feat: add helm integration tests workflow and integrate with publish and tests workflows

slntopp · slntopp · commit cc132252f3b4 · 2026-03-09T11:14:56.000+01:00
diff --git a/.github/workflows/helm-tests.yaml b/.github/workflows/helm-tests.yaml
@@ -0,0 +1,160 @@
+name: Helm integration tests
+on:
+  workflow_call:
+    inputs:
+      build-operator:
+        description: "Build operator image from source (false = use published image from chart defaults)"
+        required: false
+        type: boolean
+        default: true
+    secrets:
+      MONDOO_TEST_ORG_TOKEN:
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  build-operator:
+    if: inputs.build-operator
+    runs-on: ubuntu-latest
+    name: Build operator container
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
+          fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
+      - name: Import environment variables from file
+        run: cat ".github/env" >> $GITHUB_ENV
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: "${{ env.golang-version }}"
+      - name: Build operator container image
+        run: make docker-save
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: helm-operator-build
+          path: operator.tar
+          retention-days: 1
+
+  helm-tests:
+    name: Helm integration tests (${{ matrix.k8s-version }})
+    runs-on: ubuntu-latest
+    needs: [build-operator]
+    if: always() && (needs.build-operator.result == 'success' || needs.build-operator.result == 'skipped')
+
+    permissions:
+      contents: read
+      checks: write
+      statuses: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [v1.32.0, v1.35.0]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Import environment variables from file
+        run: cat ".github/env" >> $GITHUB_ENV
+
+      - name: Install Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: "${{ env.golang-version }}"
+
+      - name: Start minikube
+        uses: medyagh/setup-minikube@master
+        with:
+          memory: 4000m
+          kubernetes-version: ${{ matrix.k8s-version }}
+
+      - name: Install Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+        id: install
+
+      - name: Download operator build artifact
+        if: inputs.build-operator
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: helm-operator-build
+
+      - name: Load operator image into minikube
+        if: inputs.build-operator
+        run: minikube image load operator.tar
+
+      - name: Determine operator image tag
+        id: image-tag
+        run: |
+          if [ "${{ inputs.build-operator }}" = "true" ]; then
+            echo "tag=sha256-$(git rev-parse HEAD).sig" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Install Mondoo Operator Helm chart
+        run: |
+          HELM_ARGS=""
+          if [ "${{ inputs.build-operator }}" = "true" ]; then
+            HELM_ARGS="--set controllerManager.manager.image.tag=${{ steps.image-tag.outputs.tag }} --set controllerManager.manager.imagePullPolicy=Never"
+          fi
+          helm install mondoo-operator charts/mondoo-operator -n mondoo-operator --create-namespace --wait $HELM_ARGS
+
+      # Now that dependencies are cached the tests start almost immediately after minikube has started
+      # this makes tests fail occasionally. This sleep gives the runner some time to become more stable
+      # before the test execution starts.
+      - name: Wait a bit for the runner to become more stable
+        run: kubectl -n kube-system wait --for=condition=Ready pods --all --timeout=60s
+
+      - name: Run integration tests
+        env:
+          MONDOO_API_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}
+        run: EXTERNAL_INSTALLATION=1 VERSION=${{ steps.image-tag.outputs.tag }} make test/integration/ci
+
+      - run: mv integration-tests.xml integration-tests-helm-${{ matrix.k8s-version }}.xml
+        if: success() || failure()
+
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: success() || failure()
+        with:
+          name: test-results-helm-${{ matrix.k8s-version }}
+          path: integration-tests-helm-${{ matrix.k8s-version }}.xml
+
+      - name: Upload test logs artifact
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: failure()
+        with:
+          name: helm-test-logs-${{ matrix.k8s-version }}
+          path: /home/runner/work/mondoo-operator/mondoo-operator/tests/integration/_output/
+
+  report-tests:
+    name: Report helm test results
+    runs-on: ubuntu-latest
+    needs: [helm-tests]
+    if: always()
+    permissions:
+      actions: read
+      contents: read
+      checks: write
+      pull-requests: write
+    steps:
+      - name: Download test results
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          pattern: test-results-helm-*
+          merge-multiple: true
+
+      - name: Publish Test Results
+        uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f # v2.22.0
+        with:
+          commit: ${{ github.event.workflow_run.head_sha }}
+          event_file: ${{ github.event_path }}
+          event_name: ${{ github.event.workflow_run.event }}
+          files: "*.xml"
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -240,107 +240,22 @@ jobs:
       # this should ensure the manifest is tagged latest, which is required for the install automation
       - release-helm
 
