feat: add helm lint/publish actions

daronco · daronco · commit 1dba8c23779c · 2026-02-12T15:40:13.000-03:00
diff --git a/.github/workflows/all-helm-lint.yml b/.github/workflows/all-helm-lint.yml
@@ -0,0 +1,79 @@
+name: Helm Chart Lint
+
+on:
+  workflow_call:
+    inputs:
+      chart_path:
+        description: 'Path to Helm chart directory'
+        required: true
+        type: string
+      helm_version:
+        description: 'Helm version to use'
+        required: false
+        type: string
+        default: 'v3.12.0'
+      chart_name:
+        description: 'Chart name for templating (defaults to chart directory name)'
+        required: false
+        type: string
+        default: ''
+      values_file:
+        description: 'Path to values file for templating validation'
+        required: false
+        type: string
+        default: ''
+      runs-on:
+        type: string
+        required: false
+        default: '["self-hosted", "ubuntu-22.04"]'
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint Helm Chart
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: ${{ inputs.helm_version }}
+
+      - name: Lint chart
+        run: |
+          echo "🔍 Linting Helm chart at ${{ inputs.chart_path }}..."
+          helm lint ${{ inputs.chart_path }}
+          echo "✅ Chart linting passed"
+
+      - name: Template chart
+        run: |
+          # Determine chart name (from input or extract from directory)
+          CHART_NAME="${{ inputs.chart_name }}"
+          if [ -z "$CHART_NAME" ]; then
+            CHART_NAME=$(basename ${{ inputs.chart_path }})
+          fi
+
+          echo "📋 Templating chart '$CHART_NAME' with default values..."
+
+          # Use custom values file if provided, otherwise use default
+          VALUES_FLAG=""
+          if [ -n "${{ inputs.values_file }}" ]; then
+            VALUES_FLAG="--values ${{ inputs.values_file }}"
+          elif [ -f "${{ inputs.chart_path }}/values.yaml" ]; then
+            VALUES_FLAG="--values ${{ inputs.chart_path }}/values.yaml"
+          fi
+
+          helm template "$CHART_NAME" ${{ inputs.chart_path }} $VALUES_FLAG
+          echo "✅ Chart templating passed"
+
+      - name: Package chart (validation only)
+        run: |
+          echo "📦 Packaging chart for validation..."
+          helm package ${{ inputs.chart_path }}
+          ls -la *.tgz
+          echo "✅ Chart packaging successful"
diff --git a/.github/workflows/all-helm-publish.yml b/.github/workflows/all-helm-publish.yml
@@ -0,0 +1,138 @@
+name: Helm Chart Publish to Harbor
+
+on:
+  workflow_call:
+    inputs:
+      chart_path:
+        description: 'Path to Helm chart directory'
+        required: true
+        type: string
+      chart_name:
+        description: 'Chart name (used for extracting version from tag)'
+        required: true
+        type: string
+      organization:
+        description: 'Harbor organization name'
+        required: true
+        type: string
+      registry:
+        description: 'Harbor registry URL'
+        required: false
+        type: string
+        default: 'registry.mconf.com'
+      chart_repo:
+        description: 'Helm chart repository name in Harbor'
+        required: false
+        type: string
+        default: 'helm-charts'
+      helm_version:
+        description: 'Helm version to use'
+        required: false
+        type: string
+        default: 'v3.12.0'
+      tag_prefix:
+        description: 'Tag prefix to extract version from (e.g., "myapp-helm-chart-" from tag "myapp-helm-chart-1.0.0")'
+        required: false
+        type: string
+        default: ''
+      runs-on:
+        type: string
+        required: false
+        default: '["self-hosted", "ubuntu-22.04"]'
+    secrets:
+      HARBOR_USERNAME:
+        description: 'Harbor registry username'
+        required: true
+      HARBOR_PASSWORD:
+        description: 'Harbor registry password'
+        required: true
+    outputs:
+      chart_version:
+        description: 'Published chart version'
+        value: ${{ jobs.publish.outputs.chart_version }}
+      chart_url:
+        description: 'Full chart OCI URL'
+        value: ${{ jobs.publish.outputs.chart_url }}
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Publish Helm Chart
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    timeout-minutes: 15
+    outputs:
+      chart_version: ${{ steps.version.outputs.version }}
+      chart_url: ${{ steps.publish.outputs.chart_url }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: ${{ inputs.helm_version }}
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          # Extract version from tag
+          VERSION=${GITHUB_REF#refs/tags/}
+
+          # Remove tag prefix if provided (e.g., "myapp-helm-chart-1.0.0" -> "1.0.0")
+          if [ -n "${{ inputs.tag_prefix }}" ]; then
+            VERSION=${VERSION#${{ inputs.tag_prefix }}}
+          else
+            # Default: remove "{chart_name}-helm-chart-" prefix
+            VERSION=${VERSION#${{ inputs.chart_name }}-helm-chart-}
+          fi
+
+          echo "📋 Publishing chart version: $VERSION"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Lint chart
+        run: |
+          echo "🔍 Linting Helm chart..."
