chore: add chart audit workflow

Author: portswigger-tim

.github/actions/setup-polaris/Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine:3.14
+
+RUN apk add --no-cache \
+  bash \
+  ca-certificates \
+  curl \
+  wget \
+  tar \
+  jq
+
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

.github/actions/setup-polaris/action.yaml

@@ -0,0 +1,22 @@
+name: 'Install polaris'
+description: 'Download a specific polaris version'
+
+inputs:
+  version:
+    description: 'version of polaris'
+    required: true
+    default: 'latest'
+
+runs:
+  using: 'docker'
+  image: './Dockerfile'
+  args:
+    - ${{ inputs.version }}
+
+outputs:
+  version:
+    description: 'Version of polaris installed'
+
+branding:
+  icon: 'download-cloud'
+  color: 'gray-dark'

.github/actions/setup-polaris/entrypoint.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+if [[ -z "$INPUT_VERSION" ]]; then
+  echo "Missing polaris version information"
+  exit 1
+fi
+polaris version | grep "$INPUT_VERSION" &> /dev/null
+if [ $? == 0 ]; then
+   echo "Polaris $INPUT_VERSION is already installed! Exiting gracefully."
+   exit 0
+else
+  echo "Installing polaris to path."
+fi
+TARGET_FILE="polaris.tar.gz"
+curl -LJ -o $TARGET_FILE 'https://github.com/FairwindsOps/polaris/releases/download/'"$INPUT_VERSION"'/polaris_linux_amd64.tar.gz'
+mkdir polaris
+tar -xzf $TARGET_FILE -C polaris
+rm $TARGET_FILE
+echo "polaris" >> $GITHUB_PATH
+echo "::set-output name=version::$INPUT_VERSION"

.github/workflows/chart-audit.yaml

@@ -0,0 +1,68 @@
+name: Chart Audit
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch: {}
+
+jobs:
+  polaris:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - name: Install Polaris
+        uses: ./.github/actions/setup-polaris
+        with:
+          version: 4.0.7
+
+      - name: Polaris Audit
+        run: |
+          set -o pipefail
+          echo '<img src="https://camo.githubusercontent.com/21017bcdf60b658e5719e8d4b8ebf4ba4c1115ea907f2d8190427a82f8979eaf/68747470733a2f2f706f6c617269732e646f63732e6661697277696e64732e636f6d2f696d672f706f6c617269732d6c6f676f2e706e67" width="400" />' > audit-results.out
+          for chart in $(ls -d helm-charts/*/)
+          do
+            echo '<details>' >> audit-results.out
+            echo "<summary>::RESULT:: Audit results for: ${chart}</summary>" >> audit-results.out
+            echo '' >> audit-results.out
+            echo '```bash' >> audit-results.out
+            polaris audit \
+              --set-exit-code-on-danger \
+              --set-exit-code-below-score 85 \
+              --format pretty \
+              --helm-chart ${chart} \
+              --helm-values ${chart}/values.yaml | tee -a audit-results.out
+            echo '```' >> audit-results.out
+            echo '</details>' >> audit-results.out
+            echo '' >> audit-results.out
+            sed -i'' 's/::RESULT::/:white_check_mark:/' audit-results.out
+          done
+      - name: Close details on failure
+        if: failure() && (github.event.pull_request.base.ref == 'master' || github.event.pull_request.base.ref == 'main')
+        run: |
+          echo '```' >> audit-results.out
+          echo '</details>' >> audit-results.out
+          sed -i'' 's/::RESULT::/:x:/' audit-results.out
+      - name: Replace ANSI Colors
+        if: always() && (github.event.pull_request.base.ref == 'master' || github.event.pull_request.base.ref == 'main')
+        run: |
+          sed -i'' -r 's/[[:cntrl:]]\[[0-9]{1,3}(;[0-9]{1})?m//g' audit-results.out
+      - name: Update PR
+        if: always() && (github.event.pull_request.base.ref == 'master' || github.event.pull_request.base.ref == 'main')
+        uses: machine-learning-apps/pr-comment@1.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          path: audit-results.out

.github/workflows/docker-release.yml .github/workflows/docker-release.yaml.github/workflows/docker-release.yml renamed to .github/workflows/docker-release.yaml

@@ -46,4 +46,4 @@ jobs:
         context: ${{ matrix.app }}
         push: ${{ github.event_name != 'pull_request' }}
         tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
+        labels: ${{ steps.meta.outputs.labels }}

.github/workflows/test-and-lint.yml .github/workflows/test-and-lint.yaml.github/workflows/test-and-lint.yml renamed to .github/workflows/test-and-lint.yaml

@@ -44,4 +44,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: psf/black@stable
+      - uses: psf/black@stable

.pre-commit-config.yaml

@@ -0,0 +1,18 @@
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+    #- id: no-commit-to-branch
+    - id: check-merge-conflict
+    - id: check-yaml
+      exclude: ^heplm-charts/.+/templates/
+    - id: end-of-file-fixer
+    - id: trailing-whitespace
+  - repo: https://github.com/norwoodj/helm-docs
+    rev: v1.6.0
+    hooks:
+      - id: helm-docs
+        args:
+          - --chart-search-root=helm-charts
+          - --template-files=README.md.gotmpl

helm-charts/simplejson-proxy/README.md.gotmpl

@@ -9,8 +9,8 @@
 
 ## Installation
 ```
-helm repo add aws-exporters https://aws-exporters.github.io/charts/
-helm install {{ template "chart.name" . }} aws-exporters/{{ template "chart.name" . }}
+helm repo add devopsmakers https://devopsmakers.github.io/charts/
+helm install {{ template "chart.name" . }} devopsmakers/{{ template "chart.name" . }}
 ```
 
 {{ template "chart.maintainersSection" . }}