charts/.github/workflows/ci-pipeline.yml

# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

name: '[CI/CD] CI Pipeline'
on: # rebuild any PRs and main branch changes
  pull_request_target:
    types:
      - opened
      - reopened
      - synchronize
      - labeled
    branches:
      - main
      - bitnami:main
# Remove all permissions by default
permissions: {}
# Avoid concurrency over the same PR
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
jobs:
  get-chart:
    runs-on: ubuntu-latest
    name: Get modified charts
    permissions:
      pull-requests: read
    outputs:
      chart: ${{ steps.get-chart.outputs.chart }}
      result: ${{ steps.get-chart.outputs.result }}
      values-updated: ${{ steps.get-chart.outputs.values-updated }}
    steps:
      - id: get-chart
        name: Get modified charts
        env:
          PULL_REQUEST_NUMBER: "${{ github.event.pull_request.number }}"
          PULL_REQUEST_URL: "${{ github.event.pull_request.url }}"
          GITHUB_TOKEN: "${{ github.token }}"
        run: |
          # Using the Github API to detect the files changed as git merge-base stops working when the branch is behind
          files_changed_data="$(gh api --paginate "/repos/${GITHUB_REPOSITORY}/pulls/${PULL_REQUEST_NUMBER}/files")"
          files_changed="$(echo "$files_changed_data" | jq -r '.[] | .filename')"
          # Adding || true to avoid "Process exited with code 1" errors
          charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "bitnami/[^/]*" | sort | uniq || true)"
          # Using grep -c as a better alternative to wc -l when dealing with empty strings."
          num_charts_changed="$(echo "$charts_dirs_changed" | grep -c "bitnami" || true)"
          num_version_bumps="$(echo "$files_changed_data" | jq -r '[.[] | select(.filename|match("bitnami/[^/]+/Chart.yaml")) | select(.patch|contains("+version")) ] | length' )"
          non_readme_files=$(echo "$files_changed" | grep -vc "\.md" || true)

          if [[ $(curl -Lks "${PULL_REQUEST_URL}" | jq '.state | index("closed")') != *null* ]]; then
            # The PR for which this workflow run was launched is now closed -> SKIP
            echo "error=The PR for which this workflow run was launched is now closed. The tests will be skipped." >> "$GITHUB_OUTPUT"
            echo "result=skip" >> "$GITHUB_OUTPUT"
          elif [[ "$non_readme_files" -le "0" ]]; then
            # The only changes are .md files -> SKIP
            echo "result=skip" >> "$GITHUB_OUTPUT"
          elif [[ "$num_charts_changed" -ne "$num_version_bumps" ]]; then
            # Changes done in charts but version not bumped -> ERROR
            echo "error=Detected changes in charts without version bump in Chart.yaml. Charts changed: ${num_charts_changed}. Version bumps detected: ${num_version_bumps}" >> "$GITHUB_OUTPUT"
            echo "result=fail" >> "$GITHUB_OUTPUT"
          elif [[ "$num_charts_changed" -eq "1" ]]; then
            # Changes done in only one chart -> OK
            echo "result=ok" >> "$GITHUB_OUTPUT"
            # Extra output: chart name
            chart_name="${charts_dirs_changed//bitnami\/}"
            echo "chart=${chart_name}" >> "$GITHUB_OUTPUT"
            # Extra output: values-updated
            # shellcheck disable=SC2076
            if [[ "${files_changed[*]}" =~ "bitnami/${chart_name}/values.yaml" ]]; then
              echo "values-updated=true" >> "$GITHUB_OUTPUT"
            fi
          elif [[ "$num_charts_changed" -le "0" ]]; then
            # Changes done in the bitnami/ folder but not inside a chart subfolder -> SKIP
            echo "error=No changes detected in charts. The rest of the tests will be skipped." >> "$GITHUB_OUTPUT"
            echo "result=skip" >> "$GITHUB_OUTPUT"
          else
            # Changes done in more than chart -> SKIP
            echo "error=Changes detected in more than one chart directory. It is strongly advised to change only one chart in a PR. The rest of the tests will be skipped." >> "$GITHUB_OUTPUT"
            echo "result=skip" >> "$GITHUB_OUTPUT"
          fi
      # Using actions/github-scripts because using exit 1 in the script above would not provide any output
      # Source: https://github.community/t/no-output-on-process-completed-with-exit-code-1/123821/3
      - id: show-error
        name: Show error
        if: ${{ steps.get-chart.outputs.result != 'ok' }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        with:
          script: |
            let message='${{ steps.get-chart.outputs.error }}';
            if ('${{ steps.get-chart.outputs.result }}' === 'fail' ) {
              core.setFailed(message);
            } else {
              core.warning(message);
            }
  chart-tests:
    runs-on: ubuntu-latest
    needs: [get-chart]
    name: Look for hardcoded images
    if: needs.get-chart.outputs.result == 'ok'
    steps:
      - name: Checkout bitnami/charts
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
          path: charts
      - id: check-hardcoded-images
        name: Look for hardcoded images
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          cd "${GITHUB_WORKSPACE}/charts" || exit 1

