Update Helm release ingress-nginx to v4.15.0 #417
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| push: | |
| merge_group: | |
| workflow_dispatch: | |
| workflow_call: | |
| release: | |
| types: [created] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: ${{ !(github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) }} | |
| jobs: | |
| chart-fixture-test: | |
| runs-on: github-ubuntu-latest-s | |
| name: Chart Fixture Test | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | |
| with: | |
| version: 2025.7.12 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | |
| with: | |
| python-version: '3.x' | |
| check-latest: true | |
| - name: Set up chart-testing | |
| uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0 | |
| - name: Build chart dependencies | |
| run: | | |
| ./.github/scripts/build_chart_dependencies.sh charts/sonarqube | |
| ./.github/scripts/build_chart_dependencies.sh charts/sonarqube-dce | |
| - name: Generate Helm fixtures | |
| run: | | |
| ./.github/scripts/generate_helm_fixtures.sh | |
| git diff --exit-code | |
| chart-schema-test: | |
| runs-on: github-ubuntu-latest-s | |
| name: Chart Schema Test | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | |
| with: | |
| version: 2025.7.12 | |
| - name: Install additional tools | |
| run: | | |
| pip install yamllint==1.37.1 yamale==6.0.0 | |
| - name: Build chart dependencies | |
| run: | | |
| ./.github/scripts/build_chart_dependencies.sh charts/sonarqube | |
| ./.github/scripts/build_chart_dependencies.sh charts/sonarqube-dce | |
| - name: Run schema tests | |
| run: ./.github/scripts/schema_test.sh | |
| static-compatibility-test: | |
| runs-on: github-ubuntu-latest-s | |
| name: Static Compatibility Test (${{ matrix.chart }}) | |
| strategy: | |
| matrix: | |
| chart: [sonarqube, sonarqube-dce] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | |
| with: | |
| version: 2025.7.12 | |
| - name: Build chart dependencies | |
| run: ./.github/scripts/build_chart_dependencies.sh charts/${{ matrix.chart }} | |
| - name: Run unit helm compatibility test | |
| run: ./.github/scripts/unit_helm_compatibility_test.sh ${{ matrix.chart }} | |
| # Shared steps for OpenShift chart verification | |
| openshift-test: | |
| runs-on: sonar-xs-public | |
| needs: [chart-fixture-test, chart-schema-test, static-compatibility-test] | |
| name: SonarQube OpenShift Tests | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| matrix: | |
| include: | |
| - verifying_chart: sonarqube-dce | |
| report_name: sonarqube-dce-openshift-report | |
| - verifying_chart: sonarqube | |
| report_name: sonarqube-openshift-report | |
| env: | |
| OPENSHIFT_VERSION: 4.20.12 | |
| CHART_VERIFIER_VERSION: 1.14.0 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | |
| with: | |
| version: 2025.7.12 | |
| - id: secrets | |
| uses: SonarSource/vault-action-wrapper@545e7cfbb5528e7009a1edcc83e073898d292627 # v3.2.0 | |
| with: | |
| secrets: | | |
| development/kv/data/docker/sonardockerrw username | DOCKER_USERNAME; | |
| development/kv/data/docker/sonardockerrw access_token_rwd | DOCKER_PASSWORD; | |
| development/team/sonarqube/kv/data/rosa-openshift url | ROSA_OPENSHIFT_URL; | |
| development/team/sonarqube/kv/data/rosa-dev username | ROSA_OPENSHIFT_USER; | |
| development/team/sonarqube/kv/data/rosa-dev password | ROSA_OPENSHIFT_PASSWORD; | |
| - name: Install chart-verifier | |
| run: | | |
| curl -LO https://github.com/redhat-certification/chart-verifier/releases/download/${{ env.CHART_VERIFIER_VERSION }}/chart-verifier-${{ env.CHART_VERIFIER_VERSION }}.tgz | |
| echo "48dc6eb859bcae7722808fa3234440562c17e074dfa698161644f7b372a260e8 chart-verifier-${{ env.CHART_VERIFIER_VERSION }}.tgz" | sha256sum -c | |
| tar -xf chart-verifier-${{ env.CHART_VERIFIER_VERSION }}.tgz | |
| mkdir -p $HOME/bin | |
| mv chart-verifier $HOME/bin/ | |
| echo "$HOME/bin" >> $GITHUB_PATH | |
| - name: Install kubectl CLI | |
| uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1 | |
| with: | |
| version: 'v1.35.0' | |
| - name: Install OpenShift CLI | |
| run: | | |
