Use reduced IAM permissions on worker nodes instance profile #2398
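# DO NOT EDIT. Generated with:
#
#    devctl
#
#    https://github.com/giantswarm/devctl/blob/8960b8810d2fdb97543d84baa8b50ffa40da26a9/pkg/gen/input/workflows/internal/file/helm_render_diff.yaml.template
#
# Renders the repository's Helm chart with every `ci/test-*-values.yaml` file,
# once on the PR code and once on the default-branch code, diffs the two
# renderings with dyff and posts the result as a PR comment.
name: Compare Helm Rendering
on:
  pull_request:
  push:
    # NOTE(review): `HEAD_BRANCH` looks like an unsubstituted template
    # placeholder — confirm against the devctl template. Both jobs below are
    # gated on `github.event_name == 'pull_request'`, so push runs do nothing.
    branches: [HEAD_BRANCH, main]

# Least-privilege GITHUB_TOKEN: checkout only reads repository contents; the
# find / delete / create comment steps need write access to pull requests.
# Without an explicit block the jobs inherit the repository default, which may
# be broader than needed. Pull requests from forks still get a read-only token
# regardless of this block.
permissions:
  contents: read
  pull-requests: write

env:
  # Quoted so YAML does not parse the versions as floats.
  dyff_ver: "1.7.1"
  helm_ver: "3.11.1"

jobs:
  # This job is for checking for the `/no_diffs_printing` comment in the PR. When it is found,
  # the `get-rendering-values` job is skipped, what makes `cmp-helm-rendering` skipped as well.
  # Note: any user who can comment on the PR can suspend the diff report this way.
  check-cmp-state:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - name: Find suspend comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
        continue-on-error: true
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body-regex: '^\s*/no_diffs_printing' # on a separate line, not as Markdown `<!-- /no_diffs_printing -->` comment
      - name: Find suspend comment in PR body # PR body isn't a comment, so the above step won't find it
        id: pr_body
        # The PR body is read from the event payload file with jq, never
        # interpolated into the shell with `${{ }}`, so body contents cannot
        # inject into this script.
        run: |
          if jq -r .pull_request.body "${GITHUB_EVENT_PATH}" | grep -qE '^\s*/no_diffs_printing'; then
            echo "Found /no_diffs_printing command in PR body"
            echo "suspend_diffs_printing_from_pr_body=true" >> "${GITHUB_OUTPUT}"
          else
            echo "Did not find /no_diffs_printing command in PR body"
            echo "suspend_diffs_printing_from_pr_body=false" >> "${GITHUB_OUTPUT}"
          fi
    outputs:
      suspend_comment_id: ${{ steps.fc.outputs.comment-id }}
      suspend_diffs_printing_from_pr_body: ${{ steps.pr_body.outputs.suspend_diffs_printing_from_pr_body }}

  cmp-helm-rendering:
    needs: check-cmp-state
    runs-on: ubuntu-latest
    # Runs only when neither a `/no_diffs_printing` comment nor such a line in
    # the PR body was found by the previous job.
    if: github.event_name == 'pull_request' && needs.check-cmp-state.outputs.suspend_comment_id == 0 && needs.check-cmp-state.outputs.suspend_diffs_printing_from_pr_body == 'false'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: install helm
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
        with:
          version: ${{ env.helm_ver }}
      - run: which helm
      - name: install dyff
        uses: giantswarm/install-binary-action@c37eb401e5092993fc76d545030b1d1769e61237 # v3.0.0
        with:
          binary: dyff
          # `${version}` / `${binary}` are expanded by the install action, not by YAML.
          download_url: "https://github.com/homeport/dyff/releases/download/v${version}/dyff_${version}_linux_amd64.tar.gz"
          smoke_test: "${binary} version"
          tarball_binary_path: "${binary}"
          version: ${{ env.dyff_ver }}
      - run: which dyff
      - run: ls -la /opt/hostedtoolcache
      - name: render helm with current code
        # `github.event.repository.name` refers to the base repository, so it is
        # not controllable from a fork PR; it is the only expression expanded
        # into these shell scripts.
        run: |
          helm repo add cluster-catalog https://giantswarm.github.io/cluster-catalog/
          # We also add cluster-test-catalog so we can more easily test dev builds of subcharts.
          # Charts from cluster-test-catalog should be used only for testing purposes.
          helm repo add cluster-test-catalog https://giantswarm.github.io/cluster-test-catalog/
          helm dependency build helm/${{ github.event.repository.name }}
          for test_file_path in helm/${{ github.event.repository.name }}/ci/test-*-values.yaml; do
            echo
            echo "Rendering Helm template for ${test_file_path} on current code"
            mkdir -p "/tmp/${test_file_path}"
            helm template -n org-giantswarm -f "helm/${{ github.event.repository.name }}/ci/ci-values.yaml" -f "${test_file_path}" "helm/${{ github.event.repository.name }}" > "/tmp/${test_file_path}/render-new.yaml"
          done
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: "${{ github.event.repository.default_branch }}"
          path: 'old'
      - name: render helm with main branch code
        # The old chart is rendered with the values files from the PR code
        # (the loop globs `helm/...`, not `old/helm/...`), so a values file
        # that is new in the PR is still rendered against the old chart.
        run: |
          helm dependency build old/helm/${{ github.event.repository.name }}
          for test_file_path in helm/${{ github.event.repository.name }}/ci/test-*-values.yaml; do
            echo
            echo "Rendering Helm template for ${test_file_path} on old code"
            # NOTE(review): this directory is created for every globbed file by
            # the previous step, so the check below never triggers; the message
            # suggests `old/${test_file_path}` was meant — confirm intent
            # before changing, since skipping leaves render-old.yaml missing
            # and dyff then reports "Diff error".
            if [ ! -d "/tmp/${test_file_path}" ]; then
              echo "File ${test_file_path} does not yet exist in old code, skipping"
              continue
            fi
            helm template -n org-giantswarm -f "old/helm/${{ github.event.repository.name }}/ci/ci-values.yaml" -f "${test_file_path}" "old/helm/${{ github.event.repository.name }}" > "/tmp/${test_file_path}/render-old.yaml"
          done
      - name: get the diffs
        uses: mathiasvr/command-output@34408ea3d0528273faff3d9e201761ae96106cd0 # v2.0.0
        with:
          run: |
            marker="=== No differences at all ==="
            # First pass: one dyff section per values file, written to /tmp/diffs.
            # The marker line is appended only when no file showed a difference.
            (
              found_differences=
              first=1
              for test_file_path in helm/${{ github.event.repository.name }}/ci/test-*-values.yaml; do
                if [ "${first}" = 1 ]; then
                  first=
                else
                  echo
                  echo
                fi
                echo "=== Differences when rendered with values file ${test_file_path} ==="
                if dyff between --set-exit-code --ignore-order-changes --omit-header --use-go-patch-style \
                    "/tmp/${test_file_path}/render-old.yaml" "/tmp/${test_file_path}/render-new.yaml"; then
                  echo "No difference"
                else
                  # `$?` here is dyff's exit status; a non-zero status other
                  # than 255 means a difference was found, 255 is treated as a
                  # dyff error (e.g. a missing input file).
                  res=$?
                  found_differences=1
                  if [ "${res}" -eq 255 ]; then echo "Diff error"; fi
                fi
              done
              if [ -z "${found_differences}" ]; then
                echo
                echo
                echo "${marker}"
              fi
            ) > /tmp/diffs
            # Second pass: wrap the diff output in a Markdown comment body.
            (
              if ! grep -qF "${marker}" /tmp/diffs ; then
                echo "**There were differences in the rendered Helm template, please check! ⚠️**"
              else
                echo "There were no differences in the rendered Helm template."
              fi
              echo
              echo "<details>"
              echo "<summary>Output</summary>"
              echo "<!-- mandatory empty line -->"
              echo ""
              echo '```'
              cat /tmp/diffs
              echo '```'
              echo "</details>"
              echo "<!-- mandatory empty line -->"
            ) > /tmp/comment-body
      # The previous bot comment is located by its author and a fixed phrase
      # that both comment-body variants above contain, then deleted so the PR
      # only ever carries the latest report.
      - name: Find diff comment
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
        continue-on-error: true
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: 'differences in the rendered Helm template'
      - name: Delete old comment
        uses: winterjung/comment@fda92dbcb5e7e79cccd55ecb107a8a3d7802a469 # v1.1.0
        continue-on-error: true
        if: steps.fc.outputs.comment-id != 0
        with:
          type: delete
          comment_id: ${{ steps.fc.outputs.comment-id }}
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Create comment
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body-path: /tmp/comment-body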