Convert hashicorp/vault-helm to GitHub Actions (#861)

* Add workflow hashicorp/vault-helm/update-helm-charts-index * Add workflow hashicorp/vault-helm/manual-trigger-update-helm-charts-index * SHA-pin all 3rd-party actions * Restrict workflow permissions * Add actionslint * Add dependabot * Add CODEOWNERS * Replace deprecated references * fixup: First pass at cleaning up update-helm-charts-index * fixup: move to self-hosted for access to vault * fixup: remove vault bits, correct GHA action * fixup: Remove manual invocation * fixup: update CODEOWNERS * Update CODEOWNERS * Fix CODEOWNERS syntax * Use common workflow for action lint * fixup: address review feedback * fixup: codeowners set * Apply suggestions from code review Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> * fixup: remove slack status action * fixup: more clear error message and correct syntax * fixup: limit actionlint trigger to GHA paths * fixup: glob * fixup: incorporate emily's superior syntax --------- Co-authored-by: Daniel Kimsey <daniel.kimsey@hashicorp.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
2023-04-12 15:19:02 +01:00 · 2023-04-12 15:19:02 +01:00 · bb9a069c06
commit bb9a069c06
parent 1307dbea76
7 changed files with 70 additions and 8 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,7 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
--- a/.github/workflows/acceptance.yaml
+++ b/.github/workflows/acceptance.yaml
@ -1,7 +1,5 @@
 name: Acceptance Tests
-
 on: [push, workflow_dispatch]
-
 jobs:
  kind:
    strategy:
@ -13,14 +11,14 @@ jobs:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - name: Setup test tools
        uses: ./.github/workflows/setup-test-tools
-
      - name: Create K8s Kind Cluster
        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
        with:
          config: test/kind/config.yaml
          node_image: kindest/node:v${{ matrix.kind-k8s-version }}
          version: v0.17.0
-
      - run: bats --tap --timing ./test/acceptance
        env:
          VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
+permissions:
+  contents: read
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@ -0,0 +1,16 @@
+# If the repository is public, be sure to change to GitHub hosted runners
+name: Lint GitHub Actions Workflows
+on:
+  push:
+    paths:
+      - .github/workflows/**.yml
+  pull_request:
+    paths:
+      - .github/workflows/**.yml
+permissions:
+  contents: read
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main
--- a/.github/workflows/setup-test-tools/action.yaml
+++ b/.github/workflows/setup-test-tools/action.yaml
@ -1,6 +1,5 @@
 name: Setup common testing tools
 description: Install bats and python-yq
-
 runs:
  using: "composite"
  steps:
@ -18,3 +17,5 @@ runs:
        python-version: '3.10'
    - run: pip install yq
      shell: bash
+permissions:
+  contents: read
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@ -1,7 +1,5 @@
 name: Tests
-
 on: [push, workflow_dispatch]
-
 jobs:
  bats-unit-tests:
    runs-on: ubuntu-latest
@ -9,7 +7,6 @@ jobs:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
      - uses: ./.github/workflows/setup-test-tools
      - run: bats --tap --timing ./test/unit
-
  chart-verifier:
    runs-on: ubuntu-latest
    env:
@ -23,3 +20,5 @@ jobs:
          go-version: '1.19.2'
      - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
      - run: bats --tap --timing ./test/chart
+permissions:
+  contents: read
--- a/.github/workflows/update-helm-charts-index.yml
+++ b/.github/workflows/update-helm-charts-index.yml
@ -0,0 +1,40 @@
+name: update-helm-charts-index
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+  contents: read
+
+jobs:
+  update-helm-charts-index:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - name: verify Chart version matches tag version
+        run: |-
+          export TAG=${{ github.ref_name }}
+          git_tag=$(echo "${TAG#v}")
+          chart_tag=$(yq r Chart.yaml version)
+          if [ "${git_tag}" != "${chart_tag}" ]; then
+            echo "chart version (${chart_tag}) did not match git version (${git_tag})"
+            exit 1
+          fi
+      - name: update helm-charts index
+        id: update
+        env:
+          GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }}
+        run: |-
+          gh workflow run publish-charts.yml \
+            --repo hashicorp/helm-charts \
+            --ref main \
+            -f SOURCE_TAG="${{ github.ref_name }}" \
+            -f SOURCE_REPO="${{ github.repository }}"
+      - uses: hashicorp/actions-slack-status@v1
+        if: ${{always()}}
+        with:
+          success-message: "vault-helm charts index update triggered successfully. View the run <https://github.com/hashicorp/helm-charts/actions/workflows/publish-charts.yml|here>."
+          failure-message: "vault-helm charts index update trigger failed."
+          status: ${{job.status}}
+          slack-webhook-url: ${{secrets.SLACK_WEBHOOK_URL}}
--- a/1
+++ b/1
@ -0,0 +1 @@
+* @hashicorp/vault-ecosystem-foundations