chore(infra): Makefile shards + kind-CRD bootstrap + module/ full-lint

.github/actions/kind-cluster-setup/action.yml

@@ -0,0 +1,148 @@
+name: Set up kind cluster (with optional CRD prereqs + tracecore image)
+description: >
+  Unified kind-cluster bootstrap shared by chart.yml, policy-matrix.yml,
+  install-bench.yml, and (optionally) compat-matrix.yml. Replaces the
+  prior `kind-tracecore-up` action (deleted — all callsites migrated)
+  and centralises three sources of fragmentation that recurred on every
+  chart-touching PR:
+
+    1. helm + kind version pins drifted independently per workflow.
+       Pinned here once: helm v3.16.4, kind v0.25.0, node v1.32.0.
+    2. Each workflow that talked to the chart's production preset hit
+       the same "no matches for kind ServiceMonitor in version
+       monitoring.coreos.com/v1" error on kind (regressed three PRs
+       before #494 closed it for policy-matrix only). Install the CRDs
+       in one place driven by inputs (`install-servicemonitor-crd`,
+       `install-gatekeeper-crds`, `install-cert-manager-crds`).
+    3. `docker build` + `kind load` for the tracecore image was
+       duplicated across chart.yml and install-bench.yml with
+       diverging tag names (`tracecore:ci` vs `tracecore:bench`).
+       Driven by `build-image` + `image-tag` inputs.
+
+  CRD refs are pinned to tagged releases per repo convention
+  (KYVERNO_POLICIES_REF / GATEKEEPER_VERSION in
+  scripts/policy-matrix-smoke.sh — never track `main`).
+
+inputs:
+  cluster-name:
+    description: kind cluster name (must be unique per job).
+    required: true
+  kind-config:
+    description: Optional path to a kind cluster config file (e.g. bench/install/kind-config.yaml).
+    required: false
+    default: ''
+  build-image:
+    description: When 'true', `docker build` the tracecore image and `kind load` it. When 'false', skip — kind cluster only.
+    required: false
+    default: 'true'
+  image-tag:
+    description: Image tag for the locally built tracecore image. Defaults to 'ci' (chart.yml's convention).
+    required: false
+    default: 'ci'
+  install-servicemonitor-crd:
+    description: |
+      When 'true', install the prometheus-operator ServiceMonitor CRD (pinned
+      v0.91.0). Required for `helm install --dry-run=server` against the
+      chart's production preset (serviceMonitor.enabled=true).
+    required: false
+    default: 'false'
+  install-gatekeeper-crds:
+    description: |
+      When 'true', install the Gatekeeper-library v3.18.x CRDs. Reserved
+      for future workflows that need to apply Gatekeeper Constraints
+      outside the policy-matrix flow. Today the policy-matrix-smoke.sh
+      script installs Gatekeeper itself via its own helm chart.
+    required: false
+    default: 'false'
+  install-cert-manager-crds:
+    description: |
+      When 'true', install cert-manager CRDs (pinned v1.16.1). Reserved
+      for future tls.enabled=true cert-manager-integrated install paths.
+    required: false
+    default: 'false'
+
+runs:
+  using: composite
+  steps:
+    - name: Install helm
+      uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2  # v5.0.0
+      with:
+        version: v3.16.4
+
+    - name: Build tracecore image
+      if: inputs.build-image == 'true'
+      shell: bash
+      env:
+        IMAGE_TAG: ${{ inputs.image-tag }}
+      run: |
+        docker build \
+          -f install/kubernetes/tracecore/Dockerfile \
+          -t "tracecore:${IMAGE_TAG}" \
+          .
+
+    - name: Create kind cluster
+      uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc  # v1.14.0
+      with:
+        version: v0.25.0
+        node_image: kindest/node:v1.32.0
+        cluster_name: ${{ inputs.cluster-name }}
+        config: ${{ inputs.kind-config }}
+
+    - name: Load image into kind
+      if: inputs.build-image == 'true'
+      shell: bash
+      env:
+        CLUSTER_NAME: ${{ inputs.cluster-name }}
+        IMAGE_TAG: ${{ inputs.image-tag }}
+      run: kind load docker-image "tracecore:${IMAGE_TAG}" --name "${CLUSTER_NAME}"
+
+    - name: Install prometheus-operator ServiceMonitor CRD (pinned v0.91.0)
+      # The chart's production preset flips `serviceMonitor.enabled=true`,
+      # which renders a `monitoring.coreos.com/v1 ServiceMonitor` resource.
+      # Kind does not ship that CRD, so `helm install --dry-run=server`
+      # exits 1 with "no matches for kind ServiceMonitor in version
+      # monitoring.coreos.com/v1". We install ONLY the ServiceMonitor CRD
+      # — the chart references no other monitoring.coreos.com kinds, and
+      # the slim install (~700 lines of YAML) is cheaper than the full
+      # prometheus-operator bundle (~3MB) which would also pull
+      # Prometheus, Alertmanager, ThanosRuler, PodMonitor, Probe, and
+      # PrometheusRule CRDs we do not exercise.
+      #
+      # CRD ref pinned to v0.91.0 (published 2026-05-05) per #494.
+      # Bumping this pin is a reviewed code change.
+      if: inputs.install-servicemonitor-crd == 'true'
+      shell: bash
+      run: |
+        kubectl apply -f \
+          "https://github.com/prometheus-operator/prometheus-operator/v0.91.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml"
+        kubectl wait --for=condition=established \
+          crd/servicemonitors.monitoring.coreos.com --timeout=60s
+
+    - name: Install Gatekeeper CRDs (pinned v3.18.2)
+      # Reserved for future workflows that need to apply
+      # ConstraintTemplate / Constraint resources outside the
+      # policy-matrix flow. Today the policy-matrix smoke script
+      # installs Gatekeeper itself via its own helm chart; this
+      # input is a forward-compat hook so we have ONE place that
+      # knows the Gatekeeper CRD pin.
+      if: inputs.install-gatekeeper-crds == 'true'
+      shell: bash
+      run: |
+        kubectl apply -f \
+          "https://github.com/open-policy-agent/gatekeeper/v3.18.2/deploy/gatekeeper.yaml"
+        kubectl wait --for=condition=established \
+          crd/constrainttemplates.templates.gatekeeper.sh --timeout=120s
+
+    - name: Install cert-manager CRDs (pinned v1.16.1)
+      # Reserved for future tls.enabled=true install paths that
+      # integrate with cert-manager-issued Secrets.
+      if: inputs.install-cert-manager-crds == 'true'
+      shell: bash
+      run: |
+        kubectl apply -f \
+          "https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml"
+        for crd in certificates.cert-manager.io \
+                   issuers.cert-manager.io \
+                   clusterissuers.cert-manager.io; do
+          kubectl wait --for=condition=established "crd/${crd}" --timeout=60s
+        done

