chore(ci): publish helm charts to gh-pages on tags#23
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @roderik, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request refactors the continuous integration process for Helm chart publishing. The primary goal is to transition the chart distribution mechanism from an internal Harbor registry to GitHub Pages, providing a more standardized and accessible approach. This change also enforces that chart releases are tied to Git tags, enhancing version control, and includes a cleanup of outdated packaging scripts.
Highlights
- Helm Chart Publishing: The method for publishing Helm charts has been updated, moving from pushing to a Harbor registry to utilizing
helm-gh-pagesfor distribution. - Publishing Restriction: Chart publishing is now explicitly restricted to occur only when a new tag is pushed, ensuring versioned releases.
- Script Removal: Obsolete Helm packaging and Harbor registry push scripts have been removed from the
package.jsonfile, streamlining the project configuration.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in pull request comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
|
To view in Slack, search for: 1758136398.456669 |
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey there - I've reviewed your changes and they look great!
Blocking issues:
- An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location> `.github/workflows/qa.yml:277` </location>
<code_context>
uses: stefanprodan/helm-gh-pages@v1.7.0
</code_context>
<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
*Source: opengrep*
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 | ||
| github.event_name == 'push' && | ||
| startsWith(github.ref, 'refs/tags/') | ||
| uses: stefanprodan/helm-gh-pages@v1.7.0 |
There was a problem hiding this comment.
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
github-actions
Bot
added
the
status:ready-for-review
There was a problem hiding this comment.
Code Review
This pull request removes the npm scripts for packaging and pushing the Helm chart to Harbor, which aligns with the goal of migrating to a GitHub Pages-based publishing workflow. The change is clean and focused. However, the documentation in README.md has not been updated to reflect the new way of consuming the Helm chart from GitHub Pages. I've left a specific comment regarding this.
github-actions
Bot
added
status:merged
1 participant
Summary
Testing
Summary by Sourcery
Switch Helm chart publishing in the CI workflow from Harbor to GitHub Pages on tagged releases and remove associated packaging scripts.
CI:
Chores: