Update Helm linting and testing workflow

[empovit]

• Bump action versions
• Bump and pin Kind and K8s versions
• Update the ConsolePlugin CRD
• Allow manual dispatching
• Allow forcing lint and test even if no changes were made

Summary by CodeRabbit

• New Features

  • Added Content Security Policy support for plugins and enhanced proxy configuration options.

• Documentation

  • Expanded and clarified descriptions for plugin fields, proxy settings, i18n loading (now accepts an empty-string option), and CSP guidance.

• Breaking Changes

  • Proxy authorization representation changed between API versions (type/format modified).

• Chores

  • CI workflow improved: manual trigger with force-install option, conditional gating of lint/cluster/setup/install steps, and updated CI actions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: empovit

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [empovit]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Adds a workflow_dispatch input and a conditional "should-install" gating to the Helm lint/install GitHub Actions workflow; upgrades several action versions. Extends the ConsolePlugin CRD: adds v1 spec.contentSecurityPolicy, marks proxy list atomic, changes proxy.authorization to a string enum, and expands schema descriptions.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow /.github/workflows/helm-lint-test.yaml	Add workflow_dispatch inputs (force_install_unchanged, target_branch); add should-install step to determine whether to run; gate ct lint/install, Kind cluster creation, kubectl setup, and OpenShift deps behind should-install; pass --all when forced; upgrade multiple actions (checkout v6, setup-helm v4, setup-python v6, chart-testing-action v2.8.0, kubectl setup v4); set Kind parameters.
ConsolePlugin CRD (schema & metadata) deployment/hack/crds/consoleplugin.customresourcedefinition.yaml	Add CRD metadata annotations and multiline descriptions; introduce spec.contentSecurityPolicy in v1 with detailed directive schema and examples; set x-kubernetes-list-type: atomic for ConsolePluginProxy in v1; change proxy.authorization semantics (string enum vs boolean in v1alpha1); add "" option to i18n.loadType in v1alpha1; numerous description/formatting refinements.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant User as Workflow trigger
    participant GH as GitHub Actions
    participant Decide as should-install step
    participant CT as chart-testing (ct)
    participant Kind as Kind action
    participant Kubectl as kubectl/setup
    participant OpenShift as OpenShift deps

    User->>GH: trigger (workflow_dispatch) with inputs
    GH->>Decide: run should-install (inspect inputs + ct list-changed)
    alt should-install = true
        Decide->>CT: ct lint (include --all if forced, use target_branch)
        Decide->>Kind: create Kind cluster (version/node_image)
        Kind->>Kubectl: provide cluster context
        Decide->>Kubectl: setup kubectl (v4)
        Decide->>OpenShift: setup OpenShift deps
        Decide->>CT: ct install (include --all if forced, use target_branch)
    else should-install = false
        Decide-->>GH: skip cluster/setup/install
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Use dynamic target branch in chart-testing workflow #103: Modifies the same helm-lint-test.yaml workflow to pass a dynamic target branch to chart-testing, closely related to the workflow changes here.

Suggested labels

lgtm

Suggested reviewers

• TomerNewman

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Update Helm linting and testing workflow' accurately summarizes the main change in the pull request, which is updating the Helm workflow file with new action versions, triggers, and conditional logic.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 157b636 and b84e816.

📒 Files selected for processing (2)

• .github/workflows/helm-lint-test.yaml
• deployment/hack/crds/consoleplugin.customresourcedefinition.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/helm-lint-test.yaml

🔇 Additional comments (3)

deployment/hack/crds/consoleplugin.customresourcedefinition.yaml (3)

241-250: LGTM: Empty string added as valid loadType value.

The addition of the empty string ("") to the i18n.loadType enum is consistent with the updated description stating that omitting the value or setting it to empty string is equivalent to Lazy type behavior. This provides flexibility for plugin developers.

---

346-346: LGTM: Atomic list type for proxy array.

The addition of x-kubernetes-list-type: atomic ensures that the entire proxy array is replaced as a unit during updates, which is appropriate for this configuration structure and prevents partial updates that could lead to inconsistent states.

---

107-229: CEL validation rules for contentSecurityPolicy are correctly implemented.

All four requested verifications pass:

1. Uniqueness validation (self.all(x, self.exists_one(y, x == y))) correctly ensures each value appears exactly once in the array using the standard CEL pattern.

2. Character restriction validations properly reject quotes, whitespace, commas, semicolons, and wildcards through individual CEL rules using contains() and matches() operators.