.github/workflows/chart.yml

@@ -584,9 +584,10 @@ jobs:
         with:
           go-version-file: go.mod
           cache: true
-      - uses: ./.github/actions/kind-tracecore-up
+      - uses: ./.github/actions/kind-cluster-setup
         with:
           cluster-name: tracecore-m5b
+          install-servicemonitor-crd: 'true'
       - name: helm install + measure install-to-Ready
         id: install
         run: |
@@ -682,10 +683,11 @@ jobs:
         with:
           go-version-file: go.mod
           cache: true
-      - uses: ./.github/actions/kind-tracecore-up
+      - uses: ./.github/actions/kind-cluster-setup
         with:
           cluster-name: tracecore-upgrade
           kind-config: bench/install/kind-config.yaml
+          install-servicemonitor-crd: 'true'
       - name: helm install (revision 1) — baseline values
         run: |
           set -eo pipefail

.github/workflows/install-bench.yml

@@ -46,26 +46,16 @@ jobs:
         with:
           go-version-file: go.mod
           cache: true
-      - name: Install helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+      - uses: ./.github/actions/kind-cluster-setup
         with:
-          version: v3.16.4
-      - name: Build tracecore image
-        run: |
-          docker build \
-            -f install/kubernetes/tracecore/Dockerfile \
-            -t tracecore:bench \
-            .
-      - name: Create kind cluster
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
-        with:
-          version: v0.25.0
-          node_image: kindest/node:v1.32.0
-          cluster_name: tracecore-install-bench
-          config: bench/install/kind-config.yaml
-      - name: Load image into kind
-        run: |
-          kind load docker-image tracecore:bench --name tracecore-install-bench
+          cluster-name: tracecore-install-bench
+          kind-config: bench/install/kind-config.yaml
+          build-image: 'true'
+          image-tag: bench
+          # Production-preset render path needs the ServiceMonitor CRD
+          # available; install-bench renders the chart and exercises the
+          # full apply path. Same rationale as policy-matrix and chart.
+          install-servicemonitor-crd: 'true'
       - name: Run install bench
         env:
           GITHUB_RUNNER_LABEL: ubuntu-latest