          hardcoded_images=()
          while read -r image; do
            if [[ -n "$image" && $image != {{*}} ]]; then
              hardcoded_images+=("${image}")
            fi
          done <<< "$(grep --exclude "NOTES.txt" -REoh "\s*image:\s+[\"']*.+[\"']*\s*$" "bitnami/${CHART}/templates" | sed "s/image: [\"']*//" | sed "s/[\"']*$//")"
          echo "${hardcoded_images[@]}"
          if [[ ${#hardcoded_images[@]} -gt 0 ]] ; then
            echo "error=Found hardcoded images in the chart templates: ${hardcoded_images[*]}"
            exit 1
          fi
      - id: check-image-warning-list
        name: Check image warning list
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          cd "${GITHUB_WORKSPACE}/charts" || exit 1

          if [[ "$CHART" != "common" && "$CHART" != "fluentd" ]]; then
            readarray -t tag_paths < <(yq e '.. | (path | join("."))' "bitnami/${CHART}/values.yaml" | grep -E '\.tag$' | sed 's/.tag$//g' | sort -u)
            readarray -t registry_paths < <(yq e '.. | (path | join("."))' "bitnami/${CHART}/values.yaml" | grep '\.registry$' | sed 's/.registry$//g' | sort -u)

            # We assume that image objects are those that contain both keys 'tag' and 'registry'
            images_paths=()
            for path in "${tag_paths[@]}"; do
              if echo "${registry_paths[@]}" | grep -w -q "$path"; then
               [[ -n "$path" ]] && images_paths+=("$path")
              fi
            done

            # Get the images defined in the image warning helper
            readarray -d ' ' -t images_list_tmp < <(grep -E 'common.warnings.modifiedImages' "bitnami/${CHART}/templates/NOTES.txt" | sed -E 's/.*\(list (.+)\) "context".*/\1/' | sed 's/.Values.//g')

            # Remove any empty element from the array
            images_list=()
            for i in "${images_list_tmp[@]}"; do
              if echo "$i" | grep -q -E "\S+"; then
                images_list+=("$i")
              fi
            done

            # Compare the image objects and the image warning list
            if [[ ${#images_list[@]} -eq ${#images_paths[@]} ]]; then
              for path in "${images_list[@]}"; do
                if ! echo "${images_paths[*]}" | grep -w -q "$path"; then
                  echo "Found inconsistencies in the images warning list: '${images_list[*]}' should be equal to '${images_paths[*]}'"
                  exit 1
                fi
              done
            else
              echo "Found inconsistencies in the images warning list: '${images_list[*]}' should be equal to '${images_paths[*]}'"
              exit 1
            fi
          fi
  update-pr:
    runs-on: ubuntu-latest
    needs: [get-chart]
    name: Automatically update README, CRDs and CHANGELOG
    permissions:
      contents: write
    outputs:
      result: ${{ steps.update-pr.outputs.result }}
    if: needs.get-chart.outputs.result == 'ok'
    steps:
      - name: Checkout bitnami/charts
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
          token: ${{ secrets.BITNAMI_BOT_TOKEN }}
          path: charts
      - name: Clone upstream bitnami/charts repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          path: upstream-charts
      - name: Setup git configuration
        run: |
          cd $GITHUB_WORKSPACE/charts
          git config user.name "Bitnami Bot"
          git config user.email "bitnami.bot@broadcom.com"
      # In order to avoid doing a full clone (which would fetch the index branch), we
      # unshallow the clone only using the main branch. We need to get the tags to
      # regenerate the changelog too
      - name: Unshallow main branch and get tags
        run: |
          cd $GITHUB_WORKSPACE/upstream-charts
          git fetch origin main --unshallow
          git fetch --tags
      - name: Install conventional-changelog-cli
        run: npm install -g conventional-changelog-cli
      - id: generate-changelog
        name: Generate changelog
        env:
          PULL_REQUEST_NUMBER: "${{ github.event.pull_request.number }}"
          PULL_REQUEST_URL: "${{ github.server_url }}/${{ github.repository }}/pull/${{ github.event.number }}"
          GITHUB_TOKEN: "${{ github.token }}"
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          cd "${GITHUB_WORKSPACE}/upstream-charts" || exit 1

