Conversation

@motoki317 (Member) commented Jul 26, 2025

Why

Introduce a Helm chart
Package the application together with the verbose configuration we commonly apply, so that only the parts that need it can be tweaked.
Once the patch festival with kustomize starts to get painful, I think it is a good idea to move over to helm.

What I did

  • Created charts/neoshowcase/ (generated with helm create)
    • Deciding what to make adjustable via values is (inherently) hard, but I tried to keep it to a minimum for now.
    • The expectation is that we repeat: find a spot that needs it, fix it, publish, ...
    • Note: application versioning and helm chart versioning are usually completely separate. Helm charts are recommended to follow semver, so on breaking changes we keep bumping the major version. See charts/neoshowcase/Chart.yaml for details.
  • Tidied up the Actions side
    • The assumption is that you trigger the "Create new tag" or "Create new tag (helm)" workflow with a click
    • "Create new tag" → the usual app release as before & a helm release
    • "Create new tag (helm)" → only the helm release

Usage

Please refer to the usage instructions below

What I did not do

https://github.com/googleapis/release-please supports Helm, and my impression is that well-maintained repositories use something like it, but since it would require following semver and there seem to be various other considerations, for now I just did it quickly and simply with shell scripting

References

Test repository for the Actions side: https://github.com/motoki317/actions-test

@github-actions (Contributor)

Preview (prod backend + PR dashboard) → https://1086.ns-preview.trapti.tech/

@pirosiki197 (Contributor) left a comment

Thank you!

@motoki317 motoki317 marked this pull request as draft August 14, 2025 05:52
@motoki317 motoki317 marked this pull request as ready for review August 14, 2025 06:05
@motoki317 (Member Author)

@pirosiki197
At the end I added three commits that tidy up the Actions side 🙇
From the "Create new tag" or "Create new tag (helm)" workflow, the helm update & publish are now done fully automatically
So this should not increase the operational burden

Test repository: https://github.com/motoki317/actions-test

@motoki317 motoki317 requested a review from pirosiki197 August 14, 2025 06:06
@motoki317 motoki317 marked this pull request as draft August 14, 2025 06:10
@motoki317 motoki317 marked this pull request as ready for review August 14, 2025 06:18
Comment on lines +83 to +86
    needs: [ tag ]
    uses: ./.github/workflows/release-helm.yaml
    with:
      strategy: ${{ inputs.strategy }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 months ago

To fix the problem, add a permissions block to the workflow, either at the root level (applies to all jobs) or to each job individually. The minimal required permissions for this workflow are likely contents: write (to allow pushing tags) and possibly actions: read (for workflow usage), but the most important is contents: write for the tag job. For jobs that only use other workflows (like release and helm-tag), contents: read is usually sufficient. The best approach is to add a root-level permissions block with contents: write, which will apply to all jobs unless overridden. This should be added after the name and run-name fields, before the on block.

Suggested changeset 1
.github/workflows/tag.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml
--- a/.github/workflows/tag.yaml
+++ b/.github/workflows/tag.yaml
@@ -1,5 +1,7 @@
 name: Create new tag
 run-name: Create new tag (${{ inputs.strategy }})
+permissions:
+  contents: write
 
 on:
   workflow_dispatch:
EOF
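Review bot: a workflow-level `permissions:` block sets every scope it does not list to `none`, so this hunk grants `contents: write` and nothing else to all jobs in tag.yaml, including the job at lines 83-86 that calls `./.github/workflows/release-helm.yaml`; a called reusable workflow can only downgrade the caller's token, and that workflow logs into ghcr.io with `secrets.GITHUB_TOKEN` and pushes the chart, so the caller also needs `packages: write` or the publish step will be rejected. Prefer job-level permissions instead of the root block: `contents: write` on the `tag` job, `contents: read` on the jobs that only call other workflows (as the autofix text itself notes), and `contents: write` plus `packages: write` on the job that calls release-helm.yaml.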
Comment on lines 39 to 76
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: '0'

      - name: Git config
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
      - name: Update helm Chart.yaml
        run: |
          cd charts
          ./bump.sh ${{ inputs.chart }} ${{ github.event.inputs.strategy }}
          cd ..
      - name: Commit and push helm changes
        run: |
          git add charts/${{ inputs.chart }}/Chart.yaml
          git commit -m "Update charts/${{ inputs.chart }} to ${{ steps.calc-tag.outputs.new-raw }}"
          git push
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ env.REGISTRY_USER }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish chart
        run: |
          cd charts
          ./publish.sh ${{ inputs.chart }} oci://ghcr.io/${{ env.REGISTRY_USER }}/charts

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

To fix the problem, add a permissions block to the workflow to restrict the permissions granted to the GITHUB_TOKEN. The block should be placed at the top level of the workflow (before jobs:) to apply to all jobs, unless a job requires different permissions. For this workflow, since it pushes commits and publishes to a registry, it needs contents: write (to push changes to the repository). If it interacts with other resources (such as packages or pull requests), those permissions should be added as needed, but based on the provided code, only contents: write is required. The change should be made at the top of the file, after the name and run-name fields and before on:.

Suggested changeset 1
.github/workflows/release-helm.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-helm.yaml b/.github/workflows/release-helm.yaml
--- a/.github/workflows/release-helm.yaml
+++ b/.github/workflows/release-helm.yaml
@@ -1,5 +1,7 @@
 name: Release helm chart
 run-name: Release helm chart (${{ inputs.strategy }})
+permissions:
+  contents: write
 
 on:
   workflow_dispatch:
EOF
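Review bot: `contents: write` alone is not enough for this workflow: the job's `docker/login-action@v3` step authenticates to ghcr.io with `secrets.GITHUB_TOKEN` and `./publish.sh` pushes to `oci://ghcr.io/...`, which needs `packages: write`, and once a `permissions:` block exists that scope defaults to `none`, so the publish step breaks. Suggest `permissions: { contents: write, packages: write }` on the job, and the same scopes on tag.yaml where this file is called via `uses:`, since a called workflow cannot exceed the caller's token. Separately, the `run:` steps interpolate `${{ inputs.chart }}` and `${{ github.event.inputs.strategy }}` directly into the shell script text; routing them through `env:` and quoting `"$CHART"` keeps a crafted workflow_dispatch input from being parsed as shell.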
@motoki317 (Member Author)

Sorry for changing things so many times
It should be fine now

@motoki317 motoki317 merged commit a741378 into main Aug 14, 2025
19 of 21 checks passed
@motoki317 motoki317 deleted the feat/helm-chart branch August 14, 2025 08:31