Release-1.7.4

.github/workflows/build.yml

@@ -4,11 +4,6 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened, edited, ready_for_review, labeled]
 
-env:
-  # Temporary workaround. See
-  # https://github.com/redhat-actions/openshift-tools-installer/issues/105
-  ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
-
 jobs:
   setup:
     name: Setup CI
@@ -392,7 +387,7 @@ jobs:
       - name: Approve PR
         id: approve_pr
         if: ${{ steps.check_report.conclusion == 'success' }}
-        uses: hmarr/auto-approve-action@v3
+        uses: hmarr/auto-approve-action@v4
         with:
           # The token we use for this changes for the Sandbox repository because the sandbox repository
           # receives PRs from the openshift-helm-charts-bot, and that same bot cannot approve its own
@@ -456,9 +451,9 @@ jobs:
 
       - name: Block until there is no running workflow
         if: ${{ needs.setup.outputs.run_build == 'true' }}
-        uses: softprops/turnstyle@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/turnstyle@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Configure Git
         if: ${{ needs.setup.outputs.run_build == 'true' }}
@@ -486,17 +481,16 @@ jobs:
       # The release tag format is <organization_name>-<chart_name>-<chart_version>
       - name: Create GitHub release
         if: ${{ needs.chart-verifier.outputs.web_catalog_only == 'False' }}
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           tag_name: ${{ needs.chart-verifier.outputs.release_tag }}
           files: |
               ${{ steps.prepare-chart-release.outputs.report_file }}
               ${{ steps.prepare-chart-release.outputs.public_key_file }}
               ${{ steps.prepare-chart-release.outputs.path_to_chart_tarball }}
               ${{ steps.prepare-chart-release.outputs.prov_file_name }}
-          fail_on_unmatched_files: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          fail_on_unmatched_files: true 
 
       - name: Update Helm repository index
         if: ${{ needs.setup.outputs.run_build == 'true' }}

.github/workflows/check-contributor.yml

@@ -37,7 +37,7 @@ jobs:
     outputs:
       is-repo-owner: ${{ steps.populate-output.outputs.is-repo-owner }}
     name: Contributor is repo owner
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository base
         uses: actions/checkout@v4

.github/workflows/ci-enabled.yml

@@ -18,7 +18,7 @@ name: Ensure CI is Enabled
 #
 #   next_task:
 #     needs: ensure_ci_enabled
-#     runs-on: ubuntu-latest
+#     runs-on: ubuntu-22.04
 #     steps:
 #     - ...
 
@@ -31,7 +31,7 @@ on:
 
 jobs:
   fail_if_ci_disabled:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
     - name: Check enablement value
       run: |

.github/workflows/mercury_bot.yml

@@ -18,7 +18,7 @@ on:
 jobs:
   owners-file-check:
     name: OWNERS file PR checker
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     if: github.event.pull_request.draft == false && github.actor == 'redhat-mercury-bot'
     steps:
       - name: Checkout
@@ -188,7 +188,7 @@ jobs:
         if: |
           steps.check_for_owners.outputs.merge_pr == 'true'
           && steps.safe-to-merge.outputs.merge_pr == 'true'
-        uses: hmarr/auto-approve-action@v3
+        uses: hmarr/auto-approve-action@v4
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/owners.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   owners-metrics:
     name: Send Owner Metrics
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     if: github.actor == 'redhat-mercury-bot'
     env:
       SEGMENT_WRITE_KEY: ${{ secrets.SEGMENT_WRITE_KEY }}

.github/workflows/python-style.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   enforce:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
     - name: Checkout code
       uses: actions/checkout@v4

.github/workflows/test-cluster-access.yml

@@ -6,11 +6,6 @@ name: Test Cluster Access
 on:
   workflow_dispatch:
 
-env:
-  # Temporary workaround. See
-  # https://github.com/redhat-actions/openshift-tools-installer/issues/105
-  ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
-
 jobs:
   test-cluster-access:
     name: Test Cluster Access

.github/workflows/test.yml

@@ -34,7 +34,7 @@ jobs:
   workflow-test:
     name: Workflow Test
     needs: [check-contributor]
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     if: |
       github.event.pull_request.draft == false &&
       needs.check-contributor.outputs.is-repo-owner == 'true'
@@ -147,7 +147,7 @@ jobs:
       - name: Approve PR
         id: approve_pr
         if: ${{ steps.check_if_release_pr.outputs.charts_release_branch == 'true' }}
-        uses: hmarr/auto-approve-action@v3
+        uses: hmarr/auto-approve-action@v4
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/version_check.yml

@@ -28,7 +28,7 @@ on:
 jobs:
   check-ocp:
     name: Check OpenShift Version
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
 
       - name: check schedule and main repository
@@ -248,7 +248,7 @@ jobs:
     if: ${{ always() }}
     needs: check-ocp
     name: Check Chart Verifier Version
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: check schedule and main repository
         id: check_repo

scripts/requirements.txt

@@ -15,7 +15,7 @@ packaging==24.1
 parse==1.20.2
 parse-type==0.6.2
 pluggy==1.5.0
-psutil==5.9.8
+psutil==6.0.0
 PyGithub==2.3.0
 pyparsing==3.1.2
 pytest==8.2.2

scripts/src/precheck/submission.py

@@ -51,6 +51,10 @@ class ReleaseTagError(SubmissionError):
     pass
 
 
+class ChartError(Exception):
+    pass
+
+
 @dataclass
 class Chart:
     """Represents a Helm Chart
@@ -80,6 +84,17 @@ def register_chart_info(self, category, organization, name, version):
             )
             raise VersionError(msg)
 