          # Get PR title using the API to avoid malicious string substitutions
          pr_title="$(gh api "/repos/${GITHUB_REPOSITORY}/pulls/${PULL_REQUEST_NUMBER}" | jq -r '.title')"
          # The generator needs the file to exist
          chart_version="$(yq e '.version' "${GITHUB_WORKSPACE}/charts/bitnami/${CHART}/Chart.yaml")"
          changelog_file="${GITHUB_WORKSPACE}/charts/bitnami/${CHART}/CHANGELOG.md"
          changelog_tmp="${GITHUB_WORKSPACE}/charts/bitnami/${CHART}/CHANGELOG.md.tmp"
          touch "$changelog_file"
          npx conventional-changelog-cli -i "$changelog_file" -s -t "${CHART}/" -r 0 --commit-path "bitnami/${CHART}"
          # The tool uses short sha to generate commit links. Sometimes, Github does not offer links with the short sha, so we change all commit links to use the full sha instead
          for short_sha in $(grep -Eo "/commit/[a-z0-9]+" "$changelog_file" | awk -F/ '{print $3}'); do
            long_sha="$(git rev-list @ | grep "^$short_sha" | head -n 1)";
            sed -i "s%/commit/$short_sha%/commit/$long_sha%g" "$changelog_file";
          done

          cd "${GITHUB_WORKSPACE}/charts" || exit 1
          # Remove unreleased section (includes all intermediate commits in the branch) and create future entry based on PR title
          # The unreleased section looks like this "## (YYYY-MM-DD)" whereas a released section looks like this "## 0.0.1 (YYYY-MM-DD)"
          # So we only need to find a released section to start printing in the awk script below
          awk '/^##[^(]*[0-9]/ {flag=1} flag {print}' "$changelog_file" > "$changelog_tmp"
          # Remove extra newlines so the changelog file passes the markdown linter
          sed -i -E -e '/^$/d' "$changelog_tmp" && sed -i -E -e 's/(##.*)/\n\1\n/g' "$changelog_tmp"
          # Include h1 heading and add entry for the current version. There is no tag for the current version (this will be created once merged), so we need to manually add it.
          # We know the final squashed commit title, which will be the PR title. We cannot add a link to the commit in the main branch because it has not been
          # merged yet (this will be corrected once a new version regenerates the changelog). Instead, we add the PR url which contains the exact same information.
          echo -e -n "# Changelog\n\n## $chart_version ($(date +'%Y-%m-%d'))\n\n* ${pr_title} ([#${PULL_REQUEST_NUMBER}](${PULL_REQUEST_URL}))\n" > "$changelog_file"
          cat "$changelog_tmp" >> "$changelog_file"
          rm "$changelog_tmp"

          # Commit all changes, if any
          if git status -s | grep "bitnami/${CHART}/CHANGELOG.md"; then
            git add "bitnami/${CHART}/CHANGELOG.md"
            git commit -m "Update CHANGELOG.md" --signoff
          fi
      - name: Install readme-generator-for-helm
        if: needs.get-chart.outputs.values-updated == 'true'
        run: npm install -g @bitnami/readme-generator-for-helm
      - id: update-readme
        name: 'Update README'
        if: needs.get-chart.outputs.values-updated == 'true'
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          exit_code=0
          cd "${GITHUB_WORKSPACE}/charts" || exit 1

          echo "Validating README.md for bitnami/${CHART}"