-  # publish helm chart after the release of container images is complete
+  # Run helm integration tests using the published container images
   run-helm-tests:
-    name: Run helm integration tests
     if: startsWith(github.ref, 'refs/tags/v')
     needs:
       - push-virtual-tag
-    runs-on: ubuntu-latest
-
+    uses: ./.github/workflows/helm-tests.yaml
+    with:
+      build-operator: false
     permissions:
       contents: read
+      actions: read
       checks: write
       statuses: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        k8s-version: [v1.32.0, v1.35.0]
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-
-      - name: Import environment variables from file
-        run: cat ".github/env" >> $GITHUB_ENV
-
-      - name: Install Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: "${{ env.golang-version }}"
-
-      - name: Start minikube
-        uses: medyagh/setup-minikube@master
-        with:
-          memory: 4000m
-          kubernetes-version: ${{ matrix.k8s-version }}
-
-      - name: Install Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-        id: install
-
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      - name: Install Mondoo Operator Helm chart
-        run: helm install mondoo-operator charts/mondoo-operator -n mondoo-operator --create-namespace --wait
-
-      # Now that dependencies are cached the tests start almost immediately after minikube has started
-      # this makes tests fail occasionally. This sleep gives the runner some time to become more stable
-      # before the test execution starts.
-      - name: Wait a bit for the runner to become more stable
-        run: kubectl -n kube-system wait --for=condition=Ready pods --all --timeout=60s
-
-      - name: Run integration tests
-        env:
-          MONDOO_API_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}
-        run: EXTERNAL_INSTALLATION=1 VERSION=${{ steps.meta.outputs.version }} make test/integration/ci
-
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: success() || failure()        # run this step even if previous step failed
-        with:                             # upload a combined archive with unit and integration test results
-          name: test-results-helm-${{ matrix.k8s-version }}
-          path: integration-tests-helm-${{ matrix.k8s-version }}.xml
-
-      - name: Upload test logs artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: failure()
-        with:
-          name: helm-test-logs-${{ matrix.k8s-version }}
-          path: /home/runner/work/mondoo-operator/mondoo-operator/tests/integration/_output/
-
-  report-tests:
-    name: Report test results
-    runs-on: ubuntu-latest
-    needs:
-      - run-helm-tests
-    permissions:
-      actions: read # Required to read the artifact
-      contents: read # Required to read the source
-      checks: write # Required to write the results
-      pull-requests: write # Required to write comments
-    steps:
-      - name: Download test results
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-        with:
-          pattern: test-results-*
-          merge-multiple: true
-
-      - name: Publish Test Results
-        uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f # v2.22.0
-        with:
-          commit: ${{ github.event.workflow_run.head_sha }}
-          event_file: ${{ github.event_path }}
-          event_name: ${{ github.event.workflow_run.event }}
-          files: "*.xml"
+      pull-requests: write
+    secrets:
+      MONDOO_TEST_ORG_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}
 
   release-helm:
     name: Release helm chart
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -42,3 +42,16 @@ jobs:
     with:
       cnspecImageTag: ""
     secrets: inherit
+  helm-tests:
+    name: Helm tests
+    needs: [unit-tests]
+    if: needs.unit-tests.result == 'success'
+    uses: ./.github/workflows/helm-tests.yaml
+    permissions:
+      contents: read
+      actions: read
+      checks: write
+      statuses: write
+      pull-requests: write
+    secrets:
+      MONDOO_TEST_ORG_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}
