Updated elgohr/Publish-Docker-Github-Action to a supported version (v5)

.github/workflows/linter.yml

@@ -0,0 +1,53 @@
+---
+###########################
+###########################
+## Linter GitHub Actions ##
+###########################
+###########################
+name: Lint Code Base
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on:
+  push:
+    branches-ignore: [master]
+    # Remove the line above to run when pushing to master
+  pull_request:
+    branches: [master]
+
+###############
+# Set the Job #
+###############
+jobs:
+  build:
+    # Name the Job
+    name: Lint Code Base
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    ##################
+    # Load all steps #
+    ##################
+    steps:
+      ##########################
+      # Checkout the code base #
+      ##########################
+      - name: Checkout Code
+        uses: actions/checkout@v2
+
+      ################################
+      # Run Linter against code base #
+      ################################
+      - name: Lint Code Base
+        uses: github/super-linter@v3
+        env:
+          VALIDATE_ALL_CODEBASE: false
+          LINTER_RULES_PATH: /
+          DEFAULT_BRANCH: master
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/push.yml

@@ -8,7 +8,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Publish to Docker Hub
-        uses: elgohr/Publish-Docker-Github-Action@2.7
+        uses: elgohr/Publish-Docker-Github-Action@v5
         with:
           name: stefanprodan/hrval
           username: ${{ secrets.DOCKER_USERNAME }}

.hadolint.yml

@@ -0,0 +1,2 @@
+ignored:
+  - DL3018

Dockerfile

@@ -1,6 +1,6 @@
-FROM garethr/kubeval:latest
+FROM garethr/kubeval:0.15.0
 
-RUN apk --no-cache add curl bash git
+RUN apk --no-cache add curl bash git openssh-client
 
 COPY LICENSE README.md /
 

README.md

@@ -2,8 +2,9 @@
 
 ![CI](https://github.com/stefanprodan/hrval-action/workflows/CI/badge.svg)
 [![Docker](https://img.shields.io/badge/Docker%20Hub-stefanprodan%2Fhrval-blue)](https://hub.docker.com/r/stefanprodan/hrval)
+[![GitHub Super-Linter](https://github.com/stefanprodan/hrval-action/workflows/Lint%20Code%20Base/badge.svg)](https://github.com/marketplace/actions/super-linter)
 
-This GitHub action validates a Flux 
+This GitHub action validates a Flux
 [Helm Release](https://docs.fluxcd.io/projects/helm-operator/en/latest/references/helmrelease-custom-resource.html)
 Kubernetes custom resources with [kubeval](https://github.com/instrumenta/kubeval).
 
@@ -30,17 +31,17 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Validate Helm Releases in test dir
-        uses: stefanprodan/hrval-action@v3.1.0
+        uses: stefanprodan/hrval-action@master
         with:
           helmRelease: test/
       - name: Validate Helm Release from Helm Repo
-        uses: stefanprodan/hrval-action@v3.1.0
+        uses: stefanprodan/hrval-action@master
         with:
           helmRelease: test/flagger.yaml
           helmVersion: v2
           kubernetesVersion: 1.17.0
       - name: Validate Helm Release from Git Repo
-        uses: stefanprodan/hrval-action@v3.1.0
+        uses: stefanprodan/hrval-action@master
         with:
           helmRelease: test/podinfo.yaml
           helmVersion: v3
@@ -75,7 +76,10 @@ PASS - flagger/templates/deployment.yaml contains a valid Deployment
 
 ## Usage with private charts repositories
 
-To allow the action to be able to clone private charts repositories, you must [create a GitHub private access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) and [add it as a secret](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets#creating-encrypted-secrets) to the target repository. NOTE: secret names *cannot* start with `GITHUB_` as these are reserved.
+### Private GitHub/GitLab repository
+To allow the action to be able to clone charts from private GitHub repositories,
+you must [create a GitHub private access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line)
+and [add it as a secret](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets#creating-encrypted-secrets) to the target repository. NOTE: secret names *cannot* start with `GITHUB_` as these are reserved.
 