+          helm lint ${{ inputs.chart_path }}
+          echo "✅ Chart linting passed"
+
+      - name: Package chart
+        run: |
+          echo "📦 Packaging Helm chart..."
+          helm package ${{ inputs.chart_path }}
+          ls -la *.tgz
+          echo "✅ Chart packaged successfully"
+
+      - name: Login to Harbor
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.registry }}
+          username: ${{ secrets.HARBOR_USERNAME }}
+          password: ${{ secrets.HARBOR_PASSWORD }}
+
+      - name: Push to Harbor
+        id: publish
+        run: |
+          CHART_FILE=$(ls ${{ inputs.chart_name }}-*.tgz)
+          CHART_URL="oci://${{ inputs.registry }}/${{ inputs.organization }}/${{ inputs.chart_repo }}"
+
+          echo "🚀 Publishing $CHART_FILE to Harbor..."
+          helm push "$CHART_FILE" "$CHART_URL"
+
+          echo "✅ Chart published successfully to Harbor"
+          echo "📋 Chart version: ${{ steps.version.outputs.version }}"
+          echo "📋 Chart repository: $CHART_URL"
+          echo "chart_url=$CHART_URL" >> $GITHUB_OUTPUT
+
+          # Add to job summary
+          echo "## 📦 Helm Chart Published" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Chart:** \`${{ inputs.chart_name }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Version:** \`${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Repository:** \`$CHART_URL\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Install Command" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "helm install ${{ inputs.chart_name }} $CHART_URL/${{ inputs.chart_name }} --version ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/README.md b/README.md
@@ -6,14 +6,31 @@ Reusable GitHub Actions workflows for CI/CD pipelines across Mconf projects.
 
 This repository provides a centralized collection of reusable GitHub Actions workflows for building, testing, linting, and deploying applications across multiple programming languages and platforms. All workflows are optimized for self-hosted runners and follow security best practices.
 
+## Development Guidelines
+
+Company-wide development practices and standards are documented in the [guidelines/](guidelines/) directory. These guidelines provide:
+
+- **AI Collaboration** - Best practices for working with AI coding tools
+- **General Development** - Language-agnostic practices (linting, Makefiles, pre-commit hooks)
+- **Language-Specific** - Guidelines for Ruby, Python, Go, and JavaScript
+- **Docker** - Container best practices and multi-stage builds
+- **Testing** - Testing strategies and AI-assisted test generation
+- **Git Workflow** - Commit messages, branching, and pull requests
+
+**Templates:** The [templates/](templates/) directory contains starter configurations (Makefile, AGENTS.md, linter configs, Docker examples) that you can copy to your projects.
+
+See [guidelines/README.md](guidelines/README.md) for a complete index.
