diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..3a22fba
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,33 @@
+name: Release Charts
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch: {}
+
+jobs:
+ release:
+ # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+ # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ - name: Install Helm
+ uses: azure/setup-helm@v3
+
+ - name: Run chart-releaser
+ uses: helm/chart-releaser-action@v1.5.0
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 1ee6fd0..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: Release Charts
-
-on:
- push:
- branches:
- - main
- workflow_dispatch: {}
-
-jobs:
- release:
- # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
- # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
- permissions:
- contents: write
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
-
- - name: Configure Git
- run: |
- git config user.name "$GITHUB_ACTOR"
- git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-
- - name: Install Helm
- uses: azure/setup-helm@v3
-
- - name: Run chart-releaser
- uses: helm/chart-releaser-action@v1.5.0
- env:
- CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..ac5e2e8
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,73 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v6.0.0
+ hooks:
+ # Security
+ - id: detect-aws-credentials
+ args: ['--allow-missing-credentials']
+ - id: detect-private-key
+
+ # Standard checks
+ - id: check-executables-have-shebangs
+ - id: check-json
+ - id: check-symlinks
+ - id: check-toml
+ - id: check-yaml
+ # Skip Helm templates (they're not valid plain YAML due to {{ ... }})
+ exclude: '^charts/[^/]+/templates/'
+ - id: end-of-file-fixer
+ exclude: '.*\.svg$'
+ - id: pretty-format-json
+ args:
+ - '--autofix'
+ - '--no-ensure-ascii'
+ - id: trailing-whitespace
+ args: ['--markdown-linebreak-ext=md']
+
+ # Cross platform
+ - id: check-case-conflict
+ - id: destroyed-symlinks
+ - id: mixed-line-ending
+ args: ['--fix=lf']
+
+ # Git
+ - id: check-added-large-files
+ - id: check-merge-conflict
+ - id: forbid-submodules
+ - id: no-commit-to-branch
+
+- repo: https://github.com/shellcheck-py/shellcheck-py
+ rev: v0.11.0.1
+ hooks:
+ - id: shellcheck
+
+- repo: https://github.com/google/yamlfmt
+ rev: v0.21.0
+ hooks:
+ - id: yamlfmt
+ exclude: '^charts/[^/]+/templates/'
+ args:
+ - '-formatter=indentless_arrays=true'
+ - '-formatter=pad_line_comments=2'
+ - '-formatter=retain_line_breaks=true'
+
+- repo: local
+ hooks:
+ - id: yaml-extension
+ name: Check if YAML files use *.yaml extension.
+ entry: YAML filenames must have .yaml extension.
+ language: fail
+ files: '.yml$'
+
+- repo: https://github.com/gruntwork-io/pre-commit
+ rev: v0.1.30
+ hooks:
+ - id: helmlint
+
+- repo: https://github.com/norwoodj/helm-docs
+ rev: v1.14.2
+ hooks:
+ - id: helm-docs
+ args:
+ # Search for charts only under the `charts` directory
+ - --chart-search-root=charts
diff --git a/CLAUDE.md b/CLAUDE.md
index f6bacd2..aa119f1 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
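Review bot: The `detect-aws-credentials` hook with `--allow-missing-credentials` only looks for the keys configured in the committer's own AWS CLI files or environment and passes when none are configured, so on many machines it checks nothing; together with `detect-private-key` it should not be relied on as general secret scanning, and because these hooks run client-side a server-side scan in CI is worth adding if the repository does not already have one. In the local `yaml-extension` hook, `files: '.yml$'` has an unescaped dot and also matches a name such as `notes_yml`; the intended pattern is `files: '\.yml$'`. The `rev:` values of the five remote repos are tags, which can be moved upstream; pinning them to full commit SHAs (for example with `pre-commit autoupdate --freeze`) keeps the code that runs on developer machines fixed.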
@@ -34,8 +34,30 @@ helm package charts/spicedb-operator/ # Regenerate README.md from README.md.gotmpl (run after changing Chart.yaml or README.md.gotmpl) helm-docs + +# Run pre-commit checks on all files (SKIP=no-commit-to-branch avoids failure when main is checked out) +SKIP=no-commit-to-branch pre-commit run --show-diff-on-failure --color=always --all-files + +# Run a specific pre-commit hook +SKIP=no-commit-to-branch pre-commit run --show-diff-on-failure --color=always --all-files ``` +## Pre-commit + +This repo uses [pre-commit](https://pre-commit.com/) to enforce formatting and catch common issues. The configuration is in `.pre-commit-config.yaml`. Hooks run automatically on `git commit`; run `pre-commit install` to set up the git hook if needed. + +Key conventions enforced by pre-commit: + +- **YAML formatting**: `yamlfmt` auto-formats YAML files (indentless arrays, padded line comments, retained line breaks). Helm template files under `charts/*/templates/` are excluded since they contain Go template syntax. +- **YAML extension**: All YAML files must use the `.yaml` extension, not `.yml`. +- **Helm linting**: `helmlint` runs `helm lint` on all charts. +- **Helm docs**: `helm-docs` automatically regenerates `README.md` from `README.md.gotmpl` when chart files change. +- **Shell scripts**: `shellcheck` validates any shell scripts. +- **Trailing whitespace and EOF**: Files must have no trailing whitespace and end with a newline. +- **JSON formatting**: JSON files are auto-formatted with `pretty-format-json`. +- **Security**: Checks for accidentally committed AWS credentials and private keys. +- **Git hygiene**: Prevents commits directly to the default branch, checks for merge conflict markers, and flags large files. + ## Updating to a New SpiceDB Operator Version This chart is derived from the `bundle.yaml` files published in the [SpiceDB Operator releases](https://github.com/authzed/spicedb-operator/releases). 
To update the chart, you diff the old and new bundle.yaml files and apply the changes to the Helm templates. @@ -87,4 +109,4 @@ This chart is derived from the `bundle.yaml` files published in the [SpiceDB Ope ## Release Process -Releases are automated via GitHub Actions (`.github/workflows/release.yml`). Pushing to `main` triggers `helm/chart-releaser-action` which packages and publishes the chart to GitHub Pages. +Releases are automated via GitHub Actions (`.github/workflows/release.yaml`). Pushing to `main` triggers `helm/chart-releaser-action` which packages and publishes the chart to GitHub Pages. diff --git a/README.md b/README.md index 7294660..5165706 100644 --- a/README.md +++ b/README.md @@ -8,4 +8,4 @@ A Helm chart to install the [SpiceDB Operator](https://github.com/authzed/spiced helm repo add spicedb-operator-chart https://bushelpowered.github.io/spicedb-operator-chart/ helm repo update helm repo upgrade --install ... spicedb-operator-chart/spicedb-operator -``` \ No newline at end of file +```