+        # Red Hat charts must carry the Red Hat prefix.
+        if organization == "redhat":
+            if not name.startswith("redhat-"):
+                msg = f"[ERROR] Charts provided by Red Hat must have their name begin with the redhat- prefix. I.e. redhat-{name}"
+                raise ChartError(msg)
+
+        # Non Red Hat charts must not carry the Red Hat prefix.
+        if organization != "redhat" and name.startswith("redhat-"):
+            msg = f"[ERROR] The redhat- prefix is reserved for charts provided by Red Hat. Your chart: {name}"
+            raise ChartError(msg)
+
         self.category = category
         self.organization = organization
         self.name = name

scripts/src/precheck/submission_test.py

@@ -221,6 +221,22 @@ class SubmissionInitScenario:
         ],
         excepted_exception=pytest.raises(submission.VersionError),
     ),
+    # Invalid PR references a Chart from redhat without the "redhat-" prefix
+    SubmissionInitScenario(
+        api_url="https://api.github.com/repos/openshift-helm-charts/charts/pulls/103",
+        modified_files=[
+            f"charts/{expected_category}/redhat/{expected_name}/{expected_version}/report.yaml"
+        ],
+        excepted_exception=pytest.raises(submission.ChartError),
+    ),
+    # Invalid PR references a Chart with the "redhat-" prefix from another organization
+    SubmissionInitScenario(
+        api_url="https://api.github.com/repos/openshift-helm-charts/charts/pulls/103",
+        modified_files=[
+            f"charts/{expected_category}/{expected_organization}/redhat-{expected_name}/{expected_version}/report.yaml"
+        ],
+        excepted_exception=pytest.raises(submission.ChartError),
+    ),
 ]
 
 

scripts/src/saforcharttesting/saforcharttesting.py

@@ -2,7 +2,6 @@
 import base64
 import json
 import os
-import re
 import subprocess
 import sys
 import tempfile
@@ -29,7 +28,7 @@
 kind: Secret
 type: kubernetes.io/service-account-token
 metadata:
-  name: token-${name}
+  name: ${name}
   namespace: ${name}
   annotations:
     kubernetes.io/service-account.name: ${name}
@@ -242,65 +241,44 @@ def delete_clusterrolebinding(name):
         sys.exit(1)
 
 
-def write_sa_token(namespace, token):
-    secret_found = False
-    secrets = []
+def write_sa_token(namespace, token_file):
+    """Write's the service account token to token_file."""
+    token_found = False
     for i in range(7):
+        # On retry, wait a little extra time before starting to give the cluster
+        # time to process the resources created before this.
+        if i > 0:
+            time.sleep(5)
+            print(f"[INFO] looking for service account token (retry {i})")
         out = subprocess.run(
-            ["oc", "get", "serviceaccount", namespace, "-n", namespace, "-o", "json"],
+            ["oc", "get", "secret", namespace, "-n", namespace, "-o", "json"],
             capture_output=True,
         )
         stdout = out.stdout.decode("utf-8")
         if out.returncode != 0:
             stderr = out.stderr.decode("utf-8")
             if stderr.strip():
-                print("[ERROR] retrieving ServiceAccount:", namespace, stderr)
-                time.sleep(10)
-        else:
-            sa = json.loads(stdout)
-            if len(sa["secrets"]) >= 2:
-                secrets = sa["secrets"]
-                secret_found = True
-                break
-            else:
-                pattern = r"Tokens:\s+([A-Za-z0-9-]+)"
-                dout = subprocess.run(
-                    ["oc", "describe", "serviceaccount", namespace, "-n", namespace],
-                    capture_output=True,
-                )
-                dstdout = dout.stdout.decode("utf-8")
-                match = re.search(pattern, dstdout)
-                if match:
-                    token_name = match.group(1)
-                else:
-                    print("[ERROR] Token not found, Exiting")
-                    sys.exit(1)
-                secrets.append({"name": token_name})
-                secret_found = True
-                break
-        time.sleep(10)
+                print("[ERROR] retrieving token secret:", namespace, stderr)
+                continue
 
-    if not secret_found:
-        print("[ERROR] retrieving ServiceAccount:", namespace, stderr)
-        sys.exit(1)
+        secret = json.loads(stdout)
+        token = secret.get("data", {}).get("token", None)
 
-    for secret in secrets:
-        out = subprocess.run(
-            ["oc", "get", "secret", secret["name"], "-n", namespace, "-o", "json"],
-            capture_output=True,
+        if not token:
+            print("[ERROR] token not yet found in secret:", namespace)
+            continue
+
+        token_found = True
+        break
+
+    if not token_found:
+        print(
+            "[ERROR] all attempts to find service account token have failed:", namespace
         )
-        stdout = out.stdout.decode("utf-8")
-        if out.returncode != 0:
-            stderr = out.stderr.decode("utf-8")
-            if stderr.strip():
-                print("[ERROR] retrieving secret:", secret["name"], stderr)
-                continue
-        else:
-            sec = json.loads(stdout)
-            if sec["type"] == "kubernetes.io/service-account-token":
-                content = sec["data"]["token"]
-                with open(token, "w") as fd:
-                    fd.write(base64.b64decode(content).decode("utf-8"))
+        sys.exit(1)
+
+    with open(token_file, "w") as fd:
+        fd.write(base64.b64decode(token).decode("utf-8"))
 
 
 def switch_project_context(namespace, token, api_server):