Release-1.6.4

.github/actions/check-chart-locks/action.yml

@@ -0,0 +1,63 @@
+name: Check For Lock
+description: |
+  Checks for the existence of chart-name in a given chart lock file. If a chart
+  is found to be locked at the URL searched, the lockpath is returned should the
+  caller need it for further evaluation.
+
+  Designed to work with OWNERS file merges to prevent chart naming conflicts.
+inputs:
+  # e.g. vault
+  chart-name:
+    required: true
+    description:
+      Check the lock status of this chart by name.
+  fail-workflow-if-locked:
+    required: false
+    default: 'false'
+    description: |
+      Forces a failure of this action when the chart is locked. Must explicitly
+      be set to the value 'true'. All other values (even a boolean true) are
+      considered false.
+outputs:
+  # e.g. true/false
+  chart-is-locked:
+    description: Whether the chart provided via the chart-name input is locked
+    value: ${{ steps.set-lock-state.outputs.chart-is-locked }}
+  # e.g. charts/category/vendor/chartname if package-is-locked is true, else null
+  locked-to-path:
+    description: The path to which a locked chart is locked.
+    value: ${{ steps.check-for-chart-lock.outputs.locked-to-path }}
+runs:
+  using: composite
+  steps:
+  - name: Generate Locks
+    id: generate-locks
+    uses: ./.github/actions/generate-chart-locks
+  - name: Check lockfile for chart lock
+    id: check-for-chart-lock
+    shell: bash
+    run: |
+      set -e
+      echo "Ensuring expected key exists in lock JSON."
+      jq --exit-status .packages < ${{ steps.generate-locks.outputs.lockfile-path }}
+
+      echo "Checking if chart '${{ inputs.chart-name }}' is locked."
+      LOCK_PATH=$(jq -r '.packages."${{ inputs.chart-name }}"' < ${{ steps.generate-locks.outputs.lockfile-path }})
+
+      echo "locked-to-path=${LOCK_PATH}" | tee -a $GITHUB_OUTPUT
+
+  # Defaults to a locked state as a safeguard.
+  - name: Set lock state output
+    shell: bash
+    id: set-lock-state
+    run: |
+      echo "chart-is-locked=${{ steps.check-for-chart-lock.outputs.locked-to-path != 'null' }}" | tee -a $GITHUB_OUTPUT
+
+  - name: Fail if requested and the chart is locked
+    shell: bash
+    if: |
+      inputs.fail-workflow-if-locked == 'true' &&
+      steps.set-lock-state.outputs.chart-is-locked == 'true'
+    run: |
+      echo "::error::Workflow is failing at the caller's request."
+      exit -1

.github/actions/generate-chart-locks/action.yaml

@@ -0,0 +1,78 @@
+name: Generate Chart Locks
+description: |
+  Generates chart locks at runtime and places the generated contents on the
+  filesystem.
+
+  For pull_request / pull_request_target events, this will pull down the branch
+  receiving the changes as the source of truth.
+
+  In the production repository, this will always pull the main branch, regardless
+  of which branch is receiving the pull request.
+
+  It is expected that the CI scripts have already been installed at call time.
+inputs:
+  to-file:
+    description: Where to write the chart-locks.json file.
+    default: "/tmp/chart-locks.json"
+    required: false
+  generator-cmd-path:
+    description: |
+      The path to the generate-chart-locks command. This action expects CI
+      scripts to be installed by the caller, and so it stands to reason the
+      caller may install scripts at various locations.
+    default: "ve1/bin/generate-chart-locks"
+    required: false
+outputs:
+  lockfile-path:
+    description: |
+      Where the lock file was written. Mostly placed as an output to simplify
+      workflows for callers.
+    value: ${{ steps.generate-chart-locks.outputs.lockfile-path }}
+runs:
+  using: composite
+  steps:
+  - name: Resolve repository ref
+    id: resolve
+    shell: bash
+    run: |
+      set -e
+
+      # PRs to the production repository will always use main.
+      if [ "${GITHUB_REPOSITORY}" == "openshift-helm-charts/charts" ]; then
+        echo "Running in the production repository."
+        echo "The only allowed ref is 'refs/heads/main'."
+        echo "ref=refs/heads/main" | tee -a $GITHUB_OUTPUT
+        exit 0
+      fi
+
+      echo "GITHUB_EVENT_NAME = '${GITHUB_EVENT_NAME}'"
+      echo "GITHUB_BASE_REF = '${GITHUB_BASE_REF}'"
+
+      # GITHUB_BASE_REF is set for pull_requests/pull_requests_targets, but empty for
+      # workflow_dispatch. We'll set it to main if it's not set.
+      resolvedRef="refs/heads/${GITHUB_BASE_REF:-"main"}"
+      echo "ref=${resolvedRef}" | tee -a $GITHUB_OUTPUT
+  - name: Checkout
+    id: clone-repository
+    uses: actions/checkout@v3
+    with:
+      ref: ${{ steps.resolve.outputs.ref }}
+      path: temp-gen-chart-lock-repo
+  - name: Setting up python
+    uses: actions/setup-python@v4
+    with:
+      python-version: "3.10"
+  - name: Generate lock file JSON from existing charts
+    working-directory: temp-gen-chart-lock-repo
+    id: generate-chart-locks
+    shell: bash
+    run: |
+      set -o pipefail
+      ${{ inputs.generator-cmd-path }} | jq | tee ${{ inputs.to-file }}
+      echo "lockfile-path=$(realpath ${{ inputs.to-file }})" | tee -a $GITHUB_OUTPUT
+  - name: Cleanup
+    id: cleanup
+    if: always()
+    shell: bash
+    run: |
+      rm -rf temp-gen-chart-lock-repo

