A comprehensive GitHub Action for detecting drift between deployed Helm chart versions and current changes across multiple services. Perfect for GitOps workflows using ArgoCD or similar tools.
- π Service-specific version detection - Automatically extracts deployed versions from Argo ApplicationSet files
- π Multi-service support - Compare multiple services simultaneously with different deployed versions
β οΈ Configuration validation - Warns about missing files or version extraction issues without failing- π Detailed reporting - Creates comprehensive PR comments with visual diffs
- π Configurable - JSON-based service configuration for easy maintenance
- π§ Robust - Handles errors gracefully, perfect for awareness checks
- π¨ Clear visualization - Uses dyff for human-readable YAML diffs
- Usage
- Inputs
- Outputs
- Service Configuration
- Examples
- Output Example
- Requirements
- How It Works
- Troubleshooting
- Contributing
- License
name: Helm Drift Check
on:
pull_request:
types: [opened, synchronize]
jobs:
drift-check:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Helm Chart Drift Check
uses: helm-tools/helm-drift-check@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
manifests-repository: 'your-org/manifests-repo'
chart-path: 'charts/your-chart'
services-config: |
[
{
"name": "api",
"argo_file": "manifests/argo-apps/api/api-prod.yaml",
"values_file": "manifests/api/values-prod.yaml"
},
{
"name": "web",
"argo_file": "manifests/argo-apps/web/web-prod.yaml",
"values_file": "manifests/web/values-prod.yaml"
}
]For private repositories, you can use GitHub App authentication:
- name: Run Helm Chart Drift Check
uses: helm-tools/helm-drift-check@v1
with:
github-app-id: ${{ secrets.APP_ID }}
github-app-private-key: ${{ secrets.APP_PRIVATE_KEY }}
manifests-repository: 'your-org/private-manifests'
chart-path: 'charts/your-chart'
services-config: |
[
{
"name": "service1",
"argo_file": "manifests/service1/app.yaml",
"values_file": "manifests/service1/values.yaml"
}
]| Input | Description | Required | Default |
|---|---|---|---|
github-app-id |
GitHub App ID for private repo access | β | - |
github-app-private-key |
GitHub App private key | β | - |
github-token |
GitHub token for repo access | β | ${{ github.token }} |
manifests-repository |
Repository with Argo files (format: owner/repo) |
β | - |
chart-path |
Path to Helm chart directory | β | charts/app |
services-config |
JSON array of service configurations | β | - |
dyff-version |
Version of dyff tool to use | β | 1.7.0 |
create-pr-comment |
Create PR comments with results | β | true |
Note: Either
github-tokenor bothgithub-app-idandgithub-app-private-keymust be provided.
| Output | Description | Type |
|---|---|---|
drift-found |
Whether any drift was detected | boolean |
files-with-diffs |
Number of files with differences | number |
total-files |
Total files checked | number |
summary-file |
Path to summary markdown file | string |
- name: Run Helm Chart Drift Check
id: drift-check
uses: helm-tools/helm-drift-check@v1
with:
# ... inputs
- name: Handle drift
if: steps.drift-check.outputs.drift-found == 'true'
run: |
echo "Drift detected in ${{ steps.drift-check.outputs.files-with-diffs }} files"Services are configured using a JSON array. Each service must specify:
[
{
"name": "service-name",
"argo_file": "path/to/argo/applicationset.yaml",
"values_file": "path/to/helm/values.yaml"
}
]- name (required): Unique identifier for the service (used in reports)
- argo_file (required): Path to Argo ApplicationSet file containing
targetRevision - values_file (required): Path to Helm values file for template rendering
All paths in the service configuration are relative to the root of the manifests-repository.
services-config: |
[
{
"name": "api-prod",
"argo_file": "argo-apps/api/prod.yaml",
"values_file": "values/api/prod-us-east.yaml"
},
{
"name": "api-staging",
"argo_file": "argo-apps/api/staging.yaml",
"values_file": "values/api/staging-us-west.yaml"
},
{
"name": "worker-prod",
"argo_file": "argo-apps/worker/prod.yaml",
"values_file": "values/worker/prod-eu-west.yaml"
}
]- uses: helm-tools/helm-drift-check@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
manifests-repository: 'your-org/manifests'
create-pr-comment: 'false'
# ... other inputs- uses: helm-tools/helm-drift-check@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
manifests-repository: 'your-org/manifests'
dyff-version: '1.8.0'
# ... other inputsThe action creates detailed PR comments with visual diffs:
## π Helm Chart Drift Check Results
**Comparison:** api: `v1.2.3`, web: `v2.0.1` β `HEAD`
### β
web
**Deployed version:** `v2.0.1` | **Values file:** `values-prod.yaml`
No differences detected
### β οΈ api
**Deployed version:** `v1.2.3` | **Values file:** `values-prod.yaml`
*Changes detected for review and confirmation*
```diff
spec.template.spec.containers[0].image
Β± value change
- api:v1.2.3
+ api:v1.2.4
spec.template.spec.containers[0].resources.limits.memory
Β± value change
- 512Mi
+ 1Giπ Summary: 1 out of 2 files have changes for review
- Helm 3.x - Automatically installed via azure/setup-helm
- Git repository - Chart repository must have git tags matching versions
- Argo ApplicationSet files - Must contain
targetRevisionfields - Linux or macOS runner - Action supports both architectures (amd64/arm64)
- Authentication - Generates token using GitHub App or uses provided token
- Checkout - Clones the manifests repository containing Argo files
- Version Extraction - Parses Argo ApplicationSet files to find
targetRevision - Template Rendering - Renders Helm templates for both deployed and current versions
- Comparison - Uses dyff to generate human-readable diffs
- Reporting - Creates markdown summary and posts as PR comment
βββββββββββββββββββββββ
β Extract Versions β Parses Argo ApplicationSet files
β (extract-versions) β Outputs: service_versions.json
ββββββββββββ¬βββββββββββ
β
βΌ
βββββββββββββββββββββββ
β Drift Check β Compares Helm templates
β (drift-check) β Uses: dyff for YAML diff
ββββββββββββ¬βββββββββββ
β
βΌ
βββββββββββββββββββββββ
β Report & Comment β Posts PR comment with results
β (GitHub Script) β Updates existing comments
βββββββββββββββββββββββ
Symptom: Action reports "No service versions found"
Solutions:
- Verify Argo ApplicationSet files exist at specified paths
- Ensure files contain
targetRevisionfields - Check that paths are relative to manifests repository root
- Verify the repository structure matches your configuration
Symptom: Warning about missing values files
Solutions:
- Confirm values file paths in service configuration
- Ensure manifests repository checkout is successful
- Check file permissions and naming (case-sensitive)
Symptom: "Failed to render Helm template" errors
Solutions:
- Validate Helm chart syntax in both versions
- Ensure values files are valid YAML
- Check that all required values are provided
- Test locally with
helm templatecommand
Symptom: Cannot access manifests repository
Solutions:
- Verify GitHub token has correct permissions
- For GitHub App, ensure proper installation and permissions
- Check repository visibility settings
Contributions are welcome! Please see CONTRIBUTING.md for details.
- Fork the repository
- Create a feature branch
- Make your changes
- Test with a sample workflow
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
- dyff - Amazing YAML diff tool
- Helm - The package manager for Kubernetes
- ArgoCD - Declarative GitOps CD for Kubernetes
- π Report a bug
- π‘ Request a feature
- π¬ Discussions
Made with β€οΈ for the Kubernetes and GitOps community