From d79c8f2404d403747fa55d8e58a8237a746f3771 Mon Sep 17 00:00:00 2001
From: Mario Trangoni
Date: Tue, 16 Jan 2024 19:59:55 +0100
Subject: [PATCH 1/5] Helm chart deployment via GH Actions

Signed-off-by: Mario Trangoni
---
.github/linters/.markdown-lint.yml | 2 ++
.github/linters/ct.yaml | 11 ++++++
.github/workflows/lint-test.yaml | 44 +++++++++++++++++++++++
.github/workflows/release.yaml | 57 ++++++++++++++++++++++++++++++
.github/workflows/superlinter.yml | 31 ++++++++++++++++
.github/workflows/sync-readme.yaml | 27 ++++++++++++++
6 files changed, 172 insertions(+)
create mode 100644 .github/linters/.markdown-lint.yml
create mode 100644 .github/linters/ct.yaml
create mode 100644 .github/workflows/lint-test.yaml
create mode 100644 .github/workflows/release.yaml
create mode 100644 .github/workflows/superlinter.yml
create mode 100644 .github/workflows/sync-readme.yaml
diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml
new file mode 100644
index 0000000..56f4e6b
--- /dev/null
+++ b/.github/linters/.markdown-lint.yml
@@ -0,0 +1,2 @@
+MD013:
+ line_length: 600
diff --git a/.github/linters/ct.yaml b/.github/linters/ct.yaml
new file mode 100644
index 0000000..0322dac
--- /dev/null
+++ b/.github/linters/ct.yaml
@@ -0,0 +1,11 @@
+# See https://github.com/helm/chart-testing#configuration
+remote: origin
+target-branch: master
+chart-dirs:
+ - deploy
+chart-repos:
+ - cert-manager-webhook-hetzner=https://vadimkim.github.io/cert-manager-webhook-hetzner
+helm-extra-args: --timeout 600s
+excluded-charts:
+additional-commands:
+ # - helm unittest --helm3 --strict --file unittests/*.yaml --file 'unittests/**/*.yaml' {{ .Path }}
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
new file mode 100644
index 0000000..4697520
--- /dev/null
+++ b/.github/workflows/lint-test.yaml
@@ -0,0 +1,44 @@
+name: Lint and Test Charts
+
+on: pull_request
+
+jobs:
+ lint-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v3
+ with:
+ version: v3.12.1
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.10'
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.6.1
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --config .github/linters/ct.yaml)
+ if [[ -n "$changed" ]]; then
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run chart-testing (lint)
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct lint --config .github/linters/ct.yaml
+
+ - name: Create kind cluster
+ if: steps.list-changed.outputs.changed == 'true'
+ uses: helm/kind-action@v1.8.0
+
+ - name: Run chart-testing (install)
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct install --config .github/linters/ct.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..31316fe
--- /dev/null
+++ b/.github/workflows/release.yaml
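Review bot: The new lint-test.yaml workflow declares no `permissions:` block, so its GITHUB_TOKEN carries whatever the repository default grants while `ct lint` and `ct install` process chart content from the pull request; a workflow-level `permissions:` with `contents: read` would scope it. The third-party steps (`azure/setup-helm@v3`, `helm/chart-testing-action@v2.6.1`, `helm/kind-action@v1.8.0`) are referenced by tag, which the action's owner can move to different code. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: helm/kind-action@<full-commit-sha>  # v1.8.0`, fixes what actually runs.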
@@ -0,0 +1,57 @@
+name: release-charts
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ release:
+ permissions:
+ contents: write # to push chart release and create a release (helm/chart-releaser-action)
+ packages: write # needed for ghcr access
+ id-token: write # needed for keyless signing
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+ - name: Fetch history
+ run: git fetch --prune --unshallow
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v3.5
+ with:
+ version: v3.12.0
+
+ - name: Run chart-releaser
+ uses: helm/chart-releaser-action@v1.6.0
+ with:
+ charts_dir: deploy
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ CR_GENERATE_RELEASE_NOTES: true
+
+ # see https://github.com/helm/chart-releaser/issues/183
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push charts to GHCR
+ run: |
+ shopt -s nullglob
+ for pkg in .cr-release-packages/*; do
+ if [ -z "${pkg:-}" ]; then
+ break
+ fi
+ helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+ done
diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
new file mode 100644
index 0000000..6bc9a89
--- /dev/null
+++ b/.github/workflows/superlinter.yml
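Review bot: `id-token: write` is granted in release.yaml "for keyless signing", but no step in this workflow signs anything, so the job can request OIDC tokens it never uses; drop that line until a signing step is added. The same job holds `contents: write` and `packages: write` while running `azure/setup-helm@v3.5`, `helm/chart-releaser-action@v1.6.0` and `docker/login-action@v3` by mutable tag, so a moved tag would execute with publish rights; pin them to full commit SHAs, e.g. `uses: docker/login-action@<full-commit-sha>  # v3`. In the push loop the `[ -z "${pkg:-}" ]` test cannot be true once `shopt -s nullglob` is set and can be removed.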
@@ -0,0 +1,31 @@
+name: Lint Code Base
+
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+
+on: pull_request
+
+jobs:
+ build:
+ name: Lint Code Base
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Lint Code Base
+ uses: docker://github/super-linter:slim-v4
+ env:
+ DEFAULT_BRANCH: master
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ LINTER_RULES_PATH: .github/linters
+ VALIDATE_ALL_CODEBASE: false
+ VALIDATE_BASH: false
+ VALIDATE_JSCPD: false
+ VALIDATE_KUBERNETES_KUBEVAL: false
+ VALIDATE_PYTHON: false
+ VALIDATE_PYTHON_FLAKE8: false
+ VALIDATE_PYTHON_BLACK: false
+ VALIDATE_YAML: false
diff --git a/.github/workflows/sync-readme.yaml b/.github/workflows/sync-readme.yaml
new file mode 100644
index 0000000..8424357
--- /dev/null
+++ b/.github/workflows/sync-readme.yaml
@@ -0,0 +1,27 @@
+on:
+ push:
+ branches:
+ - 'master'
+ paths:
+ - 'README.md'
+
+jobs:
+ build:
+ permissions:
+ contents: write # for git push
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: |
+ cp -f README.md ${{ runner.temp }}/README.md
+ - uses: actions/checkout@v4
+ with:
+ ref: gh-pages
+ - run: |
+ cp -f ${{ runner.temp }}/README.md .
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+ git add README.md
+ git commit --signoff -m "Sync README from master"
+ git push
From bd1e3bcbb61b23a7555438980c6fb5c926c69e84 Mon Sep 17 00:00:00 2001
From: Mario Trangoni
Date: Tue, 16 Jan 2024 20:10:07 +0100
Subject: [PATCH 2/5] Helm: Switch chart to use ghcr.io repository instead of docker.io

Signed-off-by: Mario Trangoni
---
.gitignore | 2 +-
.../cert-manager-webhook-hetzner/templates/deployment.yaml | 2 +-
deploy/cert-manager-webhook-hetzner/values.yaml | 5 ++++-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 3f8c273..59daa23 100644
--- a/.gitignore
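Review bot: `uses: docker://github/super-linter:slim-v4` in superlinter.yml pulls a mutable image tag and passes it `GITHUB_TOKEN`, so whatever is published under `slim-v4` at run time executes with that token. Referencing the image by digest, `uses: docker://github/super-linter@sha256:<digest>`, fixes the content that runs. The `VALIDATE_*: false` list would also read better with a one-line comment such as `# only these linters are switched off; the rest stay enabled`, if that is the intended behaviour of this super-linter version.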
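Review bot: In sync-readme.yaml the `git commit --signoff` line exits non-zero when the copied README.md is identical to the one already on gh-pages (for example on a re-run), which fails the job on a no-op; guard it with `git diff --cached --quiet || git commit --signoff -m "Sync README from master"`. Both `cp` lines splice `${{ runner.temp }}` into the script unquoted. The runner exports the same path as an environment variable, so `cp -f README.md "$RUNNER_TEMP/README.md"` and `cp -f "$RUNNER_TEMP/README.md" .` keep expression interpolation out of `run:` and tolerate spaces in the path.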
+++ b/.gitignore @@ -16,4 +16,4 @@ kubebuilder *.out # Ignore the built binary -cert-manager-webhook-hetzner +./cert-manager-webhook-hetzner diff --git a/deploy/cert-manager-webhook-hetzner/templates/deployment.yaml b/deploy/cert-manager-webhook-hetzner/templates/deployment.yaml index 50c037e..2725553 100644 --- a/deploy/cert-manager-webhook-hetzner/templates/deployment.yaml +++ b/deploy/cert-manager-webhook-hetzner/templates/deployment.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: {{ include "cert-manager-webhook-hetzner.fullname" . }} containers: - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - --tls-cert-file=/tls/tls.crt diff --git a/deploy/cert-manager-webhook-hetzner/values.yaml b/deploy/cert-manager-webhook-hetzner/values.yaml index 30ec00b..463f5ce 100644 --- a/deploy/cert-manager-webhook-hetzner/values.yaml +++ b/deploy/cert-manager-webhook-hetzner/values.yaml @@ -13,7 +13,10 @@ certManager: serviceAccountName: cert-manager image: - repository: zmejg/cert-manager-webhook-hetzner + registry: ghcr.io + repository: vadimkim/cert-manager-webhook-hetzner + # Overrides the image tag whose default is {{ printf "v%s" .Chart.AppVersion }} + tag: "" pullPolicy: IfNotPresent nameOverride: "" From 7acde37e61e7b2fe71938aa0c94ac2564a1a8e03 Mon Sep 17 00:00:00 2001 From: Mario Trangoni Date: Wed, 17 Jan 2024 10:15:40 +0100 Subject: [PATCH 3/5] Restrict PR CI jobs to relevant changes Signed-off-by: Mario Trangoni --- .github/workflows/build.yml | 4 ++++ .github/workflows/golangci-lint.yml | 5 +++++ .github/workflows/lint-test.yaml | 6 +++++- .github/workflows/superlinter.yml | 6 +++++- 4 files changed, 19 insertions(+), 2 deletions(-) 
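Review bot: The new .gitignore pattern `./cert-manager-webhook-hetzner` is unlikely to match the built binary, because gitignore patterns are not resolved like shell paths and a leading `./` is taken literally. The binary at the repository root then shows up as untracked and can be committed by accident. If the goal is to stop the old unanchored pattern from also ignoring `deploy/cert-manager-webhook-hetzner`, anchor it to the root with a leading slash instead: `/cert-manager-webhook-hetzner`.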
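Review bot: The `image:` line in deployment.yaml now always renders `{{ .Values.image.registry }}/` in front of the repository, so a release whose values set `image.registry` to an empty string gets an image reference starting with `/`, and one that already overrides `image.repository` with a registry-qualified name gets the registry twice. Emitting the prefix only when it is set avoids both, e.g. `image: "{{ with .Values.image.registry }}{{ . }}/{{ end }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"`. The container spec continues outside the hunk, and the upgrade impact on existing overrides is worth a line in the release notes.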
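Review bot: The comment added above `tag: ""` in values.yaml says the default is `{{ printf "v%s" .Chart.AppVersion }}`, but the deployment.yaml hunk in this same patch uses `default .Chart.AppVersion` with no `v` prefix, so the comment describes a tag the chart never renders. Either reword it to `# Overrides the image tag; defaults to .Chart.AppVersion` or change the template to add the prefix, depending on how the ghcr.io images are actually tagged, which is not visible here.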
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 025081f..ecce4a1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,6 +8,10 @@ on: tags: - 'v*' pull_request: + paths: + - '**.go' + - 'Dockerfile' + - 'Makefile' jobs: build: diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 4347d19..5bda17c 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -4,6 +4,11 @@ on: branches: - master pull_request: + paths: + - '**.go' + - '.golangci.yml' + - 'go.mod' + - 'go.sum' permissions: contents: read diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 4697520..b7b673c 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -1,6 +1,10 @@ name: Lint and Test Charts -on: pull_request +on: + pull_request: + paths: + - 'deploy/**' + - '.github/**' jobs: lint-test: diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml index 6bc9a89..a085dbf 100644 --- a/.github/workflows/superlinter.yml +++ b/.github/workflows/superlinter.yml @@ -3,7 +3,11 @@ name: Lint Code Base # Documentation: # https://help.github.com/en/articles/workflow-syntax-for-github-actions -on: pull_request +on: + pull_request: + paths: + - 'deploy/**' + - '.github/**' jobs: build: From 3081b6af8994f4132b62ca10dc73c8b5ea987397 Mon Sep 17 00:00:00 2001 From: Mario Trangoni Date: Wed, 17 Jan 2024 10:36:19 +0100 Subject: [PATCH 4/5] superlinter: Fix Failed to call GitHub Status API Signed-off-by: Mario Trangoni --- .github/workflows/superlinter.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml index a085dbf..7d43b9e 100644 --- a/.github/workflows/superlinter.yml +++ b/.github/workflows/superlinter.yml 
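Review bot: The `paths:` filter added to build.yml omits `go.mod` and `go.sum`, which the golangci-lint.yml hunk in this patch does list, so a pull request that only changes dependencies skips the build job entirely; add `- 'go.mod'` and `- 'go.sum'`. Neither build.yml nor golangci-lint.yml lists its own workflow file, so an edit to the workflow is not exercised on the pull request that makes it; `- '.github/workflows/build.yml'` (and the equivalent for golangci-lint.yml) covers that. If either job is a required status check, confirm in branch protection that a filtered-out run does not leave the pull request blocked on a pending check.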
@@ -13,6 +13,15 @@ jobs: build: name: Lint Code Base runs-on: ubuntu-latest + + ############################################ + # Grant status permission for MULTI_STATUS # + ############################################ + permissions: + contents: read + packages: read + statuses: write + steps: - name: Checkout Code uses: actions/checkout@v4 From 9f25fa7767720bad76ecb0d0dc4f0dd55ba14b94 Mon Sep 17 00:00:00 2001 From: Mario Trangoni Date: Tue, 16 Jan 2024 20:26:46 +0100 Subject: [PATCH 5/5] Refactor helm chart Chart.yaml, fix CI helm installation Signed-off-by: Mario Trangoni --- .github/workflows/lint-test.yaml | 6 +++++ .../cert-manager-webhook-hetzner/Chart.yaml | 22 ++++++++++++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index b7b673c..2789273 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -43,6 +43,12 @@ jobs: if: steps.list-changed.outputs.changed == 'true' uses: helm/kind-action@v1.8.0 + - name: Install cert-manager + run: | + kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.13.3/cert-manager.yaml + kubectl wait --timeout=5m --for=condition=available deployment cert-manager -n cert-manager + kubectl wait --timeout=5m --for=condition=available deployment cert-manager-webhook -n cert-manager + - name: Run chart-testing (install) if: steps.list-changed.outputs.changed == 'true' run: ct install --config .github/linters/ct.yaml diff --git a/deploy/cert-manager-webhook-hetzner/Chart.yaml b/deploy/cert-manager-webhook-hetzner/Chart.yaml index 8442d12..4ba7bca 100644 --- a/deploy/cert-manager-webhook-hetzner/Chart.yaml +++ b/deploy/cert-manager-webhook-hetzner/Chart.yaml 
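Review bot: `packages: read` is granted in the new `permissions:` block of superlinter.yml, but the only image the job references is `docker://github/super-linter:slim-v4` and nothing visible reads GitHub Packages; unless a step needs it, drop the line so the token carries only `contents: read` and `statuses: write`. The banner comment explains the `statuses` grant only, so a short trailing comment on each remaining key, e.g. `contents: read # checkout`, would document why it is there. The job's steps continue outside the hunk.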
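Review bot: The new `Install cert-manager` step in lint-test.yaml has no `if:` guard, unlike `Create kind cluster` directly above it, so on a pull request that touches only `.github/**` and leaves `changed` unset there is no cluster and `kubectl apply` fails the job; add `if: steps.list-changed.outputs.changed == 'true'`. The manifest is applied straight from a release URL: the version is fixed in the path, but nothing checks the downloaded content. Fetching it to a file and verifying a recorded checksum with `sha256sum -c` before `kubectl apply -f` would close that gap.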
@@ -1,5 +1,21 @@ -apiVersion: v1 +apiVersion: v2 +name: cert-manager-webhook-hetzner +version: 1.3.1 appVersion: "1.3.0" +kubeVersion: ">= 1.22.0-0" description: Allow cert-manager to solve DNS challenges using Hetzner DNS API -name: cert-manager-webhook-hetzner -version: 1.3.0 +home: https://github.com/vadimkim/cert-manager-webhook-hetzner +icon: https://raw.githubusercontent.com/cert-manager/cert-manager/master/logo/logo-small.png +keywords: + - cert-manager + - hetzner + - kube-lego + - letsencrypt + - tls +sources: + - https://github.com/vadimkim/cert-manager-webhook-hetzner +maintainers: + - name: vadimkim + email: vadim@ant.ee +annotations: + artifacthub.io/license: Apache-2.0