Add CI to enforce version bumps in pull requests

.github/workflows/version-check.yml

@@ -0,0 +1,76 @@
+name: Version Bump Check
+
+on:
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  check-version-bump:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Check for version bumps
+        run: |
+          set -e
+
+          # Get the base branch
+          BASE_BRANCH="${{ github.base_ref }}"
+          echo "Base branch: $BASE_BRANCH"
+
+          # Fetch the base branch
+          git fetch origin "$BASE_BRANCH"
+
+          # Find all top-level Chart.yaml files (exclude subcharts in charts/ subdirectories)
+          # The chart-releaser only releases top-level charts, so we only check those
+          CHART_FILES=$(find . -name "Chart.yaml" -not -path "*/charts/*" -type f | grep -v "/\.")
+
+          echo "Checking Chart.yaml files for version bumps..."
+
+          FAILED=0
+
+          for CHART_FILE in $CHART_FILES; do
+            echo "---"
+            echo "Checking: $CHART_FILE"
+
+            # Get current version
+            CURRENT_VERSION=$(grep "^version:" "$CHART_FILE" | awk '{print $2}' | tr -d '"' | tr -d "'")
+            echo "Current version: $CURRENT_VERSION"
+
+            # Get base version (check if file exists in base branch)
+            if git cat-file -e "origin/$BASE_BRANCH:$CHART_FILE" 2>/dev/null; then
+              BASE_VERSION=$(git show "origin/$BASE_BRANCH:$CHART_FILE" | grep "^version:" | awk '{print $2}' | tr -d '"' | tr -d "'")
+              echo "Base version: $BASE_VERSION"
+
+              # Compare versions
+              if [ "$CURRENT_VERSION" == "$BASE_VERSION" ]; then
+                echo "❌ ERROR: Version in $CHART_FILE has not been bumped!"
+                echo "   Current: $CURRENT_VERSION"
+                echo "   Base: $BASE_VERSION"
+                echo "   Please increment the version in $CHART_FILE"
+                FAILED=1
+              else
+                echo "✅ Version bumped from $BASE_VERSION to $CURRENT_VERSION"
+              fi
+            else
+              echo "ℹ️  New chart file (not in base branch), skipping version check"
+            fi
+          done
+
+          echo "---"
+
+          if [ $FAILED -eq 1 ]; then
+            echo ""
+            echo "❌ Version bump check FAILED"
+            echo "One or more Chart.yaml files need version updates."
+            echo "Please increment the version field according to semantic versioning."
+            exit 1
+          else
+            echo "✅ All Chart.yaml files have been properly versioned"
+          fi

CONTRIBUTING.md

@@ -0,0 +1,89 @@
+# Contributing to diracx-charts
+
+Thank you for your interest in contributing to diracx-charts!
+
+## Pull Request Requirements
+
+When submitting a pull request, please ensure the following:
+
+### Version Bumping
+
+**All pull requests MUST bump the chart version(s) being modified.**
+
+The repository uses automated CI checks to ensure that chart versions are incremented in every PR. This is required because:
+
+- The repository follows a "live at head" approach
+- Charts are automatically pushed to by diracx and diracx-web repositories
+- The main branch is always tagged with the current version
+
+#### Which versions need to be bumped?
+
+- **The main chart** (`diracx/Chart.yaml`): The `version` field MUST be incremented following [Semantic Versioning](https://semver.org/)
+  - MAJOR version for incompatible API changes
+  - MINOR version for backwards-compatible functionality additions
+  - PATCH version for backwards-compatible bug fixes
+
+Note: Subcharts (like `diracx/charts/cert-manager-issuer/`) are not released separately and do not require version bumps unless you're also updating the main chart version.
+
+#### Example
+
+If the current version in `diracx/Chart.yaml` is `1.0.0` and you're making a backward-compatible bug fix:
+
+```yaml
+# Before
+version: "1.0.0"
+
+# After
+version: "1.0.1"
+```
+
+### Pre-commit Checks
+
+This repository uses pre-commit hooks. Make sure to install them:
+
+```bash
+pip install pre-commit
+pre-commit install
+```
+
+### Testing
+
+Before submitting your PR, ensure that:
+
+1. Pre-commit checks pass: `pre-commit run --all-files`
+2. The demo runs successfully: `./run_demo.sh --exit-when-done`
+3. Helm linting passes: `helm lint diracx/ --set diracx.hostname=diracx.invalid`
+
+## Repository Workflow
+
+This repository follows a **"live at head"** approach with the following policies:
+
+### Branch Strategy
+
+- The `master` branch is the main development branch and should always be in a releasable state
+- All changes must go through pull requests
+- Pull requests should be kept up-to-date with the base branch before merging
+- The repository maintains a linear history (no merge commits)
+
+### Automated Updates
+
+This repository receives automated updates from:
+- [DIRACGrid/diracx](https://github.com/DIRACGrid/diracx)
+- [DIRACGrid/diracx-web](https://github.com/DIRACGrid/diracx-web)
+
+These automated updates will also need to bump the chart version appropriately.
+
+### Recommended Branch Protection Settings
+
+Repository administrators should configure the following branch protection rules for `master`:
+
+- ✅ Require pull request reviews before merging
+- ✅ Require status checks to pass before merging
+  - ✅ Require branches to be up to date before merging
+  - Required checks: `pre-commit`, `run-demo`, `run-demo-mount-sources`, `check-version-bump`
+- ✅ Require linear history (no merge commits)
+- ✅ Do not allow bypassing the above settings
+
+## Questions?
+
+If you have questions about contributing, please open an issue for discussion.

