diff --git a/.github/workflows/actions-linting.yml b/.github/workflows/actions-linting.yml index 247cbf334..273479660 100644 --- a/.github/workflows/actions-linting.yml +++ b/.github/workflows/actions-linting.yml @@ -11,6 +11,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: action-validator: runs-on: ubuntu-latest @@ -60,3 +63,21 @@ jobs: echo "$unpinned_actions" exit 1 fi + + explicit-permissions: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + - name: Find workflows that have jobs that rely on the default permissions + run: | + workflows_with_implicit_permissions=$( + find .github/workflows -type f \( -iname \*.yaml -o -iname \*.yml \) -print0 \ + | xargs -0 -I {} yq '{filename: ([.jobs.* | has("permissions")] | all) or (. | has("permissions"))}' {} \ + | grep -E 'false$' || true) + if [ "$workflows_with_implicit_permissions" != "" ]; then + echo "There are workflows that have not set permissions either globally or for all jobs:" + echo "$workflows_with_implicit_permissions" + exit 1 + fi diff --git a/.github/workflows/artifact-hub.yml b/.github/workflows/artifact-hub.yml index ee4db97b0..43095dc0d 100644 --- a/.github/workflows/artifact-hub.yml +++ b/.github/workflows/artifact-hub.yml @@ -5,7 +5,6 @@ name: Artifact Hub Metadata on: - pull_request: push: branches: - main @@ -18,8 +17,6 @@ jobs: packages: write runs-on: ubuntu-latest steps: - # This will push the OCI artifact only on merges - # As the checkout will push the PR Target commit hash - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index 4f81f9968..6ec339ce0 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml 
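Review bot: In the new `explicit-permissions` job the yq expression builds a map with the literal key `filename`, so on failure the echoed lines read `filename: false` and never say which workflow is missing a `permissions` block. yq v4 has a `filename` operator for the input path, so something like `yq 'select((([.jobs.* | has("permissions")] | all) or has("permissions")) == false) | filename' {}` would print the offending path and make the `grep -E 'false$'` unnecessary (worth confirming against the yq version on the runner). A comment on the step should also state that `has("permissions")` only checks that a block is declared, not what it grants, so a workflow-level `permissions: write-all` still passes and least-privilege review remains manual, e.g. `# Checks that permissions are declared, not that they are minimal`.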
@@ -10,6 +10,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: # We build from source and commit all generated file changes so that we can see the impact in PRs # We want to ensure that the commit of built changes does happen, so fail if building creates changes 
@@ -91,193 +94,3 @@ jobs: for checkov_values in charts/matrix-stack/ci/*checkov*values.yaml; do scripts/checkov.sh "$checkov_values" done - - template-dyff: - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write # required to post a comment to a pull request - steps: - - name: Checkout PR - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - fetch-depth: 0 - - # helm template doesn't reliably order manifests within the same kind, so use yq to do it for us - - name: Generate manifests for PR - id: generate-manifests - run: | - mkdir -p "$RUNNER_TEMP/new" - for values in charts/matrix-stack/ci/*values.yaml; do - echo "Generating new templates with $values"; - mkdir -p "$RUNNER_TEMP/new/$(basename "$values" ".yaml")" - helm template \ - -n ess-ci \ - -a monitoring.coreos.com/v1/ServiceMonitor \ - -f "$values" charts/matrix-stack | \ - yq ea '[.] | .[] | splitDoc' | \ - yq -s "\"$RUNNER_TEMP/new/$(basename "$values" ".yaml")/\""' + ([.kind, .metadata.name] | join("-") | downcase) + ".yaml"' - done - echo "output_dir=$RUNNER_TEMP/new" | tee -a "$GITHUB_OUTPUT" - - # We want the most recent common ancestor between the target & PR branches rather than the target branch itself - # There could have been more commits to the target branch since the PR branch was created and we don't want to see - # those changes in the dyff, only what this branch is doing. 
- - name: Determine most recent common ancestor of target and PR branches - id: merge-base - run: | - echo "merge-base=$(git merge-base ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})" | tee -a "$GITHUB_OUTPUT" - - - name: Checkout target - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - ref: ${{ steps.merge-base.outputs.merge-base }} - - - name: Generate manifests for base - run: | - mkdir -p "$RUNNER_TEMP/old" - for values in charts/matrix-stack/ci/*values.yaml; do - echo "Generating old templates with $values"; - mkdir -p "$RUNNER_TEMP/old/$(basename "$values" ".yaml")" - helm template \ - -n ess-ci \ - -a monitoring.coreos.com/v1/ServiceMonitor \ - -f "$values" charts/matrix-stack | \ - yq ea '[.] | .[] | splitDoc' | \ - yq -s "\"$RUNNER_TEMP/old/$(basename "$values" ".yaml")/\""' + ([.kind, .metadata.name] | join("-") | downcase) + ".yaml"' - done - - - name: Install dyff with asdf - uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4 - with: - tool_versions: | - dyff 1.10.1 - - - name: Upload new manifests - id: upload-new - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: - name: new-manifests - path: ${{ steps.generate-manifests.outputs.output_dir }} - retention-days: 1 - - - name: dyff old and new manifests - id: dyff - shell: bash - env: - ARTIFACT_URL: ${{ steps.upload-new.outputs.artifact-url }} - run: | - echo "output_dir=$RUNNER_TEMP" | tee -a "$GITHUB_OUTPUT" - values_directories=$(find "$RUNNER_TEMP/old" "$RUNNER_TEMP/new" -maxdepth 1 -type d | sed -E 's|'"$RUNNER_TEMP"'/(old\|new)||' | sed -E 's|^/||' | sort | uniq) - header="# dyff of changes in rendered templates of CI manifests\n\n" - comment_body="" - while read -r values_dir; do - if [ -z "$values_dir" ]; then - continue - fi - - templates_files=$(find "$RUNNER_TEMP/old" "$RUNNER_TEMP/new" -maxdepth 2 -name '*.yaml' | grep "$values_dir" | sed -E 
's|'"$RUNNER_TEMP"'/(old\|new)/||' | sort | uniq) - comment_templates_body="" - - while read -r templates_file; do - current_file="$(basename "$templates_file")" - if [[ "$current_file" == ".yaml" ]] && [ ! -s "$template_file" ]; then - continue - fi - - if [ ! -f "$RUNNER_TEMP/old/$templates_file" ]; then - api_version=$(yq '.apiVersion' "$RUNNER_TEMP/new/$templates_file") - kind=$(yq '.kind' "$RUNNER_TEMP/new/$templates_file") - name=$(yq '.metadata.name' "$RUNNER_TEMP/new/$templates_file") - namespace=$(yq '.metadata.namespace' "$RUNNER_TEMP/new/$templates_file") - metadata=$(yq '.metadata' "$RUNNER_TEMP/new/$templates_file") - comment_templates_body+="@@ $current_file @@\n" - comment_templates_body+="# $api_version/$kind/$namespace/$name\n" - comment_templates_body+="! + one file added - the full content of the file is available in ${ARTIFACT_URL}\n" - comment_templates_body+="+ apiVersion: $api_version\n" - comment_templates_body+="+ kind: $kind\n" - comment_templates_body+="+ metadata:\n" - while IFS= read -r line; do - comment_templates_body+="+ $line\n" - done <<< "$metadata" - comment_templates_body+="\n\n" - continue - fi - - if [ ! -f "$RUNNER_TEMP/new/$templates_file" ]; then - api_version=$(yq '.apiVersion' "$RUNNER_TEMP/old/$templates_file" ) - kind=$(yq '.kind' "$RUNNER_TEMP/old/$templates_file") - name=$(yq '.metadata.name' "$RUNNER_TEMP/old/$templates_file") - namespace=$(yq '.metadata.namespace' "$RUNNER_TEMP/old/$templates_file") - metadata=$(yq '.metadata' "$RUNNER_TEMP/old/$templates_file") - comment_templates_body+="@@ $current_file @@\n" - comment_templates_body+="# $api_version/$kind/$namespace/$name\n" - comment_templates_body+="! 
- one file removed\n" - comment_templates_body+="- apiVersion: $api_version\n" - comment_templates_body+="- kind: $kind\n" - comment_templates_body+="- metadata:\n" - while IFS= read -r line; do - comment_templates_body+="- $line\n" - done <<< "$metadata" - comment_templates_body+="\n\n" - continue - fi - - exit_code=0 - dyff_detail=$(dyff between --set-exit-code --omit-header --output=github "$RUNNER_TEMP/old/$templates_file" "$RUNNER_TEMP/new/$templates_file" 2>&1) || exit_code=$? - if [ $exit_code -ne 0 ]; then - if [[ "$dyff_detail" == *"failed to compare input files"* ]]; then - echo "failed with file $templates_file" - exit 1 - fi - - api_version=$(yq '.apiVersion' "$RUNNER_TEMP/new/$templates_file") - kind=$(yq '.kind' "$RUNNER_TEMP/new/$templates_file") - name=$(yq '.metadata.name' "$RUNNER_TEMP/new/$templates_file") - namespace=$(yq '.metadata.namespace' "$RUNNER_TEMP/new/$templates_file") - resource_metadata="# $api_version/$kind/$namespace/$name" - comment_templates_body+=$(sed -e "1d" -e "/^@@/a$resource_metadata" <<< "$dyff_detail") - comment_templates_body+="\n\n\n" - fi - done <<< "$templates_files" - - if [[ -n "$comment_templates_body" ]]; then - comment_body+="
$values_dir.yaml\n" - comment_body+='\n```diff\n' - comment_body+="$comment_templates_body" - comment_body+='```\n' - comment_body+="\n
\n" - fi - - done <<< "$values_directories" - - if [ -z "$comment_body" ]; then - comment_body="No changes in rendered templates" - fi - - echo -e "$header$comment_body" | tee "$RUNNER_TEMP/dyff-output.md" - - - name: Upload generated manifests - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - with: - name: dyff-templates - path: ${{ steps.dyff.outputs.output_dir }} - retention-days: 1 - - - name: Find dyff comment - if: github.event.pull_request.number != '' - uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 - id: find-dyff-comment - with: - issue-number: ${{ github.event.pull_request.number }} - comment-author: 'github-actions[bot]' - body-includes: 'dyff of changes in rendered templates' - - - name: Create or update comment - if: github.event.pull_request.number != '' - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 - with: - comment-id: ${{ steps.find-dyff-comment.outputs.comment-id }} - issue-number: ${{ github.event.pull_request.number }} - body-path: ${{ runner.temp }}/dyff-output.md - edit-mode: replace diff --git a/.github/workflows/changelog_check.yml b/.github/workflows/changelog_check.yml index 898459dec..14926b614 100644 --- a/.github/workflows/changelog_check.yml +++ b/.github/workflows/changelog_check.yml @@ -6,6 +6,9 @@ name: Changelog on: pull_request: +permissions: + contents: read + jobs: check-newsfile: if: ${{ (github.base_ref == 'main' || contains(github.base_ref, 'release-')) && github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' }} diff --git a/.github/workflows/licensing.yml b/.github/workflows/licensing.yml index 7d8c50d97..f7ee602ae 100644 --- a/.github/workflows/licensing.yml +++ b/.github/workflows/licensing.yml @@ -11,6 +11,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: reuse-compliance-check: runs-on: ubuntu-latest 
diff --git a/.github/workflows/matrix-tools.yml b/.github/workflows/matrix-tools.yml index 50ed11569..90b877b4c 100644 --- a/.github/workflows/matrix-tools.yml +++ b/.github/workflows/matrix-tools.yml @@ -17,12 +17,11 @@ env: REGISTRY_IMAGE: ghcr.io/${{ github.repository }}/matrix-tools GO_VERSION: "1.24" -permissions: - contents: read - packages: read - jobs: tests: + permissions: + contents: read + packages: read runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -60,6 +59,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Login to GHCR + if: ${{ github.ref_type == 'tag' }} uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 with: registry: ghcr.io diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml index 65cbadf56..e48b073c0 100644 --- a/.github/workflows/pytest.yml +++ b/.github/workflows/pytest.yml @@ -13,7 +13,6 @@ on: permissions: contents: read - packages: read env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} @@ -68,15 +67,9 @@ jobs: run: | echo "$(poetry env info -p)/bin" >> "${GITHUB_PATH}" - - name: Login to GHCR - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Login to Dockerhub uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 + if: ${{ github.repository == 'element-hq/ess-helm' }} with: registry: docker.io username: ${{ secrets.DOCKERHUB_USERNAME }} diff --git a/.github/workflows/releasing.yml b/.github/workflows/releasing.yml index 1a7e8bb5a..d5cf1a42c 100644 --- a/.github/workflows/releasing.yml +++ b/.github/workflows/releasing.yml @@ -50,6 +50,7 @@ jobs: fi - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 with: registry: ghcr.io 
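Review bot: In pytest.yml, `if: ${{ github.repository == 'element-hq/ess-helm' }}` on `Login to Dockerhub` only skips the step when the workflow runs inside a fork's own repository; if this workflow also runs on a fork's `pull_request` to this repository, `github.repository` is still `element-hq/ess-helm` while the secrets are unavailable, so the login would run with empty credentials and fail. Since the workflow already exports the secret at the top (`DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}`), gating on that value covers both cases: `if: ${{ env.DOCKERHUB_USERNAME != '' }}`. The `on:` triggers that would settle which case applies are outside the hunk.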
@@ -75,7 +76,9 @@ jobs: cd charts/matrix-stack helm package . - helm push matrix-stack-*.tgz oci://ghcr.io/${{ github.repository }} + - name: Helm push + if: ${{ github.event_name != 'pull_request' }} + run: helm push matrix-stack-*.tgz oci://ghcr.io/${{ github.repository }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: diff --git a/.github/workflows/scripts-linting.yml b/.github/workflows/scripts-linting.yml index d3c8240c6..dd4daccb0 100644 --- a/.github/workflows/scripts-linting.yml +++ b/.github/workflows/scripts-linting.yml @@ -11,6 +11,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: shellcheck: runs-on: ubuntu-latest diff --git a/.github/workflows/templates-dyff-comment.yml b/.github/workflows/templates-dyff-comment.yml new file mode 100644 index 000000000..96fe92956 --- /dev/null +++ b/.github/workflows/templates-dyff-comment.yml 
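Review bot: The new `Helm push` step runs in a fresh shell at the repository root, whereas the preceding step did `cd charts/matrix-stack` before `helm package .`, so `matrix-stack-*.tgz` will not match unless the job sets a default `working-directory` outside this hunk; add `working-directory: charts/matrix-stack` to the step (or push `charts/matrix-stack/matrix-stack-*.tgz`). The `if: ${{ github.event_name != 'pull_request' }}` guard matches the one added to the registry login in the earlier hunk, which keeps the two steps consistent. The job body starts and ends outside the hunk.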
@@ -0,0 +1,47 @@ +# Copyright 2025 New Vector Ltd +# +# SPDX-License-Identifier: AGPL-3.0-only + +name: dyff of rendered templates - comment +on: + workflow_run: + workflows: ["dyff of rendered templates"] + types: + - completed + +jobs: + manage-comment: + runs-on: ubuntu-latest + permissions: + pull-requests: write + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: Download dyff of templates + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + name: dyff-templates + run-id: ${{ github.event.workflow_run.id }} + + - name: Unpack artifact + id: artifacts + run: | + unzip dyff-templates -d "${{ runner.temp }}" + # This is already formatted as pr-number= + cat "${{ runner.temp }}/pr-number.txt" >> "$GITHUB_OUTPUT" + + - name: Find dyff comment + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3 + id: find-dyff-comment + with: + issue-number: ${{ steps.artifacts.outputs.pr-number }} + comment-author: 'github-actions[bot]' + body-includes: 'dyff of changes in rendered templates' + + - name: Create or update comment + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4 + with: + comment-id: ${{ steps.artifacts.outputs.pr-number }} + issue-number: ${{ github.event.pull_request.number }} + body-path: ${{ runner.temp }}/dyff-output.md + edit-mode: replace diff --git a/.github/workflows/templates-dyff.yml b/.github/workflows/templates-dyff.yml new file mode 100644 index 000000000..4b4277d9d --- /dev/null +++ b/.github/workflows/templates-dyff.yml 
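Review bot: The `Create or update comment` step passes `steps.artifacts.outputs.pr-number` as `comment-id` and `github.event.pull_request.number` as `issue-number`, but a `workflow_run` event carries no `pull_request` payload and the comment id comes from the find step; the intended lines are `comment-id: ${{ steps.find-dyff-comment.outputs.comment-id }}` and `issue-number: ${{ steps.artifacts.outputs.pr-number }}`. Separately, this job runs with `pull-requests: write` on an artifact produced by an unprivileged `pull_request` run, and `Unpack artifact` appends `pr-number.txt` verbatim to `$GITHUB_OUTPUT`, so both the output written and the PR that gets commented on are chosen by whatever produced the artifact. Restrict the value to the expected shape before exporting it, e.g. `pr_number=$(sed -n 's/^pr-number=\([0-9]\{1,\}\)$/\1/p' "${{ runner.temp }}/pr-number.txt")`, fail the step when it is empty, and where possible cross-check it against `github.event.workflow_run.pull_requests` or the run's `head_sha`. Note also that `actions/download-artifact` v4 extracts the artifact on download, so `unzip dyff-templates` may find no zip file; verify against a run log.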
@@ -0,0 +1,182 @@ +# Copyright 2025 New Vector Ltd +# +# SPDX-License-Identifier: AGPL-3.0-only + +name: dyff of rendered templates +on: + pull_request: + +permissions: + contents: read + +jobs: + generate-dyff: + runs-on: ubuntu-latest + steps: + - name: Checkout PR + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + fetch-depth: 0 + + # helm template doesn't reliably order manifests within the same kind, so use yq to do it for us + - name: Generate manifests for PR + id: generate-manifests + run: | + mkdir -p "$RUNNER_TEMP/new" + for values in charts/matrix-stack/ci/*values.yaml; do + echo "Generating new templates with $values"; + mkdir -p "$RUNNER_TEMP/new/$(basename "$values" ".yaml")" + helm template \ + -n ess-ci \ + -a monitoring.coreos.com/v1/ServiceMonitor \ + -f "$values" charts/matrix-stack | \ + yq ea '[.] | .[] | splitDoc' | \ + yq -s "\"$RUNNER_TEMP/new/$(basename "$values" ".yaml")/\""' + ([.kind, .metadata.name] | join("-") | downcase) + ".yaml"' + done + echo "output_dir=$RUNNER_TEMP/new" | tee -a "$GITHUB_OUTPUT" + + # We want the most recent common ancestor between the target & PR branches rather than the target branch itself + # There could have been more commits to the target branch since the PR branch was created and we don't want to see + # those changes in the dyff, only what this branch is doing. 
+ - name: Determine most recent common ancestor of target and PR branches + id: merge-base + run: | + echo "merge-base=$(git merge-base ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})" | tee -a "$GITHUB_OUTPUT" + + - name: Checkout target + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + ref: ${{ steps.merge-base.outputs.merge-base }} + + - name: Generate manifests for base + run: | + mkdir -p "$RUNNER_TEMP/old" + for values in charts/matrix-stack/ci/*values.yaml; do + echo "Generating old templates with $values"; + mkdir -p "$RUNNER_TEMP/old/$(basename "$values" ".yaml")" + helm template \ + -n ess-ci \ + -a monitoring.coreos.com/v1/ServiceMonitor \ + -f "$values" charts/matrix-stack | \ + yq ea '[.] | .[] | splitDoc' | \ + yq -s "\"$RUNNER_TEMP/old/$(basename "$values" ".yaml")/\""' + ([.kind, .metadata.name] | join("-") | downcase) + ".yaml"' + done + + - name: Install dyff with asdf + uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4 + with: + tool_versions: | + dyff 1.10.1 + + - name: Upload new manifests + id: upload-new + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: new-manifests + path: ${{ steps.generate-manifests.outputs.output_dir }} + retention-days: 1 + + - name: dyff old and new manifests + id: dyff + shell: bash + env: + ARTIFACT_URL: ${{ steps.upload-new.outputs.artifact-url }} + PR_NUMBER: ${{ github.event.pull_request.number }} + run: | + echo "output_dir=$RUNNER_TEMP" | tee -a "$GITHUB_OUTPUT" + values_directories=$(find "$RUNNER_TEMP/old" "$RUNNER_TEMP/new" -maxdepth 1 -type d | sed -E 's|'"$RUNNER_TEMP"'/(old\|new)||' | sed -E 's|^/||' | sort | uniq) + header="# dyff of changes in rendered templates of CI manifests\n\n" + comment_body="" + while read -r values_dir; do + if [ -z "$values_dir" ]; then + continue + fi + + templates_files=$(find "$RUNNER_TEMP/old" "$RUNNER_TEMP/new" -maxdepth 2 -name '*.yaml' 
| grep "$values_dir" | sed -E 's|'"$RUNNER_TEMP"'/(old\|new)/||' | sort | uniq) + comment_templates_body="" + + while read -r templates_file; do + current_file="$(basename "$templates_file")" + if [[ "$current_file" == ".yaml" ]] && [ ! -s "$template_file" ]; then + continue + fi + + if [ ! -f "$RUNNER_TEMP/old/$templates_file" ]; then + api_version=$(yq '.apiVersion' "$RUNNER_TEMP/new/$templates_file") + kind=$(yq '.kind' "$RUNNER_TEMP/new/$templates_file") + name=$(yq '.metadata.name' "$RUNNER_TEMP/new/$templates_file") + namespace=$(yq '.metadata.namespace' "$RUNNER_TEMP/new/$templates_file") + metadata=$(yq '.metadata' "$RUNNER_TEMP/new/$templates_file") + comment_templates_body+="@@ $current_file @@\n" + comment_templates_body+="# $api_version/$kind/$namespace/$name\n" + comment_templates_body+="! + one file added - the full content of the file is available in ${ARTIFACT_URL}\n" + comment_templates_body+="+ apiVersion: $api_version\n" + comment_templates_body+="+ kind: $kind\n" + comment_templates_body+="+ metadata:\n" + while IFS= read -r line; do + comment_templates_body+="+ $line\n" + done <<< "$metadata" + comment_templates_body+="\n\n" + continue + fi + + if [ ! -f "$RUNNER_TEMP/new/$templates_file" ]; then + api_version=$(yq '.apiVersion' "$RUNNER_TEMP/old/$templates_file" ) + kind=$(yq '.kind' "$RUNNER_TEMP/old/$templates_file") + name=$(yq '.metadata.name' "$RUNNER_TEMP/old/$templates_file") + namespace=$(yq '.metadata.namespace' "$RUNNER_TEMP/old/$templates_file") + metadata=$(yq '.metadata' "$RUNNER_TEMP/old/$templates_file") + comment_templates_body+="@@ $current_file @@\n" + comment_templates_body+="# $api_version/$kind/$namespace/$name\n" + comment_templates_body+="! 
- one file removed\n" + comment_templates_body+="- apiVersion: $api_version\n" + comment_templates_body+="- kind: $kind\n" + comment_templates_body+="- metadata:\n" + while IFS= read -r line; do + comment_templates_body+="- $line\n" + done <<< "$metadata" + comment_templates_body+="\n\n" + continue + fi + + exit_code=0 + dyff_detail=$(dyff between --set-exit-code --omit-header --output=github "$RUNNER_TEMP/old/$templates_file" "$RUNNER_TEMP/new/$templates_file" 2>&1) || exit_code=$? + if [ $exit_code -ne 0 ]; then + if [[ "$dyff_detail" == *"failed to compare input files"* ]]; then + echo "failed with file $templates_file" + exit 1 + fi + + api_version=$(yq '.apiVersion' "$RUNNER_TEMP/new/$templates_file") + kind=$(yq '.kind' "$RUNNER_TEMP/new/$templates_file") + name=$(yq '.metadata.name' "$RUNNER_TEMP/new/$templates_file") + namespace=$(yq '.metadata.namespace' "$RUNNER_TEMP/new/$templates_file") + resource_metadata="# $api_version/$kind/$namespace/$name" + comment_templates_body+=$(sed -e "1d" -e "/^@@/a$resource_metadata" <<< "$dyff_detail") + comment_templates_body+="\n\n\n" + fi + done <<< "$templates_files" + + if [[ -n "$comment_templates_body" ]]; then + comment_body+="
$values_dir.yaml\n" + comment_body+='\n```diff\n' + comment_body+="$comment_templates_body" + comment_body+='```\n' + comment_body+="\n
\n" + fi + + done <<< "$values_directories" + + if [ -z "$comment_body" ]; then + comment_body="No changes in rendered templates" + fi + + echo -e "$header$comment_body" | tee "$RUNNER_TEMP/dyff-output.md" + echo "pr-number=$PR_NUMBER" | tee "$RUNNER_TEMP/pr-number.txt" + + - name: Upload generated manifests + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: dyff-templates + path: ${{ steps.dyff.outputs.output_dir }} + retention-days: 1 diff --git a/newsfragments/589.changed.md b/newsfragments/589.changed.md new file mode 100644 index 000000000..39be51096 --- /dev/null +++ b/newsfragments/589.changed.md @@ -0,0 +1 @@ +Don't push chart OCI images for every PR. diff --git a/newsfragments/589.internal.1.md b/newsfragments/589.internal.1.md new file mode 100644 index 000000000..cc2291ec1 --- /dev/null +++ b/newsfragments/589.internal.1.md @@ -0,0 +1 @@ +CI: allow dyff job to work on forks. diff --git a/newsfragments/589.internal.2.md b/newsfragments/589.internal.2.md new file mode 100644 index 000000000..5e6e8e207 --- /dev/null +++ b/newsfragments/589.internal.2.md @@ -0,0 +1 @@ +CI: be explicit about what permissions are workflow/job requires. diff --git a/newsfragments/589.internal.md b/newsfragments/589.internal.md new file mode 100644 index 000000000..150f989d9 --- /dev/null +++ b/newsfragments/589.internal.md @@ -0,0 +1 @@ +CI: don't push artifacthub metadata on PRs. diff --git a/tests/integration/fixtures/helm.py b/tests/integration/fixtures/helm.py index b25728d12..751ccf2b9 100644 --- a/tests/integration/fixtures/helm.py +++ b/tests/integration/fixtures/helm.py 
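Review bot: In the `dyff old and new manifests` script, `[ ! -s "$template_file" ]` references `template_file` (singular), which is never assigned, so that test is always true and the skip reduces to `current_file == ".yaml"`; the loop variable is `templates_file`, and the check presumably meant one of the real paths, e.g. `[ ! -s "$RUNNER_TEMP/new/$templates_file" ]`, or the clause should be dropped. The `Upload generated manifests` step uploads all of `$RUNNER_TEMP` (`output_dir=$RUNNER_TEMP`) rather than just `old/`, `new/`, `dyff-output.md` and `pr-number.txt`, so anything other tooling on the runner stored there ends up in a retained artifact; writing those outputs into a dedicated subdirectory and uploading only that would be narrower. A comment on the job noting that its artifact is consumed by `templates-dyff-comment.yml` under a `workflow_run` trigger with write permissions, and that its contents are therefore PR-controlled input to that job, would help keep the two workflows in sync.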
@@ -27,8 +27,8 @@ async def helm_prerequisites( resources = [] setups: list[Awaitable] = [] - # On CI, public runners need read access to dockerhub.io - if os.environ.get("CI"): + # On CI, public runners should login to dockerhub.io to avoid rate-limits + if os.environ.get("CI") and ("DOCKERHUB_USERNAME" in os.environ) and ("DOCKERHUB_TOKEN" in os.environ): resources.append( kubernetes_docker_secret( f"{generated_data.release_name}-dockerhub",
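Review bot: `"DOCKERHUB_USERNAME" in os.environ` is true when the variable exists but is empty, which is what a fork PR gets when a workflow exports the secret through `env:` (pytest.yml does: `DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}`), so the guard would still register a dockerhub secret with blank credentials. Testing the value rather than the key closes this: `if os.environ.get("CI") and os.environ.get("DOCKERHUB_USERNAME") and os.environ.get("DOCKERHUB_TOKEN"):`. helm_prerequisites starts before and continues after the hunk.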