📝 Walkthrough
Migrates Kubebuilder Helm plugin to v2-alpha, adds Makefile Helm deployment targets/variables, sets manager image override in Kustomize, and updates the GitHub Actions workflow to build/load the image and run Helm via make targets.
Changes: Helm Plugin Migration and Deployment Infrastructure
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/test-chart.yml:
- Around line 29-31: Replace the current unpinned curl download (the line that
runs curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env
GOARCH)) with a pinned release URL (e.g.
https://kind.sigs.k8s.io/dl/<VERSION>/kind-linux-$(go env GOARCH)), also
download the corresponding <binary>.sha256sum file from the same <VERSION>
directory, run sha256sum --check <binary>.sha256sum to verify integrity, and
only then keep the existing chmod +x ./kind to install the verified binary;
ensure the workflow errors out if the checksum verification fails.
In `@Makefile`:
- Around line 445-450: The helm-deploy target currently uses the IMG Make
variable without checking it; add a guard at the start of the helm-deploy recipe
to fail fast if IMG is empty by printing an error and exiting non-zero.
Specifically, in the helm-deploy target, detect if the IMG variable is
unset/empty (e.g., test -z "$(IMG)") and if so echo a clear error like "IMG is
required for helm-deploy" and exit 1 before any use of ${IMG%:*} or ${IMG##*:};
otherwise continue to the existing $(HELM) upgrade --install invocation.
- Around line 439-442: The install-helm Makefile target should stop downloading
and executing the script from helm/helm@main; instead pin to a specific,
immutable release (e.g., a GitHub release tag or commit) and fetch a verified
artifact (release tarball or platform binary) with checksum verification rather
than piping curl to bash; update the install-helm target (reference: HELM,
install-helm) to use the pinned URL and verify integrity before installing. For
helm-deploy, validate the IMG variable format before templating so
manager.image.repository/manager.image.tag are not left empty: add a guard in
the helm-deploy target that checks IMG matches repo:tag (reference: IMG,
helm-deploy, manager.image.repository) and fail with a clear error or split IMG
into repository and tag with sensible defaults when missing to avoid producing a
malformed chart value.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 151f070a-06c3-4526-bd05-2bc720957bc8
📒 Files selected for processing (4)
.github/workflows/test-chart.yml, Makefile, PROJECT, config/manager/kustomization.yaml
| run: | | ||
| curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64 | ||
| curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH) | ||
| chmod +x ./kind |
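Review bot: The curl line that uses $(go env GOARCH) still resolves dl/latest and calls curl -Lo without --fail, so an HTTP error body is written to ./kind and the following chmod +x ./kind runs on it anyway. Use curl -fsSLo so a failed download stops the step, and replace latest with a fixed release so the binary does not change between runs. The $(go env GOARCH) substitution also depends on Go being set up earlier in the job.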
🧩 Analysis chain
🌐 Web query:
What is the official recommended way to install kind in CI with version pinning and checksum verification?
💡 Result:
Official, CI-friendly way (with version pinning + checksum verification) is to download the exact kind binary release asset for your OS/arch at a pinned version, also download the matching ${binary}.sha256sum asset, then verify with sha256sum -c before marking the binary executable. The kind project publishes stable binaries and they are “generally strongly recommended for CI usage”. [1][2]
Example (Linux amd64; adapt OS/arch and filenames):
1) Pick a pinned kind version, e.g. v0.31.0.
2) Download the binary and its checksum, then verify:
VERSION=v0.31.0
OS="$(uname -s | tr '[:upper:]' '[:lower:]')" # should map to github asset naming
ARCH="$(uname -m)"
case "$ARCH" in x86_64) ARCH_SUFFIX=amd64;; aarch64) ARCH_SUFFIX=arm64;; *) echo "unsupported arch: .sha256sum files alongside the binaries. [3][4]
- A widely used install implementation pattern in the ecosystem is: download kind-linux-${arch} and kind-linux-${arch}.sha256sum, then run sha256sum -c/--check against the checksum file before moving the binary into place. [5]
Notes:
- If you use Kubernetes-in-kind node images, you can further pin node images by digest (the kind docs recommend using sha256 shasums for those images). [6][7]
Citations:
- 1: https://github.com/kubernetes-sigs/kind/blob/master/README.md
- 2: https://pkg.go.dev/sigs.k8s.io/kind@v0.31.0
- 3: https://github.com/kubernetes-sigs/kind/releases/tag/v0.26.0
- 4: https://github.com/kubernetes-sigs/kind/releases/tag/v0.29.0
- 5: https://github.com/helm/kind-action/blob/main/kind.sh
- 6: https://kind.sigs.k8s.io/docs/user/quick-start/
- 7: https://kind.sigs.k8s.io/docs/user/quick-start
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '1,120p' .github/workflows/test-chart.yml | nl -ba | sed -n '20,60p'
Repository: ironcore-dev/metal-operator
Length of output: 114
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show numbered lines around the reported location (use cat -n since nl isn't available)
cat -n .github/workflows/test-chart.yml | sed -n '20,60p'
Repository: ironcore-dev/metal-operator
Length of output: 1454
Pin kind version and verify its SHA256 checksum in CI
In .github/workflows/test-chart.yml (lines 28-32), the workflow downloads kind from .../dl/latest/... and installs it without any checksum verification, making CI behavior drift and weakening binary integrity. Download a pinned kind release binary and its matching ${binary}.sha256sum from https://kind.sigs.k8s.io/dl/<version>/, run sha256sum --check on the checksum file, then install the verified binary.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/test-chart.yml around lines 29 - 31, Replace the current
unpinned curl download (the line that runs curl -Lo ./kind
https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)) with a pinned
release URL (e.g. https://kind.sigs.k8s.io/dl/<VERSION>/kind-linux-$(go env
GOARCH)), also download the corresponding <binary>.sha256sum file from the same
<VERSION> directory, run sha256sum --check <binary>.sha256sum to verify
integrity, and only then keep the existing chmod +x ./kind to install the
verified binary; ensure the workflow errors out if the checksum verification
fails.
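The pin-and-verify step described in the comment above, as an added example that is not part of the PR or of CodeRabbit's output. It looks the digest up by asset name, so the download may be saved under another name such as ./kind, and it also compares against a digest committed in the repository. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded tool before it is made executable.
# HELLO_SHA256 and all file contents below are constructed sample data.

HELLO_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  # sha256 of "hello\n"

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# digest_for SUMFILE NAME: print the digest recorded for NAME in a
# "<hex>  <name>" checksum file; non-zero exit if NAME has no entry.
digest_for() {
    awk -v n="$2" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; found = 1; exit } }
        END { exit !found }
    ' "$1"
}

# verify_download FILE SUMFILE NAME [PINNED]
#   FILE    where the download was saved (may differ from NAME)
#   SUMFILE published checksum file fetched next to the binary
#   NAME    asset name as recorded inside SUMFILE
#   PINNED  digest committed in the repository (optional)
# Returns 0 only if every available check passes.
verify_download() {
    file=$1 sumfile=$2 name=$3 pinned=${4:-}
    [ -s "$file" ] || { echo "empty or missing download: $file" >&2; return 1; }
    published=$(digest_for "$sumfile" "$name") || {
        echo "no checksum entry for $name" >&2; return 1; }
    actual=$(sha256_of "$file")
    [ "$actual" = "$published" ] || {
        echo "checksum mismatch for $name" >&2; return 1; }
    # The checksum file comes from the same host as the binary, so it only
    # detects corruption. The pinned digest detects a replaced release asset.
    if [ -n "$pinned" ] && [ "$actual" != "$pinned" ]; then
        echo "digest differs from the pinned value for $name" >&2
        return 1
    fi
    return 0
}

demo() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/kind"   # constructed stand-in for the binary
    printf '%s  kind-linux-amd64\n' "$HELLO_SHA256" > "$dir/kind-linux-amd64.sha256sum"
    verify_download "$dir/kind" "$dir/kind-linux-amd64.sha256sum" \
        kind-linux-amd64 "$HELLO_SHA256" && echo "verified: ok to chmod +x and install"
    printf 'tampered\n' > "$dir/kind"
    verify_download "$dir/kind" "$dir/kind-linux-amd64.sha256sum" \
        kind-linux-amd64 "$HELLO_SHA256" 2>/dev/null || echo "rejected: file is not installed"
    rm -rf "$dir"
}
demo
```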
| helm-deploy: install-helm ## Deploy manager to the K8s cluster via Helm. Specify an image with IMG. | ||
| $(HELM) upgrade --install $(HELM_RELEASE) $(HELM_CHART_DIR) \ | ||
| --namespace $(HELM_NAMESPACE) \ | ||
| --create-namespace \ | ||
| --set manager.image.repository=$${IMG%:*} \ | ||
| --set manager.image.tag=$${IMG##*:} \ |
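Review bot: In the two --set lines, $${IMG%:*} and $${IMG##*:} are expanded by the recipe shell rather than by make, so they only work when IMG is present in that shell's environment, and they are unquoted. For a value with no tag both expansions return the whole string, and a registry port such as localhost:5000/controller is split at the port. Validate IMG once before the $(HELM) call, quote both expansions, and state whether digest references (repo@sha256:...) are meant to be supported.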
Fail fast when IMG is unset in helm-deploy.
Right now, empty IMG values flow into string-splitting and can produce unclear Helm failures.
Suggested guard
.PHONY: helm-deploy
helm-deploy: install-helm ## Deploy manager to the K8s cluster via Helm. Specify an image with IMG.
+ `@test` -n "$$IMG" || { echo "IMG is required (example: IMG=ghcr.io/org/controller:tag make helm-deploy)"; exit 1; }
$(HELM) upgrade --install $(HELM_RELEASE) $(HELM_CHART_DIR) \
--namespace $(HELM_NAMESPACE) \
--create-namespace \📝 Committable suggestion
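Review bot: The added test -n "$$IMG" guard only rejects an empty value, so IMG=controller passes it and the later $${IMG%:*} and $${IMG##*:} both evaluate to controller, giving repository and tag the same string. Extend the guard to require a colon after the last slash and fail with the same message otherwise.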
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| helm-deploy: install-helm ## Deploy manager to the K8s cluster via Helm. Specify an image with IMG. | |
| $(HELM) upgrade --install $(HELM_RELEASE) $(HELM_CHART_DIR) \ | |
| --namespace $(HELM_NAMESPACE) \ | |
| --create-namespace \ | |
| --set manager.image.repository=$${IMG%:*} \ | |
| --set manager.image.tag=$${IMG##*:} \ | |
| helm-deploy: install-helm ## Deploy manager to the K8s cluster via Helm. Specify an image with IMG. | |
| `@test` -n "$$IMG" || { echo "IMG is required (example: IMG=ghcr.io/org/controller:tag make helm-deploy)"; exit 1; } | |
| $(HELM) upgrade --install $(HELM_RELEASE) $(HELM_CHART_DIR) \ | |
| --namespace $(HELM_NAMESPACE) \ | |
| --create-namespace \ | |
| --set manager.image.repository=$${IMG%:*} \ | |
| --set manager.image.tag=$${IMG##*:} \ |
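Review bot: On the added guard line, @test is wrapped in backquotes, so as written the shell treats it as a command substitution that tries to run a command named @test instead of a silenced test call. Write the line as @test -n "$$IMG" || { ...; exit 1; } without the backquotes, indented with a tab like the $(HELM) line.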
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@Makefile` around lines 445 - 450, The helm-deploy target currently uses the
IMG Make variable without checking it; add a guard at the start of the
helm-deploy recipe to fail fast if IMG is empty by printing an error and exiting
non-zero. Specifically, in the helm-deploy target, detect if the IMG variable is
unset/empty (e.g., test -z "$(IMG)") and if so echo a clear error like "IMG is
required for helm-deploy" and exit 1 before any use of ${IMG%:*} or ${IMG##*:};
otherwise continue to the existing $(HELM) upgrade --install invocation.
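How the two parameter expansions discussed above behave on realistic image references, next to a stricter split, as an added example that is not part of the PR or of CodeRabbit's suggestion. The names naive_split, split_image, IMAGE_REPO and IMAGE_TAG are hypothetical, and the sample references are constructed.

```shell
#!/bin/sh
# Added example: splitting IMG into repository and tag for Helm --set values.

# naive_split REF: the expansions used in the helm-deploy recipe,
# printed as "repository|tag" so the result can be inspected.
naive_split() {
    printf '%s|%s\n' "${1%:*}" "${1##*:}"
}

# split_image REF: set IMAGE_REPO and IMAGE_TAG and return 0 only when REF
# is <repository>:<tag>. A colon counts as the tag separator only in the
# last path component, so a registry port is never taken for a tag.
split_image() {
    ref=$1
    IMAGE_REPO='' IMAGE_TAG=''
    [ -n "$ref" ] || { echo "IMG is required" >&2; return 1; }
    case $ref in
        *@*) echo "digest references are not supported here: $ref" >&2; return 1 ;;
    esac
    last=${ref##*/}                 # component after the final slash
    case $last in
        *:*) ;;
        *) echo "IMG must be <repository>:<tag>, got: $ref" >&2; return 1 ;;
    esac
    name=${last%:*}
    tag=${last##*:}
    repo=${ref%:*}
    case $name in
        ''|*:*) echo "malformed image name in: $ref" >&2; return 1 ;;
    esac
    # Tag grammar used by container registries: [A-Za-z0-9_][A-Za-z0-9._-]{0,127}
    case $tag in
        ''|[!A-Za-z0-9_]*|*[!A-Za-z0-9._-]*)
            echo "malformed tag in: $ref" >&2; return 1 ;;
    esac
    [ "${#tag}" -le 128 ] || { echo "tag too long in: $ref" >&2; return 1; }
    IMAGE_REPO=$repo
    IMAGE_TAG=$tag
}

# Constructed samples: a tagged image, a registry port without a tag, a bare name.
for sample in ghcr.io/org/controller:v1.2.3 localhost:5000/controller controller; do
    if split_image "$sample" 2>/dev/null; then
        echo "$sample -> repository=$IMAGE_REPO tag=$IMAGE_TAG"
    else
        echo "$sample -> rejected (naive split gives $(naive_split "$sample"))"
    fi
done
```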
Actionable comments posted: 2
♻️ Duplicate comments (3)
Makefile (2)
445-450: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Validate IMG format before splitting into repository/tag.
$${IMG%:*} and $${IMG##*:} are used without a guard; empty or malformed IMG produces bad Helm values and confusing failures later.
Proposed fix
.PHONY: helm-deploy helm-deploy: install-helm ## Deploy manager to the K8s cluster via Helm. Specify an image with IMG. + `@test` -n "$$IMG" || { echo "IMG is required (example: ghcr.io/org/controller:v1.2.3)"; exit 1; } + `@repo`="$${IMG%:*}"; tag="$${IMG##*:}"; \ + [ -n "$$repo" ] && [ -n "$$tag" ] && [ "$$repo" != "$$IMG" ] || { \ + echo "IMG must be in <repository>:<tag> format"; exit 1; \ + } $(HELM) upgrade --install $(HELM_RELEASE) $(HELM_CHART_DIR) \ --namespace $(HELM_NAMESPACE) \ --create-namespace \ --set manager.image.repository=$${IMG%:*} \ --set manager.image.tag=$${IMG##*:} \ --wait \ --timeout 5m \ $(HELM_EXTRA_ARGS)🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Makefile` around lines 445 - 450, The helm-deploy Makefile target uses $${IMG%:*} and $${IMG##*:} without validating IMG; add a guard that checks IMG is non-empty and contains a colon before splitting (or provide a sensible default tag like "latest"), and fail fast with a clear error message if validation fails; update the helm-deploy recipe (referencing the helm-deploy target and the IMG variable) to compute repository and tag only after validation or to set REPO and TAG variables conditionally so the upgrade --set manager.image.repository and --set manager.image.tag always receive valid values.
439-442: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin Helm installation inputs and verify downloaded artifact integrity.
Line 441 executes a moving script from helm/helm@main, which makes CI non-deterministic and weakens supply-chain guarantees.
Proposed fix
+HELM_VERSION ?= v4.0.0 + .PHONY: install-helm -install-helm: ## Install the latest version of Helm. +install-helm: ## Install a pinned Helm version. `@command` -v $(HELM) >/dev/null 2>&1 || { \ echo "Installing Helm..." && \ - curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-4 | bash; \ + tmp_dir=$$(mktemp -d) && \ + os=$$(go env GOOS) && arch=$$(go env GOARCH) && \ + archive="helm-$(HELM_VERSION)-$${os}-$${arch}.tar.gz" && \ + curl -fsSLo "$$tmp_dir/$$archive" "https://get.helm.sh/$$archive" && \ + curl -fsSLo "$$tmp_dir/$$archive.sha256sum" "https://get.helm.sh/$$archive.sha256sum" && \ + ( cd "$$tmp_dir" && sha256sum --check "$$archive.sha256sum" ) && \ + tar -xzf "$$tmp_dir/$$archive" -C "$$tmp_dir" && \ + install "$$tmp_dir/$${os}-$${arch}/helm" "$(LOCALBIN)/helm"; \ }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Makefile` around lines 439 - 442, Replace the unpinned, remote installer invocation that checks for $(HELM) and curls https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-4 with a deterministic flow: pin a specific Helm release (update the HELM variable to a fixed version or add HELM_VERSION), download the corresponding installer artifact from a release tag URL instead of /main, download a published checksum file (or signature) for that release, verify the artifact integrity before executing it, and fail the Makefile target if verification does not pass; update the Makefile rule that currently references $(HELM) and the get-helm-4 URL to use these pinned URLs and verification steps.
.github/workflows/test-chart.yml (1)
30-32: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin kind version and verify checksum before install.
Line 30 downloads kind from latest with no checksum verification, which introduces CI drift and binary integrity risk.
Proposed fix
+ - name: Install pinned kind + env: + KIND_VERSION: v0.31.0 + run: | + ARCH="$(go env GOARCH)" + BIN="kind-linux-${ARCH}" + BASE="https://kind.sigs.k8s.io/dl/${KIND_VERSION}" + curl -fsSLo ./kind "${BASE}/${BIN}" + curl -fsSLo ./${BIN}.sha256sum "${BASE}/${BIN}.sha256sum" + sha256sum --check ./${BIN}.sha256sum + chmod +x ./kind + sudo mv ./kind /usr/local/bin/kind - - name: Install the latest version of kind - run: | - curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH) - chmod +x ./kind - sudo mv ./kind /usr/local/bin/kind🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/test-chart.yml around lines 30 - 32, Replace the uncontrolled "curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)" download with a pinned kind release and add checksum verification: define a KIND_VERSION variable (e.g., vX.Y.Z), download both the binary URL "https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-$(go env GOARCH)" and its corresponding SHA256SUM or .sha256 file, verify the checksum (e.g., using sha256sum -c or echo <checksum> | sha256sum -c) before running "chmod +x ./kind" and "sudo mv ./kind /usr/local/bin/kind", and fail the job if the checksum does not match.
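Review bot: In the proposed helm-deploy fix for Makefile 445-450 above, the check [ "$$repo" != "$$IMG" ] only proves that IMG contains a colon somewhere, so localhost:5000/controller passes with repo=localhost and tag=5000/controller. Reject a tag that contains a slash, and pass the validated $$repo and $$tag to the two --set flags instead of expanding $${IMG%:*} and $${IMG##*:} again, which requires the guard and the $(HELM) call to run in the same shell invocation.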
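Review bot: In the proposed install-helm fix for Makefile 439-442 above, the archive and its .sha256sum are both fetched from https://get.helm.sh, so sha256sum --check catches a corrupted or truncated download but not an archive replaced on that host. Commit the expected digest for HELM_VERSION next to the version pin and compare against that. The guard also tests command -v $(HELM) while the install writes to $(LOCALBIN)/helm, and tmp_dir is never removed.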
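Review bot: In the proposed kind step for .github/workflows/test-chart.yml 30-32 above, the binary is saved as ./kind while sha256sum --check reads the file name to verify from inside ${BIN}.sha256sum; if that entry names kind-linux-${ARCH}, the check fails because no file of that name exists. Download to ./${BIN}, run the check, and only then rename it to ./kind and chmod +x.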
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/test-chart.yml:
- Line 19: Replace the floating action tags with immutable commit SHAs: update
the workflow refs that currently use actions/checkout@v6 and actions/setup-go@v6
to point to their corresponding full commit SHA values (e.g.,
actions/checkout@<commit-sha> and actions/setup-go@<commit-sha>) so the workflow
is pinned to exact commits; ensure both occurrences are updated and commit the
workflow change.
- Around line 58-63: The helm install command that deploys cert-manager (the
helm install cert-manager jetstack/cert-manager invocation) is not pinned and
can float; update that command to add --version 1.20.2 so the CI uses the same
chart version as the e2e suite's certmanagerVersion ("v1.20.2") to ensure
consistency between Helm installs and the manifests used by e2e.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 879e67a1-35bf-465a-a7cb-e6862e50bb5d
📒 Files selected for processing (4)
- .github/workflows/test-chart.yml
- Makefile
- PROJECT
- config/manager/kustomization.yaml
Signed-off-by: Andreas Fritzler <andreas.fritzler@sap.com>
Proposed Changes
Migrate from helm/v1-alpha (deprecated) to helm/v2-alpha.
Fixes #685
Summary by CodeRabbit