automated release for helm chart#335
Conversation
| name: Lint & template zxporter chart | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Helm | ||
| uses: azure/setup-helm@v4 | ||
| with: | ||
| version: '3.12.3' | ||
|
|
||
| - name: Update chart dependencies | ||
| run: helm dependency update helm-chart/zxporter | ||
|
|
||
| - name: Lint chart | ||
| run: helm lint helm-chart/zxporter | ||
|
|
||
| - name: Template render check | ||
| run: | | ||
| helm template zxporter helm-chart/zxporter \ | ||
| --set zxporter.clusterToken=ci-test-token \ | ||
| --set zxporter.kubeContextName=ci-test-cluster \ | ||
| --set zxporter.k8sProvider=other \ | ||
| > /dev/null | ||
| echo "zxporter chart rendered successfully" | ||
|
|
||
| validate-netmon: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 months ago
In general, to fix this class of problem you add a permissions block either at the root of the workflow (applies to all jobs unless overridden) or per job, and set only the minimal scopes needed (typically contents: read for simple CI jobs that just check out code).
For this specific workflow, both jobs only check out the code and run Helm commands; they don’t interact with issues, PRs, or perform any repository writes. The single best fix is therefore to add a root-level permissions section right under the name: (and before on:), setting contents: read. This will apply to both validate-zxporter and validate-netmon without altering existing behavior. No additional imports or methods are required, because this is a YAML configuration change only.
Concretely, in .github/workflows/helm-chart-validation.yml, insert:

permissions:
  contents: read

between line 1 (name: Helm Chart Validation) and line 3 (on:). No other changes are necessary.
| @@ -1,5 +1,8 @@ | ||
| name: Helm Chart Validation | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths: |
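Review bot: contents: read at the workflow root is the right minimum here, since both jobs only check out code and run helm lint / helm template and never write to the repository; note that the second autofix on this page proposes the same key placed after the on: block instead, so apply exactly one of the two placements (a second top-level permissions: key would be a duplicate mapping key in the YAML). Top-level key order is not significant to Actions, so either placement has the same effect.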
| name: Lint & template zxporter-netmon chart | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Helm | ||
| uses: azure/setup-helm@v4 | ||
| with: | ||
| version: '3.12.3' | ||
|
|
||
| - name: Update chart dependencies | ||
| run: helm dependency update helm-chart/zxporter-netmon | ||
|
|
||
| - name: Lint chart | ||
| run: helm lint helm-chart/zxporter-netmon | ||
|
|
||
| - name: Template render check | ||
| run: | | ||
| helm template zxporter-netmon helm-chart/zxporter-netmon > /dev/null | ||
| echo "zxporter-netmon chart rendered successfully" No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 months ago
In general, the fix is to explicitly set a restrictive permissions: block for the workflow or individual jobs so the GITHUB_TOKEN has only the minimal scopes required. For this Helm validation workflow, the jobs just need to read repository contents (to check out code and charts) and do not interact with issues, PRs, or perform any writes, so contents: read at the workflow root is sufficient.
The best fix without changing existing functionality is to add a single root-level permissions: block after the on: section. This will apply to both validate-zxporter and validate-netmon jobs since they do not define their own permissions:. No other logic, steps, or actions need to be modified. Concretely, in .github/workflows/helm-chart-validation.yml, add:
permissions:
  contents: read

between the on: block (ending at line 8) and the jobs: key (line 10). No additional imports or definitions are required because this is purely a YAML configuration change for GitHub Actions.
| @@ -7,6 +7,9 @@ | ||
| - 'helm-chart/zxporter-netmon/**' | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| validate-zxporter: | ||
| name: Lint & template zxporter chart |
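Review bot: this hunk is identical in effect to the first suggestion (permissions: after on: rather than before it), so only one of the two should be merged. The workflow_dispatch: trigger in the context lines means the workflow can also be started by hand, and the read-only token covers those runs as well. Separately, this alert only covers helm-chart-validation.yml; the two release workflows this PR adds (helm-auto-release.yml and helm-auto-release-netmon.yml, per the summary) are not in this diff and will need their own permissions: block. If they commit the bumped patch version back to the repository they need contents: write, which should then be declared on that job rather than at the workflow root so the lint/template jobs keep contents: read.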
These CI changes make sure to release the helm chart whenever there is a helm chart change; it will automatically make a release!
Summary by Gitar
- helm-auto-release.yml to automatically release zxporter chart on changes, bumping patch version and pushing to Docker Hub OCI registry
- helm-auto-release-netmon.yml to automatically release zxporter-netmon chart with same automation pattern
- helm-chart-validation.yml to lint and template-render both charts on pull requests
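Added example, not part of this PR and not the CodeQL or Copilot output: a small Python check that reproduces the gist of the "Workflow does not contain permissions" alert for the validation workflow discussed in both autofix comments above, with the weak and the corrected configuration side by side. The sample workflow text is constructed from the steps visible on the page (the first paths: entry for the zxporter chart is assumed), and the checker assumes two-space indentation like the file on the page; it is a line-based heuristic for this one rule, not a YAML parser.

```python
"""Flag GitHub Actions jobs that run with the repository's default GITHUB_TOKEN.

A job runs with the repository default token permissions (which can be
read-and-write) unless the workflow root or the job itself declares a
`permissions:` block. Heuristic: top-level keys sit at indent 0, job ids at
indent 2 under `jobs:`, job keys at indent 4 (assumption: two-space YAML).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the page's helm-chart-validation.yml before the fix.
WORKFLOW_BEFORE = """\
name: Helm Chart Validation

on:
  pull_request:
    paths:
      - 'helm-chart/zxporter/**'
      - 'helm-chart/zxporter-netmon/**'
  workflow_dispatch:

jobs:
  validate-zxporter:
    name: Lint & template zxporter chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Lint chart
        run: helm lint helm-chart/zxporter
  validate-netmon:
    name: Lint & template zxporter-netmon chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Lint chart
        run: helm lint helm-chart/zxporter-netmon
"""

# Corrected form: the autofix applied, a root-level read-only token for every job.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "name: Helm Chart Validation\n",
    "name: Helm Chart Validation\n\npermissions:\n  contents: read\n",
    1,
)

# Variant with a job-level block on one job only (the other job stays on defaults).
WORKFLOW_JOB_LEVEL = WORKFLOW_BEFORE.replace(
    "    name: Lint & template zxporter chart\n",
    "    permissions:\n      contents: read\n    name: Lint & template zxporter chart\n",
    1,
)

_KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+):")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def parse_permissions(text: str) -> Tuple[bool, Dict[str, bool]]:
    """Return (root declares permissions, {job_id: job declares permissions})."""
    root_has = False
    jobs: Dict[str, bool] = {}
    in_jobs = False
    current_job = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _KEY_RE.match(stripped)
        if match is None:
            continue  # list items ('- name: ...') and scalars carry no keys of interest
        key, ind = match.group(1), _indent(raw)
        if ind == 0:
            in_jobs = key == "jobs"
            current_job = ""
            root_has = root_has or key == "permissions"
        elif in_jobs and ind == 2:
            current_job = key
            jobs[key] = False
        elif in_jobs and ind == 4 and current_job and key == "permissions":
            jobs[current_job] = True
    return root_has, jobs


def jobs_missing_permissions(text: str) -> List[str]:
    """Job ids that inherit the repository default token because neither the
    workflow root nor the job declares `permissions:`."""
    root_has, jobs = parse_permissions(text)
    if root_has:
        return []
    return [job for job, declared in jobs.items() if not declared]


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER),
                        ("job-level", WORKFLOW_JOB_LEVEL)):
        print(label, "->", jobs_missing_permissions(text) or "ok")
```

The check returns an empty list for the corrected workflow because a root-level block applies to every job that does not override it; the job-level variant shows why the autofix chose the root: declaring the block on one job leaves the other on the repository default.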