Merge branch 'main' into dependabot/pip/certifi-2024.8.30

.github/FUNDING.yml

@@ -0,0 +1,6 @@
+# These are supported funding model platforms
+
+github:
+- fredleger
+- neilime
+patreon: webofmars

.github/dependabot.yml

@@ -3,24 +3,31 @@ version: 2
 updates:
 
   - package-ecosystem: "github-actions"
-    directory: "/"
-    open-pull-requests-limit: 20
+    directories:
+      - "/"
+    open-pull-requests-limit: 3
+    labels:
+      - "github_actions"
     schedule:
       interval: "weekly"
       day: friday
       time: '04:00'
 
   - package-ecosystem: "docker"
     directory: "/"
-    open-pull-requests-limit: 20
+    open-pull-requests-limit: 3
+    labels:
+      - "docker"
     schedule:
       interval: "weekly"
       day: friday
       time: '04:10'
 
   - package-ecosystem: "pip"
     directory: "/"
-    open-pull-requests-limit: 20
+    open-pull-requests-limit: 3
+    labels:
+      - "pip"
     schedule:
       interval: "weekly"
       day: friday

.github/workflows/__shared-ci.yml

@@ -13,9 +13,21 @@ on:
 
 jobs:
 
+  init:
+    name: "prepare environment for jobs"
+    runs-on: self-hosted
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
   shellcheck:
     name: "Shell: Lint Shell Scripts"
     runs-on: self-hosted
+    needs:
+      - init
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -26,6 +38,8 @@ jobs:
   hadolint:
     name: "Docker: Lint Dockerfile"
     runs-on: self-hosted
+    needs:
+      - init
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -36,10 +50,10 @@ jobs:
   docker-build-images:
     name: "Docker: Build Images"
     needs:
+      - init
       - shellcheck
       - hadolint
-    # FIXME: use a released version of the action when it's ready
-    uses: hoverkraft-tech/ci-github-container/.github/workflows/docker-build-images.yml@feat/extra-buildx-cache-directives
+    uses: hoverkraft-tech/ci-github-container/.github/workflows/[email protected]
     permissions:
       actions: write
       contents: read
@@ -48,15 +62,15 @@ jobs:
       packages: write
       pull-requests: read
     secrets:
-      oci-registry-password: ${{ secrets.OCI_REGISTRY_PASSWORD }}
+      oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
     with:
       runs-on: '["self-hosted"]'
-      oci-registry: ${{ vars.OCI_REGISTRY }}
-      oci-registry-username: ${{ vars.OCI_REGISTRY_USERNAME }}
+      oci-registry: ghcr.io
+      oci-registry-username: ${{ github.actor }}
       images: |
         [{
           "name": "app",
-          "repository": "${{ vars.OCI_REGISTRY_IMAGE_REPOSITORY }}",
+          "repository": "${{ github.repository }}",
           "tag": "${{ inputs.tag }}",
           "dockerfile": "./Dockerfile",
           "platforms": [
@@ -66,9 +80,10 @@ jobs:
         }]
 