 You can then pass the secret (in this case, `GH_TOKEN`) into the action like so:
 ```yaml
@@ -89,13 +93,17 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Validate Helm Releases in test dir
-        uses: stefanprodan/hrval-action@v3.1.0
+        uses: stefanprodan/hrval-action@master
         with:
           helmRelease: test/
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 ```
 
+Gitlab CI Token is also possible using `GITLAB_CI_TOKEN`.
+
+### AWS S3
+
 If you set `awsS3Repo: true`,  make sure you set the appropriate environment variables for helm s3 plugin to work.  Example:
 ```yaml
 name: CI
@@ -108,7 +116,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Validate Helm Releases in test dir
-        uses: stefanprodan/hrval-action@v3.1.0
+        uses: stefanprodan/hrval-action@master
         with:
           helmRelease: test/
           awsS3Repo: true
@@ -122,11 +130,107 @@ jobs:
 
 ```
 
-Gitlab CI Token is also possible using `GITLAB_CI_TOKEN`.
+### HTTP(S) Helm chart repository
+
+To allow fetching Helm charts from private Helm chart repositories you need to
+pass a list of Helm repositories in `HTTP_PRIVATE_CHART_REPOS` environment variable as JSON.
+
+```json
+{
+  "repositories": [
+    {
+      "url": "https://raw.githubusercontent.com/username/helm-chart-repository/master/",
+      "username": "YOUR_USERNAME",
+      "password": "YOUR_PASSWORD"
+    },
+    {
+      "url": "https://raw.githubusercontent.com/username/another-helm-chart-repository/master/",
+      "username": "YOUR_USERNAME",
+      "password": "YOUR_PASSWORD"
+    }
+  ]
+}
+```
+
+It should be passed [as a secret](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#creating-encrypted-secrets)
+to keep credentials secure.
+
+```yaml
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  hrval:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Validate Helm Releases in test dir
+        uses: stefanprodan/hrval-action@master
+        with:
+          helmRelease: test/
+        env:
+          HTTP_PRIVATE_CHART_REPOS: ${{ secrets.HTTP_PRIVATE_CHART_REPOS }}
+```
+
+
+## Usage with pull requests containing changes of Helm chart source located in base repository branch
+
+If a base repository branch of pull request is referenced in helm release,
+you need to pass `HRVAL_BASE_BRANCH` and `HRVAL_HEAD_BRANCH` environment variables
+to an action to make sure it will check out amended version of the chart
+from a head repository branch.
+
+
+```yaml
+name: CI
+
+on: [pull_request]
+
+jobs:
+  hrval:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Validate Helm Releases in test dir
+        uses: stefanprodan/hrval-action@master
+        with:
+          helmRelease: test/
+        env:
+          HRVAL_BASE_BRANCH: ${{ github.base_ref }}
+          HRVAL_HEAD_BRANCH: ${{ github.head_ref }}
+```
+
+## Usage with Helm source caching enabled
+
+Sometimes single Helm release might be referenced multiple times in a single Flux repository,
+for example if staging branch of Helm chart repository is used as a release ref across all staging releases.
+A property named `helmSourcesCacheEnabled` enables caching for such releases,
+so a single Helm repository chart version or Git repository ref
+will be retrieved only once, and cached version will be used for validation of another releases which reuse same sources.
+
+
+```yaml
+name: CI
+
+on: [pull_request]
+
+jobs:
+  hrval:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Validate Helm Releases in test dir
+        uses: stefanprodan/hrval-action@master
+        with:
+          helmRelease: test/
+          helmSourcesCacheEnabled: true
+```
+
 
 ## CI alternatives
 
-The validation scripts can be used in any CI system. 
+The validation scripts can be used in any CI system.
 
 CircleCI example:
 
@@ -135,7 +239,7 @@ version: 2.1
 jobs:
   hrval:
     docker:
-      - image: stefanprodan/hrval
+      - image: stefanprodan/hrval:latest
     steps:
       - checkout
       - run:

action.yml

@@ -26,6 +26,9 @@ inputs:
   awsS3Plugin:
     description: '(Optional) AWS S3 Plugin to be used in the helm plugin install command'
     default: ''
+  helmSourcesCacheEnabled:
+    description: '(Optional) Enabled Helm source caching, so same release or ref will not be downloaded twice.'
