sysdiglabs
diff --git a/‎.github/workflows/helm_test.yaml‎
Lines changed: 90 additions & 0 deletions b/‎.github/workflows/helm_test.yaml‎
Lines changed: 90 additions & 0 deletions
diff --git a/‎.github/workflows/publish.yaml‎
Lines changed: 62 additions & 7 deletions b/‎.github/workflows/publish.yaml‎
Lines changed: 62 additions & 7 deletions
diff --git a/‎.github/workflows/test.yaml‎
Lines changed: 63 additions & 3 deletions b/‎.github/workflows/test.yaml‎
Lines changed: 63 additions & 3 deletions
@@ -0,0 +1,90 @@
+---
+name: Lint & Test helm chart
+
+on:
+  pull_request:
+    branches:
+      - beta
+    paths:
+    - 'charts/**'
+  push:
+    branches:
+      - main
+      - beta
+    paths:
+    - 'charts/**'
+  workflow_call:
+  workflow_dispatch:
+
+concurrency:
+  group: 'helm-test-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  set-charts:
+    # Required permissions
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      charts: ${{ steps.charts.outputs.changes }}
+    name: "Set Charts"
+    runs-on: [ubuntu-latest]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/paths-filter@v2
+        id: charts
+        with:
+          base: ${{ github.ref_name }}
+          filters: |
+            sysdig-mcp:
+              - 'charts/sysdig-mcp/**'
+  lint-charts:
+    needs: set-charts
+    name: Lint new helm charts
+    runs-on: [ubuntu-latest]
+    strategy:
+      matrix:
+        chart: ${{ fromJSON(needs.set-charts.outputs.charts) }}
+      # When set to true, GitHub cancels all in-progress jobs if any matrix job fails.
+      fail-fast: false
+      # The maximum number of jobs that can run simultaneously
+      max-parallel: 3
+    steps:
+
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Set up Helm
+      uses: azure/setup-helm@v4
+      with:
+        version: v3.5.0
+
+    - uses: actions/setup-python@v4
+      with:
+        python-version: '3.10'
+        check-latest: true
+
+    - name: Set up chart-testing
+      uses: helm/[email protected]
+
+    - name: Run chart-testing (list-changed)
+      id: list-changed
+      run: |
+        changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts)
+        if [[ -n "$changed" ]]; then
+          echo "changed=true" >> "$GITHUB_OUTPUT"
+        fi
+
+    - name: Run chart-testing (lint)
+      if: steps.list-changed.outputs.changed == 'true'
+      run: ct lint --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts
+
+    - name: Create kind cluster
+      if: steps.list-changed.outputs.changed == 'true'
+      uses: helm/[email protected]
+
+    - name: Run chart-testing (install)
+      if: steps.list-changed.outputs.changed == 'true'
+      run: ct install --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts
@@ -1,36 +1,54 @@
+---
 name: Publish Docker image
 
 on:
   push:
     branches:
       - main
+      - beta
     paths:
       - pyproject.toml
+      - Dockerfile
+      - '*.py'
+      - tests/**
+      - tools/**
+      - utils/**
   workflow_dispatch:
-    inputs:
-      version:
-        description: "Version to publish"
-        required: false
-        default: "latest"
-        type: string
+
+concurrency:
+  group: 'publish-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
 
 jobs:
+  tests:
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: write
+    uses: ./.github/workflows/test.yaml
+    secrets: inherit
   push_to_registry:
     name: Push Docker image to GitHub Packages
     runs-on: ubuntu-latest
+    needs: tests
     permissions:
       contents: read # required for actions/checkout
       packages: write # required for pushing to ghcr.io
       id-token: write # required for signing with cosign
+    outputs:
+      version: ${{ steps.extract_version.outputs.VERSION }}
+      tag: ${{ steps.extract_version.outputs.TAG }}
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
       - name: Extract version
         id: extract_version
         run: |
-          VERSION=$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')-$(echo $GITHUB_SHA | cut -c1-7)
+          VERSION=$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
           echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
+          TAG=v$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
+          echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
 
