Merge pull request #26 from codefresh-io/merge-upstream-argo-rollouts

Argo rollouts merge upstream 2.31.6 tag

.github/configs/cr.yaml

@@ -1,2 +1,12 @@
 ## Reference: https://github.com/helm/chart-releaser
-index-path: "./index.yaml" 
+index-path: "./index.yaml"
+
+# PGP signing
+sign: true
+key: Argo Helm maintainers
+# keyring:          # Set via env variable CR_KEYRING
+# passphrase-file:  # Set via env variable CR_PASSPHRASE_FILE
+
+# Enable automatic generation of release notes using GitHubs release notes generator.
+# see: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+generate-release-notes: true

.github/pull_request_template.md

@@ -1,6 +1,8 @@
+<!--
 Note on DCO:
 
 If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the *Details* link next to the DCO action for instructions on how to resolve this.
+-->
 
 Checklist:
 
@@ -11,4 +13,4 @@ Checklist:
 * [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/blob/master/community/CONTRIBUTING.md).
 * [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/stable/developer-guide/ci/)).
 
-Changes are automatically published when merged to `main`. They are not published on branches.
+<!-- Changes are automatically published when merged to `main`. They are not published on branches. -->

.github/workflows/lint-and-test.yml

@@ -6,27 +6,39 @@ permissions:
   contents: read
 
 jobs:
+  linter-artifacthub:
+    runs-on: ubuntu-latest
+    container:
+      image: public.ecr.aws/artifacthub/ah:v1.14.0
+      options: --user 1001
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Run ah lint
+        working-directory: ./charts
+        run: ah lint
+
   chart-test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
         with:
           version: v3.10.1 # Also update in publish.yaml
 
       - name: Set up python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
           python-version: 3.9
 
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@v2.3.0
+        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
         with:
           # Note: Also update in scripts/lint.sh
           version: v3.7.0
@@ -38,8 +50,8 @@ jobs:
           changed=$(ct --config ./.github/configs/ct-lint.yaml --target-branch ${{ github.base_ref }} list-changed)
           charts=$(echo "$changed" | tr '\n' ' ' | xargs)
           if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
-            echo "::set-output name=changed_charts::$charts"
+            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed_charts=$charts" >> $GITHUB_OUTPUT
           fi
       - name: Run chart-testing (lint)
         run: ct lint --debug --config ./.github/configs/ct-lint.yaml --target-branch ${{ github.base_ref }} --lint-conf ./.github/configs/lintconf.yaml
@@ -56,11 +68,20 @@ jobs:
             echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
           fi
       - name: Create kind cluster
-        uses: helm/kind-action@v1.4.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         if: steps.list-changed.outputs.changed == 'true'
         with:
           config: .github/configs/kind-config.yaml
 
+      - name: Deploy latest ArgoCD CRDs when testing ArgoCD extensions
+        if: |
+          contains(steps.list-changed.outputs.changed_charts, 'argocd-image-updater') ||
+          contains(steps.list-changed.outputs.changed_charts, 'argocd-apps')
+        run: |
+          helm repo add dandydeveloper https://dandydeveloper.github.io/charts/
+          helm dependency build charts/argo-cd/
+          helm template charts/argo-cd/ --set server.extensions.enabled=true -s templates/crds/* | kubectl apply -f -
+
       - name: Skip HPA tests of ArgoCD
         if: contains(steps.list-changed.outputs.changed_charts, 'argo-cd')
         run: |
@@ -74,4 +95,4 @@ jobs:
           helm install redis bitnami/redis --wait --namespace redis --set auth.password=argocd --set architecture=standalone
       - name: Run chart-testing (install)
         run: ct install --config ./.github/configs/ct-install.yaml --target-branch ${{ github.base_ref }}
-        if: steps.list-changed.outputs.changed == 'true'
+        if: steps.list-changed.outputs.changed == 'true'

.github/workflows/pr-sizing.yml

@@ -1,8 +1,12 @@
 ## Reference: https://github.com/pascalgn/size-label-action
 name: 'PR Labeling'
+
 on: 
   pull_request_target:
-    types: [opened, synchronize, reopened]
+    types:
+      - opened
+      - synchronize
+      - reopened
 
 permissions:
   contents: read
@@ -12,7 +16,7 @@ jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v4
+      - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
         with:
           configuration-path: ".github/configs/labeler.yaml"
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
@@ -21,7 +25,6 @@ jobs:
   size-label:
     runs-on: ubuntu-latest
     steps:
-      - name: size-label
-        uses: "pascalgn/[email protected]"
+      - uses: pascalgn/size-label-action@37a5ad4ae20ea8032abf169d953bcd661fd82cd3 # v0.5.0
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/pr-title.yml

@@ -19,7 +19,7 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5.2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -31,6 +31,7 @@ jobs:
             argo-workflows
             argocd-image-updater
             argocd-apps
+            deps
             github
           # Configure that a scope must always be provided.
           requireScope: true