docs/REPOSITORY_CONFIGURATION.md

@@ -0,0 +1,90 @@
+# Repository Configuration Guide
+
+This document provides guidance for repository administrators on configuring the diracx-charts repository.
+
+## Branch Protection Rules
+
+To maintain code quality and enforce the "live at head" approach, configure the following branch protection rules for the `master` branch:
+
+### Required Settings
+
+1. **Navigate to Repository Settings**
+   - Go to: `Settings` → `Branches` → `Branch protection rules`
+   - Add a rule for the `master` branch
+
+2. **Configure Protection Rules**
+
+   #### Pull Request Requirements
+   - ✅ **Require a pull request before merging**
+     - Require approvals: `1` (or more, as desired)
+     - Dismiss stale pull request approvals when new commits are pushed
+     - Require review from Code Owners (if CODEOWNERS file is present)
+
+   #### Status Check Requirements
+   - ✅ **Require status checks to pass before merging**
+     - ✅ **Require branches to be up to date before merging** (critical for "live at head")
+     - Required status checks:
+       - `pre-commit` (from `.github/workflows/main.yml`)
+       - `run-demo` (from `.github/workflows/main.yml`)
+       - `run-demo-mount-sources` (from `.github/workflows/main.yml`)
+       - `check-version-bump` (from `.github/workflows/version-check.yml`)
+
+   #### Commit History
+   - ✅ **Require linear history**
+     - This prevents merge commits and keeps the git history clean
+     - Pull requests must be rebased or squashed before merging
+
+   #### Other Recommended Settings
+   - ✅ **Do not allow bypassing the above settings**
+   - ✅ **Require conversation resolution before merging**
+   - ⚠️ Consider: **Restrict who can push to matching branches** (optional, based on your team structure)
+
+### Why These Settings?
+
+#### Require branches to be up to date
+This is essential for the "live at head" approach because:
+- The repository receives automated updates from diracx and diracx-web
+- The master branch is always tagged with the current version
+- Ensures no conflicts or issues arise from stale branches being merged
+
+#### Require linear history
+Benefits include:
+- Cleaner, more readable git history
+- Easier to understand the sequence of changes
+- Simplifies troubleshooting and git bisect operations
+- Works well with automated versioning and tagging
+
+#### Version bump check
+Ensures that:
+- Every change increments the chart version
+- No conflicting versions are introduced
+- Chart releases are properly tracked
+
+## Automated Updates Configuration
+
+The repository receives automated updates from dependent repositories. Ensure that:
+
+1. **GitHub Actions has write permissions**
+   - Go to: `Settings` → `Actions` → `General` → `Workflow permissions`
+   - Set to: `Read and write permissions`
+   - This allows the release workflow to create tags and releases
+
+2. **Automated PRs are configured correctly**
+   - Automated updates from diracx and diracx-web should:
+     - Create pull requests (not push directly to master)
+     - Include version bumps in their changes
+     - Wait for CI checks to pass
+
+## Monitoring
+
+Regularly check:
+- Pull requests are being properly reviewed
+- Status checks are passing consistently
+- Version bumps are being applied correctly
+- The release workflow is creating tags/releases as expected
+
+## Questions or Issues?
+
+If you encounter problems with these settings or need clarification, please:
+- Review the GitHub documentation on [branch protection rules](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)
+- Open an issue in the repository for discussion