implemented linters in ci

Author: Your Name

.github/scripts/check-helm-golden-renders.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CHART_DIR="${CHART_DIR:-otel-integration/k8s-helm}"
+GOLDEN_DIR="${GOLDEN_DIR:-${CHART_DIR}/tests/golden}"
+RELEASE_NAME="${HELM_GOLDEN_RELEASE_NAME:-render-check}"
+DOMAIN="${HELM_GOLDEN_DOMAIN:-eu2.coralogix.com}"
+CLUSTER_NAME="${HELM_GOLDEN_CLUSTER_NAME:-golden-render}"
+
+cases=(
+  "tail-sampling:tail-sampling-values.yaml"
+  "windows:values-windows.yaml"
+  "eks-fargate:values-eks-fargate.yaml"
+  "ebpf-profiler:values-ebpf-profiler.yaml"
+)
+
+require_cmd() {
+  local cmd="$1"
+  if ! command -v "$cmd" >/dev/null 2>&1; then
+    echo "Missing required command: $cmd" >&2
+    exit 1
+  fi
+}
+
+render_case() {
+  local name="$1"
+  local values_file="$2"
+  local output_file="$3"
+
+  helm template "$RELEASE_NAME" "$CHART_DIR" \
+    -f "${CHART_DIR}/values.yaml" \
+    -f "${CHART_DIR}/${values_file}" \
+    --set-string "global.domain=${DOMAIN}" \
+    --set-string "global.clusterName=${CLUSTER_NAME}" |
+    sed -e 's/[[:blank:]]*$//' \
+    > "$output_file"
+}
+
+require_cmd helm
+require_cmd diff
+require_cmd sed
+
+helm repo add --force-update open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts >/dev/null
+helm repo add --force-update coralogix-charts-virtual https://cgx.jfrog.io/artifactory/coralogix-charts-virtual >/dev/null
+helm repo add --force-update coralogix-charts https://cgx.jfrog.io/artifactory/coralogix-charts >/dev/null
+helm repo update >/dev/null
+helm dependency build "$CHART_DIR"
+
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "$tmpdir"' EXIT
+
+failed=0
+for case in "${cases[@]}"; do
+  name="${case%%:*}"
+  values_file="${case#*:}"
+  actual="${tmpdir}/${name}.yaml"
+  expected="${GOLDEN_DIR}/${name}.yaml"
+
+  if [ ! -f "$expected" ]; then
+    echo "Missing golden render: $expected" >&2
+    failed=1
+    continue
+  fi
+
+  render_case "$name" "$values_file" "$actual"
+
+  if ! diff -u "$expected" "$actual"; then
+    echo "Golden render mismatch for ${name}. Re-render ${expected} after reviewing the manifest change." >&2
+    failed=1
+  fi
+done
+
+exit "$failed"

.github/workflows/chart-version-bump-check.yml

@@ -30,6 +30,8 @@ jobs:
             - 'otel-infrastructure-collector/k8s-helm/**'
           otel-integration:
             - 'otel-integration/k8s-helm/**'
+            - '!otel-integration/k8s-helm/tests/**'
+            - '!otel-integration/k8s-helm/e2e-test/**'
           metrics-prometheus-agent:
             - 'metrics/prometheus-agent/**'
           metrics-prometheus-operator:

.github/workflows/checks.yml

@@ -79,6 +79,8 @@ jobs:
             - 'otel-infrastructure-collector/k8s-helm/**'
           otel-integration:
             - 'otel-integration/k8s-helm/**'
+            - '!otel-integration/k8s-helm/tests/**'
+            - '!otel-integration/k8s-helm/e2e-test/**'
           metrics-prometheus-agent:
             - 'metrics/prometheus-agent/**'
           metrics-prometheus-operator:

.github/workflows/otel-infra-helm-test.yml

@@ -18,7 +18,6 @@ jobs:
         with:
           create-kind-cluster: "true"
       - name: Setup Secret
-        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=123
+        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=fake
       - name: Run chart-testing (install)
         run: ct lint-and-install --namespace default --charts otel-infrastructure-collector/k8s-helm
-

