GitGuardian
diff --git a/‎.github/dependabot.yml‎
Lines changed: 22 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎.github/workflows/auto-label.yaml‎
Lines changed: 6 additions & 1 deletion b/‎.github/workflows/auto-label.yaml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.github/workflows/check-signed-commits.yaml‎
Lines changed: 44 additions & 108 deletions b/‎.github/workflows/check-signed-commits.yaml‎
Lines changed: 44 additions & 108 deletions
diff --git a/‎.github/workflows/post-merge.yaml‎
Lines changed: 161 additions & 0 deletions b/‎.github/workflows/post-merge.yaml‎
Lines changed: 161 additions & 0 deletions
@@ -0,0 +1,22 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    open-pull-requests-limit: 10
+    assignees:
+      - "CloudPirates-io/maintainers"
+    # Group all GitHub Actions updates into a single PR
+    groups:
+      github-actions:
+        patterns:
+          - "*"
@@ -5,15 +5,20 @@ on:
   pull_request:
     types: [opened]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number }}
+  cancel-in-progress: true
+
 jobs:
   label:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       issues: write
       pull-requests: write
     steps:
       - name: Apply labels
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           script: |
             let content = "";
 
@@ -1,139 +1,75 @@
-name: "Check Signed Commits"
+name: Check signed commits in PR
+on: pull_request_target
 
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-    branches:
-      - main
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
 
 jobs:
   check-signed-commits:
+    name: Check signed commits in PR
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       pull-requests: write
-      issues: write
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5.0.0
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
 
-      - name: Configure Git for SSH signature verification
-        run: |
-          # Create a temporary allowed signers file (not used for actual verification)
-          # This allows git to recognize SSH signatures exist without requiring key validation
-          touch /tmp/allowed_signers
-          git config --global gpg.ssh.allowedSignersFile /tmp/allowed_signers
-          # Configure git to recognize SSH signing format
-          git config --global gpg.format ssh
-
-      - name: Check for verified commits
-        id: check-commits
+      - name: Check for bot commits
+        id: check-bots
         run: |
           # Get all commits in the PR
           git fetch origin ${{ github.event.pull_request.base.ref }}
-          COMMITS=$(git rev-list origin/${{ github.event.pull_request.base.ref }}..${{ github.event.pull_request.head.sha }})
-
-          UNSIGNED_COMMITS=""
-          UNSIGNED_COUNT=0
-          TOTAL_COUNT=0
-
-          for commit in $COMMITS; do
-            TOTAL_COUNT=$((TOTAL_COUNT + 1))
-            # Check if commit is signed (GPG or SSH signature)
-            # %G? returns signature status
-            # %GF returns the signing key fingerprint (empty if not signed)
-            SIGNATURE=$(git log -1 --format='%G?' $commit)
-            FINGERPRINT=$(git log -1 --format='%GF' $commit)
-
-            # %G? returns:
-            # G = good GPG signature
-            # U = unverified signature (has signature but can't verify - common for SSH)
-            # B = bad signature
-            # N = no signature
-            # E = signature expired
-            # Y = good signature (expired key)
-
-            # A commit is considered SIGNED if it has any signature present
-            # We check for a fingerprint to confirm a signature exists
-            # For SSH signatures, %G? will be "U" but %GF will have the fingerprint
-
-            if [[ -z "$FINGERPRINT" ]]; then
-              # No fingerprint means no signature at all
-              UNSIGNED_COMMITS="${UNSIGNED_COMMITS}${commit}\n"
-              UNSIGNED_COUNT=$((UNSIGNED_COUNT + 1))
-            fi
-          done
-
-          echo "total_commits=${TOTAL_COUNT}" >> $GITHUB_OUTPUT
-          echo "unsigned_commits=${UNSIGNED_COUNT}" >> $GITHUB_OUTPUT
-
-          if [ $UNSIGNED_COUNT -gt 0 ]; then
-            echo "has_unsigned=true" >> $GITHUB_OUTPUT
-          else
-            echo "has_unsigned=false" >> $GITHUB_OUTPUT
-          fi
+          COMMITS=$(git log origin/${{ github.event.pull_request.base.ref }}..HEAD --format="%an")
 