+
 ## Workflow Comparison
 
 | Workflow | Action | Language/Tool | Registry | Security | Coverage | Private Repos | AI | Key Features |
 |----------|--------|---------------|----------|----------|----------|---------------|----|--------------|
 | **all-build-push-image** | Build+Push | Docker | Harbor | | | | | Multi-platform, metadata extraction, GHA+registry caching |
-| **all-build-push-scan-harbor** | Build+Push+Scan | Docker, Trivy | Harbor | ✓ | | ✓ | | Auto-detect push/scan, SSH support, Trivy Explorer upload |
+| **all-build-push-scan-harbor** | Build+Push+Scan | Docker, Trivy | Harbor | ✓ | | ✓ | | Auto-detect push/scan, SSH support, Trivy Explorer upload, custom context/target |
 | **all-create-tag** | Release | Git | | | | | | Version validation, annotated tags |
 | **all-gen-changelog-ai** | Release | Git, Claude | | | | | ✓ | PR info gathering, Notion integration, Claude Code |
+| **all-helm-lint** | Lint | Helm | | | | | | Chart validation, templating, packaging test |
+| **all-helm-publish** | Publish | Helm | Harbor | | | | | OCI registry push, version extraction, GitHub summary |
 | **data-py-uv-lint** | Lint | Python, Flake8, Black, isort, uv | | | | | | uv-based dependency management |
 | **data-py-uv-tests** | Test | Python, pytest, uv | | | ✓ | | | uv-based dependency management, configurable pytest markers |
 | **lb-go-build** | Build | Go | | | | ✓ | | CGO, private modules, build-essential |
@@ -102,7 +119,7 @@ This repository provides a centralized collection of reusable GitHub Actions wor
   Builds and pushes Docker images to Harbor with automatic tagging and caching. Supports multi-platform builds and optional DockerHub login for base images.
   **Usage:** See [`examples/all-build-push-image.yml`](examples/all-build-push-image.yml)
 * `all-build-push-scan-harbor.yml`
-  Builds, pushes Docker images to Harbor, and scans with Trivy. Includes auto-detection for push and scan based on git refs and available secrets. Supports SSH for private dependencies.
+  Builds, pushes Docker images to Harbor, and scans with Trivy. Includes auto-detection for push and scan based on git refs and available secrets. Supports SSH for private dependencies, custom build context and multi-stage targets.
   **Usage:** See [`examples/all-build-push-scan-harbor.yml`](examples/all-build-push-scan-harbor.yml)
 * `lb-scan.yml`
   Scans repository filesystem for security vulnerabilities using Trivy. Requires `pull-requests: write` permission.
@@ -111,6 +128,15 @@ This repository provides a centralized collection of reusable GitHub Actions wor
   Builds Docker image, pushes to registry (on tags), and scans with Trivy. Includes optional SSH support for private dependencies.
   **Usage:** See [`examples/lb-push-scan-image.yml`](examples/lb-push-scan-image.yml)
 
+### Helm Workflows
+
+* `all-helm-lint.yml`
+  Lints, templates, and validates Helm charts. Auto-detects chart name and supports custom values files.
+  **Usage:** See [`examples/all-helm-lint.yml`](examples/all-helm-lint.yml)
+* `all-helm-publish.yml`
+  Packages and publishes Helm charts to Harbor OCI registry. Includes version extraction from tags and GitHub summary with install command.
+  **Usage:** See [`examples/all-helm-publish.yml`](examples/all-helm-publish.yml)
+
 ### Release & Changelog Workflows
 
 * `all-gen-changelog-ai.yml`
diff --git a/examples/all-build-push-scan-harbor.yml b/examples/all-build-push-scan-harbor.yml
@@ -12,19 +12,23 @@ jobs:
     with:
       image_name: my-app # (required) Name of the Docker image
       organization: my-org # (required) Harbor organization name
-      registry: harbor.example.com # (required) Docker registry URL
+      # registry: registry.mconf.com # (optional) Docker registry URL (default: registry.mconf.com)
+      # context_path: . # (optional) Build context directory (default: .)
