Skip to content

feat!: bump default Helm version v3.8.2 → v4.2.0 (PIE-6)#90

Open
mangyau wants to merge 3 commits into
masterfrom
pie-6/update-default-versions
Open

feat!: bump default Helm version v3.8.2 → v4.2.0 (PIE-6)#90
mangyau wants to merge 3 commits into
masterfrom
pie-6/update-default-versions

Conversation

@mangyau
Copy link
Copy Markdown

@mangyau mangyau commented Jun 1, 2026
edited
Loading

Summary

  • Bumps the version parameter default in commands/install_helm_client.yml from v3.8.2 to v4.2.0
  • v3.8.2 was released April 2022; v4.2.0 is the latest Helm stable release.
  • Adds Helm 4 plugin verification support to install_helm_plugin:
    • New skip_verify param (default false) — passes --verify=false for plugins without GPG-signed provenance files
    • New gpg_key_url param — imports a GPG public key before installation, enabling fully verified installs for plugins that ship .prov files
    • Updates helm-secrets test to v4.7.6 via direct tarball URL with GPG key import (Helm 4 can only verify tarball-URL installs, not GitHub repo URLs)
    • Sets skip_verify: true for helm-env (unmaintained plugin with no provenance support)

Breaking change

Users who relied on the v3.8.2 default without pinning an explicit `version` will now get Helm v4.2.0.

Migration guide (v→v+1)

# Pin the old version to keep it:
- helm/install_helm_client:
    version: "v3.8.2"

Closes PIE-6

@mangyau mangyau requested a review from a team as a code owner June 1, 2026 17:18
@linear-code
Copy link
Copy Markdown

linear-code Bot commented Jun 1, 2026

PIE-6

@mangyau
feat!: bump default Helm version from v3.8.2 to v4.2.0
3c9b114 
v3.8.2 was released in April 2022. v4.2.0 is the latest Helm stable
release as of the date of this commit.

BREAKING CHANGE: users relying on the v3.8.2 default must now pin an explicit version.
@mangyau mangyau force-pushed the pie-6/update-default-versions branch from 9a8a08b to 3c9b114 Compare June 2, 2026 14:35
@mangyau mangyau changed the title feat!: bump default Helm version v3.8.2 → v3.20.2 (PIE-6) feat!: bump default Helm version v3.8.2 → v4.2.0 (PIE-6) Jun 2, 2026
mangyau added 2 commits June 2, 2026 16:08
@mangyau
fix: add Helm 4 plugin verification support to install_helm_plugin
2f2da64 
- Add skip_verify param (default false) to pass --verify=false for
  plugins without GPG-signed provenance files
- Add gpg_key_url param to import a signing key before installation,
  enabling verified installs for plugins that provide .prov files
- Refactor install script to build args array cleanly
- Update helm-secrets test to v4.7.6 tarball URL with GPG key import
  (v4.7.0+ ships .prov files; repo URL installs cannot be verified in Helm 4)
- Set skip_verify: true for helm-env (unmaintained, no provenance support)
@mangyau
fix: correct skip_verify and GPG legacy keyring export
3b25517 
- Export imported GPG key to ~/.gnupg/pubring.gpg after gpg --import, as
  GPG 2.1+ uses the .kbx keybox format by default but Helm requires the
  legacy pubring.gpg format for plugin verification
@mangyau mangyau force-pushed the pie-6/update-default-versions branch from 3e42526 to 3b25517 Compare June 2, 2026 20:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mangyau