Merge commit '9dd4b92' into fspiers/ENT-3334/incremental-sync-batch-1

Author: Frederic Spiers

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -56,6 +56,7 @@ body:
         - universal
         - clusterpirate
         - common
+        - etcd
         - ghost
         - keycloak
         - mariadb
@@ -68,6 +69,7 @@ body:
         - redis
         - timescaledb
         - valkey
+        - wordpress
         - zookeeper
     validations:
       required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -45,6 +45,7 @@ body:
         - universal
         - clusterpirate
         - common
+        - etcd
         - ghost
         - keycloak
         - mariadb
@@ -57,4 +58,5 @@ body:
         - redis
         - timescaledb
         - valkey
+        - wordpress
         - zookeeper

.github/PULL_REQUEST_TEMPLATE.md

@@ -4,6 +4,9 @@
  - Describe the scope of your change - i.e. what the change does.
  - Describe any known limitations with your change.
  - Please run any tests or examples that can exercise your modified code.
+ - Labels are automatically applied when they are inside the square brackets of your PR title on opening. Examples:
+   - [redis]: adds `redis` label
+   - [redis, valkey] Adds `redis` and `valkey` labels
 
  Thank you for contributing! We will try to test and integrate the change as soon as we can.
  -->
@@ -23,6 +26,7 @@
 ### Applicable issues
 
 <!-- Enter any applicable Issues here (You can reference an issue using #) -->
+
 - fixes #
 
 ### Additional information
@@ -33,6 +37,6 @@
 
 <!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->
 
-- [ ] Chart version bumped in `Chart.yaml` according to [semver](http://semver.org/). This is *not necessary* when the changes only affect README.md files.
+- [ ] Chart version bumped in `Chart.yaml` according to [semver](http://semver.org/). This is _not necessary_ when the changes only affect README.md files.
 - [ ] Variables are documented in the values.yaml and added to the `README.md`
 - [ ] Title of the pull request follows this pattern [<name_of_the_chart>] Descriptive title

.github/workflows/auto-label.yaml

@@ -2,23 +2,39 @@ name: Auto-label issues
 on:
   issues:
     types: [opened]
+  pull_request:
+    types: [opened]
 
 jobs:
   label:
     runs-on: ubuntu-latest
     permissions:
       issues: write
+      pull-requests: write
     steps:
       - name: Apply labels
         uses: actions/github-script@v7
         with:
           script: |
-            const labels = (context.payload.issue.body.split(/### Affected Helm charts/)[1] || "")
+            let content = "";
+            if (context.payload.pull_request) {
+              const parsedTitle = context.payload.pull_request.title.match(/^\[([a-z_-]+(?:, [a-z_-]+)*)\].+$/);
+              content = parsedTitle ? parsedTitle[1] : "";
+            } else {
+              content = context.payload.issue.body.split(/### Affected Helm charts/)[1] || "";
+            }
+            const { data } = await github.rest.issues.listLabelsForRepo({
+              ...context.repo,
+              per_page: 100,
+            });
+            const existingLabels = new Set(data.map((label) => label.name));
+            const labels = content
               .trim()
               .split(",")
               .map((s) => s.trim())
-              .filter((s) => s && s !== "_No response_");
+              .filter((s) => s && existingLabels.has(s));
             if (labels.length) {
+              console.log(`Adding ${labels.length} labels: ${labels.join(', ')}`)
               await github.rest.issues.addLabels({
                 ...context.repo,
                 issue_number: context.issue.number,

