* chore(ci): pin GitHub Actions to commit SHAs (#1811) Follow-up to #1810. The Node-24 upgrade left every workflow on mutable tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.) which superagent-security[bot] flagged on the ci.yml + publish.yml reviews. Pin all 18 external actions to the commit SHA they currently resolve to and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see the version. Local reusable-workflow refs (`uses: ./.github/...`) are left alone — pinning those would defeat the point. Closes #1811 * chore(ci): address review — persist-credentials + setup-node consistency (#1811) Two pieces of follow-up feedback on the SHA-pinning PR: - @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials: false' to checkout steps in jobs that don't perform authenticated git operations. Adds the line to 17 read-only checkouts across 9 workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight, llm-evals, preview-cleanup, preview-deploy, publish:build). Checkouts inside jobs that 'git push' (chart-release, mobile-build, mobile-release, helm-publish:second-checkout, publish:bump-pre_release) are intentionally left alone so they keep their token. - @jjmata: preview-deploy.yml was the only workflow on actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise on v5.0.0 to match. Dependabot config already has a github-actions ecosystem entry with a weekly schedule, so no addition needed for that point. * chore(ci): document intentional setup-node v6→5 normalization (#1811) @superagent-security flagged the v6.4.0 -> v5.0.0 change in preview-deploy.yml as a possible unintended downgrade. The downgrade was deliberate, per @jjmata's review request to normalize setup-node across all workflows. Add an inline YAML comment next to the line so future scans don't re-flag it. 
--------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
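# Chart CI: fails fast when the Helm chart drifts from the Rails app version,
# then lints and renders the chart. Triggered only by chart/version changes.
name: Chart CI

on:
  pull_request:
    paths:
      - 'charts/**'
      - '.sure-version'
      - '.github/workflows/chart-ci.yml'
  push:
    branches:
      - main
    paths:
      - 'charts/**'
      - '.sure-version'
      - '.github/workflows/chart-ci.yml'

# Least privilege: the jobs in this workflow only read the checkout (their
# checkout steps set persist-credentials: false and nothing pushes or
# publishes), so GITHUB_TOKEN is restricted to read-only. A job that later
# needs more must declare its own job-level `permissions:`.
permissions:
  contents: read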
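jobs:
  # Fails the build when .sure-version and the chart's version/appVersion
  # disagree, so a release cannot ship a chart tagged with a stale version.
  version-sync:
    name: Verify Helm ↔ Rails version sync
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          # Read-only job: do not leave the token behind in .git/config.
          persist-credentials: false

      - name: Check version alignment
        shell: bash
        run: |
          set -euo pipefail

          CHART_FILE=charts/sure/Chart.yaml

          # Print the value of a top-level Chart.yaml key ($1). Optional double
          # quotes, trailing whitespace/CR and inline comments are dropped so
          # that `version` and `appVersion` are parsed the same way (previously
          # only appVersion tolerated quotes). `q` stops sed at the first match,
          # which also avoids a SIGPIPE-induced pipefail from `head -n 1`.
          chart_field() {
            sed -n "/^$1:/{s/^$1: *\"\{0,1\}\([^\" ]*\).*/\1/p;q;}" "$CHART_FILE" | tr -d '[:space:]'
          }

          RAILS_VERSION=$(tr -d '[:space:]' < .sure-version)
          if [ -z "$RAILS_VERSION" ]; then
            echo "::error::Could not read version from .sure-version"
            exit 1
          fi

          CHART_VERSION=$(chart_field version)
          APP_VERSION=$(chart_field appVersion)

          echo "App version (.sure-version): $RAILS_VERSION"
          echo "Helm chart version (Chart.yaml): $CHART_VERSION"
          echo "Helm appVersion (Chart.yaml): $APP_VERSION"

          ERRORS=0

          if [ "$RAILS_VERSION" != "$CHART_VERSION" ]; then
            echo "::error::Chart version ($CHART_VERSION) does not match Rails version ($RAILS_VERSION)"
            ERRORS=$((ERRORS + 1))
          fi

          if [ "$RAILS_VERSION" != "$APP_VERSION" ]; then
            echo "::error::Chart appVersion ($APP_VERSION) does not match Rails version ($RAILS_VERSION)"
            ERRORS=$((ERRORS + 1))
          fi

          # Report both mismatches before failing so one run shows everything.
          if [ "$ERRORS" -gt 0 ]; then
            echo ""
            echo "To fix: ensure version in .sure-version matches"
            echo "both 'version' and 'appVersion' in charts/sure/Chart.yaml"
            exit 1
          fi

          echo "All versions are in sync."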
helm-checks:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
persist-credentials: false
- name: Install Helm
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
- name: Add chart dependencies repositories
run: |
helm repo add cloudnative-pg https://cloudnative-pg.github.io/charts
helm repo add ot-helm https://ot-container-kit.github.io/helm-charts
helm repo update
- name: Build chart dependencies
run: helm dependency build charts/sure
- name: Lint chart
run: helm lint charts/sure
- name: Render templates
run: helm template sure charts/sure --kube-version 1.25.0 >/tmp/sure-chart-rendered.yaml