.github/workflows/otel-integration-e2e-test.yml

@@ -35,7 +35,7 @@ jobs:
           chmod +x ./get_host_endpoint.sh
           ./get_host_endpoint.sh
       - name: Setup Secret
-        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=123
+        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=fake
       - name: Install chart for testing
         env:
           HOSTENDPOINT: ${{ env.HOSTENDPOINT }}
@@ -125,7 +125,7 @@ jobs:
           chmod +x ./get_host_endpoint.sh
           ./get_host_endpoint.sh
       - name: Setup Secret
-        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=123
+        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=fake
       - name: Install chart for supervisor testing
         env:
           HOSTENDPOINT: ${{ env.HOSTENDPOINT }}
@@ -205,7 +205,7 @@ jobs:
           chmod +x ./get_host_endpoint.sh
           ./get_host_endpoint.sh
       - name: Setup Secret
-        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=123
+        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=fake
       - name: Install chart for tail-sampling test
         env:
           HOSTENDPOINT: ${{ env.HOSTENDPOINT }}
@@ -267,7 +267,7 @@ jobs:
           chmod +x ./get_host_endpoint.sh
           ./get_host_endpoint.sh
       - name: Setup Secret
-        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=123
+        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=fake
       - name: Install chart for span-metrics test
         env:
           HOSTENDPOINT: ${{ env.HOSTENDPOINT }}
@@ -327,7 +327,7 @@ jobs:
           chmod +x ./get_host_endpoint.sh
           ./get_host_endpoint.sh
       - name: Setup Secret
-        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=123
+        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=fake
       - name: Install cert-manager
         run: |
           helm repo add jetstack https://charts.jetstack.io

.github/workflows/otel-integration-helm-test.yml

@@ -18,6 +18,6 @@ jobs:
         with:
           create-kind-cluster: "true"
       - name: Setup Secret
-        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=123
+        run: kubectl create secret generic coralogix-keys --from-literal=PRIVATE_KEY=fake
       - name: Run chart-testing (install)
         run: ct lint-and-install --namespace default --charts otel-integration/k8s-helm

.github/workflows/security-hygiene.yml

@@ -0,0 +1,93 @@
+name: Security and Hygiene
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+env:
+  GITLEAKS_VERSION: 8.24.3
+  SHELLCHECK_VERSION: 0.10.0
+  HADOLINT_VERSION: 2.12.0
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    name: gitleaks PR secret scan
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install gitleaks
+        run: |
+          set -euo pipefail
+          mkdir -p "${RUNNER_TEMP}/bin"
+          curl -sSfL \
+            -o "${RUNNER_TEMP}/gitleaks.tar.gz" \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          tar -xzf "${RUNNER_TEMP}/gitleaks.tar.gz" -C "${RUNNER_TEMP}/bin" gitleaks
+          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+
+      - name: Scan current tree
+        run: gitleaks detect --no-git --source . --redact --verbose
+
+  shellcheck:
+    runs-on: ubuntu-latest
+    name: shellcheck checked-in scripts
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install shellcheck
+        run: |
+          set -euo pipefail
+          mkdir -p "${RUNNER_TEMP}/bin"
+          curl -sSfL \
+            -o "${RUNNER_TEMP}/shellcheck.tar.xz" \
+            "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz"
+          tar -xJf "${RUNNER_TEMP}/shellcheck.tar.xz" \
+            -C "${RUNNER_TEMP}/bin" \
+            --strip-components=1 \
+            "shellcheck-v${SHELLCHECK_VERSION}/shellcheck"
+          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+
+      - name: Lint checked-in shell scripts
+        run: |
+          set -euo pipefail
+          mapfile -d '' scripts < <(find . -type f -name '*.sh' -not -path './tmp/*' -print0)
+          shellcheck "${scripts[@]}"
+
+  hadolint:
+    runs-on: ubuntu-latest
+    name: hadolint Dockerfiles
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install hadolint
+        run: |
+          set -euo pipefail
+          mkdir -p "${RUNNER_TEMP}/bin"
+          curl -sSfL \
+            -o "${RUNNER_TEMP}/bin/hadolint" \
+            "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64"
+          chmod +x "${RUNNER_TEMP}/bin/hadolint"
+          echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
+
+      - name: Lint Dockerfiles
+        run: |
+          set -euo pipefail
+          mapfile -d '' dockerfiles < <(find . -type f \( -name 'Dockerfile' -o -name 'Dockerfile.*' \) -print0)
+          hadolint "${dockerfiles[@]}"
+
+  helm-golden-render:
+    runs-on: ubuntu-latest
+    name: Helm golden renders
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.12.1
+
+      - name: Check high-risk preset renders
+        run: .github/scripts/check-helm-golden-renders.sh