.github/workflows/publish.yml

@@ -5,6 +5,8 @@ on:
   push:
     branches:
       - argo-rollouts
+    paths:
+      - "charts/**"
 
 permissions:
   contents: read
@@ -13,15 +15,16 @@ jobs:
   publish:
     permissions:
       contents: write  # for helm/chart-releaser-action to push chart release and create a release
+      packages: write  # to push OCI chart package to GitHub Registry
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 0
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
         with:
           version: v3.10.1 # Also update in lint-and-test.yaml
 
@@ -37,10 +40,28 @@ jobs:
           rm -rf .cr-release-packages
           mkdir .cr-release-packages
           helm package charts/argo-rollouts -u -d .cr-release-packages/
+
+      # The GitHub repository secret `PGP_PRIVATE_KEY` contains the private key
+      # in ASCII-armored format. To export a (new) key, run this command:
+      # `gpg --armor --export-secret-key <my key>`
+      - name: Prepare PGP key
+        run: |
+          IFS=""
+          echo "$PGP_PRIVATE_KEY" | gpg --dearmor > $HOME/secring.gpg
+          echo "$PGP_PASSPHRASE" > $HOME/passphrase.txt
+
+          # Tell chart-releaser-action where to find the key and its passphrase
+          echo "CR_KEYRING=$HOME/secring.gpg" >> "$GITHUB_ENV"
+          echo "CR_PASSPHRASE_FILE=$HOME/passphrase.txt" >> "$GITHUB_ENV"
+        env:
+          PGP_PRIVATE_KEY: "${{ secrets.PGP_PRIVATE_KEY }}"
+          PGP_PASSPHRASE: "${{ secrets.PGP_PASSPHRASE }}"
+
+
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@main
+        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
         with:
           config: "./.github/configs/cr.yaml"
           skip_packaging: true
         env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/scorecard.yml

@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '21 6 * * 6'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    if: github.repository_owner == 'argoproj'
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        with:
+          sarif_file: results.sarif

.github/workflows/stale.yml

@@ -14,7 +14,7 @@ jobs:
       pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Number of days of inactivity before an issue becomes stale

CODEOWNERS

@@ -1,16 +1,14 @@
-# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
-
-# Other and new charts
-/charts/ @oliverbaehler
+# All
+*                              @mkilchhofer @jmeridth
 
 # Argo Workflows
-/charts/argo-workflows/ @stefansedich @paguos @vladlosev @yann-soubeyrand @jmeridth @yu-croco
+/charts/argo-workflows/        @vladlosev @jmeridth @yu-croco @tico24
 
 # Argo CD
-/charts/argo-cd/ @davidkarlsen @mr-sour @yann-soubeyrand @mbevc1 @mkilchhofer @yu-croco @jmeridth @pdrastil
+/charts/argo-cd/               @mbevc1 @mkilchhofer @yu-croco @jmeridth @pdrastil @tico24
 
 # Argo Events
-/charts/argo-events/ @jbehling @VaibhavPage @pdrastil
+/charts/argo-events/           @pdrastil @jmeridth @tico24
 
 # Argo Rollouts
-/charts/argo-rollouts/
+/charts/argo-rollouts/         @jmeridth

CODE_OF_CONDUCT.md

@@ -0,0 +1,9 @@
+# Code of Conduct
+
+We adhere to the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).  Please reference the link for details.
+
+## TL;DR (too long didn't read)
+
+Be kind
+
+Your participation is at the discression of the maintainers of this project.

CONTRIBUTING.md

@@ -80,21 +80,35 @@ Changes on a chart must be documented in a chart specific changelog in the `Char
 
 A new `artifacthub.io/changes` needs to be written covering only the changes since the previous release.
 
-Each change requires a new bullet point following the pattern `- "[{type}]: {description}"`. You can use the following template:
+Each change requires a new bullet point following the pattern. See more information [Artifact Hub annotations in Helm Chart.yaml file](https://artifacthub.io/docs/topics/annotations/helm/).
+
+```yaml
+- kind: {type}
+  description: {description}
+```
+
+You can use the following template:
 
 ```yaml
 name: argo-cd
-version: 3.4.1
+version: 5.19.12
 ...
 annotations:
   artifacthub.io/changes: |
-    - "[Added]: Something New was added"
-    - "[Changed]: Changed Something within this chart"
-    - "[Changed]: Changed Something else within this chart"
-    - "[Deprecated]: Something deprecated"
-    - "[Removed]: Something was removed"
-    - "[Fixed]: Something was fixed"
-    - "[Security]: Some Security Patch was included"
+    - kind: added
+      description: Something New was added
+    - kind: changed
+      description: Changed Something within this chart
+    - kind: changed
+      description: Changed Something else within this chart
+    - kind: deprecated
+      description: Something deprecated
+    - kind: removed
+      description: Something was removed
+    - kind: fixed
+      description: Something was fixed
+    - kind: security
+      description: Some Security Patch was included
 ```
 
 ## Testing
@@ -108,7 +122,7 @@ helm install charts/argo-workflows -n argo
 argo version
 ```
 
-Follow this instructions for running a hello world workflow.
+Follow [these](https://argoproj.github.io/argo-workflows/quick-start/#submitting-an-example-workflow) instructions for running a hello world workflow.
 
 ### Testing Argo CD Changes