
ci(helm): auto publish Helm chart after PR merged

Open afdesk opened this issue 1 year ago • 8 comments

Description

Trivy publishes a new Helm Chart only for major versions (e.g. 0.55.0).

This PR suggests the following workflow:

  • if there are any changes in the helm folder ('helm/trivy/**'), the tests will be run.

  • if a new tag is pushed, a new PR will be created that updates the Helm Chart to the new version.

  • The Helm Chart will be published after the PR with the new version is merged. The action runs helm test again before publishing, to check that everything is still OK (e.g. the Trivy image wasn't removed).

Tests with mage command

I've tested this update in my fork:

  • create a new tag: https://github.com/afdesk/trivy/actions/runs/11385428591/job/31675255326
  • a new PR: https://github.com/afdesk/trivy/pull/84
  • test a new PR: https://github.com/afdesk/trivy/actions/runs/11385449842/job/31675325933
  • merged PR: https://github.com/afdesk/trivy/actions/runs/11385515807

Refs:

  • https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#running-your-pull_request-workflow-when-a-pull-request-merges

Checklist

  • [ ] I've read the guidelines for contributing to this repository.
  • [ ] I've followed the conventions in the PR title.
  • [ ] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

afdesk avatar Sep 17 '24 10:09 afdesk
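The three-stage flow described in the PR (test on chart changes, open a bump PR on a new tag, publish only after that PR is merged), written out as a single GitHub Actions workflow. This is an added illustration, not the workflow from this PR or from the Trivy repository; the secret name `ORG_REPO_TOKEN`, the branch naming, the bot e-mail and the lint/template check standing in for `helm test` (which needs a running cluster) are all assumptions.

```yaml
name: helm-chart
on:
  pull_request:
    paths: ['helm/trivy/**']                      # only PRs that touch the chart
    types: [opened, synchronize, reopened, closed]
  push:
    tags: ['v*']                                  # a new release tag
permissions:
  contents: read                                  # least privilege by default; jobs raise it only where needed
jobs:
  test:          # 1) any PR touching the chart: lint + render (stand-in for the page's helm test)
    if: github.event_name == 'pull_request' && github.event.action != 'closed'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - run: helm lint helm/trivy && helm template helm/trivy > /dev/null
  bump:          # 2) new tag: open a PR that updates the chart's appVersion
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # assumed secret holding a PAT or GitHub App token; a PR opened with the
          # default GITHUB_TOKEN does not trigger the pull_request event, so the
          # test job above would never run for it (this is also why the PR author
          # is whoever owns the token).
          token: ${{ secrets.ORG_REPO_TOKEN }}
      - env:
          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
        run: |
          ver="${GITHUB_REF_NAME#v}"
          sed -i "s/^appVersion: .*/appVersion: \"${ver}\"/" helm/trivy/Chart.yaml
          git config user.name aqua-bot                               # assumed bot identity
          git config user.email aqua-bot@users.noreply.github.com
          git checkout -b "ci/helm-chart-${ver}"
          git commit -am "chore(helm): bump Trivy to ${ver}"
          git push -u origin "ci/helm-chart-${ver}"
          gh pr create --base main --head "ci/helm-chart-${ver}" \
            --title "chore(helm): bump Trivy to ${ver}" --body "Automated chart update for Trivy ${ver}."
  publish:       # 3) runs only when a chart PR is merged, never for PRs closed without merging
    if: github.event_name == 'pull_request' && github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    permissions:
      contents: write                             # needed by whatever publishes the chart (chart-releaser, gh-pages, ...)
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - run: helm lint helm/trivy && helm template helm/trivy > /dev/null   # re-check before publishing
      - run: helm package helm/trivy --destination .cr-release-packages
      # the actual publish step (chart-releaser or an OCI push) goes here
```

Note that `pull_request` with `types: [closed]` fires for every closed PR, merged or not, so the `merged == true` guard is what keeps an unmerged chart PR from publishing anything.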

Trivy publishes a new Helm Chart only for major versions (e.g. 0.55.0).

I didn't find conditions for that.

This condition works only for major versions, because the backport branch usually doesn't contain a Helm Chart update.

https://github.com/aquasecurity/trivy/blob/aeb7039d7ce090e243d29f0bf16c9e4e24252a01/.github/workflows/publish-chart.yaml#L51-L52

afdesk avatar Sep 18 '24 08:09 afdesk

This condition works only for major versions, because the backport branch usually doesn't contain a Helm Chart update.

Oh... You said current behavior. I thought it was new logic. Then I have no questions about it.

DmitriyLewen avatar Sep 19 '24 08:09 DmitriyLewen

a new PR: https://github.com/afdesk/trivy/pull/72

IIUC the author of the PR should be aqua-bot (as for backports, e.g. https://github.com/aquasecurity/trivy/pull/7521)

DmitriyLewen avatar Sep 19 '24 08:09 DmitriyLewen

a new PR: afdesk#72

IIUC the author of the PR should be aqua-bot (as for backports, e.g. #7521)

It seems it depends on the token owner, because I tried to keep the same workflow: https://github.com/aquasecurity/trivy/blob/5dd94ebc1ffe3f1df511dee6381f92a5daefadf2/.github/workflows/backport.yaml#L48-L58

afdesk avatar Sep 19 '24 09:09 afdesk

I had concerns about the label (lifecycle/active) and about versions (the chart version is equal to the Trivy version now).

@itaysk @knqyf263 wdyt? thanks

afdesk avatar Sep 19 '24 10:09 afdesk

It seems it depends on the token owner

You said this and I realized that most likely you are right and I have already encountered this 👍

DmitriyLewen avatar Sep 19 '24 10:09 DmitriyLewen

label (lifecycle/active)

Do we need a label?

about versions (that chart version is equal trivy version now).

They should be different; otherwise, we can't update the chart version when we fix the Helm chart itself.

knqyf263 avatar Sep 23 '24 06:09 knqyf263

@knqyf263 @DmitriyLewen I've updated the version change. Could you take a look at this PR again when you have time? Thanks a lot!

afdesk avatar Oct 17 '24 13:10 afdesk

@DmitriyLewen Could you take another look at this PR? Thanks!

afdesk avatar Oct 24 '24 06:10 afdesk