   chart-testing:
-    name: "Helm: Chart Testing"
+    name: "Tests: helm chart"
     runs-on: self-hosted
     needs:
+      - init
       - docker-build-images
     steps:
       - name: Checkout
@@ -94,13 +109,13 @@ jobs:
         run: ct lint --target-branch ${{ github.event.repository.default_branch }}
       - name: Create kind cluster
         if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/kind-action@v1.9.0
+        uses: helm/kind-action@v1.10.0
       - name: Run chart-testing (install)
         if: steps.list-changed.outputs.changed == 'true'
         run: |
           ct install \
             --target-branch ${{ github.event.repository.default_branch }} \
-            --helm-extra-args "--set image.tag=${{ needs.docker-build-images.outputs.built-images[0].tag }} --wait"
+            --helm-extra-args "--set image.tag=${{ fromJson(needs.docker-build-images.outputs.built-images).app.tags[0] }} --wait"
       - name: show pods
         if: steps.list-changed.outputs.changed == 'true'
         run: |
@@ -109,3 +124,55 @@ jobs:
           kubectl create job --from=cronjob/ovh-snapshoter -n default ovh-snapshoter-job
           sleep 10
           kubectl get pods -n default
+
+  app-testing:
+    name: "Tests: application"
+    runs-on: self-hosted
+    needs:
+      - init
+      - docker-build-images
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: |
+          echo "OS_PASSWORD length: ${#OS_PASSWORD}"
+          echo "OS_PROJECT_ID length: ${#OS_PROJECT_ID}"
+          echo "OS_REGION_NAME length: ${#OS_REGION_NAME}"
+          echo "OS_TENANT_ID length: ${#OS_TENANT_ID}"
+          echo "OS_TENANT_NAME length: ${#OS_TENANT_NAME}"
+          echo "OS_USERNAME length: ${#OS_USERNAME}"
+          echo "OS_VOLUMES length: ${#OS_VOLUMES}"
+          docker run --rm -i  \
+            -e DRY_RUN=true   \
+            -e CLEANUP=true   \
+            -e OS_PASSWORD    \
+            -e OS_PROJECT_ID  \
+            -e OS_REGION_NAME \
+            -e OS_TENANT_ID   \
+            -e OS_TENANT_NAME \
+            -e OS_USERNAME    \
+            -e OS_VOLUMES     \
+            ${IMAGE} > output
+        env:
+          OS_PASSWORD: ${{ secrets.OS_PASSWORD }}
+          OS_PROJECT_ID: ${{ secrets.OS_PROJECT_ID }}
+          OS_REGION_NAME: ${{ secrets.OS_REGION_NAME }}
+          OS_TENANT_ID: ${{ secrets.OS_TENANT_ID }}
+          OS_TENANT_NAME: ${{ secrets.OS_TENANT_NAME }}
+          OS_USERNAME: ${{ secrets.OS_USERNAME }}
+          OS_VOLUMES: ${{ secrets.OS_VOLUMES }}
+          IMAGE: ghcr.io/${{ github.repository }}/app:${{ fromJson(needs.docker-build-images.outputs.built-images).app.tags[0] }}
+      - name: show output
+        run: |
+          cat output
+      - name: check if snapshot was created
+        run: |
+          echo -n "check if snapshot was created: "
+          grep -q "would create snapshot $(date +%Y%m%d)" output && echo 'ok'
+      - name: check if old snapshot will be deleted
+        run: |
+          echo -n "check if old snapshot will be deleted: "
+          grep -q "would remove snapshot with id=" output && echo ok
+      - name: delete output file
+        run: rm output

.github/workflows/main-ci.yml

@@ -5,6 +5,10 @@ on:
     branches:
       - main
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 

.github/workflows/merge-group-ci.yml

@@ -0,0 +1,35 @@
+name: Pull request - Continuous Integration
+
+on:
+  merge_group:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  pull-request-labeler:
+    name: Pull request labeler
+    runs-on: self-hosted
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: release-drafter/release-drafter@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          disable-releaser: true
+
+  ci:
+    name: Continuous Integration
+    uses: ./.github/workflows/__shared-ci.yml
+    permissions:
+      actions: write
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
+    secrets: inherit

.github/workflows/pull-request-ci.yml

@@ -5,6 +5,10 @@ on:
     branches:
       - main
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
 
   pull-request-labeler:
@@ -19,15 +23,3 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           disable-releaser: true
-
-  ci:
-    name: Continuous Integration
-    uses: ./.github/workflows/__shared-ci.yml
-    permissions:
-      actions: write
-      contents: read
-      id-token: write
-      issues: read
-      packages: write
-      pull-requests: read
-    secrets: inherit

.github/workflows/release.yml

@@ -3,6 +3,10 @@ name: 🚀 Release
 on:
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
 
   check-branches:
@@ -51,7 +55,7 @@ jobs:
       pull-requests: read
     secrets: inherit
 
-  helm-push:
+  helm-publish:
     name: "Helm: push chart to OCI registry"
     needs: [update_release_draft, ci]
     runs-on: self-hosted
@@ -60,20 +64,39 @@ jobs:
       - uses: actions/checkout@v4
 