.github/workflows/policy-matrix.yml

@@ -82,43 +82,23 @@ jobs:
             values_file: install/kubernetes/tracecore/values-production.yaml
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-      - name: Install helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2  # v5.0.0
+      - uses: ./.github/actions/kind-cluster-setup
         with:
-          version: v3.16.4
-      - name: Create kind cluster
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc  # v1.14.0
-        with:
-          version: v0.25.0
-          node_image: kindest/node:v1.32.0
-          cluster_name: tracecore-policy-${{ matrix.policy_engine }}-${{ matrix.values_profile }}
+          cluster-name: tracecore-policy-${{ matrix.policy_engine }}-${{ matrix.values_profile }}
+          # policy-matrix asserts admission via `helm install
+          # --dry-run=server`; the API server never pulls the image,
+          # so no local docker build is needed.
+          build-image: 'false'
+          # Chart's production preset flips serviceMonitor.enabled=true;
+          # without this CRD the dry-run exits 1 with "no matches for
+          # kind ServiceMonitor". Applied unconditionally across every
+          # matrix row (not just production) so a future default-values
+          # flip cannot silently re-break the gate (#494).
+          install-servicemonitor-crd: 'true'
       - name: Sanity — kubectl reaches the cluster
         run: |
           kubectl cluster-info
           kubectl version
-      - name: Install prometheus-operator ServiceMonitor CRD (issue #494)
-        # The production-preset values file flips `serviceMonitor.enabled=true`,
-        # which renders a `monitoring.coreos.com/v1 ServiceMonitor` resource.
-        # Kind does not ship that CRD, so `helm install --dry-run=server`
-        # exits 1 with "no matches for kind ServiceMonitor in version
-        # monitoring.coreos.com/v1" on every chart-touching PR (regression
-        # since #475). We install ONLY the ServiceMonitor CRD — the chart's
-        # production preset references no other monitoring.coreos.com kinds,
-        # and the slim CRD install (~700 lines of YAML) is cheaper than the
-        # full prometheus-operator bundle (~3MB) which would also pull
-        # Prometheus, Alertmanager, ThanosRuler, PodMonitor, Probe, and
-        # PrometheusRule kinds we do not exercise. Applied unconditionally
-        # across every matrix row (not just production) so a future
-        # default-values flip cannot silently re-break this gate.
-        #
-        # CRD ref pinned to a tagged release (v0.91.0, published
-        # 2026-05-05) per repo convention `KYVERNO_POLICIES_REF` /
-        # `GATEKEEPER_VERSION` in scripts/policy-matrix-smoke.sh — never
-        # track `main`. Bumping this pin is a reviewed code change.
-        run: |
-          kubectl apply -f \
-            "https://github.com/prometheus-operator/prometheus-operator/v0.91.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml"
-          kubectl wait --for=condition=established crd/servicemonitors.monitoring.coreos.com --timeout=60s
       - name: Smoke — install policy engine + helm dry-run tracecore chart
         env:
           POLICY_ENGINE: ${{ matrix.policy_engine }}
@@ -177,16 +157,15 @@ jobs:
           - policy_engine: gatekeeper
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-      - name: Install helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2  # v5.0.0
-        with:
-          version: v3.16.4
-      - name: Create kind cluster
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc  # v1.14.0
+      - uses: ./.github/actions/kind-cluster-setup
         with:
-          version: v0.25.0
-          node_image: kindest/node:v1.32.0
-          cluster_name: tracecore-policy-mutation-${{ matrix.policy_engine }}
+          cluster-name: tracecore-policy-mutation-${{ matrix.policy_engine }}
+          # Mutation job exercises `kubectl apply --dry-run=server`
+          # against a known-bad DaemonSet; the API server never pulls
+          # any image. No local docker build needed.
+          build-image: 'false'
+          # No ServiceMonitor CRD here: the mutation test applies a
+          # plain DaemonSet fixture, not the rendered chart.
       - name: Provision policy engine + restricted namespace
         env:
           POLICY_ENGINE: ${{ matrix.policy_engine }}