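---
# Helm chart CI: lint and test charts on pull requests, release them from
# main, then run static security scans (CodeQL, Trivy config scan) and upload
# the SARIF results to the Security tab.
#
# NOTE(review): several values containing "@" read `[email protected]` in this
# copy (an extraction artifact, e.g. the `uses:` references and the git
# email). Each must be restored to its intended value — for actions, an
# `owner/action@<pinned-tag-or-commit-sha>` reference — before this file is
# usable.
name: charts

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    paths:
      - 'charts/**'
  pull_request:
    branches:
      - main
    paths:
      - 'charts/**'
  workflow_dispatch:

# One run per workflow+ref; a newer push cancels the in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Default token scope is read-only; jobs opt in to the write scopes they need.
permissions: read-all

jobs:
  chart:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # NOTE(review): no step below uses it — drop if unneeded
      pages: write  # NOTE(review): no step below uses it — drop if unneeded
      security-events: write  # CodeQL and Trivy SARIF upload
      contents: write  # chart-releaser publishes release assets / index
      pull-requests: write  # dependency-review PR comment
    # Runs for pull requests and for pushes/dispatches on main only. The ref is
    # compared exactly, so a dispatch from another branch whose name merely
    # contains "main" cannot reach the release steps below.
    if: ${{ github.event_name == 'pull_request' || github.ref == 'refs/heads/main' }}
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # ct list-changed and chart-releaser need full history
          persist-credentials: false  # keep the token out of .git/config

      - name: 'Dependency Review'
        if: ${{ github.event_name == 'pull_request' }}
        uses: actions/dependency-review-action@v4
        with:
          # NOTE(review): `allow-ghsas` is documented as a list of GHSA ids to
          # ignore; `true` is kept as written — confirm it has the intended effect.
          allow-ghsas: true
          comment-summary-in-pr: always

      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.16.3

      - name: Setup Chart Linting
        if: ${{ github.event_name == 'pull_request' }}
        id: lint
        uses: helm/[email protected]

      - name: Run chart-testing (list-changed)
        if: ${{ github.event_name == 'pull_request' }}
        id: list-changed
        # Expression values are passed through `env` rather than interpolated
        # into the shell text. `::set-output` is deprecated; step outputs go to
        # $GITHUB_OUTPUT. No later step in this file reads `changed`.
        env:
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          changed=$(ct list-changed --target-branch "$DEFAULT_BRANCH")
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Run chart-testing (lint)
        if: ${{ github.event_name == 'pull_request' }}
        env:
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: ct lint --target-branch "$DEFAULT_BRANCH" --validate-maintainers=false

      - name: Configure Git
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "[email protected]"

      - name: Copy Readme and License
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          cp -v *.md charts/applicationset/

      - name: Run chart-releaser
        if: ${{ github.ref == 'refs/heads/main' }}
        uses: helm/[email protected]
        with:
          charts_dir: charts
          config: charts/cr.yml
          mark_as_latest: true
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Initialize CodeQL
        uses: github/codeql-action/[email protected]
        continue-on-error: true  # scan failures must not block the release path

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/[email protected]
        continue-on-error: true

      - name: Run Trivy vulnerability scanner
        # TODO(review): `@master` is a mutable ref — the action code can change
        # underneath this workflow without any commit here. Pin to a release tag
        # or a full commit SHA (aquasecurity/trivy-action@<release-tag-or-sha>).
        uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          scan-type: 'config'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: 'trivy-results.sarif'

  k8s-test:
    runs-on: ubuntu-latest
    needs: [chart]
    if: ${{ github.ref != 'refs/heads/main' }}
    steps:
      - name: Create k8s Kind Cluster
        uses: helm/[email protected]
        with:
          kubectl_version: v1.29.3  # Ensure compatibility with the latest APIs
          node_image: kindest/node:v1.29.2  # Match node version with kubectl for consistency

      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false  # nothing in this job pushes; same as the chart job

      - name: Run K8s test
        # The CRD source is quoted instead of backslash-escaping `?` and `=`;
        # the argument bash receives is identical. `ref=stable` is a moving
        # target — pin a release tag if the test needs to be reproducible.
        run: |
          kubectl create ns argocd
          kubectl apply -k 'https://github.com/argoproj/argo-cd/manifests/crds?ref=stable' -n argocd
          helm upgrade -i appsets charts/applicationset --namespace argocd --create-namespace
          helm list -A
          kubectl get all -A
          kubectl get applications -A -o wide
          kubectl get applicationsets -A -o wide

  auto-approve:
    runs-on: ubuntu-latest
    needs: [chart, k8s-test]
    permissions:
      pull-requests: write
    if: ${{ github.event_name == 'pull_request' }}
    # Approves every pull request whose chart and k8s jobs passed. If branch
    # protection on main counts this bot approval toward required reviews, the
    # review gate no longer reflects a human reviewer — confirm this is intended.
    steps:
      - name: Auto Approve PR
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.pulls.createReview({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              event: "APPROVE"
            })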