Tier1 #8
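# Pull-request validation for the Helm charts and profile files in this repository.
name: Validate Charts

on:
  pull_request:
    branches: [main]
    # Only run when chart, profile, environment or helmfile inputs change.
    paths:
      - 'charts/**'
      - 'profiles/**'
      - 'environments/**'
      - 'helmfile.yaml.gotmpl'

concurrency:
  # Keyed on the pull-request number rather than github.head_ref: the head branch
  # name is chosen by the contributor, so two PRs (for example from different forks)
  # that use the same branch name would share one group and cancel each other's runs.
  # The github.ref fallback only matters if a non-PR trigger is added later.
  group: validate-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Deny by default: the workflow token carries no scopes unless a job asks for them.
permissions: {}

env:
  # Opts JavaScript-based actions into the Node 24 runtime on the runner.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true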
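# All jobs run on the pull_request trigger, so the files they process (charts,
# profiles) are contributor-controlled. Each job therefore requests only
# `contents: read` and does not leave the checkout token behind in .git/config.
#
# NOTE(review): `actions/checkout@v5` and `azure/setup-helm@v4` are referenced by
# mutable tags. Pin each to a reviewed full commit SHA, e.g.
# `uses: actions/checkout@<FULL_COMMIT_SHA>  # v5`, so a moved tag cannot change
# what runs here.
jobs:
  lint:
    name: Lint Charts
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v5
        with:
          # No later step needs git credentials; do not store the token in the
          # workspace where chart tooling or later steps could read it.
          persist-credentials: false
      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.17.0
      - name: Lint all charts
        # Lints every chart directory and fails at the end if any chart failed,
        # so one bad chart does not hide results for the others.
        run: |
          exit_code=0
          for chart in charts/*/; do
            echo "::group::Linting $(basename "${chart}")..."
            helm lint "${chart}" --strict || exit_code=1
            echo "::endgroup::"
          done
          exit $exit_code

  template:
    name: Template Render
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v5
        with:
          # Keep the workflow token out of .git/config; rendering needs no git access.
          persist-credentials: false
      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.17.0
      - name: Template render all charts
        # Renders each chart offline. The `test` values are placeholders that only
        # satisfy required-value checks; rendered output is discarded to /dev/null.
        run: |
          exit_code=0
          for chart in charts/*/; do
            chart_name=$(basename "${chart}")
            echo "::group::Rendering ${chart_name}..."
            # provide dummy secrets so helm template can render without a cluster
            case "${chart_name}" in
              countly)
                helm template test-release "${chart}" \
                  --set secrets.common.encryptionReportsKey=test \
                  --set secrets.common.webSessionSecret=test \
                  --set secrets.common.passwordSecret=test \
                  --set secrets.clickhouse.password=test \
                  --set secrets.mongodb.password=test \
                  > /dev/null || exit_code=1
                ;;
              countly-clickhouse)
                helm template test-release "${chart}" \
                  --set auth.defaultUserPassword.password=test \
                  > /dev/null || exit_code=1
                ;;
              countly-kafka)
                helm template test-release "${chart}" \
                  --set kafkaConnect.clickhouse.password=test \
                  > /dev/null || exit_code=1
                ;;
              countly-mongodb)
                helm template test-release "${chart}" \
                  --set users.app.password=test \
                  --set users.metrics.password=test \
                  > /dev/null || exit_code=1
                ;;
              *)
                helm template test-release "${chart}" > /dev/null || exit_code=1
                ;;
            esac
            echo "::endgroup::"
          done
          exit $exit_code

  profile-validate:
    name: Validate Profiles
    runs-on: ubuntu-latest
    timeout-minutes: 3
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v5
        with:
          # Only file-existence checks follow; no git credentials are needed.
          persist-credentials: false
      - name: Validate profile paths
        # Checks that the expected profile files exist. A missing sizing profile is
        # only a warning; a missing observability, kafka-connect, TLS or security
        # profile (including security/hardened) fails the job.
        run: |
          exit_code=0
          # Sizing profiles — every chart should have a file for each size
          for size in local small production; do
            for chart in countly mongodb clickhouse kafka observability; do
              path="profiles/sizing/${size}/${chart}.yaml"
              if [ ! -f "${path}" ]; then
                echo "::warning::Missing sizing profile: ${path}"
              fi
            done
          done
          # Observability profiles — helmfile references observability.yaml, countly.yaml, kafka.yaml per mode
          for mode in disabled full external external-grafana; do
            for file in observability.yaml countly.yaml kafka.yaml; do
              path="profiles/observability/${mode}/${file}"
              if [ ! -f "${path}" ]; then
                echo "::error::Missing observability profile: ${path}"
                exit_code=1
              fi
            done
          done
          # Kafka-connect profiles
          for mode in throughput balanced low-latency; do
            path="profiles/kafka-connect/${mode}/kafka.yaml"
            if [ ! -f "${path}" ]; then
              echo "::error::Missing kafka-connect profile: ${path}"
              exit_code=1
            fi
          done
          # TLS profiles
          for mode in none letsencrypt provided selfSigned; do
            path="profiles/tls/${mode}/countly.yaml"
            if [ ! -f "${path}" ]; then
              echo "::error::Missing TLS profile: ${path}"
              exit_code=1
            fi
          done
          # Security profiles
          for mode in open hardened; do
            for chart in countly mongodb clickhouse kafka observability; do
              path="profiles/security/${mode}/${chart}.yaml"
              if [ ! -f "${path}" ]; then
                echo "::error::Missing security profile: ${path}"
                exit_code=1
              fi
            done
          done
          exit $exit_code

  version-check:
    name: Version Consistency
    runs-on: ubuntu-latest
    timeout-minutes: 2
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v5
        with:
          # The step below only reads Chart.yaml files; drop the persisted token.
          persist-credentials: false
      - name: Check Chart.yaml versions
        # Verifies that every Chart.yaml declares a non-empty top-level `version:`
        # and prints it. It does not compare versions between charts.
        run: |
          for chart in charts/*/Chart.yaml; do
            chart_name=$(basename "$(dirname "${chart}")")
            version=$(grep '^version:' "${chart}" | awk '{print $2}' | tr -d '"'"'")
            if [ -z "${version}" ]; then
              echo "::error::Missing version in ${chart}"
              exit 1
            fi
            echo "${chart_name}: v${version}"
          done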