merge conflicts

.clomonitor.yml

@@ -7,6 +7,12 @@ exemptions:
     reason: "Helm deps are not currently scanned. Maintainers are watching developments to dependabot-core #2237" # Justification of this exemption (mandatory, it will be displayed on the UI)
   - check: sbom
     reason: "Tracking Helm dependencies is not yet a stable practice."
+  - check: self_assessment
+    reason: "Refer to self assessments supplied by the codebases Argo Helm supports."
+  - check: signed_releases
+    reason: "Argo Helm releases are made via Artifact Hub, where they are signed. The unsigned GitHub releases are for reference only."
+  - check: license_scanning
+    reason: "Temporary exemption: pending response from CNCF Service Desk"
 
 # TODO:
 # License scanning information

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+* @mkilchhofer @jmeridth @yu-croco
+
+/charts/argo-workflows/        @vladlosev @jmeridth @yu-croco @tico24
+/charts/argo-cd/               @mbevc1 @mkilchhofer @yu-croco @jmeridth @pdrastil @tico24
+/charts/argo-events/           @pdrastil @jmeridth @tico24 @yu-croco
+/charts/argo-rollouts/         @jmeridth @yu-croco

.github/configs/cr.yaml

@@ -1,2 +1,12 @@
 ## Reference: https://github.com/helm/chart-releaser
-index-path: "./index.yaml" 
+index-path: "./index.yaml"
+
+# PGP signing
+sign: true
+key: Argo Helm maintainers
+# keyring:          # Set via env variable CR_KEYRING
+# passphrase-file:  # Set via env variable CR_PASSPHRASE_FILE
+
+# Enable automatic generation of release notes using GitHubs release notes generator.
+# see: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+generate-release-notes: true

.github/configs/ct-lint.yaml

@@ -7,7 +7,6 @@ chart-dirs:
   - charts
 chart-repos:
   - dandydeveloper=https://dandydeveloper.github.io/charts/
-helm-extra-args: "--timeout 600s"  
 validate-chart-schema: false
 validate-maintainers: true
 validate-yaml: true

.github/configs/labeler.yaml

@@ -1,17 +1,23 @@
 argo-cd:
-  - charts/argo-cd/**/*
+  - changed-files:
+      - any-glob-to-any-file: charts/argo-cd/**
 
 argo-events:
-  - charts/argo-events/**/*
+  - changed-files:
+      - any-glob-to-any-file: charts/argo-events/**
 
 argo-rollouts:
-  - charts/argo-rollouts/**/*
+  - changed-files:
+      - any-glob-to-any-file: charts/argo-rollouts/**
 
 argo-workflows:
-  - charts/argo-workflows/**/*
+  - changed-files:
+      - any-glob-to-any-file: charts/argo-workflows/**
 
 argocd-image-updater:
-  - charts/argocd-image-updater/**/*
+  - changed-files:
+      - any-glob-to-any-file: charts/argocd-image-updater/**
 
 argocd-apps:
-  - charts/argocd-apps/**/*
+  - changed-files:
+      - any-glob-to-any-file: charts/argocd-apps/**

.github/pull_request_template.md

@@ -1,6 +1,8 @@
+<!--
 Note on DCO:
 
 If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the *Details* link next to the DCO action for instructions on how to resolve this.
+-->
 
 Checklist:
 
@@ -11,4 +13,4 @@ Checklist:
 * [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/blob/master/community/CONTRIBUTING.md).
 * [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/stable/developer-guide/ci/)).
 
-Changes are automatically published when merged to `main`. They are not published on branches.
+<!-- Changes are automatically published when merged to `main`. They are not published on branches. -->

.github/workflows/chart-version-bump.yml

@@ -0,0 +1,57 @@
+## Used on Renovate PRs to bump the chart version and add a changelog entry
+## Reference: https://github.com/stefanzweifel/git-auto-commit-action
+## Reference: https://github.com/marketplace/actions/changed-files
+name: 'Chart Version Bump and Changelog'
+
+on:
+  pull_request:
+    types:
+      - labeled
+
+permissions:
+  contents: write
+
+jobs:
+  helm-bumper:
+    if: ${{ (contains(github.event.pull_request.labels.*.name, 'renovate')) }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          token: ${{ secrets.PAT }}
+          fetch-depth: 0
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@ae82ed4ae04587b665efad2f206578aa6f0e8539 # v42.0.0
+        with:
+          files: charts/{argo-workflows,argo-cd,argo-events,argo-rollouts,argocd-image-updater}/Chart.yaml
+
+      - name: "Bump Version and Changelog"
+        run: |
+          chartName="$(echo \"${{ steps.changed-files.outputs.all_changed_files }}\" | cut -d '/' -f2)"
+          echo "Changed chart name is: $chartName"
+          echo "----------------------------------------"
+
+          parentDir="charts/${chartName}"
+
+          # Bump the chart version by one patch version
+          version=$(grep '^version:' ${parentDir}/Chart.yaml | awk '{print $2}')
+          major=$(echo $version | cut -d. -f1)
+          minor=$(echo $version | cut -d. -f2)
+          patch=$(echo $version | cut -d. -f3)
+          patch=$(expr $patch + 1)
+          sed -i "s/^version:.*/version: ${major}.${minor}.${patch}/g" ${parentDir}/Chart.yaml
+
+          # Add a changelog entry
+          appVersion=$(grep '^appVersion:' ${parentDir}/Chart.yaml | awk '{print $2}')
+          sed -i -e '/^  artifacthub.io\/changes: |/,$d' ${parentDir}/Chart.yaml
+          echo "  artifacthub.io/changes: |" >> ${parentDir}/Chart.yaml
+          echo "    - kind: changed" >> ${parentDir}/Chart.yaml
+          echo "      description: Bump ${chartName} to ${appVersion}" >> ${parentDir}/Chart.yaml
+          cat ${parentDir}/Chart.yaml
+
+      - name: "Commit and push changes"
+        uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5.0.0
+        with:
+          commit_options: '--signoff'