          # Validating *.registry parameters
          while read -r line; do
            echo "$line" | grep --quiet "\[default: \(REGISTRY_NAME\|\"\"\)\]" || exit_code=$?
          done < <(grep "@param\s\+[A-Za-z\.]\+\.registry\s\+" "bitnami/${CHART}/values.yaml")
          if [[ $exit_code -ne 0 ]]; then
            echo "error=Please ensure all *.registry params include the [default: REGISTRY_NAME] modifier in the chart bitnami/${CHART}/values.yaml file"
            exit "$exit_code"
          fi

          # Validating *.repository parameters
          while read -r line; do
            param=$(echo "$line" | awk '{print $3}')
            # Checking if it's a image's registry-related param
            registry_param="${param//.repository/.registry}"
            grep --quiet "@param\s\+${registry_param}" "bitnami/${CHART}/values.yaml" && ( echo "$line" | grep --quiet "\[default: \(REPOSITORY_NAME/.*\|\"\"\)\]" || exit_code=$? )
          done < <(grep "@param\s\+[A-Za-z\.]\+\.repository\s\+" "bitnami/${CHART}/values.yaml")
          if [[ $exit_code -ne 0 ]]; then
            echo "error=Please ensure all *.repository params include the [default: REPOSITORY_NAME] modifier the in the chart bitnami/${CHART}/values.yaml file"
            exit "$exit_code"
          fi

          # Validating *.tag parameters
          grep -v --quiet "@param\s\+[A-Za-z\.]\+\.tag\s\+" "bitnami/${CHART}/values.yaml" || exit_code=$?
          if [[ $exit_code -ne 0 ]]; then
            echo "error=Please ensure all *.tag params are skipped (@skip) in the bitnami/${CHART}/values.yaml file"
            exit "$exit_code"
          fi
          echo "Updating README.md for bitnami/${CHART}"
          readme-generator --values "bitnami/${CHART}/values.yaml" --readme "bitnami/${CHART}/README.md" --schema "/tmp/schema.json"

          # Commit all changes, if any
          if git status -s | grep "bitnami/${CHART}"; then
            git add "bitnami/${CHART}"
            git commit -m "Update README.md with readme-generator-for-helm" --signoff
          fi
      - id: update-crds
        name: 'Update CRDs'
        # To avoid malicious executions, only PRs performed by the bitnami-bot will perform the CRDs update
        if: github.event.pull_request.user.login == 'bitnami-bot'
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          cd "${GITHUB_WORKSPACE}/charts" || exit 1