| curl -LO https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${{ env.OPENSHIFT_VERSION }}/openshift-client-linux.tar.gz | |
| EXPECTED_SHA=$(curl -sL "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${{ env.OPENSHIFT_VERSION }}/sha256sum.txt" | grep "openshift-client-linux.tar.gz" | awk '{print $1}') | |
| echo "${EXPECTED_SHA} openshift-client-linux.tar.gz" | sha256sum -c | |
| mkdir -p /tmp/openshift | |
| tar -xf openshift-client-linux.tar.gz -C /tmp/openshift | |
| mkdir -p $HOME/bin | |
| mv /tmp/openshift/oc $HOME/bin/ | |
| echo "$HOME/bin" >> $GITHUB_PATH | |
| rm -rf /tmp/openshift openshift-client-linux.tar.gz | |
| - name: Authenticate to OpenShift | |
| env: | |
| ROSA_OPENSHIFT_URL: ${{ fromJSON(steps.secrets.outputs.vault).ROSA_OPENSHIFT_URL }} | |
| ROSA_OPENSHIFT_USER: ${{ fromJSON(steps.secrets.outputs.vault).ROSA_OPENSHIFT_USER }} | |
| ROSA_OPENSHIFT_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ROSA_OPENSHIFT_PASSWORD }} | |
| run: ./.github/scripts/openshift_auth.sh | |
| - name: Setup OpenShift project | |
| env: | |
| DOCKER_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).DOCKER_USERNAME }} | |
| DOCKER_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).DOCKER_PASSWORD }} | |
| run: | | |
| oc new-project ${{ matrix.verifying_chart }} --display-name="Test Project" --description="This is a test project for testing ${{ matrix.verifying_chart}} from GitHub Actions" || oc project ${{ matrix.verifying_chart }} | |
| kubectl create secret docker-registry pullsecret --namespace ${{ matrix.verifying_chart }} --docker-username=${DOCKER_USERNAME} --docker-password=${DOCKER_PASSWORD} --dry-run=client -o yaml | kubectl apply -f - | |
| ./.github/scripts/build_chart_dependencies.sh charts/${{ matrix.verifying_chart }} | |
| chart-verifier version | |
| - name: Setup external PostgreSQL | |
| if: matrix.verifying_chart == 'sonarqube-dce' | |
| run: NAMESPACE="${{ matrix.verifying_chart }}" VALUES_FILE="charts/${{ matrix.verifying_chart }}/openshift-verifier/postgres-values.yaml" ./.github/scripts/setup_external_postgres.sh | |
| - name: Run chart verification | |
| run: | | |
| mkdir -p "$(pwd)/report-${{ matrix.verifying_chart}}" | |
| chart-verifier verify -x images-are-certified charts/${{ matrix.verifying_chart }} --helm-install-timeout 20m -F charts/${{ matrix.verifying_chart }}/openshift-verifier/values.yaml -n ${{ matrix.verifying_chart }} --openshift-version ${{ env.OPENSHIFT_VERSION }} > "$(pwd)/report-${{ matrix.verifying_chart}}/report.yaml" | |
| - name: Upload verification report | |
| if: always() && ! cancelled() | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: ${{ matrix.report_name}} | |
| path: report-*/report.yaml | |
| - name: Check violations | |
| run: cat "report-${{ matrix.verifying_chart}}/report.yaml" | ./.github/scripts/verify_openshift.sh | |
| - name: Cleanup | |
| if: always() | |
| run: oc delete project ${{ matrix.verifying_chart }} || true | |
| kind-test: | |
| needs: [chart-fixture-test, chart-schema-test, static-compatibility-test] | |
| strategy: | |
| matrix: | |
| include: | |
| - chart: sonarqube | |
| config: ct-sonarqube-test.yaml | |
| runner: github-ubuntu-latest-s | |
| secrets_id: secrets | |
| - chart: sonarqube-dce | |
| config: ct-sonarqube-dce-test.yaml | |
| runner: github-ubuntu-latest-m | |
| secrets_id: dcesecrets | |
| runs-on: ${{ matrix.runner }} | |
| name: Kind Test (${{ matrix.chart }}) | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | |
| with: | |
| version: 2025.7.12 | |
| - name: Set up chart-testing | |
| uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0 | |
| - name: Create kind cluster | |
| uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0 | |
| - name: Setup Kind cluster | |
| run: | | |
| kubectl cluster-info --context kind-chart-testing | |
| kubectl get nodes | |
| kubectl describe node chart-testing-control-plane | |
| - name: Setup Istio | |
| run: | | |
| helm repo add istio https://istio-release.storage.googleapis.com/charts | |
| kubectl create namespace istio-system --dry-run=client -o yaml | kubectl apply -f - | |
