name: lint-test-helm on: pull_request: branches: - main paths: - 'clusters/cl01tl/helm/**' push: branches: - main paths: - 'clusters/cl01tl/helm/**' env: CLUSTER: cl01tl BASE_BRANCH: "origin/${{ github.base_ref }}" # renovate: datasource=github-releases depName=yannh/kubeconform KUBECONFORM_VERSION: "v0.6.7" jobs: lint-helm: runs-on: ubuntu-js outputs: chart-dir: ${{ steps.check-dir-changes.outputs.chart-dir }} chart-dir-csv: ${{ steps.check-dir-changes.outputs.chart-dir-csv }} changes-detected: ${{ steps.check-dir-changes.outputs.changes-detected }} steps: - name: Checkout uses: actions/checkout@v6 with: fetch-depth: 0 - name: Check Branch Exists id: check-branch-exists if: github.event_name == 'pull_request' uses: GuillaumeFalourd/branch-exists@v1.1 with: branch: ${{ github.base_ref }} - name: Report Branch Exists id: branch-exists if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request' run: | if [ "${{ github.event_name }}" == "push" ]; then echo ">> Action is from a push event, will continue with linting" else echo ">> Branch ${{ github.base_ref }} exists, will continue with linting" fi echo "" echo "----" echo "exists=true" >> $GITHUB_OUTPUT - name: Set Up Helm if: steps.branch-exists.outputs.exists == 'true' uses: azure/setup-helm@v4 with: token: ${{ secrets.GITEA_TOKEN }} # renovate: datasource=github-releases depName=helm/helm version: v4.1.3 cache: true - name: Cache Helm Dependencies if: steps.branch-exists.outputs.exists == 'true' uses: actions/cache@v5 with: path: | ~/.cache/helm ~/.config/helm key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }} restore-keys: | helm-cache-${{ runner.os }}- - name: Check Directories for Changes id: check-dir-changes if: steps.branch-exists.outputs.exists == 'true' run: | echo ">> Target branch for diff is: ${BASE_BRANCH}" if [ "${{ github.event_name }}" == "pull_request" ]; then DIFF_TARGET="${BASE_BRANCH}" echo "" echo ">> Checking for changes in a pull request ..." else DIFF_TARGET="${{ github.event.before }}..HEAD" echo "" echo ">> Checking for changes from a push ..." fi CHANGED_CHARTS=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true) if [ -n "${CHANGED_CHARTS}" ]; then echo "" echo ">> Chart to Lint:" echo "" echo "${CHANGED_CHARTS}" CHANGED_CHARTS_CSV=$(echo "$CHANGED_CHARTS" | paste -sd ',' -) echo "" echo "----" echo "changes-detected=true" >> $GITHUB_OUTPUT echo "chart-dir-csv=${CHANGED_CHARTS_CSV}" >> $GITHUB_OUTPUT echo "chart-dir<> $GITHUB_OUTPUT echo "${CHANGED_CHARTS}" >> $GITHUB_OUTPUT echo "EOF" >> $GITHUB_OUTPUT else echo "" echo ">> Did not find any helm charts files to lint" echo "" echo "----" echo "changes-detected=false" >> $GITHUB_OUTPUT fi - name: Add Repositories if: steps.check-dir-changes.outputs.changes-detected == 'true' env: CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }} run: | echo ">> Adding repositories for chart dependencies ..." echo "" for DIR in ${CHANGED_CHARTS}; do helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \ | tail -n +2 \ | awk 'NF > 0 { print $1, $3 }' \ | while read -r REPO_NAME REPO_URL; do if [[ "${REPO_URL}" == oci://* ]]; then echo ">> Ignoring OCI repo: ${REPO_URL}" elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then helm repo add "${REPO_NAME}" "${REPO_URL}" fi done || true done if helm repo list > /dev/null 2>&1; then echo "" echo ">> Update repository cache ..." helm repo update fi echo "" echo "----" - name: Lint Helm Chart id: lint if: steps.check-dir-changes.outputs.changes-detected == 'true' env: CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }} run: | EXIT_CODE=0 FAILED_CHARTS="" echo ">> Running linting on changed charts ..." for DIR in ${CHANGED_CHARTS}; do CHART_PATH="clusters/${CLUSTER}/helm/${DIR}" CHART_NAME=$(basename "${CHART_PATH}") if [ -f "${CHART_PATH}/Chart.yaml" ]; then echo "" echo ">> Building helm dependency for ${CHART_NAME} ..." helm dependency build "${CHART_PATH}" --skip-refresh echo "" echo ">> Linting helm chart ${CHART_NAME} ..." if ! helm lint "${CHART_PATH}" --namespace "default"; then EXIT_CODE=1 if [ -z "${FAILED_CHARTS}" ]; then FAILED_CHARTS="${DIR}" else FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}" fi fi else echo "" echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..." fi done echo "" echo "----" echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT" exit $EXIT_CODE - name: ntfy Failed uses: niniyas/ntfy-action@master if: failure() with: url: '${{ secrets.NTFY_URL }}' topic: '${{ secrets.NTFY_TOPIC }}' title: 'Helm Test Failure' priority: 3 headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' tags: action,failed details: "Helm linting for cluster '${CLUSTER}' failed on charts: ${{ steps.lint.outputs.failed-charts }}" icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png' actions: '[{"action": "view", "label": "View Run", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]' image: true validate-kubeconform: needs: lint-helm runs-on: ubuntu-js if: | needs.lint-helm.result == 'success' && needs.lint-helm.outputs.changes-detected == 'true' && github.event_name == 'pull_request' steps: - name: Checkout uses: actions/checkout@v6 with: fetch-depth: 0 - name: Install Kubeconform run: | echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..." wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz echo "" echo ">> Extracting Kubeconform ..." tar xf kubeconform-linux-amd64.tar.gz echo "" echo ">> Installing Kubeconform ..." sudo mv kubeconform /usr/local/bin/ echo "" echo ">> Verifying installation ..." kubeconform -v echo "" echo "----" - name: Set Up Helm uses: azure/setup-helm@v4 with: token: ${{ secrets.GITEA_TOKEN }} # renovate: datasource=github-releases depName=helm/helm version: v4.1.3 cache: true - name: Cache Helm Dependencies uses: actions/cache@v5 with: path: | ~/.cache/helm ~/.config/helm key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }} restore-keys: | helm-cache-${{ runner.os }}- - name: Add Repositories env: CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }} run: | echo ">> Adding repositories for chart dependencies ..." echo "" for DIR in ${CHANGED_CHARTS}; do helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \ | tail -n +2 \ | awk 'NF > 0 { print $1, $3 }' \ | while read -r REPO_NAME REPO_URL; do if [[ "${REPO_URL}" == oci://* ]]; then echo ">> Ignoring OCI repo: ${REPO_URL}" elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then helm repo add "${REPO_NAME}" "${REPO_URL}" fi done || true done if helm repo list > /dev/null 2>&1; then echo "" echo ">> Update repository cache ..." helm repo update fi echo "" echo "----" - name: Validate Rendered Templates id: validate env: CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }} run: | SCHEMA_LOCATIONS="-schema-location default -schema-location https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" EXIT_CODE=0 FAILED_CHARTS="" for DIR in ${CHANGED_CHARTS}; do CHART_PATH="clusters/${CLUSTER}/helm/${DIR}" echo "" echo ">> Validating: ${DIR}" helm dependency build "${CHART_PATH}" --skip-refresh if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute" | \ kubeconform \ ${SCHEMA_LOCATIONS} \ -ignore-missing-schemas \ -strict \ -summary; then EXIT_CODE=1 if [ -z "${FAILED_CHARTS}" ]; then FAILED_CHARTS="${DIR}" else FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}" fi fi done echo "" echo "----" echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT" exit $EXIT_CODE - name: ntfy Failed uses: niniyas/ntfy-action@master if: failure() with: url: '${{ secrets.NTFY_URL }}' topic: '${{ secrets.NTFY_TOPIC }}' title: 'Kubeconform Test Failure' priority: 3 headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' tags: action,failed details: "Kubeconform for cluster '${CLUSTER}' failed on charts: ${{ steps.validate.outputs.failed-charts }}" icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png' actions: '[{"action": "view", "label": "View Run", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]' image: true