logs/fluent-bit/image/Dockerfile

@@ -1,6 +1,8 @@
 FROM fluent/fluent-bit:3.2.10
 ARG TARGETARCH
+# hadolint ignore=DL3048 # Invalid label key.
 LABEL Maintainer="Coralogix Inc. <info@coralogix.com>"
+# hadolint ignore=DL3048 # Invalid label key.
 LABEL Description="Special Fluent-Bit image for Coralogix integration" Vendor="Coralogix Inc." Version="3.2.10"
 COPY ./functions.lua /fluent-bit/etc/
 CMD ["/fluent-bit/bin/fluent-bit", "-c", "/fluent-bit/etc/fluent-bit.yaml"]

logs/fluentd/aws-ecs/image/Dockerfile

@@ -1,7 +1,11 @@
 FROM coralogixrepo/coralogix-fluentd-multiarch:v1.18.0-4
+# hadolint ignore=DL3002 # Last USER should not be root.
 USER root
+# hadolint ignore=DL3028 # Pin versions in gem install.
 RUN gem install fluent-plugin-docker_metadata_filter
+# hadolint ignore=DL3028,DL3059 # Pin versions in gem install; multiple consecutive RUN instructions.
 RUN gem install fluent-plugin-script
+# hadolint ignore=DL3008,DL3009,DL3015,DL3027,DL3059 # Pin apt packages; delete apt lists; use no-install-recommends; use apt-get; multiple RUNs.
 RUN apt update && apt install -y curl
 COPY fargate.rb /fluentd/etc/
 COPY fluent.conf /fluentd/etc/

logs/fluentd/image/Dockerfile

@@ -1,18 +1,22 @@
             ARG IMAGE_VERSION=v1.18.0-debian-forward-1.4
+            # hadolint ignore=DL3006 # Always tag the version of an image explicitly.
             FROM fluent/fluentd-kubernetes-daemonset:${IMAGE_VERSION}
 
 # Image description labels
+# hadolint ignore=DL3048 # Invalid label key.
 LABEL Description="Multi-Arch FluentD image for Coralogix integration" \
       Vendor="Coralogix Inc." \
       Version="1.18.0-4" \
       Maintainer="Coralogix Inc. <info@coralogix.com>"
 
 # Change user
+# hadolint ignore=DL3002 # Last USER should not be root.
 USER root
 
 # Installing dependencies and plugins
 RUN gem install elasticsearch -v 8.11
 
+# hadolint ignore=DL3028,DL3059 # Pin versions in gem install; multiple consecutive RUN instructions.
 RUN gem install fluent-plugin-coralogix \
       fluent-plugin-parser-cri \
       fluent-plugin-sampling-filter \
@@ -22,5 +26,7 @@ RUN gem install fluent-plugin-coralogix \
       fluent-plugin-elasticsearch
 
 
+# hadolint ignore=DL3059 # Multiple consecutive RUN instructions.
 RUN gem install fluent-plugin-kubernetes_metadata_filter -v 3.4.0
+# hadolint ignore=DL3059 # Multiple consecutive RUN instructions.
 RUN gem install fluent-plugin-prometheus -v 2.1.0