       # dockerfile_path: './Dockerfile' # (optional) Path to Dockerfile (default: ./Dockerfile)
+      # build_target: '' # (optional) Docker build target stage for multi-stage builds (default: '')
       # platforms: 'linux/amd64' # (optional) Target platforms (default: linux/amd64)
       # build-args: | # (optional) Build arguments
       #   ARG1=value1
       #   ARG2=value2
       # push_enabled: true # (optional) Force enable/disable push (default: auto-detect from tags)
       # scan_enabled: true # (optional) Force enable/disable scanning (default: auto-detect from secrets)
-    secrets:
-      HARBOR_USERNAME: ${{ secrets.HARBOR_USERNAME }} # (required) Harbor registry username
-      HARBOR_PASSWORD: ${{ secrets.HARBOR_PASSWORD }} # (required) Harbor registry password
-      # DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} # (optional) DockerHub username for pulling base images
-      # DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} # (optional) DockerHub password
-      # SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} # (optional) SSH key for private dependencies
-      # TRIVY_EXPLORER_AUTH_TOKEN: ${{ secrets.TRIVY_EXPLORER_AUTH_TOKEN }} # (optional) Trivy Explorer auth token
-      # TRIVY_EXPLORER_URL: ${{ secrets.TRIVY_EXPLORER_URL }} # (optional) Trivy Explorer URL
+    secrets: inherit # Passes all secrets to the reusable workflow
+    # Or specify secrets explicitly:
+    # secrets:
+    #   HARBOR_USERNAME: ${{ secrets.HARBOR_USERNAME }} # Harbor registry username
+    #   HARBOR_PASSWORD: ${{ secrets.HARBOR_PASSWORD }} # Harbor registry password
+    #   DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} # (optional) DockerHub username for pulling base images
+    #   DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} # (optional) DockerHub password
+    #   SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} # (optional) SSH key for private dependencies
+    #   TRIVY_EXPLORER_AUTH_TOKEN: ${{ secrets.TRIVY_EXPLORER_AUTH_TOKEN }} # (optional) Trivy Explorer auth token
+    #   TRIVY_EXPLORER_URL: ${{ secrets.TRIVY_EXPLORER_URL }} # (optional) Trivy Explorer URL
diff --git a/examples/all-helm-lint.yml b/examples/all-helm-lint.yml
@@ -0,0 +1,18 @@
+name: Helm Chart Lint
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'chart/**'
+      - '.github/workflows/helm-lint.yml'
+
+jobs:
+  lint:
+    uses: mconf/mconf-ci-jobs/.github/workflows/all-helm-lint.yml@main
+    with:
+      chart_path: chart # (required) Path to Helm chart directory
+      # helm_version: v3.12.0 # (optional) Helm version to use (default: v3.12.0)
+      # chart_name: my-app # (optional) Chart name for templating (auto-detected from directory if not provided)
+      # values_file: chart/values-custom.yaml # (optional) Custom values file for templating validation
+      # runs-on: '["self-hosted", "ubuntu-22.04"]' # (optional) Runner labels (default: self-hosted ubuntu-22.04)
diff --git a/examples/all-helm-publish.yml b/examples/all-helm-publish.yml
@@ -0,0 +1,24 @@
+name: Helm Chart Publish
+
+on:
+  push:
+    tags:
+      - 'my-app-helm-chart-*' # Tag pattern: {chart_name}-helm-chart-{version}
+
+jobs:
+  publish:
+    uses: mconf/mconf-ci-jobs/.github/workflows/all-helm-publish.yml@main
+    with:
+      chart_path: chart # (required) Path to Helm chart directory
+      chart_name: my-app # (required) Chart name (used for version extraction from tag)
+      organization: my-org # (required) Harbor organization name
+      # registry: registry.mconf.com # (optional) Harbor registry URL (default: registry.mconf.com)
+      # chart_repo: helm-charts # (optional) Helm chart repository name in Harbor (default: helm-charts)
+      # helm_version: v3.12.0 # (optional) Helm version to use (default: v3.12.0)
+      # tag_prefix: my-app-helm-chart- # (optional) Custom tag prefix for version extraction (default: {chart_name}-helm-chart-)
+      # runs-on: '["self-hosted", "ubuntu-22.04"]' # (optional) Runner labels (default: self-hosted ubuntu-22.04)
+    secrets: inherit # Passes all secrets to the reusable workflow
+    # Or specify secrets explicitly:
+    # secrets:
+    #   HARBOR_USERNAME: ${{ secrets.HARBOR_USERNAME }} # (required) Harbor registry username
+    #   HARBOR_PASSWORD: ${{ secrets.HARBOR_PASSWORD }} # (required) Harbor registry password