3. Total size constraint (self.map(x, x.values.map(y, y.size()).sum()).sum() < 8192) accurately sums character lengths across all directives and enforces the 8KB limit through nested mapping.

4. x-kubernetes-list-type: map with directive as the list-map-key correctly prevents duplicate directive types.

The implementation is comprehensive, well-structured, and follows Kubernetes CEL validation best practices.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b84e816 and 1f732a5.

📒 Files selected for processing (2)

• .github/workflows/helm-lint-test.yaml
• deployment/hack/crds/consoleplugin.customresourcedefinition.yaml

🔇 Additional comments (9)

.github/workflows/helm-lint-test.yaml (4)

7-16: LGTM! Manual workflow dispatch is a useful addition.

The workflow_dispatch trigger with the force_install_unchanged input is well-structured and provides flexibility for manual testing runs.

---

39-50: Excellent conditional logic for gating installations.

The should-install step correctly determines whether to run the subsequent steps based on:

1. The force_install_unchanged input flag, OR
2. Detection of changed charts via ct list-changed

The conditional execution and --all flag usage in the lint step are implemented correctly. When triggered by pull requests (where the input is undefined), the logic properly falls back to checking for chart changes.

---

52-80: LGTM! Consistent conditional gating across all installation steps.

All subsequent steps (kind cluster creation, kubectl setup, OpenShift dependencies, and chart installation) are properly gated on the should-install output. This prevents unnecessary resource allocation when charts are unchanged and the force flag is not set. The --all flag usage in the install step is consistent with the lint step.

---

23-23: All action versions are confirmed to exist and are stable.

Verification confirms that all updated GitHub Actions versions are published and actively used:

• actions/checkout@v4 (v4.0.0+, requires Actions Runner >= v2.308.0)
• azure/setup-helm@v4 (tagged releases available)
• helm/[email protected] (released Jan 20, includes updates to ct v3.11.0, yamllint 1.33.0, yamale 4.0.4)
• helm/[email protected] (stable tag in use across workflows)
• azure/setup-kubectl@v4 (latest v4.0.1 on GitHub Marketplace)

deployment/hack/crds/consoleplugin.customresourcedefinition.yaml (5)

4-12: LGTM! Standard OpenShift CRD annotations.

The metadata annotations follow OpenShift conventions and indicate proper API approval via the referenced GitHub PR.

---

107-229: Excellent CSP implementation with comprehensive validations.

The new contentSecurityPolicy field is well-designed with:

• Proper list-type annotations (map for directives, atomic for values)
• Robust CEL validations preventing injection attacks (no quotes, whitespace, commas, semicolons, wildcards)
• Uniqueness enforcement and size limits (8kb total)
• Clear documentation with examples and MDN references

The implementation correctly ensures each directive appears once via the list-map-keys annotation.

---

346-346: Appropriate list-type annotation for proxy array.

The atomic list type is a safe choice for the proxy array, requiring full array replacement during updates. This prevents patch conflicts and is reasonable given proxy configurations are typically small.

---

28-48: Excellent documentation improvements throughout v1 schema.

The description enhancements provide:

• Better formatting with multi-line YAML strings for readability
• More detailed explanations and practical examples
• Improved API documentation clarity
• Proper handling of empty string in loadType enum for backward compatibility

Also applies to: 52-70, 99-100, 231-236, 241-251, 256-274, 289-294, 300-305, 320-322, 333-334

---

279-287: No action needed — authorization field change is properly aligned with upstream OpenShift.

The field evolution from authorize (boolean) to authorization (enum string) between v1alpha1 and v1 is documented in OpenShift's API. The enum supports UserToken (include auth token) and None (no token), with default None, maintaining backward compatibility semantics. The api-approved annotation references the proper upstream PR.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/helm-lint-test.yaml (1)

52-57: Consider updating node_image to match Kind v0.31.0's provided images.

Kind v0.31.0 provides pre-built images including "v1.32.11: kindest/node:v1.32.11@sha256:5fc52d52a7b9574015299724bd68f183702956aa4a2116ae75a63cb574b35af8". The workflow specifies kindest/node:v1.32.0, which may not be built for Kind v0.31.0.

For improved reliability and reproducibility, consider either:

1. Updating to kindest/node:v1.32.11 (latest 1.32.x for v0.31.0)
2. Pinning the image with its sha256 digest for guaranteed compatibility

🔎 Suggested fix

       uses: helm/[email protected]
       with:
         version: v0.31.0
-        node_image: kindest/node:v1.32.0
+        node_image: kindest/node:v1.32.11@sha256:5fc52d52a7b9574015299724bd68f183702956aa4a2116ae75a63cb574b35af8

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1f732a5 and 509826a.

