charts/.github/workflows/ci-verify.yml
dependabot[bot] 7266bc31c6 ⬆️ Bump actions/checkout from 5.0.0 to 6.0.0 (#36390)
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](08c6903cd8...1af3b93b68)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-25 07:54:34 +01:00


# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
name: '[CI/CD] Verify'
# Triggered by pull request activity against the branches listed below.
# `labeled` is included so that adding a label re-runs the checks.
on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - labeled
    branches:
      - main
      - bitnami:main
# Start from an empty token scope; each job opts in to what it needs
permissions: {}
# One concurrency group per workflow and PR number
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
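jobs:
  # Resolves which chart the PR modifies; the other jobs consume its outputs.
  get-chart:
    runs-on: ubuntu-latest
    name: Get modified charts
    permissions:
      pull-requests: read
    outputs:
      chart: ${{ steps.get-chart.outputs.chart }}
      result: ${{ steps.get-chart.outputs.result }}
      values-updated: ${{ steps.get-chart.outputs.values-updated }}
    steps:
      - id: get-chart
        # NOTE(review): this action is referenced by the mutable branch `main`,
        # unlike actions/checkout below, which is pinned to a commit SHA.
        # Consider pinning it to a commit SHA as well.
        uses: bitnami/charts/.github/actions/get-chart@main
        with:
          pr-url: "${{ github.event.pull_request.url }}"
          pr-number: "${{ github.event.pull_request.number }}"
  # Static checks on the chart templates and on the image warning list.
  # No job-level permissions: the empty workflow default applies.
  chart-tests:
    runs-on: ubuntu-latest
    needs: [get-chart]
    name: Look for hardcoded images
    if: needs.get-chart.outputs.result == 'ok'
    steps:
      - name: Checkout bitnami/charts
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
        with:
          path: charts
          # No later step uses git, so do not leave the token on disk
          persist-credentials: false
      - id: check-hardcoded-images
        name: Look for hardcoded images
        env:
          # Passed through the environment (not interpolated into the script)
          # so the chart name cannot be evaluated as shell code.
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          cd "${GITHUB_WORKSPACE}/charts" || exit 1
          hardcoded_images=()
          # Collect every `image:` value in the templates that is not a
          # template expression ({{ ... }}).
          while read -r image; do
            if [[ -n "$image" && $image != {{*}} ]]; then
              hardcoded_images+=("${image}")
            fi
          done <<< "$(grep --exclude "NOTES.txt" -REoh "\s*image:\s+[\"']*.+[\"']*\s*$" "bitnami/${CHART}/templates" | sed "s/image: [\"']*//" | sed "s/[\"']*$//")"
          echo "${hardcoded_images[@]}"
          if [[ ${#hardcoded_images[@]} -gt 0 ]] ; then
            echo "error=Found hardcoded images in the chart templates: ${hardcoded_images[*]}"
            exit 1
          fi
      - id: check-image-warning-list
        name: Check image warning list
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          cd "${GITHUB_WORKSPACE}/charts" || exit 1
          if [[ "$CHART" != "common" && "$CHART" != "fluentd" ]]; then
            readarray -t tag_paths < <(yq e '.. | (path | join("."))' "bitnami/${CHART}/values.yaml" | grep -E '\.tag$' | sed 's/.tag$//g' | sort -u)
            readarray -t registry_paths < <(yq e '.. | (path | join("."))' "bitnami/${CHART}/values.yaml" | grep '\.registry$' | sed 's/.registry$//g' | sort -u)
            # We assume that image objects are those that contain both keys 'tag' and 'registry'
            images_paths=()
            for path in "${tag_paths[@]}"; do
              if echo "${registry_paths[@]}" | grep -w -q "$path"; then
                [[ -n "$path" ]] && images_paths+=("$path")
              fi
            done
            # Get the images defined in the image warning helper
            readarray -d ' ' -t images_list_tmp < <(grep -E 'common.warnings.modifiedImages' "bitnami/${CHART}/templates/NOTES.txt" | sed -E 's/.*\(list (.+)\) "context".*/\1/' | sed 's/.Values.//g')
            # Remove any empty element from the array
            images_list=()
            for i in "${images_list_tmp[@]}"; do
              if echo "$i" | grep -q -E "\S+"; then
                images_list+=("$i")
              fi
            done
            # Compare the image objects and the image warning list
            if [[ ${#images_list[@]} -eq ${#images_paths[@]} ]]; then
              for path in "${images_list[@]}"; do
                if ! echo "${images_paths[*]}" | grep -w -q "$path"; then
                  echo "Found inconsistencies in the images warning list: '${images_list[*]}' should be equal to '${images_paths[*]}'"
                  exit 1
                fi
              done
            else
              echo "Found inconsistencies in the images warning list: '${images_list[*]}' should be equal to '${images_paths[*]}'"
              exit 1
            fi
          fi
  # Lints the PR's chart and compares its kubescape compliance score with the
  # score of the same chart on the base branch.
  verify:
    runs-on: ubuntu-latest
    needs: [get-chart]
    name: Run linter and kubescape
    permissions:
      contents: read
    if: needs.get-chart.outputs.result == 'ok'
    steps:
      # The PR head is contributor-controlled content; later steps run helm
      # and tar over it, so the token is not persisted in the checkout.
      # NOTE(review): `head.ref` is a branch name and can move after the run
      # was triggered; `github.event.pull_request.head.sha` would pin the
      # exact commit under review.
      - name: Checkout bitnami/charts
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
        with:
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
          path: charts-pr
          persist-credentials: false
      - name: Checkout bitnami/charts
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
        with:
          ref: ${{github.event.pull_request.base.ref}}
          repository: ${{github.event.pull_request.base.repo.full_name}}
          fetch-depth: 1
          path: charts-main
          persist-credentials: false
      - name: Install helm
        # NOTE(review): the tarball is unpacked into /usr/local/bin with sudo
        # and no integrity check. Pin the expected digest in this file, e.g.
        #   echo "<EXPECTED_SHA256>  ${HELM_TARBALL}" | sha256sum -c -
        # before extracting, and review whether this helm version is still
        # supported.
        run: |
          HELM_TARBALL="helm-v3.8.1-linux-amd64.tar.gz"
          curl -SsLfO "https://get.helm.sh/${HELM_TARBALL}" && sudo tar xf "$HELM_TARBALL" --strip-components 1 -C /usr/local/bin
      - name: Install Kubescape
        # The installer is downloaded to a file first so that an HTTP error or
        # a truncated download fails the step instead of handing partial (or
        # empty) input to bash.
        # NOTE(review): the script still comes from the mutable `master`
        # branch; pin the URL to a reviewed commit, e.g.
        #   .../kubescape/kubescape/<REVIEWED_COMMIT_SHA>/install.sh
        run: |
          set -euo pipefail
          installer="$(mktemp)"
          curl -fsSL https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh -o "${installer}"
          /bin/bash "${installer}" -v v3.0.41
          rm -f "${installer}"
      - name: Run helm-dep-build
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          charts_paths=("charts-main" "charts-pr")
          for charts_path in "${charts_paths[@]}"; do
            if [ -d "${charts_path}/bitnami/${CHART}" ]; then
              helm dep build "${charts_path}/bitnami/${CHART}"
              if [ -d "${charts_path}/bitnami/${CHART}/charts" ]; then
                # Quoted so that the chart name is never word-split or globbed
                pushd "${charts_path}/bitnami/${CHART}/charts"
                # Unpack the dependency archives so they are scanned as well
                for filename in *.tgz; do
                  # Without a match the loop sees the literal pattern; skip it
                  [ -e "$filename" ] || continue
                  tar -xf "$filename"
                  rm -f "$filename"
                done
                popd
              fi
            fi
          done
      - name: Run helm-lint
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          helm lint "charts-pr/bitnami/${CHART}"
      - id: validate-scores
        name: Validate score
        # Skip step when user 'skip-score' label is used.
        # NOTE(review): this makes the label a bypass for the score gate, so
        # who may apply it should be restricted - confirm repository settings.
        if: |
          !(
            contains(github.event.pull_request.labels.*.name, 'skip-score') ||
            (github.event.action == 'labeled' && github.event.label.name == 'skip-score')
          )
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          export PATH="$PATH:$HOME/.kubescape/bin"
          FRAMEWORKS="MITRE,NSA,SOC2,cis-v1.10.0"
          if [ -d "charts-main/bitnami/${CHART}" ]; then
            report_dir="$(mktemp -d)"
            charts_paths=("charts-pr" "charts-main")
            for chart_path in "${charts_paths[@]}"; do
              echo "Scanning ${chart_path}/bitnami/${CHART}"
              report_file="${report_dir}/${chart_path}.json"
              kubescape scan framework "${FRAMEWORKS}" "${chart_path}/bitnami/${CHART}" --format json -o "${report_file}"
              # Save the score as an integer number of hundredths (12.34 -> 1234),
              # rounded to two decimals. Scaling in jq keeps 85.5 and 85 on the
              # same scale as 85.12; splitting the text on '.' did not.
              # `numbers` plus -e makes a missing or null score fail the step.
              jq -e -r '.summaryDetails.complianceScore | numbers | . * 100 | round' "${report_file}" > "${report_dir}/${chart_path}.score"
            done
            score="$(<"${report_dir}/charts-pr.score")"
            main_score="$(<"${report_dir}/charts-main.score")"
            # Fail closed: a non-numeric value would evaluate to 0 in the
            # arithmetic below and let the comparison pass.
            if ! [[ "${score}" =~ ^[0-9]+$ && "${main_score}" =~ ^[0-9]+$ ]]; then
              echo "Could not read a numeric compliance score from the kubescape reports"
              exit 1
            fi
            # To show the scores we need to add the decimals: 1234 > 12.34
            printf 'Current score: %d.%02d, previous one: %d.%02d\n' "$((score / 100))" "$((score % 100))" "$((main_score / 100))" "$((main_score % 100))"
            if [[ $((score - main_score)) -lt 0 ]]; then
              echo "Kubescape score has worsened"
              exit 1
            fi
          else
            echo "Chart not found at bitnami/${CHART}. It will be assumed that the upstream chart does not exist."
          fi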