name: (gha) Validate Helm Charts

on:
  pull_request:
    branches:
      - master
    paths:
      - 'charts/**'
      - '.github/workflows/gha-validate-chart.yaml'
      - '!charts/actions-runner-controller/**'
      - '!**.md'
  push:
    paths:
      - 'charts/**'
      - '.github/workflows/gha-validate-chart.yaml'
      - '!charts/actions-runner-controller/**'
      - '!**.md'
  workflow_dispatch:
env:
  KUBE_SCORE_VERSION: 1.16.1
  HELM_VERSION: v3.8.0

permissions:
  contents: read

concurrency:
  # This will make sure we only apply the concurrency limits on pull requests
  # but not pushes to master branch by making the concurrency group name unique
  # for pushes
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  validate-chart:
    name: Lint Chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Helm
        # Using https://github.com/Azure/setup-helm/releases/tag/v4.2
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
        with:
          version: ${{ env.HELM_VERSION }}

      - name: Set up kube-score
        run: |
          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
          chmod 755 kube-score

      - name: Kube-score generated manifests
        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
              --ignore-test pod-networkpolicy
              --ignore-test deployment-has-poddisruptionbudget
              --ignore-test deployment-has-host-podantiaffinity
              --ignore-test container-security-context
              --ignore-test pod-probes
              --ignore-test container-image-tag
              --enable-optional-test container-security-context-privileged
              --enable-optional-test container-security-context-readonlyrootfilesystem

      # python is a requirement for the chart-testing action below (supports yamllint among other tests)
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.6.0

      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          ct version
          changed=$(ct list-changed --config charts/.ci/ct-config-gha.yaml)
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> $GITHUB_OUTPUT
          fi

      - name: Run chart-testing (lint)
        run: |
          ct lint --config charts/.ci/ct-config-gha.yaml

      - name: Set up docker buildx
        uses: docker/setup-buildx-action@v3
        if: steps.list-changed.outputs.changed == 'true'
        with:
          version: latest

      - name: Build controller image
        uses: docker/build-push-action@v5
        if: steps.list-changed.outputs.changed == 'true'
        with:
          file: Dockerfile
          platforms: linux/amd64
          load: true
          build-args: |
            DOCKER_IMAGE_NAME=test-arc
            VERSION=dev
          tags: |
            test-arc:dev
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Create kind cluster
        uses: helm/kind-action@v1.4.0
        if: steps.list-changed.outputs.changed == 'true'
        with:
          cluster_name: chart-testing

      - name: Load image into cluster
        if: steps.list-changed.outputs.changed == 'true'
        run: |
            export DOCKER_IMAGE_NAME=test-arc
            export VERSION=dev
            export IMG_RESULT=load
            make docker-buildx
            kind load docker-image test-arc:dev --name chart-testing

      - name: Run chart-testing (install)
        if: steps.list-changed.outputs.changed == 'true'
        run: |
          ct install --config charts/.ci/ct-config-gha.yaml