Add fork-safe install CI with replicas=0#884
Open
bschwedler wants to merge 4 commits into
Open
Conversation
Fork PRs have no access to license secrets, so ct install (which waits for pods that require a valid license) cannot run as-is. Add a detect-fork job and gate the existing install steps on non-forks. For fork PRs, run ct install with --helm-extra-set-args '--set=replicas=0': Kubernetes creates all non-pod resources (Services, RBAC, ConfigMaps, PVCs) and considers the Deployment immediately rolled out, without ever scheduling a pod that needs the license.
Helm 3.18.5 changed its JSON schema parser, producing a different
error string format for schema validation failures. helm-unittest
v1.0.1 documented this as a known breaking change.
The posit-chronicle configmap_fail_test.yaml tests used errorPattern
values that matched the old format ("ServiceLogLevel: Does not match
pattern") but not the new one ("'/config/Logging/ServiceLogLevel':
'INVALID' does not match pattern"). This caused the tests to fail
locally with helm-unittest >= v1.0.1 while CI (pinned to v1.0.0)
continued to pass — a latent break waiting for the version bump.
Relax both patterns to ".*ServiceLogLevel.*does not match pattern.*"
and ".*ServiceLogFormat.*does not match pattern.*", which match both
the old and new error formats.
Go regex is case-sensitive by default. The old Helm schema error format uses uppercase 'Does not match pattern'; the new format uses lowercase. Add (?i) to both patterns so they match either wording.
Bump helm-unittest to v1.1.0, fix errorPattern regexes
bschwedler
requested review from
markrtucker,
matt-urbina and
t-margheim
as code owners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fork PRs have no access to repo secrets, so
ct install— which waits for pods that require a valid license to start — cannot run as-is against a fork PR.detect-forkjob that outputsis-forkusinggithub.event.pull_request.head.repo.full_name != github.repository. The expression is assigned viaenv:before use inrun:to prevent script injection.Create License File Secretson non-fork PRs.ct installinto two pairs: the existing pair (license-backed, non-fork only) and a new fork pair using--helm-extra-set-args "--set=replicas=0".replicas=0, Kubernetes creates all non-pod resources (Services, RBAC, ConfigMaps, PVCs) and considers the Deployment immediately rolled out — no pod is ever scheduled that would require a license.Internal PRs are completely unchanged. Fork PRs get Kubernetes resource validation without needing license secrets.