This directory contains the complete CI/CD pipeline configuration for the Helm charts repository, including workflows, scripts, and configuration files that ensure chart quality, security, and reliability.
Our GitHub Actions setup provides:
- Automated Testing: Comprehensive chart validation and testing
- Security Scanning: Vulnerability detection and best practices validation
- Quality Assurance: Code quality checks and documentation validation
- Automated Releases: Streamlined chart publishing process
- Dependency Management: Automated dependency updates
Triggers: Pull requests that change files under stable/**
What it does:
- Lints Helm charts with strict validation
- Generates and validates documentation
- Scans for security vulnerabilities using Trivy
- Validates Kubernetes manifests against multiple K8s versions
- Tests chart installation on kind clusters
Jobs:
- `lint-chart`: Helm chart linting and validation
- `lint-docs`: Documentation generation and validation
- `security-scan`: Trivy vulnerability scanning
- `validate-manifests`: Kubernetes manifest validation (K8s 1.26-1.29)
- `install-chart`: Chart installation testing
Triggers: Push to main branch with changes in stable/**
What it does:
- Creates GitHub releases for updated charts
- Publishes charts to GitHub Pages
- Generates release notes automatically
- Updates the chart repository index
Triggers: Pull requests and pushes to main branches
What it does:
- YAML linting for consistent formatting
- Chart schema validation
- Security best practices validation with Checkov
- Documentation completeness checks
- Version consistency validation
- License compliance verification
Triggers: Weekly schedule (Mondays at 2 AM) and manual dispatch
What it does:
- Updates Helm chart dependencies automatically
- Creates pull requests with dependency updates
- Provides detailed change summaries
`helm-docs.sh`: Generates and validates chart documentation using helm-docs.
Features:
- Automatic tool installation with caching
- Validation of documentation completeness
- Clear error reporting
Validates Kubernetes manifests using kubeconform (replaces deprecated kubeval).
Features:
- Multi-version Kubernetes validation
- CRD support via external schema sources
- Comprehensive error reporting
`test-local.sh`: Comprehensive local testing script for developers.
Usage:

```bash
# Run all tests
./.github/workflow-extras/test-local.sh

# Quick tests only
./.github/workflow-extras/test-local.sh -q

# Specific tests
./.github/workflow-extras/test-local.sh chart-lint docs

# Show help
./.github/workflow-extras/test-local.sh -h
```

Chart testing (ct) configuration with enhanced validation settings.
Chart releaser (cr) configuration for automated releases.
`.yamllint.yaml`: YAML linting rules optimized for Helm charts.
- Docker
- Git
- Python 3.x (for yamllint)

- Run Local Tests: `./.github/workflow-extras/test-local.sh -q`
- Full Validation: `./.github/workflow-extras/test-local.sh`
- Generate Documentation: `./.github/workflow-extras/helm-docs.sh`

- Before Making Changes:
  - Run `test-local.sh -q` for quick validation
  - Ensure your environment meets the prerequisites
- During Development:
  - Use `helm lint` for immediate feedback
  - Run `helm template` to validate templating
  - Check YAML formatting with `yamllint`
- Before Committing:
  - Run the full test suite: `test-local.sh`
  - Generate documentation: `helm-docs.sh`
  - Commit generated documentation changes
- Pull Request Guidelines:
  - All CI checks must pass
  - Documentation must be current
  - Security scans must be clean
  - Chart version must be incremented
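The version-increment rule above is something chart-testing (`ct`) can enforce in CI rather than leaving it to review. The configuration below is an added example, not this repository's own ct configuration file; the `main` target branch, the `stable` chart directory and the 600 s timeout are assumptions. Every key is one documented in ct's README.

```yaml
# Added example of a chart-testing (ct) configuration; not the repository's
# own file. Assumes charts live under stable/ and PRs target main.
remote: origin
target-branch: main
chart-dirs:
  - stable

# `ct lint` fails when a chart changed relative to target-branch but the
# version in Chart.yaml did not, so a stale version cannot be released.
check-version-increment: true

# Every maintainer listed in Chart.yaml must exist as a GitHub user.
validate-maintainers: true

# Validate Chart.yaml against ct's schema and check YAML syntax of
# values and templates before helm lint runs.
validate-chart-schema: true
validate-yaml: true

# `ct install` first installs the previously released version and then
# upgrades to the PR version, catching breaking upgrade paths pre-release.
upgrade: true

# Give slow-starting charts time to become ready on a kind cluster.
helm-extra-args: --timeout 600s
```

Place the file where `ct` looks for it (`ct.yaml` in the repository root or `.github/`), or point `ct` at it with `--config`.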
- Trivy: Scans chart files for known vulnerabilities and insecure configuration
- Checkov: Validates security best practices
- SARIF Integration: Scan results are uploaded in SARIF format and appear under Code scanning in the repository's Security tab (the uploading job needs the `security-events: write` permission)
- Never commit secrets or credentials
- Use least-privilege permissions, in each workflow's `permissions:` block as well as in chart RBAC
- Regularly update dependencies
- Follow Kubernetes security guidelines
- Validate all external inputs
```bash
# Make scripts executable
chmod +x .github/workflow-extras/*.sh

# Use the local test script to install tools
./.github/workflow-extras/test-local.sh deps

# Check YAML formatting
yamllint -c .yamllint.yaml .

# Test a specific chart
helm lint stable/your-chart --strict
helm template stable/your-chart
```

Enable step debug logging by setting a repository secret or variable named `ACTIONS_STEP_DEBUG` to `true` (or by choosing "Enable debug logging" when re-running a job). Setting `ACTIONS_STEP_DEBUG` in a workflow `env:` block does not enable it: the runner reads this flag from the repository's secrets and variables, not from the job environment.

- Helm Dependencies: Cached by `Chart.yaml` hash
- Tool Binaries: Cached by version number
- Repository Data: Helm repositories cached per workflow
- Security scanning runs parallel to validation
- Multiple Kubernetes versions tested concurrently
- Independent jobs execute simultaneously
- Create the workflow file in `.github/workflows/`
- Follow existing naming conventions
- Include appropriate triggers and permissions
- Add comprehensive job descriptions
- Test thoroughly before merging
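The following workflow file is an added example, not one of this repository's own workflows. It shows the conventions above in one place: a trigger scoped to `stable/**`, a read-only default `permissions:` block with `security-events: write` granted only to the job that uploads SARIF, a `validate-manifests` job that pipes `helm template` into kubeconform once per Kubernetes version in a matrix (with a CRD schema catalog so custom resources are validated rather than skipped), and a `security-scan` job that runs Trivy and publishes results to the Security tab. The file name, job names, the 1.26-1.29 matrix, the CRD catalog URL and the action references are assumptions; pin the actions to release tags or commit SHAs before using it.

```yaml
# .github/workflows/chart-validation.yaml -- added example, not one of the
# repository's own workflows. Job names, matrix and action refs are
# illustrative assumptions.
name: Chart Validation

on:
  pull_request:
    paths:
      - "stable/**"
  workflow_dispatch:

# Workflow-wide default: a read-only GITHUB_TOKEN. Jobs that need more
# declare it themselves; everything else inherits this default.
permissions:
  contents: read

# Cancel superseded runs of the same ref to save runner minutes.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  validate-manifests:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false   # report every failing version, not just the first
      matrix:
        k8s-version: ["1.26.0", "1.27.0", "1.28.0", "1.29.0"]
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - name: Install kubeconform
        run: |
          go install github.com/yannh/kubeconform/cmd/kubeconform@latest
          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
      - name: Render and validate every chart
        env:
          # Passed through env rather than interpolated into the script so
          # no workflow expression is ever spliced into shell source.
          K8S_VERSION: ${{ matrix.k8s-version }}
          # CRD schemas are not part of the upstream Kubernetes JSON schemas;
          # this catalog location is the one kubeconform's docs recommend.
          CRD_SCHEMAS: "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
        run: |
          set -euo pipefail
          for chart in stable/*/; do
            echo "== $chart @ Kubernetes $K8S_VERSION"
            helm dependency build "$chart"
            helm template "$(basename "$chart")" "$chart" --kube-version "$K8S_VERSION" \
              | kubeconform -strict -summary -kubernetes-version "$K8S_VERSION" \
                  -schema-location default -schema-location "$CRD_SCHEMAS"
          done

  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # only this job may write code-scanning alerts
    steps:
      - uses: actions/checkout@v4
      - name: Scan charts for misconfigurations with Trivy
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA before merging
        with:
          scan-type: config
          scan-ref: stable
          format: sarif
          output: trivy-results.sarif
          severity: HIGH,CRITICAL
          exit-code: "1"   # fail the job on findings so the check is enforced, not advisory
      - name: Upload SARIF to the Security tab
        if: always()   # publish findings even when the scan step failed the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

Two design choices matter for security here. The top-level `permissions: contents: read` means a compromised third-party action in `validate-manifests` holds only a read token, and `security-events: write` is scoped to the single job that needs it. The `-strict` flag plus the CRD catalog makes kubeconform fail closed: unknown fields and resources with no schema are errors rather than silently skipped, which is what turns the check into a gate.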
- Test changes locally when possible
- Use workflow dispatch for testing
- Monitor execution times and resource usage
- Update documentation accordingly
- Maintain backward compatibility
- Include error handling and validation
- Add appropriate logging and output
- Test on multiple platforms if applicable
Monitor workflow execution in the Actions tab:
- Green checkmarks indicate successful runs
- Red X marks indicate failures requiring attention
- Yellow dots indicate workflows in progress
Check the Security tab for:
- Vulnerability scan results
- Security best practice violations
- Dependency security issues
Track workflow performance:
- Execution time trends
- Cache hit rates
- Resource utilization
- Failure rates
For issues with the GitHub Actions setup:
- Check Recent Changes: Review recent commits for breaking changes
- Review Logs: Examine workflow logs for specific errors
- Local Testing: Use `test-local.sh` to reproduce issues
- Create Issues: Open GitHub issues with detailed error information
- v2.0: Complete modernization with security scanning and enhanced validation
- v1.5: Added dependency update automation
- v1.4: Introduced code quality workflows
- v1.3: Enhanced caching and performance optimizations
- v1.2: Updated to modern GitHub Actions
- v1.1: Added local testing capabilities
- v1.0: Initial GitHub Actions implementation