Update Helm release cert-manager to v1.20.3 #1961
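---
# Cluster CI: validates the GitOps tree (ArgoCD topology, rendered
# Kustomize/Helm manifests, kopiur backup coverage, OpenTelemetry collector
# configs, Renovate config) on pull requests and on pushes to main.
#
# NOTE(review): every third-party action below is pinned to a mutable major
# tag (e.g. `@v4`). Pinning to a full commit SHA (tag kept in a trailing
# comment) is the usual hardening against a retagged or compromised action;
# the SHAs are not recorded here, so the tags are left as they were.
name: Cluster CI

on:  # yamllint disable-line rule:truthy -- GitHub requires the bare `on` key
  pull_request:
    paths:
      - infrastructure/**
      - monitoring/**
      - my-apps/**
      - scripts/**
      - scripts/validate-argocd-apps.sh  # redundant with scripts/** above
      - .github/workflows/cluster-ci.yml
      - .github/renovate.json5
  push:
    branches:
      - main
    paths:
      - infrastructure/**
      - monitoring/**
      - my-apps/**
      - scripts/**
      - scripts/validate-argocd-apps.sh  # redundant with scripts/** above
      - .github/workflows/cluster-ci.yml
      - .github/renovate.json5

# Least privilege: the workflow token can only read repository contents.
# No job below pushes, comments, or publishes, so nothing needs write scope.
permissions:
  contents: read

jobs:
  argocd-structure:
    name: ArgoCD Structure Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Validate ArgoCD app topology
        run: bash ./scripts/validate-argocd-apps.sh

  truenas-csi-contract:
    name: TrueNAS CSI Contract
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Kustomize
        uses: imranismail/setup-kustomize@v2
        with:
          kustomize-version: 5.4.2
      - name: Validate official TrueNAS CSI deployment
        run: bash ./scripts/validate-truenas-csi.sh

  render-and-schema:
    name: Kustomize Render and Schema Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Kustomize
        uses: imranismail/setup-kustomize@v2
        with:
          kustomize-version: 5.4.2
      - name: Setup Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.16.2
      - name: Install kubeconform
        # NOTE(review): the archive is fetched over HTTPS but its contents are
        # not verified against a published checksum before the binary is
        # moved onto PATH with sudo. Checking it against the release's
        # checksum file (value not recorded here) would close that gap.
        run: |
          set -euo pipefail
          KUBECONFORM_VERSION="v0.6.7"
          # --fail makes an HTTP error (e.g. a 404 for a mistyped version)
          # abort here instead of saving the error page as the "tarball",
          # which would only surface later as a confusing tar failure.
          curl --fail -sSL -o /tmp/kubeconform.tar.gz \
            "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz"
          tar -xzf /tmp/kubeconform.tar.gz -C /tmp
          sudo mv /tmp/kubeconform /usr/local/bin/kubeconform
          kubeconform -v
      - name: Render all kustomizations
        # Builds every kustomization.yaml directory under the three trees into
        # one multi-document stream. --enable-helm lets kustomize fetch and
        # template Helm charts, so this step needs network access to the
        # chart repositories referenced in the tree.
        run: |
          set -euo pipefail
          mapfile -t dirs < <(find infrastructure monitoring my-apps -type f -name kustomization.yaml -exec dirname {} \; | sort -u)
          # Zero directories almost certainly means a broken checkout or
          # find pattern rather than an empty cluster; fail loudly.
          if [ "${#dirs[@]}" -eq 0 ]; then
            echo "No kustomization directories found."
            exit 1
          fi
          : > /tmp/all-manifests.yaml
          for dir in "${dirs[@]}"; do
            echo "Rendering ${dir}"
            kustomize build "${dir}" --enable-helm >> /tmp/all-manifests.yaml
            # Separator so the next step can csplit the stream per document.
            echo "---" >> /tmp/all-manifests.yaml
          done
      - name: Validate Kubernetes schemas
        # NOTE(review): the CRD schema catalog is pulled from the `main`
        # branch of a third-party repo, so results can change without any
        # commit here; -ignore-missing-schemas also means a resource with no
        # published schema passes silently. Both are accepted trade-offs for
        # now; pin the catalog ref if reproducibility becomes a problem.
        run: |
          set -euo pipefail
          # Filter a known kubeconform false positive:
          # - Gitea Helm-rendered Service gitea-http: targetPort triggers a
          #   oneOf ambiguity in the Kubernetes Service schema.
          # (kopiur CRDs are skipped via -ignore-missing-schemas below.)
          csplit -z -f /tmp/doc- /tmp/all-manifests.yaml '/^---$/' '{*}' > /dev/null
          : > /tmp/filtered-manifests.yaml
          for f in /tmp/doc-*; do
            # Drops any document containing both strings anywhere in its
            # text, not only a Service whose metadata.name is gitea-http.
            if grep -q 'kind: Service' "$f" && grep -q 'name: gitea-http' "$f"; then
              continue
            fi
            cat "$f" >> /tmp/filtered-manifests.yaml
          done
          kubeconform \
            -summary \
            -ignore-missing-schemas \
            -schema-location default \
            -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
            /tmp/filtered-manifests.yaml
      - name: Validate kopiur backup coverage
        # Replaces the retired pvc-plumber validate-restore-contract.sh and the
        # backup-exempt-contract job. Runs on the RENDERED stream so Helm-rendered
        # PVCs (gitea, tubesync) are covered. Hard-fails when a backed-up PVC is
        # missing its dataSourceRef (recreates EMPTY in DR) or a backed-up namespace
        # lacks the kopiur.home-operations.com/repo label (repo creds won't fan in);
        # warns on missing mover securityContext, uncovered+unexempt PVCs, and
        # backup-exempt PVCs missing the qualified reason annotation.
        #
        # NOTE(review): pyyaml is installed unpinned from PyPI when absent on
        # the runner; pin a version if the script's parsing ever depends on it.
        run: |
          set -euo pipefail
          python3 -c "import yaml" 2>/dev/null || pip3 install --quiet pyyaml
          python3 ./scripts/validate-kopiur-coverage.py /tmp/all-manifests.yaml

  # backup-exempt-contract job RETIRED 2026-06-27 (pvc-plumber removed). It
  # hard-failed on the bare `backup-exempt-reason` key because pvc-plumber denied
  # such PVCs on CREATE; with pvc-plumber gone, nothing enforces the key, so the
  # check is folded into validate-kopiur-coverage.py as a WARNING (grep-consistency
  # only). The coverage check runs as a step in the render-and-schema job above.

  otel-collector-validate:
    name: OpenTelemetry Collector Config Validation
    # Catches the class of bug that caused the 2026-04-20 9-hour
    # root-sync jam: a pipeline referencing a receiver that was removed.
    # Runs `otelcol validate` on each OpenTelemetryCollector's rendered
    # config so pipeline-receiver-exporter mismatches are rejected at
    # PR time instead of crashlooping in-cluster.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Kustomize
        uses: imranismail/setup-kustomize@v2
        with:
          kustomize-version: 5.4.2
      - name: Setup Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.16.2
      - name: Validate all OpenTelemetryCollector configs
        run: bash ./scripts/validate-otel-configs.sh

  renovate-config-validate:
    name: Renovate Config Validation
    # Catches the class of bug that opened issue #1284 on 2026-05-10:
    # `packageRules` cannot combine `matchUpdateTypes` and `versioning`,
    # but the validator only flags it at runtime — Renovate stops opening
    # PRs cluster-wide until fixed. Run validator on every PR that touches
    # .github/renovate.json5 so the bad rule never reaches main.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          # Renovate >=41 requires Node >=22 and dropped Node 20. On Node 20,
          # `npx renovate` silently resolves to an old renovate major that
          # still uses `fileMatch`, so it rejects this repo's modern
          # `managerFilePatterns` config and fails EVERY renovate PR.
          node-version: '22'
      - name: Validate Renovate config
        # NOTE(review): `npx --yes --package=renovate` resolves and executes
        # whatever renovate version npm serves at run time, so the validator
        # is an unpinned dependency pulled on every PR. Pinning the package
        # version would make the check reproducible and narrow the supply
        # chain; the version is intentionally not invented here.
        run: |
          set -euo pipefail
          # The validator looks at the filename to decide global vs repo
          # config; .github/renovate.json5 is treated as global, which
          # surfaces the same packageRules / managers errors we care about.
          npx --yes --package=renovate renovate-config-validator --strict .github/renovate.json5

  shellcheck:
    name: Shell Script Lint (Informational)
    runs-on: ubuntu-latest
    # Informational only: findings are reported but never block the PR.
    continue-on-error: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install shellcheck
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y shellcheck
      - name: Run shellcheck on scripts
        run: |
          set -euo pipefail
          shellcheck -S warning scripts/*.sh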