       # install tools with asdf
-      - name: 📦 Install tools with asdf
+      - name: install tools with asdf
         uses: asdf-vm/actions/install@v3
 
-      - name: 🔒 Login to OCI registry
+      - name: login to OCI registry
         run: |
           echo "+ login to OCI registry"
           helm registry login ${OCI_REGISTRY} -u "${OCI_REGISTRY_USERNAME}" -p "${OCI_REGISTRY_PASSWORD}"
         env:
-          OCI_REGISTRY: ${{ vars.OCI_REGISTRY }}
-          OCI_REGISTRY_USERNAME: ${{ vars.OCI_REGISTRY_USERNAME }}
-          OCI_REGISTRY_PASSWORD: ${{ secrets.OCI_REGISTRY_PASSWORD }}
+          OCI_REGISTRY: ghcr.io
+          OCI_REGISTRY_USERNAME: ${{ github.actor }}
+          OCI_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: update helm chart version
+        run: |
+          cd "${CHART_PATH}"
+          echo "+ update helm chart version"
+          sed -i "s/version: .*/version: ${VERSION}/g" Chart.yaml
+          sed -i "s/appVersion: .*/appVersion: ${VERSION}/g" Chart.yaml
+        env:
+          CHART_PATH: ${{github.workspace}}/helm/chart
+          VERSION: ${{ needs.update_release_draft.outputs.latestRelease }}
+
+      - name: commit helm chart version changes
+        uses: stefanzweifel/git-auto-commit-action@v5
+
+      - name: update helm chart docs
+        uses: shaybentk/[email protected]
+        with:
+          working-dir: helm/chart
+          git-push: "true"
 
       # Push the chart
-      - name: ⚓ Push Helm Chart to OCI registry
+      - name: push helm chart to OCI registry
         uses: hoverkraft-tech/[email protected]
         with:
           useOCIRegistry: true
@@ -88,7 +111,7 @@ jobs:
           version: ${{ needs.update_release_draft.outputs.latestRelease }}
           appVersion: ${{ needs.update_release_draft.outputs.latestRelease }}
         env:
-          OCI_REGISTRY: ${{ vars.OCI_REGISTRY }}
-          OCI_REGISTRY_USERNAME: ${{ vars.OCI_REGISTRY_USERNAME }}
-          OCI_REGISTRY_PASSWORD: ${{ secrets.OCI_REGISTRY_PASSWORD }}
-          OCI_REGISTRY_CHART_REPOSITORY: ${{ vars.OCI_REGISTRY_CHART_REPOSITORY }}
+          OCI_REGISTRY: ghcr.io
+          OCI_REGISTRY_USERNAME: ${{ github.actor }}
+          OCI_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          OCI_REGISTRY_CHART_REPOSITORY: 'charts'

.github/workflows/stale.yml

@@ -4,6 +4,10 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   stale:
     runs-on: self-hosted

.pre-commit-config.yaml

@@ -0,0 +1,34 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: check-added-large-files
+      - id: check-case-conflict
+      # - id: check-json
+      - id: check-executables-have-shebangs
+      - id: check-symlinks
+      - id: check-yaml
+        exclude: ^helm/
+      - id: detect-aws-credentials
+      - id: mixed-line-ending
+      - id: trailing-whitespace
+
+  - repo: https://github.com/gruntwork-io/pre-commit
+    rev: v0.1.24
+    hooks:
+      - id: helmlint
+
+  - repo: https://github.com/jtyr/kubeconform-helm
+    rev: v0.1.17
+    hooks:
+      - id: kubeconform-helm
+
+  - repo: https://github.com/norwoodj/helm-docs
+    rev:  v1.14.2
+    hooks:
+      - id: helm-docs
+        args:
+          # Make the tool search for charts only under the `charts` directory
+          - --chart-search-root=helm/chart

.tool-versions

@@ -1,2 +1,5 @@
-helm 3.12.1
-kubectl 1.28.5
+helm 3.14.3
+kubectl 1.30.5
+helm-ct 3.10.1
+kubeconform 0.6.4
+helm-docs 1.14.2