diff --git a/.github/workflows/chart-release-steps.yaml b/.github/workflows/chart-release-steps.yaml index 6eea4128..4d7be56a 100644 --- a/.github/workflows/chart-release-steps.yaml +++ b/.github/workflows/chart-release-steps.yaml @@ -63,6 +63,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: src + persist-credentials: false - name: Install Helm uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0 @@ -100,9 +101,11 @@ jobs: - name: Format changelog id: format-changelog uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + env: + INPUTS_CHANGES: ${{ steps.chart-details.outputs.changes }} with: script: | - let input = '${{ steps.chart-details.outputs.changes }}'; + let input = process.env.INPUTS_CHANGES ?? ''; let changelog = "## Changelog:"; let inputParsed = JSON.parse(input); @@ -157,6 +160,7 @@ jobs: with: path: gh-pages ref: gh-pages + persist-credentials: false - name: Copy package to gh-pages structure id: copy-package @@ -237,6 +241,7 @@ jobs: CHART_VERSION: ${{ steps.chart-details.outputs.version }} CHART_TAG_BASE: ghcr.io/bjw-s-labs/helm CHART_TAG: ${{ steps.chart-details.outputs.name }}:${{ steps.chart-details.outputs.version }} + GITHUB_REF: ${{ github.ref }} run: | helm push "${PACKAGE_FILE}" oci://${CHART_TAG_BASE} &> push-metadata.txt cat push-metadata.txt @@ -244,4 +249,4 @@ jobs: cosign sign --yes "${CHART_TAG_BASE}/${CHART_TAG}@${CHART_DIGEST}" cosign verify "${CHART_TAG_BASE}/${CHART_TAG}@${CHART_DIGEST}" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ - --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/chart-release-steps.yaml@${{ github.ref }}" + --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/chart-release-steps.yaml@${GITHUB_REF}" diff --git a/.github/workflows/charts-lint.yaml b/.github/workflows/charts-lint.yaml index 0805ebbb..37ac5797 100644 
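Review bot: The `?? ''` fallback in the Format changelog script does not protect the `JSON.parse(input)` call two lines below it: an empty string is not valid JSON, and as far as I know an expression that evaluates to nothing still sets the variable to an empty string, so `??` never fires. Prefer `let input = process.env.INPUTS_CHANGES || '[]';`, or fail with an explicit message when the value is empty. The same `?? '[]'` / `?? '{}'` pattern appears in the `specified-charts` and `filtered-charts` steps of charts-release.yaml. The script body continues outside the hunk, so confirm that `[]` is a shape the rest of it accepts.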
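Review bot: The `cosign verify` line in the last hunk still expands `${{ github.repository }}` inside the `run:` script, so the step is only half converted; the runner already exports `GITHUB_REPOSITORY`, and the line can read `--certificate-identity "https://github.com/${GITHUB_REPOSITORY}/.github/workflows/chart-release-steps.yaml@${GITHUB_REF}"`. The `GITHUB_REF: ${{ github.ref }}` entry added to `env:` in the hunk before it re-declares a default runner variable, which GitHub documents as not overridable, so the entry is probably redundant. The `run:` block starts above the hunk.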
--- a/.github/workflows/charts-lint.yaml +++ b/.github/workflows/charts-lint.yaml @@ -38,12 +38,14 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: pull + persist-credentials: false - name: Checkout default branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: "${{ github.event.repository.default_branch }}" path: default + persist-credentials: false - name: Get chart details for PR id: chart-details-pr @@ -104,6 +106,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Kubernetes tools uses: yokawasa/action-setup-kube-tools@9e25a4277af127b60011c95b6ed2da7e3b3613b1 # v0.11.2 @@ -116,7 +120,7 @@ jobs: uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 - name: Dereference JSON schema - uses: bjw-s/helm-charts-actions/dereference-json-schema@main + uses: bjw-s-labs/helm-charts-actions/dereference-json-schema@5f5c177be4f535e18c145dcbddcf819aab199b47 with: schemaFile: "charts/${{ matrix.chart }}/values.schema.json" outputFile: "charts/${{ matrix.chart }}/values.schema.json" 
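Review bot: The new pin `bjw-s-labs/helm-charts-actions/dereference-json-schema@5f5c177be4f535e18c145dcbddcf819aab199b47` has no trailing version comment, unlike the other pinned actions in these workflows (`# v4.2.2`, `# v2.7.0`). Add the tag or branch the hash was taken from as a comment, e.g. `# <tag-or-branch>`, so reviewers and update bots can tell what the hash corresponds to. The same line in charts-test.yaml (`@@ -75,7 +75,7 @@`) needs the same comment.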
@@ -128,13 +132,15 @@ jobs: working-directory: charts/${{ matrix.chart }} run: | yq -i '. |= .dependencies |= map(select(.name == "common" and .repository == "https://bjw-s-labs.github.io/helm-charts").version = ">0.0.0-0")' Chart.yaml - yq -i '. |= .dependencies |= map(select(.name == "common" and .repository == "https://bjw-s-labs.github.io/helm-charts").repository = "file://${{ env.COMMON_LIBRARY_LOCATION }}")' Chart.yaml + yq -i '. |= .dependencies |= map(select(.name == "common" and .repository == "https://bjw-s-labs.github.io/helm-charts").repository = "file://${COMMON_LIBRARY_LOCATION}")' Chart.yaml echo "::group::Modified Chart.yaml" cat Chart.yaml echo "::endgroup::" - name: Run chart-testing (lint) - run: ct lint --config .ci/ct/ct.yaml --charts "charts/${{ matrix.chart }}" + env: + MATRIX_CHART: ${{ matrix.chart }} + run: ct lint --config .ci/ct/ct.yaml --charts "charts/${MATRIX_CHART}" lint_success: needs: diff --git a/.github/workflows/charts-release.yaml b/.github/workflows/charts-release.yaml index 01cd8993..750bd65c 100644 --- a/.github/workflows/charts-release.yaml +++ b/.github/workflows/charts-release.yaml @@ -34,7 +34,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - fetch-depth: 0 + persist-credentials: false - name: Grab repository configuration id: repo-config 
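Review bot: `${COMMON_LIBRARY_LOCATION}` now sits inside the single-quoted yq expression, where bash does not expand it; before this change the Actions template was substituted before the shell ever ran. Unless yq performs its own substitution on that string, Chart.yaml will receive the literal repository `file://${COMMON_LIBRARY_LOCATION}` and the dependency build will not find the local library. With mikefarah yq v4 the value can be read from the environment inside the expression by replacing the string with `("file://" + strenv(COMMON_LIBRARY_LOCATION))`. The identical line in charts-test.yaml (`@@ -87,7 +87,7 @@`) has the same problem. The step's `env:` is outside the hunk, so confirm the variable is exported to this step.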
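Review bot: `fetch-depth: 0` is removed in the same edit that adds `persist-credentials: false`, so this checkout in charts-release.yaml becomes a depth-1 clone. If the changed-files steps that follow compare commits using local git history rather than the API, they will have no base commit to diff against; keep `fetch-depth: 0` next to the new key unless the replacement action is known not to need it. The checkouts in docs-release.yaml (`@@ -23,22 +23,12 @@`) and pr-validate.yaml (`@@ -21,14 +21,14 @@`) drop it the same way.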
@@ -45,35 +45,35 @@ jobs: - name: Get changed library charts id: changed-library-charts if: ${{ github.event_name != 'workflow_dispatch' }} - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 + uses: bjw-s-labs/action-changed-files@b1144fc772fca235a50902c7bb6cc431cc7d8e27 # v0.3.2 with: - matrix: true path: charts - dir_names: true - dir_names_max_depth: 2 - files: | + include_only_directories: true + max_depth: 2 + patterns: | library/** - - name: Get changed charts + - name: Get changed library charts id: changed-charts if: ${{ github.event_name != 'workflow_dispatch' }} - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 + uses: bjw-s-labs/action-changed-files@b1144fc772fca235a50902c7bb6cc431cc7d8e27 # v0.3.2 with: - matrix: true path: charts - dir_names: true - dir_names_max_depth: 2 - files_ignore: | - library/** + include_only_directories: true + max_depth: 2 + patterns: | + !library/** - name: Get specified charts id: specified-charts if: ${{ github.event_name == 'workflow_dispatch' }} uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + env: + INPUTS_CHARTS: ${{ inputs.charts }} with: script: | const fs = require('fs'); - let input = '${{ inputs.charts }}'; + let input = process.env.INPUTS_CHARTS ?? '[]'; let cwd = process.cwd(); let tmpCharts = [] 
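Review bot: The step with `id: changed-charts` is renamed to `Get changed library charts`, the same name as the step above it, although its pattern `!library/**` selects everything except the library charts. Two identically named steps make the run log ambiguous and the name now contradicts the filter; keep `- name: Get changed charts` or use `- name: Get changed non-library charts`.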
@@ -109,16 +109,33 @@ jobs: - name: Filter out excluded charts id: filtered-charts uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + env: + SPECIFIED_LIBRARY_CHARTS: ${{ steps.specified-charts.outputs.libraryChartsToRelease }} + CHANGED_LIBRARY_CHARTS: ${{ steps.changed-library-charts.outputs.changed_files }} + SPECIFIED_CHARTS: ${{ steps.specified-charts.outputs.otherChartsToRelease }} + CHANGED_CHARTS: ${{ steps.changed-charts.outputs.changed_files }} + REPO_SETTINGS: ${{ steps.repo-config.outputs.config }} with: script: | - let libraryChartsInput = ${{ github.event_name == 'workflow_dispatch' && steps.specified-charts.outputs.libraryChartsToRelease || steps.changed-library-charts.outputs.all_changed_files }}; - let otherChartsInput = ${{ github.event_name == 'workflow_dispatch' && steps.specified-charts.outputs.otherChartsToRelease || steps.changed-charts.outputs.all_changed_files }}; - let excludedFromRelease = ${{ steps.repo-config.outputs.config }}['excluded-charts-release']; + const SPECIFIED_LIBRARY_CHARTS = process.env.SPECIFIED_LIBRARY_CHARTS ?? '[]'; + const CHANGED_LIBRARY_CHARTS = process.env.CHANGED_LIBRARY_CHARTS ?? '[]'; + const SPECIFIED_CHARTS = process.env.SPECIFIED_CHARTS ?? '[]'; + const CHANGED_CHARTS = process.env.CHANGED_CHARTS ?? '[]'; + const REPO_SETTINGS = process.env.REPO_SETTINGS ?? '{}'; - let libraryCharts = libraryChartsInput.filter(item => excludedFromRelease.indexOf(item) < 0); + const eventName = '${{ github.event_name }}'; + const repoSettings = JSON.parse(REPO_SETTINGS); + + const libraryChartsInput = JSON.parse(eventName === 'workflow_dispatch' ? SPECIFIED_LIBRARY_CHARTS : CHANGED_LIBRARY_CHARTS); + const otherChartsInput = JSON.parse(eventName === 'workflow_dispatch' ? 
SPECIFIED_CHARTS : CHANGED_CHARTS); + const excludedFromRelease = repoSettings['excluded-charts-release']; + + const libraryCharts = libraryChartsInput.filter(item => excludedFromRelease.indexOf(item) < 0); core.setOutput('libraryChartsToRelease', JSON.stringify(libraryCharts)); - let otherCharts = otherChartsInput.filter(item => excludedFromRelease.indexOf(item) < 0); + console.log('Library charts to release:', JSON.stringify(libraryCharts, null, 2)); + const otherCharts = otherChartsInput.filter(item => excludedFromRelease.indexOf(item) < 0); core.setOutput('otherChartsToRelease', JSON.stringify(otherCharts)); + console.log('Other charts to release:', JSON.stringify(otherCharts, null, 2)); release-library-charts: name: Release library charts diff --git a/.github/workflows/charts-test.yaml b/.github/workflows/charts-test.yaml index df080ef2..83ee84c7 100644 --- a/.github/workflows/charts-test.yaml +++ b/.github/workflows/charts-test.yaml @@ -31,14 +31,16 @@ jobs: k8s_version: [ "v1.29.13", - "v1.30.9", - "v1.31.5", - "v1.32.1", + "v1.30.11", + "v1.31.7", + "v1.32.3", ] fail-fast: false steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Validate prerequisite folders working-directory: "charts/${{ matrix.chart }}" @@ -59,8 +61,6 @@ jobs: kubectl: "${{ matrix.k8s_version }}" - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 - with: - python-version: "3.13" - name: Set up chart-testing uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 
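Review bot: `const eventName = '${{ github.event_name }}';` is the one value in this script still spliced in through the template after everything else was moved to `env:`. The value comes from a fixed set, so the risk is low, but github-script already exposes it and the line can be `const eventName = context.eventName;`. Separately, `repoSettings['excluded-charts-release']` is used without a default, so a config that lacks the key makes `.indexOf` throw; `const excludedFromRelease = repoSettings['excluded-charts-release'] ?? [];` turns the filter into a no-op in that case.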
@@ -75,7 +75,7 @@ jobs: kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true - name: Dereference JSON schema - uses: bjw-s/helm-charts-actions/dereference-json-schema@main + uses: bjw-s-labs/helm-charts-actions/dereference-json-schema@5f5c177be4f535e18c145dcbddcf819aab199b47 with: schemaFile: "charts/${{ matrix.chart }}/values.schema.json" outputFile: "charts/${{ matrix.chart }}/values.schema.json" @@ -87,7 +87,7 @@ jobs: working-directory: charts/${{ matrix.chart }} run: | yq -i '. |= .dependencies |= map(select(.name == "common" and .repository == "https://bjw-s-labs.github.io/helm-charts").version = ">0.0.0-0")' Chart.yaml - yq -i '. |= .dependencies |= map(select(.name == "common" and .repository == "https://bjw-s-labs.github.io/helm-charts").repository = "file://${{ env.COMMON_LIBRARY_LOCATION }}")' Chart.yaml + yq -i '. |= .dependencies |= map(select(.name == "common" and .repository == "https://bjw-s-labs.github.io/helm-charts").repository = "file://${COMMON_LIBRARY_LOCATION}")' Chart.yaml echo "::group::Modified Chart.yaml" cat Chart.yaml echo "::endgroup::" @@ -99,7 +99,7 @@ jobs: cd "test-chart" fi - ct install --config "$GITHUB_WORKSPACE/.ci/ct/ct.yaml" --charts . + ct install --config "${GITHUB_WORKSPACE}/.ci/ct/ct.yaml" --charts . install_success: needs: @@ -127,6 +127,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Validate prerequisite folders working-directory: "charts/${{ matrix.chart }}" @@ -153,13 +155,15 @@ jobs: - name: Run tests working-directory: "charts/${{ matrix.chart }}" + env: + MATRIX_CHART: ${{ matrix.chart }} run: | if [[ -d "test-chart" ]]; then cd "test-chart" fi if [[ ! -d "unittests" ]]; then - echo "No unit tests found for chart ${{ matrix.chart }}" + echo "No unit tests found for chart ${MATRIX_CHART}" exit 0 fi 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e22dca49..2cfd0112 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -39,6 +39,8 @@ jobs: - name: Checkout id: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Initialize CodeQL id: initialize diff --git a/.github/workflows/docs-release.yaml b/.github/workflows/docs-release.yaml index d1102280..d496e729 100644 --- a/.github/workflows/docs-release.yaml +++ b/.github/workflows/docs-release.yaml @@ -23,22 +23,12 @@ jobs: permissions: contents: write steps: - - name: Generate Token - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 - id: app-token - with: - app-id: ${{ secrets.LAB_ASSISTANT_APP_ID }} - private-key: ${{ secrets.LAB_ASSISTANT_APP_KEY }} - - name: Checkout main branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - token: ${{ steps.app-token.outputs.token }} - fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 - with: - python-version: 3.x - name: Install requirements run: pip install -r docs/requirements.txt @@ -46,6 +36,13 @@ jobs: - name: Build and publish docs run: mkdocs build -f .ci/mkdocs/mkdocs.yml + - name: Generate Token + uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 + id: app-token + with: + app-id: ${{ secrets.LAB_ASSISTANT_APP_ID }} + private-key: ${{ secrets.LAB_ASSISTANT_APP_KEY }} + - name: Deploy uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 if: ${{ github.ref == 'refs/heads/main' }} 
@@ -71,14 +68,16 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: src + persist-credentials: false - name: Checkout gh-pages branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: gh-pages path: gh-pages + persist-credentials: false - - name: Deploy changes to GitHub Pages + - name: Deploy to GitHub Pages uses: ./src/.github/actions/publish-folder-to-pages with: path: gh-pages/ diff --git a/.github/workflows/pr-validate.yaml b/.github/workflows/pr-validate.yaml index 07bbe1c2..bf0d872a 100644 --- a/.github/workflows/pr-validate.yaml +++ b/.github/workflows/pr-validate.yaml @@ -21,14 +21,14 @@ jobs: runs-on: ubuntu-24.04 outputs: repoConfiguration: ${{ steps.repo-config.outputs.config }} - addedOrModifiedFiles: ${{ steps.added-modified-files.outputs.all_changed_files }} + addedOrModifiedFiles: ${{ steps.added-modified-files.outputs.changed_files }} chartsToLint: ${{ steps.charts-to-lint.outputs.filteredCharts }} chartsToInstall: ${{ steps.charts-to-install.outputs.filteredCharts }} steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - fetch-depth: 0 + persist-credentials: false - name: Grab repository configuration id: repo-config 
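Review bot: Both checkouts in this docs-release job now set `persist-credentials: false`, including the `gh-pages` working tree that `./src/.github/actions/publish-folder-to-pages` publishes from. That action's inputs continue past the hunk; if it pushes with plain git and relied on the token that checkout used to leave in the repository config, the deploy will now fail with an authentication error. Confirm it is handed a token explicitly. The `gh-pages` checkout in chart-release-steps.yaml (`@@ -157,6 +160,7 @@`) raises the same question.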
@@ -38,36 +38,47 @@ jobs: - name: Get all added or modified files id: added-modified-files - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 + uses: bjw-s-labs/action-changed-files@b1144fc772fca235a50902c7bb6cc431cc7d8e27 # v0.3.2 - - name: Get changed charts + - name: Get all added or modified charts id: changed-charts - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 + uses: bjw-s-labs/action-changed-files@b1144fc772fca235a50902c7bb6cc431cc7d8e27 # v0.3.2 with: - matrix: true path: charts - dir_names: true - dir_names_max_depth: 2 + include_only_directories: true + max_depth: 2 - name: Determine charts to lint id: charts-to-lint uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + env: + CHANGED_CHARTS: ${{ steps.changed-charts.outputs.changed_files }} + REPO_SETTINGS: ${{ steps.repo-config.outputs.config }} with: script: | - var changedCharts = ${{ steps.changed-charts.outputs.all_changed_files }}; - var chartsToFilter = ${{ toJSON(fromJSON(steps.repo-config.outputs.config).excluded-charts-lint) }}; + const { CHANGED_CHARTS, REPO_SETTINGS } = process.env; + const changedCharts = JSON.parse(CHANGED_CHARTS); + const repoSettings = JSON.parse(REPO_SETTINGS); + const chartsToFilter = repoSettings['excluded-charts-lint']; let filteredCharts = changedCharts.filter(item => chartsToFilter.indexOf(item) < 0); core.setOutput("filteredCharts", filteredCharts); + console.log('charts to lint:', JSON.stringify(filteredCharts, null, 2)); - name: Determine charts to install id: charts-to-install uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + env: + CHANGED_CHARTS: ${{ steps.changed-charts.outputs.changed_files }} + REPO_SETTINGS: ${{ steps.repo-config.outputs.config }} with: script: | - var changedCharts = ${{ steps.changed-charts.outputs.all_changed_files }}; - var chartsToFilter = ${{ 
toJSON(fromJSON(steps.repo-config.outputs.config).excluded-charts-install) }}; + const { CHANGED_CHARTS, REPO_SETTINGS } = process.env; + const changedCharts = JSON.parse(CHANGED_CHARTS); + const repoSettings = JSON.parse(REPO_SETTINGS); + const chartsToFilter = repoSettings['excluded-charts-install']; let filteredCharts = changedCharts.filter(item => chartsToFilter.indexOf(item) < 0); core.setOutput("filteredCharts", filteredCharts); + console.log('charts to install:', JSON.stringify(filteredCharts, null, 2)); pre-commit-check: name: Perform Pre-Commit check @@ -77,11 +88,13 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Run against changes uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 with: - extra_args: --files ${{ needs.prepare.outputs.addedOrModifiedFiles }} --config .ci/pre-commit/config.yaml + extra_args: --files ${{ join(fromJSON(needs.prepare.outputs.addedOrModifiedFiles), ' ') }} --config .ci/pre-commit/config.yaml charts-lint: name: Lint charts
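Review bot: `extra_args` in the pre-commit step still expands the changed-file list through a template, and on a pull request those paths are chosen by the contributor. As far as I recall, pre-commit/action interpolates `extra_args` into a shell command line, so a path containing spaces or shell metacharacters is word-split or interpreted rather than passed as one argument; `join(..., ' ')` quotes nothing. One option that keeps contributor-controlled strings out of the command line is to let pre-commit compute the file set itself, `extra_args: --from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }} --config .ci/pre-commit/config.yaml`, which assumes a pull_request trigger and a checkout that contains both commits. The alternative is to pass the JSON list through `env:` and build the arguments in a script, as the other steps in this change do.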