Merge branch 'main' into add-test-for-tw

Signed-off-by: Debasish Biswas <debasishbsws.dev@gmail.com>

Author: debasishbsws

.claude/settings.local.json

@@ -0,0 +1,7 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(go test:*)"
+    ]
+  }
+}

.github/workflows/c-i.yaml

@@ -23,14 +23,14 @@ jobs:
       contents: read
     runs-on: ubuntu-24.04-${{matrix.arch}}
     steps:
-      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+      - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: chainguard-dev/actions/apt-faster@3e8a2a226fad9e1ecbf2d359b8a7697554a4ac6d # v1.5.10
-      - uses: chainguard-dev/actions/setup-melange@3e8a2a226fad9e1ecbf2d359b8a7697554a4ac6d # v1.5.10
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: chainguard-dev/actions/apt-faster@18e5e3427cf9d6bcfbefe60dca48e40292f000c5 # v1.5.13
+      - uses: chainguard-dev/actions/setup-melange@18e5e3427cf9d6bcfbefe60dca48e40292f000c5 # v1.5.13
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version-file: './go.work'
           cache-dependency-path: '**/*.sum'

README.md

@@ -2,16 +2,15 @@
 tw (pronounced tee-dub) is a centralized repository for testing and building
 tools or helpers.
 
-## Release to Wolfi
-To release a version of tw to wolfi, run tools/release-to-wolfi.
+## Release to stereo
+To release a version of tw to stereo, run tools/release-to-stereo.
 
     $ git tag vX.Y.Z
     $ git push origin vX.Y.Z
-    $ ./tools/release-to-wolfi vX.Y.Z \
-       ~/src/wolfi-os/ ~/src/enterprise-packages ~/src/extra-packages
+    $ ./tools/release-to-stereo vX.Y.Z ~/git/cg/chainguard-dev/stereo/
 
-This takes care of updating the `tw.yaml` file from `melange.yaml`
-for wolfi, and syncs the pipeline files for other dirs.
+This takes care of updating the `tw.yaml` file from `melange.yaml`,
+and syncs the pipeline files for other dirs.
 
 That will do a commit and you just need to push and do a PR.
 
@@ -27,6 +26,14 @@ make test-melange
 ```
 
 This validates that the tw tools package builds and functions correctly.
+In order to test a tw pipeline in a local stereo repository, you need the following steps:
+
+* Build the tw tools package in this repository, `make build`.
+* If required, sync the pipeline yaml to stereo by hand.
+* If required, build the melange package with the new pipeline, in the stereo repository.
+* If required, test the melange package with the new pipeline, in the stereo repository.
+
+Most likely, you need to tell the melange build in the stereo repository to use the tw index.
 
 ### 2. Project Tests (`test-projects`)
 Tests individual project subdirectories (e.g., `ldd-check`, `package-type-check`, `gosh`, etc.).
@@ -46,6 +53,11 @@ Tests the pipeline validators located in `pipelines/test/tw/` using test package
 
 ```bash
 make test-pipelines
+user@debian:~git/tw $ make build
+user@debian:~git/tw $ cp pipelines/test/tw/something.yaml ~/git/stereo/os/pipelines/test/tw/
+user@debian:~git/tw $ cd ~/git/stereo/enterprise-packages/
+user@debian:~git/stereo/os $ make debug/somepackage
+user@debian:~git/stereo/os $ MELANGE_DEBUG_TEST_OPTS="--ignore-signatures --repository-append ~/git/tw/packages" make test-debug/somepackage
 ```
 
 This runs a complete test suite that:

chelm/Makefile

@@ -0,0 +1,18 @@
+PROJECT = chelm
+MELANGE_CONTEXTDIR ?= /tmp/melange-context/$(PROJECT)
+MELANGE_INSTALL_PATH = $(MELANGE_CONTEXTDIR)/usr/bin
+
+.PHONY: build test clean melange-install
+
+build:
+	go build -o chelm .
+
+test:
+	go test -v ./...
+
+clean:
+	rm -f chelm
+
+melange-install: build
+	mkdir -p $(MELANGE_INSTALL_PATH)
+	install -Dm755 chelm $(MELANGE_INSTALL_PATH)/chelm

chelm/chelm_test.go

@@ -0,0 +1,33 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"testing"
+
+	"chainguard.dev/tw/chelm/cmd"
+	"github.com/rogpeppe/go-internal/testscript"
+)
+
+func TestMain(m *testing.M) {
+	testscript.Main(m, map[string]func(){
+		"chelm": chelmMain,
+	})
+}
+
+func chelmMain() {
+	if err := cmd.Execute(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}
+
+var update = flag.Bool("update", false, "update testscript golden files")
+
+func TestChelm(t *testing.T) {
+	testscript.Run(t, testscript.Params{
+		Dir:           "testdata",
+		UpdateScripts: *update,
+	})
+}

chelm/cmd/generate.go

@@ -0,0 +1,43 @@
+package cmd
+
+import (
+	"encoding/json"
+	"os"
+
+	"chainguard.dev/tw/chelm/internal/chelm"
+	"github.com/spf13/cobra"
+)
+
+var generateCmd = &cobra.Command{
+	Use:   "generate",
+	Short: "Validate and format cg.json",
+	Long: `Read Chainguard chart metadata as JSON from stdin, validate markers and test cases, and write formatted JSON.
+
+Example:
+  yq -n '.images.nginx.values.image = "${ref}"' -o=json | chelm generate -o cg.json`,
+	RunE: func(cmd *cobra.Command, _ []string) error {
+		output, _ := cmd.Flags().GetString("output")
+
+		w := cmd.OutOrStdout()
+		if output != "-" {
+			f, err := os.Create(output)
+			if err != nil {
+				return err
+			}
+			defer f.Close()
+			w = f
+		}
+
+		meta, err := chelm.Parse(cmd.InOrStdin())
+		if err != nil {
+			return err
+		}
+		enc := json.NewEncoder(w)
+		enc.SetIndent("", "  ")
+		return enc.Encode(meta)
+	},
+}
+
+func init() {
+	generateCmd.Flags().StringP("output", "o", "-", "Output file (- for stdout)")
+}

chelm/cmd/root.go

@@ -0,0 +1,22 @@
+package cmd
+
+import "github.com/spf13/cobra"
+
+var rootCmd = &cobra.Command{
+	Use:   "chelm",
+	Short: "Validate Helm chart image mappings",
+	Long: `chelm validates Helm chart image mappings for Chainguard packaging.
+
+It complements melange pipelines, composing with helm template via stdin/stdout.`,
+	SilenceUsage:  true,
+	SilenceErrors: true,
+}
+
+func Execute() error {
+	return rootCmd.Execute()
+}
+
+func init() {
+	rootCmd.AddCommand(generateCmd)
+	rootCmd.AddCommand(testCmd)
+}