feat(helm): Use conftest to validate "safe to automerge" diffs (#143)

jbuck · web-flow · commit c7df50778d33 · 2026-05-06T14:41:57.000-04:00
## Description This PR uses conftest to validate "safe to automerge" diffs  ## Related Tickets & Documents * MZCLD-2112 * mozilla/helm-charts#263
diff --git a/.github/workflows/diff-rendered-charts.yml b/.github/workflows/diff-rendered-charts.yml
@@ -8,6 +8,12 @@
 name: render and diff helm charts
 on:
   workflow_call:
+    inputs:
+      automerge_test:
+        description: Run confest against helm diff output to evaluate if PR is safe to automerge
+        default: false
+        required: false
+        type: boolean
 
 jobs:
   get_changed_helm_charts:
@@ -102,9 +108,6 @@ jobs:
       - get_changed_helm_charts
       - render_charts
     steps:
-      - name: setup helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 #v4.3.1
-
       - name: download artifacts
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
         with:
@@ -123,6 +126,7 @@ jobs:
           done
         env:
           CHARTS: ${{ needs.get_changed_helm_charts.outputs.charts }}
+
       - name: post diff as comment on pull request
         if: needs.get_changed_helm_charts.outputs.charts != ''
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -178,3 +182,120 @@ jobs:
                 body: comment
               })
             }
+
+  evaulate_helm_chart_automerge:
+    if: inputs.automerge_test
+    runs-on: ubuntu-latest
+    needs:
+      - get_changed_helm_charts
+      - render_charts
+    steps:
+      - name: set commit status
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #v9.0.0
+        with:
+          script: |
+            github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: context.payload.pull_request.head.sha,
+              state: 'pending',
+              context: 'conftest test',
+              description: '',
+              target_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
+            })
+
+      - name: download artifacts
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
+        with:
+          pattern: shared-*
+          merge-multiple: true
+          path: "shared"
+
+      # TODO Move this step into a separate action with tool cache support
+      - name: install conftest
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          gh release download v0.68.2 -R open-policy-agent/conftest -p "*_Linux_x86_64.tar.gz" -O - | tar xzf -
+          mv conftest /usr/local/bin
+
+      # TODO Move this step into a separate action with tool cache support
+      - name: install diffnest
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          gh release download v1.7.0 -R sters/diffnest -p "*_linux-amd64.tar.gz" -O - | tar xzf -
+          mv diffnest /usr/local/bin
+
+      - name: structured diff
+        env:
+          CHARTS: ${{ needs.get_changed_helm_charts.outputs.charts }}
+        run: |
+          set -euo pipefail
+
+          shopt -s nullglob
+
+          for chart in ${CHARTS}; do
+            CONFIGS=`find "shared/base-charts/${chart}" "shared/head-charts/${chart}" -mindepth 1 -maxdepth 1 -type d -print0 | xargs --null basename -a | sort | uniq`
+
+            mkdir -p diff/${chart}
+
+            for config in ${CONFIGS}; do
+              for dir in "shared/base-charts/${chart}/${config}" "shared/head-charts/${chart}/${config}"; do
+                OUTPUT_FILE="${dir}.yaml"
+
+                touch "$OUTPUT_FILE"
+
+                # Recursively find and concatenate all files
+                find "$dir" -type f | sort | while read -r file; do
+                  cat "$file" >> "$OUTPUT_FILE"
+                  echo "" >> "$OUTPUT_FILE"  # ensure newline between files
+                done
+              done
+
+              diffnest --format json-patch "shared/base-charts/${chart}/${config}.yaml" "shared/head-charts/${chart}/${config}.yaml" > "diff/${chart}/${config}.json" || true
+            done
+          done
+
+      - name: conftest test
+        id: conftest
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -uo pipefail
+
+          CONFTEST_OUTPUT=$(conftest test --no-color --no-fail --strict --update https://raw.githubusercontent.com/mozilla/helm-charts/main/policy/helm-automerge.rego diff)
+          CONFTEST_EXIT_CODE=$?
+          STATUS_DESCRIPTION=$(echo "$CONFTEST_OUTPUT" | tail -1)
+
+          echo "STATUS_DESCRIPTION=${STATUS_DESCRIPTION}" >> "$GITHUB_OUTPUT"
+          echo "${STATUS_DESCRIPTION}" >> $GITHUB_STEP_SUMMARY
+          if [ ${CONFTEST_EXIT_CODE} -eq 0 ]; then
+            echo "STATUS_STATE=success" >> "$GITHUB_OUTPUT"
+          else
+            echo "STATUS_STATE=failure" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: set commit status
+        env:
+          STATUS_DESCRIPTION: ${{ steps.conftest.outputs.STATUS_DESCRIPTION }}
+          STATUS_STATE: ${{ steps.conftest.outputs.STATUS_STATE }}
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #v9.0.0
+        with:
+          script: |
+            const description = process.env.STATUS_DESCRIPTION
+            const state = process.env.STATUS_STATE
+
+            github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: context.payload.pull_request.head.sha,
+              state: state,
+              context: 'conftest test',
+              description: description,
+              target_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
+            })