          # Updating CRDs stored at 'bitnami/$CHART/crds', 'bitnami/$CHART/templates/crds', and "bitnami/${CHART}/charts/${CHART}-crds/crds"
          mapfile -t crd_files < <(find "bitnami/${CHART}/crds" "bitnami/${CHART}/templates/crds" "bitnami/${CHART}/charts/${CHART}-crds/crds" -name "*.yaml" -o -name "*.yml" 2>/dev/null || true)
          for file in "${crd_files[@]}"; do
            # Automatically update CRDs that use the '# Source' header
            source_url_tpl="$(head -n 1 "$file" | grep -E "^# ?Source: ?" | sed -E 's|^# ?Source: ?||' || true)"
            if [[ -n "$source_url_tpl" ]]; then
              # Validate the second line of the CRD file includes the version of the CRD
              crd_version="$(head -n 2 $file | tail -n 1 | grep -E "^# ?Version: ?" | sed -E 's|^# ?Version: ?||' || true)"
              if [[ -z "$crd_version" ]]; then
                echo "error=CRD file '${file}' does not include the '#Version: <version> header'"
                exit 1
              fi
              # Additional headers may be used for extra features
              # Conditional - Adds a conditional {{if}}/{{end}} to the downloaded upstream CRD
              # VersionOf - Name of a subcomponent, its version will be used for CRD tracking instead of the main component version
              # UseKustomize - If set to true, uses Kustomize to render the CRDs
              # RequiresFilter - If set to true, uses yq to filter resources having 'kind: CustomResourceDefinition', useful when using 'install.yaml' file as upstream source
              continue=true
              line_n=2
              extra_headers=""
              CONDITIONAL=""
              SUBCOMPONENT=""
              USE_KUSTOMIZE=""
              REQUIRES_FILTER=""
              while [ "$continue" = true ]; do
                line_n=$((line_n+1))
                line="$(head -n $line_n $file | tail -n 1)"
                if [[ $line =~ ^#\ ?[a-zA-Z]+:\ ? ]]; then
                  if [[ $line =~ ^#\ ?Conditional:\ ? ]]; then
                    CONDITIONAL="$(echo $line | sed -E 's|^# ?Conditional: ?||')"
                    CONDITIONAL="{{- if ${CONDITIONAL} }}\n"
                  elif [[ $line =~ ^#\ ?VersionOf:\ ? ]]; then
                    SUBCOMPONENT="$(echo $line | sed -E 's|^# ?VersionOf: ?||')"
                  elif [[ $line =~ ^#\ ?UseKustomize:\ ? ]]; then
                    USE_KUSTOMIZE="$(echo $line | sed -E 's|^# ?UseKustomize: ?||' || true)"
                  elif [[ $line =~ ^#\ ?RequiresFilter:\ ? ]]; then
                    REQUIRES_FILTER="$(echo $line | sed -E 's|^# ?RequiresFilter: ?||' || true)"
                  else
                    echo "error=Header ${line} not recognized'"
                    exit 1
                  fi
                  extra_headers="${extra_headers}${line}\n"
                else
                  continue=false
                fi
              done
              # Obtain the version of the subcomponent if provided, otherwise use the main component version
              if [[ -n "$SUBCOMPONENT" ]]; then
                APP_VERSION="$(cat bitnami/${CHART}/Chart.yaml | grep -E "image: \S+${SUBCOMPONENT}:" | sed -E "s|.*${SUBCOMPONENT}:([0-9\.]+)-.*|\1|")"
              else
                APP_VERSION="$(yq e '.appVersion' bitnami/${CHART}/Chart.yaml)"
              fi
              # Replace version placeholder, if present
              source_url=$(echo "$source_url_tpl" | sed "s/{version}/${APP_VERSION}/")
              # If the application version is newer, automatically update the CRD file
              if [[ "$APP_VERSION" != "$crd_version" ]]; then
                if [[ "$USE_KUSTOMIZE" = "true" ]]; then
                  kubectl kustomize "$source_url" > $file
                else
                  curl -Lks --fail -o $file "$source_url"
                fi
                if [[ "$REQUIRES_FILTER" = "true" ]]; then
                  yq -i e '. | select(.kind == "CustomResourceDefinition") | ... head_comment=""' $file
                fi
                sed -i "1s|^|# Source: ${source_url_tpl}\n# Version: ${APP_VERSION}\n${extra_headers}${CONDITIONAL}|" $file
                if [[ -n "$CONDITIONAL" ]]; then
                  echo -E "{{- end }}" >> $file
                fi
                echo "info=CRD file '${file}' automatically updated using source '$source_url'"
              fi
            else
              echo "info=CRD file '$file' does not contain the '#Source' header. Skipping..."
            fi
          done

          # Commit all changes, if any
          if git status -s | grep "bitnami/${CHART}"; then
            git add "bitnami/${CHART}"
            git commit -m "Update CRDs automatically" --signoff
          fi
      - id: update-prometheus-rules
        name: Update Prometheus rules on kube-prometheus based on upstream
        # To avoid malicious executions, only PRs performed by the bitnami-bot will perform the CRDs update
        if: github.event.pull_request.user.login == 'bitnami-bot' && needs.get-chart.outputs.chart == 'kube-prometheus'
        run: |
          cd "${GITHUB_WORKSPACE}/charts" || exit 1

