From bb9a069c06248284d5dec3d4dbe8309bea663dae Mon Sep 17 00:00:00 2001 From: hc-github-team-es-release-engineering <82989873+hc-github-team-es-release-engineering@users.noreply.github.com> Date: Wed, 12 Apr 2023 15:19:02 +0100 Subject: [PATCH] Convert hashicorp/vault-helm to GitHub Actions (#861) * Add workflow hashicorp/vault-helm/update-helm-charts-index * Add workflow hashicorp/vault-helm/manual-trigger-update-helm-charts-index * SHA-pin all 3rd-party actions * Restrict workflow permissions * Add actionslint * Add dependabot * Add CODEOWNERS * Replace deprecated references * fixup: First pass at cleaning up update-helm-charts-index * fixup: move to self-hosted for access to vault * fixup: remove vault bits, correct GHA action * fixup: Remove manual invocation * fixup: update CODEOWNERS * Update CODEOWNERS * Fix CODEOWNERS syntax * Use common workflow for action lint * fixup: address review feedback * fixup: codeowners set * Apply suggestions from code review Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> * fixup: remove slack status action * fixup: more clear error message and correct syntax * fixup: limit actionlint trigger to GHA paths * fixup: glob * fixup: incorporate emily's superior syntax --------- Co-authored-by: Daniel Kimsey Co-authored-by: Tom Proctor Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> --- .github/dependabot.yml | 7 ++++ .github/workflows/acceptance.yaml | 6 +-- .github/workflows/actionlint.yml | 16 ++++++++ .../workflows/setup-test-tools/action.yaml | 3 +- .github/workflows/tests.yaml | 5 +-- .../workflows/update-helm-charts-index.yml | 40 +++++++++++++++++++ CODEOWNERS | 1 + 7 files changed, 70 insertions(+), 8 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/actionlint.yml create mode 100644 .github/workflows/update-helm-charts-index.yml create mode 100644 CODEOWNERS 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8a90cca
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
\ No newline at end of file
diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml
index e3c28e3..ac1dac1 100644
--- a/.github/workflows/acceptance.yaml
+++ b/.github/workflows/acceptance.yaml
@@ -1,7 +1,5 @@
 name: Acceptance Tests
-
 on: [push, workflow_dispatch]
-
 jobs:
 kind:
 strategy:
@@ -13,14 +11,14 @@ jobs:
 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 - name: Setup test tools
 uses: ./.github/workflows/setup-test-tools
-
 - name: Create K8s Kind Cluster
 uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
 with:
 config: test/kind/config.yaml
 node_image: kindest/node:v${{ matrix.kind-k8s-version }}
 version: v0.17.0
-
 - run: bats --tap --timing ./test/acceptance
 env:
 VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
+permissions:
+ contents: read
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000..bdee70f
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,16 @@
+# If the repository is public, be sure to change to GitHub hosted runners
+name: Lint GitHub Actions Workflows
+on:
+ push:
+ paths:
+ - .github/workflows/**.yml
+ pull_request:
+ paths:
+ - .github/workflows/**.yml
+permissions:
+ contents: read
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main
diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml
index 7683deb..d666e23 100644
--- a/.github/workflows/setup-test-tools/action.yaml
+++ b/.github/workflows/setup-test-tools/action.yaml
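Review bot: The `permissions:` block is appended after `jobs:` at the very bottom of acceptance.yaml (and likewise tests.yaml in the next hunks), while the two new workflows in this commit (actionlint.yml, update-helm-charts-index.yml) place it directly after `on:`; a reader checking a workflow's token scope expects it next to the trigger, so I'd move `permissions:` / `  contents: read` up beside `on: [push, workflow_dispatch]` in both files. Placement is functionally equivalent, so this is style only. The blank lines dropped between `name:`, `on:` and `jobs:` and between steps were the only separators those files had; keeping one blank line between top-level keys would help readability.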
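Review bot: The `paths:` filters `.github/workflows/**.yml` only match `.yml` files, but this repository's workflows are `acceptance.yaml`, `tests.yaml` and `setup-test-tools/action.yaml` (all touched in this same commit), so the linter never runs when those change; add `- .github/workflows/**.yaml` under both `paths:` lists, or filter on `.github/workflows/**` instead. `uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main` is a step-level `uses:` pointing at a file under `.github/workflows/`; if that file is a reusable workflow, as its location suggests, GitHub only accepts it at the job level as `jobs.actionlint.uses:` with no `runs-on`/`steps`, so this job would fail validation — worth confirming against that repository. The `@main` reference is also the only mutable ref among the actions this commit adds, which sits oddly with the "SHA-pin all 3rd-party actions" item in the description even if the repository is first-party. The leading comment about switching to GitHub-hosted runners if the repository is public is already satisfied by `runs-on: ubuntu-latest` and reads as stale.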
@@ -1,6 +1,5 @@
 name: Setup common testing tools
 description: Install bats and python-yq
-
 runs:
 using: "composite"
 steps:
@@ -18,3 +17,5 @@ runs:
 python-version: '3.10'
 - run: pip install yq
 shell: bash
+permissions:
+ contents: read
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 5bfd153..30968c8 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -1,7 +1,5 @@
 name: Tests
-
 on: [push, workflow_dispatch]
-
 jobs:
 bats-unit-tests:
 runs-on: ubuntu-latest
@@ -9,7 +7,6 @@ jobs:
 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 - uses: ./.github/workflows/setup-test-tools
 - run: bats --tap --timing ./test/unit
-
 chart-verifier:
 runs-on: ubuntu-latest
 env:
@@ -23,3 +20,5 @@ jobs:
 go-version: '1.19.2'
 - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
 - run: bats --tap --timing ./test/chart
+permissions:
+ contents: read
diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml
new file mode 100644
index 0000000..7a1061d
--- /dev/null
+++ b/.github/workflows/update-helm-charts-index.yml
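Review bot: `permissions:` / `contents: read` is added to `setup-test-tools/action.yaml`, which is a composite action's metadata file (`runs:` with `using: "composite"`), not a workflow; `permissions` is a workflow/job-level key and action metadata has no such field, so it is at best ignored and at worst rejected by the metadata validator, while the token scope of the calling job is already set by the `permissions:` blocks this commit adds to acceptance.yaml and tests.yaml. I'd drop the two added lines here. The enclosing `runs:`/`steps:` mapping starts outside this hunk.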
@@ -0,0 +1,40 @@
+name: update-helm-charts-index
+on:
+ push:
+ tags:
+ - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+ contents: read
+
+jobs:
+ update-helm-charts-index:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ - name: verify Chart version matches tag version
+ run: |-
+ export TAG=${{ github.ref_name }}
+ git_tag=$(echo "${TAG#v}")
+ chart_tag=$(yq r Chart.yaml version)
+ if [ "${git_tag}" != "${chart_tag}" ]; then
+ echo "chart version (${chart_tag}) did not match git version (${git_tag})"
+ exit 1
+ fi
+ - name: update helm-charts index
+ id: update
+ env:
+ GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }}
+ run: |-
+ gh workflow run publish-charts.yml \
+ --repo hashicorp/helm-charts \
+ --ref main \
+ -f SOURCE_TAG="${{ github.ref_name }}" \
+ -f SOURCE_REPO="${{ github.repository }}"
+ - uses: hashicorp/actions-slack-status@v1
+ if: ${{always()}}
+ with:
+ success-message: "vault-helm charts index update triggered successfully. View the run ."
+ failure-message: "vault-helm charts index update trigger failed."
+ status: ${{job.status}}
+ slack-webhook-url: ${{secrets.SLACK_WEBHOOK_URL}}
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..af6a350
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+* @hashicorp/vault-ecosystem-foundations
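Review bot: `export TAG=${{ github.ref_name }}` in the verify step and the two `-f` flags in the update step splice expression values straight into the shell script; the `on.push.tags` filter appears to bound what `github.ref_name` can be here, but the robust form is a step-level `env:` entry `TAG: ${{ github.ref_name }}` (and `REPO: ${{ github.repository }}`) referenced as `"$TAG"` / `"$REPO"` in `run:`, so the value is never parsed as shell. `chart_tag=$(yq r Chart.yaml version)` is the mikefarah yq v3 command form; as far as I know the yq preinstalled on the ubuntu-latest image is the v4 line, where `r` was removed, and this workflow installs no yq of its own, so the step would fail at run time — `chart_tag=$(yq '.version' Chart.yaml)` is the v4 form. `hashicorp/actions-slack-status@v1` is the one action in this file not pinned to a SHA, and the description's "remove slack status action" item does not match the hunk, which still carries the step. The `${{always()}}`, `${{job.status}}` and `${{secrets.SLACK_WEBHOOK_URL}}` expressions also lack the inner spaces the rest of the file uses.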