
fix: ci dependency review #399


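# Lint, smoke-test and release the Helm charts under charts/.
#
# Pull requests: dependency review, chart-testing lint, an install test on a
# kind cluster, then an automatic bot approval.
# Pushes to main: copy docs into the chart and publish it with chart-releaser.
# Both: best-effort CodeQL and a Trivy config scan uploaded as SARIF.
name: charts

on:
  push:
    branches:
      - main
    paths:
      - charts/**
  pull_request:
    branches:
      - main
    paths:
      - charts/**
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Only cancel superseded PR runs; a release run on main must not be
  # interrupted while chart-releaser is publishing.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Workflow-wide default; jobs opt in to the write scopes they need.
permissions: read-all

jobs:
  chart:
    runs-on: ubuntu-latest
    # NOTE(review): these write scopes are only used by the release steps that
    # run on main, yet every run of this job (PR runs included) receives them.
    # Moving the release steps into their own job would let PR runs keep the
    # read-only default.
    permissions:
      id-token: write
      pages: write
      security-events: write
      contents: write
      pull-requests: write
    # Exact ref comparison: contains(github.ref, 'main') would also match a
    # workflow_dispatch run on any branch whose name merely contains "main".
    if: ${{ github.event_name == 'pull_request' || github.ref == 'refs/heads/main' }}
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history; ct diffs against the target branch
          persist-credentials: false

      - name: Dependency Review
        if: ${{ github.event_name == 'pull_request' }}
        uses: actions/dependency-review-action@v4
        with:
          # NOTE(review): allow-ghsas takes a comma-separated list of GHSA IDs
          # to allow; "true" is not a GHSA ID and is presumably a no-op here —
          # confirm what was intended.
          allow-ghsas: true
          comment-summary-in-pr: always

      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.16.3

      - name: Setup Chart Linting
        if: ${{ github.event_name == 'pull_request' }}
        id: lint
        uses: helm/[email protected]

      # The "changed" output is not consumed by any later step at present.
      - name: Run chart-testing (list-changed)
        if: ${{ github.event_name == 'pull_request' }}
        id: list-changed
        env:
          # Passed via the environment instead of being interpolated into the
          # script, so the shell never parses raw expression output.
          TARGET_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          changed=$(ct list-changed --target-branch "$TARGET_BRANCH")
          if [[ -n "$changed" ]]; then
            # ::set-output is deprecated; step outputs go through $GITHUB_OUTPUT.
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Run chart-testing (lint)
        if: ${{ github.event_name == 'pull_request' }}
        env:
          TARGET_BRANCH: ${{ github.event.repository.default_branch }}
        run: ct lint --target-branch "$TARGET_BRANCH" --validate-maintainers=false

      - name: Configure Git
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "[email protected]"

      - name: Copy Readme and License
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          cp -v *.md charts/applicationset/

      - name: Run chart-releaser
        if: ${{ github.ref == 'refs/heads/main' }}
        uses: helm/[email protected]
        with:
          charts_dir: charts
          config: charts/cr.yml
          mark_as_latest: true
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      # No `languages` input is configured for CodeQL, which is presumably why
      # both steps are best effort and never fail the job.
      - name: Initialize CodeQL
        uses: github/codeql-action/[email protected]
        continue-on-error: true

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/[email protected]
        continue-on-error: true

      - name: Run Trivy vulnerability scanner
        # TODO(review): @master is a mutable ref; pin to a release tag or commit
        # SHA like the other actions in this file so the scanner cannot change
        # underneath the workflow.
        uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-results.sarif

      # Fails if the Trivy step above produced no report; its errors are
      # otherwise masked by continue-on-error.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/[email protected]
        with:
          sarif_file: trivy-results.sarif

  k8s-test:
    runs-on: ubuntu-latest
    needs: [chart]
    if: ${{ github.ref != 'refs/heads/main' }}
    steps:
      - name: Create k8s Kind Cluster
        uses: helm/[email protected]
        with:
          kubectl_version: v1.29.3  # Ensure compatibility with the latest APIs
          node_image: kindest/node:v1.29.2  # Match node version with kubectl for consistency

      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false  # same as the chart job; this job never pushes

      - name: Run K8s test
        run: |
          kubectl create ns argocd
          kubectl apply -k https://github.com/argoproj/argo-cd/manifests/crds\?ref\=stable -n argocd
          helm upgrade -i appsets charts/applicationset --namespace argocd --create-namespace
          helm list -A
          kubectl get all -A
          kubectl get applications -A -o wide
          kubectl get applicationsets -A -o wide

  auto-approve:
    runs-on: ubuntu-latest
    needs: [chart, k8s-test]
    permissions:
      pull-requests: write
    if: ${{ github.event_name == 'pull_request' }}
    # NOTE(review): this approves every PR whose checks pass, regardless of
    # author, so branch protection must not treat it as the only required
    # review.
    steps:
      - name: Auto Approve PR
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.pulls.createReview({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              event: "APPROVE"
            })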