From 058f63a8fd08cc5bdc58f2b4da83013dfd5a39df Mon Sep 17 00:00:00 2001 From: tstollin Date: Fri, 15 May 2026 09:31:12 +0200 Subject: [PATCH] chore: add codegen-check and helm-chart-update workflows, move post-helmify templates Restructure workflow files. --- .github/workflows/ci.yml | 134 ++++++++++++++++++ .github/workflows/commitlint.yml | 30 ---- .github/workflows/helm-chart-update.yml | 134 ++++++++++++++++++ .github/workflows/lint.yml | 27 ---- .github/workflows/release.yml | 18 --- .github/workflows/test-e2e.yml | 32 ----- .github/workflows/test.yml | 24 ---- .gitignore | 7 + CONTRIBUTING.md | 26 ++++ Makefile | 27 ++-- cmd/main.go | 6 +- commitlint.config.js | 2 +- docs/techdocs/crds.md | 9 +- docs/techdocs/packaging.md | 2 +- hack/post-helmify/main.go | 13 +- .../templates}/envs.configmap.yaml | 0 .../post-helmify/templates}/manager-rbac.yaml | 0 .../templates}/poddisruptionbudget.yaml | 0 .../post-helmify/templates}/serving-cert.yaml | 0 hack/post-helmify/transformations.go | 9 +- 20 files changed, 343 insertions(+), 157 deletions(-) create mode 100644 .github/workflows/ci.yml delete mode 100644 .github/workflows/commitlint.yml create mode 100644 .github/workflows/helm-chart-update.yml delete mode 100644 .github/workflows/lint.yml delete mode 100644 .github/workflows/test-e2e.yml delete mode 100644 .github/workflows/test.yml rename {config/tmp => hack/post-helmify/templates}/envs.configmap.yaml (100%) rename {config/tmp => hack/post-helmify/templates}/manager-rbac.yaml (100%) rename {config/tmp => hack/post-helmify/templates}/poddisruptionbudget.yaml (100%) rename {config/tmp => hack/post-helmify/templates}/serving-cert.yaml (100%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..b44a605 --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,134 @@
+name: CI
+# Jobs in this workflow are enforced as required status checks via branch protection on main.
+
+on:
+ push:
+ pull_request:
+ # 'edited' is included so commitlint re-runs when PR title changes (used as squash commit message)
+ types: [opened, edited, synchronize, reopened]
+
+permissions:
+ contents: read
+ pull-requests: read
+
+
+jobs:
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Setup Go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+
+ - name: Check linter configuration
+ run: make lint-config
+
+ - name: Run linter
+ uses: golangci/golangci-lint-action@v9
+ with:
+ version: v2.11.4
+
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Setup Go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+
+ - name: Run tests
+ run: |
+ go mod tidy
+ make test
+
+ codegen-check:
+ name: Verify Generated Code
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Setup Go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+
+ - name: Run code generation
+ run: |
+ make manifests
+ make generate
+ make crd-docs
+
+ - name: Check for uncommitted changes
+ run: |
+ if [ -n "$(git status --porcelain)" ]; then
+ echo "::error::Generated code is out of date. Please run 'make manifests generate crd-docs' and commit the changes."
+ echo ""
+ echo "Changed files:"
+ git status --short
+ echo ""
+ echo "Diff:"
+ git diff
+ exit 1
+ fi
+ echo "Generated code is up to date."
+
+ commitlint:
+ name: Validate Commit Messages
+ runs-on: ubuntu-latest
+ if: github.event_name == 'pull_request'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version-file: .node-version
+
+ - name: Install commitlint
+ run: npm ci
+
+ - name: Lint commits
+ run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+
+ test-e2e:
+ name: Test E2E
+ runs-on: ubuntu-latest
+ if: false # disabled until fixed
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Setup Go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+
+ - name: Install kind
+ run: |
+ curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)
+ chmod +x ./kind
+ sudo mv ./kind /usr/local/bin/kind
+
+ - name: Verify kind installation
+ run: kind version
+
+ - name: Run E2E tests
+ run: |
+ go mod tidy
+ make test-e2e
+
+
+
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
deleted file mode 100644
index 11b51da..0000000
--- a/.github/workflows/commitlint.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: Commit Lint
-
-on:
- pull_request:
- types: [opened, edited, synchronize, reopened]
-
-permissions:
- contents: read
- pull-requests: read
-
-jobs:
- commitlint:
- name: Validate Commit Messages
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
- with:
- fetch-depth: 0
-
- - name: Setup Node.js
- uses: actions/setup-node@v4
- with:
- node-version-file: .node-version
-
- - name: Install commitlint
- run: npm ci
-
- - name: Lint commits
- run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
diff --git a/.github/workflows/helm-chart-update.yml b/.github/workflows/helm-chart-update.yml
new file mode 100644
index 0000000..184d9f0
--- /dev/null
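Review bot: The `Install kind` step of the `test-e2e` job fetches `https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)` and moves it into `/usr/local/bin` with `sudo`, with no pinned release and no checksum verification, so the job would execute whatever that URL serves once `if: false` is removed. Pin a release and verify its published checksum before re-enabling the job, or use the toolchain the job already sets up, e.g. `go install sigs.k8s.io/kind@<PINNED_VERSION>`. In the `test` and `test-e2e` jobs, `go mod tidy` may rewrite go.mod/go.sum on the runner before the tests execute, so CI can pass against a dependency set that differs from the committed one; `go mod verify`, or failing when tidy produces a diff, keeps the required check meaningful. The actions are referenced by mutable tags (`actions/checkout@v6`, `golangci/golangci-lint-action@v9`); pinning them to full commit SHAs is worth considering for jobs that gate merges.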
+++ b/.github/workflows/helm-chart-update.yml 
@@ -0,0 +1,134 @@ +name: Update Helm Chart + +on: + workflow_run: + workflows: ["Build & Release"] + types: + - completed + workflow_dispatch: + +permissions: + contents: read + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + HELM_REPO: Interhyp/git-hubby-helm + +jobs: + update-helm-chart: + name: Update Helm Chart + runs-on: ubuntu-latest + if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} + steps: + - name: Determine source branch + id: source + run: | + if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then + echo "branch=${{ github.ref_name }}" >> "$GITHUB_OUTPUT" + echo "sha=${{ github.sha }}" >> "$GITHUB_OUTPUT" + else + echo "branch=${{ github.event.workflow_run.head_branch }}" >> "$GITHUB_OUTPUT" + echo "sha=${{ github.event.workflow_run.head_sha }}" >> "$GITHUB_OUTPUT" + fi + + - name: Checkout source repository + uses: actions/checkout@v6 + with: + ref: ${{ steps.source.outputs.branch }} + fetch-depth: 0 + + - name: Setup Go + uses: actions/setup-go@v6 + with: + go-version-file: go.mod + + - name: Lowercase image name + run: echo "IMAGE_NAME=${IMAGE_NAME,,}" >> "$GITHUB_ENV" + + - name: Determine image version + id: version + run: | + if [[ "${{ steps.source.outputs.branch }}" == "main" ]]; then + git fetch --tags + LATEST_TAG=$(git tag --sort=-v:refname | head -1) + if [[ -n "$LATEST_TAG" ]]; then + VERSION="${LATEST_TAG#v}" + else + SHORT_SHA="$(git rev-parse --short HEAD)" + VERSION="main-${SHORT_SHA}" + fi + else + BRANCH="$(echo '${{ steps.source.outputs.branch }}' | sed 's|[^a-zA-Z0-9._-]|-|g' | cut -c1-50)" + SHORT_SHA="$(git rev-parse --short ${{ steps.source.outputs.sha }})" + VERSION="snapshot-${BRANCH}-${SHORT_SHA}" + fi + echo "version=${VERSION}" >> "$GITHUB_OUTPUT" + echo "Image version: ${VERSION}" + + - name: Checkout Helm chart repository + uses: actions/checkout@v6 + with: + repository: ${{ env.HELM_REPO }} + token: ${{ secrets.HELM_CHART_PAT }} + path: 
helm-repo + + - name: Generate Helm chart + run: make helm CHART_DIR=helm-repo/chart + + - name: Update image tag in Helm chart + run: | + if [[ -f helm-repo/chart/values.yaml ]]; then + sed -i "s|tag:.*|tag: \"${{ steps.version.outputs.version }}\"|" helm-repo/chart/values.yaml + sed -i "s|repository:.*|repository: ${REGISTRY}/${IMAGE_NAME}|" helm-repo/chart/values.yaml + fi + if [[ -f helm-repo/chart/Chart.yaml ]]; then + sed -i "s|^appVersion:.*|appVersion: \"${{ steps.version.outputs.version }}\"|" helm-repo/chart/Chart.yaml + fi + + - name: Determine target branch + id: branch + run: | + if [[ "${{ steps.source.outputs.branch }}" == "main" ]]; then + echo "name=update/v${{ steps.version.outputs.version }}" >> "$GITHUB_OUTPUT" + else + BRANCH="$(echo '${{ steps.source.outputs.branch }}' | sed 's|[^a-zA-Z0-9._-]|-|g' | cut -c1-50)" + echo "name=snapshot/${BRANCH}" >> "$GITHUB_OUTPUT" + fi + + + - name: Commit and push changes + working-directory: helm-repo + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + git checkout -b "${{ steps.branch.outputs.name }}" + git add -A + git diff --cached --quiet && echo "No changes to commit" && exit 0 + git commit -m "chore: update helm chart to version ${{ steps.version.outputs.version }}" + git push --force origin "${{ steps.branch.outputs.name }}" + + - name: Create Pull Request for main branch + if: steps.source.outputs.branch == 'main' + env: + GH_TOKEN: ${{ secrets.HELM_CHART_PAT }} + run: | + cd helm-repo + EXISTING_PR=$(gh pr list --head "${{ steps.branch.outputs.name }}" --json number --jq '.[0].number' 2>/dev/null || true) + if [[ -n "$EXISTING_PR" ]]; then + echo "PR #${EXISTING_PR} already exists, updating..." 
+ gh pr edit "$EXISTING_PR" \ + --title "chore: update helm chart to v${{ steps.version.outputs.version }}" \ + --body "Automated Helm chart update from [git-hubby release v${{ steps.version.outputs.version }}](https://github.com/${{ github.repository }}/releases/tag/v${{ steps.version.outputs.version }})" + else + gh pr create \ + --repo "${{ env.HELM_REPO }}" \ + --head "${{ steps.branch.outputs.name }}" \ + --base main \ + --title "chore: update helm chart to v${{ steps.version.outputs.version }}" \ + --body "Automated Helm chart update from [git-hubby release v${{ steps.version.outputs.version }}](https://github.com/${{ github.repository }}/releases/tag/v${{ steps.version.outputs.version }})" \ + --label "automatic-update" \ + --draft + fi + + diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml deleted file mode 100644 index 81de245..0000000 --- a/.github/workflows/lint.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Lint -# used as pull request required check - -on: - push: - pull_request: - -jobs: - lint: - name: Lint - runs-on: ubuntu-latest - steps: - - name: Clone the code - uses: actions/checkout@v6 - - - name: Setup Go - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - name: Check linter configuration - run: make lint-config - - - name: Run linter - uses: golangci/golangci-lint-action@v9 - with: - version: v2.11.4 \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fe40f6d..e3902fa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
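Review bot: The `run:` scripts in `Determine source branch`, `Determine image version` and `Determine target branch` expand `${{ github.event.workflow_run.head_branch }}`, `${{ github.ref_name }}` and `${{ steps.source.outputs.branch }}` directly into shell text, so a crafted branch name is interpreted as script in a job that also handles `secrets.HELM_CHART_PAT`. Hand these values to the step through `env:` and use them only as quoted shell variables, as in the excerpt below; the same treatment applies to the `git checkout -b`, `git commit -m`, `sed` and `gh pr` lines that interpolate step outputs. The job also runs `make helm` from the triggering branch after the helm-repo checkout has left the PAT in `helm-repo/.git/config` (actions/checkout persists the token unless `persist-credentials: false` is set), and which branches can start "Build & Release" is not visible in this diff, so consider a `branches: [main]` filter on `workflow_run` and supplying the token only to the push and `gh` steps. The source checkout uses the branch name while the version string uses `head_sha`, so the chart may be generated from a newer commit than the one that was released; `ref: ${{ steps.source.outputs.sha }}` would tie the two together.

```yaml
      - name: Determine source branch
        id: source
        env:
          EVENT_NAME: ${{ github.event_name }}
          DISPATCH_BRANCH: ${{ github.ref_name }}
          DISPATCH_SHA: ${{ github.sha }}
          RUN_BRANCH: ${{ github.event.workflow_run.head_branch }}
          RUN_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            echo "branch=$DISPATCH_BRANCH" >> "$GITHUB_OUTPUT"
            echo "sha=$DISPATCH_SHA" >> "$GITHUB_OUTPUT"
          else
            echo "branch=$RUN_BRANCH" >> "$GITHUB_OUTPUT"
            echo "sha=$RUN_SHA" >> "$GITHUB_OUTPUT"
          fi

      # … unchanged: checkout source repository, setup Go, lowercase image name …

      - name: Determine image version
        id: version
        env:
          SOURCE_BRANCH: ${{ steps.source.outputs.branch }}
          SOURCE_SHA: ${{ steps.source.outputs.sha }}
        run: |
          if [[ "$SOURCE_BRANCH" == "main" ]]; then
            # … unchanged: latest-tag lookup and main-<sha> fallback …
          else
            BRANCH="$(printf '%s\n' "$SOURCE_BRANCH" | sed 's|[^a-zA-Z0-9._-]|-|g' | cut -c1-50)"
            SHORT_SHA="$(git rev-parse --short "$SOURCE_SHA")"
            VERSION="snapshot-${BRANCH}-${SHORT_SHA}"
          fi
          # … unchanged: write version to GITHUB_OUTPUT …
```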
@@ -15,27 +15,9 @@ env: IMAGE_NAME: ${{ github.repository }} jobs: - test: - name: Pre-Release Test - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Setup Go - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - name: Running Tests - run: | - go mod tidy - make test - build-and-publish: name: Build & Publish Image runs-on: ubuntu-latest - needs: test steps: - name: Checkout code uses: actions/checkout@v6 diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml deleted file mode 100644 index 0401f6b..0000000 --- a/.github/workflows/test-e2e.yml +++ /dev/null @@ -1,32 +0,0 @@ -name: E2E Tests - -on: - push: - pull_request: - -jobs: - test-e2e: - name: Test e2e - runs-on: ubuntu-latest - if: false # disabled until fixed - steps: - - name: Clone the code - uses: actions/checkout@v6 - - - name: Setup Go - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - name: Install the latest version of kind - run: | - curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH) - chmod +x ./kind - sudo mv ./kind /usr/local/bin/kind - - name: Verify kind installation - run: kind version - - - name: Running Test e2e - run: | - go mod tidy - make test-e2e diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml deleted file mode 100644 index 25c4da5..0000000 --- a/.github/workflows/test.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: Tests -# used as pull request required check - -on: - push: - pull_request: - -jobs: - test: - name: Test - runs-on: ubuntu-latest - steps: - - name: Clone the code - uses: actions/checkout@v6 - - - name: Setup Go - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - name: Running Tests - run: | - go mod tidy - make test diff --git a/.gitignore b/.gitignore index 71d280b..c20acc5 100644 --- a/.gitignore +++ b/.gitignore 
@@ -67,3 +67,10 @@ build-output/ node_modules/ + +# Generated Helm chart (output of make helm) +chart/ + +# post-helmify binary (built by go build ./hack/post-helmify/) +/post-helmify + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b43051a..dc9c234 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -11,6 +11,7 @@ Thank you for your interest in contributing to git-hubby! This guide covers ever - [Code Conventions](#code-conventions) - [Testing](#testing) - [Submitting Changes](#submitting-changes) +- [CI/CD Workflows](#cicd-workflows) ## Prerequisites 
@@ -267,6 +268,31 @@ Edit `.env` freely — it won't be committed. The template (`.env.tmpl`) contain 5. Commit using [Conventional Commits](https://www.conventionalcommits.org/) format. This is enforced by CI on pull requests. 6. Open a **Pull Request** against `main` with a description of what changed and why. +## CI/CD Workflows + +### Codegen Check + +The **Codegen Check** workflow verifies that generated code is up to date on every PR. It runs `make manifests`, `make generate`, and `make crd-docs`, then fails if there are uncommitted changes. Always run these before pushing: + +```bash +make manifests generate crd-docs +``` + +### Helm Chart Update + +The **Update Helm Chart** workflow manages the Helm chart in [Interhyp/git-hubby-helm](https://github.com/Interhyp/git-hubby-helm): + +- **Automatic (main only)**: After a successful release on `main`, the workflow regenerates the Helm chart, updates the image tag to the released version, pushes a branch to `git-hubby-helm`, and creates a draft PR labeled `automatic-update`. +- **Manual (any branch)**: You can trigger the workflow manually via `workflow_dispatch` to test Helm chart generation from your feature branch. The result is pushed to a `snapshot/` branch in `git-hubby-helm` (no PR is created). + +To manually trigger from your branch: + +```bash +gh workflow run "Update Helm Chart" --ref +``` + +This lets you verify Helm chart changes before merging to `main`. + ### Commit Message Format This project uses **Conventional Commits** for automated semantic versioning and changelog generation. diff --git a/Makefile b/Makefile index b5123a8..1b13d5d 100644 --- a/Makefile +++ b/Makefile 
@@ -287,20 +287,19 @@ $(GINKGO): $(LOCALBIN) # Generate helm chart from kustomize using helmify -## TODO needs update to update github.com/Interhyp/git-hubby-helm instead of local update - -#HELMIFY ?= $(LOCALBIN)/helmify -# -#.PHONY: helmify -#helmify: $(HELMIFY) ## Download helmify locally if necessary. -#$(HELMIFY): $(LOCALBIN) -# test -s $(LOCALBIN)/helmify || GOBIN=$(LOCALBIN) go install github.com/arttor/helmify/cmd/helmify@latest -# -#.PHONY: helm -#helm: manifests generate kustomize crd-docs helmify -# $(KUSTOMIZE) build config/default | $(HELMIFY) -crd-dir && \ -# cp config/tmp/envs.configmap.yaml chart/templates/envs.configmap.yaml && \ -# go run ./hack/post-helmify chart +HELMIFY ?= $(LOCALBIN)/helmify + +.PHONY: helmify +helmify: $(HELMIFY) ## Download helmify locally if necessary. +$(HELMIFY): $(LOCALBIN) + test -s $(LOCALBIN)/helmify || GOBIN=$(LOCALBIN) go install github.com/arttor/helmify/cmd/helmify@latest + +CHART_DIR ?= chart + +.PHONY: helm +helm: manifests generate kustomize crd-docs helmify + $(KUSTOMIZE) build config/default | $(HELMIFY) -crd-dir $(CHART_DIR) && \ + go run ./hack/post-helmify $(CHART_DIR) # Generate CRD Documentation using crd-ref-docs diff --git a/cmd/main.go b/cmd/main.go index 0d4e851..78620db 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -391,6 +391,8 @@ func main() { K8sClient: mgr.GetClient(), } + webhooksEnabled := os.Getenv("ENABLE_WEBHOOKS") != "false" + globalLimiter := ratelimit.NewGitHubRateLimiter(ratelimit.GitHubRateLimiterConfig{ RequestsPerHour: 15000, // GitHub's rate limit BurstSize: 500, // Allow some burst 
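Review bot: The re-enabled `$(HELMIFY)` rule installs `github.com/arttor/helmify/cmd/helmify@latest`, so the chart pushed by the helm-chart-update workflow is produced by whatever helmify version is current at run time, inside a job that holds the chart repository token. Pin the tool, e.g. `HELMIFY_VERSION ?= <PINNED_VERSION>` with `go install github.com/arttor/helmify/cmd/helmify@$(HELMIFY_VERSION)`, which also makes chart output reproducible between local runs and CI. `test -s $(LOCALBIN)/helmify` only checks that some binary exists, so a stale local copy is never replaced after a version change; whether other tools in this Makefile use versioned binary names is outside the hunk.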
@@ -424,10 +426,8 @@ func main() { setupLog.Error(err, "unable to create controller", "controller", "Team") os.Exit(1) } - - webhooksEnabled := os.Getenv("ENABLE_WEBHOOKS") != "false" if webhooksEnabled { - setupLog.Info("Webhooks enabled") + setupLog.V(1).Info("Webhooks enabled") if err := webhookv1alpha1.SetupOrganizationWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "Organization") os.Exit(1) diff --git a/commitlint.config.js b/commitlint.config.js index a7bfe3d..17710b5 100644 --- a/commitlint.config.js +++ b/commitlint.config.js @@ -20,4 +20,4 @@ module.exports = { ], 'subject-case': [0], }, -}; +}; \ No newline at end of file diff --git a/docs/techdocs/crds.md b/docs/techdocs/crds.md index b4576c5..9021e91 100644 --- a/docs/techdocs/crds.md +++ b/docs/techdocs/crds.md @@ -800,7 +800,7 @@ _Appears in:_ | `name` _string_ | Name is the GitHub repository name.
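Review bot: After this hunk the only startup record of the webhook state is `setupLog.V(1).Info("Webhooks enabled")`, which is hidden at default verbosity, and no branch visible here logs anything when `ENABLE_WEBHOOKS=false` turns the webhooks off. If webhooks such as the Organization one registered here enforce validation, running without them is a state operators should be able to see in normal logs; consider keeping the message at Info level and adding `else { setupLog.Info("Webhooks disabled via ENABLE_WEBHOOKS=false") }`. The `if webhooksEnabled` block continues past the end of the hunk, so an existing else branch cannot be ruled out.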
Repository names can contain alphanumeric characters, hyphens, underscores, and periods. | | MaxLength: 100
MinLength: 1
Pattern: `^[.a-zA-Z0-9][a-zA-Z0-9_.-]\{0,99\}$`
Required: \{\}
Type: string
| | `customProperties` _[CustomPropertyValue](#custompropertyvalue) array_ | CustomProperties is a list of custom property values to apply to this repository.
These properties must be defined in the parent organization's custom properties.
If a property is not present in this list, it will be unset (removed) from the repository.
See: https://docs.github.com/en/rest/repos/custom-properties | | ExactlyOneOf: [value values]
| | `defaultBranch` _string_ | DefaultBranch is the name of the default branch for the repository.
This is the base branch for pull requests and where the repository opens by default. | main | MaxLength: 100
MinLength: 1
Pattern: `^[a-zA-Z0-9][a-zA-Z0-9_.-]\{0,99\}$`
Type: string
| -| `visibility` _string_ | Visibility controls who can see the repository.
- "public": Anyone can see the repository
- "private": Only people with explicit access can see the repository
- "internal": Only members of the organization can see the repository (Enterprise only)
See: https://docs.github.com/en/rest/repos/repos#create-an-organization-repository | internal | Enum: [public private internal]
Type: string
| +| `visibility` _string_ | Visibility controls who can see the repository.
- "public": Anyone can see the repository
- "private": Only people with explicit access can see the repository
- "internal": Only members of the organization can see the repository (Enterprise only)
See: https://docs.github.com/en/rest/repos/repos#create-an-organization-repository | private | Enum: [public private internal]
Type: string
| | `hasIssues` _boolean_ | HasIssues enables or disables the GitHub Issues feature for the repository.
When enabled, users can create and track issues. | true | Type: boolean
| | `hasProjects` _boolean_ | HasProjects enables or disables the GitHub Projects (classic) feature for the repository.
Note: This refers to classic projects, not the newer Projects feature. | false | Type: boolean
| | `hasWiki` _boolean_ | HasWiki enables or disables the GitHub Wiki feature for the repository.
When enabled, users can create wiki pages for documentation. | false | Type: boolean
| @@ -812,7 +812,7 @@ _Appears in:_ | `deleteBranchOnMerge` _boolean_ | DeleteBranchOnMerge automatically deletes head branches after pull requests are merged.
This helps keep the repository clean by removing merged feature branches.
See: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-the-automatic-deletion-of-branches | true | | | `about` _[About](#about)_ | About contains descriptive information about the repository. | | | | `archived` _boolean_ | Archived marks the repository as archived (read-only).
Archived repositories cannot receive new issues, pull requests, or commits.
See: https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories | false | | -| `actionsEnabled` _boolean_ | ActionsEnabled determines whether this repository can use GitHub Actions.
This must be enabled at the organization level for this setting to take effect.
See: https://docs.github.com/en/rest/actions/permissions | false | | +| `actionsEnabled` _boolean_ | ActionsEnabled determines whether this repository can use GitHub Actions.
This must be enabled at the organization level for this setting to take effect.
See: https://docs.github.com/en/rest/actions/permissions | true | | | `accessLevelForExternalWorkflows` _string_ | AccessLevelForExternalWorkflows controls access to workflows outside the repository.
- "none": Only workflows in this repository can access actions and reusable workflows
- "user": Workflows in user-owned private repositories can access them
- "organization": Workflows across the organization can access them
- "enterprise": Workflows across the enterprise can access them
See: https://docs.github.com/en/rest/actions/permissions | none | Enum: [none user organization enterprise]
| | `availableActionsRunnerGroups` _string array_ | AvailableActionsRunnerGroups lists runner group names that this repository can use.
This is only relevant when the organization's runner groups have "selected" visibility.
See: https://docs.github.com/en/rest/actions/self-hosted-runner-groups | | | | `organizationRef` _[OrganizationRef](#organizationref)_ | OrganizationRef references the Organization CRD this repository belongs to. | | Required: \{\}
| @@ -1203,7 +1203,10 @@ _Appears in:_ | `members` _string array_ | Members is a list of GitHub usernames to add to the team.
This field is mutually exclusive with IDPGroup.
When set, team membership is managed manually through this list.
Members not in this list will be removed from the team. | | MaxItems: 100
| | `idpGroup` _string_ | IDPGroup is the name of the Identity Provider group to synchronize with this team.
This field is mutually exclusive with Members.
When set, team membership is automatically synchronized from the IDP group.
See: https://docs.github.com/en/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group | | MaxLength: 100
Pattern: `^[a-zA-Z0-9][a-zA-Z0-9_.-]\{0,99\}$`
Type: string
| | `description` _string_ | Description provides additional information about the team's purpose.
This appears on the team's page in GitHub. | | MaxLength: 1000
Optional: \{\}
Type: string
| -| `organizationRoles` _string array_ | OrganizationRoles is a list of organization role names to assign to this team.
Organization roles define the permissions the team has within the organization.
If not specified, defaults to ["all_repo_write"].
Set to an empty list to remove all role assignments.
See: https://docs.github.com/en/rest/orgs/organization-roles | | Optional: \{\}
| +| `privacy` _string_ | Privacy controls the visibility of the team within the organization.
- "closed": The team is visible to all members of the organization, but only team members can see team discussions and manage team membership.
- "secret": The team is only visible to organization owners and team members.
See: https://docs.github.com/en/rest/teams/teams#create-a-team | closed | Enum: [closed secret]
Optional: \{\}
| +| `permission` _string_ | Permission specifies the default permission granted to team members for organization repositories.
- "pull": Team members can pull (read) from organization repositories.
- "push": Team members can pull and push (read and write) to organization repositories.
Note: This is a legacy field. Use organization roles for more fine-grained permissions.
See: https://docs.github.com/en/rest/teams/teams#create-a-team | pull | Enum: [pull push]
Optional: \{\}
| +| `notificationSetting` _string_ | NotificationSetting controls whether team members receive notifications for the team.
- "notifications_disabled": No one receives notifications.
- "notifications_enabled": Everyone receives notifications when the team is @mentioned.
See: https://docs.github.com/en/rest/teams/teams#create-a-team | notifications_disabled | Enum: [notifications_disabled notifications_enabled]
Optional: \{\}
| +| `organizationRoles` _string array_ | OrganizationRoles is a list of organization role names to assign to this team.
Organization roles define the permissions the team has within the organization.
If not specified, defaults to empty list.
Set to an empty list to remove all role assignments.
See: https://docs.github.com/en/rest/orgs/organization-roles | | Optional: \{\}
| | `organizationRefs` _[OrganizationRef](#organizationref) array_ | OrganizationRefs is a list of Organization CRDs that this team belongs to.
The team will be created or updated in all referenced organizations.
Removing an organization from this list will delete the team from that organization
while preserving it in other organizations. | | MinItems: 1
Required: \{\}
| diff --git a/docs/techdocs/packaging.md b/docs/techdocs/packaging.md index 24656ae..246c9ec 100644 --- a/docs/techdocs/packaging.md +++ b/docs/techdocs/packaging.md @@ -65,7 +65,7 @@ The post-helmify tool is a Go binary at `hack/post-helmify/` with full test cove | `config/default/kustomization.yaml` | Kustomize overlay configuration | | `config/default/*_patch.yaml` | Kustomize strategic merge patches | | `hack/post-helmify/` | Post-generation Go binary that patches the Helm chart | -| `config/tmp/*.yaml` | Pre-built Helm templates copied by post-helmify | +| `hack/post-helmify/templates/*.yaml` | Pre-built Helm templates copied by post-helmify | | `chart/templates/_helpers.tpl` | Helm template helpers (manually maintained) | | `internal/controller/*_controller.go` | RBAC markers that generate `config/rbac/role.yaml` | diff --git a/hack/post-helmify/main.go b/hack/post-helmify/main.go index 5e33903..befdfd9 100644 --- a/hack/post-helmify/main.go +++ b/hack/post-helmify/main.go @@ -2,7 +2,7 @@ // customizations that helmify cannot produce natively. // // It performs the following transformations: -// - Replaces helmify-generated templates with pre-built versions from config/tmp/ +// - Replaces helmify-generated templates with pre-built versions from hack/post-helmify/templates/ // - Patches deployment.yaml with custom Helm helpers for env vars and labels // - Patches values.yaml to introduce watchedNamespaces list and remove kustomize artifacts // - Adds namespace templating to RBAC and webhook resources @@ -27,11 +27,11 @@ func main() { cfg := Config{ ChartPath: chartPath, - TemplateSrcDir: "config/tmp", + TemplateSrcDir: "hack/post-helmify/templates", } if err := run(cfg); err != nil { - fmt.Fprintf(os.Stderr, "ERROR: %v\n", err) + _, _ = fmt.Fprintf(os.Stderr, "ERROR: %v\n", err) os.Exit(1) } } 
@@ -41,6 +41,7 @@ func run(cfg Config) error { name string fn func(Config) error }{ + {"copy envs configmap template", copyEnvsConfigmapTemplate}, {"patch deployment podLabels", patchDeploymentPodLabels}, {"patch deployment strategy", patchDeploymentStrategy}, {"patch deployment preStop hook", patchDeploymentPreStop}, @@ -91,3 +92,9 @@ func (c Config) pdb() string { return c.ChartPath + "/templates/poddi func (c Config) pdbSrc() string { return c.TemplateSrcDir + "/poddisruptionbudget.yaml" } func (c Config) servingCertSrc() string { return c.TemplateSrcDir + "/serving-cert.yaml" } func (c Config) managerRBACSrc() string { return c.TemplateSrcDir + "/manager-rbac.yaml" } +func (c Config) envsConfigmapSrc() string { + return c.TemplateSrcDir + "/envs.configmap.yaml" +} +func (c Config) envsConfigmap() string { + return c.ChartPath + "/templates/envs.configmap.yaml" +} diff --git a/config/tmp/envs.configmap.yaml b/hack/post-helmify/templates/envs.configmap.yaml similarity index 100% rename from config/tmp/envs.configmap.yaml rename to hack/post-helmify/templates/envs.configmap.yaml diff --git a/config/tmp/manager-rbac.yaml b/hack/post-helmify/templates/manager-rbac.yaml similarity index 100% rename from config/tmp/manager-rbac.yaml rename to hack/post-helmify/templates/manager-rbac.yaml diff --git a/config/tmp/poddisruptionbudget.yaml b/hack/post-helmify/templates/poddisruptionbudget.yaml similarity index 100% rename from config/tmp/poddisruptionbudget.yaml rename to hack/post-helmify/templates/poddisruptionbudget.yaml diff --git a/config/tmp/serving-cert.yaml b/hack/post-helmify/templates/serving-cert.yaml similarity index 100% rename from config/tmp/serving-cert.yaml rename to hack/post-helmify/templates/serving-cert.yaml diff --git a/hack/post-helmify/transformations.go b/hack/post-helmify/transformations.go index 941d80d..3877049 100644 --- a/hack/post-helmify/transformations.go +++ b/hack/post-helmify/transformations.go 
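Review bot: The step registered here as `copy envs configmap template` succeeds silently when its source is missing: `copyEnvsConfigmapTemplate` in transformations.go returns nil on `os.IsNotExist`, and `TemplateSrcDir` is the relative path `hack/post-helmify/templates`, so running the tool from anywhere but the repository root yields a chart without `envs.configmap.yaml` and exit status 0. This mirrors the existing `copyPDBTemplate` behaviour, but the commented-out Makefile recipe it replaces used `cp`, which fails when the file is absent. Since the templates now ship next to the tool, check the directory once in `main` before calling `run`, e.g. `if _, err := os.Stat(cfg.TemplateSrcDir); err != nil { _, _ = fmt.Fprintf(os.Stderr, "ERROR: %v\n", err); os.Exit(1) }`. In transformations.go the new function is also inserted directly under the `// copyPDBTemplate copies …` comment, so that comment now documents the wrong function and `copyPDBTemplate` is left without one.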
@@ -223,8 +223,15 @@ func templateWebhookNamespaceSelector(cfg Config) error { // --- PodDisruptionBudget patches --- -// copyPDBTemplate copies the values-driven PDB template from config/tmp/. +// copyPDBTemplate copies the values-driven PDB template from hack/post-helmify/templates/. // Only requires the source to exist; the destination is created if missing. +func copyEnvsConfigmapTemplate(cfg Config) error { + if _, err := os.Stat(cfg.envsConfigmapSrc()); os.IsNotExist(err) { + return nil + } + return copyFile(cfg.envsConfigmapSrc(), cfg.envsConfigmap()) +} + func copyPDBTemplate(cfg Config) error { if _, err := os.Stat(cfg.pdbSrc()); os.IsNotExist(err) { return nil