| helm upgrade -i istio-base istio/base -n istio-system --set defaultRevision=default --set global.proxy.holdApplicationUntilProxyStarts=true --wait | |
| helm upgrade -i istiod istio/istiod --set global.proxy.holdApplicationUntilProxyStarts=true --set resources.requests.cpu=100m -n istio-system --wait | |
| kubectl create namespace test --dry-run=client -o yaml | kubectl apply -f - | |
| kubectl label namespace test istio-injection=enabled | |
| - name: Setup External PostgreSQL | |
| if: matrix.chart == 'sonarqube-dce' | |
| run: NAMESPACE=test ./.github/scripts/setup_external_postgres.sh | |
| - id: secrets | |
| uses: SonarSource/vault-action-wrapper@545e7cfbb5528e7009a1edcc83e073898d292627 # v3.2.0 | |
| with: | |
| secrets: | | |
| development/kv/data/docker/sonardockerrw username | DOCKER_USERNAME; | |
| development/kv/data/docker/sonardockerrw access_token_rwd | DOCKER_PASSWORD; | |
| - name: Setup docker registry secret | |
| env: | |
| DOCKER_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).DOCKER_USERNAME }} | |
| DOCKER_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).DOCKER_PASSWORD }} | |
| run: kubectl create secret docker-registry pullsecret --namespace test --docker-username=${DOCKER_USERNAME} --docker-password=${DOCKER_PASSWORD} --dry-run=client -o yaml | kubectl apply -f - | |
| - name: Install ArtifactHub CLI | |
| run: | | |
| curl -LO https://github.com/artifacthub/hub/releases/download/v1.21.0/ah_1.21.0_linux_amd64.tar.gz | |
| echo "48d6b87b60baf4ee8fd5efbfec3bf5fb3ca783ab3f1dab625e64332b95df2a84 ah_1.21.0_linux_amd64.tar.gz" | sha256sum -c | |
| mkdir -p /tmp/artifacthub | |
| tar -xf ah_1.21.0_linux_amd64.tar.gz -C /tmp/artifacthub | |
| sudo mv /tmp/artifacthub/ah /usr/local/bin/ah | |
| rm -rf /tmp/artifacthub ah_1.21.0_linux_amd64.tar.gz | |
| - name: Run ArtifactHub lint | |
| run: ah lint | |
| - name: Run chart testing | |
| run: | | |
| ct lint --config ${{ matrix.config }} | |
| ct install --namespace test --config ${{ matrix.config }} --debug | |
| sonarqube-packaging: | |
| needs: [kind-test,openshift-test] | |
| runs-on: github-ubuntu-latest-s | |
| name: ${{ matrix.chart }} Packaging | |
| strategy: | |
| matrix: | |
| include: | |
| - chart: sonarqube-dce | |
| - chart: sonarqube | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | |
| with: | |
| version: 2025.7.12 | |
| - uses: SonarSource/ci-github-actions/get-build-number@4ef2061ff3c9dc144a66f8a6e480d04d2d79e3bb # v1.3.25 | |
| id: build-number | |
| - id: secrets | |
| uses: SonarSource/vault-action-wrapper@545e7cfbb5528e7009a1edcc83e073898d292627 # v3.2.0 | |
| with: | |
| secrets: | | |
| development/github/token/SonarSource-helm-chart-sonarqube-releases token | GITHUB_TOKEN; | |
| development/kv/data/sign key | SONARSOURCE_SIGN_KEY; | |
| development/kv/data/sign key_id | SONARSOURCE_SIGN_KEY_ID; | |
| development/kv/data/sign passphrase | SONARSOURCE_SIGN_KEY_PASSPHRASE; | |
| - name: Setup signing key | |
| env: | |
| SONARSOURCE_SIGN_KEY: ${{ fromJSON(steps.secrets.outputs.vault).SONARSOURCE_SIGN_KEY }} | |
| run: echo "$SONARSOURCE_SIGN_KEY" > /tmp/key | |
| - name: Add Helm repositories | |
| run: | | |
| helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx | |
| helm repo add bitnami-pre2022 https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | |
| helm repo update | |
| - name: Package and sign ${{ matrix.chart }} chart | |
| env: | |
| BUILD_NUMBER: ${{ steps.build-number.outputs.BUILD_NUMBER }} | |
| GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} | |
| SONARSOURCE_SIGN_KEY_ID: ${{ fromJSON(steps.secrets.outputs.vault).SONARSOURCE_SIGN_KEY_ID }} | |
| SONARSOURCE_SIGN_KEY_PASSPHRASE: ${{ fromJSON(steps.secrets.outputs.vault).SONARSOURCE_SIGN_KEY_PASSPHRASE }} | |
| run: | | |
| ./.github/scripts/package.sh ${{ matrix.chart }} | |
| ./.github/scripts/sign_chart.sh ${{ matrix.chart }} | |
| - name: Upload SonarQube chart artifact | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: ${{ matrix.chart }}-chart-${{ github.run_id }} | |
| path: "*.tgz*" | |
| sonarqube-push-to-repox: | |