.github/workflows/lint-and-test.yml

@@ -6,30 +6,42 @@ permissions:
   contents: read
 
 jobs:
+  linter-artifacthub:
+    runs-on: ubuntu-latest
+    container:
+      image: public.ecr.aws/artifacthub/ah:v1.14.0
+      options: --user 1001
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Run ah lint
+        working-directory: ./charts
+        run: ah lint
+
   chart-test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
         with:
           version: v3.10.1 # Also update in publish.yaml
 
       - name: Set up python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: 3.9
 
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@v2.3.0
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
         with:
           # Note: Also update in scripts/lint.sh
-          version: v3.7.0
+          version: v3.10.0
 
       - name: List changed charts
         id: list-changed
@@ -38,8 +50,8 @@ jobs:
           changed=$(ct --config ./.github/configs/ct-lint.yaml --target-branch ${{ github.base_ref }} list-changed)
           charts=$(echo "$changed" | tr '\n' ' ' | xargs)
           if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
-            echo "::set-output name=changed_charts::$charts"
+            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed_charts=$charts" >> $GITHUB_OUTPUT
           fi
       - name: Run chart-testing (lint)
         run: ct lint --debug --config ./.github/configs/ct-lint.yaml --target-branch ${{ github.base_ref }} --lint-conf ./.github/configs/lintconf.yaml
@@ -56,7 +68,7 @@ jobs:
             echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
           fi
       - name: Create kind cluster
-        uses: helm/kind-action@v1.4.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         if: steps.list-changed.outputs.changed == 'true'
         with:
           config: .github/configs/kind-config.yaml

.github/workflows/pr-sizing.yml

@@ -1,8 +1,12 @@
 ## Reference: https://github.com/pascalgn/size-label-action
 name: 'PR Labeling'
+
 on: 
   pull_request_target:
-    types: [opened, synchronize, reopened]
+    types:
+      - opened
+      - synchronize
+      - reopened
 
 permissions:
   contents: read
@@ -12,7 +16,7 @@ jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v4
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           configuration-path: ".github/configs/labeler.yaml"
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
@@ -21,7 +25,6 @@ jobs:
   size-label:
     runs-on: ubuntu-latest
     steps:
-      - name: size-label
-        uses: "pascalgn/[email protected]"
+      - uses: pascalgn/size-label-action@37a5ad4ae20ea8032abf169d953bcd661fd82cd3 # v0.5.0
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/pr-title.yml

@@ -19,7 +19,7 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -31,6 +31,7 @@ jobs:
             argo-workflows
             argocd-image-updater
             argocd-apps
+            deps
             github
           # Configure that a scope must always be provided.
           requireScope: true

.github/workflows/publish.yml

@@ -11,15 +11,16 @@ jobs:
   publish:
     permissions:
       contents: write  # for helm/chart-releaser-action to push chart release and create a release
+      packages: write  # to push OCI chart package to GitHub Registry
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
         with:
           version: v3.10.1 # Also update in lint-and-test.yaml
 
@@ -41,4 +42,4 @@ jobs:
           config: "./.github/configs/cr.yaml"
           skip_packaging: true
         env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/scorecard.yml

@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '21 6 * * 6'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    if: github.repository_owner == 'argoproj'
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        with:
+          sarif_file: results.sarif

.github/workflows/stale.yml

@@ -14,7 +14,7 @@ jobs:
       pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Number of days of inactivity before an issue becomes stale

CODE_OF_CONDUCT.md

@@ -0,0 +1,9 @@
+# Code of Conduct
+
+We adhere to the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).  Please reference the link for details.
+
+## TL;DR (too long didn't read)
+
+Be kind
+
+Your participation is at the discression of the maintainers of this project.