From 8c5d2bfa2a852ce86b19fad9a63c697a31e1b10f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 10:15:58 +0100 Subject: [PATCH 001/121] Added support fir build-args for container-ci workflow --- .github/workflows/container-ci.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index d7b6fd2..4a086f1 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -12,6 +12,11 @@ on: description: "Image name" required: true type: string + build-args: + description: "Build args as JSON array of objects [{'name':'ARG1','value':'val1'},...]" + required: false + default: '[]' + type: string jobs: hadolint: @@ -70,6 +75,14 @@ jobs: type=semver,pattern={{major}} type=sha + - name: Parse build-args + id: args + run: | + echo "${{ inputs.build-args }}" > args.json + + BUILD_ARGS=$(jq -r 'map("--build-arg \(.name)=\(.value)") | join(" ")' args.json) + echo "build_args=$BUILD_ARGS" >> $GITHUB_OUTPUT + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -82,6 +95,8 @@ jobs: file: ${{ inputs.dockerfile-path }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + build_args: | + ${{ steps.args.outputs.flags }} push: false outputs: type=docker,dest=/tmp/container-image.${{github.run_id}}.tar From 119c0c89c7740f7bb781ad02fa0f6a69d1fbe73a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 10:32:14 +0100 Subject: [PATCH 002/121] Added default build-args logic, and renamed the build-args input parameter ti extra-build-args --- .github/workflows/container-ci.yml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 4a086f1..c6a170e 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml 
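Review bot: The example in the new `build-args` description, `[{'name':'ARG1','value':'val1'},...]`, uses single-quoted keys and values, which the `jq` call in the parse step further down rejects as invalid JSON, so a caller who copies the example gets a failing step. The example should use double quotes, e.g. `description: 'Build args as JSON array of objects [{"name":"ARG1","value":"val1"},...]'`, and could state explicitly that the value must be valid JSON.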
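Review bot: `echo "${{ inputs.build-args }}" > args.json` in the Parse build-args step expands the caller-supplied input into the script text before bash runs it, so a value containing `"` or `$(` becomes shell syntax executed on the runner — the standard expression-injection problem, and wrapping the expression in quotes does not close it. Expose the value through the step's environment instead, `env: BUILD_ARGS_INPUT: ${{ inputs.build-args }}`, and write it with `printf '%s' "$BUILD_ARGS_INPUT" > args.json`. Separately, this step writes `build_args=` to `$GITHUB_OUTPUT` while the third hunk reads `steps.args.outputs.flags`, so the build step always receives an empty value; the two names need to agree, and `$GITHUB_OUTPUT` should be quoted as `"$GITHUB_OUTPUT"`.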
@@ -12,8 +12,8 @@ on: description: "Image name" required: true type: string - build-args: - description: "Build args as JSON array of objects [{'name':'ARG1','value':'val1'},...]" + extra-build-args: + description: "Extra build args as JSON array of objects [{'name':'ARG1','value':'val1'},...]" required: false default: '[]' type: string @@ -78,9 +78,25 @@ jobs: - name: Parse build-args id: args run: | - echo "${{ inputs.build-args }}" > args.json - BUILD_ARGS=$(jq -r 'map("--build-arg \(.name)=\(.value)") | join(" ")' args.json) + # Setup default build-args, to be exposed to all builds + DEFAULT_BUILD_ARGS=$(cat < args.json + + # Combining default and extra build args to a single var exposed as step output, + # to be reused in the build step + BUILD_ARGS=$(jq -s 'add' <(echo "$DEFAULT_BUILD_ARGS") input-args.json) + echo "build_args=$BUILD_ARGS" >> $GITHUB_OUTPUT - name: Set up Docker Buildx From 85fab7cc7f84684c392a4c9b877c7e63f2718d85 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 10:49:22 +0100 Subject: [PATCH 003/121] Added custom user-defined tags support --- .github/workflows/container-ci.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index c6a170e..93e845f 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -11,7 +11,12 @@ on: image-name: description: "Image name" required: true - type: string + type: string + image-custom-tag: + description: "Custom image tag, to be added to the ones generated by default" + required: false + default: '' + type: string extra-build-args: description: "Extra build args as JSON array of objects [{'name':'ARG1','value':'val1'},...]" required: false 
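Review bot: The rewritten parse step is partly cut off in this view (the text after `DEFAULT_BUILD_ARGS=$(cat <` is missing), but its visible tail has two defects. `jq -s 'add' <(echo "$DEFAULT_BUILD_ARGS") input-args.json` reads `input-args.json` while the redirect just above writes `args.json`, so the step fails on a missing file. And `echo "build_args=$BUILD_ARGS" >> $GITHUB_OUTPUT` writes the pretty-printed, multi-line `jq` result as a single `key=value` record; either produce one line with `jq -sc 'add'` or emit the output with the delimiter form (`build_args<<EOF` … `EOF`) and quote `"$GITHUB_OUTPUT"`.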
@@ -65,7 +70,7 @@ jobs: # list of Docker images to use as base name for tags images: | ${{ inputs.image-name }} - # generate Docker tags based on the following events/attributes + # Generate Docker tags based on the following events/attributes tags: | type=schedule type=ref,event=branch @@ -74,6 +79,7 @@ jobs: type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=sha + type=raw,value=${{ inputs.image-custom-tag }},enable=${{ inputs.image-custom-tag != '' }} - name: Parse build-args id: args From f45af9ef32ca9868b2c550b7fc0270c45d61971a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 11:33:51 +0100 Subject: [PATCH 004/121] Added support for ignoring hadolint rules --- .github/workflows/container-ci.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 93e845f..7f1658a 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -8,6 +8,11 @@ on: required: false type: string default: "Dockerfile" + ignore_hadolint_rules: + description: "Comma separated list of Hadolint rules to ignore (for scan only, will still be present in the generated report)" + required: false + default: '' + type: string image-name: description: "Image name" required: true @@ -32,7 +37,7 @@ jobs: uses: actions/checkout@v4 - name: Build Hadolint report - uses: hadolint/hadolint-action@v3.1.0 + uses: hadolint/hadolint-action@v3.3.0 with: dockerfile: ${{ inputs.dockerfile-path }} no-fail: true @@ -51,7 +56,7 @@ jobs: uses: hadolint/hadolint-action@v3.1.0 with: dockerfile: ${{ inputs.dockerfile-path }} - override-info: DL3008,DL3018,DL3041,SC2046 + ignore: ${{ inputs.ignore_hadolint_rules }} failure-threshold: warning format: tty From 1add8ab67ab0b36a06033d89c24ed6f526b0550d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 11:51:18 +0100 Subject: [PATCH 005/121] Added missing git metadata step --- .github/workflows/container-ci.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 7f1658a..99826ae 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -86,6 +86,12 @@ jobs: type=sha type=raw,value=${{ inputs.image-custom-tag }},enable=${{ inputs.image-custom-tag != '' }} + - name: Get Git metadata + id: git_metadata + run: | + echo "author=$(git log -1 --pretty=format:'%an')" >> $GITHUB_OUTPUT + echo "repo=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT + - name: Parse build-args id: args run: | @@ -93,9 +99,9 @@ jobs: # Setup default build-args, to be exposed to all builds DEFAULT_BUILD_ARGS=$(cat < Date: Tue, 2 Dec 2025 11:56:55 +0100 Subject: [PATCH 006/121] Modified author injection for commit vars --- .github/workflows/container-ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 99826ae..8447ba7 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -89,9 +89,11 @@ jobs: - name: Get Git metadata id: git_metadata run: | - echo "author=$(git log -1 --pretty=format:'%an')" >> $GITHUB_OUTPUT + AUTHOR=$(git log -1 --pretty=format:'%an') + echo "author=$AUTHOR" >> $GITHUB_OUTPUT + echo "repo=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT - + - name: Parse build-args id: args run: | From 163177246c758d9fd5843fbf52d921aab112f625 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 11:58:32 +0100 Subject: [PATCH 007/121] Added debug step for commit author --- .github/workflows/container-ci.yml | 1 + 1 file changed, 1 insertion(+) 
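Review bot: `echo "author=$(git log -1 --pretty=format:'%an')" >> $GITHUB_OUTPUT` writes a value taken from commit metadata — in a reusable workflow, whatever the pusher of the commit chose — as a single `key=value` record; if that string can ever contain a newline, it ends the record early and the remainder is parsed as further output keys. GitHub's delimiter form is the safe way to write values you do not control: `{ echo "author<<EOF"; git log -1 --pretty=format:'%an'; echo; echo "EOF"; } >> "$GITHUB_OUTPUT"`, ideally with a randomly generated delimiter instead of `EOF`, and `$GITHUB_OUTPUT` quoted. The next patch's hunk keeps the same single-line write (`echo "author=$AUTHOR" >> $GITHUB_OUTPUT`), so the change applies there too.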
diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 8447ba7..293ca6f 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -90,6 +90,7 @@ jobs: id: git_metadata run: | AUTHOR=$(git log -1 --pretty=format:'%an') + echo "author=$AUTHOR" echo "author=$AUTHOR" >> $GITHUB_OUTPUT echo "repo=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT From c3d6cebbb64a8cf0dc6503b9f58b4843304d5231 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 12:01:29 +0100 Subject: [PATCH 008/121] Added missing git fetch info --- .github/workflows/container-ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 293ca6f..4f30187 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -86,11 +86,13 @@ jobs: type=sha type=raw,value=${{ inputs.image-custom-tag }},enable=${{ inputs.image-custom-tag != '' }} + - name: Checkout code + uses: actions/checkout@v4 + - name: Get Git metadata id: git_metadata run: | AUTHOR=$(git log -1 --pretty=format:'%an') - echo "author=$AUTHOR" echo "author=$AUTHOR" >> $GITHUB_OUTPUT echo "repo=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT From 9c3d6b849665abf1b93d5f1db205bb3bec1c34cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 12:07:22 +0100 Subject: [PATCH 009/121] Updated git tech depth --- .github/workflows/container-ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 4f30187..fbe7df2 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -35,6 +35,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Build Hadolint report uses: hadolint/hadolint-action@v3.3.0 
From f8741b6a5a2400d3f9a367ba38f4ef4e713c0747 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 13:19:19 +0100 Subject: [PATCH 010/121] Updated fetch depth --- .github/workflows/container-ci.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index fbe7df2..587a3a5 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -33,11 +33,6 @@ jobs: name: Hadolint - Dockerfile Lint runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Build Hadolint report uses: hadolint/hadolint-action@v3.3.0 with: @@ -90,6 +85,8 @@ jobs: - name: Checkout code uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Get Git metadata id: git_metadata From b86d25b0b82adbb9f629f67e220eed0ec10d98bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 13:32:43 +0100 Subject: [PATCH 011/121] Fixed steps order in docker image build step --- .github/workflows/container-ci.yml | 44 ++++++++++++++++-------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 587a3a5..a369db3 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml 
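Review bot: Removing the checkout step from the lint job leaves the two `hadolint/hadolint-action` steps below it (outside the hunk) pointing at `${{ inputs.dockerfile-path }}` in a workspace that no longer contains the repository, so the lint job presumably fails on a missing Dockerfile. If the intent was only to move `fetch-depth: 0` to the build job, the plain `- name: Checkout code` / `uses: actions/checkout@v4` pair should stay here.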
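Review bot: `fetch-depth: 0` on the build job's checkout fetches the full history, but the only git command visible in this file, `git log -1 --pretty=format:'%an'` in the metadata step, reads just the checked-out commit, which the default shallow fetch already provides. Unless a step outside my view needs tags or history, the `with:` block can be dropped to keep the job fast; if it is needed, a comment on the line such as `# full history: needed by <step name>` would record why.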
@@ -63,26 +63,6 @@ jobs: runs-on: ubuntu-latest needs: hadolint steps: - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - env: - DOCKER_METADATA_SHORT_SHA_LENGTH: 7 - with: - # list of Docker images to use as base name for tags - images: | - ${{ inputs.image-name }} - # Generate Docker tags based on the following events/attributes - tags: | - type=schedule - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha - type=raw,value=${{ inputs.image-custom-tag }},enable=${{ inputs.image-custom-tag != '' }} - - name: Checkout code uses: actions/checkout@v4 with: @@ -116,10 +96,32 @@ jobs: # Combining default and extra build args to a single var exposed as step output, # to be reused in the build step - BUILD_ARGS=$(jq -s 'add' <(echo "$DEFAULT_BUILD_ARGS") input-args.json) + BUILD_ARGS=$(jq -s 'add' <(echo "$DEFAULT_BUILD_ARGS") args.json) + + echo -e "[INFO] Setting the following build_args for this Dockerfile build : \n $(echo "$BUILD_ARGS")" echo "build_args=$BUILD_ARGS" >> $GITHUB_OUTPUT + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + env: + DOCKER_METADATA_SHORT_SHA_LENGTH: 7 + with: + # list of Docker images to use as base name for tags + images: | + ${{ inputs.image-name }} + # Generate Docker tags based on the following events/attributes + tags: | + type=schedule + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + type=raw,value=${{ inputs.image-custom-tag }},enable=${{ inputs.image-custom-tag != '' }} + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 From 3ce26bc684bbba01ed05a0d71899b9e154d8e8bb Mon Sep 17 00:00:00 2001 
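Review bot: `echo -e "[INFO] Setting the following build_args for this Dockerfile build : \n $(echo "$BUILD_ARGS")"` spawns a subshell only to echo a variable; `"$BUILD_ARGS"` directly is equivalent, and `printf '[INFO] Setting the following build_args for this Dockerfile build :\n%s\n' "$BUILD_ARGS"` avoids the `echo -e` portability question altogether. `$GITHUB_OUTPUT` on the following line should be quoted as `"$GITHUB_OUTPUT"`. The step this hunk edits starts outside the hunk.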
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 13:39:01 +0100 Subject: [PATCH 012/121] Fixed formatting issues with args --- .github/workflows/container-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index a369db3..ba50061 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -92,7 +92,7 @@ jobs: ) # Adding user-supplied default build-args - echo "${{ inputs.extra-build-args }}" > args.json + printf '%s' '${{ inputs.extra-build-args }}' | jq . > args.json # Combining default and extra build args to a single var exposed as step output, # to be reused in the build step @@ -135,7 +135,7 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} build_args: | - ${{ steps.args.outputs.flags }} + ${{ steps.args.outputs.build-args }} push: false outputs: type=docker,dest=/tmp/container-image.${{github.run_id}}.tar From 4aa8789d01fd6222d04ec1afe243abe29eaa77ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 14:14:14 +0100 Subject: [PATCH 013/121] Refactored arg parse for docker build --- .github/workflows/container-ci.yml | 63 ++++++++++++++++++------------ 1 file changed, 37 insertions(+), 26 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index ba50061..4e6e257 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml 
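Review bot: `printf '%s' '${{ inputs.extra-build-args }}' | jq . > args.json` still splices the caller's input into the script source; single quotes only hold until the value contains a `'`, after which the rest of the value is interpreted as shell. Expose the input through `env:` (`EXTRA_BUILD_ARGS: ${{ inputs.extra-build-args }}`) and use `printf '%s' "$EXTRA_BUILD_ARGS" | jq . > args.json`. The second hunk now reads `steps.args.outputs.build-args`, but the step still writes `build_args=` to `$GITHUB_OUTPUT`, so the renamed reference resolves to an empty string.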
@@ -67,40 +67,51 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - - name: Get Git metadata - id: git_metadata - run: | - AUTHOR=$(git log -1 --pretty=format:'%an') - echo "author=$AUTHOR" >> $GITHUB_OUTPUT - - echo "repo=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT - name: Parse build-args id: args + shell: bash run: | - - # Setup default build-args, to be exposed to all builds - DEFAULT_BUILD_ARGS=$(cat < args.json - # Combining default and extra build args to a single var exposed as step output, - # to be reused in the build step - BUILD_ARGS=$(jq -s 'add' <(echo "$DEFAULT_BUILD_ARGS") args.json) + echo "[DEBUG] BUILD_ARGS_JSON = $BUILD_ARGS_JSON" + + BUILD_ARGS_LINES=$( + jq -r '.[] | "\(.name)=\(.value)"' <<< "$BUILD_ARGS_JSON" + ) - echo -e "[INFO] Setting the following build_args for this Dockerfile build : \n $(echo "$BUILD_ARGS")" + echo "[DEBUG] BUILD_ARGS_LINES:" + printf '%s\n' "$BUILD_ARGS_LINES" - echo "build_args=$BUILD_ARGS" >> $GITHUB_OUTPUT + { + echo "build_args<> "$GITHUB_OUTPUT" - name: Docker meta id: meta From 1dcd93bdb84f83ee650470f780b1233909df8047 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 14:34:58 +0100 Subject: [PATCH 014/121] Rationalized build args steps --- .github/workflows/container-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 4e6e257..7b7d517 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -108,7 +108,7 @@ jobs: printf '%s\n' "$BUILD_ARGS_LINES" { - echo "build_args<> "$GITHUB_OUTPUT" @@ -145,7 +145,7 @@ jobs: file: ${{ inputs.dockerfile-path }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - build_args: | + build-args: | ${{ steps.args.outputs.build-args }} push: false outputs: type=docker,dest=/tmp/container-image.${{github.run_id}}.tar 
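Review bot: The rewritten parse step is partly cut off in this view (the text after `echo "build_args<` is missing), but the lines later patches show as its context — `EXTRA_ARGS='${{ inputs.extra-build-args }}'` and `--arg git_branch "${{ github.ref_name }}"` — interpolate workflow expressions into the `run:` script. Caller inputs and branch names are not shell-safe, so they belong in the step's `env:` block (`GIT_BRANCH: ${{ github.ref_name }}`, `EXTRA_BUILD_ARGS: ${{ inputs.extra-build-args }}`) and should be referenced as `"$GIT_BRANCH"` / `"$EXTRA_BUILD_ARGS"`; `${{ github.repository }}` and `${{ github.sha }}` are already available as `$GITHUB_REPOSITORY` and `$GITHUB_SHA`. Switching the multi-line output to a `build_args<<EOF` delimiter is the right fix for the earlier single-line write.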
From b0a12d7090bae2f240ef0d841b96cf5cac010018 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 14:40:33 +0100 Subject: [PATCH 015/121] Added missing checkout step --- .github/workflows/container-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 7b7d517..06e1237 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -33,6 +33,9 @@ jobs: name: Hadolint - Dockerfile Lint runs-on: ubuntu-latest steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Build Hadolint report uses: hadolint/hadolint-action@v3.3.0 with: From 65637442119bc747efcdca558a4c95aee04ee3f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 14:47:07 +0100 Subject: [PATCH 016/121] Trimmed arg-json command --- .github/workflows/container-ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 06e1237..f262973 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - + - name: Build Hadolint report uses: hadolint/hadolint-action@v3.3.0 with: @@ -89,7 +89,6 @@ jobs: --arg git_branch "${{ github.ref_name }}" \ --arg git_commit_author "$(git log -1 --pretty=format:'%an')" \ --arg git_commit_sha "${{ github.sha }}" \ - --argjson extra "$EXTRA_ARGS" ' [ { "name": "GIT_PROJECT", "value": $git_project }, From d925b1e3371ab8cde837194b3f2705e5e3405df2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 14:49:01 +0100 Subject: [PATCH 017/121] Updated args json for build-args phase --- .github/workflows/container-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
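Review bot: Dropping `--argjson extra "$EXTRA_ARGS" '` also drops the opening single quote of the jq filter that follows (`[ { "name": "GIT_PROJECT", ...`), so bash now parses the filter text itself and the step cannot run; the `$extra` reference inside the filter, outside this hunk, also loses its binding. If the aim was to stop passing `$EXTRA_ARGS`, the quote has to move to the preceding option, e.g. `--arg git_commit_sha "${{ github.sha }}" '`, and the `$extra` term in the filter removed as well.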
diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index f262973..4f68762 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -89,7 +89,7 @@ jobs: --arg git_branch "${{ github.ref_name }}" \ --arg git_commit_author "$(git log -1 --pretty=format:'%an')" \ --arg git_commit_sha "${{ github.sha }}" \ - --argjson extra "$EXTRA_ARGS" ' + --jsonargs extra "$EXTRA_ARGS" ' [ { "name": "GIT_PROJECT", "value": $git_project }, { "name": "GIT_BRANCH", "value": $git_branch }, From 51cd1845a114a882834069d6e83e2e1223d7e01b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 14:52:02 +0100 Subject: [PATCH 018/121] Updated build-args logic --- .github/workflows/container-ci.yml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 4f68762..19b39b6 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml 
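Review bot: `--jsonargs extra "$EXTRA_ARGS"` does not bind a variable: in jq, `--jsonargs` is a mode flag meaning the remaining positional arguments are JSON texts (available as `$ARGS.positional`), so `extra` and the value become positional arguments and `$extra` in the filter stays undefined. The named form is `--argjson extra "$EXTRA_ARGS"`, which is what the previous version of this line had.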
@@ -84,24 +84,25 @@ jobs: fi BUILD_ARGS_JSON=$( - jq -n -c \ + jq -nc \ --arg git_project "${{ github.repository }}" \ --arg git_branch "${{ github.ref_name }}" \ --arg git_commit_author "$(git log -1 --pretty=format:'%an')" \ --arg git_commit_sha "${{ github.sha }}" \ - --jsonargs extra "$EXTRA_ARGS" ' - [ - { "name": "GIT_PROJECT", "value": $git_project }, - { "name": "GIT_BRANCH", "value": $git_branch }, - { "name": "GIT_COMMIT_AUTHOR", "value": $git_commit_author }, - { "name": "GIT_COMMIT_SHA", "value": $git_commit_sha } - ] - + ($extra // []) - ' + --arg extra "$EXTRA_ARGS" ' + [ + { "name": "GIT_PROJECT", "value": $git_project }, + { "name": "GIT_BRANCH", "value": $git_branch }, + { "name": "GIT_COMMIT_AUTHOR", "value": $git_commit_author }, + { "name": "GIT_COMMIT_SHA", "value": $git_commit_sha } + ] + + ( ($extra | fromjson) // [] ) + ' ) echo "[DEBUG] BUILD_ARGS_JSON = $BUILD_ARGS_JSON" + # Transforme en lignes "KEY=VALUE" pour docker/build-push-action BUILD_ARGS_LINES=$( jq -r '.[] | "\(.name)=\(.value)"' <<< "$BUILD_ARGS_JSON" ) From 91dcc9b10f5cbd2bc1bbd66c880bf712f1955841 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 15:02:19 +0100 Subject: [PATCH 019/121] Updated build-args logic --- .github/workflows/container-ci.yml | 51 ++++++++---------------------- 1 file changed, 13 insertions(+), 38 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 19b39b6..f8d160c 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -23,9 +23,9 @@ on: default: '' type: string extra-build-args: - description: "Extra build args as JSON array of objects [{'name':'ARG1','value':'val1'},...]" + description: "Extra build args as KEY=VALUE, one per line, in a YAML scalar bloc" required: false - default: '[]' + default: '' type: string jobs: 
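Review bot: The new comment `# Transforme en lignes "KEY=VALUE" pour docker/build-push-action` is in French while every other comment in the file is in English; `# Turn the array into "KEY=VALUE" lines for docker/build-push-action` keeps the file consistent. A smaller point on `( ($extra | fromjson) // [] )`: `//` only covers `null`/`false`, so a caller passing a JSON object rather than an array makes the `+` fail with a jq type error; a comment on the `extra-build-args` input stating that the value must be a JSON array would at least document the contract.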
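Review bot: The new description `"Extra build args as KEY=VALUE, one per line, in a YAML scalar bloc"` has a typo and the term is reversed; `description: "Extra build args as KEY=VALUE, one per line (pass a YAML block scalar)"` reads correctly. Since the format changed from JSON to lines, a short example such as `FOO=bar` on the next line would spare callers from guessing.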
@@ -75,44 +75,19 @@ jobs: id: args shell: bash run: | - set -euo pipefail - - EXTRA_ARGS='${{ inputs.extra-build-args }}' - - if [[ -z "${EXTRA_ARGS//[[:space:]]/}" ]]; then - EXTRA_ARGS='[]' - fi - - BUILD_ARGS_JSON=$( - jq -nc \ - --arg git_project "${{ github.repository }}" \ - --arg git_branch "${{ github.ref_name }}" \ - --arg git_commit_author "$(git log -1 --pretty=format:'%an')" \ - --arg git_commit_sha "${{ github.sha }}" \ - --arg extra "$EXTRA_ARGS" ' - [ - { "name": "GIT_PROJECT", "value": $git_project }, - { "name": "GIT_BRANCH", "value": $git_branch }, - { "name": "GIT_COMMIT_AUTHOR", "value": $git_commit_author }, - { "name": "GIT_COMMIT_SHA", "value": $git_commit_sha } - ] - + ( ($extra | fromjson) // [] ) - ' - ) - - echo "[DEBUG] BUILD_ARGS_JSON = $BUILD_ARGS_JSON" - - # Transforme en lignes "KEY=VALUE" pour docker/build-push-action - BUILD_ARGS_LINES=$( - jq -r '.[] | "\(.name)=\(.value)"' <<< "$BUILD_ARGS_JSON" - ) - - echo "[DEBUG] BUILD_ARGS_LINES:" - printf '%s\n' "$BUILD_ARGS_LINES" - { echo "build-args<> "$GITHUB_OUTPUT" From 46abfa5abfc624cc204759f6c9d34b77fbaab674 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 16:20:37 +0100 Subject: [PATCH 020/121] Updated and refactored : - Added support for Dockles Ignore - Added support for Trivy Ignores - Optimized workflow by removing duplicated steps qs much as possible whilst keeping parallelization - Renamed a few steps for clarity --- .github/workflows/container-ci.yml | 170 +++++++++++++++++++---------- 1 file changed, 110 insertions(+), 60 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index f8d160c..02dc905 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml 
@@ -27,10 +27,39 @@ on: required: false default: '' type: string + dockle-ignore: + description: "Comma separated list of Dockle rule IDs to ignore" + required: false + default: 'CIS-DI-0001,DKL-DI-0006,DKL-LI-0001' + type: string + dockle-accept-file: + description: "Comma separated list of filenames to accept (Dockle accept-file)" + required: false + default: 'credentials.json' + type: string + dockle-accept-key: + description: "Comma separated list of keys to accept (Dockle accept-key)" + required: false + default: 'MYSQL_PASSWD' + type: string + trivy-ignore-vuln-ids: + description: | + List of vulnerability IDs (CVE-..., GHSA-..., AVD-...) to ignore in Trivy. + One per line (recommended) or comma-separated. + required: false + default: '' + type: string + trivy-ignore-license-ids: + description: | + List of license IDs to ignore in Trivy (ex: GPL-3.0-only, MIT, Apache-2.0 WITH LLVM-exception). + One per line (recommended) or comma-separated. + required: false + default: '' + type: string jobs: - hadolint: - name: Hadolint - Dockerfile Lint + dockerfile-lint: + name: Dockerfile Lint runs-on: ubuntu-latest steps: - name: Checkout code @@ -61,10 +90,10 @@ jobs: format: tty - build-image: - name: Buildx - Image Build + image-build: + name: Image Build runs-on: ubuntu-latest - needs: hadolint + needs: dockerfile-lint steps: - name: Checkout code uses: actions/checkout@v4 @@ -135,9 +164,9 @@ jobs: path: /tmp/container-image.${{github.run_id}}.tar - dockle: - name: Dockle - Image Scan - needs: build-image + image-audit: + name: Image Audit + needs: image-build runs-on: ubuntu-latest steps: - name: Download image tarball 
@@ -159,11 +188,11 @@ jobs: length: 7 - name: Build Dockle report - uses: erzz/dockle-action@v1.4.0 + uses: goodwithtech/dockle-action@0.4.15 with: image: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" - report-format: sarif - failure-threshold: fatal + format: sarif + output: 'dockle-report.sarif' exit-code: 0 - name: Upload Dockle report to GitHub Security tab @@ -176,13 +205,15 @@ jobs: uses: erzz/dockle-action@v1.4.0 with: image: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" - failure-threshold: fatal + failure-threshold: warn exit-code: 1 + ignore: ${{ inputs.dockle-ignore }} + accept-file: ${{ inputs.dockle-accept-file }} + accept-key: ${{ inputs.dockle-accept-key }} - - trivy-vulns: - name: Trivy - Vulnerability Scan - needs: build-image + image-scan: + name: Image Scan + needs: image-build runs-on: ubuntu-latest steps: - name: Download image tarball 
@@ -203,8 +234,45 @@ jobs: with: length: 7 + - name: Generate Trivy ignore file from inputs + env: + TRIVY_IGNORE_VULN_IDS: ${{ inputs.trivy-ignore-vuln-ids }} + TRIVY_IGNORE_LICENSE_IDS: ${{ inputs.trivy-ignore-license-ids }} + run: | + IGNORE_FILE="ci-trivy-ignore.txt" + echo "# Generated by reusable build workflow" > "$IGNORE_FILE" + + if [ -n "$TRIVY_IGNORE_VULN_IDS" ]; then + echo "" >> "$IGNORE_FILE" + echo "# Vulnerabilities" >> "$IGNORE_FILE" + printf '%s\n' "$TRIVY_IGNORE_VULN_IDS" | tr ',' '\n' >> "$IGNORE_FILE" + fi + + if [ -n "$TRIVY_IGNORE_LICENSE_IDS" ]; then + echo "" >> "$IGNORE_FILE" + echo "# Licenses" >> "$IGNORE_FILE" + printf '%s\n' "$TRIVY_IGNORE_LICENSE_IDS" | tr ',' '\n' >> "$IGNORE_FILE" + fi + + echo "[INFO] Generated $IGNORE_FILE:" + cat "$IGNORE_FILE" + + - name: Generate SBOM (SPDX JSON) + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'image' + image-ref: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" + format: 'spdx-json' + output: '_manifest/spdx_2.2/image-sbom.spdx.json' + exit-code: '0' + + - name: Submit SBOM to GitHub Dependency Graph + uses: advanced-security/spdx-dependency-submission-action@v0.1.1 + with: + filePath: "_manifest/spdx_2.2/" + - name: Build Trivy Vulnerability report - uses: aquasecurity/trivy-action@0.29.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" exit-code: '0' 
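Review bot: The two actions introduced here, `aquasecurity/trivy-action@0.33.1` and `advanced-security/spdx-dependency-submission-action@v0.1.1`, are pinned to mutable tags, as is the rest of the file; for a reusable workflow that every caller inherits, pinning third-party actions to a full commit SHA with the version in a trailing comment (`uses: aquasecurity/trivy-action@<commit-sha>  # 0.33.1`) is the usual supply-chain control. In the ignore-file step, `tr ',' '\n'` keeps whitespace around comma-separated IDs, so an input like `CVE-a, CVE-b` yields a line ` CVE-b`; I can't confirm from here whether Trivy trims such lines, so stripping it (`| tr -d ' '` after the `tr`) avoids the question. The generated file is also written with a plain `echo "# Generated by reusable build workflow"` header; stating there that it only affects the gating scans, not the SARIF reports, would document what the step layout implies.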
@@ -222,47 +290,8 @@ jobs: sarif_file: 'trivy-vuln-results.sarif' category: vulnerability - - name: Run Trivy Vulnerability scan - uses: aquasecurity/trivy-action@0.29.0 - # Overriding env vars from previous steps for them not to interfere with the scan - env: - TRIVY_FORMAT: 'table' - TRIVY_OUTPUT: '' - with: - image-ref: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" - exit-code: '1' - ignore-unfixed: true - scanners: 'vuln,secret' - vuln-type: 'os,library' - severity: 'CRITICAL' - format: 'table' - - - trivy-license: - name: Trivy - License scan - needs: build-image - runs-on: ubuntu-latest - steps: - - name: Download image tarball - uses: actions/download-artifact@v4 - with: - name: container-image.${{github.run_id}} - path: /tmp - - - name: Load image - run: | - echo "[INFO]: Importing container image from following tarball : $(ls -al /tmp/container-image.${{github.run_id}}.tar)" - docker load --input /tmp/container-image.${{github.run_id}}.tar - echo "[INFO]: The following images are now present in the local registry : $(docker image ls -a)" - - - name: Generate SHORT_SHA - id: short-sha - uses: benjlevesque/short-sha@v3.0 - with: - length: 7 - - name: Build Trivy License report - uses: aquasecurity/trivy-action@0.29.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" exit-code: '0' 
@@ -280,25 +309,46 @@ jobs: sarif_file: 'trivy-license-results.sarif' category: license + - name: Run Trivy Vulnerability scan + uses: aquasecurity/trivy-action@0.33.1 + # Overriding env vars from previous steps for them not to interfere with the scan + env: + TRIVY_FORMAT: 'table' + TRIVY_OUTPUT: '' + with: + image-ref: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" + skip-setup-trivy: true + exit-code: '1' + ignore-unfixed: true + scanners: 'vuln,secret' + vuln-type: 'os,library' + severity: 'CRITICAL' + format: 'table' + trivyignores: 'ci-trivy-ignore.txt' + - name: Run Trivy License scan - uses: aquasecurity/trivy-action@0.29.0 + uses: aquasecurity/trivy-action@0.33.1 # Overriding env vars from previous steps for them not to interfere with the scan env: TRIVY_FORMAT: 'table' TRIVY_OUTPUT: '' with: image-ref: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" + skip-setup-trivy: true exit-code: '1' ignore-unfixed: true scanners: 'license' vuln-type: 'os,library' severity: 'CRITICAL' format: 'table' + trivyignores: 'ci-trivy-ignore.txt' push-docker-image: - name: Docker - Image Push to GHCR - needs: [dockle, trivy-vulns, trivy-license] + name: Image Push to GHCR + needs: + - image-audit + - image-scan runs-on: ubuntu-24.04 steps: From 266a60f30c1573d83f1c66c481ff8ec0d4f79c39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 16:21:20 +0100 Subject: [PATCH 021/121] Updated defaults for a few params --- .github/workflows/container-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 02dc905..7cc42c4 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml 
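Review bot: `trivyignores: 'ci-trivy-ignore.txt'` feeds a generated list of bare IDs into both gating scans, so each suppression is permanent and carries no rationale; nothing records who added an ID or when it should be revisited. Trivy also accepts a YAML ignore file whose entries can carry a `statement` and an `expired_at` date (confirm for the version the pinned 0.33.1 action installs), which would let the generate step emit those fields so that stale ignores fail again on their own. A comment above the two `trivyignores:` lines, `# ignores apply to the gating scans only; the SARIF reports above are unfiltered`, would state the intent that the step ordering currently leaves implicit.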
@@ -30,17 +30,17 @@ on: dockle-ignore: description: "Comma separated list of Dockle rule IDs to ignore" required: false - default: 'CIS-DI-0001,DKL-DI-0006,DKL-LI-0001' + default: '' type: string dockle-accept-file: description: "Comma separated list of filenames to accept (Dockle accept-file)" required: false - default: 'credentials.json' + default: '' type: string dockle-accept-key: description: "Comma separated list of keys to accept (Dockle accept-key)" required: false - default: 'MYSQL_PASSWD' + default: '' type: string trivy-ignore-vuln-ids: description: | From 432467266c8f37d2a59c40cb3f4176d050498cc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 16:39:21 +0100 Subject: [PATCH 022/121] Fixed weog version definition and updated parameters --- .github/workflows/container-ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 7cc42c4..b317eb5 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -188,7 +188,7 @@ jobs: length: 7 - name: Build Dockle report - uses: goodwithtech/dockle-action@0.4.15 + uses: goodwithtech/dockle-action@v0.4.15 with: image: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" format: sarif @@ -202,7 +202,7 @@ jobs: category: code-quality - name: Run Dockle check - uses: erzz/dockle-action@v1.4.0 + uses: goodwithtech/dockle-action@v0.4.15 with: image: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" failure-threshold: warn 
@@ -263,13 +263,13 @@ jobs: scan-type: 'image' image-ref: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" format: 'spdx-json' - output: '_manifest/spdx_2.2/image-sbom.spdx.json' + output: 'image-sbom.spdx.json' exit-code: '0' - name: Submit SBOM to GitHub Dependency Graph uses: advanced-security/spdx-dependency-submission-action@v0.1.1 with: - filePath: "_manifest/spdx_2.2/" + filePath: 'image-sbom.spdx.json' - name: Build Trivy Vulnerability report uses: aquasecurity/trivy-action@0.33.1 From 008f2ca3e13f6817a1d2b3c02a41e50dbc420efd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 16:58:25 +0100 Subject: [PATCH 023/121] Refactored an bu,ped hadolint action version --- .github/workflows/container-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index b317eb5..2fc4c6e 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -8,7 +8,7 @@ on: required: false type: string default: "Dockerfile" - ignore_hadolint_rules: + hadolint-ignore: description: "Comma separated list of Hadolint rules to ignore (for scan only, will still be present in the generated report)" required: false default: '' @@ -82,10 +82,10 @@ jobs: category: linting - name: Run Hadolint scan - uses: hadolint/hadolint-action@v3.1.0 + uses: hadolint/hadolint-action@v3.3.0 with: dockerfile: ${{ inputs.dockerfile-path }} - ignore: ${{ inputs.ignore_hadolint_rules }} + ignore: ${{ inputs.hadolint-ignore }} failure-threshold: warning format: tty From 656aa019720630fccedd750def57fd2739ebdea6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 17:21:17 +0100 Subject: [PATCH 024/121] Added skip trivy init where it as needed --- .github/workflows/container-ci.yml | 2 ++ 1 file changed, 2 insertions(+) 
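Review bot: `filePath` now points at a single file, `image-sbom.spdx.json`, whereas the previous value was a directory; if `advanced-security/spdx-dependency-submission-action` treats `filePath` as a directory to search with its file pattern (which is how I read its inputs, but please confirm against the pinned v0.1.1), the submission finds nothing and the dependency graph silently stays empty. Writing the SBOM into a dedicated directory, e.g. `output: 'sbom/image-sbom.spdx.json'` and `filePath: 'sbom/'`, avoids the ambiguity either way. The surrounding job starts and ends outside the hunk.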
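Review bot: The input read on the `ignore:` line was renamed from `ignore_hadolint_rules` to `hadolint-ignore` in the same commit, which is a breaking change for every caller of this reusable workflow: GitHub flags an undeclared `with:` key on a `workflow_call` as a validation error, so existing pipelines fail until they are updated. Either keep the old name as a deprecated alias for one release or call the rename out in the README and a changelog entry. The bump to `hadolint/hadolint-action@v3.3.0` is again a mutable tag; a SHA pin with the version in a comment is the safer form for a shared workflow. The hadolint job continues outside the hunk.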
diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 2fc4c6e..359d16a 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -275,6 +275,7 @@ jobs: uses: aquasecurity/trivy-action@0.33.1 with: image-ref: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" + skip-setup-trivy: true exit-code: '0' ignore-unfixed: false scanners: 'vuln,secret' @@ -294,6 +295,7 @@ jobs: uses: aquasecurity/trivy-action@0.33.1 with: image-ref: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" + skip-setup-trivy: true exit-code: '0' ignore-unfixed: false scanners: 'license' From cfa0f8d050eb1a4d8bf4d7ada905a71d48e47d8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 17:26:43 +0100 Subject: [PATCH 025/121] Fixed wrong dockle parameter for scan --- .github/workflows/container-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 359d16a..1578d96 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -205,7 +205,7 @@ jobs: uses: goodwithtech/dockle-action@v0.4.15 with: image: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" - failure-threshold: warn + exit-level: warn exit-code: 1 ignore: ${{ inputs.dockle-ignore }} accept-file: ${{ inputs.dockle-accept-file }} From 43f918f313f0b62b62cf81df87feb2548fa9b8e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 17:30:48 +0100 Subject: [PATCH 026/121] Updated README --- README.md | 45 +++++++++++++++++++++------------------------ 1 file changed, 21 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 4fe5c78..0218b39 100644 --- a/README.md +++ b/README.md 
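Review bot: `skip-setup-trivy: true` makes these report steps assume a Trivy binary was installed earlier in the same job, and that setup step is not visible in this hunk; every job starts on a fresh runner, so if the setup lives in a different job than the one running these reports the step fails with a missing binary. Either keep one explicit setup step at the top of every job that scans, or leave the first Trivy step of each job with the default setup and skip only on the following ones. A one-line comment on the first skipping step, `# Trivy was installed by the setup step above; skip the re-download`, would make the dependency visible to the next editor. The job continues outside the hunk.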
@@ -46,15 +46,19 @@ You can use the [redcap-containers project CIs](https://github.com/aphp/redcap-c #### Inputs definition This workflow's inputs are as follows : -- `dockerfile-path`: - - description: "Path to Dockerfile of your project" - - required: false - - type: string - - default: "Dockerfile" -- `image-name`: - - description: "Image name, including tag" - - required: true - - type: string + +| Input name | Type | Required | Default | Description | +|---------------------------|--------|----------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------| +| `dockerfile-path` | string | no | `Dockerfile` | Path to the Dockerfile of your project. | +| `hadolint-ignore` | string | no | `""` | Comma-separated list of Hadolint rule IDs to ignore for the **scan** (they will still appear in the generated report). | +| `image-name` | string | yes | — | Image name, including registry and repository (e.g. `ghcr.io/org/image`). | +| `image-custom-tag` | string | no | `""` | Custom image tag to be added in addition to the default tags (e.g. `x86_64-ubuntu-24.04`). | +| `extra-build-args` | string | no | `""` | Extra Docker build arguments as `KEY=VALUE`, one per line, provided in a YAML scalar block. | +| `dockle-ignore` | string | no | `""` | Comma-separated list of Dockle rule IDs to ignore **for Dockle scan only** (reports remain complete). | +| `dockle-accept-file` | string | no | `""` | Comma-separated list of file names to accept in Dockle (`--accept-file`). | +| `dockle-accept-key` | string | no | `""` | Comma-separated list of keys to accept in Dockle (`--accept-key`). | +| `trivy-ignore-vuln-ids` | string | no | `""` | List of vulnerability IDs (e.g. `CVE-…`, `GHSA-…`, `AVD-…`) to ignore in **Trivy blocking scans only**. One per line or comma-separated. 
| +| `trivy-ignore-license-ids`| string | no | `""` | List of license IDs to ignore in **Trivy blocking scans only** (e.g. `GPL-3.0-only`, `MIT`). One per line or comma-separated. | #### Releases management @@ -114,21 +118,14 @@ To define a job that calls a reusable workflow, just read the [the corresponding #### Inputs definition This workflow's inputs are as follows : -- `chart-dir`: - - description: "Directory holding your Chart" - - required: true - - type: string - - default: "chart" -- `chart-values`: - - description: "Chart values file that will be used for the testing and scanning steps" - - required: false - - type: string - - default: "chart/values.yaml" -- `kubernetes-version`: - - description: "Version of the target Kubernetes cluster the Chart will run on" - - required: true - - type: string - - default: "1.24.2" + + +| Input name | Type | Required | Default | Description | +|----------------------|--------|----------|----------------------|---------------------------------------------------------------------------------------------------------| +| `chart-dir` | string | yes | `chart` | Directory containing your Helm chart (expects a `Chart.yaml` file inside this directory). | +| `chart-values` | string | no | `chart/values.yaml` | Values file used for testing and scanning steps (kubeconform, Polaris, Trivy, and `ct install`). | +| `kubernetes-version` | string | no | `1.24.2` | Target Kubernetes cluster version used for validation and security scans (kubeconform and Trivy). | + #### Releases management From a2d360e582b8b0efebf6d0fad293e4751280b7a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Tue, 2 Dec 2025 19:10:13 +0100 Subject: [PATCH 027/121] Made artifacts refere,ce unique --- .github/workflows/container-ci.yml | 48 ++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 15 deletions(-) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 1578d96..4bc8662 100644 
--- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -155,13 +155,13 @@ jobs: build-args: | ${{ steps.args.outputs.build-args }} push: false - outputs: type=docker,dest=/tmp/container-image.${{github.run_id}}.tar + outputs: type=docker,dest=/tmp/container.image.${{ hashFiles(inputs.dockerfile-path) }}.tar - name: Upload artifact uses: actions/upload-artifact@v4 with: - name: container-image.${{github.run_id}} - path: /tmp/container-image.${{github.run_id}}.tar + name: container.image.${{ hashFiles(inputs.dockerfile-path) }} + path: /tmp/container.image.${{ hashFiles(inputs.dockerfile-path) }}.tar image-audit: @@ -169,17 +169,23 @@ jobs: needs: image-build runs-on: ubuntu-latest steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Download image tarball uses: actions/download-artifact@v4 with: - name: container-image.${{github.run_id}} + name: container.image.${{ hashFiles(inputs.dockerfile-path) }} path: /tmp - name: Load image run: | - echo "[INFO]: Importing container image from following tarball : $(ls -al /tmp/container-image.${{github.run_id}}.tar)" - docker load --input /tmp/container-image.${{github.run_id}}.tar - echo "[INFO]: The following images are now present in the local registry : $(docker image ls -a)" + TARBALL="/tmp/container.image.${{ hashFiles(inputs.dockerfile-path) }}.tar" + echo "[INFO]: Importing container image from following tarball :" + ls -al "$TARBALL" + docker load --input "$TARBALL" + echo "[INFO]: The following images are now present in the local registry :" + docker image ls -a - name: Generate SHORT_SHA id: short-sha 
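Review bot: The artifact name is now `container.image.<hash of Dockerfile>`, which is unique per Dockerfile content rather than per image: two callers in the same workflow run that build from the same Dockerfile with different `extra-build-args` or `image-custom-tag` collide on the name, and `actions/upload-artifact@v4` rejects a duplicate artifact name within a run. Worse, `hashFiles` returns an empty string when the path matches nothing, producing `container.image..tar` without any error. A name derived from the inputs that actually distinguish the build (for example `inputs.image-name` with `/` and `:` replaced) or an explicit job output of `image-build` that the downstream jobs consume would be both unique and independent of workspace state. The build job starts outside the hunk.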
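Review bot: The added `actions/checkout@v4` step appears to exist only so that `hashFiles(inputs.dockerfile-path)` can be re-evaluated in this job (it yields `''` without the file in the workspace), and the same pattern is repeated in `image-scan` and the push job. Exporting the artifact name once as an output of `image-build` and reading `needs.image-build.outputs.<name>` here removes the extra checkouts and guarantees every job uses exactly the name the upload step used. If the checkout is also needed for a later step such as the `trivyignores` file, a comment saying so would stop the next reader from deleting it. Quoting `$TARBALL` in the load commands is a good improvement over the previous inline substitution. The job continues outside the hunk.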
@@ -216,17 +222,23 @@ jobs: needs: image-build runs-on: ubuntu-latest steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Download image tarball uses: actions/download-artifact@v4 with: - name: container-image.${{github.run_id}} + name: container.image.${{ hashFiles(inputs.dockerfile-path) }} path: /tmp - name: Load image run: | - echo "[INFO]: Importing container image from following tarball : $(ls -al /tmp/container-image.${{github.run_id}}.tar)" - docker load --input /tmp/container-image.${{github.run_id}}.tar - echo "[INFO]: The following images are now present in the local registry : $(docker image ls -a)" + TARBALL="/tmp/container.image.${{ hashFiles(inputs.dockerfile-path) }}.tar" + echo "[INFO]: Importing container image from following tarball :" + ls -al "$TARBALL" + docker load --input "$TARBALL" + echo "[INFO]: The following images are now present in the local registry :" + docker image ls -a - name: Generate SHORT_SHA id: short-sha @@ -354,17 +366,23 @@ jobs: runs-on: ubuntu-24.04 steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Download image tarball uses: actions/download-artifact@v4 with: - name: container-image.${{github.run_id}} + name: container.image.${{ hashFiles(inputs.dockerfile-path) }} path: /tmp - name: Load image run: | - echo "[INFO]: Importing container image from following tarball : $(ls -al /tmp/container-image.${{github.run_id}}.tar)" - docker load --input /tmp/container-image.${{github.run_id}}.tar - echo "[INFO]: The following images are now present in the local registry : $(docker image ls -a)" + TARBALL="/tmp/container.image.${{ hashFiles(inputs.dockerfile-path) }}.tar" + echo "[INFO]: Importing container image from following tarball :" + ls -al "$TARBALL" + docker load --input "$TARBALL" + echo "[INFO]: The following images are now present in the local registry :" + docker image ls -a - name: Login to GitHub Container Registry uses: docker/login-action@v3.3.0 
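Review bot: The push job gains the same checkout-plus-load sequence as the two scan jobs, so the `Load image` script now exists in three identical copies that must be kept in sync by hand; a composite action, or at least the artifact name passed as a job output, would collapse them to one. `hashFiles(inputs.dockerfile-path)` is recomputed from this job's own checkout, so the published tarball is whichever one matches the Dockerfile at this ref; that holds today but deserves a comment, e.g. `# Must match the artifact name chosen in image-build`. The job continues outside the hunk.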
From 360c205f49ee45fb69039ccd05e72364b8a9230f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?= Date: Thu, 4 Dec 2025 11:14:40 +0100 Subject: [PATCH 028/121] Updated docs --- README.md | 363 ++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 271 insertions(+), 92 deletions(-) diff --git a/README.md b/README.md index 0218b39..c114488 100644 --- a/README.md +++ b/README.md 
@@ -1,146 +1,325 @@ # APHP CI GitHub Reusable Workflows -This directory holds the GitHub reusable workflows that you can import in your own project's CIs. +This repository hosts a collection of **reusable GitHub Actions workflows** for AP‑HP projects. -## Container Images +The goal is to **centralize CI/CD best practices** (linting, security scans, packaging and publishing) so that each project can: -### Description +- reuse the same, opinionated workflows, +- get consistent quality and security checks, +- keep CI configuration as small as possible. -This component aims to provide with security and quality checks for container images, before pushing them on your project's GHCR (GitHub Container Registry). +Current workflows mainly target: -### Tools +- **Container images** (build, scan and push to GHCR), +- **Helm charts** (lint, test, secure, document and publish). -- Hadolint - - Dockerfile linting +--- -- Buildx - - Docker Image build +## Table of contents -- Dockle - - Docker Image scan for misconfigurations and ba patterns +- [Overview](#overview) +- [Available reusable workflows](#available-reusable-workflows) + - [Container Images workflow](#container-images-workflow) + - [Helm Charts workflow](#helm-charts-workflow) +- [How to call a reusable workflow](#how-to-call-a-reusable-workflow) +- [Branching, versions and environments](#branching-versions-and-environments) +- [Contributing](#contributing) +- [License](#license) -- Trivy - - Docker Image scan for vulnerabilities - - Docker Image scan for potential licensing issues +--- -- Docker - - Pushing Docker Image to the project's GHCR +## Overview -### Reports +All workflows are stored under: -All the tools used are generating SARIF reports that are uploaded to your Github project's dashboard. You can consult the reports entries of your project under the `Security` tab -> `Code scanning` category. +```text +.github/workflows/ +``` +You **do not copy** these YAML files into your own repositories. 
+Instead, your project **calls them as reusable workflows** using the `uses:` syntax described in the GitHub Actions documentation. -### Prerequisites +This repository is meant to be used across all AP‑HP GitHub projects that need a **standard CI pipeline** for: -This workflow should work out-of-the-box for public projects. Execution on private projects is not supported for now, and may require some additional steps to set the correct permissions for the workflow being able to push the image in your private GHCR. +- building and scanning Docker images, +- validating, scanning and releasing Helm charts. -### How to use +--- -#### Calling this workflow +## Available reusable workflows -To define a job that calls a reusable workflow, just read the [the corresponding documentation](https://docs.github.com/en/actions/sharing-automations/reusing-workflows#calling-a-reusable-workflow). +Below is an overview of the main families of workflows currently documented. -You can use the [redcap-containers project CIs](https://github.com/aphp/redcap-containers/tree/main/.github/workflows) as an example. +### Container Images workflow -#### Inputs definition +#### Description -This workflow's inputs are as follows : +Provides **security and quality checks** for container images before pushing them to your project’s **GitHub Container Registry (GHCR)**. -| Input name | Type | Required | Default | Description | -|---------------------------|--------|----------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------| -| `dockerfile-path` | string | no | `Dockerfile` | Path to the Dockerfile of your project. | -| `hadolint-ignore` | string | no | `""` | Comma-separated list of Hadolint rule IDs to ignore for the **scan** (they will still appear in the generated report). | -| `image-name` | string | yes | — | Image name, including registry and repository (e.g. 
`ghcr.io/org/image`). | -| `image-custom-tag` | string | no | `""` | Custom image tag to be added in addition to the default tags (e.g. `x86_64-ubuntu-24.04`). | -| `extra-build-args` | string | no | `""` | Extra Docker build arguments as `KEY=VALUE`, one per line, provided in a YAML scalar block. | -| `dockle-ignore` | string | no | `""` | Comma-separated list of Dockle rule IDs to ignore **for Dockle scan only** (reports remain complete). | -| `dockle-accept-file` | string | no | `""` | Comma-separated list of file names to accept in Dockle (`--accept-file`). | -| `dockle-accept-key` | string | no | `""` | Comma-separated list of keys to accept in Dockle (`--accept-key`). | -| `trivy-ignore-vuln-ids` | string | no | `""` | List of vulnerability IDs (e.g. `CVE-…`, `GHSA-…`, `AVD-…`) to ignore in **Trivy blocking scans only**. One per line or comma-separated. | -| `trivy-ignore-license-ids`| string | no | `""` | List of license IDs to ignore in **Trivy blocking scans only** (e.g. `GPL-3.0-only`, `MIT`). One per line or comma-separated. | +Typical use cases: -#### Releases management +- container images for applications (e.g. APIs, frontends, backends), +- base or runtime images (e.g. Jupyter EDS notebooks images), +- internal utilities or tools. -This workflow uses a blend of several actions and steps to handle the release process. +#### Tools -**This behavior could impact your lifecycle management practices, so be sure to read the lines below!** +The workflow chains several tools: -The releases will be handled as follow, whenever you decide to call this workflow (when tagging, pushing, etc.): -- At build, you image will be tagged and version according to the [Docker Metadata Action](https://github.com/marketplace/actions/docker-metadata-action) rules (`build-image::Buildx - Image Build` step). 
-- If the scanning steps ends successfully, your previously tagged image will be pushed in the GHCR repository of your project (`push-docker-image::Push Image to GitHub Container Registry` step). +- **Hadolint** + - Linting of `Dockerfile` (style, best practices, common pitfalls). +- **Buildx** + - Docker image build (supports advanced features like build kits, multi‑arch, extra build args…). +- **Dockle** + - Image scan for misconfigurations and bad patterns. +- **Trivy** + - Vulnerability scanning of images. + - License scanning of included dependencies. +- **Docker / GHCR** + - Push of validated images to your project’s GHCR repository. +#### Reports -## Helm Charts +All tools that support it produce **SARIF reports**, automatically uploaded to your repository: -### Description +- GitHub UI: `Security` tab → `Code scanning` section. +- You can browse findings by tool, severity, and impacted files. -This component aims to provide with security and quality checks for Helm charts, before pushing them a repository hosted in your project's Github Page that can be used as a Helm Repository. +#### Prerequisites -### Tools +- Works **out of the box for public repositories**. +- For **private repositories**, you may need to: + - adjust **Actions permissions** so the workflow can push to your private GHCR, + - ensure the workflow can **write packages** (GHCR). -- Linting (`lint-test` job) - - Helm ct-lint - - Kubeconform +> The exact permission model may depend on your organization policies; coordinate with your AP‑HP GitHub admins if needed. 
-- Security (`lint-test` job) - - Polaris - - Trivy +#### Inputs -- Documentation (`generate-doc` job) - - Helm Docs - - Helm Values Schema JSON +Inputs currently supported by the container images workflow: -- Publishing (`release` job) - - Helm chart-releaser +| Input | Type | Required | Default | Description | +|---------------------------:|:------:|:--------:|:------------------:|-------------| +| `dockerfile-path` | string | No | `Dockerfile` | Path to the Dockerfile of your project. | +| `hadolint-ignore` | string | No | `""` | Comma‑separated list of **Hadolint rule IDs** to ignore in **blocking** checks. Findings still appear in reports. | +| `image-name` | string | **Yes** | – | Full image name including registry and repository, e.g. `ghcr.io/aphp/my-service`. | +| `image-custom-tag` | string | No | `""` | Custom tag added **in addition** to automatically generated tags. Typical values: `x86_64-ubuntu-24.04`, `x86_64-ubuntu-24.04-dev`, `nightly`. | +| `extra-build-args` | string | No | `""` | Extra Docker build arguments, provided as `KEY=VALUE`. Usually passed as a multiline YAML scalar (one `KEY=VALUE` per line). | +| `dockle-ignore` | string | No | `""` | Comma‑separated list of **Dockle rule IDs** to ignore in **blocking** checks. | +| `dockle-accept-file` | string | No | `""` | Comma‑separated list of file names to accept in Dockle (`--accept-file`). | +| `dockle-accept-key` | string | No | `""` | Comma‑separated list of keys to accept in Dockle (`--accept-key`). | +| `trivy-ignore-vuln-ids` | string | No | `""` | List of vulnerability IDs (`CVE-…`, `GHSA-…`, `AVD-…`) to ignore for **blocking** Trivy checks. Can be comma‑separated or one per line. | +| `trivy-ignore-license-ids`| string | No | `""` | List of license identifiers (e.g. `GPL-3.0-only`, `MIT`) to ignore in **blocking** Trivy license checks. Can be comma‑separated or one per line. 
| -### Reports +Always refer to the workflow file in `.github/workflows/` for the most up‑to‑date list of inputs and defaults. -A few tools (only Trivy at this time) are generating SARIF reports that are uploaded to your Github project's dashboard. You can consult the reports entries of your project under the `Security` tab -> `Code scanning` category. +#### Release management -### Prerequisites +The workflow relies on a combination of actions and steps to handle **image tagging and publishing**: -If you want to publish your chart as an artefact in your Github project, and for it to be retrieved as a Chart by Helm, you must follow these steps : -- Create a branch names `gh-pages` in your repository -- Set this branch as the Github Page branch in the github project's page, under the `Settings` tab -> `Code and automation/Pages` category, `Branch` section -- Set the correct permissions for Github Actions, under the `Settings` tab -> `Actions/General` category : - - Set `Actions permissions` to `Allow all actions and reusable workflows` - - Set `Workflow permissions` to `Read and write permissions` -- Place your Helm Chart under a `charts` directory in the root of your repository, and push your changes +- During the build step, tags are computed according to **Docker Metadata Action** rules. +- If all scans pass successfully: + - the previously tagged image is pushed to your project’s GHCR repository. +This behavior directly impacts your **release and tagging strategy**; make sure to align it with your project’s lifecycle (branching model, tags, environments). -### How to use +--- -#### Calling this workflow +### Helm Charts workflow -To define a job that calls a reusable workflow, just read the [the corresponding documentation](https://docs.github.com/en/actions/sharing-automations/reusing-workflows#calling-a-reusable-workflow). 
+#### Description -#### Inputs definition +Provides **security and quality checks for Helm charts**, and automates **publishing** to a Helm repository hosted via your project’s GitHub Pages (`gh-pages` branch). -This workflow's inputs are as follows : +Typical use cases: +- Helm charts for applications like **HELIX**, **REDCap**, etc., +- any Kubernetes deployment managed via Helm within AP‑HP projects. -| Input name | Type | Required | Default | Description | -|----------------------|--------|----------|----------------------|---------------------------------------------------------------------------------------------------------| -| `chart-dir` | string | yes | `chart` | Directory containing your Helm chart (expects a `Chart.yaml` file inside this directory). | -| `chart-values` | string | no | `chart/values.yaml` | Values file used for testing and scanning steps (kubeconform, Polaris, Trivy, and `ct install`). | -| `kubernetes-version` | string | no | `1.24.2` | Target Kubernetes cluster version used for validation and security scans (kubeconform and Trivy). | +#### Tools +The Helm charts workflow is organized by job: -#### Releases management +- **Linting (`lint-test` job)** + - `ct lint` (Helm chart-testing), + - `kubeconform` (Kubernetes manifest validation against schemas). -This workflow uses [the Helm Cr Action](https://github.com/marketplace/actions/helm-chart-releaser) to release charts. +- **Security (`lint-test` job)** + - **Polaris** (configuration and security best practices), + - **Trivy** (vulnerability scanning on rendered manifests). -**This behavior could impact your lifecycle management practices, so be sure to read the lines below!** +- **Documentation (`generate-doc` job)** + - **helm-docs** (README / values documentation from chart), + - **Values schema JSON** generation (for validation and tooling). 
-The releases will be handled as follow : +- **Publishing (`release` job)** + - **helm/chart-releaser** to package charts and update the Helm index. -- `dev` branch : - - Update the Chart version Chart.yaml with the `-dev` suffix (`helm-chart-releaser::Add release suffix - DEV` step) - - Create the tag with the Chart version (`helm-chart-releaser::Run chart-releaser - DEV` step) - - Create the Release with the dev Chart archive as package (`helm-chart-releaser::Run chart-releaser - DEV` step) - - Update the `index.yaml` file in the `gh-page` branch of your repo to include the reference to the new dev Chart (`helm-chart-releaser::Run chart-releaser - DEV` step) -- `main` branch : - - Create the tag with the Chart version (`helm-chart-releaser::Run chart-releaser - MAIN` step) - - Create the Release with the Chart archive as package, and mark this release as `latest` (`helm-chart-releaser::Run chart-releaser - MAIN` step) - - Update the `index.yaml` file in the `gh-page` branch of your repo to include the reference to the new Chart (`helm-chart-releaser::Run chart-releaser - MAIN` step) \ No newline at end of file +#### Reports + +Some tools (currently **Trivy**) generate **SARIF reports**, uploaded to: + +- `Security` tab → `Code scanning`. + +This allows you to track vulnerabilities and security issues directly in GitHub. + +#### Prerequisites + +To be able to **publish charts** and use the repository as a **Helm repository**, ensure: + +1. A branch named `gh-pages` exists in your repository. +2. In your repository **Settings**: + - `Code and automation / Pages` → `Branch`: select `gh-pages`. +3. In **Settings → Actions → General**: + - `Actions permissions`: set to **Allow all actions and reusable workflows**. + - `Workflow permissions`: set to **Read and write permissions**. +4. Your chart lives under a `charts` directory at the repository root: + + ```text + charts/ + mychart/ + Chart.yaml + values.yaml + templates/... 
+ ``` + +#### Inputs + +Inputs currently supported by the Helm charts workflow: + +| Input | Type | Required | Default | Description | +|--------------------:|:------:|:--------:|:---------------------:|-------------| +| `chart-dir` | string | **Yes** | `chart` | Directory containing your Helm chart (must contain a `Chart.yaml`). | +| `chart-values` | string | No | `chart/values.yaml` | Values file used for `kubeconform`, Polaris, Trivy and `ct install` tests. | +| `kubernetes-version`| string| No | `1.24.2` | Target Kubernetes version used by kubeconform and Trivy for validations and scans. | + +Again, always check the workflow file in `.github/workflows/` for the authoritative list of inputs. + +#### Release management + +Chart releases are handled via the **Helm CR action**, with behavior depending on the branch: + +- On **`dev` branch**: + - Chart version in `Chart.yaml` is suffixed with `-dev`, + - A Git tag is created with this dev version, + - A **Release** is created containing the dev chart archive, + - `index.yaml` in the `gh-pages` branch is updated to reference the new **dev** chart. + +- On **`main` branch**: + - A Git tag is created with the chart version from `Chart.yaml`, + - A **Release** is created with the chart archive, marked as **latest**, + - `index.yaml` in `gh-pages` is updated to reference the new **stable** chart. + +This gives you a standard separation between **dev** and **stable** releases for Helm charts. + +--- + +## How to call a reusable workflow + +To use one of these workflows from another repository: + +1. Create a workflow file in your project, e.g.: + + ```text + .github/workflows/container-ci.yml + ``` + +2. 
In that file, define a job that **uses** one of the workflows from this repo: + + ```yaml + name: Container CI + + on: + push: + branches: [ main, dev ] + pull_request: + + jobs: + container-ci: + uses: aphp/ci-workflows/.github/workflows/.yml@dev + with: + image-name: ghcr.io/aphp/my-service + dockerfile-path: Dockerfile + image-custom-tag: x86_64-ubuntu-24.04 + ``` + +3. For Helm charts, a similar pattern applies: + + ```yaml + name: Helm Chart CI + + on: + push: + branches: [ main, dev ] + pull_request: + + jobs: + helm-ci: + uses: aphp/ci-workflows/.github/workflows/.yml@dev + with: + chart-dir: charts/mychart + chart-values: charts/mychart/values.yaml + kubernetes-version: "1.24.2" + ``` + +> Replace `.yml` and `.yml` with the actual filenames from this repository’s `.github/workflows` directory. + +For a concrete example of usage, you can refer to a project CI configuration that calls these workflows (e.g. container image or Helm chart repositories within the AP‑HP GitHub organization). + +--- + +## Branching, versions and environments + +This repository is versioned like any other Git repository: + +- **Branches** such as `dev` or `main` represent the maturity of workflows. +- In your consuming projects, you should: + - Prefer **tags** (once defined) for stable usage, e.g. `@v1`, + - Use the `dev` branch (`@dev`) when experimenting or adopting new features early. + +Examples: + +- Stable usage (recommended when available): + + ```yaml + uses: aphp/ci-workflows/.github/workflows/.yml@v1 + ``` + +- Development usage (bleeding edge): + + ```yaml + uses: aphp/ci-workflows/.github/workflows/.yml@dev + ``` + +Coordinate with the AP‑HP CI maintainers to know which refs are recommended for production usage. + +--- + +## Contributing + +Contributions, bug reports and improvement ideas are welcome. + +- See [`CONTRIBUTING.md`](CONTRIBUTING.md) for: + - coding standards, + - how to run tests/linters locally, + - the release workflow for this repository. 
+- Use **GitHub Issues** to: + - report problems with existing workflows, + - request new reusable workflows, + - ask for documentation improvements. + +Before opening a pull request: + +1. Check there is an existing issue (or open a new one) describing the change. +2. Update or add documentation for new inputs/behavior. +3. Run relevant tests or dry‑runs for the workflows you modify. + +--- + +## License + +This project is licensed under the **Apache License 2.0**. + +- See [`LICENSE`](LICENSE) for details. + +By contributing to this repository, you agree that your contributions will be licensed under the same terms. From 90052d6ae077b71f834cb3086f42f11e83362b39 Mon Sep 17 00:00:00 2001 From: Lajus Date: Fri, 5 Dec 2025 17:02:14 +0100 Subject: [PATCH 029/121] Cheese dockle by running it from binary --- .github/workflows/container-ci.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml index 4bc8662..c81d908 100644 --- a/.github/workflows/container-ci.yml +++ b/.github/workflows/container-ci.yml @@ -207,6 +207,17 @@ jobs: sarif_file: 'dockle-report.sarif' category: code-quality + - name: Download & Run Dockle + run: | + curl -sSL "https://github.com/goodwithtech/dockle/releases/download/v0.4.15/dockle_0.4.15_Linux-386.tar.gz" -o dockle.tar.gz + tar -xzf dockle.tar.gz + sudo mv dockle /usr/local/bin/dockle + + dockle \ + --exit-code 1 \ + --format json \ + "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}" + - name: Run Dockle check uses: goodwithtech/dockle-action@v0.4.15 with: From 47b7bd128be72319b9ba5f6132305893175c934c Mon Sep 17 00:00:00 2001 From: Lajus Date: Mon, 8 Dec 2025 13:11:11 +0100 Subject: [PATCH 030/121] Clean dockle step and add argument handleling --- .github/workflows/container-ci.yml | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) 
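Review bot: The `Download & Run Dockle` step fetches a tarball over the network and installs it with `sudo mv` without verifying a checksum or signature, so a replaced or compromised release asset becomes root-installed code in the pipeline that gates image publication. Pin the expected SHA-256 of the asset and check it before extracting (dockle's releases ship a checksums file to copy it from, as far as I can tell), and prefer the 64-bit build over `Linux-386` on an x86_64 runner (the asset is named `Linux-64bit` in dockle's release naming, if memory serves). The `Run Dockle check` action step is still present below, so dockle now runs twice per job with different flags; a later commit on this page removes the action step, but this commit leaves the two inconsistent. The audit job continues outside the hunk.
```yaml
      - name: Download Dockle
        env:
          DOCKLE_VERSION: "0.4.15"
          # sha256 of dockle_<version>_Linux-64bit.tar.gz, copied from the release checksums file
          DOCKLE_SHA256: "<expected sha256>"
        run: |
          set -euo pipefail
          curl -sSLf "https://github.com/goodwithtech/dockle/releases/download/v${DOCKLE_VERSION}/dockle_${DOCKLE_VERSION}_Linux-64bit.tar.gz" -o dockle.tar.gz
          echo "${DOCKLE_SHA256}  dockle.tar.gz" | sha256sum -c -
          tar -xzf dockle.tar.gz dockle
          sudo install -m 0755 dockle /usr/local/bin/dockle
      # … unchanged: dockle invocation …
```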
diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml
index c81d908..1cb930b 100644
--- a/.github/workflows/container-ci.yml
+++ b/.github/workflows/container-ci.yml
@@ -207,26 +207,27 @@ jobs:
 sarif_file: 'dockle-report.sarif'
 category: code-quality
- - name: Download & Run Dockle
+ - name: Download Dockle
 run: |
 curl -sSL "https://github.com/goodwithtech/dockle/releases/download/v0.4.15/dockle_0.4.15_Linux-386.tar.gz" -o dockle.tar.gz
 tar -xzf dockle.tar.gz
 sudo mv dockle /usr/local/bin/dockle
+ - name: Run dockle
+ run: |
+ dockle_keys_formater(){ IFS=', ' read -r -a keys_list <<< "$VALUES" && \
+ formated_keys="" && \
+ for key in ${keys_list[@]}; do formated_keys="${formated_keys} $ARG $key" ; done && \
+ echo "$formated_keys " ;}
+
 dockle \
- --exit-code 1 \
- --format json \
- "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}"
+ $(VALUES="${{ inputs.dockle-accept-key }}" ARG="--accept-key" dockle_keys_formater) \
+ $(VALUES="${{ inputs.dockle-accept-file }}" ARG="--accept-file" dockle_keys_formater) \
+ $(VALUES="${{ inputs.dockle-ignore }}" ARG="--ignore" dockle_keys_formater) \
+ --exit-code 1 \
+ --format json \
+ "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}"
- - name: Run Dockle check
- uses: goodwithtech/dockle-action@v0.4.15
- with:
- image: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}"
- exit-level: warn
- exit-code: 1
- ignore: ${{ inputs.dockle-ignore }}
- accept-file: ${{ inputs.dockle-accept-file }}
- accept-key: ${{ inputs.dockle-accept-key }}
 image-scan:
 name: Image Scan
From 0a5ddd4f3f3b67dedd1a58a42fe27d18efafca27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Mon, 8 Dec 2025 16:09:25 +0100
Subject: [PATCH 031/121] Fix tentative when building chart depedencies -> ignoring oci repositories
---
 .github/workflows/chart-ci.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
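Review bot: The new `Run dockle` step interpolates `${{ inputs.dockle-accept-key }}`, `${{ inputs.dockle-accept-file }}` and `${{ inputs.dockle-ignore }}` directly into the shell script; expression expansion happens before bash parses the script, so a value containing quotes or `$(…)` supplied by a calling workflow is executed as code on the runner instead of being passed as data (the removed `dockle-action` `with:` inputs did not have this exposure). Pass the inputs through `env:` and reference the shell variables, which leaves the `dockle_keys_formater` helper untouched; `${{ inputs.image-name }}` on the final line has the same exposure. While the step is new, `dockle_keys_formater` and `formated_keys` are misspelled (formatter/formatted).
```yaml
- name: Run dockle
  env:
    DOCKLE_ACCEPT_KEY: ${{ inputs.dockle-accept-key }}
    DOCKLE_ACCEPT_FILE: ${{ inputs.dockle-accept-file }}
    DOCKLE_IGNORE: ${{ inputs.dockle-ignore }}
    IMAGE_REF: "${{ inputs.image-name }}:sha-${{ steps.short-sha.outputs.sha }}"
  run: |
    # … unchanged: dockle_keys_formater definition …

    dockle \
      $(VALUES="$DOCKLE_ACCEPT_KEY" ARG="--accept-key" dockle_keys_formater) \
      $(VALUES="$DOCKLE_ACCEPT_FILE" ARG="--accept-file" dockle_keys_formater) \
      $(VALUES="$DOCKLE_IGNORE" ARG="--ignore" dockle_keys_formater) \
      --exit-code 1 \
      --format json \
      "$IMAGE_REF"
```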
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 4795b30..f44fb2a 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -294,10 +294,14 @@ jobs:
 - name: Extract and add Helm repositories
 run: |
- yq eval '.dependencies[] | "\(.name) \(.repository)"' ${{ inputs.chart-dir }}/Chart.yaml | \
- while read -r name repo; do
- helm repo add "$name" "$repo"
- done
+ yq eval -r '
+ .dependencies[]
+ | select(.repository != "oci://*")
+ | "\(.name) \(.repository)"
+ ' Chart.yaml \
+ | while read -r name repo; do
+ helm repo add "$name" "$repo"
+ done
 helm repo update
 ### Release steps specific to `dev` branch ###
From cf77e3687ff62b50f5448963478085017eec96f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Mon, 8 Dec 2025 16:12:30 +0100
Subject: [PATCH 032/121] Added fix at frst step too
---
 .github/workflows/chart-ci.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index f44fb2a..87186e6 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -36,10 +36,14 @@ jobs:
 - name: Extract and add Helm repositories
 run: |
- yq eval '.dependencies[] | "\(.name) \(.repository)"' ${{ inputs.chart-dir }}/Chart.yaml | \
- while read -r name repo; do
- helm repo add "$name" "$repo"
- done
+ yq eval -r '
+ .dependencies[]
+ | select(.repository != "oci://*")
+ | "\(.name) \(.repository)"
+ ' Chart.yaml \
+ | while read -r name repo; do
+ helm repo add "$name" "$repo"
+ done
 helm repo update
 - name: Install chart dependencies
From f35c40912d2bd0d9667259e62b65978bab3334c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Mon, 8 Dec 2025 16:14:24 +0100
Subject: [PATCH 033/121] Added back missing chart dir as param
---
 .github/workflows/chart-ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
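Review bot: `select(.repository != "oci://*")` in the new yq expression is a plain string inequality, not a glob, so it only drops a dependency whose repository is literally `oci://*`; every real `oci://…` repository still reaches `helm repo add`, which is exactly the failure the commit message says it wants to avoid. Use a prefix test instead: `| select(.repository | test("^oci://") | not)`. The same line is added a second time in patch 032 (the second hunk on this line) and re-introduced in patch 047, so all three occurrences need the change. A dependency without a `repository` key (a local chart) would also pass through with an empty second field, so a guard such as `| select(.repository != null)` ahead of the test keeps `helm repo add` from being called with an empty URL.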
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 87186e6..67368ff 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -40,7 +40,7 @@ jobs:
 .dependencies[]
 | select(.repository != "oci://*")
 | "\(.name) \(.repository)"
- ' Chart.yaml \
+ ' "${{ inputs.chart-dir }}/Chart.yaml" \
 | while read -r name repo; do
 helm repo add "$name" "$repo"
 done
@@ -302,7 +302,7 @@ jobs:
 .dependencies[]
 | select(.repository != "oci://*")
 | "\(.name) \(.repository)"
- ' Chart.yaml \
+ ' "${{ inputs.chart-dir }}/Chart.yaml" \
 | while read -r name repo; do
 helm repo add "$name" "$repo"
 done
From 0324743c753f2aec1c00c28ce0187ef8ef676191 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20ZGRZENDEK?=
Date: Mon, 8 Dec 2025 17:10:34 +0100
Subject: [PATCH 034/121] Doc update : calling workflows
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index c114488..35fdd2a 100644
--- a/README.md
+++ b/README.md
@@ -234,6 +234,10 @@ To use one of these workflows from another repository:
 branches: [ main, dev ]
 pull_request:
+ permissions:
+ contents: write
+ security-events: write
+
 jobs:
 container-ci:
 uses: aphp/ci-workflows/.github/workflows/.yml@dev
@@ -253,6 +257,10 @@ To use one of these workflows from another repository:
 branches: [ main, dev ]
 pull_request:
+ permissions:
+ contents: write
+ security-events: write
+
 jobs:
 helm-ci:
 uses: aphp/ci-workflows/.github/workflows/.yml@dev
From 2e9a41ba191916a89fd5162ccab1fe0401faa688 Mon Sep 17 00:00:00 2001
From: Nicolas-Delahaye
Date: Wed, 25 Feb 2026 16:57:55 +0100
Subject: [PATCH 035/121] Change release suffix condition for dev branch
---
 .github/workflows/chart-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 67368ff..0c5cc2c 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -310,7 +310,7 @@ jobs:
 ### Release steps specific to `dev` branch ###
 - name: Add release suffix - DEV
- if: github.ref == 'refs/heads/dev'
+ if: github.ref != 'refs/heads/main'
 run: |
 VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \
 yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
From d4d116b5abd5cbc9e7c8792d0d14d239aa85335d Mon Sep 17 00:00:00 2001
From: Nicolas-Delahaye
Date: Wed, 25 Feb 2026 16:58:42 +0100
Subject: [PATCH 036/121] Change condition for running chart-releaser on branches
---
 .github/workflows/chart-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 0c5cc2c..1d87772 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -316,7 +316,7 @@ jobs:
 yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
 - name: Run chart-releaser - DEV
- if: github.ref == 'refs/heads/dev'
+ if: github.ref != 'refs/heads/main'
 uses: helm/chart-releaser-action@v1.7.0
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
From fb01c0f230bc758212bb56d7aca12cc54d34434a Mon Sep 17 00:00:00 2001
From: Nicolas-Delahaye
Date: Wed, 25 Feb 2026 17:45:28 +0100
Subject: [PATCH 037/121] Add release steps for feature branch in CI workflow
---
 .github/workflows/chart-ci.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 1d87772..b98ecd8 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -308,6 +308,22 @@ jobs:
 done
 helm repo update
+ ### Release steps specific to `feature` branch ###
+ - name: Add release suffix - SNAPSHOT
+ if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev'
+ run: |
+ VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \
+ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
+
+ - name: Run chart-releaser - SNAPSHOT
+ if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev'
+ uses: helm/chart-releaser-action@v1.7.0
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ with:
+ skip_existing: false
+ mark_as_latest: false
+
 ### Release steps specific to `dev` branch ###
 - name: Add release suffix - DEV
 if: github.ref != 'refs/heads/main'
@@ -316,7 +332,7 @@ jobs:
 yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
 - name: Run chart-releaser - DEV
- if: github.ref != 'refs/heads/main'
+ if: github.ref == 'refs/heads/dev'
 uses: helm/chart-releaser-action@v1.7.0
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
From 4f33d07a62485390d35cf5dd1dba51b99250c71b Mon Sep 17 00:00:00 2001
From: 7066189
Date: Wed, 25 Feb 2026 19:30:33 +0100
Subject: [PATCH 038/121] add skip
---
 .github/workflows/chart-ci.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index b98ecd8..14cf4d1 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
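Review bot: The condition `github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev'` on the two new SNAPSHOT steps is true for every ref that is not one of those two branches, which includes tag pushes and the `refs/pull/N/merge` ref of `pull_request` runs; the README usage documented at the top of this page triggers on `pull_request`, so a PR build would rewrite `Chart.yaml` and invoke chart-releaser with `CR_TOKEN`, presumably failing on fork PRs where the token is read-only and otherwise publishing a snapshot from an unreviewed branch. Restrict the gate to branch pushes: `if: github.event_name == 'push' && startsWith(github.ref, 'refs/heads/') && github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev'`. The `!= 'refs/heads/main'` gate on the `DEV or SNAPSHOT` releaser added in patch 049 has the same gap. Whether `chart-ci.yml` constrains its own `on:` triggers is outside this hunk; if it does, disregard.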
@@ -281,9 +281,9 @@ jobs:
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055
- git fetch --tags
- latest_tag=$(git tag --sort=-creatordate | head -n 1 || true)
- echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"
+ # git fetch --tags
+ # latest_tag=$(git tag --sort=-creatordate | head -n 1 || true)
+ # echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"
 - name: Download packaged Chart
 uses: actions/download-artifact@v4
@@ -321,18 +321,18 @@ jobs:
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 with:
- skip_existing: false
+ skip_existing: true
 mark_as_latest: false
 ### Release steps specific to `dev` branch ###
 - name: Add release suffix - DEV
- if: github.ref != 'refs/heads/main'
+ if: github.ref == 'refs/heads/dev'
 run: |
 VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \
 yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
 - name: Run chart-releaser - DEV
- if: github.ref == 'refs/heads/dev'
+
 uses: helm/chart-releaser-action@v1.7.0
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
From 342928ddfdbed1ab246fe46ce282e48fa6a1b7a6 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 08:36:38 +0100
Subject: [PATCH 039/121] Comment on repository OCI definition
---
 .github/workflows/chart-ci.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 14cf4d1..d837c23 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -38,7 +38,7 @@ jobs:
 run: |
 yq eval -r '
 .dependencies[]
- | select(.repository != "oci://*")
+# | select(.repository != "oci://*")
 | "\(.name) \(.repository)"
 ' "${{ inputs.chart-dir }}/Chart.yaml" \
 | while read -r name repo; do
@@ -281,9 +281,9 @@ jobs:
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055
- # git fetch --tags
- # latest_tag=$(git tag --sort=-creatordate | head -n 1 || true)
- # echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"
+ git fetch --tags
+ latest_tag=$(git tag --sort=-creatordate | head -n 1 || true)
+ echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"
 - name: Download packaged Chart
 uses: actions/download-artifact@v4
@@ -300,7 +300,7 @@ jobs:
 run: |
 yq eval -r '
 .dependencies[]
- | select(.repository != "oci://*")
+# | select(.repository != "oci://*")
 | "\(.name) \(.repository)"
 ' "${{ inputs.chart-dir }}/Chart.yaml" \
 | while read -r name repo; do
@@ -332,7 +332,7 @@ jobs:
 yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
 - name: Run chart-releaser - DEV
-
+ if: github.ref == 'refs/heads/dev'
 uses: helm/chart-releaser-action@v1.7.0
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
From 61a5456239edf5f7613039101f410987e249488b Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 08:38:03 +0100
Subject: [PATCH 040/121] fix CI
---
 .github/workflows/chart-ci.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index d837c23..a993b32 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -38,7 +38,6 @@ jobs:
 run: |
 yq eval -r '
 .dependencies[]
-# | select(.repository != "oci://*")
 | "\(.name) \(.repository)"
 ' "${{ inputs.chart-dir }}/Chart.yaml" \
 | while read -r name repo; do
@@ -300,7 +299,6 @@ jobs:
 run: |
 yq eval -r '
 .dependencies[]
-# | select(.repository != "oci://*")
 | "\(.name) \(.repository)"
 ' "${{ inputs.chart-dir }}/Chart.yaml" \
 | while read -r name repo; do
From 09ff792f29bf4c93774335bedfc12ce45e32722d Mon Sep 17 00:00:00 2001
From: Nicolas-Delahaye
Date: Thu, 26 Feb 2026 09:05:09 +0100
Subject: [PATCH 041/121] Clarify release types and update workflow references
Updated README to clarify release management and workflow usage.
---
 README.md | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 35fdd2a..1630024 100644
--- a/README.md
+++ b/README.md
@@ -199,6 +199,12 @@ Again, always check the workflow file in `.github/workflows/` for the authoritat
 Chart releases are handled via the **Helm CR action**, with behavior depending on the branch:
+- On **`feature` branch**:
+ - Chart version in `Chart.yaml` is suffixed with `-snapshot`,
+ - A Git tag is created with this snapshot version,
+ - A **Release** is created containing the snapshot chart archive,
+ - `index.yaml` in the `gh-pages` branch is updated to reference the new **snapshot** chart.
+
 - On **`dev` branch**:
 - Chart version in `Chart.yaml` is suffixed with `-dev`,
 - A Git tag is created with this dev version,
@@ -210,7 +216,7 @@ Chart releases are handled via the **Helm CR action**, with behavior depending o
 - A **Release** is created with the chart archive, marked as **latest**,
 - `index.yaml` in `gh-pages` is updated to reference the new **stable** chart.
-This gives you a standard separation between **dev** and **stable** releases for Helm charts.
+This gives you a standard separation between **snapshot**,**dev** and **stable** releases for Helm charts.
 ---
@@ -240,7 +246,7 @@ To use one of these workflows from another repository:
 jobs:
 container-ci:
- uses: aphp/ci-workflows/.github/workflows/.yml@dev
+ uses: aphp/ci-workflows/.github/workflows/.yml@main
 with:
 image-name: ghcr.io/aphp/my-service
 dockerfile-path: Dockerfile
@@ -263,7 +269,7 @@ To use one of these workflows from another repository:
 jobs:
 helm-ci:
- uses: aphp/ci-workflows/.github/workflows/.yml@dev
+ uses: aphp/ci-workflows/.github/workflows/.yml@main
 with:
 chart-dir: charts/mychart
 chart-values: charts/mychart/values.yaml
@@ -280,11 +286,13 @@ For a concrete example of usage, you can refer to a project CI configuration tha
 This repository is versioned like any other Git repository:
-- **Branches** such as `dev` or `main` represent the maturity of workflows.
+- **Branches** such as `feature`, `dev` or `main` represent the maturity of workflows.
 - In your consuming projects, you should:
 - Prefer **tags** (once defined) for stable usage, e.g. `@v1`,
 - Use the `dev` branch (`@dev`) when experimenting or adopting new features early. + +*note: `feature` name is the name of your branch created from Issue.* + + Examples: + - Stable usage (recommended when available):
From 4eb213b7b5b067370e832ac4aaa361d37ee25c9b Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 09:30:06 +0100
Subject: [PATCH 042/121] update rules
---
 .github/workflows/ci.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1d41bc8..074eb4e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,4 +25,11 @@ jobs:
 - uses: actions/checkout@v4
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3.1.1
-
\ No newline at end of file
+ config_data: |
+ extends: default
+ rules:
+ trailing-spaces:
+ level: warning
+ line-length: disable # don't bother me with this rule
+ comments-indentation: disable # don't bother me with this rule
+
\ No newline at end of file
From 8039424274183395b56d49dd687e2530be1c62a5 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 09:33:00 +0100
Subject: [PATCH 043/121] Fix config on CI Linter
---
 .github/workflows/ci.yml | 15 ++++++++------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 074eb4e..3eac9f3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,11 +25,12 @@ jobs:
 - uses: actions/checkout@v4
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3.1.1
- config_data: |
- extends: default
- rules:
- trailing-spaces:
- level: warning
- line-length: disable # don't bother me with this rule
- comments-indentation: disable # don't bother me with this rule
+ with:
+ config_data: |
+ extends: default
+ rules:
+ trailing-spaces:
+ level: warning
+ line-length: disable # don't bother me with this rule
+ comments-indentation: disable # don't bother me with this rule
 
\ No newline at end of file
From 531a718d881c702dce5d04ea544668cef3dfd7d3 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 09:40:41 +0100
Subject: [PATCH 044/121] fix Yaml Linter error
---
 .github/workflows/chart-ci.yml | 3 +-
 .github/workflows/ci.yml | 18 +++++++++---------
 .github/workflows/container-ci.yml | 7 +++----
 3 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index a993b32..3b9c528 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -1,3 +1,4 @@
+---
 name: Chart CI
 on:
@@ -19,7 +20,6 @@ on:
 type: string
 default: "1.24.2"
-
 jobs:
 helm-build-chart:
 runs-on: ubuntu-latest
@@ -132,7 +132,6 @@ jobs:
 --strict \
 --summary
-
 polaris:
 name: Polaris - Chart Scan
 needs: helm-ct-lint
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3eac9f3..6af7326 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,3 +1,4 @@
+---
 name: CI
 # Controls when the workflow will run
@@ -7,7 +8,7 @@ on:
 branches-ignore:
 - "main"
 pull_request:
- branches: [ "main", "dev" ]
+ branches: ["main","dev"]
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
@@ -26,11 +27,10 @@ jobs:
 - name: yaml-lint
 uses: ibiqlik/action-yamllint@v3.1.1
 with:
- config_data: |
- extends: default
- rules:
- trailing-spaces:
- level: warning
- line-length: disable # don't bother me with this rule
- comments-indentation: disable # don't bother me with this rule
-
\ No newline at end of file
+ config_data: |
+ extends: default
+ rules:
+ trailing-spaces:
+ level: warning
+ line-length: disable # don't bother me with this rule
+ comments-indentation: disable # don't bother me with this rule
\ No newline at end of file
diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml
index 1cb930b..7f890cf 100644
--- a/.github/workflows/container-ci.yml
+++ b/.github/workflows/container-ci.yml
@@ -1,3 +1,4 @@
+---
 name: build
 on:
@@ -369,14 +370,12 @@ jobs:
 format: 'table'
 trivyignores: 'ci-trivy-ignore.txt'
-
 push-docker-image:
 name: Image Push to GHCR
 needs:
- - image-audit
- - image-scan
+ - image-audit
+ - image-scan
 runs-on: ubuntu-24.04
-
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
From f0a1de0ee9463026749039dddb5fa9e364f5c7fb Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 09:42:29 +0100
Subject: [PATCH 045/121] Fix Linter Errors
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6af7326..263834c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,7 +8,7 @@ on:
 branches-ignore:
 - "main"
 pull_request:
- branches: ["main","dev"]
+ branches: [ "main","dev" ]
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
@@ -33,4 +33,4 @@ jobs:
 trailing-spaces:
 level: warning
 line-length: disable # don't bother me with this rule
- comments-indentation: disable # don't bother me with this rule
\ No newline at end of file
+ comments-indentation: disable # don't bother me with this rule
From 685e910f5c992729f2ac4171acec575b6e1d7460 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 09:43:55 +0100
Subject: [PATCH 046/121] Fix : Error: ub/workflows/ci.yml:11:16: [error] too many spaces inside brackets (brackets) Error: ub/workflows/ci.yml:11:24: [error] too few spaces after comma (commas) Error: ub/workflows/ci.yml:11:29: [error] too many spaces inside brackets (brackets)
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 263834c..75a32aa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,7 +8,7 @@ on:
 branches-ignore:
 - "main"
 pull_request:
- branches: [ "main","dev" ]
+ branches: ["main", "dev"]
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
From 6c23585a761c519dbb9745d59a121ba964102497 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 12:13:51 +0100
Subject: [PATCH 047/121] add exclusion OCI helm repository
---
 .github/workflows/chart-ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 3b9c528..f7f476f 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -38,6 +38,7 @@ jobs:
 run: |
 yq eval -r '
 .dependencies[]
+ | select(.repository != "oci://*")
 | "\(.name) \(.repository)"
 ' "${{ inputs.chart-dir }}/Chart.yaml" \
 | while read -r name repo; do
@@ -298,6 +299,7 @@ jobs:
 run: |
 yq eval -r '
 .dependencies[]
+ | select(.repository != "oci://*")
 | "\(.name) \(.repository)"
 ' "${{ inputs.chart-dir }}/Chart.yaml" \
 | while read -r name repo; do
From 60d508b0a3b162a758d540deb35df23282311aa3 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 12:24:45 +0100
Subject: [PATCH 048/121] refactoring + set path
---
 .github/workflows/chart-ci.yml | 24 +++--------------------
 1 file changed, 3 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index f7f476f..c44b0a1 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -314,15 +314,6 @@ jobs:
 VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \
 yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
- - name: Run chart-releaser - SNAPSHOT
- if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev'
- uses: helm/chart-releaser-action@v1.7.0
- env:
- CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- with:
- skip_existing: true
- mark_as_latest: false
-
 ### Release steps specific to `dev` branch ###
 - name: Add release suffix - DEV
 if: github.ref == 'refs/heads/dev'
@@ -330,21 +321,12 @@ jobs:
 VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \
 yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
- - name: Run chart-releaser - DEV
- if: github.ref == 'refs/heads/dev'
- uses: helm/chart-releaser-action@v1.7.0
- env:
- CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- with:
- skip_existing: true
- mark_as_latest: false
-
- ### Release steps specific to `main` branch ###
- - name: Run chart-releaser - MAIN
- if: github.ref == 'refs/heads/main'
+ ### Release steps
+ - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.7.0
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 with:
 skip_existing: true
 mark_as_latest: true
+ charts_dir: ${{ inputs.chart-dir }}
From 0b90f3a48f273a1a7f740d335acae2cb695ebb2f Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 13:35:32 +0100
Subject: [PATCH 049/121] rebuild DEV / SNAPSHOT every time called
---
 .github/workflows/chart-ci.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index c44b0a1..2a59892 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
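Review bot: `charts_dir: ${{ inputs.chart-dir }}` on the new `Run chart-releaser` step hands chart-releaser the chart's own directory, whereas as far as I know that input names the parent directory chart-releaser scans for chart subdirectories; with the `charts/mychart` value shown in the README example it would look for `charts/mychart/*/Chart.yaml` and find nothing to release. If `chart-dir` is indeed the chart directory and not its parent (the input's description is outside this view), derive the parent in a preceding step, e.g. `echo "charts_parent=$(dirname "${{ inputs.chart-dir }}")" >> "$GITHUB_OUTPUT"`, and pass that output to `charts_dir`. Dropping the `if:` along with the `- MAIN` suffix also lets this step run on every ref with `mark_as_latest: true`; patch 049 restores a `main` guard, so that only affects this intermediate commit.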
@@ -321,8 +321,20 @@ jobs:
 VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \
 yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
+
+ - name: Run chart-releaser - DEV or SNAPSHOT
+ if: github.ref != 'refs/heads/main'
+ uses: helm/chart-releaser-action@v1.7.0
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ with:
+ skip_existing: false
+ mark_as_latest: false
+ charts_dir: ${{ inputs.chart-dir }}
+
 ### Release steps
 - name: Run chart-releaser
+ if: github.ref == 'refs/heads/main'
 uses: helm/chart-releaser-action@v1.7.0
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
From 23af23759e85f7665dfc8c87761a22cc42a90f63 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 13:58:53 +0100
Subject: [PATCH 050/121] fix chart release that not update index.yaml
---
 .github/workflows/chart-ci.yml | 46 +++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 2a59892..83f0111 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -31,8 +31,8 @@ jobs:
 - name: Install Helm
 uses: azure/setup-helm@v4.3.1
- with:
- version: v3.14.4
+# with:
+# version: v3.14.4
 - name: Extract and add Helm repositories
 run: |
@@ -51,13 +51,13 @@ jobs:
 helm dependency build ${{ inputs.chart-dir }}
 - name: Generate values schema json
- uses: losisin/helm-values-schema-json-action@v1.5.3
+ uses: losisin/helm-values-schema-json-action@v2.4.1
 with:
 input: ${{ inputs.chart-dir }}/values.yaml
 output: ${{ inputs.chart-dir }}/values.schema.json
 - name: Helm-docs
- uses: losisin/helm-docs-github-action@v1.3.3
+ uses: losisin/helm-docs-github-action@v1.7.1
 with:
 chart-search-root: ${{ inputs.chart-dir }}
 values-file: ${{ inputs.chart-dir }}/values.yaml
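Review bot: Commenting out `with: version: v3.14.4` under `azure/setup-helm@v4.3.1` in the build job makes it install whichever Helm release is current at run time, so the chart is built and packaged with a toolchain that changes underneath the workflow and two runs of the same commit are no longer reproducible. If the pin was dropped because that version is no longer served, pin to a current one rather than floating, and delete the two `#`-prefixed lines instead of leaving dead configuration behind. As of this commit the other jobs still carry `version: v3.14.4` (visible as context in later hunks), so build and test would now run different Helm versions.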
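Review bot: The bumped `losisin/helm-values-schema-json-action@v2.4.1` and `losisin/helm-docs-github-action@v1.7.1` references, like every other `uses:` in this workflow, are mutable tags, so a retagged release silently changes the code that rewrites files in the chart tree during the build. For third-party actions, pin to the full commit SHA and keep the tag in a trailing comment so Dependabot/Renovate can still track updates: `uses: losisin/helm-values-schema-json-action@<COMMIT_SHA_PLACEHOLDER> # v2.4.1`. The v1→v2 major bump of the schema action may also have changed its input contract; the `input`/`output` pair is only reworked in patch 052, so confirm v2.4.1 accepts them as written here.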
@@ -65,8 +65,29 @@ jobs:
 template-files: ${{ inputs.chart-dir }}/README.md.gotpl
 sort-values-order: file
+
+####
+
+ ### Release steps specific to `feature` branch ###
+ - name: Add release suffix - SNAPSHOT
+ if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev'
+ run: |
+ VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \
+ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
+
+ ### Release steps specific to `dev` branch ###
+ - name: Add release suffix - DEV
+ if: github.ref == 'refs/heads/dev'
+ run: |
+ VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \
+ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
+
+####
+
+
+
 - name: Upload packaged Chart
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v6
 with:
 name: packaged-chart
 path: ${{ inputs.chart-dir }}
@@ -307,21 +328,6 @@ jobs:
 done
 helm repo update
- ### Release steps specific to `feature` branch ###
- - name: Add release suffix - SNAPSHOT
- if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev'
- run: |
- VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \
- yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
-
- ### Release steps specific to `dev` branch ###
- - name: Add release suffix - DEV
- if: github.ref == 'refs/heads/dev'
- run: |
- VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \
- yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml
-
-
 - name: Run chart-releaser - DEV or SNAPSHOT
 if: github.ref != 'refs/heads/main'
 uses: helm/chart-releaser-action@v1.7.0
From d93948f68a0f37c091b6dec39e9192d41c81059b Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 14:00:18 +0100
Subject: [PATCH 051/121] fix yaml lint errors
---
 .github/workflows/chart-ci.yml | 4 ----
 1 file changed, 4 deletions(-)
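Review bot: The two `####` separator comments added around the relocated suffix steps sit at column 0 inside the `steps:` list and the block is padded with up to three consecutive blank lines, which reads as leftover scaffolding rather than documentation and only passes lint because `comments-indentation` is disabled in `ci.yml`. Replace them with a single step-indented comment that states the reason the steps were moved here, which appears to be that the suffix must land in `Chart.yaml` before `Upload packaged Chart` so the artifact consumed by the downstream jobs already carries the released version, e.g. `# Apply the -snapshot/-dev version suffix before packaging so every downstream job sees the released version`, and drop the extra blank lines. Patch 051 removes some of the blank lines but keeps the `####` markers.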
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 83f0111..1618eb2 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -64,8 +64,6 @@ jobs:
 output-file: ${{ inputs.chart-dir }}/README.md
 template-files: ${{ inputs.chart-dir }}/README.md.gotpl
 sort-values-order: file
-
-
 ####
 ### Release steps specific to `feature` branch ###
@@ -84,8 +82,6 @@ jobs:
 ####
-
-
 - name: Upload packaged Chart
 uses: actions/upload-artifact@v6
 with:
From 9be46b500ae467ce38b58ecf820d47b2e42c4d85 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Thu, 26 Feb 2026 14:13:54 +0100
Subject: [PATCH 052/121] refactor
---
 .github/workflows/chart-ci.yml | 130 +++++++++++++++++----------------
 1 file changed, 68 insertions(+), 62 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 1618eb2..3bb3327 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -31,8 +31,12 @@ jobs:
 - name: Install Helm
 uses: azure/setup-helm@v4.3.1
-# with:
-# version: v3.14.4
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ # - name: Install Helm
+ # uses: azure/setup-helm@v4.3.1
+ # with:
+ # version: v3.14.4
 - name: Extract and add Helm repositories
 run: |
@@ -53,8 +57,9 @@ jobs:
 - name: Generate values schema json
 uses: losisin/helm-values-schema-json-action@v2.4.1
 with:
- input: ${{ inputs.chart-dir }}/values.yaml
- output: ${{ inputs.chart-dir }}/values.schema.json
+ working-directory: ${{ inputs.chart-dir }}
+ input: values.yaml
+ output: values.schema.json
 - name: Helm-docs
 uses: losisin/helm-docs-github-action@v1.7.1
@@ -96,19 +101,20 @@ jobs:
 runs-on: ubuntu-latest
 needs: helm-build-chart
 steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Download packaged Chart
- uses: actions/download-artifact@v4
- with:
- name: packaged-chart
- path: ${{ inputs.chart-dir }}
+ # - name: Checkout
+ # uses: actions/checkout@v4
+ # with:
+ # fetch-depth: 0
- - name: Set up Helm
- uses: azure/setup-helm@v4.3.1
+ # - name: Download packaged Chart
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: packaged-chart
+ # path: ${{ inputs.chart-dir }}
+
+ # - name: Set up Helm
+ # uses: azure/setup-helm@v4.3.1
 - name: Set up chart-testing
 uses: helm/chart-testing-action@v2.6.1
@@ -125,16 +131,16 @@ jobs:
 needs: helm-ct-lint
 runs-on: ubuntu-latest
 steps:
- - name: Download packaged Chart
- uses: actions/download-artifact@v4
- with:
- name: packaged-chart
- path: ${{ inputs.chart-dir }}
+ # - name: Download packaged Chart
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: packaged-chart
+ # path: ${{ inputs.chart-dir }}
- - name: Set up Helm
- uses: azure/setup-helm@v4.3.1
- with:
- version: v3.14.4
+ # - name: Set up Helm
+ # uses: azure/setup-helm@v4.3.1
+ # with:
+ # version: v3.14.4
 - name: Setup Helm plugins
 run: |
@@ -155,11 +161,11 @@ jobs:
 needs: helm-ct-lint
 runs-on: ubuntu-latest
 steps:
- - name: Download packaged Chart
- uses: actions/download-artifact@v4
- with:
- name: packaged-chart
- path: ${{ inputs.chart-dir }}
+ # - name: Download packaged Chart
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: packaged-chart
+ # path: ${{ inputs.chart-dir }}
 - name: Setup Polaris
 run: |
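Review bot: Commenting out `Checkout`, `Download packaged Chart` and `Set up Helm` in `helm-ct-lint` leaves that job with no repository content and no chart on disk when `Set up chart-testing` and the lint that follows it run, so the job can only fail or lint nothing; the same removal is made for the polaris and trivy jobs in this line's later hunks, for `helm-ct-test` and the release job (whose `Configure Git` and `git fetch --tags` would then run outside any checkout) on the next line, and for the release job's artifact download on the line after that. Patch 053 restores the three steps for `helm-ct-lint` only, as far as this view shows. If the goal was to stop re-downloading the artifact in every job, the steps should be deleted or replaced rather than left as commented blocks, and each remaining job still needs at least the artifact download.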
@@ -193,11 +199,11 @@ jobs:
 needs: helm-ct-lint
 runs-on: ubuntu-latest
 steps:
- - name: Download packaged Chart
- uses: actions/download-artifact@v4
- with:
- name: packaged-chart
- path: ${{ inputs.chart-dir }}
+ # - name: Download packaged Chart
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: packaged-chart
+ # path: ${{ inputs.chart-dir }}
 - name: Build Trivy Vulnerability report
 uses: aquasecurity/trivy-action@0.29.0
@@ -239,24 +245,24 @@ jobs:
 - polaris
 - trivy
 steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
+ # - name: Checkout
+ # uses: actions/checkout@v4
+ # with:
+ # fetch-depth: 0
- - name: Download packaged Chart
- uses: actions/download-artifact@v4
- with:
- name: packaged-chart
- path: ${{ inputs.chart-dir }}
+ # - name: Download packaged Chart
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: packaged-chart
+ # path: ${{ inputs.chart-dir }}
- - name: Set up Helm
- uses: azure/setup-helm@v4.3.1
- with:
- version: v3.14.4
+ # - name: Set up Helm
+ # uses: azure/setup-helm@v4.3.1
+ # with:
+ # version: v3.14.4
- - name: Set up chart-testing
- uses: helm/chart-testing-action@v2.6.1
+ # - name: Set up chart-testing
+ # uses: helm/chart-testing-action@v2.6.1
 - name: Run chart-testing (list-changed)
 id: list-changed
@@ -286,10 +292,10 @@ jobs:
 permissions:
 contents: write
 steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
+ # - name: Checkout
+ # uses: actions/checkout@v4
+ # with:
+ # fetch-depth: 0
 - name: Configure Git
 run: |
@@ -301,16 +307,16 @@ jobs: latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} + # - name: Download packaged Chart + # uses: actions/download-artifact@v4 + # with: + # name: packaged-chart + # path: ${{ inputs.chart-dir }} - - name: Install Helm - uses: azure/setup-helm@v4.3.1 - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # - name: Install Helm + # uses: azure/setup-helm@v4.3.1 + # env: + # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - name: Extract and add Helm repositories run: | From 9404755c336856901d75bc7fbe28aafd9043c292 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 14:29:51 +0100 Subject: [PATCH 053/121] update version of tools used by the workflow --- .github/workflows/chart-ci.yml | 154 +++++++++++++++------------------ 1 file changed, 68 insertions(+), 86 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 3bb3327..be6bc89 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -31,12 +31,6 @@ jobs: - name: Install Helm uses: azure/setup-helm@v4.3.1 - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # - name: Install Helm - # uses: azure/setup-helm@v4.3.1 - # with: - # version: v3.14.4 - name: Extract and add Helm repositories run: | 
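Review bot: This commit removes the `env: GITHUB_TOKEN` block from the `Install Helm` step near the top of the file but re-enables the identical `env:` block on the releaser job's `Install Helm` step in the `@@ -307,16 +275,16 @@` hunk, so the two `azure/setup-helm@v4.3.1` invocations end up configured differently for no stated reason. As far as I know the action takes its token through a `token` input that defaults to `github.token` rather than through an environment variable, so the `env:` block is likely inert either way; confirm against the action's action.yml and then either drop it from both steps or pass `with: token: ${{ secrets.GITHUB_TOKEN }}` explicitly in both. The commit message ("update version of tools") does not mention this token change at all.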
@@ -69,23 +63,6 @@ jobs: output-file: ${{ inputs.chart-dir }}/README.md template-files: ${{ inputs.chart-dir }}/README.md.gotpl sort-values-order: file -#### - - ### Release steps specific to `feature` branch ### - - name: Add release suffix - SNAPSHOT - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - run: | - VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - ### Release steps specific to `dev` branch ### - - name: Add release suffix - DEV - if: github.ref == 'refs/heads/dev' - run: | - VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - -#### - name: Upload packaged Chart uses: actions/upload-artifact@v6 @@ -95,26 +72,24 @@ jobs: if-no-files-found: error retention-days: 1 - helm-ct-lint: name: Helm CT - Chart Linting runs-on: ubuntu-latest needs: helm-build-chart steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 - # - name: Checkout - # uses: actions/checkout@v4 - # with: - # fetch-depth: 0 - - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - # - name: Set up Helm - # uses: azure/setup-helm@v4.3.1 + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 - name: Set up chart-testing uses: helm/chart-testing-action@v2.6.1 
@@ -131,16 +106,14 @@ jobs: needs: helm-ct-lint runs-on: ubuntu-latest steps: - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - # - name: Set up Helm - # uses: azure/setup-helm@v4.3.1 - # with: - # version: v3.14.4 + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 - name: Setup Helm plugins run: | @@ -161,11 +134,11 @@ jobs: needs: helm-ct-lint runs-on: ubuntu-latest steps: - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - name: Setup Polaris run: | @@ -193,17 +166,16 @@ jobs: --format=pretty \ --color=true - trivy: name: Trivy - Chart Vulnerability Scan needs: helm-ct-lint runs-on: ubuntu-latest steps: - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - name: Build Trivy Vulnerability report uses: aquasecurity/trivy-action@0.29.0 @@ -236,7 +208,6 @@ jobs: ignore-unfixed: true severity: 'CRITICAL' - helm-ct-test: name: Helm CT - Chart Testing runs-on: ubuntu-latest 
@@ -245,24 +216,22 @@ jobs: - polaris - trivy steps: - # - name: Checkout - # uses: actions/checkout@v4 - # with: - # fetch-depth: 0 + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - # - name: Set up Helm - # uses: azure/setup-helm@v4.3.1 - # with: - # version: v3.14.4 + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 - # - name: Set up chart-testing - # uses: helm/chart-testing-action@v2.6.1 + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.6.1 - name: Run chart-testing (list-changed) id: list-changed @@ -284,7 +253,6 @@ jobs: --chart-dirs ${{ inputs.chart-dir }} \ --helm-extra-args "-f ${{ inputs.chart-values }}" - helm-chart-releaser: needs: helm-ct-test name: Helm CR - Chart Release @@ -292,10 +260,10 @@ jobs: permissions: contents: write steps: - # - name: Checkout - # uses: actions/checkout@v4 - # with: - # fetch-depth: 0 + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Configure Git run: | @@ -307,16 +275,16 @@ jobs: latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - # - name: Install Helm - # uses: azure/setup-helm@v4.3.1 - # env: - # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + - name: Install Helm + uses: azure/setup-helm@v4.3.1 + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - name: Extract and add Helm repositories run: | 
@@ -330,6 +298,20 @@ jobs: done helm repo update + ### Release steps specific to `feature` branch ### + - name: Add release suffix - SNAPSHOT + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + run: | + VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + ### Release steps specific to `dev` branch ### + - name: Add release suffix - DEV + if: github.ref == 'refs/heads/dev' + run: | + VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + - name: Run chart-releaser - DEV or SNAPSHOT if: github.ref != 'refs/heads/main' uses: helm/chart-releaser-action@v1.7.0 From 8780a1a56ff4139561f78e2650763d1089a311b7 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 14:39:27 +0100 Subject: [PATCH 054/121] add checkout --- .github/workflows/chart-ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index be6bc89..164e283 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -100,12 +100,14 @@ jobs: --target-branch ${{ github.event.repository.default_branch }} \ --chart-dirs ${{ inputs.chart-dir }} - kubeconform: name: Kubeconform - Chart Validation needs: helm-ct-lint runs-on: ubuntu-latest steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Download packaged Chart uses: actions/download-artifact@v4 with: From af45ebcf9b927ee83ddcc7251d43d70c785c1459 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 14:51:41 +0100 Subject: [PATCH 055/121] set the version of helm (same in all steps) --- .github/workflows/chart-ci.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 164e283..04e8168 100644 
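Review bot: The two `Add release suffix` steps added here are identical apart from the `-snapshot.` / `-dev.` prefix, and their `if:` conditions partition the non-main refs, so one step that picks the prefix from `github.ref` (for example `PREFIX=$([ "${{ github.ref }}" = 'refs/heads/dev' ] && echo dev || echo snapshot)` before the existing `VERSION_SUFFIX=...` line) would avoid maintaining the `yq` invocation twice. In both steps `${{ inputs.chart-dir }}/Chart.yaml` is interpolated unquoted into the shell; the `Extract and add Helm repositories` step in this same job quotes it as `"${{ inputs.chart-dir }}/Chart.yaml"`, and the suffix steps should do the same so a chart-dir containing spaces or shell metacharacters cannot break or alter the command.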
--- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -31,6 +31,8 @@ jobs: - name: Install Helm uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 - name: Extract and add Helm repositories run: | @@ -65,7 +67,7 @@ jobs: sort-values-order: file - name: Upload packaged Chart - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@v4 with: name: packaged-chart path: ${{ inputs.chart-dir }} @@ -90,6 +92,8 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 - name: Set up chart-testing uses: helm/chart-testing-action@v2.6.1 @@ -116,6 +120,8 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 - name: Setup Helm plugins run: | @@ -231,6 +237,8 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 - name: Set up chart-testing uses: helm/chart-testing-action@v2.6.1 @@ -287,6 +295,8 @@ jobs: uses: azure/setup-helm@v4.3.1 env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + version: v3.14.4 - name: Extract and add Helm repositories run: | @@ -306,6 +316,7 @@ jobs: run: | VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + cat ${{ inputs.chart-dir }}/Chart.yaml | grep $VERSION_SUFFIX ### Release steps specific to `dev` branch ### - name: Add release suffix - DEV From 0b7ced69db112e26045f067a08ecfd53274c2446 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 15:02:36 +0100 Subject: [PATCH 056/121] Log more info for the name of the version --- .github/workflows/chart-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 04e8168..c90d670 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
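Review bot: The downgrade of `actions/upload-artifact` from v6 to v4 in the `@@ -65,7 +67,7 @@` hunk is unrelated to the commit's stated purpose (pinning the Helm version) and is not explained anywhere in the file. If it is meant to match the `actions/download-artifact@v4` steps used elsewhere in this workflow, a one-line comment above the step such as `# keep in sync with download-artifact@v4 in the consuming jobs` would stop someone from bumping it again independently.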
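Review bot: In the `@@ -306,6 +316,7 @@` hunk, `cat ${{ inputs.chart-dir }}/Chart.yaml | grep $VERSION_SUFFIX` runs with no pattern: the `VERSION_SUFFIX="..." \` on the preceding lines is a per-command environment assignment scoped to the `yq` invocation only, so the variable is unset on the new line and `grep` gets no argument, which is a usage error that fails the step. If the goal is to log the resulting version, read it back directly, `yq '.version' "${{ inputs.chart-dir }}/Chart.yaml"`, or `export` the variable before using it in a second command.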
@@ -316,7 +316,7 @@ jobs: run: | VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - cat ${{ inputs.chart-dir }}/Chart.yaml | grep $VERSION_SUFFIX + cat ${{ inputs.chart-dir }}/Chart.yaml ### Release steps specific to `dev` branch ### - name: Add release suffix - DEV From d315eafd94c22cd81a177f25786edccb5551d198 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 15:36:36 +0100 Subject: [PATCH 057/121] Update config for chart-Releaser --- .github/workflows/chart-ci.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index c90d670..2ea20c4 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -316,7 +316,6 @@ jobs: run: | VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - cat ${{ inputs.chart-dir }}/Chart.yaml ### Release steps specific to `dev` branch ### - name: Add release suffix - DEV @@ -333,7 +332,6 @@ jobs: with: skip_existing: false mark_as_latest: false - charts_dir: ${{ inputs.chart-dir }} ### Release steps - name: Run chart-releaser @@ -344,4 +342,3 @@ jobs: with: skip_existing: true mark_as_latest: true - charts_dir: ${{ inputs.chart-dir }} From 3a88519f07f319e8147d2bfac8f61bb1136760d8 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 15:48:28 +0100 Subject: [PATCH 058/121] skip upload if it is already made --- .github/workflows/chart-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 2ea20c4..32e9ec7 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -330,7 +330,7 @@ jobs: env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: - skip_existing: false + skip_existing: true mark_as_latest: false ### Release steps 
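Review bot: Dropping `charts_dir: ${{ inputs.chart-dir }}` from both chart-releaser steps in the `@@ -333,7 +332,6 @@` and `@@ -344,4 +342,3 @@` hunks makes the action fall back to its built-in default charts directory (`charts`, as far as I know), while every other step in this job reads and rewrites `${{ inputs.chart-dir }}/Chart.yaml`; a caller whose chart-dir is not under that default will get a release that packages nothing or the wrong chart. If the input was removed because `chart-dir` names the chart itself whereas `charts_dir` expects the directory that contains charts, say so in a comment above the step and consider a dedicated `charts-dir` workflow input rather than relying silently on the default.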
From 21e7387e664850880acd7cc7f9289a5ca07daa99 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 16:05:22 +0100 Subject: [PATCH 059/121] remove download --- .github/workflows/chart-ci.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 32e9ec7..7ddb02b 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -285,12 +285,6 @@ jobs: latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - name: Install Helm uses: azure/setup-helm@v4.3.1 env: From dcba3aa395451d29374529bb7b128843fc52d51c Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 16:11:40 +0100 Subject: [PATCH 060/121] try without upload / download at each job the chart --- .github/workflows/chart-ci.yml | 38 ---------------------------------- 1 file changed, 38 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 7ddb02b..917ca99 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -66,14 +66,6 @@ jobs: template-files: ${{ inputs.chart-dir }}/README.md.gotpl sort-values-order: file - - name: Upload packaged Chart - uses: actions/upload-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - if-no-files-found: error - retention-days: 1 - helm-ct-lint: name: Helm CT - Chart Linting runs-on: ubuntu-latest @@ -84,12 +76,6 @@ jobs: with: fetch-depth: 0 - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - name: Set up Helm uses: azure/setup-helm@v4.3.1 with: 
@@ -112,12 +98,6 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - name: Set up Helm uses: azure/setup-helm@v4.3.1 with: @@ -142,12 +122,6 @@ jobs: needs: helm-ct-lint runs-on: ubuntu-latest steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - name: Setup Polaris run: | mkdir -p .local/bin @@ -179,12 +153,6 @@ jobs: needs: helm-ct-lint runs-on: ubuntu-latest steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - name: Build Trivy Vulnerability report uses: aquasecurity/trivy-action@0.29.0 env: @@ -229,12 +197,6 @@ jobs: with: fetch-depth: 0 - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - name: Set up Helm uses: azure/setup-helm@v4.3.1 with: From d9ba7c274a25795865942cb2163cddc6db0900b0 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 16:21:28 +0100 Subject: [PATCH 061/121] Need source for Polaris Scan --- .github/workflows/chart-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 917ca99..af459b5 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -122,6 +122,9 @@ jobs: needs: helm-ct-lint runs-on: ubuntu-latest steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Setup Polaris run: | mkdir -p .local/bin From dbf17b5c8a2b90362403bd05b3e68e1c27cc5f4e Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 17:00:35 +0100 Subject: [PATCH 062/121] Delete release before create it again --- .github/workflows/chart-ci.yml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index af459b5..05d5dba 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -54,7 +54,6 @@ jobs: uses: losisin/helm-values-schema-json-action@v2.4.1 with: working-directory: ${{ inputs.chart-dir }} - input: values.yaml output: values.schema.json - name: Helm-docs @@ -276,6 +275,27 @@ jobs: VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + - name: Delete existing snapshot release + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + CHART_VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + RELEASE_TAG="helix-${CHART_VERSION}" + + echo "Deleting release and tag: $RELEASE_TAG (if exists)" + gh release delete "$RELEASE_TAG" --yes --cleanup-tag || true + + - name: Release charts + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + uses: helm/chart-releaser-action@v1.7.0 + with: + skip_existing: false # ← important, no risk + mark_as_latest: false + charts_dir: charts + env: + CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} + ### Release steps specific to `dev` branch ### - name: Add release suffix - DEV if: github.ref == 'refs/heads/dev' From e96af7779f01028efc5308853f7399df195119db Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 17:17:29 +0100 Subject: [PATCH 063/121] skip if existe --- .github/workflows/chart-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 05d5dba..4206447 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
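Review bot: The new `Delete existing snapshot release` step hard-codes the chart name in `RELEASE_TAG="helix-${CHART_VERSION}"`, while the rest of this reusable workflow takes the chart from `inputs.chart-dir`; derive it from the same file, `CHART_NAME=$(yq '.name' "${{ inputs.chart-dir }}/Chart.yaml")` and `RELEASE_TAG="${CHART_NAME}-${CHART_VERSION}"`. The following `Release charts` step likewise passes the literal `charts_dir: charts` instead of the input used everywhere else. `gh release delete ... --cleanup-tag || true` is a destructive operation whose failures (missing permission, wrong tag name) are silently discarded, and the next step then runs with `skip_existing: false`, so a failed delete surfaces only as an opaque release error; capturing the exit status and logging it would make that diagnosable. The inline comment `# ← important, no risk` says the opposite of what the `--cleanup-tag` step above implies and should explain the actual reasoning.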
@@ -290,7 +290,7 @@ jobs: if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' uses: helm/chart-releaser-action@v1.7.0 with: - skip_existing: false # ← important, no risk + skip_existing: true mark_as_latest: false charts_dir: charts env: From 83492dfb99b59d7239ea593650f277fcf1f93ca3 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 18:20:21 +0100 Subject: [PATCH 064/121] from main --- .github/workflows/chart-ci.yml | 97 +++++++++++++++++++++------------- 1 file changed, 60 insertions(+), 37 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 4206447..a0d2f1d 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -20,6 +20,7 @@ on: type: string default: "1.24.2" + jobs: helm-build-chart: runs-on: ubuntu-latest @@ -65,6 +66,21 @@ jobs: template-files: ${{ inputs.chart-dir }}/README.md.gotpl sort-values-order: file + - name: Add release suffix - DEV + if: github.ref != 'refs/heads/main' + run: | + VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + - name: Upload packaged Chart + uses: actions/upload-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + if-no-files-found: error + retention-days: 1 + + helm-ct-lint: name: Helm CT - Chart Linting runs-on: ubuntu-latest @@ -75,6 +91,12 @@ jobs: with: fetch-depth: 0 + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + - name: Set up Helm uses: azure/setup-helm@v4.3.1 with: 
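Review bot: After this commit the version suffix is applied twice on non-main refs: the `Add release suffix - DEV` step added to `helm-build-chart` in the `@@ -65,6 +66,21 @@` hunk rewrites `Chart.yaml` before the directory is uploaded, and the releaser job (hunk `@@ -268,42 +319,14 @@` on this page) now downloads that artifact into `${{ inputs.chart-dir }}` and runs the same step again under the same `if: github.ref != 'refs/heads/main'`, giving a version of the form `1.2.3-dev.<sha>-dev.<sha>` (constructed example). Keep the suffix step in one job; since the artifact already carries the modified Chart.yaml, the copy in the releaser is the redundant one. The snapshot-versus-dev distinction from the previous revision is also dropped here without mention in the commit message.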
@@ -89,13 +111,17 @@ jobs: --target-branch ${{ github.event.repository.default_branch }} \ --chart-dirs ${{ inputs.chart-dir }} + kubeconform: name: Kubeconform - Chart Validation needs: helm-ct-lint runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - name: Set up Helm uses: azure/setup-helm@v4.3.1 @@ -116,13 +142,17 @@ jobs: --strict \ --summary + polaris: name: Polaris - Chart Scan needs: helm-ct-lint runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - name: Setup Polaris run: | @@ -150,11 +180,18 @@ jobs: --format=pretty \ --color=true + trivy: name: Trivy - Chart Vulnerability Scan needs: helm-ct-lint runs-on: ubuntu-latest steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + - name: Build Trivy Vulnerability report uses: aquasecurity/trivy-action@0.29.0 env: @@ -186,6 +223,7 @@ jobs: ignore-unfixed: true severity: 'CRITICAL' + helm-ct-test: name: Helm CT - Chart Testing runs-on: ubuntu-latest @@ -199,6 +237,12 @@ jobs: with: fetch-depth: 0 + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + - name: Set up Helm uses: azure/setup-helm@v4.3.1 with: @@ -227,6 +271,7 @@ jobs: --chart-dirs ${{ inputs.chart-dir }} \ --helm-extra-args "-f ${{ inputs.chart-values }}" + helm-chart-releaser: needs: helm-ct-test name: Helm CR - Chart Release 
@@ -249,6 +294,12 @@ jobs: latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + - name: Install Helm uses: azure/setup-helm@v4.3.1 env: @@ -268,42 +319,14 @@ jobs: done helm repo update - ### Release steps specific to `feature` branch ### - - name: Add release suffix - SNAPSHOT - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - run: | - VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - - name: Delete existing snapshot release - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - CHART_VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - RELEASE_TAG="helix-${CHART_VERSION}" - - echo "Deleting release and tag: $RELEASE_TAG (if exists)" - gh release delete "$RELEASE_TAG" --yes --cleanup-tag || true - - - name: Release charts - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - uses: helm/chart-releaser-action@v1.7.0 - with: - skip_existing: true - mark_as_latest: false - charts_dir: charts - env: - CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} - ### Release steps specific to `dev` branch ### - name: Add release suffix - DEV - if: github.ref == 'refs/heads/dev' + if: github.ref != 'refs/heads/main' run: | VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - name: Run chart-releaser - DEV or SNAPSHOT + - name: Run chart-releaser - DEV if: github.ref != 'refs/heads/main' uses: helm/chart-releaser-action@v1.7.0 env: 
@@ -312,12 +335,12 @@ jobs: skip_existing: true mark_as_latest: false - ### Release steps - - name: Run chart-releaser + ### Release steps specific to `main` branch ### + - name: Run chart-releaser - MAIN if: github.ref == 'refs/heads/main' uses: helm/chart-releaser-action@v1.7.0 env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: skip_existing: true - mark_as_latest: true + mark_as_latest: true \ No newline at end of file From 3490da00bfcfde13b948abc7ac416c82f7d676dd Mon Sep 17 00:00:00 2001 From: 7066189 Date: Thu, 26 Feb 2026 18:21:45 +0100 Subject: [PATCH 065/121] new line at end of file --- .github/workflows/chart-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index a0d2f1d..39452ae 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -343,4 +343,4 @@ jobs: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: skip_existing: true - mark_as_latest: true \ No newline at end of file + mark_as_latest: true From 214f8398b6c7f16cabdf1863722485ab652f3728 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 08:34:25 +0100 Subject: [PATCH 066/121] test option with index --- .github/workflows/chart-ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 39452ae..17d5226 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -334,7 +334,8 @@ jobs: with: skip_existing: true mark_as_latest: false - + packages_with_index: true + ### Release steps specific to `main` branch ### - name: Run chart-releaser - MAIN if: github.ref == 'refs/heads/main' From 44e0c1ad20d35a9e2e3e641d8e5d78f3fb482b41 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 08:52:46 +0100 Subject: [PATCH 067/121] add feature branch in release process --- .github/workflows/chart-ci.yml | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 17d5226..e968318 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -319,15 +319,33 @@ jobs: done helm repo update + + ### Release steps specific to `feature` branch ### + - name: Add release suffix - DEV + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + run: | + VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + - name: Run chart-releaser - DEV + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + uses: helm/chart-releaser-action@v1.7.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + skip_existing: true + mark_as_latest: false + packages_with_index: true + ### Release steps specific to `dev` branch ### - name: Add release suffix - DEV - if: github.ref != 'refs/heads/main' + if: github.ref == 'refs/heads/dev' run: | VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - name: Run chart-releaser - DEV - if: github.ref != 'refs/heads/main' + if: github.ref == 'refs/heads/dev' uses: helm/chart-releaser-action@v1.7.0 env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" @@ -335,7 +353,7 @@ jobs: skip_existing: true mark_as_latest: false packages_with_index: true - + ### Release steps specific to `main` branch ### - name: Run chart-releaser - MAIN if: github.ref == 'refs/heads/main' From 13cd982b1916186028d776985c0a2b5b2d66de4c Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 09:14:18 +0100 Subject: [PATCH 068/121] Choose the right package-path --- .github/workflows/chart-ci.yml | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index e968318..0b9bbb4 100644 
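Review bot: The releaser job now contains two steps named `Add release suffix - DEV` and two named `Run chart-releaser - DEV`; the first pair is gated on feature branches and applies the `-snapshot.` suffix, so the names are misleading in the run log. Rename them `- name: Add release suffix - SNAPSHOT` and `- name: Run chart-releaser - SNAPSHOT`. The two chart-releaser steps are otherwise identical, so a single step with `if: github.ref != 'refs/heads/main'`, as the file had before this commit, covers both branches once the suffix steps have run.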
--- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -319,47 +319,43 @@ jobs: done helm repo update - ### Release steps specific to `feature` branch ### + ### Need to change the version in Chart.xml for CR ### - name: Add release suffix - DEV if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' run: | VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - name: Run chart-releaser - DEV - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - uses: helm/chart-releaser-action@v1.7.0 - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - skip_existing: true - mark_as_latest: false - packages_with_index: true - ### Release steps specific to `dev` branch ### + ### Need to change the version in Chart.xml for CR ### - name: Add release suffix - DEV if: github.ref == 'refs/heads/dev' run: | VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - name: Run chart-releaser - DEV - if: github.ref == 'refs/heads/dev' + ### Release steps (Common) + - name: Run chart-releaser + if: github.ref != 'refs/heads/main' uses: helm/chart-releaser-action@v1.7.0 - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: skip_existing: true mark_as_latest: false packages_with_index: true + package-path: ${{ inputs.chart-dir }} + token: ${{ secrets.GITHUB_TOKEN }} ### Release steps specific to `main` branch ### - - name: Run chart-releaser - MAIN - if: github.ref == 'refs/heads/main' + ### Only relaese ;) ### + ### Release steps (Common) + - name: Run chart-releaser + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' uses: helm/chart-releaser-action@v1.7.0 - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: skip_existing: true mark_as_latest: true + packages_with_index: true + package-path: ${{ inputs.chart-dir }} + token: ${{ secrets.GITHUB_TOKEN }} + 
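Review bot: The step under `### Release steps specific to `main` branch ###` is now gated with `if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev'`, which is the feature-branch condition, so the `mark_as_latest: true` release runs on every feature branch and never on main, and feature branches additionally match the preceding "common" step. It should be `if: github.ref == 'refs/heads/main'` as on the line it replaces. Separately, I cannot confirm that `package-path` and `token` are inputs of `helm/chart-releaser-action@v1.7.0`; earlier revisions on this page pass the token through `env: CR_TOKEN` and the directory through `charts_dir`, and an unrecognised `with:` key is only a warning in Actions, so a missing token would show up as a confusing failure rather than a clear error — verify against the action's action.yml. The two new comments also say `Chart.xml` where the file is `Chart.yaml`.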
From 6435a8a66e3e8754d0858bae759c3eb4e8218175 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 09:15:55 +0100 Subject: [PATCH 069/121] fix linter error : Error: ub/workflows/chart-ci.yml:361:1: [error] too many blank lines (1 > 0) (empty-lines) --- .github/workflows/chart-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 0b9bbb4..e967540 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -358,4 +358,3 @@ jobs: packages_with_index: true package-path: ${{ inputs.chart-dir }} token: ${{ secrets.GITHUB_TOKEN }} - From a2f5aa8cf7fb63ee1d2e87928dd1e9cb9fea4763 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 09:35:05 +0100 Subject: [PATCH 070/121] remove CR releaser --- .github/workflows/chart-ci.yml | 170 ++++++++++++++++----------------- 1 file changed, 84 insertions(+), 86 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index e967540..723dc41 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -272,89 +272,87 @@ jobs: --helm-extra-args "-f ${{ inputs.chart-values }}" - helm-chart-releaser: - needs: helm-ct-test - name: Helm CR - Chart Release - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Configure Git - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - git fetch --tags - latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) - echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" - - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Install Helm - uses: azure/setup-helm@v4.3.1 - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - version: v3.14.4 - - - name: Extract and add Helm repositories - run: | - yq eval -r ' - .dependencies[] - | select(.repository != "oci://*") - | "\(.name) \(.repository)" - ' "${{ inputs.chart-dir }}/Chart.yaml" \ - | while read -r name repo; do - helm repo add "$name" "$repo" - done - helm repo update - - ### Release steps specific to `feature` branch ### - ### Need to change the version in Chart.xml for CR ### - - name: Add release suffix - DEV - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - run: | - VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - ### Release steps specific to `dev` branch ### - ### Need to change the version in Chart.xml for CR ### - - name: Add release suffix - DEV - if: github.ref == 'refs/heads/dev' - run: | - VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . 
+ env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - ### Release steps (Common) - - name: Run chart-releaser - if: github.ref != 'refs/heads/main' - uses: helm/chart-releaser-action@v1.7.0 - with: - skip_existing: true - mark_as_latest: false - packages_with_index: true - package-path: ${{ inputs.chart-dir }} - token: ${{ secrets.GITHUB_TOKEN }} - - ### Release steps specific to `main` branch ### - ### Only relaese ;) ### - ### Release steps (Common) - - name: Run chart-releaser - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - uses: helm/chart-releaser-action@v1.7.0 - with: - skip_existing: true - mark_as_latest: true - packages_with_index: true - package-path: ${{ inputs.chart-dir }} - token: ${{ secrets.GITHUB_TOKEN }} + # helm-chart-releaser: + # needs: helm-ct-test + # name: Helm CR - Chart Release + # runs-on: ubuntu-latest + # permissions: + # contents: write + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + # with: + # fetch-depth: 0 + + # - name: Configure Git + # run: | + # git config user.name "$GITHUB_ACTOR" + # git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + # # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + # git fetch --tags + # latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) + # echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" + + # - name: Download packaged Chart + # uses: actions/download-artifact@v4 + # with: + # name: packaged-chart + # path: ${{ inputs.chart-dir }} + + # - name: Install Helm + # uses: azure/setup-helm@v4.3.1 + # env: + # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # version: v3.14.4 + + # - name: Extract and add Helm repositories + # run: | + # yq eval -r ' + # .dependencies[] + # | select(.repository != "oci://*") + # | "\(.name) \(.repository)" + # ' "${{ inputs.chart-dir }}/Chart.yaml" \ + # | while read -r name repo; do + # helm repo add "$name" "$repo" + # done + # 
helm repo update + + # ### Release steps specific to `feature` branch ### + # ### Need to change the version in Chart.xml for CR ### + # - name: Add release suffix - DEV + # if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + # run: | + # VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + # yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + # ### Release steps specific to `dev` branch ### + # ### Need to change the version in Chart.xml for CR ### + # - name: Add release suffix - DEV + # if: github.ref == 'refs/heads/dev' + # run: | + # VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ + # yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + # ### Release steps (Common) + # - name: Run chart-releaser + # if: github.ref != 'refs/heads/main' + # uses: helm/chart-releaser-action@v1.7.0 + # env: + # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # skip_existing: true + # mark_as_latest: false + + # ### Release steps specific to `main` branch ### + # ### Only relaese ;) ### + # ### Release steps (Common) + # - name: Run chart-releaser + # if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + # uses: helm/chart-releaser-action@v1.7.0 + # env: + # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # skip_existing: true + # mark_as_latest: true From 22a6393c64e51b45e779df288e5f0a7839c6faa9 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 10:15:33 +0100 Subject: [PATCH 071/121] downgrade chart-releaser plugin --- .github/workflows/chart-ci.yml | 168 ++++++++++++++++----------------- 1 file changed, 84 insertions(+), 84 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 723dc41..7f9ee4a 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -272,87 +272,87 @@ jobs: --helm-extra-args "-f ${{ inputs.chart-values }}" - # helm-chart-releaser: - # needs: helm-ct-test - # name: Helm CR - Chart Release - # runs-on: ubuntu-latest - # permissions: - # contents: write - # steps: - # - name: Checkout - # uses: actions/checkout@v4 - # with: - # fetch-depth: 0 - - # - name: Configure Git - # run: | - # git config user.name "$GITHUB_ACTOR" - # git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - # # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - # git fetch --tags - # latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) - # echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" - - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} - - # - name: Install Helm - # uses: azure/setup-helm@v4.3.1 - # env: - # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # version: v3.14.4 - - # - name: Extract and add Helm repositories - # run: | - # yq eval -r ' - # .dependencies[] - # | select(.repository != "oci://*") - # | "\(.name) \(.repository)" - # ' "${{ inputs.chart-dir }}/Chart.yaml" \ - # | while read -r name repo; do - # helm repo add "$name" "$repo" - # done - # helm repo update - - # ### Release steps specific to `feature` branch ### - # ### Need to change the version in Chart.xml for CR ### - # - name: Add release suffix - DEV - # if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - # run: | - # VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ - # yq -i '.version |= . 
+ env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - # ### Release steps specific to `dev` branch ### - # ### Need to change the version in Chart.xml for CR ### - # - name: Add release suffix - DEV - # if: github.ref == 'refs/heads/dev' - # run: | - # VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ - # yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - # ### Release steps (Common) - # - name: Run chart-releaser - # if: github.ref != 'refs/heads/main' - # uses: helm/chart-releaser-action@v1.7.0 - # env: - # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # skip_existing: true - # mark_as_latest: false - - # ### Release steps specific to `main` branch ### - # ### Only relaese ;) ### - # ### Release steps (Common) - # - name: Run chart-releaser - # if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - # uses: helm/chart-releaser-action@v1.7.0 - # env: - # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # skip_existing: true - # mark_as_latest: true + helm-chart-releaser: + needs: helm-ct-test + name: Helm CR - Chart Release + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + git fetch --tags + latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) + echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" + + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Install Helm + uses: azure/setup-helm@v4.3.1 + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + version: v3.14.4 + + - name: Extract and add Helm repositories + run: | + yq eval -r ' + 
.dependencies[] + | select(.repository != "oci://*") + | "\(.name) \(.repository)" + ' "${{ inputs.chart-dir }}/Chart.yaml" \ + | while read -r name repo; do + helm repo add "$name" "$repo" + done + helm repo update + + ### Release steps specific to `feature` branch ### + ### Need to change the version in Chart.xml for CR ### + - name: Add release suffix - DEV + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + run: | + VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + ### Release steps specific to `dev` branch ### + ### Need to change the version in Chart.xml for CR ### + - name: Add release suffix - DEV + if: github.ref == 'refs/heads/dev' + run: | + VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + ### Release steps (Common) + - name: Run chart-releaser + if: github.ref != 'refs/heads/main' + uses: helm/chart-releaser-action@v1.6.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + skip_existing: true + mark_as_latest: false + + ### Release steps specific to `main` branch ### + ### Only relaese ;) ### + ### Release steps (Common) + - name: Run chart-releaser + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + uses: helm/chart-releaser-action@v1.6.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + skip_existing: true + mark_as_latest: true From 4e7ca7a880b8f0bc3b2829267b0b634cb6894a6b Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 10:50:14 +0100 Subject: [PATCH 072/121] remove download chart --- .github/workflows/chart-ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 7f9ee4a..22657ac 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
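Review bot: The re-enabled `Configure Git` step appends `latest_tag=...` to `$GITHUB_OUTPUT` but the step has no `id:`, so no later step can read it through `steps.<id>.outputs.latest_tag` and the linked workaround is computed and then discarded; add `id: git` under the step name or drop the output. The second `Run chart-releaser` step still carries `if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev'` together with `mark_as_latest: true`, so `main` never releases and feature-branch snapshots are marked latest. Because this job holds `contents: write` and pushes to the repository, the third-party actions it executes (`helm/chart-releaser-action@v1.6.0`, `azure/setup-helm@v4.3.1`, `actions/checkout@v4`) are better pinned to a full commit SHA than to a tag that the upstream maintainer can move. The context lines above `helm-chart-releaser:` belong to a job that starts outside the hunk.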
@@ -294,11 +294,11 @@ jobs: latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} + # - name: Download packaged Chart + # uses: actions/download-artifact@v4 + # with: + # name: packaged-chart + # path: ${{ inputs.chart-dir }} - name: Install Helm uses: azure/setup-helm@v4.3.1 From fb9715105728b758885e7d0a24aede3c5183253b Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 11:14:05 +0100 Subject: [PATCH 073/121] [Temporary] Disable Helm, Checkout, Downloard pakaged Chart --- .github/workflows/chart-ci.yml | 60 +++++++++++++++++----------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 22657ac..8aed1d9 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -279,20 +279,20 @@ jobs: permissions: contents: write steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 + # - name: Checkout + # uses: actions/checkout@v4 + # with: + # fetch-depth: 0 - - name: Configure Git - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + # - name: Configure Git + # run: | + # git config user.name "$GITHUB_ACTOR" + # git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - git fetch --tags - latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) - echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" + # # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + # git fetch --tags + # latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) + # echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" # - name: Download packaged Chart # uses: actions/download-artifact@v4 
@@ -300,24 +300,24 @@ jobs: # name: packaged-chart # path: ${{ inputs.chart-dir }} - - name: Install Helm - uses: azure/setup-helm@v4.3.1 - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - version: v3.14.4 - - - name: Extract and add Helm repositories - run: | - yq eval -r ' - .dependencies[] - | select(.repository != "oci://*") - | "\(.name) \(.repository)" - ' "${{ inputs.chart-dir }}/Chart.yaml" \ - | while read -r name repo; do - helm repo add "$name" "$repo" - done - helm repo update + # - name: Install Helm + # uses: azure/setup-helm@v4.3.1 + # env: + # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # version: v3.14.4 + + # - name: Extract and add Helm repositories + # run: | + # yq eval -r ' + # .dependencies[] + # | select(.repository != "oci://*") + # | "\(.name) \(.repository)" + # ' "${{ inputs.chart-dir }}/Chart.yaml" \ + # | while read -r name repo; do + # helm repo add "$name" "$repo" + # done + # helm repo update ### Release steps specific to `feature` branch ### ### Need to change the version in Chart.xml for CR ### From 4543b6d4921574dadfdb28db81a0c6b62473211d Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 11:23:18 +0100 Subject: [PATCH 074/121] Add Chechout step --- .github/workflows/chart-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 8aed1d9..f065995 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -279,8 +279,8 @@ jobs: permissions: contents: write steps: - # - name: Checkout - # uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 # with: # fetch-depth: 0 From 29c9bcf496d717c6b37f8393d1e1579a1371e93d Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 11:37:55 +0100 Subject: [PATCH 075/121] Add Helm --- .github/workflows/chart-ci.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) 
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index f065995..baf316f 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -300,24 +300,24 @@ jobs: # name: packaged-chart # path: ${{ inputs.chart-dir }} - # - name: Install Helm - # uses: azure/setup-helm@v4.3.1 - # env: - # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # version: v3.14.4 + - name: Install Helm + uses: azure/setup-helm@v4.3.1 + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + version: v3.14.4 - # - name: Extract and add Helm repositories - # run: | - # yq eval -r ' - # .dependencies[] - # | select(.repository != "oci://*") - # | "\(.name) \(.repository)" - # ' "${{ inputs.chart-dir }}/Chart.yaml" \ - # | while read -r name repo; do - # helm repo add "$name" "$repo" - # done - # helm repo update + - name: Extract and add Helm repositories + run: | + yq eval -r ' + .dependencies[] + | select(.repository != "oci://*") + | "\(.name) \(.repository)" + ' "${{ inputs.chart-dir }}/Chart.yaml" \ + | while read -r name repo; do + helm repo add "$name" "$repo" + done + helm repo update ### Release steps specific to `feature` branch ### ### Need to change the version in Chart.xml for CR ### From cfa770bf34d029908fc8524758a5c78b348b5ae8 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 11:47:48 +0100 Subject: [PATCH 076/121] All do in 1 job --- .github/workflows/chart-ci.yml | 221 ++++++++++++++++----------------- 1 file changed, 106 insertions(+), 115 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index baf316f..01ed503 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -66,41 +66,35 @@ jobs: template-files: ${{ inputs.chart-dir }}/README.md.gotpl sort-values-order: file - - name: Add release suffix - DEV - if: github.ref != 'refs/heads/main' - run: | - VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - - name: Upload packaged Chart - uses: actions/upload-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - if-no-files-found: error - retention-days: 1 - - - helm-ct-lint: - name: Helm CT - Chart Linting - runs-on: ubuntu-latest - needs: helm-build-chart - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Set up Helm - uses: azure/setup-helm@v4.3.1 - with: - version: v3.14.4 + # - name: Upload packaged Chart + # uses: actions/upload-artifact@v4 + # with: + # name: packaged-chart + # path: ${{ inputs.chart-dir }} + # if-no-files-found: error + # retention-days: 1 + + + # # helm-ct-lint: + # # name: Helm CT - Chart Linting + # # runs-on: ubuntu-latest + # # needs: helm-build-chart + # # steps: + # # - name: Checkout + # # uses: actions/checkout@v4 + # # with: + # # fetch-depth: 0 + + # # - name: Download packaged Chart + # # uses: actions/download-artifact@v4 + # # with: + # # name: packaged-chart + # # path: ${{ inputs.chart-dir }} + + # - name: Set up Helm + # uses: azure/setup-helm@v4.3.1 + # with: + # version: v3.14.4 - name: Set up chart-testing uses: helm/chart-testing-action@v2.6.1 
@@ -111,22 +105,21 @@ jobs: --target-branch ${{ github.event.repository.default_branch }} \ --chart-dirs ${{ inputs.chart-dir }} - - kubeconform: - name: Kubeconform - Chart Validation - needs: helm-ct-lint - runs-on: ubuntu-latest - steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Set up Helm - uses: azure/setup-helm@v4.3.1 - with: - version: v3.14.4 + # kubeconform: + # name: Kubeconform - Chart Validation + # needs: helm-ct-lint + # runs-on: ubuntu-latest + # steps: + # - name: Download packaged Chart + # uses: actions/download-artifact@v4 + # with: + # name: packaged-chart + # path: ${{ inputs.chart-dir }} + + # - name: Set up Helm + # uses: azure/setup-helm@v4.3.1 + # with: + # version: v3.14.4 - name: Setup Helm plugins run: | @@ -142,17 +135,16 @@ jobs: --strict \ --summary - - polaris: - name: Polaris - Chart Scan - needs: helm-ct-lint - runs-on: ubuntu-latest - steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} + # polaris: + # name: Polaris - Chart Scan + # needs: helm-ct-lint + # runs-on: ubuntu-latest + # steps: + # - name: Download packaged Chart + # uses: actions/download-artifact@v4 + # with: + # name: packaged-chart + # path: ${{ inputs.chart-dir }} - name: Setup Polaris run: | 
@@ -181,16 +173,16 @@ jobs: --color=true - trivy: - name: Trivy - Chart Vulnerability Scan - needs: helm-ct-lint - runs-on: ubuntu-latest - steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} + # trivy: + # name: Trivy - Chart Vulnerability Scan + # needs: helm-ct-lint + # runs-on: ubuntu-latest + # steps: + # - name: Download packaged Chart + # uses: actions/download-artifact@v4 + # with: + # name: packaged-chart + # path: ${{ inputs.chart-dir }} - name: Build Trivy Vulnerability report uses: aquasecurity/trivy-action@0.29.0 @@ -224,32 +216,32 @@ jobs: severity: 'CRITICAL' - helm-ct-test: - name: Helm CT - Chart Testing - runs-on: ubuntu-latest - needs: - - kubeconform - - polaris - - trivy - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Set up Helm - uses: azure/setup-helm@v4.3.1 - with: - version: v3.14.4 - - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 + # helm-ct-test: + # name: Helm CT - Chart Testing + # runs-on: ubuntu-latest + # needs: + # - kubeconform + # - polaris + # - trivy + # steps: + # - name: Checkout + # uses: actions/checkout@v4 + # with: + # fetch-depth: 0 + + # - name: Download packaged Chart + # uses: actions/download-artifact@v4 + # with: + # name: packaged-chart + # path: ${{ inputs.chart-dir }} + + # - name: Set up Helm + # uses: azure/setup-helm@v4.3.1 + # with: + # version: v3.14.4 + + # - name: Set up chart-testing + # uses: helm/chart-testing-action@v2.6.1 - name: Run chart-testing (list-changed) id: list-changed 
@@ -271,16 +263,15 @@ jobs: --chart-dirs ${{ inputs.chart-dir }} \ --helm-extra-args "-f ${{ inputs.chart-values }}" - - helm-chart-releaser: - needs: helm-ct-test - name: Helm CR - Chart Release - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout - uses: actions/checkout@v4 + # helm-chart-releaser: + # needs: helm-ct-test + # name: Helm CR - Chart Release + # runs-on: ubuntu-latest + # permissions: + # contents: write + # steps: + # - name: Checkout + # uses: actions/checkout@v4 # with: # fetch-depth: 0 @@ -300,12 +291,12 @@ jobs: # name: packaged-chart # path: ${{ inputs.chart-dir }} - - name: Install Helm - uses: azure/setup-helm@v4.3.1 - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - version: v3.14.4 + # - name: Install Helm + # uses: azure/setup-helm@v4.3.1 + # env: + # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # version: v3.14.4 - name: Extract and add Helm repositories run: | @@ -346,7 +337,7 @@ jobs: mark_as_latest: false ### Release steps specific to `main` branch ### - ### Only relaese ;) ### + ### Only release ;) ### ### Release steps (Common) - name: Run chart-releaser if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' From 89b73a7711a7ecb2b7bccc3c900f7fa4026a6184 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 12:05:19 +0100 Subject: [PATCH 077/121] Adjust task order in the job --- .github/workflows/chart-ci.yml | 60 ++++++++++++++-------------------- 1 file changed, 24 insertions(+), 36 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 01ed503..93b82ca 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
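Review bot: Commenting out the `helm-chart-releaser:` header also comments out its `permissions: contents: write`, while the `Run chart-releaser` steps further down remain live, so they now run under whatever permissions the enclosing job declares — and that job's header is outside the hunk. Either that job has no write access and the release step fails, or it has been granted `contents: write`, in which case the lint, kubeconform, Polaris, Trivy and chart-testing steps that previously ran with a read-only `GITHUB_TOKEN` now share a write-capable one. Keeping the release in its own job with its own `permissions:` block preserves the least-privilege split; if everything must stay in one job, declare `permissions: contents: write` explicitly on it and record the reason, e.g. `# contents: write is required only by the chart-releaser steps below`.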
@@ -30,6 +30,22 @@ jobs: with: fetch-depth: 0 + ### Release steps specific to `feature` branch ### + ### Need to change the version in Chart.xml for CR ### + - name: Add release suffix - DEV + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + run: | + VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + ### Release steps specific to `dev` branch ### + ### Need to change the version in Chart.xml for CR ### + - name: Add release suffix - DEV + if: github.ref == 'refs/heads/dev' + run: | + VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + - name: Install Helm uses: azure/setup-helm@v4.3.1 with: @@ -275,15 +291,15 @@ jobs: # with: # fetch-depth: 0 - # - name: Configure Git - # run: | - # git config user.name "$GITHUB_ACTOR" - # git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - # # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - # git fetch --tags - # latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) - # echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" + # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + git fetch --tags + latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) + echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" # - name: Download packaged Chart # uses: actions/download-artifact@v4 
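Review bot: Both added steps splice `${{ inputs.chart-dir }}` and `${{ github.sha }}` directly into the `run:` script; `github.sha` is harmless, but `inputs.chart-dir` is a caller-supplied string that is expanded before the shell parses the line, so a value containing quotes or `;` would change the command. The standard hardening is to route it through the environment, `env: CHART_DIR: ${{ inputs.chart-dir }}` and then `yq -i '.version |= . + env(VERSION_SUFFIX)' "$CHART_DIR/Chart.yaml"`, which also quotes a path that might contain spaces. Both steps are named `Add release suffix - DEV`, yet the first appends `-snapshot`; naming it `Add release suffix - SNAPSHOT` keeps the two distinguishable in the run log. The job these steps are inserted into starts outside the hunk.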
@@ -298,34 +314,6 @@ jobs: # with: # version: v3.14.4 - - name: Extract and add Helm repositories - run: | - yq eval -r ' - .dependencies[] - | select(.repository != "oci://*") - | "\(.name) \(.repository)" - ' "${{ inputs.chart-dir }}/Chart.yaml" \ - | while read -r name repo; do - helm repo add "$name" "$repo" - done - helm repo update - - ### Release steps specific to `feature` branch ### - ### Need to change the version in Chart.xml for CR ### - - name: Add release suffix - DEV - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - run: | - VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - ### Release steps specific to `dev` branch ### - ### Need to change the version in Chart.xml for CR ### - - name: Add release suffix - DEV - if: github.ref == 'refs/heads/dev' - run: | - VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - ### Release steps (Common) - name: Run chart-releaser if: github.ref != 'refs/heads/main' From dadbbab197ec119d70754ca1040ebbd1f247d9a7 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 13:17:55 +0100 Subject: [PATCH 078/121] Replace chart-releaser by specifics steps. --- .github/workflows/chart-ci.yml | 349 +++++++++++++++++++-------------- 1 file changed, 202 insertions(+), 147 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 93b82ca..2e9db77 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -1,4 +1,3 @@ ---- name: Chart CI on: 
@@ -30,22 +29,6 @@ jobs: with: fetch-depth: 0 - ### Release steps specific to `feature` branch ### - ### Need to change the version in Chart.xml for CR ### - - name: Add release suffix - DEV - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - run: | - VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - ### Release steps specific to `dev` branch ### - ### Need to change the version in Chart.xml for CR ### - - name: Add release suffix - DEV - if: github.ref == 'refs/heads/dev' - run: | - VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - name: Install Helm uses: azure/setup-helm@v4.3.1 with: @@ -55,7 +38,6 @@ jobs: run: | yq eval -r ' .dependencies[] - | select(.repository != "oci://*") | "\(.name) \(.repository)" ' "${{ inputs.chart-dir }}/Chart.yaml" \ | while read -r name repo; do @@ -68,13 +50,13 @@ jobs: helm dependency build ${{ inputs.chart-dir }} - name: Generate values schema json - uses: losisin/helm-values-schema-json-action@v2.4.1 + uses: losisin/helm-values-schema-json-action@v1.5.3 with: - working-directory: ${{ inputs.chart-dir }} - output: values.schema.json + input: ${{ inputs.chart-dir }}/values.yaml + output: ${{ inputs.chart-dir }}/values.schema.json - name: Helm-docs - uses: losisin/helm-docs-github-action@v1.7.1 + uses: losisin/helm-docs-github-action@v1.3.3 with: chart-search-root: ${{ inputs.chart-dir }} values-file: ${{ inputs.chart-dir }}/values.yaml 
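Review bot: Removing `| select(.repository != "oci://*")` in the `-55,7 +38,6` hunk changes nothing at run time, because that expression compared the repository string literally against the seven characters `oci://*` rather than matching a prefix, so it never excluded an entry; any `oci://` dependency already reached `helm repo add`, which does not accept OCI URLs. If OCI dependencies are expected, the filter that actually works is `| select(.repository | test("^oci://") | not)`; if they are not, the deletion is fine, but a comment such as `# helm repo add only supports HTTP(S) repositories; OCI dependencies are resolved directly by helm dependency build` would make the assumption explicit. The `- name:` line of this step is outside the hunk.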
@@ -82,35 +64,33 @@ jobs: template-files: ${{ inputs.chart-dir }}/README.md.gotpl sort-values-order: file - # - name: Upload packaged Chart - # uses: actions/upload-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} - # if-no-files-found: error - # retention-days: 1 - - - # # helm-ct-lint: - # # name: Helm CT - Chart Linting - # # runs-on: ubuntu-latest - # # needs: helm-build-chart - # # steps: - # # - name: Checkout - # # uses: actions/checkout@v4 - # # with: - # # fetch-depth: 0 - - # # - name: Download packaged Chart - # # uses: actions/download-artifact@v4 - # # with: - # # name: packaged-chart - # # path: ${{ inputs.chart-dir }} - - # - name: Set up Helm - # uses: azure/setup-helm@v4.3.1 - # with: - # version: v3.14.4 + - name: Upload packaged Chart + uses: actions/upload-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + if-no-files-found: error + retention-days: 1 + + + helm-ct-lint: + name: Helm CT - Chart Linting + runs-on: ubuntu-latest + needs: helm-build-chart + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 - name: Set up chart-testing uses: helm/chart-testing-action@v2.6.1 
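Review bot: The restored `Set up Helm` step in `helm-ct-lint` is now `uses: azure/setup-helm@v4.3.1` with no `with: version:`, whereas the same action in the kubeconform and chart-testing jobs on this page is pinned to `v3.14.4`; this job therefore lints with whatever Helm version the action resolves at run time, so lint results can drift from the version the chart is packaged and tested with. Restore the two lines `with:` / `version: v3.14.4` under the step. The hunk stops at `Set up chart-testing`, so the rest of the job is outside it.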
@@ -121,21 +101,22 @@ jobs: --target-branch ${{ github.event.repository.default_branch }} \ --chart-dirs ${{ inputs.chart-dir }} - # kubeconform: - # name: Kubeconform - Chart Validation - # needs: helm-ct-lint - # runs-on: ubuntu-latest - # steps: - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} - - # - name: Set up Helm - # uses: azure/setup-helm@v4.3.1 - # with: - # version: v3.14.4 + + kubeconform: + name: Kubeconform - Chart Validation + needs: helm-ct-lint + runs-on: ubuntu-latest + steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 - name: Setup Helm plugins run: | @@ -151,16 +132,17 @@ jobs: --strict \ --summary - # polaris: - # name: Polaris - Chart Scan - # needs: helm-ct-lint - # runs-on: ubuntu-latest - # steps: - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} + + polaris: + name: Polaris - Chart Scan + needs: helm-ct-lint + runs-on: ubuntu-latest + steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - name: Setup Polaris run: | 
@@ -189,16 +171,16 @@ jobs: --color=true - # trivy: - # name: Trivy - Chart Vulnerability Scan - # needs: helm-ct-lint - # runs-on: ubuntu-latest - # steps: - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} + trivy: + name: Trivy - Chart Vulnerability Scan + needs: helm-ct-lint + runs-on: ubuntu-latest + steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} - name: Build Trivy Vulnerability report uses: aquasecurity/trivy-action@0.29.0 @@ -232,32 +214,32 @@ jobs: severity: 'CRITICAL' - # helm-ct-test: - # name: Helm CT - Chart Testing - # runs-on: ubuntu-latest - # needs: - # - kubeconform - # - polaris - # - trivy - # steps: - # - name: Checkout - # uses: actions/checkout@v4 - # with: - # fetch-depth: 0 - - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} - - # - name: Set up Helm - # uses: azure/setup-helm@v4.3.1 - # with: - # version: v3.14.4 - - # - name: Set up chart-testing - # uses: helm/chart-testing-action@v2.6.1 + helm-ct-test: + name: Helm CT - Chart Testing + runs-on: ubuntu-latest + needs: + - kubeconform + - polaris + - trivy + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.6.1 - name: Run chart-testing (list-changed) id: list-changed 
@@ -279,27 +261,28 @@ jobs: --chart-dirs ${{ inputs.chart-dir }} \ --helm-extra-args "-f ${{ inputs.chart-values }}" - # helm-chart-releaser: - # needs: helm-ct-test - # name: Helm CR - Chart Release - # runs-on: ubuntu-latest - # permissions: - # contents: write - # steps: - # - name: Checkout - # uses: actions/checkout@v4 - # with: - # fetch-depth: 0 - - name: Configure Git - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + helm-chart-releaser: + needs: helm-ct-test + name: Helm CR - Chart Release + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + # - name: Configure Git + # run: | + # git config user.name "$GITHUB_ACTOR" + # git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - git fetch --tags - latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) - echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" + # # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + # git fetch --tags + # latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) + # echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" # - name: Download packaged Chart # uses: actions/download-artifact@v4 
@@ -311,27 +294,99 @@ jobs: # uses: azure/setup-helm@v4.3.1 # env: # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # version: v3.14.4 - ### Release steps (Common) - - name: Run chart-releaser - if: github.ref != 'refs/heads/main' - uses: helm/chart-releaser-action@v1.6.0 + # - name: Extract and add Helm repositories + # run: | + # yq eval -r ' + # .dependencies[] + # | "\(.name) \(.repository)" + # ' "${{ inputs.chart-dir }}/Chart.yaml" \ + # | while read -r name repo; do + # helm repo add "$name" "$repo" + # done + # helm repo update + + # ### Release steps specific to `feature` branch ### + # - name: Add release suffix - SNAPSHOT + # if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + # run: | + # VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + # yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + - name: Run chart-releaser - SNAPSHOT + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + uses: helm/chart-releaser-action@v1.7.0 env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: skip_existing: true mark_as_latest: false - ### Release steps specific to `main` branch ### - ### Only release ;) ### - ### Release steps (Common) - - name: Run chart-releaser - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - uses: helm/chart-releaser-action@v1.6.0 + ### Release steps specific to `dev` branch ### + - name: Add release suffix - DEV + if: github.ref == 'refs/heads/dev' + run: | + VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . 
+ env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + # - name: Run chart-releaser - DEV + # if: github.ref == 'refs/heads/dev' + # uses: helm/chart-releaser-action@v1.7.0 + # env: + # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # skip_existing: true + # mark_as_latest: false + + # ### Release steps specific to `main` branch ### + # - name: Run chart-releaser - MAIN + # if: github.ref == 'refs/heads/main' + # uses: helm/chart-releaser-action@v1.7.0 + # env: + # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # skip_existing: true + # mark_as_latest: true + + - name: Install chart-releaser + run: | + curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz + tar -xzf cr.tar.gz + sudo mv cr /usr/local/bin/cr + + - name: Package chart + run: | + helm package ${{ inputs.chart-dir }} -d .cr-release-packages/ + + - name: Create GitHub pre-release + tag env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - skip_existing: true - mark_as_latest: true + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + TAG="helix-${VERSION}" + git tag "$TAG" + git push origin "$TAG" + gh release create "$TAG" \ + .cr-release-packages/*.tgz \ + --prerelease \ + --title "$TAG" \ + --notes "Version from ${{ github.ref_name }}" + + - name: Update index.yaml on gh-pages + env: + CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Récupère le gh-pages existant + git fetch origin gh-pages + mkdir -p .cr-index + git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml + + # Regénère l'index en mergant avec l'existant + cr index \ + --owner ${{ github.repository_owner }} \ + --git-repo ${{ github.event.repository.name }} \ + --packages-with-index \ + --index-path .cr-index/index.yaml \ + --package-path .cr-release-packages/ \ + --push \ + --token ${{ secrets.GITHUB_TOKEN }} 
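Review bot: `--notes "Version from ${{ github.ref_name }}"` in the new `Create GitHub pre-release + tag` step expands a branch name directly into the shell script, and `github.ref_name` is one of the contexts GitHub documents as untrusted for `run:` — a ref containing quotes or `$(...)` would execute with the job's `contents: write` token. Move it into the environment: add `REF_NAME: ${{ github.ref_name }}` beside `GH_TOKEN` under `env:` and write `--notes "Version from $REF_NAME"`. The `Install chart-releaser` step moves an unverified `curl` download into `/usr/local/bin` with `sudo mv`; checking the archive against a `sha256sum` pinned in the workflow first would close that gap. `helm package ${{ inputs.chart-dir }}` packages the raw checkout while `Download packaged Chart` stays commented out just above, so the released chart presumably lacks the dependencies, schema and README the `helm-build-chart` artifact carries and is not the one that was linted and scanned. Also `echo "apiVersion: v1\nentries: {}"` does not expand `\n` under bash's builtin echo, so the fallback index is a single line; `printf 'apiVersion: v1\nentries: {}\n'` is the portable form.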
From fd756a86b6f734b02a6e7a4fe6546fa8a78344a2 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 13:23:30 +0100 Subject: [PATCH 079/121] uncomment the right step for snapshot version name --- .github/workflows/chart-ci.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 2e9db77..1d62b12 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -307,20 +307,20 @@ jobs: # helm repo update # ### Release steps specific to `feature` branch ### - # - name: Add release suffix - SNAPSHOT - # if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - # run: | - # VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ - # yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - - name: Run chart-releaser - SNAPSHOT + - name: Add release suffix - SNAPSHOT if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - uses: helm/chart-releaser-action@v1.7.0 - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - skip_existing: true - mark_as_latest: false + run: | + VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + # - name: Run chart-releaser - SNAPSHOT + # if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + # uses: helm/chart-releaser-action@v1.7.0 + # env: + # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # skip_existing: true + # mark_as_latest: false ### Release steps specific to `dev` branch ### - name: Add release suffix - DEV From 8b5a0016aedb8dbee44381940c55d6d26f881730 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 14:19:25 +0100 Subject: [PATCH 080/121] remove tag creation --- .github/workflows/chart-ci.yml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 1d62b12..1361884 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -364,8 +364,6 @@ jobs: run: | VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) TAG="helix-${VERSION}" - git tag "$TAG" - git push origin "$TAG" gh release create "$TAG" \ .cr-release-packages/*.tgz \ --prerelease \ From 90b85867f4244a05457c501003a26a45f158b929 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 14:54:42 +0100 Subject: [PATCH 081/121] add login for fetch gh-pages --- .github/workflows/chart-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 1361884..83f69ba 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -374,6 +374,9 @@ jobs: env: CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + # Récupère le gh-pages existant git fetch origin gh-pages mkdir -p .cr-index From e19d56ff20d525973fc66b07c1aa4ac4e4438872 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 15:18:43 +0100 Subject: [PATCH 082/121] Clean before MR --- .github/workflows/chart-ci.yml | 75 +++++++--------------------------- 1 file changed, 15 insertions(+), 60 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 83f69ba..dd69994 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -274,38 +274,6 @@ jobs: with: fetch-depth: 0 - # - name: Configure Git - # run: | - # git config user.name "$GITHUB_ACTOR" - # git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - # # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - # git fetch --tags - # latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) - # echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" - - # - name: Download packaged Chart - # uses: actions/download-artifact@v4 - # with: - # name: packaged-chart - # path: ${{ inputs.chart-dir }} - - # - name: Install Helm - # uses: azure/setup-helm@v4.3.1 - # env: - # GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - # - name: Extract and add Helm repositories - # run: | - # yq eval -r ' - # .dependencies[] - # | "\(.name) \(.repository)" - # ' "${{ inputs.chart-dir }}/Chart.yaml" \ - # | while read -r name repo; do - # helm repo add "$name" "$repo" - # done - # helm repo update - # ### Release steps specific to `feature` branch ### - name: Add release suffix - SNAPSHOT if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' @@ -313,15 +281,6 @@ jobs: VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - # - name: Run chart-releaser - SNAPSHOT - # if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - # uses: helm/chart-releaser-action@v1.7.0 - # env: - # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # skip_existing: true - # mark_as_latest: false - ### Release steps specific to `dev` branch ### - name: Add release suffix - DEV if: github.ref == 'refs/heads/dev' 
@@ -329,25 +288,6 @@ jobs: VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - # - name: Run chart-releaser - DEV - # if: github.ref == 'refs/heads/dev' - # uses: helm/chart-releaser-action@v1.7.0 - # env: - # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # skip_existing: true - # mark_as_latest: false - - # ### Release steps specific to `main` branch ### - # - name: Run chart-releaser - MAIN - # if: github.ref == 'refs/heads/main' - # uses: helm/chart-releaser-action@v1.7.0 - # env: - # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # skip_existing: true - # mark_as_latest: true - - name: Install chart-releaser run: | curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz @@ -358,7 +298,9 @@ jobs: run: | helm package ${{ inputs.chart-dir }} -d .cr-release-packages/ + # ### Release steps specific to `feature` or `dev` branch ### - name: Create GitHub pre-release + tag + if: github.ref != 'refs/heads/main' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | @@ -370,6 +312,19 @@ jobs: --title "$TAG" \ --notes "Version from ${{ github.ref_name }}" + # ### Release steps specific to `main` branch ### + - name: Create GitHub release + tag + if: github.ref == 'refs/heads/main' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + TAG="helix-${VERSION}" + gh release create "$TAG" \ + .cr-release-packages/*.tgz \ + --title "$TAG" \ + --notes "Version from ${{ github.ref_name }}" + - name: Update index.yaml on gh-pages env: CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 04e91064e35029986008c37e082a2b4ab50fd35d Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 16:02:05 +0100 Subject: [PATCH 083/121] add merge with helm before cr index --- .github/workflows/chart-ci.yml | 4 ++++ 1 file changed, 4 insertions(+) 
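Review bot: The new `Create GitHub release + tag` step repeats the pre-release step line for line except for `--prerelease`, so the `VERSION`/`TAG` derivation now exists twice and must be kept in sync by hand. A single unconditional step that sets `PRERELEASE_FLAG=""` on `main` and `PRERELEASE_FLAG=--prerelease` otherwise (`[ "$GITHUB_REF" = refs/heads/main ] || PRERELEASE_FLAG=--prerelease`) and passes `$PRERELEASE_FLAG` to `gh release create` would keep one copy. Both steps carry the `${{ github.ref_name }}` interpolation into `run:` raised on the earlier hunk, and both presumably fail on a re-run once a release for `helix-${VERSION}` already exists, since `gh release create` does not skip existing releases; a `gh release view "$TAG" >/dev/null 2>&1 && exit 0` guard would make the job idempotent.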
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index dd69994..1bfcf42 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -337,6 +337,10 @@ jobs: mkdir -p .cr-index git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml + helm repo index .cr-index/index.yaml \ + --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ + --merge .cr-index/index.yaml + # Regénère l'index en mergant avec l'existant cr index \ --owner ${{ github.repository_owner }} \ From 7a098c472712decc77fbb26efe4b7158bbb19c4e Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 17:07:39 +0100 Subject: [PATCH 084/121] update url in index.yaml --- .github/workflows/chart-ci.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 1bfcf42..049bdd7 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -337,7 +337,7 @@ jobs: mkdir -p .cr-index git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml - helm repo index .cr-index/index.yaml \ + helm repo index .cr-index \ --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ --merge .cr-index/index.yaml @@ -345,8 +345,6 @@ jobs: cr index \ --owner ${{ github.repository_owner }} \ --git-repo ${{ github.event.repository.name }} \ - --packages-with-index \ --index-path .cr-index/index.yaml \ - --package-path .cr-release-packages/ \ --push \ --token ${{ secrets.GITHUB_TOKEN }} From 20843524b01b61d98909106afe37cdb0db921772 Mon Sep 17 00:00:00 2001 
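Review bot: `--token ${{ secrets.GITHUB_TOKEN }}` on the `cr index` command line duplicates the `CR_TOKEN` already exported in the step's `env:` (the `CR_*` variables are how chart-releaser's own action passes the token) and places the secret in process arguments, where it is visible to anything else running on the runner; dropping the flag and relying on the environment is the safer form. Also, `helm repo index .cr-index --merge .cr-index/index.yaml` runs against a directory that, from the preceding lines, holds only the fetched `index.yaml` and no `.tgz`, so it appears to rewrite the index with the same entries and a fresh `generated` timestamp; the new package sits in `.cr-release-packages/`, which this hunk stops passing to `cr index` via `--package-path`. If the intent was to merge the freshly packaged chart, the directory argument should be the one holding the package; whether `cr index` still picks it up from its default package path cannot be confirmed from here.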
From: 7066189 Date: Fri, 27 Feb 2026 17:40:42 +0100 Subject: [PATCH 085/121] update index with cr_releaser 1.7.0 --- .github/workflows/chart-ci.yml | 37 ++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 049bdd7..822179c 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -332,7 +332,7 @@ jobs: git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - # Récupère le gh-pages existant + # Get gh-pages git fetch origin gh-pages mkdir -p .cr-index git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml @@ -341,10 +341,31 @@ jobs: --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ --merge .cr-index/index.yaml - # Regénère l'index en mergant avec l'existant - cr index \ - --owner ${{ github.repository_owner }} \ - --git-repo ${{ github.event.repository.name }} \ - --index-path .cr-index/index.yaml \ - --push \ - --token ${{ secrets.GITHUB_TOKEN }} + # # Merge Index and push to gh-pages + # cr index \ + # --git-repo ${{ github.event.repository.name }} \ + # --push \ + # --token ${{ secrets.GITHUB_TOKEN }} + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.7.0 + if: github.ref != 'refs/heads/main' + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + charts_dir: ${{ inputs.chart-dir }} + skpip_upload: true + skip_existing: true + skip_packaging: true + mark_as_latest: false + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.7.0 + if: github.ref == 'refs/heads/main' + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + skpip_upload: true + skip_existing: true + skip_packaging: true + mark_as_latest: true From 5b2453a58e0a48b566e15516f54025dfa0edb345 Mon Sep 17 00:00:00 2001 
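Review bot: Both new `Run chart-releaser` steps pass `skpip_upload: true`, which is not an input of helm/chart-releaser-action (the input is `skip_upload`); the runner only warns about an unexpected input and ignores it, so packages would still be uploaded unless `skip_existing` happens to cover them. Changing both lines to `skip_upload: true` is the fix. The main-branch step also omits the `charts_dir: ${{ inputs.chart-dir }}` that the dev/feature step sets, so on `main` the action would fall back to its default charts directory; the two `with:` blocks should agree.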
From: 7066189 Date: Fri, 27 Feb 2026 17:58:52 +0100 Subject: [PATCH 086/121] Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 --- .github/workflows/chart-ci.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 822179c..67571fa 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -347,7 +347,12 @@ jobs: # --push \ # --token ${{ secrets.GITHUB_TOKEN }} - - name: Run chart-releaser + # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + git fetch --tags + latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) + echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" + + - name: Run chart-releaser - dev and feature branches uses: helm/chart-releaser-action@v1.7.0 if: github.ref != 'refs/heads/main' env: @@ -359,7 +364,7 @@ jobs: skip_packaging: true mark_as_latest: false - - name: Run chart-releaser + - name: Run chart-releaser - main branch uses: helm/chart-releaser-action@v1.7.0 if: github.ref == 'refs/heads/main' env: From 225266b6c2a5794de76d02cbdacf2d072a1e8aef Mon Sep 17 00:00:00 2001 From: 7066189 Date: Fri, 27 Feb 2026 18:16:46 +0100 Subject: [PATCH 087/121] same error --- .github/workflows/chart-ci.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 67571fa..96887bb 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -324,6 +324,8 @@ jobs: .cr-release-packages/*.tgz \ --title "$TAG" \ --notes "Version from ${{ github.ref_name }}" + # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + echo "latest_tag=$TAG" >> "$GITHUB_OUTPUT" - name: Update index.yaml on gh-pages env: 
@@ -341,19 +343,8 @@ jobs: --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ --merge .cr-index/index.yaml - # # Merge Index and push to gh-pages - # cr index \ - # --git-repo ${{ github.event.repository.name }} \ - # --push \ - # --token ${{ secrets.GITHUB_TOKEN }} - - # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - git fetch --tags - latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) - echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" - - name: Run chart-releaser - dev and feature branches - uses: helm/chart-releaser-action@v1.7.0 + uses: helm/chart-releaser-action@v1.6.0 if: github.ref != 'refs/heads/main' env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" @@ -365,7 +356,7 @@ jobs: mark_as_latest: false - name: Run chart-releaser - main branch - uses: helm/chart-releaser-action@v1.7.0 + uses: helm/chart-releaser-action@v1.6.0 if: github.ref == 'refs/heads/main' env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" From 20b7b810764bc63dbd38635b8b2ed3fd97542581 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 08:50:26 +0100 Subject: [PATCH 088/121] Put latest tag at the right step --- .github/workflows/chart-ci.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 96887bb..bfdd7dd 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -324,8 +324,6 @@ jobs: .cr-release-packages/*.tgz \ --title "$TAG" \ --notes "Version from ${{ github.ref_name }}" - # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - echo "latest_tag=$TAG" >> "$GITHUB_OUTPUT" - name: Update index.yaml on gh-pages env: 
@@ -334,6 +332,9 @@ jobs: git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + echo "latest_tag=$TAG" >> "$GITHUB_OUTPUT" + # Get gh-pages git fetch origin gh-pages mkdir -p .cr-index @@ -344,7 +345,7 @@ jobs: --merge .cr-index/index.yaml - name: Run chart-releaser - dev and feature branches - uses: helm/chart-releaser-action@v1.6.0 + uses: helm/chart-releaser-action@v1.7.0 if: github.ref != 'refs/heads/main' env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" @@ -356,7 +357,7 @@ jobs: mark_as_latest: false - name: Run chart-releaser - main branch - uses: helm/chart-releaser-action@v1.6.0 + uses: helm/chart-releaser-action@v1.7.0 if: github.ref == 'refs/heads/main' env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" From 4b9a32da797ad9f32bb71fd483600717be71f3a4 Mon Sep 17 00:00:00 2001 From: Nicolas Delahaye Date: Mon, 2 Mar 2026 09:14:55 +0100 Subject: [PATCH 089/121] again : latest_tag --- .github/workflows/chart-ci.yml | 738 +++++++++++++++++---------------- 1 file changed, 370 insertions(+), 368 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index bfdd7dd..86c060f 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
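Review bot: `echo "latest_tag=$TAG" >> "$GITHUB_OUTPUT"` is added to the `Update index.yaml on gh-pages` step, but `TAG` is a shell variable set in the earlier `Create GitHub ... release` steps and each `run:` executes in a fresh shell, so here it expands to nothing and the output is written as `latest_tag=`. The step also has no `id:`, so no later step can reference the output either way. Recomputing it in place, `TAG="helix-$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml)"`, and giving the step an `id:` would make the value real; whether the chart-releaser action actually consumes an output named `latest_tag` for the referenced workaround cannot be confirmed from this page.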
@@ -1,368 +1,370 @@ -name: Chart CI - -on: - workflow_call: - inputs: - chart-dir: - description: "Directory holding your Chart" - required: true - type: string - default: "chart" - chart-values: - description: "Chart values file that will be used for the testing and scanning steps" - required: false - type: string - default: "chart/values.yaml" - kubernetes-version: - description: "Version of the target Kubernetes cluster the Chart will run on" - required: false - type: string - default: "1.24.2" - - -jobs: - helm-build-chart: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Install Helm - uses: azure/setup-helm@v4.3.1 - with: - version: v3.14.4 - - - name: Extract and add Helm repositories - run: | - yq eval -r ' - .dependencies[] - | "\(.name) \(.repository)" - ' "${{ inputs.chart-dir }}/Chart.yaml" \ - | while read -r name repo; do - helm repo add "$name" "$repo" - done - helm repo update - - - name: Install chart dependencies - run: | - helm dependency build ${{ inputs.chart-dir }} - - - name: Generate values schema json - uses: losisin/helm-values-schema-json-action@v1.5.3 - with: - input: ${{ inputs.chart-dir }}/values.yaml - output: ${{ inputs.chart-dir }}/values.schema.json - - - name: Helm-docs - uses: losisin/helm-docs-github-action@v1.3.3 - with: - chart-search-root: ${{ inputs.chart-dir }} - values-file: ${{ inputs.chart-dir }}/values.yaml - output-file: ${{ inputs.chart-dir }}/README.md - template-files: ${{ inputs.chart-dir }}/README.md.gotpl - sort-values-order: file - - - name: Upload packaged Chart - uses: actions/upload-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - if-no-files-found: error - retention-days: 1 - - - helm-ct-lint: - name: Helm CT - Chart Linting - runs-on: ubuntu-latest - needs: helm-build-chart - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Download packaged Chart - uses: 
actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Set up Helm - uses: azure/setup-helm@v4.3.1 - - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 - - - name: Run ct lint - run: | - ct lint \ - --target-branch ${{ github.event.repository.default_branch }} \ - --chart-dirs ${{ inputs.chart-dir }} - - - kubeconform: - name: Kubeconform - Chart Validation - needs: helm-ct-lint - runs-on: ubuntu-latest - steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Set up Helm - uses: azure/setup-helm@v4.3.1 - with: - version: v3.14.4 - - - name: Setup Helm plugins - run: | - helm plugin install https://github.com/jtyr/kubeconform-helm - - - name: Run Kubeconform check - run: | - helm kubeconform ${{ inputs.chart-dir }} \ - --values ${{ inputs.chart-values }} \ - --schema-location ${{ inputs.chart-dir }}/values.schema.json \ - --output json \ - --kubernetes-version ${{ inputs.kubernetes-version }} \ - --strict \ - --summary - - - polaris: - name: Polaris - Chart Scan - needs: helm-ct-lint - runs-on: ubuntu-latest - steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Setup Polaris - run: | - mkdir -p .local/bin - curl -s https://api.github.com/repos/FairwindsOps/polaris/releases/latest | \ - jq '.assets[] | select(.name=="polaris_linux_amd64.tar.gz")'.browser_download_url | \ - xargs curl -s -L | \ - tar xvz -C .local/bin polaris - echo "$PWD/.local/bin" >> $GITHUB_PATH - - - name: Configure Polaris - run: | - echo "checks:" > $PWD/polaris_config.yaml - echo " sensitiveContainerEnvVar: warning" >> $PWD/polaris_config.yaml - - - name: Run chart-testing (polaris) - run: | - polaris audit \ - --config=$PWD/polaris_config.yaml \ - --only-show-failed-tests \ - --set-exit-code-below-score=80 \ - 
--set-exit-code-on-danger=true \ - --helm-chart ${{ inputs.chart-dir }} \ - --helm-values ${{ inputs.chart-values }} \ - --format=pretty \ - --color=true - - - trivy: - name: Trivy - Chart Vulnerability Scan - needs: helm-ct-lint - runs-on: ubuntu-latest - steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Build Trivy Vulnerability report - uses: aquasecurity/trivy-action@0.29.0 - env: - TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} - TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }} - with: - scan-type: 'config' - exit-code: '0' - ignore-unfixed: false - severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - format: 'sarif' - output: 'trivy-vuln-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: 'trivy-vuln-results.sarif' - - - name: Run Trivy Vulnerability scan - uses: aquasecurity/trivy-action@0.29.0 - env: - TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} - TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }} - TRIVY_FORMAT: 'table' - TRIVY_OUTPUT: '' - with: - scan-type: 'config' - exit-code: '1' - ignore-unfixed: true - severity: 'CRITICAL' - - - helm-ct-test: - name: Helm CT - Chart Testing - runs-on: ubuntu-latest - needs: - - kubeconform - - polaris - - trivy - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Set up Helm - uses: azure/setup-helm@v4.3.1 - with: - version: v3.14.4 - - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 - - - name: Run chart-testing (list-changed) - id: list-changed - run: | - changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) - if [[ -n "$changed" ]]; then - echo "changed=true" >> "$GITHUB_OUTPUT" 
- fi - - - name: Create kind cluster - if: steps.list-changed.outputs.changed == 'true' - uses: helm/kind-action@v1.10.0 - - - name: Run chart-testing (install) - if: steps.list-changed.outputs.changed == 'true' - run: | - ct install \ - --target-branch ${{ github.event.repository.default_branch }} \ - --chart-dirs ${{ inputs.chart-dir }} \ - --helm-extra-args "-f ${{ inputs.chart-values }}" - - - helm-chart-releaser: - needs: helm-ct-test - name: Helm CR - Chart Release - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - # ### Release steps specific to `feature` branch ### - - name: Add release suffix - SNAPSHOT - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - run: | - VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - ### Release steps specific to `dev` branch ### - - name: Add release suffix - DEV - if: github.ref == 'refs/heads/dev' - run: | - VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . 
+ env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - - name: Install chart-releaser - run: | - curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz - tar -xzf cr.tar.gz - sudo mv cr /usr/local/bin/cr - - - name: Package chart - run: | - helm package ${{ inputs.chart-dir }} -d .cr-release-packages/ - - # ### Release steps specific to `feature` or `dev` branch ### - - name: Create GitHub pre-release + tag - if: github.ref != 'refs/heads/main' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - TAG="helix-${VERSION}" - gh release create "$TAG" \ - .cr-release-packages/*.tgz \ - --prerelease \ - --title "$TAG" \ - --notes "Version from ${{ github.ref_name }}" - - # ### Release steps specific to `main` branch ### - - name: Create GitHub release + tag - if: github.ref == 'refs/heads/main' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - TAG="helix-${VERSION}" - gh release create "$TAG" \ - .cr-release-packages/*.tgz \ - --title "$TAG" \ - --notes "Version from ${{ github.ref_name }}" - - - name: Update index.yaml on gh-pages - env: - CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - echo "latest_tag=$TAG" >> "$GITHUB_OUTPUT" - - # Get gh-pages - git fetch origin gh-pages - mkdir -p .cr-index - git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml - - helm repo index .cr-index \ - --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ - --merge .cr-index/index.yaml - - - name: Run chart-releaser - dev and feature branches - 
uses: helm/chart-releaser-action@v1.7.0 - if: github.ref != 'refs/heads/main' - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - charts_dir: ${{ inputs.chart-dir }} - skpip_upload: true - skip_existing: true - skip_packaging: true - mark_as_latest: false - - - name: Run chart-releaser - main branch - uses: helm/chart-releaser-action@v1.7.0 - if: github.ref == 'refs/heads/main' - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - skpip_upload: true - skip_existing: true - skip_packaging: true - mark_as_latest: true +name: Chart CI + +on: + workflow_call: + inputs: + chart-dir: + description: "Directory holding your Chart" + required: true + type: string + default: "chart" + chart-values: + description: "Chart values file that will be used for the testing and scanning steps" + required: false + type: string + default: "chart/values.yaml" + kubernetes-version: + description: "Version of the target Kubernetes cluster the Chart will run on" + required: false + type: string + default: "1.24.2" + + +jobs: + helm-build-chart: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install Helm + uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 + + - name: Extract and add Helm repositories + run: | + yq eval -r ' + .dependencies[] + | "\(.name) \(.repository)" + ' "${{ inputs.chart-dir }}/Chart.yaml" \ + | while read -r name repo; do + helm repo add "$name" "$repo" + done + helm repo update + + - name: Install chart dependencies + run: | + helm dependency build ${{ inputs.chart-dir }} + + - name: Generate values schema json + uses: losisin/helm-values-schema-json-action@v1.5.3 + with: + input: ${{ inputs.chart-dir }}/values.yaml + output: ${{ inputs.chart-dir }}/values.schema.json + + - name: Helm-docs + uses: losisin/helm-docs-github-action@v1.3.3 + with: + chart-search-root: ${{ inputs.chart-dir }} + values-file: ${{ inputs.chart-dir }}/values.yaml + output-file: ${{ inputs.chart-dir 
}}/README.md + template-files: ${{ inputs.chart-dir }}/README.md.gotpl + sort-values-order: file + + - name: Upload packaged Chart + uses: actions/upload-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + if-no-files-found: error + retention-days: 1 + + + helm-ct-lint: + name: Helm CT - Chart Linting + runs-on: ubuntu-latest + needs: helm-build-chart + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.6.1 + + - name: Run ct lint + run: | + ct lint \ + --target-branch ${{ github.event.repository.default_branch }} \ + --chart-dirs ${{ inputs.chart-dir }} + + + kubeconform: + name: Kubeconform - Chart Validation + needs: helm-ct-lint + runs-on: ubuntu-latest + steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 + + - name: Setup Helm plugins + run: | + helm plugin install https://github.com/jtyr/kubeconform-helm + + - name: Run Kubeconform check + run: | + helm kubeconform ${{ inputs.chart-dir }} \ + --values ${{ inputs.chart-values }} \ + --schema-location ${{ inputs.chart-dir }}/values.schema.json \ + --output json \ + --kubernetes-version ${{ inputs.kubernetes-version }} \ + --strict \ + --summary + + + polaris: + name: Polaris - Chart Scan + needs: helm-ct-lint + runs-on: ubuntu-latest + steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Setup Polaris + run: | + mkdir -p .local/bin + curl -s https://api.github.com/repos/FairwindsOps/polaris/releases/latest | \ + jq '.assets[] | 
select(.name=="polaris_linux_amd64.tar.gz")'.browser_download_url | \ + xargs curl -s -L | \ + tar xvz -C .local/bin polaris + echo "$PWD/.local/bin" >> $GITHUB_PATH + + - name: Configure Polaris + run: | + echo "checks:" > $PWD/polaris_config.yaml + echo " sensitiveContainerEnvVar: warning" >> $PWD/polaris_config.yaml + + - name: Run chart-testing (polaris) + run: | + polaris audit \ + --config=$PWD/polaris_config.yaml \ + --only-show-failed-tests \ + --set-exit-code-below-score=80 \ + --set-exit-code-on-danger=true \ + --helm-chart ${{ inputs.chart-dir }} \ + --helm-values ${{ inputs.chart-values }} \ + --format=pretty \ + --color=true + + + trivy: + name: Trivy - Chart Vulnerability Scan + needs: helm-ct-lint + runs-on: ubuntu-latest + steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Build Trivy Vulnerability report + uses: aquasecurity/trivy-action@0.29.0 + env: + TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} + TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }} + with: + scan-type: 'config' + exit-code: '0' + ignore-unfixed: false + severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' + format: 'sarif' + output: 'trivy-vuln-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: 'trivy-vuln-results.sarif' + + - name: Run Trivy Vulnerability scan + uses: aquasecurity/trivy-action@0.29.0 + env: + TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} + TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }} + TRIVY_FORMAT: 'table' + TRIVY_OUTPUT: '' + with: + scan-type: 'config' + exit-code: '1' + ignore-unfixed: true + severity: 'CRITICAL' + + + helm-ct-test: + name: Helm CT - Chart Testing + runs-on: ubuntu-latest + needs: + - kubeconform + - polaris + - trivy + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Download packaged Chart + 
uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.6.1 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) + if [[ -n "$changed" ]]; then + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Create kind cluster + if: steps.list-changed.outputs.changed == 'true' + uses: helm/kind-action@v1.10.0 + + - name: Run chart-testing (install) + if: steps.list-changed.outputs.changed == 'true' + run: | + ct install \ + --target-branch ${{ github.event.repository.default_branch }} \ + --chart-dirs ${{ inputs.chart-dir }} \ + --helm-extra-args "-f ${{ inputs.chart-values }}" + + + helm-chart-releaser: + needs: helm-ct-test + name: Helm CR - Chart Release + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + # ### Release steps specific to `feature` branch ### + - name: Add release suffix - SNAPSHOT + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + run: | + VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + ### Release steps specific to `dev` branch ### + - name: Add release suffix - DEV + if: github.ref == 'refs/heads/dev' + run: | + VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . 
+ env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + - name: Install chart-releaser + run: | + curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz + tar -xzf cr.tar.gz + sudo mv cr /usr/local/bin/cr + + - name: Package chart + run: | + helm package ${{ inputs.chart-dir }} -d .cr-release-packages/ + + # ### Release steps specific to `feature` or `dev` branch ### + - name: Create GitHub pre-release + tag + if: github.ref != 'refs/heads/main' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + TAG="helix-${VERSION}" + gh release create "$TAG" \ + .cr-release-packages/*.tgz \ + --prerelease \ + --title "$TAG" \ + --notes "Version from ${{ github.ref_name }}" + + # ### Release steps specific to `main` branch ### + - name: Create GitHub release + tag + if: github.ref == 'refs/heads/main' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + TAG="helix-${VERSION}" + gh release create "$TAG" \ + .cr-release-packages/*.tgz \ + --title "$TAG" \ + --notes "Version from ${{ github.ref_name }}" + + - name: Update index.yaml on gh-pages + env: + CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + git fetch --tags + latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) + echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" + + # Get gh-pages + git fetch origin gh-pages + mkdir -p .cr-index + git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml + helm repo index .cr-index \ + --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ + 
--merge .cr-index/index.yaml + + + - name: Run chart-releaser - dev and feature branches + uses: helm/chart-releaser-action@v1.7.0 + if: github.ref != 'refs/heads/main' + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + charts_dir: ${{ inputs.chart-dir }} + skpip_upload: true + skip_existing: true + skip_packaging: true + mark_as_latest: false + + - name: Run chart-releaser - main branch + uses: helm/chart-releaser-action@v1.7.0 + if: github.ref == 'refs/heads/main' + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + skpip_upload: true + skip_existing: true + skip_packaging: true + mark_as_latest: true From 0aadd31903e75a7a84eed9d69bd6a061f9c62857 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 09:21:21 +0100 Subject: [PATCH 090/121] Latest tag --- .github/workflows/chart-ci.yml | 740 ++++++++++++++++----------------- 1 file changed, 370 insertions(+), 370 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 86c060f..d3aad03 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -1,370 +1,370 @@ -name: Chart CI - -on: - workflow_call: - inputs: - chart-dir: - description: "Directory holding your Chart" - required: true - type: string - default: "chart" - chart-values: - description: "Chart values file that will be used for the testing and scanning steps" - required: false - type: string - default: "chart/values.yaml" - kubernetes-version: - description: "Version of the target Kubernetes cluster the Chart will run on" - required: false - type: string - default: "1.24.2" - - -jobs: - helm-build-chart: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Install Helm - uses: azure/setup-helm@v4.3.1 - with: - version: v3.14.4 - - - name: Extract and add Helm repositories - run: | - yq eval -r ' - .dependencies[] - | "\(.name) \(.repository)" - ' "${{ inputs.chart-dir }}/Chart.yaml" \ - | while read -r name repo; do - helm repo add "$name" "$repo" - done - helm repo update - - - name: Install chart dependencies - run: | - helm dependency build ${{ inputs.chart-dir }} - - - name: Generate values schema json - uses: losisin/helm-values-schema-json-action@v1.5.3 - with: - input: ${{ inputs.chart-dir }}/values.yaml - output: ${{ inputs.chart-dir }}/values.schema.json - - - name: Helm-docs - uses: losisin/helm-docs-github-action@v1.3.3 - with: - chart-search-root: ${{ inputs.chart-dir }} - values-file: ${{ inputs.chart-dir }}/values.yaml - output-file: ${{ inputs.chart-dir }}/README.md - template-files: ${{ inputs.chart-dir }}/README.md.gotpl - sort-values-order: file - - - name: Upload packaged Chart - uses: actions/upload-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - if-no-files-found: error - retention-days: 1 - - - helm-ct-lint: - name: Helm CT - Chart Linting - runs-on: ubuntu-latest - needs: helm-build-chart - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Download packaged Chart - uses: 
actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Set up Helm - uses: azure/setup-helm@v4.3.1 - - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 - - - name: Run ct lint - run: | - ct lint \ - --target-branch ${{ github.event.repository.default_branch }} \ - --chart-dirs ${{ inputs.chart-dir }} - - - kubeconform: - name: Kubeconform - Chart Validation - needs: helm-ct-lint - runs-on: ubuntu-latest - steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Set up Helm - uses: azure/setup-helm@v4.3.1 - with: - version: v3.14.4 - - - name: Setup Helm plugins - run: | - helm plugin install https://github.com/jtyr/kubeconform-helm - - - name: Run Kubeconform check - run: | - helm kubeconform ${{ inputs.chart-dir }} \ - --values ${{ inputs.chart-values }} \ - --schema-location ${{ inputs.chart-dir }}/values.schema.json \ - --output json \ - --kubernetes-version ${{ inputs.kubernetes-version }} \ - --strict \ - --summary - - - polaris: - name: Polaris - Chart Scan - needs: helm-ct-lint - runs-on: ubuntu-latest - steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Setup Polaris - run: | - mkdir -p .local/bin - curl -s https://api.github.com/repos/FairwindsOps/polaris/releases/latest | \ - jq '.assets[] | select(.name=="polaris_linux_amd64.tar.gz")'.browser_download_url | \ - xargs curl -s -L | \ - tar xvz -C .local/bin polaris - echo "$PWD/.local/bin" >> $GITHUB_PATH - - - name: Configure Polaris - run: | - echo "checks:" > $PWD/polaris_config.yaml - echo " sensitiveContainerEnvVar: warning" >> $PWD/polaris_config.yaml - - - name: Run chart-testing (polaris) - run: | - polaris audit \ - --config=$PWD/polaris_config.yaml \ - --only-show-failed-tests \ - --set-exit-code-below-score=80 \ - 
--set-exit-code-on-danger=true \ - --helm-chart ${{ inputs.chart-dir }} \ - --helm-values ${{ inputs.chart-values }} \ - --format=pretty \ - --color=true - - - trivy: - name: Trivy - Chart Vulnerability Scan - needs: helm-ct-lint - runs-on: ubuntu-latest - steps: - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Build Trivy Vulnerability report - uses: aquasecurity/trivy-action@0.29.0 - env: - TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} - TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }} - with: - scan-type: 'config' - exit-code: '0' - ignore-unfixed: false - severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - format: 'sarif' - output: 'trivy-vuln-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: 'trivy-vuln-results.sarif' - - - name: Run Trivy Vulnerability scan - uses: aquasecurity/trivy-action@0.29.0 - env: - TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} - TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }} - TRIVY_FORMAT: 'table' - TRIVY_OUTPUT: '' - with: - scan-type: 'config' - exit-code: '1' - ignore-unfixed: true - severity: 'CRITICAL' - - - helm-ct-test: - name: Helm CT - Chart Testing - runs-on: ubuntu-latest - needs: - - kubeconform - - polaris - - trivy - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Download packaged Chart - uses: actions/download-artifact@v4 - with: - name: packaged-chart - path: ${{ inputs.chart-dir }} - - - name: Set up Helm - uses: azure/setup-helm@v4.3.1 - with: - version: v3.14.4 - - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 - - - name: Run chart-testing (list-changed) - id: list-changed - run: | - changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) - if [[ -n "$changed" ]]; then - echo "changed=true" >> "$GITHUB_OUTPUT" 
- fi - - - name: Create kind cluster - if: steps.list-changed.outputs.changed == 'true' - uses: helm/kind-action@v1.10.0 - - - name: Run chart-testing (install) - if: steps.list-changed.outputs.changed == 'true' - run: | - ct install \ - --target-branch ${{ github.event.repository.default_branch }} \ - --chart-dirs ${{ inputs.chart-dir }} \ - --helm-extra-args "-f ${{ inputs.chart-values }}" - - - helm-chart-releaser: - needs: helm-ct-test - name: Helm CR - Chart Release - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - # ### Release steps specific to `feature` branch ### - - name: Add release suffix - SNAPSHOT - if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' - run: | - VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - ### Release steps specific to `dev` branch ### - - name: Add release suffix - DEV - if: github.ref == 'refs/heads/dev' - run: | - VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ - yq -i '.version |= . 
+ env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - - name: Install chart-releaser - run: | - curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz - tar -xzf cr.tar.gz - sudo mv cr /usr/local/bin/cr - - - name: Package chart - run: | - helm package ${{ inputs.chart-dir }} -d .cr-release-packages/ - - # ### Release steps specific to `feature` or `dev` branch ### - - name: Create GitHub pre-release + tag - if: github.ref != 'refs/heads/main' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - TAG="helix-${VERSION}" - gh release create "$TAG" \ - .cr-release-packages/*.tgz \ - --prerelease \ - --title "$TAG" \ - --notes "Version from ${{ github.ref_name }}" - - # ### Release steps specific to `main` branch ### - - name: Create GitHub release + tag - if: github.ref == 'refs/heads/main' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - TAG="helix-${VERSION}" - gh release create "$TAG" \ - .cr-release-packages/*.tgz \ - --title "$TAG" \ - --notes "Version from ${{ github.ref_name }}" - - - name: Update index.yaml on gh-pages - env: - CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - git fetch --tags - latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) - echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" - - # Get gh-pages - git fetch origin gh-pages - mkdir -p .cr-index - git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml - helm repo index .cr-index \ - --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ - 
--merge .cr-index/index.yaml - - - - name: Run chart-releaser - dev and feature branches - uses: helm/chart-releaser-action@v1.7.0 - if: github.ref != 'refs/heads/main' - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - charts_dir: ${{ inputs.chart-dir }} - skpip_upload: true - skip_existing: true - skip_packaging: true - mark_as_latest: false - - - name: Run chart-releaser - main branch - uses: helm/chart-releaser-action@v1.7.0 - if: github.ref == 'refs/heads/main' - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - skpip_upload: true - skip_existing: true - skip_packaging: true - mark_as_latest: true +name: Chart CI + +on: + workflow_call: + inputs: + chart-dir: + description: "Directory holding your Chart" + required: true + type: string + default: "chart" + chart-values: + description: "Chart values file that will be used for the testing and scanning steps" + required: false + type: string + default: "chart/values.yaml" + kubernetes-version: + description: "Version of the target Kubernetes cluster the Chart will run on" + required: false + type: string + default: "1.24.2" + + +jobs: + helm-build-chart: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install Helm + uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 + + - name: Extract and add Helm repositories + run: | + yq eval -r ' + .dependencies[] + | "\(.name) \(.repository)" + ' "${{ inputs.chart-dir }}/Chart.yaml" \ + | while read -r name repo; do + helm repo add "$name" "$repo" + done + helm repo update + + - name: Install chart dependencies + run: | + helm dependency build ${{ inputs.chart-dir }} + + - name: Generate values schema json + uses: losisin/helm-values-schema-json-action@v1.5.3 + with: + input: ${{ inputs.chart-dir }}/values.yaml + output: ${{ inputs.chart-dir }}/values.schema.json + + - name: Helm-docs + uses: losisin/helm-docs-github-action@v1.3.3 + with: + chart-search-root: ${{ inputs.chart-dir }} + 
values-file: ${{ inputs.chart-dir }}/values.yaml + output-file: ${{ inputs.chart-dir }}/README.md + template-files: ${{ inputs.chart-dir }}/README.md.gotpl + sort-values-order: file + + - name: Upload packaged Chart + uses: actions/upload-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + if-no-files-found: error + retention-days: 1 + + + helm-ct-lint: + name: Helm CT - Chart Linting + runs-on: ubuntu-latest + needs: helm-build-chart + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.6.1 + + - name: Run ct lint + run: | + ct lint \ + --target-branch ${{ github.event.repository.default_branch }} \ + --chart-dirs ${{ inputs.chart-dir }} + + + kubeconform: + name: Kubeconform - Chart Validation + needs: helm-ct-lint + runs-on: ubuntu-latest + steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 + + - name: Setup Helm plugins + run: | + helm plugin install https://github.com/jtyr/kubeconform-helm + + - name: Run Kubeconform check + run: | + helm kubeconform ${{ inputs.chart-dir }} \ + --values ${{ inputs.chart-values }} \ + --schema-location ${{ inputs.chart-dir }}/values.schema.json \ + --output json \ + --kubernetes-version ${{ inputs.kubernetes-version }} \ + --strict \ + --summary + + + polaris: + name: Polaris - Chart Scan + needs: helm-ct-lint + runs-on: ubuntu-latest + steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Setup Polaris + run: | + mkdir -p .local/bin + curl -s 
https://api.github.com/repos/FairwindsOps/polaris/releases/latest | \ + jq '.assets[] | select(.name=="polaris_linux_amd64.tar.gz")'.browser_download_url | \ + xargs curl -s -L | \ + tar xvz -C .local/bin polaris + echo "$PWD/.local/bin" >> $GITHUB_PATH + + - name: Configure Polaris + run: | + echo "checks:" > $PWD/polaris_config.yaml + echo " sensitiveContainerEnvVar: warning" >> $PWD/polaris_config.yaml + + - name: Run chart-testing (polaris) + run: | + polaris audit \ + --config=$PWD/polaris_config.yaml \ + --only-show-failed-tests \ + --set-exit-code-below-score=80 \ + --set-exit-code-on-danger=true \ + --helm-chart ${{ inputs.chart-dir }} \ + --helm-values ${{ inputs.chart-values }} \ + --format=pretty \ + --color=true + + + trivy: + name: Trivy - Chart Vulnerability Scan + needs: helm-ct-lint + runs-on: ubuntu-latest + steps: + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Build Trivy Vulnerability report + uses: aquasecurity/trivy-action@0.29.0 + env: + TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} + TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }} + with: + scan-type: 'config' + exit-code: '0' + ignore-unfixed: false + severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' + format: 'sarif' + output: 'trivy-vuln-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: 'trivy-vuln-results.sarif' + + - name: Run Trivy Vulnerability scan + uses: aquasecurity/trivy-action@0.29.0 + env: + TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} + TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }} + TRIVY_FORMAT: 'table' + TRIVY_OUTPUT: '' + with: + scan-type: 'config' + exit-code: '1' + ignore-unfixed: true + severity: 'CRITICAL' + + + helm-ct-test: + name: Helm CT - Chart Testing + runs-on: ubuntu-latest + needs: + - kubeconform + - polaris + - trivy + steps: + - name: Checkout + 
uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Download packaged Chart + uses: actions/download-artifact@v4 + with: + name: packaged-chart + path: ${{ inputs.chart-dir }} + + - name: Set up Helm + uses: azure/setup-helm@v4.3.1 + with: + version: v3.14.4 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.6.1 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) + if [[ -n "$changed" ]]; then + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Create kind cluster + if: steps.list-changed.outputs.changed == 'true' + uses: helm/kind-action@v1.10.0 + + - name: Run chart-testing (install) + if: steps.list-changed.outputs.changed == 'true' + run: | + ct install \ + --target-branch ${{ github.event.repository.default_branch }} \ + --chart-dirs ${{ inputs.chart-dir }} \ + --helm-extra-args "-f ${{ inputs.chart-values }}" + + + helm-chart-releaser: + needs: helm-ct-test + name: Helm CR - Chart Release + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + # ### Release steps specific to `feature` branch ### + - name: Add release suffix - SNAPSHOT + if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' + run: | + VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + ### Release steps specific to `dev` branch ### + - name: Add release suffix - DEV + if: github.ref == 'refs/heads/dev' + run: | + VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ + yq -i '.version |= . 
+ env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml + + - name: Install chart-releaser + run: | + curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz + tar -xzf cr.tar.gz + sudo mv cr /usr/local/bin/cr + + - name: Package chart + run: | + helm package ${{ inputs.chart-dir }} -d .cr-release-packages/ + + # ### Release steps specific to `feature` or `dev` branch ### + - name: Create GitHub pre-release + tag + if: github.ref != 'refs/heads/main' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + TAG="helix-${VERSION}" + gh release create "$TAG" \ + .cr-release-packages/*.tgz \ + --prerelease \ + --title "$TAG" \ + --notes "Version from ${{ github.ref_name }}" + + # ### Release steps specific to `main` branch ### + - name: Create GitHub release + tag + if: github.ref == 'refs/heads/main' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + TAG="helix-${VERSION}" + gh release create "$TAG" \ + .cr-release-packages/*.tgz \ + --title "$TAG" \ + --notes "Version from ${{ github.ref_name }}" + + - name: Update index.yaml on gh-pages + env: + CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + git fetch --tags + latest_tag=$(git tag --sort=-creatordate | head -n 1 || true) + echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT" + + # Get gh-pages + git fetch origin gh-pages + mkdir -p .cr-index + git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml + helm repo index .cr-index \ + --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ + 
--merge .cr-index/index.yaml
+
+
+ - name: Run chart-releaser - dev and feature branches
+ uses: helm/chart-releaser-action@v1.7.0
+ if: github.ref != 'refs/heads/main'
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ with:
+ charts_dir: ${{ inputs.chart-dir }}
+ skpip_upload: true
+ skip_existing: true
+ skip_packaging: true
+ mark_as_latest: false
+
+ - name: Run chart-releaser - main branch
+ uses: helm/chart-releaser-action@v1.7.0
+ if: github.ref == 'refs/heads/main'
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ with:
+ skpip_upload: true
+ skip_existing: true
+ skip_packaging: true
+ mark_as_latest: true
From 8ed5c3b3a6f69580701425f1342a14bb08355603 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Mon, 2 Mar 2026 09:34:04 +0100
Subject: [PATCH 091/121] Latest
---
 .github/workflows/chart-ci.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index d3aad03..f768a21 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -334,8 +334,13 @@ jobs:
 
 # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055
 git fetch --tags
- latest_tag=$(git tag --sort=-creatordate | head -n 1 || true)
- echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"
+
+ if ! latest_tag=$(git tag --sort=-creatordate | head -n 1); then
+ echo "⚠️ Aucun tag trouvé dans le dépôt – fallback à v0.0.0"
+ latest_tag="v0.0.0"
+ fi
+
+ echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT"
 
 # Get gh-pages
 git fetch origin gh-pages
From 5178c5bc094c68b35f1ded6c1c887535c9450cb0 Mon Sep 17 00:00:00 2001
From: 7066189
Date: Mon, 2 Mar 2026 09:40:39 +0100
Subject: [PATCH 092/121] Latest tag from $tag
---
 .github/workflows/chart-ci.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index f768a21..9b126bc 100644
--- a/.github/workflows/chart-ci.yml
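Review bot: The fallback branch can never fire: `if ! latest_tag=$(git tag --sort=-creatordate | head -n 1)` tests the exit status of `head`, which is 0 even when the repository has no tags, so `latest_tag` is silently left empty; test the value instead, `if [ -z "$latest_tag" ]; then`. The last added line also stops producing a usable step output, because `$GITHUB_OUTPUT` expects `name=value` and `echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT"` defines an output named `✅ Latest tag ` rather than `latest_tag`; keep the human-readable echo on stdout and write `echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"`. The same malformed output line survives in the hunks of patches 092, 093, 094 and 095, and the step header (outside this hunk) appears to carry no `id`, so the output could not be referenced by later steps even if well-formed. The new log messages are in French while the rest of the workflow is in English; keeping them in one language makes run logs easier to grep.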
+++ b/.github/workflows/chart-ci.yml
@@ -336,10 +336,11 @@ jobs:
 git fetch --tags
 
 if ! latest_tag=$(git tag --sort=-creatordate | head -n 1); then
- echo "⚠️ Aucun tag trouvé dans le dépôt – fallback à v0.0.0"
- latest_tag="v0.0.0"
+ echo "⚠️ Aucun tag trouvé dans le dépôt – fallback à $TAG"
+ latest_tag="$TAG"
 fi
 
+ echo "✅ Latest tag = $latest_tag"
 echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT"
 
 # Get gh-pages
From 6350628e888d171b1fe01ef10c662bd8ca31f1bf Mon Sep 17 00:00:00 2001
From: 7066189
Date: Mon, 2 Mar 2026 09:50:03 +0100
Subject: [PATCH 093/121] Latest
---
 .github/workflows/chart-ci.yml | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 9b126bc..6885c22 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -333,15 +333,8 @@ jobs:
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
 # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055
- git fetch --tags
-
- if ! latest_tag=$(git tag --sort=-creatordate | head -n 1); then
- echo "⚠️ Aucun tag trouvé dans le dépôt – fallback à $TAG"
- latest_tag="$TAG"
- fi
-
- echo "✅ Latest tag = $latest_tag"
- echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT"
+ latest_tag="$TAG"
+ echo "✅ Latest tag = $latest_tag" && echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT"
 
 # Get gh-pages
 git fetch origin gh-pages
From ed7c1dbd1c86b0c9fec42eb44d146d4c7c59928a Mon Sep 17 00:00:00 2001
From: 7066189
Date: Mon, 2 Mar 2026 09:59:40 +0100
Subject: [PATCH 094/121] export latest
---
 .github/workflows/chart-ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index 6885c22..a4d99d4 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
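Review bot: `$TAG` is unset in this step: it is assigned inside the `gh release create` steps' own shell, and a shell variable — even `export`ed, as patch 094 does — does not survive across steps, so the fallback `latest_tag="$TAG"` here, the unconditional assignment in patch 093's hunk, and the `export latest_tag="$TAG"` moved in patch 095 all yield an empty value. To share the tag, write it to the job environment where it is computed, `echo "TAG=helix-${VERSION}" >> "$GITHUB_ENV"`, and read it as `$TAG` (or `${{ env.TAG }}`) in later steps. Patch 095 additionally removes the `VERSION`/`TAG` computation from the pre-release step while the main-branch step keeps its own copy, so on non-main branches `gh release create "$TAG"` would then run with an empty tag unless the value is exported through `$GITHUB_ENV` as above.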
@@ -305,7 +305,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml)
- TAG="helix-${VERSION}"
+ export TAG="helix-${VERSION}"
 gh release create "$TAG" \
 .cr-release-packages/*.tgz \
 --prerelease \
@@ -319,7 +319,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml)
- TAG="helix-${VERSION}"
+ export TAG="helix-${VERSION}"
 gh release create "$TAG" \
 .cr-release-packages/*.tgz \
 --title "$TAG" \
@@ -333,7 +333,7 @@ jobs:
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
 # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055
- latest_tag="$TAG"
+ export latest_tag="$TAG"
 echo "✅ Latest tag = $latest_tag" && echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT"
 
 # Get gh-pages
From de6a7113af3856a2add08f0fd6d3aaef415c758b Mon Sep 17 00:00:00 2001
From: 7066189
Date: Mon, 2 Mar 2026 10:09:04 +0100
Subject: [PATCH 095/121] CR and GH
---
 .github/workflows/chart-ci.yml | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml
index a4d99d4..81ae2b9 100644
--- a/.github/workflows/chart-ci.yml
+++ b/.github/workflows/chart-ci.yml
@@ -288,24 +288,19 @@ jobs: VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - - name: Install chart-releaser - run: | - curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz - tar -xzf cr.tar.gz - sudo mv cr /usr/local/bin/cr - - name: Package chart run: | helm package ${{ inputs.chart-dir }} -d .cr-release-packages/ + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + export TAG="helix-${VERSION}" + # ### Release steps specific to `feature` or `dev` branch ### - name: Create GitHub pre-release + tag if: github.ref != 'refs/heads/main' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - export TAG="helix-${VERSION}" gh release create "$TAG" \ .cr-release-packages/*.tgz \ --prerelease \ @@ -320,6 +315,7 @@ jobs: run: | VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) export TAG="helix-${VERSION}" + gh release create "$TAG" \ .cr-release-packages/*.tgz \ --title "$TAG" \ 
@@ -329,22 +325,28 @@ jobs: env: CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - export latest_tag="$TAG" - echo "✅ Latest tag = $latest_tag" && echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" - # Get gh-pages git fetch origin gh-pages mkdir -p .cr-index git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml + helm repo index .cr-index \ --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ --merge .cr-index/index.yaml + - name: Install chart-releaser + run: | + curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz + tar -xzf cr.tar.gz + sudo mv cr /usr/local/bin/cr + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 + export latest_tag="$TAG" + echo "✅ Latest tag = $latest_tag" && echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" + - name: Run chart-releaser - dev and feature branches uses: helm/chart-releaser-action@v1.7.0 if: github.ref != 'refs/heads/main' From 964011223c128a0a9dbe02758043672b3ae09581 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 10:21:04 +0100 Subject: [PATCH 096/121] Prepare git for chart-releaser --- .github/workflows/chart-ci.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 81ae2b9..016f1b6 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
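Review bot: The `chart-releaser` binary is fetched with `curl` and moved into `/usr/local/bin` without any integrity check, so a tampered or truncated download is installed silently and then runs with the `CR_TOKEN` this step receives; pin the expected digest next to the pinned version and verify it before extracting, `echo "<sha256 of chart-releaser_1.7.0_linux_amd64.tar.gz — placeholder>  cr.tar.gz" | sha256sum -c -`. The same unverified download reappears in PATCH 099 (`@@ -348,6 +348,37 @@`) and PATCH 105. Separately, the context line `echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml` writes a literal backslash-n with bash's builtin `echo`, so the fallback index is one malformed line rather than the intended two; use `printf 'apiVersion: v1\nentries: {}\n' > .cr-index/index.yaml`. The "Update index.yaml" step starts outside the hunk.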
@@ -292,15 +292,15 @@ jobs: run: | helm package ${{ inputs.chart-dir }} -d .cr-release-packages/ - VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - export TAG="helix-${VERSION}" - # ### Release steps specific to `feature` or `dev` branch ### - name: Create GitHub pre-release + tag if: github.ref != 'refs/heads/main' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + TAG="helix-${VERSION}" + gh release create "$TAG" \ .cr-release-packages/*.tgz \ --prerelease \ @@ -334,17 +334,20 @@ jobs: --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ --merge .cr-index/index.yaml - - name: Install chart-releaser + # - name: Install chart-releaser + - name: Prepare git for chart-releaser action run: | - curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz - tar -xzf cr.tar.gz - sudo mv cr /usr/local/bin/cr + # curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz + # tar -xzf cr.tar.gz + # sudo mv cr /usr/local/bin/cr git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - + # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - export latest_tag="$TAG" + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + latest_tag="helix-${VERSION}" + echo "✅ Latest tag = $latest_tag" && echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" - name: Run chart-releaser - dev and feature branches From 49ef861861d69c3ebb37d0db89aa3371e3eeaf9a Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 10:37:19 +0100 Subject: [PATCH 097/121] Latest --- .github/workflows/chart-ci.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) 
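Review bot: The old install commands are kept as comments inside the new "Prepare git for chart-releaser action" step instead of being deleted, which leaves dead text in the workflow that git history already preserves. The tag derivation `latest_tag="helix-${VERSION}"` from `yq '.version' .../Chart.yaml` is now spelled out a third time (both release steps plus this step), so a change to the naming scheme has to be made in three places; computing it once in a step with an `id:` and publishing `echo "tag=$TAG" >> "$GITHUB_OUTPUT"` removes the duplication. The context line `echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT"` still does not write a `name=value` pair. The enclosing step starts outside the hunk.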
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 016f1b6..5a344b8 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -334,13 +334,8 @@ jobs: --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ --merge .cr-index/index.yaml - # - name: Install chart-releaser - name: Prepare git for chart-releaser action run: | - # curl -sSLo cr.tar.gz https://github.com/helm/chart-releaser/releases/download/v1.7.0/chart-releaser_1.7.0_linux_amd64.tar.gz - # tar -xzf cr.tar.gz - # sudo mv cr /usr/local/bin/cr - git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" @@ -348,7 +343,8 @@ jobs: VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) latest_tag="helix-${VERSION}" - echo "✅ Latest tag = $latest_tag" && echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" + echo "✅ Latest tag = $latest_tag" + echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" - name: Run chart-releaser - dev and feature branches uses: helm/chart-releaser-action@v1.7.0 @@ -357,8 +353,7 @@ jobs: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: charts_dir: ${{ inputs.chart-dir }} - skpip_upload: true - skip_existing: true + skip-packaging: true skip_packaging: true mark_as_latest: false @@ -368,7 +363,6 @@ jobs: env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: - skpip_upload: true skip_existing: true - skip_packaging: true + skip-packaging: true mark_as_latest: true From f69207e5c9bfcbb069c0f5ad2e44f734ee90bf11 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 10:49:54 +0100 Subject: [PATCH 098/121] CR update --- .github/workflows/chart-ci.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 5a344b8..dcf045e 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
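Review bot: `skip-packaging: true` is not an input of `helm/chart-releaser-action` (its inputs are snake_case: `skip_packaging`, `skip_upload`, `skip_existing`, `mark_as_latest`), so the runner only warns about an unexpected input and ignores it; the dev/feature step now carries both spellings, and the main-branch step has lost its working `skip_packaging: true`. Keep `skip_packaging: true` in both `with:` blocks and drop the hyphenated key. Removing `skpip_upload` also removes the apparent intent to skip the upload, which was only misspelled — `skip_upload: true` is the spelling the action understands. Both steps start outside their hunks.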
@@ -341,7 +341,9 @@ jobs: # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + latest_tag="helix-${VERSION}" + export latest_tag="helix-${VERSION}" echo "✅ Latest tag = $latest_tag" echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" @@ -353,7 +355,8 @@ jobs: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: charts_dir: ${{ inputs.chart-dir }} - skip-packaging: true + skip_upload: true + skip_existing: true skip_packaging: true mark_as_latest: false @@ -363,6 +366,7 @@ jobs: env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: + skip_upload: true skip_existing: true - skip-packaging: true + skip_packaging: true mark_as_latest: true From 294e3e7cb6dd9e74a5443ebc31911beceb7be182 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 13:49:43 +0100 Subject: [PATCH 099/121] do it by cr --- .github/workflows/chart-ci.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index dcf045e..e1758b2 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
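Review bot: `latest_tag="helix-${VERSION}"` is immediately followed by `export latest_tag="helix-${VERSION}"`, so the first assignment is dead; keep one line. `export` only affects child processes of this step's shell and does not make `latest_tag` visible to later steps — if another step needs it, append `echo "latest_tag=$latest_tag" >> "$GITHUB_ENV"` instead. The enclosing step starts outside the hunk.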
@@ -348,6 +348,37 @@ jobs: echo "✅ Latest tag = $latest_tag" echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" + - name: CR ACTION - Update index.yaml on gh-pages and push changes + run: | + args=(-o "$owner" -r "$repo" --push) + echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" + + echo "Installing chart-releaser on $install_dir..." + curl -sSLo cr.tar.gz "https://github.com/helm/chart-releaser/releases/download/v1.8.1/chart-releaser_1.8.1_linux_amd64.tar.gz" + tar -xzf cr.tar.gz -C "/usr/local/bin/" + rm -f cr.tar.gz + + echo 'Adding cr directory to PATH...' + + if [[ "$latest_tag" == *"-snapshot"* ]]; then + MARK_AS_LATEST=false + elif [[ "$latest_tag" == *"-dev"* ]]; then + MARK_AS_LATEST=false + else + MARK_AS_LATEST=true + fi + + echo "✅ Latest ? $MARK_AS_LATEST" >> "$GITHUB_OUTPUT" + + args+=(--make-release-latest=$MARK_AS_LATEST) + + cr index "${args[@]}" + + # git add .cr-index/index.yaml + # git commit -m "Update index.yaml for $latest_tag" + # git push origin gh-pages + + - name: Run chart-releaser - dev and feature branches uses: helm/chart-releaser-action@v1.7.0 if: github.ref != 'refs/heads/main' From e41ee177625fcd16a8d85414972349849e268bca Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 14:11:05 +0100 Subject: [PATCH 100/121] Fix version in chart. --- .github/workflows/chart-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index e1758b2..cdb5611 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
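Review bot: The new step references `$owner`, `$repo`, `$install_dir` and `$latest_tag`, none of which is defined in this step's shell (there is no `env:` block and a previous step's variables do not persist), so `cr index` is invoked with empty `-o`/`-r` values, the log prints "on ...", and `MARK_AS_LATEST` falls through to `true` for every build. The step also has no `CR_TOKEN`, yet `--push` needs credentials to commit to gh-pages. On the install side, `tar -xzf cr.tar.gz -C "/usr/local/bin/"` unpacks every archive member into a root-owned directory without `sudo` and without any digest check of the download. A sketch of the corrected step follows; `latest_tag` should be handed in by the step that computes it via `echo "latest_tag=$latest_tag" >> "$GITHUB_ENV"`.
```yaml
- name: CR ACTION - Update index.yaml on gh-pages and push changes
  env:
    CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    args=(-o "${{ github.repository_owner }}" -r "${{ github.event.repository.name }}" --push)
    # … unchanged: curl download of chart-releaser v1.8.1 …
    echo "<sha256 of chart-releaser_1.8.1_linux_amd64.tar.gz — placeholder>  cr.tar.gz" | sha256sum -c -
    tar -xzf cr.tar.gz -C "$RUNNER_TEMP" cr
    sudo install -m 0755 "$RUNNER_TEMP/cr" /usr/local/bin/cr
    rm -f cr.tar.gz
    # … unchanged: MARK_AS_LATEST selection and cr index …
```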
@@ -278,14 +278,14 @@ jobs: - name: Add release suffix - SNAPSHOT if: github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' run: | - VERSION_SUFFIX="-snapshot.$(git rev-parse --short ${{ github.sha }})" \ + VERSION_SUFFIX="-snapshot-$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml ### Release steps specific to `dev` branch ### - name: Add release suffix - DEV if: github.ref == 'refs/heads/dev' run: | - VERSION_SUFFIX="-dev.$(git rev-parse --short ${{ github.sha }})" \ + VERSION_SUFFIX="-dev-$(git rev-parse --short ${{ github.sha }})" \ yq -i '.version |= . + env(VERSION_SUFFIX)' ${{ inputs.chart-dir }}/Chart.yaml - name: Package chart From 1ceed1275e55052b6c365179892caf7548eaa8d3 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 14:19:42 +0100 Subject: [PATCH 101/121] Update CR rags + upload release --- .github/workflows/chart-ci.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index cdb5611..35bdc3a 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -360,23 +360,21 @@ jobs: echo 'Adding cr directory to PATH...' - if [[ "$latest_tag" == *"-snapshot"* ]]; then - MARK_AS_LATEST=false - elif [[ "$latest_tag" == *"-dev"* ]]; then + if [[ "$latest_tag" == *"-snapshot-"* || "$latest_tag" == *"-dev-"* ]]; then MARK_AS_LATEST=false else MARK_AS_LATEST=true fi - echo "✅ Latest ? $MARK_AS_LATEST" >> "$GITHUB_OUTPUT" - - args+=(--make-release-latest=$MARK_AS_LATEST) + echo "✅ Latest ? $MARK_AS_LATEST" cr index "${args[@]}" - # git add .cr-index/index.yaml - # git commit -m "Update index.yaml for $latest_tag" - # git push origin gh-pages + + # Release the chart and update the index.yaml file on gh-pages + args+=(--make-release-latest=$MARK_AS_LATEST) + args+=(--skip-existing) + cr upload "${args[@]}" - name: Run chart-releaser - dev and feature branches From d345dcc6efd2cabddf06d4dcc2b3d716377636d7 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 14:22:33 +0100 Subject: [PATCH 102/121] remove upload in case : immutable release --- .github/workflows/chart-ci.yml | 50 +++++++++++++++------------------- 1 file changed, 22 insertions(+), 28 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 35bdc3a..cd65ae8 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
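Review bot: `MARK_AS_LATEST` ends up `true` whenever `$latest_tag` is empty, and as far as the visible hunks show it is set in a previous step with `export`, which does not reach this step's shell; a dev or feature build would then be uploaded with `--make-release-latest=true`. Deciding from the branch is more robust than substring-matching the tag: `if [[ "$GITHUB_REF" != "refs/heads/main" ]]; then MARK_AS_LATEST=false; else MARK_AS_LATEST=true; fi`. `cr upload` is also placed after `cr index --push`; if the pushed index is expected to reflect what `cr upload` publishes rather than the earlier `gh release create`, the two calls should be swapped. The enclosing step starts outside the hunk.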
@@ -371,31 +371,25 @@ jobs: cr index "${args[@]}" - # Release the chart and update the index.yaml file on gh-pages - args+=(--make-release-latest=$MARK_AS_LATEST) - args+=(--skip-existing) - cr upload "${args[@]}" - - - - name: Run chart-releaser - dev and feature branches - uses: helm/chart-releaser-action@v1.7.0 - if: github.ref != 'refs/heads/main' - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - charts_dir: ${{ inputs.chart-dir }} - skip_upload: true - skip_existing: true - skip_packaging: true - mark_as_latest: false - - - name: Run chart-releaser - main branch - uses: helm/chart-releaser-action@v1.7.0 - if: github.ref == 'refs/heads/main' - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - with: - skip_upload: true - skip_existing: true - skip_packaging: true - mark_as_latest: true + # - name: Run chart-releaser - dev and feature branches + # uses: helm/chart-releaser-action@v1.7.0 + # if: github.ref != 'refs/heads/main' + # env: + # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # charts_dir: ${{ inputs.chart-dir }} + # skip_upload: true + # skip_existing: true + # skip_packaging: true + # mark_as_latest: false + + # - name: Run chart-releaser - main branch + # uses: helm/chart-releaser-action@v1.7.0 + # if: github.ref == 'refs/heads/main' + # env: + # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + # with: + # skip_upload: true + # skip_existing: true + # skip_packaging: true + # mark_as_latest: true From 183735ddfadaf243658af340f73220164cf8bd93 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 14:31:36 +0100 Subject: [PATCH 103/121] Cr args : owner and repo --- .github/workflows/chart-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index cd65ae8..fabc8b0 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -350,7 +350,7 @@ jobs: - name: CR ACTION - Update index.yaml on gh-pages and push changes run: | - args=(-o "$owner" -r "$repo" --push) + args=(-o "${{ github.repository_owner }}" -r "${{ github.repository }}" --push) echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" echo "Installing chart-releaser on $install_dir..." From 57ac9a4dbe6b35acdbae7e0441a998007220db32 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 15:00:43 +0100 Subject: [PATCH 104/121] Remove unused instructions --- .github/workflows/chart-ci.yml | 28 ++-------------------------- 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index fabc8b0..1eb88a4 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -334,23 +334,9 @@ jobs: --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ --merge .cr-index/index.yaml - - name: Prepare git for chart-releaser action + - name: CR ACTION - Update index.yaml on gh-pages and push changes run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - # Fix for "chart-cr" action bug https://github.com/helm/chart-releaser-action/issues/171#issuecomment-2372464055 - VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - - latest_tag="helix-${VERSION}" - export latest_tag="helix-${VERSION}" - - echo "✅ Latest tag = $latest_tag" - echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" - - - name: CR ACTION - Update index.yaml on gh-pages and push changes - run: | - args=(-o "${{ github.repository_owner }}" -r "${{ github.repository }}" --push) + args=(-o "${{ github.repository_owner }}" -r "${{ github.event.repository.name }}" --push) echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" echo "Installing chart-releaser on $install_dir..." 
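Review bot: After this hunk `latest_tag` is never assigned in the merged step (the lines that computed it from `Chart.yaml` go away with the "Prepare git" step), yet `echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT"` remains and now records an empty, non-`name=value` line; either drop it or compute the tag here and write `echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"`. `$install_dir` in the following log line is likewise undefined. The `git config user.name`/`user.email` lines are removed as well, and `cr index --push` presumably commits to gh-pages, so the push may fail without a git identity — worth confirming. The enclosing step starts outside the hunk.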
@@ -358,16 +344,6 @@ jobs: tar -xzf cr.tar.gz -C "/usr/local/bin/" rm -f cr.tar.gz - echo 'Adding cr directory to PATH...' - - if [[ "$latest_tag" == *"-snapshot-"* || "$latest_tag" == *"-dev-"* ]]; then - MARK_AS_LATEST=false - else - MARK_AS_LATEST=true - fi - - echo "✅ Latest ? $MARK_AS_LATEST" - cr index "${args[@]}" From dc765d50a752c567db56134da9083c97fef422a4 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 15:07:33 +0100 Subject: [PATCH 105/121] Add git login --- .github/workflows/chart-ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 1eb88a4..f57b259 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -325,19 +325,20 @@ jobs: env: CR_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + # Get gh-pages git fetch origin gh-pages mkdir -p .cr-index git show origin/gh-pages:index.yaml > .cr-index/index.yaml 2>/dev/null || echo "apiVersion: v1\nentries: {}" > .cr-index/index.yaml + echo "Merge index.yaml with new chart version..." helm repo index .cr-index \ --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} \ --merge .cr-index/index.yaml - - name: CR ACTION - Update index.yaml on gh-pages and push changes - run: | args=(-o "${{ github.repository_owner }}" -r "${{ github.event.repository.name }}" --push) - echo "✅ Latest tag = $latest_tag" >> "$GITHUB_OUTPUT" echo "Installing chart-releaser on $install_dir..." curl -sSLo cr.tar.gz "https://github.com/helm/chart-releaser/releases/download/v1.8.1/chart-releaser_1.8.1_linux_amd64.tar.gz" From b750483e6a04727a93fd676ff8f8892910c06ddf Mon Sep 17 00:00:00 2001 
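Review bot: `helm repo index .cr-index --merge .cr-index/index.yaml` and `cr index --push` now run back to back in one step, and `cr index` also writes `.cr-index/index.yaml` from the releases it finds, so the two generators overlap and the helm-produced entries may be replaced before the push; it is worth confirming which one is meant to be authoritative and dropping the other. `--push` writes to the gh-pages branch with `CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, which requires the job's `permissions:` to grant `contents: write` — that block is not in the hunk, so check it rather than relying on the default token scope. The step starts outside the hunk.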
From: 7066189 Date: Mon, 2 Mar 2026 15:16:04 +0100 Subject: [PATCH 106/121] remove OCI in dependancies list --- .github/workflows/chart-ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index f57b259..3cd800e 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -36,13 +36,15 @@ jobs: - name: Extract and add Helm repositories run: | - yq eval -r ' + yq eval -r ' .dependencies[] + | select(.repository != "oci://*") | "\(.name) \(.repository)" ' "${{ inputs.chart-dir }}/Chart.yaml" \ | while read -r name repo; do helm repo add "$name" "$repo" - done + done + helm repo update - name: Install chart dependencies From 0df09bc88b16312af042112513cb376e07f813b9 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 15:39:23 +0100 Subject: [PATCH 107/121] Remove Hardcode --- .github/workflows/chart-ci.yml | 32 ++++++-------------------------- 1 file changed, 6 insertions(+), 26 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 3cd800e..bb8a599 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -301,7 +301,9 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - TAG="helix-${VERSION}" + + # lowercase the tag name to avoid issues with gh cli + TAG=${"${{ github.event.repository.name }}-${VERSION}",,} gh release create "$TAG" \ .cr-release-packages/*.tgz \ @@ -316,7 +318,9 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - export TAG="helix-${VERSION}" + + # lowercase the tag name to avoid issues with gh cli + TAG=${"${{ github.event.repository.name }}-${VERSION}",,} gh release create "$TAG" \ .cr-release-packages/*.tgz \ 
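Review bot: `select(.repository != "oci://*")` compares the repository string against the literal text `oci://*` — yq's `!=` does not glob — so OCI dependencies are not filtered out and `helm repo add` is still attempted on `oci://...` URLs, which is what this commit set out to avoid. Use a regex test instead: `| select(.repository | test("^oci://") | not)`. The enclosing step starts outside the hunk.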
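Review bot: `TAG=${"${{ github.event.repository.name }}-${VERSION}",,}` is not valid bash — case modification applies to a parameter name, not to a quoted string — so both release steps abort with a "bad substitution" error. Assign first, then lowercase: `tag_tmp="${{ github.event.repository.name }}-${VERSION}"` followed by `TAG=${tag_tmp,,}`. Expanding `${{ github.event.repository.name }}` straight into the script also pastes an event value into shell source; mapping it in `env:` and reading `"$REPO_NAME"` keeps the script text constant. Both enclosing steps start outside their hunks.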
@@ -348,27 +352,3 @@ jobs: rm -f cr.tar.gz cr index "${args[@]}" - - - # - name: Run chart-releaser - dev and feature branches - # uses: helm/chart-releaser-action@v1.7.0 - # if: github.ref != 'refs/heads/main' - # env: - # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # charts_dir: ${{ inputs.chart-dir }} - # skip_upload: true - # skip_existing: true - # skip_packaging: true - # mark_as_latest: false - - # - name: Run chart-releaser - main branch - # uses: helm/chart-releaser-action@v1.7.0 - # if: github.ref == 'refs/heads/main' - # env: - # CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - # with: - # skip_upload: true - # skip_existing: true - # skip_packaging: true - # mark_as_latest: true From 893a201aa32c79f141a3ca97911363d613927297 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 15:46:03 +0100 Subject: [PATCH 108/121] lower ? --- .github/workflows/chart-ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index bb8a599..50a4716 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -303,7 +303,8 @@ jobs: VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) # lowercase the tag name to avoid issues with gh cli - TAG=${"${{ github.event.repository.name }}-${VERSION}",,} + tag_tmp="${{ github.event.repository.name }}-${VERSION}" + TAG=${tag_tmp,,} gh release create "$TAG" \ .cr-release-packages/*.tgz \ @@ -320,7 +321,8 @@ jobs: VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) # lowercase the tag name to avoid issues with gh cli - TAG=${"${{ github.event.repository.name }}-${VERSION}",,} + tag_tmp="${{ github.event.repository.name }}-${VERSION}" + TAG=${tag_tmp,,} gh release create "$TAG" \ .cr-release-packages/*.tgz \ From a6868925b8dd8ec5aa758c8dd869d6d178375a9f Mon Sep 17 00:00:00 2001 
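Review bot: The lines that derive `TAG` (`VERSION=$(yq ...)`, the comment, `tag_tmp=...`, `TAG=${tag_tmp,,}`) are now duplicated verbatim in the pre-release and main release steps; computing them once in a step with an `id:` and publishing `echo "tag=$TAG" >> "$GITHUB_OUTPUT"` lets both steps read `steps.<id>.outputs.tag`. `${tag_tmp,,}` needs bash 4 or newer, which the ubuntu runners provide but macOS's system bash does not — worth a short comment if the workflow is ever run elsewhere. Both enclosing steps start outside their hunks.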
From: 7066189 Date: Mon, 2 Mar 2026 16:34:11 +0100 Subject: [PATCH 109/121] name use for tag and for CR --- .github/workflows/chart-ci.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 50a4716..4b66192 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -300,10 +300,15 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + ref_to_keep = ${{github.ref}} + git fetch origin gh-pages + name=$(yq e '.entries | keys | .,[0],' index.yaml) + + git fetch origin ${{ github.event.repository.name }} VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) # lowercase the tag name to avoid issues with gh cli - tag_tmp="${{ github.event.repository.name }}-${VERSION}" + tag_tmp="${name}-${VERSION}" TAG=${tag_tmp,,} gh release create "$TAG" \ @@ -318,10 +323,15 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + ref_to_keep = ${{github.ref}} + git fetch origin gh-pages + name=$(yq e '.entries | keys | .,[0],' index.yaml) + git fetch origin ${{ github.event.repository.name }} + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) + # lowercase the tag name to avoid issues with gh cli - tag_tmp="${{ github.event.repository.name }}-${VERSION}" + tag_tmp="${name}-${VERSION}" TAG=${tag_tmp,,} gh release create "$TAG" \ From f44d581e91048debd4a162c7a634aefc596e8c0d Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 16:43:18 +0100 Subject: [PATCH 110/121] Name --- .github/workflows/chart-ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 4b66192..f96f711 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
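Review bot: `name=$(yq e '.entries | keys | .,[0],' index.yaml)` reads `index.yaml` from the working tree, but `git fetch origin gh-pages` only updates the remote-tracking ref and checks nothing out, so on the default checkout the file is absent and `name` is empty; read it from the ref instead, `name=$(git show origin/gh-pages:index.yaml | yq e '.entries | keys | .[0]')`, which also fixes the malformed `.,[0],` path expression. `ref_to_keep = ${{github.ref}}` has spaces around `=`, so bash runs `ref_to_keep` as a command and the step fails under `-e` before anything else happens, and `git fetch origin ${{ github.event.repository.name }}` fetches a ref named after the repository, which is unlikely to exist. The same working-tree read persists in PATCH 110–114 (`@@ -300,11 +300,10 @@`, `@@ -303,7 +303,7 @@`, `@@ -322,10 +322,14 @@`, `@@ -294,17 +294,15 @@`). Both enclosing steps start outside their hunks.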
@@ -300,11 +300,10 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - ref_to_keep = ${{github.ref}} git fetch origin gh-pages name=$(yq e '.entries | keys | .,[0],' index.yaml) - git fetch origin ${{ github.event.repository.name }} + git fetch origin ${{github.ref}} VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) # lowercase the tag name to avoid issues with gh cli From 007cca4e3cd32bea931e07aa1e58208f6468100b Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 17:10:42 +0100 Subject: [PATCH 111/121] Name --- .github/workflows/chart-ci.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index f96f711..f7d02b4 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -303,7 +303,7 @@ jobs: git fetch origin gh-pages name=$(yq e '.entries | keys | .,[0],' index.yaml) - git fetch origin ${{github.ref}} + git fetch origin "${{ github.ref_name }}" VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) # lowercase the tag name to avoid issues with gh cli @@ -322,11 +322,10 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - ref_to_keep = ${{github.ref}} git fetch origin gh-pages name=$(yq e '.entries | keys | .,[0],' index.yaml) - git fetch origin ${{ github.event.repository.name }} + git fetch origin "${{ github.ref_name }}" VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) # lowercase the tag name to avoid issues with gh cli From 09fdf47d2488bbe48873f35ef30eb391b8b16e60 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 17:20:58 +0100 Subject: [PATCH 112/121] Name --- .github/workflows/chart-ci.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index f7d02b4..cd96238 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
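Review bot: `git fetch origin ${{github.ref}}` (and `"${{ github.ref_name }}"` in the following commit) splices a value from the event context straight into the shell script; a ref name may legally contain characters such as `;`, `$`, `|` or quotes, so the safer pattern is to map it in `env:` (`REF: ${{ github.ref_name }}`) and run `git fetch origin "$REF"`, which keeps the script text constant whatever the branch is called. The same inline expansion is introduced as `REF="${{ github.ref }}"` in PATCH 112 and 113 (`@@ -322,10 +322,14 @@`, `@@ -300,10 +300,13 @@`). Fetching the branch the job is already checked out on also looks redundant — if it is meant to refresh the ref, a comment saying so would help. The enclosing steps start outside their hunks.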
@@ -322,10 +322,14 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + + REF="${{ github.ref }}" # ex. refs/heads/main + BRANCH="${REF#refs/heads/}" # remove « refs/heads/ » + git fetch origin gh-pages name=$(yq e '.entries | keys | .,[0],' index.yaml) - git fetch origin "${{ github.ref_name }}" + git fetch origin "$BRANCH" VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) # lowercase the tag name to avoid issues with gh cli From c16fa00f698c789f8f18df0b9f56ae78958aa248 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 17:24:48 +0100 Subject: [PATCH 113/121] Name --- .github/workflows/chart-ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index cd96238..a293870 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -300,10 +300,13 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + REF="${{ github.ref }}" # ex. refs/heads/main + BRANCH="${REF#refs/heads/}" # remove « refs/heads/ » + git fetch origin gh-pages name=$(yq e '.entries | keys | .,[0],' index.yaml) - git fetch origin "${{ github.ref_name }}" + git fetch origin "$BRANCH" VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) # lowercase the tag name to avoid issues with gh cli From 70d5f64594781a024148bab9c215d45feb729f8e Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 17:34:57 +0100 Subject: [PATCH 114/121] Name --- .github/workflows/chart-ci.yml | 41 ++++++++++++++-------------------- 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index a293870..07cc7cc 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml 
@@ -294,17 +294,15 @@ jobs: run: | helm package ${{ inputs.chart-dir }} -d .cr-release-packages/ - # ### Release steps specific to `feature` or `dev` branch ### - - name: Create GitHub pre-release + tag - if: github.ref != 'refs/heads/main' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # ### Prepare release variables ### + - name: Prepare release variables + id: prepare-release run: | REF="${{ github.ref }}" # ex. refs/heads/main BRANCH="${REF#refs/heads/}" # remove « refs/heads/ » git fetch origin gh-pages - name=$(yq e '.entries | keys | .,[0],' index.yaml) + name=$(yq e '.entries | keys | .[0]' index.yaml) git fetch origin "$BRANCH" VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) @@ -313,10 +311,19 @@ jobs: tag_tmp="${name}-${VERSION}" TAG=${tag_tmp,,} - gh release create "$TAG" \ + echo "TAG=$TAG" >> $GITHUB_OUTPUT + echo "VERSION=$VERSION" >> $GITHUB_OUTPUT + + # ### Release steps specific to `feature` or `dev` branch ### + - name: Create GitHub pre-release + tag + if: github.ref != 'refs/heads/main' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh release create "${{ steps.prepare-release.outputs.TAG }}" \ .cr-release-packages/*.tgz \ --prerelease \ - --title "$TAG" \ + --title "${{ steps.prepare-release.outputs.TAG }}" \ --notes "Version from ${{ github.ref_name }}" # ### Release steps specific to `main` branch ### 
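Review bot: The chart name that forms the release tag is taken from `.entries | keys | .[0]` of the published `index.yaml`, which is the wrong source: it is arbitrary when the index lists several charts, empty on the very first release when no index exists yet, and the file is not in the working tree after a plain `git fetch origin gh-pages`. `Chart.yaml` is authoritative, so `name=$(yq '.name' ${{ inputs.chart-dir }}/Chart.yaml)` replaces both the fetch and the index lookup. Also quote the output file, `echo "TAG=$TAG" >> "$GITHUB_OUTPUT"`, to match the rest of the workflow. PATCH 117 and 118 (`@@ -298,24 +298,8 @@`, `@@ -299,7 +299,7 @@`) keep the index-based lookup. The new step's last lines sit in the next hunk.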
@@ -325,23 +332,9 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - - REF="${{ github.ref }}" # ex. refs/heads/main - BRANCH="${REF#refs/heads/}" # remove « refs/heads/ » - - git fetch origin gh-pages - name=$(yq e '.entries | keys | .,[0],' index.yaml) - - git fetch origin "$BRANCH" - VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - - # lowercase the tag name to avoid issues with gh cli - tag_tmp="${name}-${VERSION}" - TAG=${tag_tmp,,} - - gh release create "$TAG" \ + gh release create "${{ steps.prepare-release.outputs.TAG }}" \ .cr-release-packages/*.tgz \ - --title "$TAG" \ + --title "${{ steps.prepare-release.outputs.TAG }}" \ --notes "Version from ${{ github.ref_name }}" - name: Update index.yaml on gh-pages From efbfe2bef1f64a947aba8bee8d04c79431055424 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Mon, 2 Mar 2026 17:41:23 +0100 Subject: [PATCH 115/121] Name --- .github/workflows/chart-ci.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 07cc7cc..e4778ae 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -298,20 +298,23 @@ jobs: - name: Prepare release variables id: prepare-release run: | + + pwd + REF="${{ github.ref }}" # ex. refs/heads/main BRANCH="${REF#refs/heads/}" # remove « refs/heads/ » git fetch origin gh-pages + pwd name=$(yq e '.entries | keys | .[0]' index.yaml) git fetch origin "$BRANCH" + pwd VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) - # lowercase the tag name to avoid issues with gh cli - tag_tmp="${name}-${VERSION}" - TAG=${tag_tmp,,} + TAG_NAME="${name}-${VERSION}" - echo "TAG=$TAG" >> $GITHUB_OUTPUT + echo "TAG_NAME=$TAG_NAME" >> $GITHUB_OUTPUT echo "VERSION=$VERSION" >> $GITHUB_OUTPUT # ### Release steps specific to `feature` or `dev` branch ### 
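Review bot: The lowercase conversion (`TAG=${tag_tmp,,}`) is dropped together with its comment, so a chart whose name has uppercase letters now produces a differently-cased tag than the previous commits did; if the gh cli issue the comment referred to is real this reintroduces it, and if not, the removal deserves a line in the commit message. The three `pwd` calls are debugging output and should not be merged (the following commit, PATCH 116, adds `ls -als` in the same spirit). The enclosing step starts outside the hunk.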
@@ -320,10 +323,10 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - gh release create "${{ steps.prepare-release.outputs.TAG }}" \ + gh release create "${{ steps.prepare-release.outputs.TAG_NAME }}" \ .cr-release-packages/*.tgz \ --prerelease \ - --title "${{ steps.prepare-release.outputs.TAG }}" \ + --title "${{ steps.prepare-release.outputs.TAG_NAME }}" \ --notes "Version from ${{ github.ref_name }}" # ### Release steps specific to `main` branch ### @@ -332,9 +335,9 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - gh release create "${{ steps.prepare-release.outputs.TAG }}" \ + gh release create "${{ steps.prepare-release.outputs.TAG_NAME }}" \ .cr-release-packages/*.tgz \ - --title "${{ steps.prepare-release.outputs.TAG }}" \ + --title "${{ steps.prepare-release.outputs.TAG_NAME }}" \ --notes "Version from ${{ github.ref_name }}" - name: Update index.yaml on gh-pages From f7244522080bfec804aa0a301be8c6e3fdceb16b Mon Sep 17 00:00:00 2001 From: 7066189 Date: Tue, 3 Mar 2026 09:07:51 +0100 Subject: [PATCH 116/121] looking for folder structure load for gh-pages branch --- .github/workflows/chart-ci.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index e4778ae..d8c437e 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -300,16 +300,23 @@ jobs: run: | pwd + ls -als REF="${{ github.ref }}" # ex. refs/heads/main BRANCH="${REF#refs/heads/}" # remove « refs/heads/ » git fetch origin gh-pages + pwd - name=$(yq e '.entries | keys | .[0]' index.yaml) + ls -als + + name=$(yq e '.entries | keys | .[0]' index.yaml) git fetch origin "$BRANCH" + pwd + ls -als + VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) TAG_NAME="${name}-${VERSION}" From bdc67e61a542e0a36e870adb7f24299b2aa894ca Mon Sep 17 00:00:00 2001 
From: 7066189 Date: Tue, 3 Mar 2026 09:19:58 +0100 Subject: [PATCH 117/121] Name --- .github/workflows/chart-ci.yml | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index d8c437e..e458176 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -298,24 +298,8 @@ jobs: - name: Prepare release variables id: prepare-release run: | - - pwd - ls -als - - REF="${{ github.ref }}" # ex. refs/heads/main - BRANCH="${REF#refs/heads/}" # remove « refs/heads/ » - git fetch origin gh-pages - - pwd - ls -als - - name=$(yq e '.entries | keys | .[0]' index.yaml) - - git fetch origin "$BRANCH" - - pwd - ls -als + name=$(git show origin/gh-pages:index.yaml | yq e '.entries | keys | .,[0],' 2>/dev/null || echo "") VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) From 89b1338582117b03d6bfc1d3a281ee070ef0b141 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Tue, 3 Mar 2026 09:26:24 +0100 Subject: [PATCH 118/121] Name . --- .github/workflows/chart-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index e458176..e21d8fd 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -299,7 +299,7 @@ jobs: id: prepare-release run: | git fetch origin gh-pages - name=$(git show origin/gh-pages:index.yaml | yq e '.entries | keys | .,[0],' 2>/dev/null || echo "") + name=$(git show origin/gh-pages:index.yaml | yq e '.entries | keys | .[0]' 2>/dev/null || echo " ??? ") VERSION=$(yq '.version' ${{ inputs.chart-dir }}/Chart.yaml) From 61089107dd987ec0912861c66634fe17331f7304 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Tue, 3 Mar 2026 10:02:47 +0100 Subject: [PATCH 119/121] Ref the commit that run the workflow --- .github/workflows/chart-ci.yml | 3 +++ 1 file changed, 3 insertions(+) 
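Review bot: The fallback `|| echo " ??? "` turns a failed lookup into a TAG_NAME of ` ??? -<version>`, which then reaches `gh release create` as a tag name instead of failing the job, and `2>/dev/null` discards the only message that would explain why (missing gh-pages ref, no index.yaml, no entries). Because the default `run:` shell is bash with `-e` but without `pipefail`, a failing `git show` does not even trigger the `||` branch — `yq` just parses empty input. As far as the index is concerned, `keys | .[0]` is the alphabetically first chart in the index, which coincides with the chart being packaged only while the index holds a single entry; the chart's own name is already at hand, so `name=$(yq '.name' "${{ inputs.chart-dir }}/Chart.yaml")` followed by `[ -n "$name" ] && [ "$name" != "null" ] || { echo "::error::chart name not found in Chart.yaml"; exit 1; }` removes the dependency on gh-pages entirely. The `prepare-release` step continues past the end of this hunk.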
diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index e21d8fd..9df1eb6 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -318,6 +318,7 @@ jobs: .cr-release-packages/*.tgz \ --prerelease \ --title "${{ steps.prepare-release.outputs.TAG_NAME }}" \ + --target ${{ github.sha}} \ --notes "Version from ${{ github.ref_name }}" # ### Release steps specific to `main` branch ### @@ -328,6 +329,8 @@ jobs: run: | gh release create "${{ steps.prepare-release.outputs.TAG_NAME }}" \ .cr-release-packages/*.tgz \ + --latest \ + --target ${{ github.sha}} \ --title "${{ steps.prepare-release.outputs.TAG_NAME }}" \ --notes "Version from ${{ github.ref_name }}" From e639780f006d932b3ff99064dbf1de0d60e2e4d7 Mon Sep 17 00:00:00 2001 From: 7066189 Date: Tue, 3 Mar 2026 10:18:53 +0100 Subject: [PATCH 120/121] Add changelog.md as ref to release --- .github/workflows/chart-ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 9df1eb6..987c4c4 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -319,7 +319,8 @@ jobs: --prerelease \ --title "${{ steps.prepare-release.outputs.TAG_NAME }}" \ --target ${{ github.sha}} \ - --notes "Version from ${{ github.ref_name }}" + --notes "Version from ${{ github.ref_name }}" \ + -F CHANGELOG.md # ### Release steps specific to `main` branch ### - name: Create GitHub release + tag @@ -332,7 +333,8 @@ jobs: --latest \ --target ${{ github.sha}} \ --title "${{ steps.prepare-release.outputs.TAG_NAME }}" \ - --notes "Version from ${{ github.ref_name }}" + --notes "Version from ${{ github.ref_name }}" \ + -F CHANGELOG.md - name: Update index.yaml on gh-pages env: From 138a7d66f97ea969839c063072229e77737f2ad5 Mon Sep 17 00:00:00 2001 
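Review bot: `--target ${{ github.sha}}` is an unquoted expression interpolation (note the missing space before `}}`), while the runner already exports the same value as `GITHUB_SHA`; writing `--target "$GITHUB_SHA"` keeps the script free of template expansion and matches how `GH_TOKEN` is already passed via `env:`. Applies to both the pre-release and the `--latest` main-branch invocations in this commit.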
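Review bot: `-F CHANGELOG.md` is resolved against the workspace root, whereas everything else chart-specific in this job is read from `${{ inputs.chart-dir }}` (e.g. `Chart.yaml`), so for a reusable workflow the file is likely looked up in the wrong directory, and `gh release create` aborts when the notes file does not exist. Combining `--notes` with `--notes-file` is also doubtful: as far as I recall gh reads the file after the inline flag and the file content replaces the "Version from …" text, so one of the two is dead — verify against the gh version on the runner. If the changelog sits beside the chart, use `-F "${{ inputs.chart-dir }}/CHANGELOG.md"` (better via an `env:` variable) and guard it with `[ -f "$NOTES" ] && args+=(-F "$NOTES")` so charts without a changelog still release; the same applies to the main-branch step in the second hunk.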
From: =?UTF-8?q?C=C3=A9dric=20Lajus?= <74196307+Superfluxx@users.noreply.github.com> Date: Thu, 12 Mar 2026 12:07:31 +0100 Subject: [PATCH 121/121] Update trivy action to 0.35.0 (#15) --- .github/workflows/chart-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-ci.yml b/.github/workflows/chart-ci.yml index 987c4c4..9da2003 100644 --- a/.github/workflows/chart-ci.yml +++ b/.github/workflows/chart-ci.yml @@ -185,7 +185,7 @@ jobs: path: ${{ inputs.chart-dir }} - name: Build Trivy Vulnerability report - uses: aquasecurity/trivy-action@0.29.0 + uses: aquasecurity/trivy-action@0.35.0 env: TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }} @@ -203,7 +203,7 @@ jobs: sarif_file: 'trivy-vuln-results.sarif' - name: Run Trivy Vulnerability scan - uses: aquasecurity/trivy-action@0.29.0 + uses: aquasecurity/trivy-action@0.35.0 env: TRIVY_HELM_KUBE_VERSION: ${{ inputs.kubernetes-version }} TRIVY_HELM_SET_FILE: ${{ inputs.chart-values }}