-      - name: Check if comment already exists
-        if: steps.check-commits.outputs.has_unsigned == 'true'
-        id: check-comment
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          # Check if our bot has already commented on this PR
-          COMMENT_EXISTS=$(gh api \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
-            | jq -r '.[] | select(.user.login == "github-actions[bot]" and (.body | contains("⚠️ Unsigned Commits Detected"))) | .id' | head -1)
-
-          if [ -n "$COMMENT_EXISTS" ]; then
-            echo "comment_exists=true" >> $GITHUB_OUTPUT
-            echo "comment_id=${COMMENT_EXISTS}" >> $GITHUB_OUTPUT
+          echo "Commits in PR:"
+          echo "$COMMITS"
+
+          # Check if any commits are NOT from bots
+          # grep -v returns 0 (true) if it finds lines NOT matching the pattern
+          # grep -v returns 1 (false) if all lines match the pattern (all are bots)
+          if echo "$COMMITS" | grep -qv '\[bot\]'; then
+            echo "Found human commits"
+            echo "has_human_commits=true" >> $GITHUB_OUTPUT
           else
-            echo "comment_exists=false" >> $GITHUB_OUTPUT
+            echo "All commits are from bots"
+            echo "has_human_commits=false" >> $GITHUB_OUTPUT
           fi
 
-      - name: Post warning comment
-        if: steps.check-commits.outputs.has_unsigned == 'true' && steps.check-comment.outputs.comment_exists == 'false'
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          cat << 'EOF' | gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} -F -
-          ## ⚠️ Unsigned Commits Detected
-
-          This pull request contains unsigned commits.
+      - name: Check signed commits in PR
+        if: steps.check-bots.outputs.has_human_commits == 'true'
+        continue-on-error: true
+        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1.2.0
+        with:
+          comment: |
+            ## ⚠️ Unsigned Commits Detected
 
-          ### What does this mean?
+            This pull request contains unsigned commits.
 
-          Signed commits help ensure the authenticity and traceability of contributions. They allow us to verify that commits actually came from the stated author, even if GitHub accounts are deleted or modified in the future.
+            ### What does this mean?
 
-          ### Current Policy (Grace Period)
+            Signed commits help ensure the authenticity and traceability of contributions. They allow us to verify that commits actually came from the stated author, even if GitHub accounts are deleted or modified in the future.
 
-          **This is currently a warning only.** We are in a transition period to give all contributors time to set up commit signing.
+            ### Current Policy (Grace Period)
 
-          After this grace period, **all commits will be required to be signed** before PRs can be merged.
+            **This is currently a warning only.** We are in a transition period to give all contributors time to set up commit signing.
 
-          ### How to sign your commits
+            After this grace period, **all commits will be required to be signed** before PRs can be merged.
 
-          Please see our [Contributing Guide](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment) for detailed instructions on setting up commit signing.
+            ### How to sign your commits
 
-          ### Resources
+            Please see our [Contributing Guide](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment) for detailed instructions on setting up commit signing.
 
-          - [Contributing Guide: Development Setup](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment)
-          - [GitHub Docs: About Commit Signature Verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
+            ### Resources
 
-          ---
+            - [Contributing Guide: Development Setup](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment)
+            - [GitHub Docs: About Commit Signature Verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
 
-          _This check will become mandatory in the future. Please start signing your commits now to avoid issues later._
-          EOF
+            ---
 
