From b9270650d1b78480b4a155aa50fa06683fe9abc0 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Tue, 17 Sep 2024 16:26:02 +0600
Subject: [PATCH 01/11] ci(helm): auto public Helm chart after PR merged
---
 .github/workflows/publish-chart.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
index 3a7db4970065..eab0552d7a7c 100644
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -8,9 +8,7 @@ on:
 - main
 paths:
 - 'helm/trivy/**'
- push:
- tags:
- - "v*"
+
 env:
 HELM_REP: helm-charts
 GH_OWNER: aquasecurity
@@ -49,7 +47,7 @@ jobs:
 ct lint-and-install --validate-maintainers=false --charts helm/trivy
 publish-chart:
- if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
 needs:
 - test-chart
 runs-on: ubuntu-20.04
From a2792b309d34909918d1f5433df1fa6312ca6793 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Tue, 17 Sep 2024 17:07:14 +0600
Subject: [PATCH 02/11] auto update version
---
 .github/workflows/publish-chart.yaml | 21 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
index eab0552d7a7c..f8a76df065e5 100644
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -8,7 +8,9 @@ on:
 - main
 paths:
 - 'helm/trivy/**'
-
+ push:
+ tags:
+ - "v*"
 env:
 HELM_REP: helm-charts
 GH_OWNER: aquasecurity
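Review bot: The new `if:` on publish-chart keys on `github.event.pull_request.merged`, but that field is only true on the `closed` activity type, which the file's `pull_request:` trigger (context lines of the first hunk, so default types opened/synchronize/reopened) does not subscribe to; with this commit alone the job can only be reached via workflow_dispatch. PATCH 11 in this series adds `closed` to `types:`, and squashing that here would keep each intermediate commit functional. The interplay is easy to miss, so a comment above the condition would help, e.g. `# runs on the merge of a PR touching helm/trivy/** (pull_request 'closed' with merged == true) or on manual dispatch`. The publish-chart job body continues outside the hunk.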
@@ -45,7 +47,22 @@ jobs:
 run: |
 sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
 ct lint-and-install --validate-maintainers=false --charts helm/trivy
-
+ update-chart-version:
+ if: github.event_name == 'push'
+ needs:
+ - test-chart
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4.1.6
+ with:
+ fetch-depth: 0
+ - name: Update version in file
+ run: |
+ TAG=${GITHUB_REF#refs/tags/v}
+ echo "appVersion: $TAG"
+ sed -i "s/appVersion: [0-9]\+\.[0-9]\+\.[0-9]\+/appVersion: $TAG/" helm/trivy/Chart.yaml
+
 publish-chart:
 if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
 needs:
From 5eeb8b5654ec082149a58eaa1d851e76339c139a Mon Sep 17 00:00:00 2001
From: afdesk
Date: Tue, 17 Sep 2024 18:23:47 +0600
Subject: [PATCH 03/11] add auto bumping Trivy version
---
 .github/workflows/publish-chart.yaml | 7 +++++-
 misc/helm-chart/create-pr.sh | 37 ++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100755 misc/helm-chart/create-pr.sh
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
index f8a76df065e5..69dfaa8d9170 100644
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -47,6 +47,7 @@ jobs:
 run: |
 sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
 ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
 update-chart-version:
 if: github.event_name == 'push'
 needs:
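Review bot: `TAG=${GITHUB_REF#refs/tags/v}` in the new update-chart-version job is written into Chart.yaml without any validation, so a tag that does not look like X.Y.Z (a pre-release, or any ref that merely starts with `v`) is spliced into `appVersion` and silently accepted; add a guard before the sed, `[[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected tag: $TAG" >&2; exit 1; }`, and anchor the pattern as `^appVersion:` so it cannot match elsewhere in the file. The edited Chart.yaml is also left in the runner's workspace — nothing in this hunk commits or pushes it (PATCH 03 adds that), so the job as committed here has no lasting effect. A `permissions:` block on the job would make the intended privilege explicit, since the job currently inherits whatever the repository default grants.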
@@ -57,11 +58,15 @@ jobs:
 uses: actions/checkout@v4.1.6
 with:
 fetch-depth: 0
+ - name: Get the tag without the 'v' prefix
+ run: echo "TAG=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
 - name: Update version in file
 run: |
- TAG=${GITHUB_REF#refs/tags/v}
 echo "appVersion: $TAG"
+ sed -i "s/version: [0-9]\+\.[0-9]\+\.[0-9]\+/version: $TAG/" helm/trivy/Chart.yaml
 sed -i "s/appVersion: [0-9]\+\.[0-9]\+\.[0-9]\+/appVersion: $TAG/" helm/trivy/Chart.yaml
+ - name: Create a PR
+ run: ./misc/helm-chart/create-pr.sh ${{ env.TAG }}
 publish-chart:
 if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
diff --git a/misc/helm-chart/create-pr.sh b/misc/helm-chart/create-pr.sh
new file mode 100755
index 000000000000..ce30cef685a6
--- /dev/null
+++ b/misc/helm-chart/create-pr.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -e
+
+VERSION=$1
+
+echo "Create PR for update Trivy $VERSION in the Helm Chart"
+
+# Create a new branch
+NEW_BRANCH="ci/bump-trivy-to-$VERSION"
+
+echo "Creating new branch: $NEW_BRANCH"
+git switch -c "$NEW_BRANCH"
+
+# Create the title
+TITLE="ci(helm): bump Trivy version to $VERSION"
+
+# commit Helm Values with a new version
+git add ./helm/trivy/Chart.yaml
+git commit -m "$TITLE"
+
+# Create the pull request description
+PR_DESCRIPTION="# Description
+
+This PR bumps Trivy up to the $VERSION version for the Helm chart."
+
+echo "Pushing new branch to origin: $NEW_BRANCH"
+git push origin "$NEW_BRANCH"
+
+echo "Pull request title: $TITLE"
+
+echo "Pull request description:"
+echo "$PR_DESCRIPTION"
+
+# Create a new pull request
+echo "Creating pull request..."
+gh pr create --base main --head "$NEW_BRANCH" --title "$TITLE" --body "$PR_DESCRIPTION" --repo "$GITHUB_REPOSITORY" --label "helm-chart"
\ No newline at end of file
From 4929dc9870f58fac68c373e2f5224bd4d18bdf33 Mon Sep 17 00:00:00 2001
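Review bot: `run: ./misc/helm-chart/create-pr.sh ${{ env.TAG }}` interpolates the tag name into the shell script text before the shell parses it; since TAG is already exported through $GITHUB_ENV in the step above, the same step can pass it as a quoted shell variable, `run: ./misc/helm-chart/create-pr.sh "$TAG"`, which is the form GitHub recommends for values derived from refs and keeps any unusual characters in a tag name out of the command line. This hunk also adds a second sed that rewrites the chart's own `version:` to the Trivy tag, coupling chart version to app version; if that is intentional, a comment such as `# chart version is kept in lockstep with the Trivy release` would record it. The job's `steps:` list starts outside the hunk.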
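Review bot: create-pr.sh takes `VERSION=$1` with no argument check and only `set -e`, so an empty or malformed argument yields a branch named `ci/bump-trivy-to-` and a commit titled "bump Trivy version to " rather than a clear failure; the first lines should be `set -euo pipefail`, `VERSION="${1:?usage: $0 <trivy-version>}"` and `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid version: $VERSION" >&2; exit 1; }`. The script also depends on `GITHUB_REPOSITORY`, on a token usable by `gh`, and on a git identity for `git commit` without saying so; a header comment listing that required environment would document the contract for anyone running it outside the workflow. The missing trailing newline on the last line is already flagged by the diff.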
From: afdesk
Date: Tue, 17 Sep 2024 20:35:38 +0600
Subject: [PATCH 04/11] stop test running for PRs
---
 .github/workflows/publish-chart.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
index 69dfaa8d9170..bdbdcd7865c7 100644
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -19,6 +19,7 @@ env:
 KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
 test-chart:
+ if: github.event_name == 'pull_request'
 runs-on: ubuntu-20.04
 steps:
 - name: Checkout
@@ -50,8 +51,6 @@ jobs:
 update-chart-version:
 if: github.event_name == 'push'
- needs:
- - test-chart
 runs-on: ubuntu-20.04
 steps:
 - name: Checkout
From f11fe42dec2781cd8afa994f85ebac295394d2ed Mon Sep 17 00:00:00 2001
From: afdesk
Date: Tue, 17 Sep 2024 20:42:49 +0600
Subject: [PATCH 05/11] update scripts
---
 .github/workflows/publish-chart.yaml | 9 ++++-----
 misc/helm-chart/create-pr.sh | 5 +++++
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
index bdbdcd7865c7..b822b9de150d 100644
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -57,13 +57,12 @@ jobs:
 uses: actions/checkout@v4.1.6
 with:
 fetch-depth: 0
+ - name: Set up Git user
+ run: |
+ git config --global user.email "actions@github.com"
+ git config --global user.name "GitHub Actions"
 - name: Get the tag without the 'v' prefix
 run: echo "TAG=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
- - name: Update version in file
- run: |
- echo "appVersion: $TAG"
- sed -i "s/version: [0-9]\+\.[0-9]\+\.[0-9]\+/version: $TAG/" helm/trivy/Chart.yaml
- sed -i "s/appVersion: [0-9]\+\.[0-9]\+\.[0-9]\+/appVersion: $TAG/" helm/trivy/Chart.yaml
 - name: Create a PR
 run: ./misc/helm-chart/create-pr.sh ${{ env.TAG }}
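Review bot: Gating test-chart with `if: github.event_name == 'pull_request'` also silences publish-chart on workflow_dispatch, because publish-chart declares `needs: - test-chart` and a job whose dependency was skipped is itself skipped unless its own `if:` uses `always()` or `!cancelled()`. PATCH 10 in this series changes the condition to `!= 'push'`, which restores the manual path; squashing that here avoids a commit in which the manual publish cannot run. The second hunk drops `needs: test-chart` from update-chart-version, so a tag push now opens the bump PR without the chart having been linted at that commit — acceptable if the opened PR's own checks cover it, but worth a one-line comment on the job, e.g. `# chart lint/install runs on the PR this job opens, not here`. publish-chart's definition lies outside this hunk.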
diff --git a/misc/helm-chart/create-pr.sh b/misc/helm-chart/create-pr.sh
index ce30cef685a6..edb3a7c4dc99 100755
--- a/misc/helm-chart/create-pr.sh
+++ b/misc/helm-chart/create-pr.sh
@@ -4,6 +4,11 @@ set -e
 VERSION=$1
+# Update version in file
+echo "Update Chart.yaml with Trivy $VERSION"
+sed -i "s/version: [0-9]\+\.[0-9]\+\.[0-9]\+/version: $VERSION/" ./helm/trivy/Chart.yaml
+sed -i "s/appVersion: [0-9]\+\.[0-9]\+\.[0-9]\+/appVersion: $VERSION/" ./helm/trivy/Chart.yaml
+
 echo "Create PR for update Trivy $VERSION in the Helm Chart"
 # Create a new branch
From 2c50e8f605a17dd61f9008352351a568d27b37d5 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Tue, 17 Sep 2024 20:45:59 +0600
Subject: [PATCH 06/11] ignore test for Helm Chart
---
 .github/workflows/bypass-test.yaml | 2 ++
 .github/workflows/test.yaml | 1 +
 2 files changed, 3 insertions(+)
diff --git a/.github/workflows/bypass-test.yaml b/.github/workflows/bypass-test.yaml
index 3a3102e3e574..3c4469ed6e62 100644
--- a/.github/workflows/bypass-test.yaml
+++ b/.github/workflows/bypass-test.yaml
@@ -9,6 +9,7 @@ on:
 - 'mkdocs.yml'
 - 'LICENSE'
 - '.release-please-manifest.json'
+ - './helm/trivy/Chart.yaml'
 pull_request:
 paths:
 - '**.md'
@@ -16,6 +17,7 @@ on:
 - 'mkdocs.yml'
 - 'LICENSE'
 - '.release-please-manifest.json'
+ - './helm/trivy/Chart.yaml'
 jobs:
 test:
 name: Test
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 13f279b519b7..788fa52a837e 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -7,6 +7,7 @@ on:
 - 'mkdocs.yml'
 - 'LICENSE'
 - '.release-please-manifest.json' ## don't run tests for release-please PRs
+ - './helm/trivy/Chart.yaml'
 merge_group:
 env:
 GO_VERSION: '1.22'
From fc36fa7282d001b920ce528e423eba0614ecdc12 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Tue, 17 Sep 2024 20:47:59 +0600
Subject: [PATCH 07/11] fix paths
---
 .github/workflows/bypass-test.yaml | 4 ++--
 .github/workflows/test.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
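Review bot: The first added sed uses the unanchored pattern `version: [0-9]\+\.[0-9]\+\.[0-9]\+`, which also matches the tail of the `appVersion:` line; the outcome is the same value here, but `^version:` and `^appVersion:` make the intent explicit and stop the replacement from touching any other `version:` key that might be added to Chart.yaml later. With `set -e`, a tag that leaves Chart.yaml unchanged (a re-run for an already-bumped version) will die at `git commit` with a generic "nothing to commit" rather than a clear message; `if git diff --quiet ./helm/trivy/Chart.yaml; then echo "Chart.yaml already at $VERSION"; exit 0; fi` right after the seds gives a clean no-op. The rest of the script is outside the hunk.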
diff --git a/.github/workflows/bypass-test.yaml b/.github/workflows/bypass-test.yaml
index 3c4469ed6e62..93c5ba2869d3 100644
--- a/.github/workflows/bypass-test.yaml
+++ b/.github/workflows/bypass-test.yaml
@@ -9,7 +9,7 @@ on:
 - 'mkdocs.yml'
 - 'LICENSE'
 - '.release-please-manifest.json'
- - './helm/trivy/Chart.yaml'
+ - 'helm/trivy/Chart.yaml'
 pull_request:
 paths:
 - '**.md'
@@ -17,7 +17,7 @@ on:
 - 'mkdocs.yml'
 - 'LICENSE'
 - '.release-please-manifest.json'
- - './helm/trivy/Chart.yaml'
+ - 'helm/trivy/Chart.yaml'
 jobs:
 test:
 name: Test
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 788fa52a837e..199bf1e66a2c 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -7,7 +7,7 @@ on:
 - 'mkdocs.yml'
 - 'LICENSE'
 - '.release-please-manifest.json' ## don't run tests for release-please PRs
- - './helm/trivy/Chart.yaml'
+ - 'helm/trivy/Chart.yaml'
 merge_group:
 env:
 GO_VERSION: '1.22'
From 3de2147edf4fe84d75ba30a7eb61ff951337c1f2 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Tue, 17 Sep 2024 21:12:07 +0600
Subject: [PATCH 08/11] using ORG_REPO_TOKEN
---
 .github/workflows/publish-chart.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
index b822b9de150d..07f678ff8d5f 100644
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -65,6 +65,10 @@ jobs:
 run: echo "TAG=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
 - name: Create a PR
 run: ./misc/helm-chart/create-pr.sh ${{ env.TAG }}
+ env:
+ # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+ # This allows the created PR to trigger tests and other workflows
+ GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
 publish-chart:
 if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
From f3b1e56a3e7fbffb5e5832ba4d86dd2a5404b6c2 Mon Sep 17 00:00:00 2001
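Review bot: `GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}` hands an organisation-level credential to create-pr.sh, and the added comment explains only why the default token is unsuitable, not what the replacement is allowed to do; extend it to state the minimum scope the secret must carry so the next person rotating it does not over-provision, e.g. `# ORG_REPO_TOKEN: fine-grained token limited to this repo (contents: write, pull-requests: write)`. A GitHub App installation token would give the same "created PR triggers workflows" behaviour with a short-lived credential instead of a long-lived PAT, if one is available to the organisation. As far as I can tell the script's `git push` still goes through the credential persisted by actions/checkout rather than this variable, so the job's default token also needs contents write; a `permissions:` block on update-chart-version (outside this hunk) would make both requirements explicit.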
From: afdesk
Date: Tue, 17 Sep 2024 21:59:44 +0600
Subject: [PATCH 09/11] update PR's label
---
 misc/helm-chart/create-pr.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misc/helm-chart/create-pr.sh b/misc/helm-chart/create-pr.sh
index edb3a7c4dc99..9ddbdbb2356f 100755
--- a/misc/helm-chart/create-pr.sh
+++ b/misc/helm-chart/create-pr.sh
@@ -39,4 +39,4 @@ echo "$PR_DESCRIPTION"
 # Create a new pull request
 echo "Creating pull request..."
-gh pr create --base main --head "$NEW_BRANCH" --title "$TITLE" --body "$PR_DESCRIPTION" --repo "$GITHUB_REPOSITORY" --label "helm-chart"
\ No newline at end of file
+gh pr create --base main --head "$NEW_BRANCH" --title "$TITLE" --body "$PR_DESCRIPTION" --repo "$GITHUB_REPOSITORY" --label "lifecycle/active"
\ No newline at end of file
From cde5dcf27418bfb48a958a7e6c5d2fa47d6f4db8 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Tue, 17 Sep 2024 22:09:35 +0600
Subject: [PATCH 10/11] skip test for push action
---
 .github/workflows/publish-chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
index 07f678ff8d5f..270b767181e0 100644
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -19,7 +19,7 @@ env:
 KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
 test-chart:
- if: github.event_name == 'pull_request'
+ if: github.event_name != 'push'
 runs-on: ubuntu-20.04
 steps:
 - name: Checkout
From ea1ba74603772aca11e1b9b853c1e7e4717be2aa Mon Sep 17 00:00:00 2001
From: afdesk
Date: Wed, 18 Sep 2024 09:16:45 +0600
Subject: [PATCH 11/11] add closed typde to default values
---
 .github/workflows/publish-chart.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
index 270b767181e0..c3612979590d 100644
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -4,6 +4,11 @@ name: Publish Helm chart
 on:
 workflow_dispatch:
 pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ - closed
 branches:
 - main
 paths:
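Review bot: Subscribing to `closed` means test-chart, whose condition is `github.event_name != 'push'` (set in PATCH 10, outside this hunk), now also runs for pull requests that are closed without being merged, bringing up the kind cluster for nothing; tightening it to `if: github.event_name != 'push' && (github.event.action != 'closed' || github.event.pull_request.merged == true)` keeps the merged case that publish-chart depends on and skips the rest. The list also restates `opened`, `synchronize` and `reopened`, which are the defaults; a short comment such as `# default types plus 'closed', required for the merged check in publish-chart` would explain why they are spelled out.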