📒 Files selected for processing (2)

• .github/workflows/helm-lint-test.yaml
• deployment/hack/crds/consoleplugin.customresourcedefinition.yaml

🔇 Additional comments (10)

.github/workflows/helm-lint-test.yaml (6)

7-16: LGTM!

The workflow_dispatch trigger with the force_install_unchanged input is well-structured, allowing manual triggering with an optional override to force install even when charts are unchanged.

---

39-46: LGTM!

The logic correctly determines whether to proceed with installation based on either the manual force flag or detected chart changes. The script handles the pull_request trigger case where force_install_unchanged will be empty.

---

48-50: LGTM!

The conditional execution and the dynamic --all flag based on the force input are correctly implemented.

---

59-76: LGTM!

The kubectl setup and OpenShift dependencies configuration are properly gated and correctly configure the test environment with CRDs and TLS certificates.

---

78-80: LGTM!

The chart-testing install step is correctly gated and uses the same dynamic --all flag pattern as the lint step.

---

22-37: All action versions verified and appropriate.

All specified action versions exist and are valid:

• actions/checkout@v6 (v6.0.1, released Dec 2, 2025)
• azure/setup-helm@v4 (v4.3.1, latest stable)
• actions/setup-python@v6 (v6.1.0, released Nov 25)
• helm/[email protected] (confirmed in official examples)

Helm v3.19.0 is a feature release that addresses previous compatibility concerns. The version bumps are appropriate and ready to merge.

deployment/hack/crds/consoleplugin.customresourcedefinition.yaml (4)

4-12: LGTM!

The metadata annotations follow standard OpenShift CRD conventions for API approval, capability declaration, and release inclusion flags.

---

28-106: LGTM!

The enhanced descriptions provide clearer documentation for the CRD fields, following Kubernetes API conventions with proper multi-line formatting.

---

107-229: Comprehensive CSP configuration with correct validation rules.

The contentSecurityPolicy field provides a well-structured CSP model with appropriate CEL validations for security constraints. The validation expressions correctly enforce:

• No single quotes, whitespace, commas, or semicolons in values
• No wildcard (*) values
• Uniqueness of values within each directive
• Total combined size limit of 8KB

Note: The schema defines 6 directive types (DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ConnectSrc) but maxItems: 5 at line 221 means only 5 can be specified simultaneously. This appears to be intentional from the upstream OpenShift API.

---

237-346: LGTM!

The i18n and proxy field updates are well-structured:

• The x-kubernetes-list-type: atomic at line 346 ensures atomic updates to the proxy list, which is appropriate for this use case
• The authorization field with UserToken/None enum provides clear configuration options
• Enhanced descriptions improve API documentation

[coderabbitai]

Actionable comments posted: 2

Fix all issues with AI Agents 🤖

In @.github/workflows/helm-lint-test.yaml:
- Line 23: The workflow updates introduce action version compatibility risks;
verify your runners meet the minimum GitHub Actions Runner versions (>=
v2.327.1, preferably v2.329.0+) and either pin or adjust action versions
accordingly: confirm actions/checkout@v6 is supported by your runners or
revert/pin to a compatible release (e.g., v5) if using older runners, pin
azure/setup-helm to a stable patch (e.g., v4.3.1) rather than a moving v4 tag,
and ensure actions/setup-python and helm/chart-testing-action versions match
your runner/node requirements before merging.

In @deployment/hack/crds/consoleplugin.customresourcedefinition.yaml:
- Around line 221-225: The contentSecurityPolicy array currently sets maxItems:
5 but the enum/doc list six directive types (DefaultSrc, ScriptSrc, StyleSrc,
ImgSrc, FontSrc, ConnectSrc); update the schema by changing maxItems from 5 to 6
for the contentSecurityPolicy array (and ensure x-kubernetes-list-type/map keys
remain unchanged) so all six directives can be defined once each.

♻️ Duplicate comments (1)

deployment/hack/crds/consoleplugin.customresourcedefinition.yaml (1)

231-233: Typo acknowledged from upstream.

The typo "dispalyName" was previously flagged and the author confirmed it matches upstream for easier comparison. No further action needed.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 509826a and 544d952.

📒 Files selected for processing (2)

• .github/workflows/helm-lint-test.yaml
• deployment/hack/crds/consoleplugin.customresourcedefinition.yaml

🔇 Additional comments (17)

deployment/hack/crds/consoleplugin.customresourcedefinition.yaml (8)

4-12: LGTM!

