gha: Allow the controller to watch Secrets / ConfigMaps in the single namespace mode #17
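# Lints the Helm charts under charts/ (kube-score + chart-testing) and, when a
# chart changed, installs it into a throw-away kind cluster with a locally
# built controller image.
name: (gha) Validate Helm Charts

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader handles it.
# yamllint disable-line rule:truthy
on:
  pull_request:
    branches:
      - master
      - mercari-master
    paths:
      - 'charts/**'
      - '.github/workflows/gha-validate-chart.yaml'
      # The actions-runner-controller chart is validated by a separate workflow.
      - '!charts/actions-runner-controller/**'
      - '!**.md'
  push:
    branches:
      - master
      - mercari-master
    paths:
      - 'charts/**'
      - '.github/workflows/gha-validate-chart.yaml'
      - '!charts/actions-runner-controller/**'
      - '!**.md'
  workflow_dispatch:

env:
  # Quoted so no YAML parser ever re-types a version string as a number.
  KUBE_SCORE_VERSION: '1.16.1'
  HELM_VERSION: 'v3.8.0'

# Least privilege: this workflow only needs to read the repository contents.
permissions:
  contents: read

concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
  # but not pushes to master branch by making the concurrency group name unique
  # for pushes
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  validate-chart:
    name: Lint Chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): only setup-helm below is pinned to a commit SHA; the
        # other third-party actions are pinned to mutable tags. Consider
        # pinning all of them to SHAs for supply-chain consistency.
        uses: actions/checkout@v4
        with:
          # Full history is required for `ct list-changed` to diff against the base.
          fetch-depth: 0

      - name: Set up Helm
        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}

      - name: Set up kube-score
        # NOTE(review): the binary is fetched over HTTPS but its integrity is not
        # verified. Publish the expected sha256 alongside KUBE_SCORE_VERSION and
        # check it (e.g. `echo "<EXPECTED_SHA256>  kube-score" | sha256sum -c -`)
        # before making the file executable.
        run: |
          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
          chmod 755 kube-score

      - name: Kube-score generated manifests
        # `shell: bash` runs with `-eo pipefail`, so a failing `helm template`
        # fails the step instead of being masked by the exit status of kube-score.
        shell: bash
        # Folded block scalar: the whole thing is one command line at runtime.
        run: >-
          helm template --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
          --ignore-test pod-networkpolicy
          --ignore-test deployment-has-poddisruptionbudget
          --ignore-test deployment-has-host-podantiaffinity
          --ignore-test container-security-context
          --ignore-test pod-probes
          --ignore-test container-image-tag
          --enable-optional-test container-security-context-privileged
          --enable-optional-test container-security-context-readonlyrootfilesystem

      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Set up chart-testing
        # NOTE(review): this action reference is garbled in this copy of the
        # file; confirm the intended pinned ref (helm/chart-testing-action@<PINNED_REF>).
        uses: helm/[email protected]

      - name: Run chart-testing (list-changed)
        id: list-changed
        # Sets `changed=true` only when at least one chart differs from the base.
        run: |
          ct version
          changed=$(ct list-changed --config charts/.ci/ct-config-gha.yaml)
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Run chart-testing (lint)
        run: |
          ct lint --config charts/.ci/ct-config-gha.yaml

      # Everything below only runs when a chart actually changed.
      - name: Set up docker buildx
        uses: docker/setup-buildx-action@v3
        if: steps.list-changed.outputs.changed == 'true'
        with:
          # NOTE(review): `latest` is unpinned; a fixed buildx version gives reproducible runs.
          version: latest

      - name: Build controller image
        uses: docker/build-push-action@v5
        if: steps.list-changed.outputs.changed == 'true'
        with:
          file: Dockerfile
          platforms: linux/amd64
          # Load into the local docker daemon (no push) so kind can import it.
          load: true
          build-args: |
            DOCKER_IMAGE_NAME=test-arc
            VERSION=dev
          tags: |
            test-arc:dev
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Create kind cluster
        uses: helm/[email protected]
        if: steps.list-changed.outputs.changed == 'true'
        with:
          cluster_name: chart-testing

      - name: Load image into cluster
        if: steps.list-changed.outputs.changed == 'true'
        # NOTE(review): test-arc:dev was already built and loaded by the previous
        # step; confirm whether `make docker-buildx` here is needed or redundant.
        run: |
          export DOCKER_IMAGE_NAME=test-arc
          export VERSION=dev
          export IMG_RESULT=load
          make docker-buildx
          kind load docker-image test-arc:dev --name chart-testing

      - name: Run chart-testing (install)
        if: steps.list-changed.outputs.changed == 'true'
        run: |
          ct install --config charts/.ci/ct-config-gha.yaml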