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
@@ -61,3 +79,40 @@ jobs:
             ghcr.io/sysdiglabs/sysdig-mcp-server:v${{ steps.extract_version.outputs.VERSION }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+  tag_release:
+    name: Tag Release
+    runs-on: ubuntu-latest
+    needs: push_to_registry
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.sha }} # required for better experience using pre-releases
+          fetch-depth: '0' # Required due to the way Git works, without it this action won't be able to find any or the correct tags
+
+      - name: Get tag version
+        id: semantic_release
+        uses: anothrNick/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: "patch"
+          TAG_CONTEXT: 'repo'
+          WITH_V: true
+          PRERELEASE_SUFFIX: "beta"
+          PRERELEASE: ${{ (github.base_ref == 'beta') && 'true' || (github.base_ref == 'main') && 'false' || (github.base_ref == 'integration') && 'false' || 'true' }}
+
+      - name: Summary
+        run: |
+          echo "## Release Summary
+          - Tag: ${{ steps.semantic_release.outputs.tag }}
+          - Docker Image: ghcr.io/sysdiglabs/sysdig-mcp-server:v${{ needs.push_to_registry.outputs.version }}" >> $GITHUB_STEP_SUMMARY
+
+  test_helm_chart:
+    name: Test Helm Chart
+    needs: push_to_registry
+    permissions:
+      contents: read # required for actions/checkout
+      pull-requests: write # required for creating a PR with the chart changes
+    uses: ./.github/workflows/helm_test.yaml
+    secrets: inherit
@@ -1,10 +1,21 @@
+---
 name: Test
 
 on:
-  push:
-    branches:
-      - main
   pull_request:
+    paths:
+      - pyproject.toml
+      - Dockerfile
+      - '*.py'
+      - tests/**
+      - tools/**
+      - utils/**
+  workflow_call:
+  workflow_dispatch:
+
+concurrency:
+  group: 'tests-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
 
 jobs:
   test:
@@ -34,3 +45,52 @@ jobs:
 
       - name: Run Unit Tests
         run: make test
+
+  check_version:
+    name: Check Version
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: write # required for creating a tag
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.sha }} # required for better experience using pre-releases
+          fetch-depth: '0' # Required due to the way Git works, without it this action won't be able to find any or the correct tags
+
+      - name: Extract current version
+        id: pyproject_version
+        run: |
+          TAG=v$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
+          echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Get tag version
+        id: semantic_release
+        uses: anothrNick/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: "patch"
+          TAG_CONTEXT: 'repo'
+          WITH_V: true
+          PRERELEASE_SUFFIX: "beta"
+          PRERELEASE: ${{ (github.base_ref == 'beta') && 'true' || (github.base_ref == 'main') && 'false' || (github.base_ref == 'integration') && 'false' || 'true' }}
+          DRY_RUN: true
+
+      - name: Compare versions
+        run: |
+          echo "Current version: ${{ steps.pyproject_version.outputs.TAG }}"
+          echo "New version: ${{ steps.semantic_release.outputs.tag }}"
+          if [ "${{ steps.pyproject_version.outputs.TAG }}" != "${{ steps.semantic_release.outputs.tag }}" ]; then
+            echo "### Version mismatch detected! :warning:
+            Current pyproject version: ${{ steps.pyproject_version.outputs.TAG }}
+            New Tag version: **${{ steps.semantic_release.outputs.tag }}**
+            Current Tag: ${{ steps.semantic_release.outputs.old_tag }}
+            Please update the version in pyproject.toml." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "### Version match confirmed! :rocket:
+            Current pyproject version: ${{ steps.pyproject_version.outputs.TAG }}
+            New Tag version: **${{ steps.semantic_release.outputs.tag }}**
+            The version is up-to-date." >> $GITHUB_STEP_SUMMARY
+          fi