Update Helm charts dependencies #4261
| name: CI | |
| on: | |
| workflow_call: | |
| inputs: | |
| run_all: | |
| description: "Run all checks (ignore path filtering)" | |
| required: false | |
| type: boolean | |
| default: true | |
| push: | |
| pull_request: | |
| types: [opened, synchronize, reopened, labeled] | |
| workflow_dispatch: | |
| inputs: | |
| run_all: | |
| description: "Run all checks (ignore path filtering)" | |
| required: false | |
| type: boolean | |
| default: false | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| jobs: | |
| # Detect which files changed to run appropriate checks | |
| changes: | |
| name: Detect changes | |
| runs-on: ubuntu-latest | |
| outputs: | |
| go: ${{ steps.changed-files.outputs.go }} | |
| rust: ${{ steps.changed-files.outputs.rust }} | |
| ci-full: ${{ steps.changed-files.outputs.ci-full }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Detect changed files | |
| id: changed-files | |
| run: | | |
| # If run_all input is true (from workflow_call or workflow_dispatch), run everything | |
| if [ "${{ inputs.run_all }}" = "true" ]; then | |
| echo "run_all=true, running all checks" | |
| echo "go=true" >> $GITHUB_OUTPUT | |
| echo "rust=true" >> $GITHUB_OUTPUT | |
| echo "ci-full=true" >> $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| # Check for CI trigger labels on PRs | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| LABELS='${{ toJson(github.event.pull_request.labels.*.name) }}' | |
| echo "PR Labels: $LABELS" | |
| if echo "$LABELS" | grep -q "ci-full"; then | |
| echo "Label 'ci-full' found, running all checks" | |
| echo "go=true" >> $GITHUB_OUTPUT | |
| echo "rust=true" >> $GITHUB_OUTPUT | |
| echo "ci-full=true" >> $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| if echo "$LABELS" | grep -q "ci-go"; then | |
| echo "Label 'ci-go' found, running Go checks" | |
| echo "go=true" >> $GITHUB_OUTPUT | |
| fi | |
| if echo "$LABELS" | grep -q "ci-rust"; then | |
| echo "Label 'ci-rust' found, running Rust checks" | |
| echo "rust=true" >> $GITHUB_OUTPUT | |
| fi | |
| # If triggered by label event and we found a matching label, skip path detection | |
| if [ "${{ github.event.action }}" = "labeled" ]; then | |
| LABEL_NAME='${{ github.event.label.name }}' | |
| if [ "$LABEL_NAME" = "ci-full" ] || [ "$LABEL_NAME" = "ci-go" ] || [ "$LABEL_NAME" = "ci-rust" ]; then | |
| echo "Triggered by label event, skipping path detection" | |
| exit 0 | |
| fi | |
| fi | |
| fi | |
| # Determine base ref for comparison | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| BASE_REF="${{ github.event.pull_request.base.sha }}" | |
| else | |
| # For push events, compare with previous commit | |
| BASE_REF="${{ github.event.before }}" | |
| # If first push to branch, compare with parent | |
| if [ "$BASE_REF" = "0000000000000000000000000000000000000000" ]; then | |
| BASE_REF="HEAD^" | |
| fi | |
| fi | |
| echo "Comparing against base: $BASE_REF" | |
| # Check for Go file changes | |
| GO_CHANGES=$(git diff --name-only "$BASE_REF" HEAD | grep -E '\.(go)$|^go\.(mod|sum)$|^Makefile$|^\.golangci\.yml$|^cmd/|^api/|^internal/|^audit-scanner/' || true) | |
| if [ -n "$GO_CHANGES" ]; then | |
| echo "go=true" >> $GITHUB_OUTPUT | |
| echo "Go files changed:" | |
| echo "$GO_CHANGES" | |
| else | |
| echo "go=false" >> $GITHUB_OUTPUT | |
| echo "No Go files changed" | |
| fi | |
| # Check for Rust file changes | |
| RUST_CHANGES=$(git diff --name-only "$BASE_REF" HEAD | grep -E '^crates/.*\.rs$|^crates/.*/Cargo\.(toml|lock)$|^Cargo\.(toml|lock)$|^rust-toolchain\.toml$|^crates/Makefile$' || true) | |
| if [ -n "$RUST_CHANGES" ]; then | |
| echo "rust=true" >> $GITHUB_OUTPUT | |
| echo "Rust files changed:" | |
| echo "$RUST_CHANGES" | |
| else | |
| echo "rust=false" >> $GITHUB_OUTPUT | |
| echo "No Rust files changed" | |
| fi | |
| # Go jobs | |
| test-go: | |
| name: Go tests | |
| needs: changes | |
| if: needs.changes.outputs.go == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 | |
| with: | |
| go-version: "1.25" | |
| check-latest: true # Always check for the latest patch release | |
| - run: make test-go | |
| - name: Upload Go test coverage to Codecov | |
| uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_ORG_TOKEN }} | |
| with: | |
| name: go-tests | |
| files: coverage/cover.out | |
| flags: go-tests | |
| verbose: true | |
| e2e-go: | |
| name: Go e2e tests | |
| needs: changes | |
| if: needs.changes.outputs.go == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 | |
| with: | |
| go-version: "1.25" | |
| check-latest: true # Always check for the latest patch release | |
| - run: make test-e2e | |
| golangci: | |
| name: Golangci-lint | |
| needs: changes | |
| if: needs.changes.outputs.go == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 | |
| with: | |
| go-version: "1.25" | |
| check-latest: true # Always check for the latest patch release | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 | |
| with: | |
| version: v2.4.0 | |
| # Rust jobs | |
| calculate-crates-matrix: | |
| name: Calculate crates matrix | |
| needs: changes | |
| if: needs.changes.outputs.rust == 'true' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: List crate folders | |
| id: set-matrix | |
| run: | | |
| # Exclude context-aware-test-policy as it's a test fixture, not a standalone crate | |
| CRATES=$(ls -1 crates | grep -v "^Makefile$" | grep -v "^context-aware-test-policy$" | jq -R -s -c 'split("\n")[:-1]') | |
| echo "matrix={\"crate\":$CRATES}" >> $GITHUB_OUTPUT | |
| fmt-rust-per-crate: | |
| needs: calculate-crates-matrix | |
| name: Rustfmt (${{ matrix.crate }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: ${{fromJson(needs.calculate-crates-matrix.outputs.matrix)}} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: "Run cargo fmt" | |
| run: | | |
| make -C crates/${{ matrix.crate }} fmt | |
| clippy-rust-per-crate: | |
| needs: calculate-crates-matrix | |
| name: Clippy (${{ matrix.crate }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: ${{fromJson(needs.calculate-crates-matrix.outputs.matrix)}} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: "Run cargo clippy" | |
| run: | | |
| make -C crates/${{ matrix.crate }} lint | |
| unit-tests-rust-per-crate: | |
| needs: calculate-crates-matrix | |
| name: Unit tests (${{ matrix.crate }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: ${{fromJson(needs.calculate-crates-matrix.outputs.matrix)}} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: "Run cargo test" | |
| run: | | |
| make -C crates/${{ matrix.crate }} unit-tests | |
| integration-tests-burrego: | |
| needs: [changes, calculate-crates-matrix] | |
| if: needs.changes.outputs.rust == 'true' | |
| name: E2E tests (burrego) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Install opa | |
| uses: kubewarden/github-actions/opa-installer@f1695ca9a575bf58b85d6c3652c7ff7d1d12ec24 # v4.5.16 | |
| with: | |
| opa-version: v1.12.2 | |
| - name: Install bats | |
| run: sudo apt-get install -y bats | |
| - name: Run e2e tests | |
| run: make -C crates/burrego e2e-tests | |
| integration-tests-kwctl: | |
| needs: [changes, calculate-crates-matrix] | |
| if: needs.changes.outputs.rust == 'true' | |
| name: E2E tests (kwctl) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Run e2e tests | |
| run: make -C crates/kwctl e2e-tests | |
| integration-tests-policy-server: | |
| needs: [changes, calculate-crates-matrix] | |
| if: needs.changes.outputs.rust == 'true' | |
| name: Integration tests (policy-server) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Run integration tests | |
| run: make -C crates/policy-server integration-tests | |
| integration-tests-policy-evaluator: | |
| needs: [changes, calculate-crates-matrix] | |
| if: needs.changes.outputs.rust == 'true' | |
| name: Integration tests (policy-evaluator) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Build kwctl | |
| run: make -C crates/kwctl build-release | |
| - name: Setup kwctl | |
| run: | | |
| mkdir -p $HOME/.kwctl | |
| cp target/release/kwctl $HOME/.kwctl/kwctl | |
| chmod +x $HOME/.kwctl/kwctl | |
| echo "$HOME/.kwctl" >> $GITHUB_PATH | |
| - name: Install bats | |
| run: sudo apt install -y bats | |
| - name: Run integration tests | |
| run: make -C crates/policy-evaluator integration-tests | |
| shellcheck: | |
| name: Shellcheck | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - run: shellcheck $(find scripts/ -name '*.sh') | |
| charts: | |
| name: Helm unittest | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Install helm | |
| uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 | |
| # Disable plugin verification until the following issue is addressed https://github.com/helm-unittest/helm-unittest/issues/777 | |
| - name: Install Helm-unittest | |
| run: helm plugin install https://github.com/helm-unittest/helm-unittest --verify=false | |
| - name: Verify common values | |
| run: make charts-check-common-values | |
| - name: helm unit tests | |
| run: make helm-unittest | |
| validate-hauler-manifest: | |
| name: Validate Hauler manifest | |
| needs: changes | |
| if: needs.changes.outputs.ci-full == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Run validation script | |
| run: ./scripts/validate-hauler-manifest.sh | |
| # Rollup job for branch protection - single stable job name that depends on all checks | |
| ci-success: | |
| name: CI Success | |
| if: always() | |
| needs: | |
| - changes | |
| - test-go | |
| - e2e-go | |
| - golangci | |
| - calculate-crates-matrix | |
| - fmt-rust-per-crate | |
| - clippy-rust-per-crate | |
| - unit-tests-rust-per-crate | |
| - integration-tests-burrego | |
| - integration-tests-kwctl | |
| - integration-tests-policy-server | |
| - integration-tests-policy-evaluator | |
| - shellcheck | |
| - charts | |
| - validate-hauler-manifest | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check all jobs status | |
| run: | | |
| # Check if any job failed or was cancelled | |
| if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" || "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then | |
| echo "One or more jobs failed or were cancelled" | |
| exit 1 | |
| fi | |
| echo "All jobs passed or were skipped" |
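Review bot: The "Detect changed files" step splices label names from the event payload straight into the shell script via `LABELS='${{ toJson(github.event.pull_request.labels.*.name) }}'` and `LABEL_NAME='${{ github.event.label.name }}'`; a label name containing a single quote would end the quoted string and the rest of the name would be executed as shell on the runner, so these values should be passed through the environment rather than the template. Add to that step `env:` with `LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}` and `LABEL_NAME: ${{ github.event.label.name }}`, drop the two inline assignments, and the existing `grep -q` and `[ "$LABEL_NAME" = ... ]` checks work unchanged. In the same step the `git diff --name-only "$BASE_REF" HEAD | grep ... || true` pipelines fold a failing `git diff` (for instance when `github.event.before` is unreachable after a force-push) into "no changes", which would silently skip the Go and Rust jobs; the diff error should fail the step instead of being swallowed by the `|| true`. Separately, `helm plugin install https://github.com/helm-unittest/helm-unittest --verify=false` in the charts job fetches an unpinned and unverified plugin on every run, so it should at least carry a `--version` constraint to a known release.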