[github-actions] Add index-monitor action (#31378)

* [github-actions] Add index-monitor action Signed-off-by: Miguel Ruiz <miguel.ruiz@broadcom.com> * Update index branch Signed-off-by: Miguel Ruiz <miguel.ruiz@broadcom.com> * Add permissions content: read Signed-off-by: Miguel Ruiz <miguel.ruiz@broadcom.com> --------- Signed-off-by: Miguel Ruiz <miguel.ruiz@broadcom.com>
2026-02-11 12:57:08 +08:00 · 2025-01-16 11:17:07 +01:00
parent f4b98a615b
commit 5b34d26bef
2 changed files with 162 additions and 0 deletions
--- a/.github/workflows/gchat-notification.yml
+++ b/.github/workflows/gchat-notification.yml
@@ -0,0 +1,42 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+name: 'GChat Notification'
+on:
+  workflow_call:
+    inputs:
+      workflow:
+        type: string
+        required: true
+      job-url:
+        type: string
+        required: true
+      repository:
+        type: string
+    secrets:
+      GCHAT_WEBHOOK_URL:
+        required: true
+# Remove all permissions by default
+permissions: {}
+jobs:
+  notification:
+    name: Google Chat Notification
+    runs-on: ubuntu-latest
+    steps:
+      - name: Notify
+        env:
+          JOB_URL: ${{ inputs.job-url }}
+          GH_WORKFLOW: ${{ inputs.workflow }}
+          GH_REPOSITORY: ${{ inputs.repository != '' && inputs.repository || github.repository }}
+          GCHAT_WEBHOOK_URL: ${{ secrets.GCHAT_WEBHOOK_URL }}
+        run: |
+          tmp_file=$(mktemp)
+          cat >"${tmp_file}"<<EOF
+          ⚠️ [${GH_REPOSITORY}] Failure detected on '${GH_WORKFLOW}' workflow ⚠️
+          📑 See details <${JOB_URL}|here>.
+          EOF
+
+          # Use curl to send the JSON to Google.
+          escapedText=$(sed -e 's/\n/\\n/g' -e 's/"/\\"/g' -e "s/'/\\'/g" "${tmp_file}")
+          json="{\"text\": \"$escapedText\"}"
+          curl -X POST -H 'Content-Type: application/json' -d "$json" "${GCHAT_WEBHOOK_URL}"
--- a/.github/workflows/index-monitor.yml
+++ b/.github/workflows/index-monitor.yml
@@ -0,0 +1,120 @@
+name: '[Index] Monitor remote index.yaml'
+
+on:
+  schedule:
+    # Every 10 minutes
+    - cron: '*/10 * * * *'
+
+# Remove all permissions by default
+permissions: {}
+
+jobs:
+  integrity-check:
+    name: Compare the index.yaml checksums remote and locally
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      result: ${{ steps.integrity-check.outputs.result }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: 'index'
+      - name: Check index integrity
+        id: integrity-check
+        run: |
+          status="fail"
+          attempts=0
+          # We want to check for consistent failures
+          # To do so, we will look for 3 consecutive failures with a 30 seconds wait
+          # A single success is enough to pass
+          while [[ "${status}" != "ok" && $attempts -lt 3 ]]; do
+            # Check the index.yaml integrity
+            REMOTE_MD5=($(curl -Ls https://charts.bitnami.com/bitnami/index.yaml | md5sum))
+            REPOSITORY_MD5=($(md5sum bitnami/index.yaml))
+            # Compare the index.yaml checksums remote and locally
+            if [[ "${REPOSITORY_MD5[0]}" == "${REMOTE_MD5[0]}" ]]; then
+              status='ok'
+            else
+              attempts=$((attempts+1))
+              echo "Integrity check failed. Remote checksum '${REMOTE_MD5[0]}' does not match expected '${REPOSITORY_MD5[0]}'";
+              # Refresh the 'index' branch in case it was updated
+              git fetch origin index
+              git reset --hard origin/index
+              # Wait 30 seconds
+              sleep 30
+            fi
+          done
+          echo "result=${status}" >> $GITHUB_OUTPUT
+      - name: Show messages
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          script: |
+            if ("${{ steps.integrity-check.outputs.result }}" != "ok" ) {
+              core.setFailed("Integrity check failed");
+            } else {
+              core.info("Integrity check succeeded")
+            }
+  validation-check:
+    name: Validate the helm repository can be added and updated
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      result: ${{ steps.validation-check.outputs.result }}
+    steps:
+      - name: Install helm
+        run: |
+          HELM_TARBALL="helm-v3.8.1-linux-amd64.tar.gz"
+          curl -SsLfO "https://get.helm.sh/${HELM_TARBALL}" && sudo tar xf "$HELM_TARBALL" --strip-components 1 -C /usr/local/bin
+      - name: Validate helm repository
+        id: validation-check
+        run: |
+          repo="https://charts.bitnami.com/bitnami"
+          status="fail"
+          attempts=0
+          # We want to check for consistent failures
+          # To do so, we will look for 3 consecutive failures with a 30 seconds wait
+          # A single success is enough to pass
+          while [[ "${status}" != "ok" && $attempts -lt 3 ]]; do
+            # Validates the helm repository can be added and updated
+            if helm repo add bitnami "${repo}" && helm repo update bitnami; then
+              status="ok"
+            else
+              attempts=$((attempts+1))
+              echo "Failed to pull charts from helm repository '${repo}'"
+              # If present, remove repository to allow retries
+              if helm repo list | grep -q bitnami; then
+                helm repo remove bitnami
+              fi
+              # Wait 30 seconds
+              sleep 30
+            fi
+          done
+          echo "result=${status}" >> $GITHUB_OUTPUT
+      - name: Show messages
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          script: |
+            if ("${{ steps.validation-check.outputs.result }}" != "ok" ) {
+              core.setFailed("Validation check failed");
+            } else {
+              core.info("Validation check succeeded")
+            }
+  upload:
+    name: Re-upload index.yaml
+    needs: [validation-check, integrity-check]
+    if: ${{ always() && (needs.validation-check.outputs.result != 'ok' || needs.integrity-check.outputs.result != 'ok') }}
+    uses: bitnami/charts/.github/workflows/sync-chart-cloudflare-index.yml@index
+    secrets: inherit
+    permissions:
+      contents: read
+  notify:
+    name: Send notification
+    needs: [validation-check, integrity-check]
+    if: ${{ always() && (needs.validation-check.outputs.result != 'ok' || needs.integrity-check.outputs.result != 'ok') }}
+    uses: bitnami/charts/.github/workflows/gchat-notification.yml@main
+    with:
+      workflow: ${{ github.workflow }}
+      job-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    secrets: inherit