ci(helm): auto public Helm chart after PR merged

.github/workflows/bypass-test.yaml

@@ -9,13 +9,15 @@ on:
       - 'mkdocs.yml'
       - 'LICENSE'
       - '.release-please-manifest.json'
+      - 'helm/trivy/Chart.yaml'
   pull_request:
     paths:
       - '**.md'
       - 'docs/**'
       - 'mkdocs.yml'
       - 'LICENSE'
       - '.release-please-manifest.json'
+      - 'helm/trivy/Chart.yaml'
 jobs:
   test:
     name: Test

.github/workflows/publish-chart.yaml

@@ -4,6 +4,11 @@ name: Publish Helm chart
 on:
   workflow_dispatch:
   pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - closed
     branches:
       - main
     paths:
@@ -19,6 +24,7 @@ env:
   KIND_IMAGE: "kindest/node:v1.23.6@sha256:b1fa224cc6c7ff32455e0b1fd9cbfd3d3bc87ecaa8fcb06961ed1afb3db0f9ae"
 jobs:
   test-chart:
+    if: github.event_name != 'push'
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
@@ -48,8 +54,29 @@ jobs:
           sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
           ct lint-and-install --validate-maintainers=false --charts helm/trivy
 
+  update-chart-version:
+    if: github.event_name == 'push'
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
+        with:
+          fetch-depth: 0
+      - name: Set up Git user
+        run: |
+          git config --global user.email "actions@github.com"
+          git config --global user.name "GitHub Actions"
+      - name: Get the tag without the 'v' prefix
+        run: echo "TAG=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
+      - name: Create a PR
+        run: ./misc/helm-chart/create-pr.sh ${{ env.TAG }}
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+
   publish-chart:
-    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
     needs:
       - test-chart
     runs-on: ubuntu-20.04

.github/workflows/test.yaml

@@ -7,6 +7,7 @@ on:
       - 'mkdocs.yml'
       - 'LICENSE'
       - '.release-please-manifest.json' ## don't run tests for release-please PRs
+      - 'helm/trivy/Chart.yaml'
   merge_group:
 env:
   GO_VERSION: '1.22'

misc/helm-chart/create-pr.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+
+VERSION=$1
+
+# Update version in file
+echo "Update Chart.yaml with Trivy $VERSION"
+sed -i "s/version: [0-9]\+\.[0-9]\+\.[0-9]\+/version: $VERSION/" ./helm/trivy/Chart.yaml
+sed -i "s/appVersion: [0-9]\+\.[0-9]\+\.[0-9]\+/appVersion: $VERSION/" ./helm/trivy/Chart.yaml
+
+echo "Create PR for update Trivy $VERSION in the Helm Chart"
+
+# Create a new branch
+NEW_BRANCH="ci/bump-trivy-to-$VERSION"
+
+echo "Creating new branch: $NEW_BRANCH"
+git switch -c "$NEW_BRANCH"
+
+# Create the title
+TITLE="ci(helm): bump Trivy version to $VERSION"
+
+# commit Helm Values with a new version
+git add ./helm/trivy/Chart.yaml
+git commit -m "$TITLE"
+
+# Create the pull request description
+PR_DESCRIPTION="# Description
+
+This PR bumps Trivy up to the $VERSION version for the Helm chart."
+
+echo "Pushing new branch to origin: $NEW_BRANCH"
+git push origin "$NEW_BRANCH"
+
+echo "Pull request title: $TITLE"
+
+echo "Pull request description:"
+echo "$PR_DESCRIPTION"
+
+# Create a new pull request
+echo "Creating pull request..."
+gh pr create --base main --head "$NEW_BRANCH" --title "$TITLE" --body "$PR_DESCRIPTION" --repo "$GITHUB_REPOSITORY" --label "lifecycle/active"