.github/workflows/check-signed-commits.yaml

@@ -0,0 +1,139 @@
+name: "Check Signed Commits"
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+    branches:
+      - main
+
+jobs:
+  check-signed-commits:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5.0.0
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Configure Git for SSH signature verification
+        run: |
+          # Create a temporary allowed signers file (not used for actual verification)
+          # This allows git to recognize SSH signatures exist without requiring key validation
+          touch /tmp/allowed_signers
+          git config --global gpg.ssh.allowedSignersFile /tmp/allowed_signers
+          # Configure git to recognize SSH signing format
+          git config --global gpg.format ssh
+
+      - name: Check for verified commits
+        id: check-commits
+        run: |
+          # Get all commits in the PR
+          git fetch origin ${{ github.event.pull_request.base.ref }}
+          COMMITS=$(git rev-list origin/${{ github.event.pull_request.base.ref }}..${{ github.event.pull_request.head.sha }})
+
+          UNSIGNED_COMMITS=""
+          UNSIGNED_COUNT=0
+          TOTAL_COUNT=0
+
+          for commit in $COMMITS; do
+            TOTAL_COUNT=$((TOTAL_COUNT + 1))
+            # Check if commit is signed (GPG or SSH signature)
+            # %G? returns signature status
+            # %GF returns the signing key fingerprint (empty if not signed)
+            SIGNATURE=$(git log -1 --format='%G?' $commit)
+            FINGERPRINT=$(git log -1 --format='%GF' $commit)
+
+            # %G? returns:
+            # G = good GPG signature
+            # U = unverified signature (has signature but can't verify - common for SSH)
+            # B = bad signature
+            # N = no signature
+            # E = signature expired
+            # Y = good signature (expired key)
+
+            # A commit is considered SIGNED if it has any signature present
+            # We check for a fingerprint to confirm a signature exists
+            # For SSH signatures, %G? will be "U" but %GF will have the fingerprint
+
+            if [[ -z "$FINGERPRINT" ]]; then
+              # No fingerprint means no signature at all
+              UNSIGNED_COMMITS="${UNSIGNED_COMMITS}${commit}\n"
+              UNSIGNED_COUNT=$((UNSIGNED_COUNT + 1))
+            fi
+          done
+
+          echo "total_commits=${TOTAL_COUNT}" >> $GITHUB_OUTPUT
+          echo "unsigned_commits=${UNSIGNED_COUNT}" >> $GITHUB_OUTPUT
+
+          if [ $UNSIGNED_COUNT -gt 0 ]; then
+            echo "has_unsigned=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_unsigned=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check if comment already exists
+        if: steps.check-commits.outputs.has_unsigned == 'true'
+        id: check-comment
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # Check if our bot has already commented on this PR
+          COMMENT_EXISTS=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
+            | jq -r '.[] | select(.user.login == "github-actions[bot]" and (.body | contains("⚠️ Unsigned Commits Detected"))) | .id' | head -1)
+
+          if [ -n "$COMMENT_EXISTS" ]; then
+            echo "comment_exists=true" >> $GITHUB_OUTPUT
+            echo "comment_id=${COMMENT_EXISTS}" >> $GITHUB_OUTPUT
+          else
+            echo "comment_exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Post warning comment
+        if: steps.check-commits.outputs.has_unsigned == 'true' && steps.check-comment.outputs.comment_exists == 'false'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          cat << 'EOF' | gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} -F -
+          ## ⚠️ Unsigned Commits Detected
+
+          This pull request contains unsigned commits.
+
+          ### What does this mean?
+
+          Signed commits help ensure the authenticity and traceability of contributions. They allow us to verify that commits actually came from the stated author, even if GitHub accounts are deleted or modified in the future.
+
+          ### Current Policy (Grace Period)
+
+          **This is currently a warning only.** We are in a transition period to give all contributors time to set up commit signing.
+
+          After this grace period, **all commits will be required to be signed** before PRs can be merged.
+
+          ### How to sign your commits
+
+          Please see our [Contributing Guide](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment) for detailed instructions on setting up commit signing.
+
+          ### Resources
+
+          - [Contributing Guide: Development Setup](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment)
+          - [GitHub Docs: About Commit Signature Verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
+
+          ---
+
+          _This check will become mandatory in the future. Please start signing your commits now to avoid issues later._
+          EOF
+
+      - name: Success message
+        if: steps.check-commits.outputs.has_unsigned == 'false'
+        run: |
+          echo "✅ All ${{ steps.check-commits.outputs.total_commits }} commits in this PR are signed!"

CONTRIBUTING.md

@@ -6,11 +6,23 @@ Hi there! We are thrilled that you'd like to contribute to this project. It's pe
 
 - [Code of Conduct](#code-of-conduct)
 - [How Can I Contribute?](#how-can-i-contribute)
+  - [Reporting Bugs](#reporting-bugs)
+  - [Suggesting Enhancements](#suggesting-enhancements)
+  - [Types of Contributions We're Looking For](#types-of-contributions-were-looking-for)
 - [Development Setup](#development-setup)
+  - [Prerequisites](#prerequisites)
+  - [Setting Up Your Development Environment](#setting-up-your-development-environment)
 - [Contributing Guidelines](#contributing-guidelines)
-- [Chart Development Standards](#chart-development-standards)
+  - [Chart Development Standards](#chart-development-standards)
+  - [Chart Structure](#chart-structure)
+  - [Documentation Requirements](#documentation-requirements)
+  - [Versioning](#versioning)
 - [Testing](#testing)
+  - [Running Tests](#running-tests)
+  - [Test Requirements](#test-requirements)
+  - [Manual Testing](#manual-testing)
 - [Pull Request Process](#pull-request-process)
+  - [Pull Request Checklist](#pull-request-checklist)
 
