
add pr based chart releases #24

Merged
KevinGruber2001 merged 8 commits into main from add-dependency-cache
Feb 10, 2026

Conversation

@KevinGruber2001 (Collaborator) commented Feb 8, 2026

Summary by CodeRabbit

  • Chores
    • Automated preview CI added: packages charts on PRs, publishes preview versions, and posts installation instructions to PRs.
    • Release workflow updated to install Helm and resolve chart dependencies.
    • Local settings file added declaring allowed external fetch/CLI permissions.
    • Chart defaults updated: shared config mount path changed (now read-only), plugins supported via init step and plugins volume, Prometheus credentials added, and repository configuration format normalized.

@coderabbitai bot commented Feb 8, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

Adds a local Claude settings file with allowed WebFetch/Bash permissions, a PR-triggered GitHub Actions workflow that packages and publishes Helm chart previews to GHCR, updates the release workflow to install Helm and update chart deps, modifies Helm chart values to support plugins and a new config mount path, and converts Reposilite repository config from a map to an array.

Changes

Claude config (./.claude/settings.local.json): New local Claude configuration declaring an allow list for WebFetch domains and Bash command patterns.

Chart preview workflow (./.github/workflows/chart-preview.yml): New PR-triggered workflow: checkout, install Helm, helm dependency update, compute PREVIEW_VERSION, package chart, push OCI package to GHCR, and post a PR comment with install instructions.

Release workflow update (./.github/workflows/release.yml): Added azure/setup-helm@v4 step and helm dependency update ./chart before chart release steps.

Helm chart values & deployment (./chart/values.yaml): Changed REPOSILITE_OPTS config path to /etc/reposilite/configuration.shared.json; added Prometheus env/initContainer to download a plugin; added plugins emptyDir volume and plugin mount; adjusted shared config mount to use subPath and readOnly.

Reposilite shared config template (./chart/templates/reposilite-shared-config.yaml): Converted Maven repositories from an object/map to an array of repository objects (id fields); renamed preserved → preserveSnapshots; removed storageProvider; renamed proxied link → reference; adjusted YAML structure accordingly.

Sequence Diagram

sequenceDiagram
    participant PR as PR Event
    participant GA as GitHub Actions
    participant Repo as Repository
    participant Helm as Helm CLI
    participant GHCR as GHCR Registry
    participant Commenter as PR Commenter

    PR->>GA: Trigger chart-preview workflow
    activate GA
    GA->>Repo: Checkout repository
    GA->>Helm: Install Helm (azure/setup-helm)
    GA->>Helm: helm dependency update ./chart
    GA->>Repo: Read Chart.yaml, compute PREVIEW_VERSION
    GA->>Helm: helm package ./chart --version PREVIEW_VERSION
    GA->>GHCR: Authenticate & push packaged chart
    GHCR-->>GA: Publish confirmation
    GA->>Commenter: Post PR comment with install instructions
    Commenter-->>PR: Installation instructions added
    deactivate GA

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through charts and JSON bright,
I fetched a plugin in the night.
A preview gem with version spun,
Pushed to GHCR—now tests can run.
I twitch my nose: the pipeline’s fun!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'add pr based chart releases' accurately reflects the main changes in the pull request, which adds GitHub Actions workflows for publishing Helm charts to GHCR based on pull requests and releases.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.claude/settings.local.json:
- Around line 1-11: The file .claude/settings.local.json (containing the
developer-specific "permissions.allow" array) should not be committed; add
.claude/settings.local.json to .gitignore, remove it from tracking with git rm
--cached .claude/settings.local.json and commit that change, and optionally add
a committed template (e.g., .claude/settings.example.json) showing the allowed
keys/structure so contributors can create their own local copy with the
"permissions.allow" entries.

In @.github/workflows/chart-preview.yml:
- Around line 11-14: The workflow lacks the required permission for the
marocchino/sticky-pull-request-comment action; update the workflow permissions
block to include pull-requests: write so the "Comment install instructions" step
(the marocchino/sticky-pull-request-comment action) can create/update PR
comments without a 403; i.e., add the pull-requests: write permission alongside
contents: read and packages: write in the permissions section.
🧹 Nitpick comments (2)
.github/workflows/chart-preview.yml (2)

25-30: Version parsing could be more robust.

The grep + awk approach on Line 27 will break if the version in Chart.yaml is quoted (e.g., version: "1.0.0") or has a trailing comment. Consider using yq for proper YAML parsing, though this is low risk if you control the chart format.

Alternative using yq
      - name: Set preview version
        run: |
-          CURRENT_VERSION=$(grep '^version:' chart/Chart.yaml | awk '{print $2}')
+          CURRENT_VERSION=$(yq '.version' chart/Chart.yaml)
           PREVIEW_VERSION="${CURRENT_VERSION}-pr.${{ github.event.pull_request.number }}"
           sed -i "s/^version: .*/version: ${PREVIEW_VERSION}/" chart/Chart.yaml
           echo "PREVIEW_VERSION=${PREVIEW_VERSION}" >> $GITHUB_ENV
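Review bot: the `yq '.version'` call assumes `yq` is present on the runner; it ships with GitHub-hosted `ubuntu-latest` images but not necessarily with self-hosted runners, so either guard it with `command -v yq` or install it in a preceding step. The `sed -i` rewrite of `chart/Chart.yaml` can also be dropped: `helm package` accepts `--version "$PREVIEW_VERSION"`, which sets the packaged version without mutating the checked-out file, and `$GITHUB_ENV` on the last line should be quoted.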

35-38: Hardcoded chart name may drift from Chart.yaml.

The .tgz filename on Line 38 assumes the chart is named theia-shared-cache. If the name field in Chart.yaml ever changes, this step will silently fail because helm package generates the filename from Chart.yaml's name field.

Proposed fix: use a glob or extract the name
      - name: Package and push
        run: |
          helm package ./chart
-          helm push theia-shared-cache-${PREVIEW_VERSION}.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
+          helm push *.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
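Review bot: `helm push *.tgz` only works if exactly one `.tgz` exists in the working directory; `helm push` takes a single chart path, so a second archive makes the step fail (or push the wrong one) and no match leaves the literal `*.tgz`. Package into a fresh directory instead, e.g. `helm package ./chart --destination dist` followed by `helm push dist/*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts`, or capture the path that `helm package` prints.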

Comment on lines +1 to +11
{
  "permissions": {
    "allow": [
      "WebFetch(domain:eclipsesource.com)",
      "WebFetch(domain:github.com)",
      "Bash(gh api:*)",
      "WebFetch(domain:raw.githubusercontent.com)",
      "WebFetch(domain:docs.artemis.tum.de)"
    ]
  }
}

⚠️ Potential issue | 🟡 Minor

This local settings file likely shouldn't be committed.

.claude/settings.local.json is a developer-specific configuration file (note the .local suffix). It should typically be added to .gitignore rather than tracked in version control, as different developers may need different permission settings.


@github-actions bot commented Feb 8, 2026

📦 Chart Preview Ready

helm install test oci://ghcr.io/ls1intum/charts/theia-shared-cache --version 0.2.3-pr.24

Updated: 15b26b7

@coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/chart-preview.yml:
- Around line 26-31: The CURRENT_VERSION extraction can include surrounding
quotes (e.g., "1.0.0") because awk '{print $2}' doesn't strip them; update the
extraction so CURRENT_VERSION is normalized by trimming whitespace and removing
any leading/trailing quotes before building PREVIEW_VERSION and calling sed to
replace version in Chart.yaml. Locate the block that defines CURRENT_VERSION,
PREVIEW_VERSION and runs sed (the variables named CURRENT_VERSION and
PREVIEW_VERSION and the sed line) and change the extraction to strip surrounding
quotes (or use a more robust grep/sed capture of the value) so PREVIEW_VERSION
is always an unquoted semver string.

In `@chart/values.yaml`:
- Around line 82-93: Extract the hardcoded plugin version into a values key
(e.g., reposilite.prometheusPlugin.version) and add a companion checksum key
(e.g., reposilite.prometheusPlugin.sha256) in values.yaml, then update the
initContainer (name: download-prometheus-plugin) command in the Deployment
template to use those values instead of the fixed 3.5.26 and to perform a
post-download SHA256 integrity check using the configured checksum (fail/exit
non-zero on mismatch) before placing the JAR into the plugins volume mount
(/plugins); reference the initContainer name, the wget command invocation and
the /plugins mountPath when applying the change.
🧹 Nitpick comments (4)
chart/values.yaml (2)

75-78: Hardcoded Prometheus credentials should be templated.

These credentials default to admin/changeme but unlike the gradle auth block (lines 13-17), they aren't clearly marked for override and lack a dedicated config section. Consider extracting them under reposilite.prometheus.username / reposilite.prometheus.password in values.yaml so they're easier to discover and override, especially since they'll be visible in the pod spec.


74-74: Admin token is exposed in plain text in the pod environment.

--token admin:changeme passes credentials via command-line args, which may be visible in process listings. Consider using a Kubernetes Secret reference instead of embedding credentials in env values.

.github/workflows/chart-preview.yml (2)

36-39: Hardcoded chart name in package filename is fragile.

Line 39 assumes the packaged chart will be named theia-shared-cache-${PREVIEW_VERSION}.tgz. If the name field in Chart.yaml ever changes, this step will silently fail. Consider using a glob or dynamically extracting the chart name:

Proposed fix
       - name: Package and push
         run: |
           helm package ./chart
-          helm push theia-shared-cache-${PREVIEW_VERSION}.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
+          CHART_NAME=$(grep '^name:' chart/Chart.yaml | awk '{print $2}' | tr -d '"')
+          helm push ${CHART_NAME}-${PREVIEW_VERSION}.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
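Review bot: the `grep '^name:' | awk | tr -d '"'` line reintroduces the fragile parsing the first review flagged for `version:` (single-quoted values and trailing comments are still not handled), and the two suggested fixes now diverge: if `yq '.version'` is adopted for the version, use `yq '.name'` here as well, or sidestep name parsing entirely with `helm package ./chart --destination dist` and `helm push dist/*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts`.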

1-52: No cleanup mechanism for stale PR preview charts.

Each PR push will publish a new chart version to the OCI registry. Over time, these preview versions will accumulate. Consider adding a cleanup job (e.g., on PR close) or documenting a manual cleanup process.
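The Chart.yaml parsing flagged in both reviews above (the `grep | awk` extraction of `version:` that breaks on quoted values, and the hardcoded `theia-shared-cache-${PREVIEW_VERSION}.tgz` archive name) worked through as an added example. This is not the repository's workflow code: the helper names `chart_field`, `preview_version` and `package_name`, the constructed Chart.yaml in `demo`, and the `OWNER` placeholder are assumptions. It needs only `sed`, `head` and `tr`, so it does not depend on `yq` being present on the runner.

```shell
#!/bin/sh
# Added example (not the project's workflow): extract top-level scalars from
# Chart.yaml robustly, build the PR preview version, and derive the archive
# name that `helm package` writes, so the push step never hardcodes the name.
set -eu

# chart_field FILE KEY -> value of the top-level KEY with surrounding quotes,
# a trailing "# comment", CR line endings and trailing whitespace stripped.
# Only unindented keys match, so a nested "version:" under dependencies:
# (as in a constructed Chart.yaml below) is not picked up by mistake.
chart_field() {
  file=$1; key=$2
  sed -n "s/^${key}:[[:space:]]*//p" "$file" \
    | head -n 1 \
    | tr -d '\r' \
    | sed -e 's/[[:space:]]*#.*$//' \
          -e 's/^"\(.*\)"$/\1/' \
          -e "s/^'\(.*\)'\$/\1/" \
          -e 's/[[:space:]]*$//'
}

# preview_version CHART_VERSION PR_NUMBER -> "<version>-pr.<number>".
# The PR number is interpolated from github.event.pull_request.number in the
# workflow; insisting that it is purely numeric keeps anything else from
# reaching helm, sed or a shell command line.
preview_version() {
  base=$1; pr=$2
  case $pr in
    ''|*[!0-9]*)
      echo "preview_version: PR number must be numeric, got '$pr'" >&2
      return 1 ;;
  esac
  printf '%s-pr.%s\n' "$base" "$pr"
}

# package_name CHART_DIR VERSION -> "<name>-<version>.tgz", the file name
# `helm package` produces from Chart.yaml's name field.
package_name() {
  dir=$1; version=$2
  printf '%s-%s.tgz\n' "$(chart_field "$dir/Chart.yaml" name)" "$version"
}

# demo: runs the helpers on a constructed Chart.yaml (not the project's real
# one) and prints the helm commands a workflow step would execute.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/Chart.yaml" <<'EOF'
apiVersion: v2
name: "example-chart"   # quoted on purpose
version: '0.2.3'        # quoted on purpose
dependencies:
  - name: sub
    version: 9.9.9
EOF
  v=$(preview_version "$(chart_field "$dir/Chart.yaml" version)" 24)
  echo "helm package $dir --version $v"
  echo "helm push $(package_name "$dir" "$v") oci://ghcr.io/OWNER/charts"
  rm -r "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh preview.sh demo` to see the two commands for the constructed chart; in a workflow step the `--version` flag replaces the `sed -i` edit of Chart.yaml, and `package_name` (or `--destination` into an empty directory) replaces the hardcoded archive name.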
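The checksum-pinned plugin download requested in the values.yaml actionable comment above (replace the fixed 3.5.26 and bare `wget` in the download-prometheus-plugin initContainer with a configured version and a SHA-256 check that fails on mismatch), as an added example that is not the chart's own initContainer script. The environment variable names `PLUGIN_URL`, `PLUGIN_SHA256` and `PLUGINS_DIR`, and the values keys they would be fed from (`reposilite.prometheusPlugin.version` / `.sha256`, as the review suggests), are assumptions.

```shell
#!/bin/sh
# Added example (not the chart's initContainer command): fetch a plugin JAR
# into the plugins volume and install it only if its SHA-256 matches the
# pinned digest. Assumed inputs: PLUGIN_URL, PLUGIN_SHA256, PLUGINS_DIR
# (defaults to /plugins, the chart's plugin mountPath).
set -eu

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch.
# Hex digits are compared case-insensitively.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# install_verified SRC EXPECTED_HEX DEST: move SRC into place only after the
# digest check passes; on failure the download is deleted so a later retry
# cannot pick up a tampered artifact left behind on the volume.
install_verified() {
  src=$1; expected=$2; dest=$3
  if verify_sha256 "$src" "$expected"; then
    mv "$src" "$dest"
    return 0
  fi
  rm -f "$src"
  return 1
}

# fetch_plugin URL EXPECTED_HEX PLUGINS_DIR: download to a temporary name
# first so the plugin directory never contains an unverified JAR, then
# verify and rename. wget is what the chart's initContainer already uses.
fetch_plugin() {
  url=$1; expected=$2; dir=$3
  name=$(basename "$url")
  tmp="$dir/.$name.part"
  mkdir -p "$dir"
  wget -q -O "$tmp" "$url"
  install_verified "$tmp" "$expected" "$dir/$name"
}

# Entry point when run as the initContainer command. With PLUGIN_URL unset
# nothing runs, so the functions can be sourced and exercised offline.
if [ -n "${PLUGIN_URL:-}" ]; then
  fetch_plugin "$PLUGIN_URL" "${PLUGIN_SHA256:?pinned digest required}" "${PLUGINS_DIR:-/plugins}"
fi
```

In the Deployment template the initContainer would run this script with `PLUGIN_URL` built from the configured version and `PLUGIN_SHA256` taken from the companion values key; a missing digest aborts the init step rather than silently installing an unverified JAR.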

@KevinGruber2001 KevinGruber2001 merged commit d896ba7 into main Feb 10, 2026
3 checks passed
@github-project-automation github-project-automation bot moved this from Milestone 1 to Done in Scalable Cloud Tools Project Feb 10, 2026