Convert hashicorp/vault-helm to GitHub Actions (#861)

* Add workflow hashicorp/vault-helm/update-helm-charts-index * Add workflow hashicorp/vault-helm/manual-trigger-update-helm-charts-index * SHA-pin all 3rd-party actions * Restrict workflow permissions * Add actionslint * Add dependabot * Add CODEOWNERS * Replace deprecated references * fixup: First pass at cleaning up update-helm-charts-index * fixup: move to self-hosted for access to vault * fixup: remove vault bits, correct GHA action * fixup: Remove manual invocation * fixup: update CODEOWNERS * Update CODEOWNERS * Fix CODEOWNERS syntax * Use common workflow for action lint * fixup: address review feedback * fixup: codeowners set * Apply suggestions from code review Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com> * fixup: remove slack status action * fixup: more clear error message and correct syntax * fixup: limit actionlint trigger to GHA paths * fixup: glob * fixup: incorporate emily's superior syntax --------- Co-authored-by: Daniel Kimsey <daniel.kimsey@hashicorp.com> Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com> Co-authored-by: Alvin Huang <17609145+alvin-huang@users.noreply.github.com>
hashicorp · Apr 12, 2023 · bb9a069 · bb9a069
1 parent 1307dbe
commit bb9a069
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 8 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml
@@ -1,7 +1,5 @@
 name: Acceptance Tests
-
 on: [push, workflow_dispatch]
-
 jobs:
   kind:
     strategy:
@@ -13,14 +11,14 @@ jobs:
       - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup test tools
         uses: ./.github/workflows/setup-test-tools
-
       - name: Create K8s Kind Cluster
         uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
         with:
           config: test/kind/config.yaml
           node_image: kindest/node:v${{ matrix.kind-k8s-version }}
           version: v0.17.0
-
       - run: bats --tap --timing ./test/acceptance
         env:
           VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
+permissions:
+  contents: read
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -0,0 +1,16 @@
+# If the repository is public, be sure to change to GitHub hosted runners
+name: Lint GitHub Actions Workflows
+on:
+  push:
+    paths:
+      - .github/workflows/**.yml
+  pull_request:
+    paths:
+      - .github/workflows/**.yml
+permissions:
+  contents: read
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main
diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml
@@ -1,6 +1,5 @@
 name: Setup common testing tools
 description: Install bats and python-yq
-
 runs:
   using: "composite"
   steps:
@@ -18,3 +17,5 @@ runs:
         python-version: '3.10'
     - run: pip install yq
       shell: bash
+permissions:
+  contents: read
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -1,15 +1,12 @@
 name: Tests
-
 on: [push, workflow_dispatch]
-
 jobs:
   bats-unit-tests:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - uses: ./.github/workflows/setup-test-tools
       - run: bats --tap --timing ./test/unit
-
   chart-verifier:
     runs-on: ubuntu-latest
     env:
@@ -23,3 +20,5 @@ jobs:
           go-version: '1.19.2'
       - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION}
       - run: bats --tap --timing ./test/chart
+permissions:
+  contents: read
diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml
@@ -0,0 +1,40 @@
+name: update-helm-charts-index
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+  contents: read
+
+jobs:
+  update-helm-charts-index:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - name: verify Chart version matches tag version
+        run: |-
+          export TAG=${{ github.ref_name }}
+          git_tag=$(echo "${TAG#v}")
+          chart_tag=$(yq r Chart.yaml version)
+          if [ "${git_tag}" != "${chart_tag}" ]; then
+            echo "chart version (${chart_tag}) did not match git version (${git_tag})"
+            exit 1
+          fi
+      - name: update helm-charts index
+        id: update
+        env:
+          GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }}
+        run: |-
+          gh workflow run publish-charts.yml \
+            --repo hashicorp/helm-charts \
+            --ref main \
+            -f SOURCE_TAG="${{ github.ref_name }}" \
+            -f SOURCE_REPO="${{ github.repository }}"
+      - uses: hashicorp/actions-slack-status@v1
+        if: ${{always()}}
+        with:
+          success-message: "vault-helm charts index update triggered successfully. View the run <https://github.com/hashicorp/helm-charts/actions/workflows/publish-charts.yml|here>."
+          failure-message: "vault-helm charts index update trigger failed."
+          status: ${{job.status}}
+          slack-webhook-url: ${{secrets.SLACK_WEBHOOK_URL}}
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1 @@
+* @hashicorp/vault-ecosystem-foundations