+    default: 'false'
 outputs:
   numFilesTested:
     description: The number of HelmRelease files which were tested
@@ -41,3 +44,4 @@ runs:
     - ${{ inputs.awsS3Repo }}
     - ${{ inputs.awsS3RepoName }}
     - ${{ inputs.awsS3RepoPlugin }}
+    - ${{ inputs.helmSourcesCacheEnabled }}

src/deps.sh

@@ -2,12 +2,12 @@
 
 set -o errexit
 
-curl -sL https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
+curl -sL "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
 
-curl -sL https://github.com/mikefarah/yq/releases/download/3.1.0/yq_linux_amd64 -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
+curl -sL https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
 
 curl -sSL https://get.helm.sh/helm-v2.16.3-linux-amd64.tar.gz | tar xz && mv linux-amd64/helm /bin/helm && rm -rf linux-amd64
-helm init --client-only --kubeconfig=$HOME/.kube/kubeconfig
+helm init --client-only --kubeconfig="${HOME}/.kube/kubeconfig"
 
 curl -sSL https://get.helm.sh/helm-v3.1.1-linux-amd64.tar.gz | tar xz && mv linux-amd64/helm /bin/helmv3 && rm -rf linux-amd64
 helmv3 version

src/hrval-all.sh

@@ -9,21 +9,62 @@ HELM_VER=${4-v2}
 HRVAL="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )/hrval.sh"
 AWS_S3_REPO=${5-false}
 AWS_S3_REPO_NAME=${6-""}
-AWS_S3_PLUGIN={$7-""}
+AWS_S3_PLUGIN="${7-""}"
+HELM_SOURCES_CACHE_ENABLED=${8-""}
+
+function configurePrivateChartRepositories() {
+
+  local tempDir
+  tempDir="$(mktemp -d)"
+  echo "$HTTP_PRIVATE_CHART_REPOS" > "$tempDir/repositories.json"
+  local numberOfRepositories
+  numberOfRepositories=$(yq r "$tempDir/repositories.json" --length repositories)
+
+  for (( i = 0; i < numberOfRepositories; i++ )); do
+      local url
+      url=$(yq r "$tempDir/repositories.json" repositories[$i].url)
+      local username
+      username=$(yq r "$tempDir/repositories.json" repositories[$i].username)
+      local password
+      password=$(yq r "$tempDir/repositories.json" repositories[$i].password)
+      local repoMD5
+      repoMD5=$(/bin/echo "$url" | /usr/bin/md5sum | cut -f1 -d" ")
+
+      >&2 echo "Adding Helm chart repository '$url'"
+      if [[ ${HELM_VER} == "v3" ]]; then
+        helmv3 repo add "$repoMD5" "${url}" --username "${username}" --password "${password}"
+        helmv3 repo update
+      else
+        helm repo add "$repoMD5" "${url}" --username "${username}" --password "${password}"
+        helm repo update
+      fi
+  done
+}
+
+if [[ -v HTTP_PRIVATE_CHART_REPOS ]]; then
+  echo "Configuring Helm chart repositories"
+  configurePrivateChartRepositories
+fi
+
+if [ "${HELM_SOURCES_CACHE_ENABLED}" == "true" ]; then
+  CACHEDIR=$(mktemp -d)
+else
+  CACHEDIR="${CACHEDIR}"
+fi
 
 if [[ ${HELM_VER} == "v2" ]]; then
     helm init --client-only
 fi
 
 if [[ ${AWS_S3_REPO} == true ]]; then
-    helm plugin install ${AWS_S3_PLUGIN}
-    helm repo add ${AWS_S3_REPO_NAME} s3:/${AWS_S3_REPO_NAME}/charts
+    helm plugin install "${AWS_S3_PLUGIN}"
+    helm repo add "${AWS_S3_REPO_NAME}" "s3:/${AWS_S3_REPO_NAME}/charts"
     helm repo update
 fi
 
 # If the path provided is actually a file, just run hrval against this one file
 if test -f "${DIR}"; then
-  ${HRVAL} ${DIR} ${IGNORE_VALUES} ${KUBE_VER} ${HELM_VER}
+  ${HRVAL} "${DIR}" "${IGNORE_VALUES}" "${KUBE_VER}" "${HELM_VER}" "${CACHEDIR}"
   exit 0
 fi
 
@@ -34,7 +75,7 @@ if [ ! -d "$DIR" ]; then
 fi
 
 function isHelmRelease {
-  KIND=$(yq r ${1} kind)
+  KIND=$(yq r "${1}" kind)
   if [[ ${KIND} == "HelmRelease" ]]; then
       echo true
   else
@@ -43,11 +84,15 @@ function isHelmRelease {
 }
 
 # Find yaml files in directory recursively
-DIR_PATH=$(echo ${DIR} | sed "s/^\///;s/\/$//")
 FILES_TESTED=0
-for f in `find ${DIR} -type f -name '*.yaml' -or -name '*.yml'`; do
-  if [[ $(isHelmRelease ${f}) == "true" ]]; then
-    ${HRVAL} ${f} ${IGNORE_VALUES} ${KUBE_VER} ${HELM_VER}
+declare -a FOUND_FILES=()
+while read -r file; do
+    FOUND_FILES+=( "$file" )
+done < <(find "${DIR}" -type f -name '*.yaml' -o -name '*.yml')
+
+for f in "${FOUND_FILES[@]}"; do
+  if [[ $(isHelmRelease "${f}") == "true" ]]; then
+    ${HRVAL} "${f}" "${IGNORE_VALUES}" "${KUBE_VER}" "${HELM_VER}" "${CACHEDIR}"
     FILES_TESTED=$(( FILES_TESTED+1 ))
   else
     echo "Ignoring ${f} not a HelmRelease"