          # This function returns the chart parameter name based on the rule name
          rule_parameter_from_rule_name() {
            local -r rule_name="${1:-missing rule_name}"

            kebab_to_camel() {
              IFS='-' read -r -a parts <<< "$1"
              for i in "${!parts[@]}"; do
                if [[ $i -eq 0 ]]; then
                  camelCase="${parts[i]}"
                else
                  camelCase+=$(tr '[:lower:]' '[:upper:]' <<< ${parts[i]:0:1})${parts[i]:1}
                fi
              done
              echo "$camelCase"
            }

            case "$rule_name" in
              "config-reloaders" | "etcd" | "kube-state-metrics" | "kubernetes-apps" | "kubernetes-resources" | "kubernetes-storage" | "kube-apiserver-slos" | "prometheus" | "prometheus-operator") kebab_to_camel "$rule_name" ;;
              "alertmanager.rules" | "general.rules" | "kubelet.rules" | "node.rules" | "kube-apiserver-availability.rules" | "kube-apiserver-burnrate.rules" | "kube-apiserver-histogram.rules" | "kube-prometheus-general.rules" | "kube-prometheus-node-recording.rules") kebab_to_camel "${rule_name%.rules}" ;;
              "k8s.rules.container-cpu-usage-seconds-total" | "k8s.rules.container-memory-cache" | "k8s.rules.container-memory-rss" | "k8s.rules.container-memory-swap" | "k8s.rules.container-memory-working-set-bytes" | "k8s.rules.container-resource" | "k8s.rules.pod-owner") kebab_to_camel "${rule_name//.rules./-}" ;;
              "kubernetes-system-apiserver" | "kubernetes-system-kubelet" | "kubernetes-system") echo "kubernetesSystem" ;;
              "kube-scheduler.rules") echo "kubeSchedulerAlerting" ;;
              "kubernetes-system-controller-manager") echo "kubeControllerManager" ;;
              "kubernetes-system-kube-proxy") echo "kubeProxy" ;;
              "kubernetes-system-scheduler") echo "kubeSchedulerRecording" ;;
              "node-exporter") echo "nodeExporterAlerting" ;;
              "node-exporter.rules") echo "nodeExporterRecording" ;;
              "node-network") echo "network" ;;
              *) echo "" ;;
            esac
          }

          mkdir -p "bitnami/kube-prometheus/templates/prometheus/rules"
          cd "bitnami/kube-prometheus/templates/prometheus/rules"
          helm repo add prometheus-community https://prometheus-community.github.io/helm-charts 2>&1 >/dev/null 2>&1
          helm repo update >/dev/null 2>&1
          helm template prometheus-community/kube-prometheus-stack \
            --set fullnameOverride=foo \
            --set defaultRules.create=true \
            --show-only templates/prometheus/rules-1.14/* \
            | awk 'NF' | yq --no-doc -s '.metadata.name | sub("^foo-"; "") + ".yaml"'
          for m in *.yaml; do
            rule_name="${m%.yaml}"
            rule_parameter="$(rule_parameter_from_rule_name "$rule_name")"
            # We're just interested in the .spec given we build apiVersion, kind and metadata
            # based in Bitnami standards
            spec="$(yq '{"spec": .spec}' "$m")"
            # We need to escape curly braces to avoid issues with Go templates
            spec=$(echo "$spec" | sed -E 's/\{\{/__OPEN__/g' | sed -E 's/\}\}/__CLOSE__/g' | sed -E 's/__OPEN__/{{\`{{\`}}/g' | sed -E 's/__CLOSE__/{{\`}}\`}}/g')
            cat > "$m" << EOF
          {{- /*
          Copyright Broadcom, Inc. All Rights Reserved.
          SPDX-License-Identifier: APACHE-2.0
          */}}

          {{- if and .Values.prometheus.enabled .Values.prometheus.defaultRules.create .Values.prometheus.defaultRules.rules.$rule_parameter }}
          apiVersion: monitoring.coreos.com/v1
          kind: PrometheusRule
          metadata:
            name: {{ printf "%s-$rule_name" (include "kube-prometheus.prometheus.fullname" .) }}
            namespace: {{ include "common.names.namespace" . | quote }}
            labels: {{ include "kube-prometheus.prometheus.labels" . | nindent 4 }}
            {{- if .Values.commonAnnotations }}
            annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" . ) | nindent 4 }}
            {{- end }}
          $spec
          {{- end }}
          EOF
          done

