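# Copyright 2024-2025 New Vector Ltd
# Copyright 2025-2026 Element Creations Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

---
name: Helm Chart Building tests

on:
  pull_request:
  push:
    branches:
      - main
      - 'maintenance/*'
  workflow_dispatch:

# Read-only job token: nothing in this workflow writes back to the repository.
permissions:
  contents: read

jobs:
  # We build from source and commit all generated file changes so that we can see the impact in PRs
  # We want to ensure that the commit of built changes does happen, so fail if building creates changes
  # If this gets problematic we change to not committing the built schemas/values to git
  no-changes-after-building:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Do not leave the job token in .git/config for later steps to read
          persist-credentials: false
      - name: Install uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7.6.0
        with:
          enable-cache: true
          activate-environment: true
      - name: Set up UV environment
        # NOTE(review): if uv.lock is committed, `uv sync --locked` would fail on a
        # stale lockfile instead of silently re-resolving it - confirm before enabling
        run: uv sync
      - name: Build and check for changes
        run: |
          # The default `run` shell does not set pipefail, so a failure on the left
          # of a pipe would otherwise be masked by the command on the right
          set -o pipefail
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          # Ensure all JSON files are consistently formatted.
          # NUL-delimited so paths containing whitespace reach yq intact.
          git ls-files -z | grep -zE 'json$' | xargs -0 -r -n1 yq -iP --indent 2 -o json '.'
          # Rebuild the charts & test values files from the current source
          scripts/assemble_ci_values_files_from_fragments.sh
          version=$(yq '.version' charts/matrix-stack/Chart.yaml)
          scripts/assemble_helm_charts_from_fragments.sh
          scripts/set_chart_version.sh "$version"
          # `git diff` ignores untracked files, so register any newly generated
          # (non-ignored) files first; otherwise a brand-new output file would pass unnoticed
          git add --all --intent-to-add
          git diff --exit-code

  helm-lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - name: Set up chart-testing
        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f  # v2.8.0
      - name: Run chart-testing (lint)
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          scripts/ct-lint.sh --config ct.yaml
      - name: Install uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7.6.0
        with:
          enable-cache: true
          activate-environment: true
      - name: Set up UV environment
        run: uv sync
      - name: Set up Kubeconform
        uses: bmuschko/setup-kubeconform@5ccaecbbf012bcb1eeeab66e649db64a477ade8f  # v1.0.0
      - name: Run kubeconform
        run: |
          # Without pipefail a failing `helm template` feeds kubeconform empty input,
          # which validates cleanly and hides the rendering error
          set -o pipefail
          # NOTE(review): the CRD schema catalog below is fetched from a moving branch
          # (main); pinning it to a specific commit would keep lint results reproducible
          for values in charts/matrix-stack/ci/*values.yaml; do
            echo "Testing matrix-stack with $values"
            helm template \
              -n ess-ci \
              -a monitoring.coreos.com/v1/ServiceMonitor \
              -a cert-manager.io/v1/Certificate \
              -f "$values" charts/matrix-stack \
              | kubeconform \
                -schema-location default \
                -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
                -strict \
                -summary
          done
      - name: Run checkov
        run: |
          checkov --version
          for checkov_values in charts/matrix-stack/ci/*checkov*values.yaml; do
            scripts/checkov.sh "$checkov_values"
          done
      # asdf wants to build skopeo, so use a different action
      - name: Set up skopeo
        uses: warjiang/setup-skopeo@71776e03c10d767c04af8924fe5a67763f9b3d34  # v0.1.3
        with:
          version: v1.20.0
      - name: Run image verifications
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          GHCR_USERNAME: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          skopeo --version
          # The DockerHub login is optional: the secret is empty where it is not
          # provided (e.g. pull requests from forks), so only GHCR is logged into then.
          # Credentials go over stdin so they never appear in the process list.
          if [[ -n ${DOCKERHUB_TOKEN} ]]; then
            echo "Logging into DockerHub"
            echo "${DOCKERHUB_TOKEN}" | skopeo login docker.io --username "${DOCKERHUB_USERNAME}" --password-stdin
          fi
          echo "Logging into GHCR"
          echo "${GHCR_TOKEN}" | skopeo login ghcr.io --username "${GHCR_USERNAME}" --password-stdin
          scripts/verify_images.sh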