refactor(ci): general updates about linting

Signed-off-by: Sebastian Gaiser <sebastian.gaiser@hetzner-cloud.de>

Author: sebastiangaiser

.github/ct.yaml .github/linters/ct.yaml.github/ct.yaml renamed to .github/linters/ct.yaml

@@ -6,3 +6,5 @@ chart-dirs:
 chart-repos:
   - postgres-operator-charts=https://opensource.zalando.com/postgres-operator/charts/postgres-operator
 helm-extra-args: --timeout 600s
+use-helmignore: true
+validate-maintainers: false

.github/renovate.json5

@@ -4,27 +4,12 @@
   commitBody: 'Signed-off-by: Sebastian Gaiser <sebastiangaiser@users.noreply.github.com>',
   extends: [
     'config:recommended',
-    'customManagers:helmChartYamlAppVersions',
+    'github>prometheus-community/helm-charts//renovate.json',
     'github>sebastiangaiser/helm-charts//.github/renovate/customManagers.json5',
   ],
-  rebaseWhen: 'conflicted',
-  customManagers: [
-    {
-      customType: 'regex',
-      managerFilePatterns: [
-        '/(^|/)Chart\\.yaml$/',
-        '/(^|/)values\\.yaml$/',
-      ],
-      matchStrings: [
-        '#\\s?renovate: image=(?<depName>.*?)\\s?appVersion:\\s?\\"?(?<currentValue>[\\w+\\.\\-]*)',
-      ],
-      datasourceTemplate: 'docker',
-    },
-  ],
   semanticCommits: 'enabled',
   timezone: 'Europe/Berlin',
   'pre-commit': {
     enabled: true,
   },
-  bumpVersion: 'patch',
 }

.github/workflows/commitlint.yml

@@ -1,72 +1,110 @@
 name: Lint and Test Charts
+permissions: {}
 
-on: pull_request
+on:
+  pull_request:
+    branches:
+      - main
 
 jobs:
   lint-test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
-        k8s:
-          - v1.30.13
-          - v1.31.9
-          - v1.32.5
-          # # renovate: image=docker.io/kindest/node
-          - v1.33.2
+        k8s-version:
+          - "kindest/node:v1.31.12"
+          - "kindest/node:v1.32.8"
+          - "kindest/node:v1.33.4"
+          - "kindest/node:v1.34.0"
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
         with:
-          version: v3.9.4
+          # renovate: github=helm/helm
+          version: v3.19.0
 
-      - uses: actions/setup-python@v6
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: 3.14.0
+          python-version: '3.13'
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.8.0
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
+        with:
+          # renovate: github=helm/chart-testing
+          version: v3.14.0
 
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |
-          changed=$(ct list-changed --config .github/ct.yaml)
+          changed=$(ct list-changed --config .github/linters/ct.yaml)
           if [[ -n "$changed" ]]; then
-            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+            echo "changed_list=\"${changed//$'\n'/ }\"" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Run chart-testing (lint)
-        run: ct lint --config .github/ct.yaml
+        run: ct lint --config .github/linters/ct.yaml
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.13.0
-        with:
-          node_image: "kindest/node:${{ matrix.k8s }}"
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
         if: steps.list-changed.outputs.changed == 'true'
+        with:
+          node_image: ${{ matrix.k8s-version }}
 
       - name: Apply Gateway API CRDs
         run: |
           kubectl apply -k https://github.com/kubernetes-sigs/gateway-api/config/crd
         if: steps.list-changed.outputs.changed == 'true'
 
-      - name: Install Zalando's postgres-operator
+      - name: Apply Prometheus Operator CRDs
+        env:
+          CHANGED_LIST: ${{ steps.list-changed.outputs.changed_list }}
         run: |
-          helm install postgres-operator postgres-operator-charts/postgres-operator
+          helm install prometheus-operator-crds oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds
         if: steps.list-changed.outputs.changed == 'true'
 
-      - name: Install CNPG
-        run: |
-          helm install --atomic --namespace cnpg-system --create-namespace --repo https://cloudnative-pg.github.io/charts cnpg cloudnative-pg
-        if: steps.list-changed.outputs.changed == 'true'
+      - name: Run chart-testing (install)
+        run: ct install --config .github/linters/ct.yaml
 
-      - name: Install prometheus-operator-crds
-        run: |
-          helm install --repo https://prometheus-community.github.io/helm-charts prometheus-operator-crds prometheus-operator-crds
-        if: steps.list-changed.outputs.changed == 'true'
+  super-linter:
+    name: Lint Code Base
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
 
-      - name: Run chart-testing (install)
-        run: ct install --config .github/ct.yaml
+      - name: Lint Code Base
+        uses: super-linter/super-linter/slim@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 # v8.2.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LINTER_RULES_PATH: .github/linters
+          ENABLE_COMMITLINT_STRICT_MODE: true
+          ENFORCE_COMMITLINT_CONFIGURATION_CHECK: true
+          MULTI_STATUS: false
+          VALIDATE_ALL_CODEBASE: false
+          VALIDATE_BASH: true
+          VALIDATE_BASH_EXEC: true
+          # VALIDATE_CHECKOV: true - always scans everything and all charts have too much errors
+          VALIDATE_EDITORCONFIG: true
+          VALIDATE_ENV: true
+          VALIDATE_GITHUB_ACTIONS: true
+          VALIDATE_GITLEAKS: true
+          VALIDATE_JSON: true
+          VALIDATE_MARKDOWN: true
+          VALIDATE_NATURAL_LANGUAGE: true
+          VALIDATE_PYTHON: true
+          VALIDATE_RENOVATE: true
+          VALIDATE_SHELL_SHFMT: true
+          VALIDATE_XML: true

.github/workflows/editorconfig.yml

@@ -0,0 +1,22 @@
+name: pre-commit
+permissions: {}
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: '3.13'
+      - name: Run pre-commit
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/helm-docs.yml

@@ -13,13 +13,12 @@ jobs:
       packages: write # needed for ghcr access
       id-token: write # needed for keyless signing
 
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
-      - name: Checkout Code
+      - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      - name: Fetch history
-        run: git fetch --prune --unshallow
+        with:
+          fetch-depth: 0
 
       - name: Configure Git
         run: |
@@ -29,11 +28,8 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
         with:
-          version: v3.12.0
-
-      - name: Add dependency chart repos
-        run: |
-          helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+          # renovate: github=helm/helm
+          version: v3.19.0
 
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0

.github/workflows/lint-test.yaml

@@ -1,14 +1,5 @@
 repos:
   - repo: https://github.com/norwoodj/helm-docs
-    rev: 1.14.2
+    rev: v1.14.2
     hooks:
-      - id: helm-docs
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
-    hooks:
-      - id: check-json
-#      - id: check-yaml
-  - repo: https://github.com/jumanjihouse/pre-commit-hooks
-    rev: 3.0.0
-    hooks:
-      - id: shellcheck
+      - id: helm-docs-container

.github/workflows/pre-commit.yml

@@ -2,8 +2,6 @@ apiVersion: v2
 name: capacitor
 description: A Helm chart for deploying capacitor, a general purpose UI for FluxCD
 type: application
-version: 0.2.1
-# renovate: image=ghcr.io/gimlet-io/capacitor
+version: 0.2.2
+# renovate: github=gimlet-io/capacitor
 appVersion: v0.4.8
-maintainers:
-  - name: sebastiangaiser