          cd "${GITHUB_WORKSPACE}/charts"
          if git status -s | grep "bitnami/kube-prometheus/templates/prometheus/rules"; then
            git add "bitnami/kube-prometheus/templates/prometheus/rules"
            git commit -m "Update Prometheus rules" --signoff
          fi
      - id: update-pr
        name: Push changes
        run: |
          cd $GITHUB_WORKSPACE/charts
          # Push all the new commits, if any
          if [[ $(git cherry -v) ]]; then
            git push
            echo "result=ok" >> $GITHUB_OUTPUT
          else
            echo "result=skip" >> $GITHUB_OUTPUT
          fi
  chart-score:
    runs-on: ubuntu-latest
    needs: [get-chart]
    name: Get chart latest Kubescape score
    permissions:
      contents: read
    outputs:
      threshold: ${{ steps.set-output.outputs.threshold }}
    if: needs.get-chart.outputs.result == 'ok'
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        name: Checkout 'main' branch
        with:
          path: charts-main
          repository: bitnami/charts
          fetch-depth: 1
      - name: Install helm
        run: |
          HELM_TARBALL="helm-v3.8.1-linux-amd64.tar.gz"
          curl -SsLfO "https://get.helm.sh/${HELM_TARBALL}" && sudo tar xf "$HELM_TARBALL" --strip-components 1 -C /usr/local/bin
      - name: Run helm-dep-build
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          if [ -d "charts-main/bitnami/${CHART}" ]; then
            helm dep build charts-main/bitnami/${CHART}
            if [ -d "charts-main/bitnami/${CHART}/charts" ]; then
              cd charts-main/bitnami/${CHART}/charts
              for filename in *.tgz; do
                tar -xf "$filename"
                rm -f "$filename"
              done
            fi
          fi
      - id: get-chart-score
        uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185
        name: Get main branch kubescape score
        # Skip step when user is bitnami-bot or 'skip-score' label is used
        if: |
          !(
            github.event.pull_request.user.login == 'bitnami-bot' ||
            contains(github.event.pull_request.labels.*.name, 'skip-score') ||
            (github.event.action == 'labeled' && github.event.label.name == 'skip-score')
          )
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        with:
          image: bitnami/kubescape:3.0.37
          options: -v  /home/runner/work/charts/charts/charts-main:/charts -v /tmp:/out -e CHART
          run: |
            if [ -d "/charts/bitnami/${CHART}" ]; then
              kubescape scan framework MITRE,NSA,SOC2,cis-v1.10.0 /charts/bitnami/${CHART} --format json -o /out/report.json
              # Truncate score to 2 decimals
              printf "%s.%.2s" $(echo "$(jq .summaryDetails.complianceScore /out/report.json)" | tr '.' ' ') | sed 's/\.$//' > /out/score
            else
              echo "Chart not found at /charts/bitnami/${CHART}. It will be assumed that the upstream chart does not exist."
            fi
      - id: set-output
        name: Set threshold score
        run: |
          if [[ -f "/tmp/score" ]]; then
            score="$(cat /tmp/score)"
          else
            echo "Skipping Kubescape score check."
            score="0"
          fi
          echo "Using threshold score: ${score}"
          echo "threshold=${score}" >> $GITHUB_OUTPUT
  vib-verify:
    runs-on: ubuntu-latest
    needs: [get-chart, update-pr, chart-score]
    permissions:
      contents: read
    # Given performance issues of the action feature on GH's side, we need to be very restrictive in the job's triggers:
    # -> The 'Get modified charts' job suceededs AND
    # -> The 'Update PR' job did not push any new changes AND
    #  ( ---> The pipeline was triggered due to a label addition and said label was the 'verify' one OR
    #    ---> the PR already contains the 'verify' label )
    if: |
      needs.get-chart.outputs.result == 'ok' &&
      needs.update-pr.outputs.result == 'skip' &&
      (
        contains(github.event.pull_request.labels.*.name, 'verify') || (github.event.action == 'labeled' && github.event.label.name == 'verify')
      )
    name: VIB Verify
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        name: Checkout Repository
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - id: log-chart-info
        name: Get chart version and app version
        env:
          CHART: ${{ needs.get-chart.outputs.chart }}
        run: |
          # Log chart info
          chart_version="$(yq e '.version' bitnami/${CHART}/Chart.yaml)"
          app_version="$(yq e '.appVersion' bitnami/${CHART}/Chart.yaml)"
          echo "Chart: ${CHART} ChartVersion: ${chart_version} AppVersion: ${app_version}"
      - id: get-asset-vib-config
        name: Get asset-specific configuration for VIB action
        run: |
          config_file=".vib/${{ needs.get-chart.outputs.chart }}/vib-action.config"

