}.tar
+
+    - name: Download binaries from external build
+      if: ${{ inputs.buildRunId != '' }}
+      uses: actions/download-artifact@v7
+      with:
+        name: binaries-${{ inputs.artifactSuffix }}.tar
+        run-id: ${{ inputs.buildRunId }}
+        github-token: ${{ github.token }}
+
+    - name: "Untar binaries archive"
+      shell: bash
+      run: tar -xvf binaries-${{ inputs.artifactSuffix }}.tar
+
+    - name: Build images
+      shell: bash
+      run: |
+        make docker_build docker_save
+      env:
+        MVN_ARGS: '-B -DskipTests -Dmaven.javadoc.skip=true'
+        DOCKER_ARCHITECTURE: ${{ inputs.architecture }}
+        DOCKER_BUILDKIT: 1
+        DOCKER_REGISTRY: ${{ inputs.containerRegistry }}
+        DOCKER_ORG: ${{ inputs.containerOrg }}
+        DOCKER_TAG: ${{ inputs.containerTag }}
+
+    - name: Create tarball with images
+      shell: bash
+      run: "tar -cvpf containers-${{ inputs.artifactSuffix }}-${{ inputs.architecture }}.tar ${{ inputs.imagesDir }}"
+
+    - name: Upload containers artifact
+      uses: actions/upload-artifact@v5
+      with:
+        name: containers-${{ inputs.artifactSuffix }}-${{ inputs.architecture }}.tar
+        path: containers-${{ inputs.artifactSuffix }}-${{ inputs.architecture }}.tar
+
+    - name: List built images
+      if: ${{ always() }}
+      shell: bash
+      run: |
+        docker images -a
diff --git a/.github/actions/build/deploy-java/action.yml b/.github/actions/build/deploy-java/action.yml
@@ -0,0 +1,68 @@
+name: "Deploy Java Artifacts"
+description: "Deploys Java artifacts to Maven Central"
+
+inputs:
+  modules:
+    description: "Maven modules to be uploaded"
+    required: true
+  artifactSuffix:
+    description: "Suffix of archive with images"
+    required: true
+  gpgPassphrase:
+    description: "GPG passphrase for signing"
+    required: true
+  gpgSigningKey:
+    description: "GPG signing key"
+    required: true
+  centralUsername:
+    description: "Maven Central username"
+    required: true
+  centralPassword:
+    description: "Maven Central password"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Restore Maven cache
+      uses: actions/cache/restore@v5
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}
+        restore-keys: |
+          maven-
+
+    - name: Download binaries artifact
+      uses: actions/download-artifact@v7
+      with:
+        name: binaries-${{ inputs.artifactSuffix }}.tar
+        path: ./
+
+    - name: Extract binaries artifact
+      shell: bash
+      run: |
+        # Extract the tarball preserving directory structure
+        # This restores:
+        #   - target/ directories with all build outputs
+        #   - Multi-module project structure
+        tar -xvf binaries-${{ inputs.artifactSuffix }}.tar
+
+        # Remove the tarball to clean up
+        rm binaries-${{ inputs.artifactSuffix }}.tar
+
+        # Verify extraction
+        echo "Extracted structure:"
+        find . -name "pom.xml" -o -type d -name "target" | head -20
+
+    - name: Deploy Java artifacts
+      shell: bash
+      run: ${{ github.action_path }}/push-to-central.sh
+      env:
+        BUILD_REASON: "IndividualCI"
+        BRANCH: ${{ github.ref }}
+        GPG_PASSPHRASE: ${{ inputs.gpgPassphrase }}
+        GPG_SIGNING_KEY: ${{ inputs.gpgSigningKey }}
+        CENTRAL_USERNAME: ${{ inputs.centralUsername }}
+        CENTRAL_PASSWORD: ${{ inputs.centralPassword }}
+        SETTINGS_PATH: ${{ github.action_path }}/settings.xml
+        MODULES: ${{ inputs.modules }}
diff --git a/.github/actions/build/deploy-java/push-to-central.sh b/.github/actions/build/deploy-java/push-to-central.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+set -e
+
+function cleanup() {
+  rm -rf signing.gpg
+  gpg --delete-keys
+  gpg --delete-secret-keys
+}
+
+# Run the cleanup on failure / exit
+trap cleanup EXIT
+
+export GPG_TTY=$(tty)
+echo $GPG_SIGNING_KEY | base64 -d > signing.gpg
+gpg --batch --import signing.gpg
+
+# Deploy to Maven Central (or custom repository) using already-built artifacts
+# Flags explanation:
+#   -DskipTests: Skip test execution
+#   -Dmaven.main.skip=true: Skip compilation of main sources (use already compiled)
+#   -Dmaven.test.skip=true: Skip compilation of test sources
+#   -Dmaven.install.skip=true: Skip install phase
+#   -P central: Always use central profile for GPG signing and plugin configuration
+
+# Deploy Maven command
+MVN_CMD="GPG_EXECUTABLE=gpg mvn $MVN_ARGS \
+  -DskipTests \
+  -Dmaven.main.skip=true \
+  -Dmaven.test.skip=true \
+  -Dmaven.install.skip=true \
+  -s $SETTINGS_PATH \
+  -pl $MODULES \
+  -P central"
+
+# Override deployment repository if custom URL provided (for testing with local Nexus)
+if [ -n "$DEPLOYMENT_URL" ]; then
+  echo "Deploying to custom repository: $DEPLOYMENT_URL"
+  # Use centralBaseUrl and centralSnapshotsUrl to override Maven Central URLs
+  # This is the proper way according to Sonatype documentation for central-publishing-maven-plugin
+  # The plugin will automatically choose the right URL based on the artifact version
+  MVN_CMD="$MVN_CMD -DcentralBaseUrl=${DEPLOYMENT_URL}/maven-releases -DcentralSnapshotsUrl=${DEPLOYMENT_URL}/maven-snapshots"
+else
+  echo "Deploying to Maven Central (default)"
+fi
+
+MVN_CMD="$MVN_CMD deploy"
+
+# Execute
+eval $MVN_CMD
+
+cleanup
diff --git a/.github/actions/build/deploy-java/settings.xml b/.github/actions/build/deploy-java/settings.xml
@@ -0,0 +1,9 @@
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
+    <servers>
+        <server>
+            <id>central</id>
+            <username>${env.CENTRAL_USERNAME}</username>
+            <password>${env.CENTRAL_PASSWORD}</password>
+        </server>
+    </servers>
+</settings>