-      - name: Success message
-        if: steps.check-commits.outputs.has_unsigned == 'false'
-        run: |
-          echo "✅ All ${{ steps.check-commits.outputs.total_commits }} commits in this PR are signed!"
+            _This check will become mandatory in the future. Please start signing your commits now to avoid issues later._
@@ -0,0 +1,161 @@
+name: "Post-Merge Changelog Update"
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'charts/**'
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  update-changelog:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout main branch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Git
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email 'github-actions[bot]@users.noreply.github.com'
+
+      - name: Fetch all tags
+        run: |
+          git fetch --tags --force
+          echo "Available tags:"
+          git tag -l | head -20
+
+      - name: Install yq
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Setup Helm
+        uses: Azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+
+      # Python is required because `ct` uses Python-based tools
+      - name: Set up Python
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        with:
+          python-version: 3.x
+
+      - name: Set up chart-testing-action
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Get changed charts from last commit
+        id: list-changed
+        run: |
+          # Get the commit SHA before the merge
+          BEFORE_SHA="${{ github.event.before }}"
+
+          # Use chart-testing to find changed charts
+          changed=$(ct list-changed --target-branch main --since "${BEFORE_SHA}")
+
+          if [[ -n "$changed" ]]; then
+            echo "Changed charts:"
+            echo "$changed"
+            echo "changed=true" >> $GITHUB_OUTPUT
+            echo 'changedCharts<<EOF' >> $GITHUB_OUTPUT
+            echo $changed >> $GITHUB_OUTPUT
+            echo 'EOF' >> $GITHUB_OUTPUT
+          else
+            echo "No chart changes detected"
+            echo "changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Get PR information
+        id: pr-info
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const commit = context.payload.head_commit;
+            const commitSha = commit.id;
+
+            // Find the PR that was merged
+            const { data: prs } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              commit_sha: commitSha
+            });
+
+            const mergedPR = prs.find(pr => pr.merged_at);
+
+            if (mergedPR) {
+              core.setOutput('pr_number', mergedPR.number);
+              core.setOutput('pr_title', mergedPR.title);
+              core.setOutput('pr_url', mergedPR.html_url);
+              console.log(`Found merged PR #${mergedPR.number}: ${mergedPR.title}`);
+            } else {
+              console.log('No merged PR found for this commit');
+              core.setOutput('pr_number', '');
+              core.setOutput('pr_title', commit.message.split('\n')[0]);
+              core.setOutput('pr_url', '');
+            }
+
+      - name: Generate changelog
+        id: generate-changelog
+        if: steps.list-changed.outputs.changed == 'true'
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          GITHUB_REPOSITORY: "${{ github.repository }}"
+          GITHUB_REPOSITORY_URL: "${{ github.server_url }}/${{ github.repository }}"
+          CHANGED_CHARTS: ${{ steps.list-changed.outputs.changedCharts }}
+          PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
+          PR_TITLE: ${{ steps.pr-info.outputs.pr_title }}
+          PR_URL: ${{ steps.pr-info.outputs.pr_url }}
+        run: |
+          set -e
+
+          # Extract chart names from changed chart directories
+          CHART_NAMES=()
+          for chart_directory in ${CHANGED_CHARTS}; do
+            CHART_NAME=${chart_directory#charts/}
+            CHART_NAMES+=("--chart" "$CHART_NAME")
+          done
+
+          # Build arguments for the changelog script
+          CHANGELOG_ARGS=("${CHART_NAMES[@]}")
+
+          if [[ -n "$PR_TITLE" ]]; then
+            CHANGELOG_ARGS+=("--pr-title" "${PR_TITLE}")
+          fi
+
+          if [[ -n "$PR_NUMBER" ]]; then
+            CHANGELOG_ARGS+=("--pr-number" "${PR_NUMBER}")
+          fi
+
+          if [[ -n "$PR_URL" ]]; then
+            CHANGELOG_ARGS+=("--pr-url" "${PR_URL}")
+          fi
+
+          # Run the changelog generation script
+          ./generate-changelog.sh "${CHANGELOG_ARGS[@]}"
+
+          # Check if there are changes
+          if git status --porcelain | grep -q 'CHANGELOG.md'; then
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+            echo "Changelog changes detected"
+          else
+            echo "No CHANGELOG changes"
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Commit and push changelog updates
+        if: steps.generate-changelog.outputs.has_changes == 'true'
+        run: |
+          git add charts/*/CHANGELOG.md
+          git commit -m "chore: update CHANGELOG.md for merged changes" \
+            -m "Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
+          git push origin main