The metadata annotations follow standard OpenShift CRD conventions and provide appropriate capability and release inclusion markers.

---

28-47: LGTM!

The descriptions follow Kubernetes API conventions and provide appropriate documentation links.

---

199-201: Verify the quote validation CEL rule.

The validation rule !self.contains("''") appears to check for two consecutive single quotes ('') rather than a single quote character. Based on the message "CSP directive value cannot contain a quote", the intent seems to be checking for a single quote.

If this is from upstream, you may want to verify the behavior matches the documented intent.

---

241-251: LGTM!

The description clearly documents the empty string option and its equivalence to Lazy loading behavior.

---

279-287: LGTM!

The authorization field change from boolean to string enum provides better extensibility while maintaining backward compatibility with the default value of None.

---

345-346: LGTM!

Adding x-kubernetes-list-type: atomic to the proxy array ensures proper replace-on-update semantics, which is appropriate for this type of configuration.

---

182-216: LGTM!

The CSP values array has appropriate constraints with proper uniqueness validation using CEL's exists_one pattern.

---

107-148: Well-documented CSP configuration.

The contentSecurityPolicy field has comprehensive documentation with clear examples showing how directives are aggregated across plugins. The MDN links provide helpful reference material for users.

.github/workflows/helm-lint-test.yaml (9)

7-16: LGTM!

The workflow_dispatch trigger with the force_install_unchanged input is well-structured. Using type: choice provides good UX and prevents invalid values.

---

32-34: LGTM!

Python 3.13 is the latest stable Python version and is appropriate for CI workflows.

---

39-46: LGTM!

The conditional gating logic is well-implemented. It correctly sets the should-install output based on either the force_install_unchanged input or detected chart changes via ct list-changed.

---

49-50: LGTM!

The conditional execution and dynamic --all flag addition are correctly implemented. When force_install_unchanged is true, all charts will be linted regardless of changes.

---

63-63: LGTM!

The conditional gating for OpenShift dependencies and chart installation is consistently applied across all relevant steps. The dynamic --all flag handling in the install step correctly mirrors the lint step.

Also applies to: 79-80

---

59-60: azure/setup-kubectl@v4 is available.

The action is released with versions v4.0.0 and v4.0.1, so the reference in the workflow is valid.

---

56-57: Consider updating to Kubernetes v1.33 or later; Kind v0.31.0 exists but defaults to v1.35.0.

Kind v0.31.0 was released December 18, 2025 and defaults to Kubernetes v1.35.0, suggesting much newer versions are readily available. Kubernetes 1.32 reaches end-of-life February 28, 2026—approximately 2 months away. Update to v1.33.x or higher for extended support and consistency with Kind's upstream defaults.

Likely an incorrect or invalid review comment.

---

30-30: Helm v3.19.0 is compatible with Kubernetes v1.32.0. The upgrade from v3.16.3 resolves the previously identified incompatibility, as Helm v3.19.0 officially supports Kubernetes 1.31.x through 1.34.x.

---

54-54: helm/kind-action v1.13.0 is a valid release. It exists and has been publicly released with documented changes including kubectl sha256 verification and kind bumping to v0.29.0.

[empovit]

@yakovbeder

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @deployment/hack/crds/consoleplugin.customresourcedefinition.yaml:
- Around line 174-181: The schema's enum lists six directive types (DefaultSrc,
ScriptSrc, StyleSrc, ImgSrc, FontSrc, ConnectSrc) but the associated maxItems is
incorrectly set to 5; update the maxItems value to 6 for the property that
constrains this enum and do the same for the second occurrence referenced in the
comment so the maximum allowed items matches the six unique directives.
- Around line 231-236: Fix the typo in the CRD description for the displayName
field: change "dispalyName" to "displayName" in the multiline description under
the displayName property (the description block for the displayName
maxLength/minLength/type entries) so the text reads "The displayName should be
between 1 and 128 characters."

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 544d952 and adc96fc.

📒 Files selected for processing (2)

• .github/workflows/helm-lint-test.yaml
• deployment/hack/crds/consoleplugin.customresourcedefinition.yaml

🔇 Additional comments (9)

.github/workflows/helm-lint-test.yaml (6)

7-21: LGTM - Well-structured workflow_dispatch inputs.

The workflow_dispatch configuration allows manual triggering with clear options for forcing installation and specifying a target branch. The use of choice type for the boolean-like force_install_unchanged ensures valid input values.

---

44-59: LGTM - Solid conditional logic for determining installation need.

