Add helm 4 limited compatibility (#642)

Author: jkroepke

.github/workflows/ci.yaml

@@ -107,6 +107,10 @@ jobs:
             shell: bash
             jobs: 4
             helm-version: 3.16.4
+          - os: ubuntu-24.04
+            shell: bash
+            jobs: 4
+            helm-version: 4.0.0
           - os: ubuntu-24.04
             container: alpine
             shell: zsh
@@ -220,6 +224,7 @@ jobs:
           vals version
 
       - name: Run helm-secrets w/o bats
+        if: ${{ !startsWith(matrix.helm-version, '4') }}
         run: |-
           helm plugin install "${{ github.event_name == 'pull_request'
             && format('{0}/{1}', github.server_url, github.event.pull_request.head.repo.full_name)
@@ -228,6 +233,16 @@ jobs:
             && github.head_ref
             || github.ref
           }}"
+          helm plugin list
+          helm secrets -v
+
+      - name: Run helm-secrets w/o bats
+        if: ${{ startsWith(matrix.helm-version, '4') }}
+        run: |-
+          helm plugin install plugins/helm-secrets-cli
+          helm plugin install plugins/helm-secrets-getter
+          helm plugin install plugins/helm-secrets-post-renderer
+          helm plugin list
           helm secrets -v
 
       - name: HELM_SECRETS_BACKEND=sops bats --tap -r tests/unit

.github/workflows/release.yaml

@@ -10,23 +10,77 @@ jobs:
   build:
     name: Create Release
     runs-on: ubuntu-latest
+    environment: release
     permissions:
       contents: write
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+      - name: Setup Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: v4.0.0
+
+      - name: GPG configuration
+        run: |-
+          echo "$GPG_KEY" > "$GPG_KEY_PATH"
+          mkdir -p "$HOME/.gnupg"
+          chmod 0700 "$HOME/.gnupg"
+          echo "use-agent" > "$HOME/.gnupg/gpg.conf"
+          echo "pinentry-mode loopback" >> "$HOME/.gnupg/gpg.conf"
+          echo "allow-loopback-pinentry" > "$HOME/.gnupg/gpg-agent.conf"
+          echo "max-cache-ttl 86400" >> "$HOME/.gnupg/gpg-agent.conf"
+          echo "default-cache-ttl 86400" >> "$HOME/.gnupg/gpg-agent.conf"
+          gpgconf --kill gpg-agent
+          gpgconf --launch gpg-agent
+          echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 --import "$GPG_KEY_PATH"
+          echo "1F34F95B4F30BC5B06E0D7CC3F619F17002790D8:6:" | gpg --import-ownertrust
+        env:
+          GPG_KEY_ID: ${{ vars.GPG_KEY_ID }}
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_KEY_PATH: "${{ runner.temp }}/private.key"
+
       - name: Package helm-secrets
         run: tar --transform 's,^,helm-secrets/,' --exclude=contrib --exclude=examples --exclude=tests --exclude=helm-secrets.tar.gz -zcvf helm-secrets.tar.gz *
 
+      - name: Package helm-secrets-cli
+        run: |
+          rm -rf scripts
+          cp -a ../../scripts .
+          helm plugin package .
+        working-directory: plugins/helm-secrets-cli
+
+      - name: Package helm-secrets-getter
+        run: |
+          rm -rf scripts
+          cp -a ../../scripts .
+          helm plugin package .
+        working-directory: plugins/helm-secrets-getter
+
+      - name: Package helm-secrets-post-renderer
+        run: |
+          rm -rf scripts
+          cp -a ../../scripts .
+          helm plugin package .
+        working-directory: plugins/helm-secrets-post-renderer
+
+      - name: Package helm-secrets-getter
+        run: helm plugin package . --sign
+
       - name: Create Release
         run: |
+          find .
           gh release create ${{ github.ref_name }} \
             -t "Release ${{ github.ref_name }}" \
             -n "# CHANGELOG
 
           * https://github.com/jkroepke/helm-secrets/blob/${{ github.ref_name }}/CHANGELOG.md" \
             ${{ contains(github.ref_name, 'rc') && '--prerelease' || '--latest' }} \
-            helm-secrets.tar.gz
+          helm-secrets.tar.gz
+          plugins/helm-secrets-cli/secrets-*.tgz
+          plugins/helm-secrets-getter/secrets-*.tgz
+          plugins/helm-secrets-post-renderer/secrets-*.tgz
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   docs:

.gitignore

@@ -11,3 +11,5 @@ coverage
 
 test*.sh
 /vendor
+/helm
+*.tgz

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.7.0] - 2025-11-16
+
+### Added
+- Helm 4 support
+
 ## [4.6.11] - 2025-10-19
 
 ### Fixes
@@ -376,7 +381,8 @@ Started a fork of https://github.com/zendesk/helm-secrets
 - Verbose output is now on stderr
 - Support all helm sub commands and plugins
 
-[Unreleased]: https://github.com/kroepke/helm-secrets/compare/v4.6.11...HEAD
+[Unreleased]: https://github.com/kroepke/helm-secrets/compare/v4.7.0...HEAD
+[4.7.0]: https://github.com/kroepke/helm-secrets/compare/v4.6.11...v4.7.0
 [4.6.11]: https://github.com/jkroepke/helm-secrets/compare/v4.6.10...v4.6.11
 [4.6.10]: https://github.com/jkroepke/helm-secrets/compare/v4.6.9...v4.6.10
 [4.6.9]: https://github.com/jkroepke/helm-secrets/compare/v4.6.8...v4.6.9

LICENSE

@@ -1,4 +1,3 @@
-
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -187,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2020 Jan-Otto Kröpke (jkroepke) <[email protected]>
+   Copyright 2019 varintdev contributors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.