The existing --ignore-paths flag replaces the built-in default exclude
list (VCS files and common ignored extensions), which forces users to
re-specify every default when they only need to add one extra pattern.
This change introduces --add-ignore-paths for push/build/diff artifact,
which appends its values to whichever ignore set is currently in effect
(defaults when --ignore-paths is omitted, or the user override when it
is provided). --ignore-paths semantics are unchanged.
Signed-off-by: Ruslan Shaydullin <shaydullin.r.d@outlook.com>
Assisted-by: claude-code/claude-opus-4-7
`flux get --status-selector` only supported equality (`type=status`),
so finding objects that are not in a given state required multiple
invocations, e.g. listing everything that is not ready needed both
`Ready=False` and `Ready=Unknown`.
Add support for a negated selector `type!=status`. Since all resource
adapters delegate matching to the shared `statusMatches` helper and
filtering is centralised in `getRowsToPrint`, negation is implemented
purely in the parse/filter layer by inverting the match result. This
covers every resource type and the `--watch` path without touching the
per-resource adapters.
A missing condition is treated as not-matching by `statusMatches` (Flux
considers it "waiting to be reconciled"), so `Ready!=True` also surfaces
objects that have no Ready condition yet, i.e. the complete not-ready set:
flux get all -A --status-selector Ready!=True
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: 3uzbcqje <3uzbcqje@addy.to>
`bootstrap github` and `bootstrap gitea` generate the SSH transport
key in-process, so they have no operator-supplied key to reuse for
commit signing. Both subcommands already reject
`--ssh-signing-reuse-private-key` with a provider-specific
"not supported" error, but the check sat after `bootstrapValidate`,
which fails first with the generic
"--ssh-signing-reuse-private-key requires --private-key-file"
message. A user invoking e.g. `flux bootstrap github
--ssh-signing-reuse-private-key` is told to set a flag that the
subcommand cannot honour anyway, masking the real problem.
Move the unsupported-flag rejection to the top of each `RunE` —
before the interactive PAT prompt and before `bootstrapValidate` —
so the provider-specific error wins. The deeper, now-redundant
check is dropped. `TestBootstrapProviderRejectsReuseBeforeValidate`
exercises both subcommands with the reuse flag set and no
`--private-key-file` to lock in the precedence.
Assisted-by: claude/opus-4.7
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
`SelectOpenPGPSigningEntity` selects `keyRing[0]` when no key id is
supplied and then calls `entity.PrivateKey.Decrypt` directly. For a
keyring that contains only public keys — e.g. an armor-exported
public key file — `PrivateKey` is `nil` and the call panics with a
nil pointer dereference rather than surfacing an actionable error.
The keyed branch already guards against this; the default branch
did not.
Guard the default branch with the same nil check and return an
error pointing at `gpg --export-secret-keys` or `--gpg-key-id` so
the user knows how to recover. Cover the public-only-keyring case
in `TestSelectOpenPGPSigningEntity` so a future regression cannot
re-introduce the panic.
Assisted-by: claude/opus-4.7
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
`resetCmdArgs` in `main_test.go` rebuilds `bootstrapArgs` from
`NewBootstrapFlags`, which deliberately omits the cobra-populated
`defaultComponents`. In the `e2e` build, `TestMain` runs `flux install
…` before any test executes; that call triggers the reset and leaves
`bootstrapArgs.defaultComponents` empty for the lifetime of the
process. `bootstrapValidate` then trips on its `requiredComponents`
pre-check and fails with "component source-controller is required"
before it ever reaches the SSH/GPG signing flag validation that this
test cares about.
Save, seed, and restore `defaultComponents` per subtest so the
required-component check passes regardless of whether the test runs
under the plain or the `e2e` build tag.
Assisted-by: claude/opus-4.7
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Extends the existing TestExport 'image update' case with a signingKey
block on the seeded ImageUpdateAutomation, asserting the new field
survives the kubeClient.Get + serialize path. Parallels how the
existing fixture exercises every other field on the resource.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Adds golden-file tests for the new --signing-key-secret and
--signing-key-type flags: no-signing (baseline), default-gpg (asserts
type is omitted when only the secret is set, deferring to the
controller's gpg default), ssh, and the two validation-error cases.
Establishes cmd/flux/testdata/create_image_update/ for future
expansion of this command's coverage.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Closes a pre-existing gap where the ImageUpdateAutomation SigningKey
field was reachable only by hand-editing the rendered YAML. The two
new flags --signing-key-secret and --signing-key-type populate the
spec.git.commit.signingKey block directly.
When --signing-key-secret is set without --signing-key-type, the run
function leaves spec.git.commit.signingKey.type empty so the
controller's documented default ('gpg' when type is unset[1]) applies
server-side rather than baking the choice into the rendered YAML.
Validation rejects --signing-key-type without --signing-key-secret
and rejects values outside {gpg, ssh}, using the typed
SigningKeyType constants exported from the image-automation-
controller API so the validator and populator share a single source
of truth.
[1]: https://github.com/fluxcd/image-automation-controller/pull/1035
Signed-off-by: Hidde Beydals <hidde@hhh.computer>