.github/actions/get-ocp-range/action.yaml

@@ -12,7 +12,7 @@ runs:
   using: "composite"
   steps:
     - name: Setup Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: '>=1.20'
 

.github/workflows/build.yml

@@ -19,10 +19,10 @@ jobs:
       github.actor != 'redhat-mercury-bot'
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python 3.x Part 1
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
 
@@ -113,18 +113,18 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Checkout PR Branch
         if: ${{ needs.setup.outputs.run_build == 'true' }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           path: "pr-branch"
 
       - name: Set up Python 3.x Part 1
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
 
@@ -149,7 +149,7 @@ jobs:
           ./ve1/bin/check-pr-content --index-branch=${INDEX_BRANCH} --repository=${{ github.repository }} --api-url=${{ github.event.pull_request._links.self.href }}
 
       - name: Add 'content-ok' label
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         if: ${{ steps.check_pr_content.outcome == 'success'}}
         continue-on-error: true
         with:
@@ -163,7 +163,7 @@ jobs:
             })
 
       - name: Remove 'content-ok' label
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         if: ${{ steps.check_pr_content.outcome == 'failure' && contains( github.event.pull_request.labels.*.name, 'content-ok') }}
         continue-on-error: true
         with:
@@ -183,7 +183,7 @@ jobs:
           exit 1
 
       - name: Remove 'authorized-request' label from PR
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         if: ${{ needs.setup.outputs.run_build == 'true' && contains( github.event.pull_request.labels.*.name, 'authorized-request') }}
         continue-on-error: true
         with:
@@ -266,15 +266,15 @@ jobs:
       - name: Get profile version set in report provided by the user
         id: get-profile-version
         if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' }}
-        uses: mikefarah/yq@v4.35.1
+        uses: mikefarah/yq@v4
         with:
           cmd: yq '.metadata.tool.profile.version' ${{ format('./pr-branch/{0}', steps.verify_requires.outputs.provided_report_relative_path) }}
 
       - name: Get the range of Kubernetes versions set in the report provided by the user
         id: get-kube-range
         if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' }}
         continue-on-error: true
-        uses: mikefarah/yq@v4.35.1
+        uses: mikefarah/yq@v4
         with:
           cmd: yq '.metadata.chart.kubeversion' ${{ format('./pr-branch/{0}', steps.verify_requires.outputs.provided_report_relative_path) }}
 
@@ -352,7 +352,7 @@ jobs:
         
       - name: Comment on PR
         if: ${{ always() && needs.setup.outputs.run_build == 'true' }}
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -368,7 +368,7 @@ jobs:
 
       - name: Add 'authorized-request' label to PR
         if: ${{ always() && steps.check_pr_content.outcome == 'success' && steps.run-verifier.outcome != 'failure' && needs.setup.outputs.run_build == 'true' }}
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -397,7 +397,7 @@ jobs:
       - name: Merge PR
         id: merge_pr
         if: ${{ steps.approve_pr.conclusion == 'success' }}
-        uses: pascalgn/automerge-action@v0.15.6
+        uses: pascalgn/automerge-action@v0.16.2
         env:
           GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
           MERGE_METHOD: squash
@@ -418,18 +418,18 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Checkout PR Branch
         if: ${{ needs.setup.outputs.run_build == 'true' }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           path: "pr-branch"
 
       - name: Set up Python 3.x Part 1
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
 
@@ -577,7 +577,7 @@ jobs:
       - name: Alert Slack helm_dev on failure to update metrics
         continue-on-error: true
         if: steps.add_metrics.outcome == 'failure'
-        uses: archive/github-actions-slack@v2.7.0
+        uses: archive/github-actions-slack@v2.8.0
         with:
           slack-bot-user-oauth-access-token: ${{ secrets.SLACK_BOT_USER_OAUTH_ACCESS_TOKEN }}
           slack-channel: C02979BDUPL

.github/workflows/check-contributor.yml

@@ -40,10 +40,10 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout repository base
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
 

.github/workflows/mercury_bot.yml

@@ -11,10 +11,10 @@ jobs:
     if: github.event.pull_request.draft == false && github.actor == 'redhat-mercury-bot'
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python 3.x Part 1
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
 
@@ -63,7 +63,7 @@ jobs:
 
       - name: Comment on PR
         if: ${{ steps.check_for_owners.outputs.merge_pr == 'false' }}
-        uses: actions/github-script@v3
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -93,7 +93,7 @@ jobs:
       - name: Merge PR
         id: merge_pr
         if: ${{ steps.approve_pr.conclusion == 'success' }}
-        uses: pascalgn/automerge-action@v0.15.6
+        uses: pascalgn/automerge-action@v0.16.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           MERGE_METHOD: squash

.github/workflows/owners.yml

@@ -14,7 +14,7 @@ jobs:
       SEGMENT_TEST_WRITE_KEY: ${{ secrets.SEGMENT_TEST_WRITE_KEY }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python 3.x Part 1
         uses: actions/setup-python@4

.github/workflows/python-style.yml

@@ -13,7 +13,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v4
     - name: Set up Python 3.x Part 1
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: "3.10"
     - name: Install style tooling

.github/workflows/test.yml

@@ -40,15 +40,15 @@ jobs:
       needs.check-contributor.outputs.is-repo-owner == 'true'
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ secrets.BOT_TOKEN }}
           fetch-depth: 0
 
       - name: Set up Python 3.x Part 1
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
 
@@ -154,7 +154,7 @@ jobs:
       - name: Merge PR
         id: merge_pr
         if: ${{ steps.check_if_release_pr.outputs.charts_release_branch == 'true' }}
-        uses: pascalgn/automerge-action@v0.15.6
+        uses: pascalgn/automerge-action@v0.16.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           MERGE_METHOD: squash