| needs: [sonarqube-packaging] | |
| runs-on: github-ubuntu-latest-s | |
| strategy: | |
| matrix: | |
| include: | |
| - chart: sonarqube-dce | |
| - chart: sonarqube | |
| name: ${{ matrix.chart }} Push to Repox | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | |
| with: | |
| cache_save: false | |
| version: 2025.7.12 | |
| - uses: SonarSource/ci-github-actions/get-build-number@4ef2061ff3c9dc144a66f8a6e480d04d2d79e3bb # v1.3.25 | |
| id: build-number | |
| - name: Download ${{ matrix.chart }} chart artifact | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 | |
| with: | |
| name: ${{ matrix.chart }}-chart-${{ github.run_id }} | |
| - id: secrets | |
| uses: SonarSource/vault-action-wrapper@545e7cfbb5528e7009a1edcc83e073898d292627 # v3.2.0 | |
| with: | |
| secrets: | | |
| development/kv/data/repox url | ARTIFACTORY_URL; | |
| development/artifactory/token/SonarSource-helm-chart-sonarqube-qa-deployer access_token | ARTIFACTORY_ACCESS_TOKEN; | |
| - name: Upload ${{ matrix.chart }} to Repox | |
| env: | |
| BUILD_NUMBER: ${{ steps.build-number.outputs.BUILD_NUMBER }} | |
| ARTIFACTORY_URL: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_URL }} | |
| ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }} | |
| run: | | |
| ./.github/scripts/upload_chart.sh ${{ matrix.chart }} | |
| trigger-release: | |
| needs: [sonarqube-push-to-repox] | |
| runs-on: github-ubuntu-latest-s | |
| name: Trigger Release | |
| permissions: | |
| id-token: write | |
| contents: write | |
| if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 | |
| with: | |
| cache_save: false | |
| version: 2025.7.12 | |
| - uses: SonarSource/ci-github-actions/get-build-number@4ef2061ff3c9dc144a66f8a6e480d04d2d79e3bb # v1.3.25 | |
| id: build-number | |
| - name: Download SonarQube chart artifact | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 | |
| with: | |
| name: sonarqube-chart-${{ github.run_id }} | |
| - name: Download SonarQube DCE chart artifact | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 | |
| with: | |
| name: sonarqube-dce-chart-${{ github.run_id }} | |
| - id: secrets | |
| uses: SonarSource/vault-action-wrapper@545e7cfbb5528e7009a1edcc83e073898d292627 # v3.2.0 | |
| with: | |
| secrets: | | |
| development/github/token/SonarSource-helm-chart-sonarqube-releases token | GITHUB_TOKEN; | |
| development/kv/data/slack token | SLACK_TOKEN; | |
| - name: Check if charts exist | |
| id: check-charts | |
| run: | | |
| CHARTS=$(find $GITHUB_WORKSPACE -maxdepth 1 -name "*.tgz*" -type f -exec basename "{}" ";") | |
| if [[ "x$CHARTS" != "x" ]]; then | |
| echo "charts-exist=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "charts-exist=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Call release workflow | |
| if: steps.check-charts.outputs.charts-exist == 'true' | |
| env: | |
| GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} | |
| run: | | |
| gh workflow run release.yml \ | |
| -f version="${{ github.ref_name }}" \ | |
| -f buildNumber="${{ steps.build-number.outputs.BUILD_NUMBER }}" | |
| qa-validator: | |
| if: always() | |
| name: QA Validator | |
| needs: | |
| - chart-fixture-test | |
| - chart-schema-test | |
| - static-compatibility-test | |
| - openshift-test | |
| - kind-test | |
| - sonarqube-packaging | |
| - sonarqube-push-to-repox | |
| runs-on: github-ubuntu-latest-s | |
| outputs: | |
| SUCCESS: ${{ steps.alls-green.outputs.success }} | |
| steps: | |
| - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 | |
| id: alls-green | |
| with: | |
| jobs: ${{ toJSON(needs) }} | |
| allowed-skips: 'chart-fixture-test,chart-schema-test,static-compatibility-test,openshift-test,kind-test,sonarqube-packaging,sonarqube-push-to-repox' | |
| notify-slack-on-failure: | |
| name: Notify on Failure | |
| needs: [ qa-validator ] | |
| if: >- | |
| always() && | |
| (needs.qa-validator.result == 'failure') && | |
| (github.ref_name == github.event.repository.default_branch || | |
| startsWith(github.ref_name, 'release/')) | |
| permissions: | |
| id-token: write | |
| uses: ./.github/workflows/slack_notify.yml |