          # Supported configuration customizations and default values
          verification_mode="PARALLEL"

          if [[ -f $config_file ]]; then
            verification_mode="$(cat $config_file | grep 'verification-mode' | cut -d'=' -f2)"
          fi
          runtime_parameters_file=""
          if [[ -f ".vib/${{ needs.get-chart.outputs.chart }}/runtime-parameters.yaml" ]]; then
            # The path is relative to the .vib folder
            runtime_parameters_file="${{ needs.get-chart.outputs.chart }}/runtime-parameters.yaml"
          fi
          echo "verification_mode=${verification_mode}" >> $GITHUB_OUTPUT
          echo "runtime_parameters_file=${runtime_parameters_file}" >> $GITHUB_OUTPUT
      - uses: vmware-labs/vmware-image-builder-action@v0
        name: Verify ${{ needs.get-chart.outputs.chart }}
        with:
          pipeline: ${{ needs.get-chart.outputs.chart }}/vib-verify.json
          verification-mode: ${{ steps.get-asset-vib-config.outputs.verification_mode }}
          runtime-parameters-file: ${{ steps.get-asset-vib-config.outputs.runtime_parameters_file }}
        env:
          CSP_API_URL: https://console.tanzu.broadcom.com
          CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
          VIB_PUBLIC_URL: ${{ vars.VIB_PUBLIC_URL }}
          # Target-Platform used by default
          VIB_ENV_TARGET_PLATFORM: ${{ secrets.VIB_ENV_TARGET_PLATFORM }}
          # Alternative Target-Platform to be used in case of incompatibilities
          VIB_ENV_ALTERNATIVE_TARGET_PLATFORM: ${{ secrets.VIB_ENV_ALTERNATIVE_TARGET_PLATFORM }}
          # Set kubescape score threshold
          VIB_ENV_KUBESCAPE_SCORE_THRESHOLD: ${{ needs.chart-score.outputs.threshold }}
          # Set docker credentials
          VIB_ENV_CHARTS_REGISTRY: oci://registry-1.docker.io/bitnamicharts
          VIB_ENV_CHARTS_REGISTRY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          VIB_ENV_CHARTS_REGISTRY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
  auto-pr-review:
    runs-on: ubuntu-latest
    needs: vib-verify
    name: Reviewal for automated PRs
    permissions:
      pull-requests: write
    # Job to be run only when the triage for automated PRs did as well,
    # not taking into account whether 'VIB Verify' succeeded
    if: |
      always() &&
      contains(github.event.pull_request.labels.*.name, 'auto-merge') &&
      github.event.pull_request.user.login == 'bitnami-bot'
    steps:
      # Approve the CI's PR if the 'VIB Verify' job succeeded
      # Approved by the 'github-actions' user; a PR can't be approved by its author
      - name: PR approval
        if: ${{ needs.vib-verify.result == 'success' }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        with:
          result-encoding: string
          retries: 3
          script: |
            github.rest.pulls.createReview({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              event: 'APPROVE',
            });
      - name: Merge
        id: merge
        if: ${{ needs.vib-verify.result == 'success' }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        with:
          result-encoding: string
          retries: 3
          github-token: ${{ secrets.BITNAMI_BOT_TOKEN }}
          script: |
            github.rest.pulls.merge({
              pull_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              merge_method: 'squash'
            })
      # If the CI did not succeed ('VIB Verify' failed or skipped),
      # post a comment on the PR and assign a maintainer agent to review it
      - name: Manual review required
        if: ${{ always() && github.run_attempt >= vars.MAX_RUNS_ATTEMPTS && needs.vib-verify.result != 'skipped' && (needs.vib-verify.result != 'success' || steps.merge.outcome != 'success' ) }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        env:
          BODY: |
            There has been an error during the automated release process. Manual revision is now required.
            Please check the related [action_run#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more information.
        with:
          retries: 3
          # Necessary to trigger support workflows
          github-token: ${{ secrets.BITNAMI_BOT_TOKEN }}
          script: |
            const {BODY} = process.env
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `${BODY}`
            })