automated release for helm chart #335
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| name: Auto Release Helm Chart (zxporter-netmon) | ||
|
|
||
| # Triggers on any merge to main that touches helm-chart/zxporter-netmon/** | ||
| # EXCEPT Chart.yaml — that file is updated by this workflow itself via PR, | ||
| # and we exclude it to prevent an infinite release loop. | ||
| on: | ||
| push: | ||
| branches: [main] | ||
| paths: | ||
| - 'helm-chart/zxporter-netmon/**' | ||
| - '!helm-chart/zxporter-netmon/Chart.yaml' | ||
|
|
||
| env: | ||
| REGISTRY: registry-1.docker.io | ||
| CHART_NAME: zxporter-netmon | ||
| ORG: devzeroinc | ||
| CHART_TAG_PREFIX: chart-netmon-v | ||
|
|
||
| jobs: | ||
| auto-release: | ||
| name: Patch release zxporter-netmon chart | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| packages: write | ||
| pull-requests: write | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up Helm | ||
| uses: azure/setup-helm@v4 | ||
| with: | ||
| version: '3.12.3' | ||
|
|
||
| - name: Install yq | ||
| run: | | ||
| sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 | ||
| sudo chmod +x /usr/local/bin/yq | ||
|
|
||
| - name: Helm registry login | ||
| run: | | ||
| echo "${{ secrets.DOCKERHUB_ZXPORTER_BALANCE_TOKEN }}" | \ | ||
| helm registry login registry-1.docker.io \ | ||
| --username "${{ secrets.DOCKERHUB_ZXPORTER_BALANCE_USERNAME }}" \ | ||
| --password-stdin | ||
|
|
||
| - name: Enable Helm OCI support | ||
| run: echo "HELM_EXPERIMENTAL_OCI=1" >> $GITHUB_ENV | ||
|
|
||
| - name: Fetch tags | ||
| run: git fetch --tags | ||
|
|
||
| - name: Bump patch version | ||
| id: version | ||
| run: | | ||
| LAST_TAG=$(git tag --list '${{ env.CHART_TAG_PREFIX }}*' --sort=-v:refname | head -n 1) | ||
| if [ -z "$LAST_TAG" ]; then | ||
| LAST_VERSION="0.0.0" | ||
| else | ||
| LAST_VERSION="${LAST_TAG#${{ env.CHART_TAG_PREFIX }}}" | ||
| fi | ||
| IFS='.' read -r MAJOR MINOR PATCH <<< "$LAST_VERSION" | ||
| PATCH=$((PATCH + 1)) | ||
| NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}" | ||
| echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT | ||
| echo "Auto-releasing chart patch: $LAST_VERSION → $NEW_VERSION (triggered by: ${{ github.event.head_commit.message }})" | ||
|
|
||
| - name: Create and push chart tag | ||
| run: | | ||
| git config --global user.email "actions@github.com" | ||
| git config --global user.name "GitHub Actions" | ||
| git tag "${{ env.CHART_TAG_PREFIX }}${{ steps.version.outputs.new_version }}" | ||
| git push origin "${{ env.CHART_TAG_PREFIX }}${{ steps.version.outputs.new_version }}" | ||
|
|
||
| - name: Update chart dependencies | ||
| run: helm dependency update helm-chart/zxporter-netmon | ||
|
|
||
| - name: Lint Helm chart | ||
| run: helm lint helm-chart/zxporter-netmon | ||
|
|
||
| - name: Package Helm chart | ||
| run: | | ||
| mkdir -p helm-chart/packages | ||
| helm package helm-chart/zxporter-netmon \ | ||
| --version ${{ steps.version.outputs.new_version }} \ | ||
| --app-version ${{ steps.version.outputs.new_version }} \ | ||
| --destination helm-chart/packages | ||
|
|
||
| - name: Push chart to Docker Hub OCI registry | ||
| run: | | ||
| helm push helm-chart/packages/zxporter-netmon-${{ steps.version.outputs.new_version }}.tgz \ | ||
| oci://${{ env.REGISTRY }}/${{ env.ORG }} | ||
|
|
||
| - name: Update Chart.yaml version and appVersion | ||
| run: | | ||
| yq e -i '.version = "${{ steps.version.outputs.new_version }}"' helm-chart/zxporter-netmon/Chart.yaml | ||
| yq e -i '.appVersion = "${{ steps.version.outputs.new_version }}"' helm-chart/zxporter-netmon/Chart.yaml | ||
|
|
||
| - name: Create PR to update Chart.yaml | ||
| uses: peter-evans/create-pull-request@v6 | ||
| with: | ||
| commit-message: "chore(helm): update Chart.yaml version to ${{ steps.version.outputs.new_version }}" | ||
| title: "chore(helm): update zxporter-netmon Chart.yaml version to ${{ steps.version.outputs.new_version }}" | ||
| body: | | ||
| Automated patch release triggered by changes to `helm-chart/zxporter-netmon/`. | ||
|
|
||
| This PR updates `version` and `appVersion` in `helm-chart/zxporter-netmon/Chart.yaml` to `${{ steps.version.outputs.new_version }}`. | ||
|
|
||
| Triggered by commit: ${{ github.event.head_commit.message }} | ||
| branch: "update/chart-version-netmon-${{ steps.version.outputs.new_version }}" | ||
| add-paths: | | ||
| helm-chart/zxporter-netmon/Chart.yaml |
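Review bot: `${{ github.event.head_commit.message }}` is expanded straight into the shell script of the "Bump patch version" step (the `echo "Auto-releasing chart patch: ..."` line); the expression is substituted before bash runs, so a commit message containing a quote or `$(...)` becomes part of the command rather than the message. Pass it through a step-level environment variable (`env: COMMIT_MSG: ${{ github.event.head_commit.message }}`, then `"$COMMIT_MSG"` in the script); the PR `body:` input in the last step is a plain string and does not have this problem. Two ordering and supply-chain points: the `chart-netmon-v*` tag is created and pushed before `helm lint`, `helm package` and `helm push` run, so a failed lint or push leaves a tag with no published chart and the next run bumps past it; moving "Create and push chart tag" after the push step keeps tags and registry contents in sync. `yq` is fetched with `sudo wget` from `releases/latest` with no version pin or checksum, so the release job's toolchain changes without review; pin a release and verify its checksum, or use the `yq` preinstalled on GitHub's `ubuntu-latest` image. Minor: the `HELM_EXPERIMENTAL_OCI=1` step is a no-op on Helm 3.12.3 (OCI support has been GA since 3.8) and in any case runs after the registry login that would have needed it, and `packages: write` is not used since the chart is pushed to Docker Hub, not GHCR.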
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| name: Auto Release Helm Chart (zxporter) | ||
|
|
||
| # Triggers on any merge to main that touches helm-chart/zxporter/** | ||
| # EXCEPT Chart.yaml — that file is updated by this workflow itself via PR, | ||
| # and we exclude it to prevent an infinite release loop. | ||
| on: | ||
| push: | ||
| branches: [main] | ||
| paths: | ||
| - 'helm-chart/zxporter/**' | ||
| - '!helm-chart/zxporter/Chart.yaml' | ||
|
|
||
| env: | ||
| REGISTRY: registry-1.docker.io | ||
| CHART_NAME: zxporter | ||
| ORG: devzeroinc | ||
| CHART_TAG_PREFIX: chart-v | ||
|
|
||
| jobs: | ||
| auto-release: | ||
| name: Patch release zxporter chart | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| packages: write | ||
| pull-requests: write | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up Helm | ||
| uses: azure/setup-helm@v4 | ||
| with: | ||
| version: '3.12.3' | ||
|
|
||
| - name: Install yq | ||
| run: | | ||
| sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 | ||
| sudo chmod +x /usr/local/bin/yq | ||
|
|
||
| - name: Helm registry login | ||
| run: | | ||
| echo "${{ secrets.DOCKERHUB_ZXPORTER_BALANCE_TOKEN }}" | \ | ||
| helm registry login registry-1.docker.io \ | ||
| --username "${{ secrets.DOCKERHUB_ZXPORTER_BALANCE_USERNAME }}" \ | ||
| --password-stdin | ||
|
|
||
| - name: Enable Helm OCI support | ||
| run: echo "HELM_EXPERIMENTAL_OCI=1" >> $GITHUB_ENV | ||
|
|
||
| - name: Fetch tags | ||
| run: git fetch --tags | ||
|
|
||
| - name: Bump patch version | ||
| id: version | ||
| run: | | ||
| LAST_TAG=$(git tag --list '${{ env.CHART_TAG_PREFIX }}*' --sort=-v:refname | head -n 1) | ||
| if [ -z "$LAST_TAG" ]; then | ||
| LAST_VERSION="0.0.0" | ||
| else | ||
| LAST_VERSION="${LAST_TAG#${{ env.CHART_TAG_PREFIX }}}" | ||
| fi | ||
| IFS='.' read -r MAJOR MINOR PATCH <<< "$LAST_VERSION" | ||
| PATCH=$((PATCH + 1)) | ||
| NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}" | ||
| echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT | ||
| echo "Auto-releasing chart patch: $LAST_VERSION → $NEW_VERSION (triggered by: ${{ github.event.head_commit.message }})" | ||
|
|
||
| - name: Create and push chart tag | ||
| run: | | ||
| git config --global user.email "actions@github.com" | ||
| git config --global user.name "GitHub Actions" | ||
| git tag "${{ env.CHART_TAG_PREFIX }}${{ steps.version.outputs.new_version }}" | ||
| git push origin "${{ env.CHART_TAG_PREFIX }}${{ steps.version.outputs.new_version }}" | ||
|
|
||
| - name: Update chart dependencies | ||
| run: helm dependency update helm-chart/zxporter | ||
|
|
||
| - name: Lint Helm chart | ||
| run: helm lint helm-chart/zxporter | ||
|
|
||
| - name: Package Helm chart | ||
| run: | | ||
| mkdir -p helm-chart/packages | ||
| helm package helm-chart/zxporter \ | ||
| --version ${{ steps.version.outputs.new_version }} \ | ||
| --app-version ${{ steps.version.outputs.new_version }} \ | ||
| --destination helm-chart/packages | ||
|
|
||
| - name: Push chart to Docker Hub OCI registry | ||
| run: | | ||
| helm push helm-chart/packages/zxporter-${{ steps.version.outputs.new_version }}.tgz \ | ||
| oci://${{ env.REGISTRY }}/${{ env.ORG }} | ||
|
|
||
| - name: Update Chart.yaml version and appVersion | ||
| run: | | ||
| yq e -i '.version = "${{ steps.version.outputs.new_version }}"' helm-chart/zxporter/Chart.yaml | ||
| yq e -i '.appVersion = "${{ steps.version.outputs.new_version }}"' helm-chart/zxporter/Chart.yaml | ||
|
|
||
| - name: Create PR to update Chart.yaml | ||
| uses: peter-evans/create-pull-request@v6 | ||
| with: | ||
| commit-message: "chore(helm): update Chart.yaml version to ${{ steps.version.outputs.new_version }}" | ||
| title: "chore(helm): update Chart.yaml version to ${{ steps.version.outputs.new_version }}" | ||
| body: | | ||
| Automated patch release triggered by changes to `helm-chart/zxporter/`. | ||
|
|
||
| This PR updates `version` and `appVersion` in `helm-chart/zxporter/Chart.yaml` to `${{ steps.version.outputs.new_version }}`. | ||
|
|
||
| Triggered by commit: ${{ github.event.head_commit.message }} | ||
| branch: "update/chart-version-${{ steps.version.outputs.new_version }}" | ||
| add-paths: | | ||
| helm-chart/zxporter/Chart.yaml |
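Review bot: this file duplicates the zxporter-netmon release workflow with only the chart path, `CHART_NAME` and `CHART_TAG_PREFIX` changed, so every fix has to be applied twice; a single reusable workflow (`workflow_call` with chart-name and tag-prefix inputs, or one workflow with a matrix over the two charts) would keep them from drifting. The same issues are present here: the `echo "Auto-releasing chart patch: ..."` line interpolates `${{ github.event.head_commit.message }}` directly into bash (move it to a step-level `env:` and quote `"$COMMIT_MSG"`), the `chart-v*` tag is pushed before lint, package and push have succeeded, and `yq` is downloaded unpinned from `releases/latest` without a checksum. Specific to this file: the PR `title:` is `chore(helm): update Chart.yaml version to ...` with no chart name, whereas the netmon workflow's title names its chart; with both workflows opening PRs, include `zxporter` in the title so the two are distinguishable.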
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,59 @@ | ||||||||||||||||||||||||||||||||
| name: Helm Chart Validation | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||||||||||
| paths: | ||||||||||||||||||||||||||||||||
| - 'helm-chart/zxporter/**' | ||||||||||||||||||||||||||||||||
| - 'helm-chart/zxporter-netmon/**' | ||||||||||||||||||||||||||||||||
| workflow_dispatch: | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||||||
| validate-zxporter: | ||||||||||||||||||||||||||||||||
| name: Lint & template zxporter chart | ||||||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||||||||
| - name: Checkout code | ||||||||||||||||||||||||||||||||
| uses: actions/checkout@v4 | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| - name: Set up Helm | ||||||||||||||||||||||||||||||||
| uses: azure/setup-helm@v4 | ||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||
| version: '3.12.3' | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| - name: Update chart dependencies | ||||||||||||||||||||||||||||||||
| run: helm dependency update helm-chart/zxporter | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| - name: Lint chart | ||||||||||||||||||||||||||||||||
| run: helm lint helm-chart/zxporter | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| - name: Template render check | ||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||
| helm template zxporter helm-chart/zxporter \ | ||||||||||||||||||||||||||||||||
| --set zxporter.clusterToken=ci-test-token \ | ||||||||||||||||||||||||||||||||
| --set zxporter.kubeContextName=ci-test-cluster \ | ||||||||||||||||||||||||||||||||
| --set zxporter.k8sProvider=other \ | ||||||||||||||||||||||||||||||||
| > /dev/null | ||||||||||||||||||||||||||||||||
| echo "zxporter chart rendered successfully" | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| validate-netmon: | ||||||||||||||||||||||||||||||||
| name: Lint & template zxporter-netmon chart | ||||||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||||||||
| - name: Checkout code | ||||||||||||||||||||||||||||||||
| uses: actions/checkout@v4 | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| - name: Set up Helm | ||||||||||||||||||||||||||||||||
| uses: azure/setup-helm@v4 | ||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||
| version: '3.12.3' | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| - name: Update chart dependencies | ||||||||||||||||||||||||||||||||
| run: helm dependency update helm-chart/zxporter-netmon | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| - name: Lint chart | ||||||||||||||||||||||||||||||||
| run: helm lint helm-chart/zxporter-netmon | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| - name: Template render check | ||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||
| helm template zxporter-netmon helm-chart/zxporter-netmon > /dev/null | ||||||||||||||||||||||||||||||||
| echo "zxporter-netmon chart rendered successfully" | ||||||||||||||||||||||||||||||||
|
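Review bot: the workflow has no `permissions:` block, so both jobs run with the repository's default `GITHUB_TOKEN` scopes even though they only check out code and run `helm dependency update`, `helm lint` and `helm template`; add a root-level `permissions: contents: read` (under `name:`, before `on:`) so the token cannot write to the repository. The third-party actions (`actions/checkout@v4`, `azure/setup-helm@v4`) are referenced by floating major tag; pinning them to a commit SHA makes a `pull_request`-triggered job reproducible and resistant to a tag being moved. The two jobs differ only in the chart directory and the `--set` values, so a matrix over `[zxporter, zxporter-netmon]` would remove the duplication. Minor: `helm template ... > /dev/null` discards the rendered manifests, so a broken template fails the step but leaves nothing to inspect; writing the output to a file and uploading it as an artifact would make failures easier to debug.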
Comment on lines +39 to +59

Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix
AI about 2 months ago
In general, to fix this class of problem you add a `permissions` block either at the root of the workflow (applies to all jobs unless overridden) or per job, and set only the minimal scopes needed (typically `contents: read` for simple CI jobs that just check out code).

For this specific workflow, both jobs only check out the code and run Helm commands; they don't interact with issues, PRs, or perform any repository writes. The single best fix is therefore to add a root-level `permissions` section right under the `name:` (and before `on:`), setting `contents: read`. This will apply to both `validate-zxporter` and `validate-netmon` without altering existing behavior. No additional imports or methods are required, because this is a YAML configuration change only.

Concretely, in `.github/workflows/helm-chart-validation.yml`, insert:

    permissions:
      contents: read

between line 1 (`name: Helm Chart Validation`) and line 3 (`on:`). No other changes are necessary.

Suggested changeset: 1 file, .github/workflows/helm-chart-validation.yml