The target branch resolution follows a sensible fallback chain (manual input → PR base ref → current branch). The short-circuit evaluation with force_install_unchanged is correctly implemented.

---

72-74: LGTM - Proper gating of kubectl setup.

The kubectl setup is correctly gated behind the should-install check.

---

91-93: LGTM - Install step properly gated with --all flag support.

The install step correctly applies the --all flag when force_install_unchanged is true, allowing testing of all charts regardless of changes.

---

65-70: Versions confirmed as available and compatible.

Both Kind v0.31.0 and kindest/node:v1.32.0 are released and available. The version combination is valid for this workflow.

---

28-42: All action and tool versions are available and stable. actions/checkout@v6, actions/setup-python@v6, and azure/setup-helm@v4 use floating major version tags that automatically reference their latest stable patches. helm/[email protected] and Helm v3.19.0 are confirmed stable releases.

deployment/hack/crds/consoleplugin.customresourcedefinition.yaml (3)

4-12: LGTM - Standard OpenShift CRD annotations.

The metadata annotations follow OpenShift conventions for API approval, feature gates, and capability declarations.

---

199-229: LGTM - Comprehensive CSP validation rules.

The CEL validations correctly prevent CSP injection vectors by disallowing quotes, whitespace, commas, semicolons, and wildcards. The uniqueness check and total size limit (8KB) are well-designed safeguards.

---

346-346: LGTM - Appropriate list type for proxy array.

The x-kubernetes-list-type: atomic annotation is suitable for the proxy list, ensuring the entire list is replaced atomically on updates.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @deployment/hack/crds/consoleplugin.customresourcedefinition.yaml:
- Around line 231-234: Fix the typo in the CRD description: change "dispalyName"
to "displayName" in the description string under the field that defines
displayName (the description block paired with maxLength: 128) so the text reads
"The displayName should be between 1 and 128 characters."
- Around line 221-229: The schema's maxItems is incorrect and the size
validation is off-by-one: update maxItems from 5 to 6 to match the six directive
enum values (DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ConnectSrc) and
change the validation rule in x-kubernetes-validations from using "< 8192" to
"<= 8192" (and adjust the message text if needed to reflect "must not exceed
8192 (8kb)") so the combined directive value size allows 8192 bytes inclusive.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between adc96fc and 9e803c9.

📒 Files selected for processing (2)

• .github/workflows/helm-lint-test.yaml
• deployment/hack/crds/consoleplugin.customresourcedefinition.yaml

🔇 Additional comments (9)

.github/workflows/helm-lint-test.yaml (6)

7-21: LGTM!

The workflow_dispatch configuration is well-structured with clear descriptions and sensible defaults. Using choice type for the boolean-like force_install_unchanged provides a better UI experience.

---

44-59: LGTM!

The branch detection logic correctly handles all workflow trigger scenarios: explicit workflow_dispatch input, PR base_ref, and fallback to current branch. The gating condition properly short-circuits when force_install_unchanged is true.

---

61-63: LGTM!

The conditional execution and dynamic --all flag work correctly.

---

72-93: LGTM!

All remaining steps are correctly gated with the should-install conditional, maintaining consistency throughout the workflow. The --all flag handling mirrors the lint step appropriately.

---

28-42: Action and tool versions are valid.

All versions are confirmed to exist and are current releases:

• actions/checkout@v6 ✓
• azure/setup-helm@v4 ✓
• actions/setup-python@v6 ✓
• helm/[email protected] ✓
• Helm v3.19.0 ✓

No compatibility issues detected with these version upgrades.

---

65-70: Kind v0.31.0 defaults to Kubernetes v1.35.0; confirm the v1.32.0 pin is intentional.

All versions are valid and exist:

• helm/[email protected] ✓
• Kind v0.31.0 ✓
• kindest/node:v1.32.0 ✓

However, Kind v0.31.0 defaults to Kubernetes v1.35.0, which removes cgroup v1 support. Your explicit pin to v1.32.0 appears to avoid this breaking change. Ensure this older Kubernetes version is intentional for your test needs.

deployment/hack/crds/consoleplugin.customresourcedefinition.yaml (3)

4-12: LGTM!

The metadata annotations follow standard OpenShift CRD conventions for API approval, capabilities, and CA bundle injection.

---

237-254: LGTM!

The loadType description clearly documents the behavior for each enum value including the empty string fallback semantics.

---

255-346: LGTM!

The addition of x-kubernetes-list-type: atomic is appropriate for proxy configurations where the entire list should be treated as a unit. The enhanced descriptions improve clarity around the proxy endpoint configuration.