fix(helm): address Aikido review findings on validation scripts

Apply the fixes from the per-finding review branches directly:

validate-helm-charts.sh:
- process_chart now returns instead of exit, so the sequential loop
  validates every chart and reaches the summary (the parallel path is
  unaffected).
- Use a single `mktemp -d` dir (lint/template files) instead of an
  unused base temp file; clean up with one `rm -rf`.
- Pass the chart path to `helm dependency update` / `helm template`
  instead of cd-ing into the dir; drop the now-unused INITIAL_DIR.
- Split the `helm template | kubeconform` pipeline for readability
  (keeping the `if !` guard, which is pipefail-safe).

test-local.sh:
- Redact LABELS_SERVICE_API_KEY when echoing the auth response.
- Correct the eth_getLogs decimal block numbers (0x1254048f =
  307,496,079, 0x12558b2f = 307,596,079, range = 100,000).

The Aikido suggestion to move should_skip_validation before `helm lint`
was intentionally not applied: lint is meant to run for all charts;
only kubeconform is skipped for database charts.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: rguichard

helm/charts/erpc/test-local.sh

@@ -192,7 +192,9 @@ if [ -n "${LABELS_SERVICE_API_KEY:-}" ] && [ "$LABELS_SERVICE_API_KEY" != "your-
             echo "✅ Authentication with proper secret parameter works"
         else
             echo "⚠️  Authentication secret parameter didn't work as expected"
-            echo "   Response: $auth_response_with_secret"
+            # Redact the API key in case the response (or a reflected error)
+            # echoes back the request URL containing the secret.
+            echo "   Response: ${auth_response_with_secret//$LABELS_SERVICE_API_KEY/***REDACTED***}"
         fi
     else
         echo "⚠️  Authentication might not be properly configured (no auth rejection detected)"
@@ -222,8 +224,8 @@ if echo "$response" | grep -q '"result"'; then
     log_count=$(echo "$response" | jq -r '.result | length' 2>/dev/null || echo "unknown")
     echo "✅ Arbitrum eth_getLogs test successful"
     echo "   Logs found: $log_count"
-    echo "   Block range: 0x1254048f (307,074,191) to 0x12558b2f (307,166,767)"
-    echo "   Range size: ~92,576 blocks"
+    echo "   Block range: 0x1254048f (307,496,079) to 0x12558b2f (307,596,079)"
+    echo "   Range size: 100,000 blocks"
 elif echo "$response" | grep -q '"error"'; then
     error_message=$(echo "$response" | jq -r '.error.message // .error' 2>/dev/null || echo "unknown")
     echo "⚠️  eth_getLogs returned error (expected for large ranges):"

validate-helm-charts.sh

@@ -39,10 +39,6 @@ if ! command -v helm &> /dev/null; then
     exit 1
 fi
 
-# Store the initial working directory
-INITIAL_DIR=$(pwd)
-export INITIAL_DIR
-
 # Set base directories to scan (erpc: base chart + prd env wrapper only)
 DIRS_TO_SCAN=("helm/charts/erpc" "helm/environments/prd/erpc")
 
@@ -80,7 +76,9 @@ export SKIP_VALIDATION_CHARTS
 process_chart() {
     local chart_path=$1
     local chart_name=$(basename "$chart_path")
-    local result_file=$(mktemp)
+    local result_dir=$(mktemp -d)
+    local lint_file="$result_dir/lint"
+    local template_file="$result_dir/template"
     local has_error=0
 
     # Store the absolute path to the chart
@@ -89,9 +87,9 @@ process_chart() {
     echo "Processing: ${chart_path}" >&2
 
     # Run helm lint
-    if ! helm lint "$chart_absolute_path" > "$result_file.lint" 2>&1; then
+    if ! helm lint "$chart_absolute_path" > "$lint_file" 2>&1; then
         echo -e "${RED}✗ Helm lint failed for ${chart_name}${NC}" >&2
-        cat "$result_file.lint" >&2
+        cat "$lint_file" >&2
         has_error=1
     else
         echo -e "${GREEN}✓ Helm lint passed for ${chart_name}${NC}" >&2
@@ -100,39 +98,39 @@ process_chart() {
     # Check if this chart should skip validation
     if should_skip_validation "$chart_name"; then
         echo -e "${YELLOW}⊘ Skipping kubeconform for ${chart_name} (database chart)${NC}" >&2
-        rm -f "$result_file" "$result_file.lint" "$result_file.template"
-        exit $has_error
+        rm -rf "$result_dir"
+        return $has_error
     fi
 
     # Build dependencies if Chart.yaml exists and has dependencies
     if [ -f "${chart_absolute_path}/Chart.yaml" ]; then
         if grep -q "dependencies:" "${chart_absolute_path}/Chart.yaml"; then
-            cd "$chart_absolute_path"
-            if ! helm dependency update > /dev/null 2>&1; then
+            if ! helm dependency update "$chart_absolute_path" > /dev/null 2>&1; then
                 echo -e "${RED}✗ Dependency update failed for ${chart_name}${NC}" >&2
-                cd "$INITIAL_DIR"
-                rm -f "$result_file" "$result_file.lint" "$result_file.template"
-                exit 1
+                rm -rf "$result_dir"
+                return 1
             fi
         fi
 
-        # Run template validation
-        cd "$chart_absolute_path"
-        if ! helm template . 2>/dev/null | kubeconform --ignore-missing-schemas --summary --skip "$CUSTOM_RESOURCES" > "$result_file.template" 2>&1; then
+        # Run template validation: render the chart and validate the
+        # resulting manifests with kubeconform. The pipeline's exit status
+        # reflects kubeconform (the last command), which is what we check.
+        if ! helm template "$chart_absolute_path" 2>/dev/null \
+            | kubeconform --ignore-missing-schemas --summary --skip "$CUSTOM_RESOURCES" \
+                > "$template_file" 2>&1; then
             echo -e "${RED}✗ Kubeconform failed for ${chart_name}${NC}" >&2
-            cat "$result_file.template" >&2
+            cat "$template_file" >&2
             has_error=1
         else
             echo -e "${GREEN}✓ Kubeconform passed for ${chart_name}${NC}" >&2
         fi
-        cd "$INITIAL_DIR"
     else
         echo -e "${RED}No Chart.yaml found in ${chart_path}${NC}" >&2
         has_error=1
     fi
 
-    rm -f "$result_file" "$result_file.lint" "$result_file.template"
-    exit $has_error
+    rm -rf "$result_dir"
+    return $has_error
 }
 
 # Export for parallel