 ## Code of Conduct
 
@@ -22,21 +34,21 @@ This project and everyone participating in it is governed by our [Code of Conduc
 
 Before creating bug reports, please check the existing issues as you might find out that you don't need to create one. When you are creating a bug report, please include as many details as possible:
 
-- **Use a clear and descriptive title**
-- **Describe the exact steps to reproduce the problem**
-- **Provide specific examples to demonstrate the steps**
-- **Describe the behavior you observed and what behavior you expected**
-- **Include details about your configuration and environment**
+- Use a **clear and descriptive title**
+- Describe the **exact steps to reproduce** the problem
+- Provide **specific examples** to demonstrate the steps
+- Describe the **behavior you observed** and what **behavior you expected**
+- Include details about **your configuration and environment**
 
 ### Suggesting Enhancements
 
 Enhancement suggestions are tracked as GitHub issues. When creating an enhancement suggestion, please include:
 
-- **Use a clear and descriptive title**
-- **Provide a step-by-step description of the suggested enhancement**
-- **Provide specific examples to demonstrate the steps**
-- **Describe the current behavior and explain which behavior you expected to see**
-- **Explain why this enhancement would be useful**
+- Use a **clear and descriptive title**
+- Provide a **step-by-step description** of the suggested enhancement
+- Provide **specific examples** to demonstrate the steps
+- Describe the **current behavior** and explain which **behavior you expected** to see
+- Explain **why this enhancement would be useful**
 
 ### Types of Contributions We're Looking For
 
@@ -52,40 +64,61 @@ Enhancement suggestions are tracked as GitHub issues. When creating an enhanceme
 - Kubernetes 1.24+
 - Helm 3.2.0+
 - [helm-unittest](https://github.com/helm-unittest/helm-unittest) plugin
+- Commits verified by signature
 
 ### Setting Up Your Development Environment
 
 1. Fork the repository on GitHub
 2. Clone your fork locally:
+
    ```bash
    git clone https://github.com/your-username/helm-charts.git
    cd helm-charts
    ```
 
 3. Install the helm-unittest plugin:
+
    ```bash
    helm plugin install https://github.com/helm-unittest/helm-unittest
    ```
 
+4. Make sure to sign your commits
+
+   ```bash
+   git config gpg.format ssh
+   git config user.signingkey <filePath>
+   git config commit.gpgsign true
+   git config tag.gpgsign true
+   ```
+
+   Replace `<filePath>` with the path to your public ssh key file, e.g. `~/.ssh/id_ed25519.pub`, wich you use to push to GitHub.
+   Alternatively, a signing ssh key can be used instead.
+   If you want to sign commits in every repository, not just this one, add the `--global` parameter.
+
+   > More information: [GitHub docs](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
+
 ## Contributing Guidelines
 
 ### Chart Development Standards
 
 All charts in this repository must follow these standards:
 
 #### Security First
+
 - Implement read-only root filesystems where possible
 - Drop unnecessary Linux capabilities
 - Configure security contexts properly
 - Never hardcode credentials
 
 #### Production Ready
+
 - Include comprehensive health checks (liveness, readiness, startup probes)
 - Support resource requests and limits
 - Provide persistent storage configurations
 - Include health check endpoints
 
 #### Highly Configurable
+
 - Provide extensive `values.yaml` with detailed documentation
 - Support existing secrets and ConfigMaps
 - Offer flexible ingress configurations
@@ -154,6 +187,7 @@ helm unittest charts/your-chart
 ### Test Requirements
 
 Your tests should cover:
+
 - Template rendering with default values
 - Template rendering with custom values
 - Required value validation
@@ -181,13 +215,15 @@ kubectl get all -n test
 ## Pull Request Process
 
 1. **Branch**: Create a feature branch from `main`
+
    ```bash
    git checkout -b feature/your-chart-improvement
    ```
 
 2. **Development**: Make your changes following the guidelines above
 
 3. **Testing**: Run all tests and ensure they pass
+
    ```bash
    ./test-all-charts.sh
    helm lint ./charts/your-chart
@@ -196,6 +232,7 @@ kubectl get all -n test
 4. **Documentation**: Update documentation as needed
 
 5. **Commit**: Use clear, descriptive commit messages
+
    ```bash
    git commit -m "[chart-name] Add support for custom annotations"
    ```

charts/common/CHANGELOG.md

@@ -2,4 +2,4 @@
 
 ## 1.1.1 (2025-10-09)
 
-* [mongodb] feat: add metrics exporter ([#243](https://github.com/CloudPirates-io/helm-charts/pull/243))
+* [mongodb] fix: newline between mongo labels and additional labels ([#301](https://github.com/CloudPirates-io/helm-charts/pull/301))