feat(ci): add automatic chart version bump workflow

.github/workflows/bump-version.yaml

@@ -0,0 +1,37 @@
+name: Bump Chart Version
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  bump-version:
+    if: "!contains(github.actor, 'oauth2-proxy-bot')"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          ssh-key: "${{ secrets.PUSH_KEY }}"
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "oauth2-proxy-bot"
+          git config user.email "oauth2-proxy-bot@users.noreply.github.com"
+
+      - name: Bump Chart Version
+        uses: GarnerCorp/build-actions/bump-version@ed29b86d30dadb5912f0ec45dc3a0c3ca0148826 # main
+        with:
+          version-file-path: helm/oauth2-proxy/Chart.yaml
+          version-parser: scripts/chart-version-parser.sh
+          git-name: "oauth2-proxy-bot"
+          git-email: "oauth2-proxy-bot@users.noreply.github.com"
+          major: changelogs/major
+          minor: changelogs/minor

.github/workflows/lint-test.yaml

@@ -22,6 +22,16 @@ jobs:
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2.8.0
 
+      - name: Check changelog entry
+        run: |
+          if git diff --name-only origin/main...HEAD | grep -q '^helm/'; then
+            if ! git diff --name-only origin/main...HEAD | grep -qE '^changelogs/(major|minor)/[^.]+$'; then
+              echo "::error::Chart files changed but no changelog entry found."
+              echo "Add a file to changelogs/minor/ (new feature) or changelogs/major/ (breaking change)."
+              exit 1
+            fi
+          fi
+
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |

changelogs/README.md

@@ -0,0 +1,33 @@
+# Changelogs
+
+This directory drives the automatic version bump workflow.
+
+When a PR modifies the Helm chart, include a file in the appropriate subdirectory:
+
+- `minor/` — new feature (bumps `x.Y.0`)
+- `major/` — breaking change (bumps `X.0.0`)
+- No file needed for patch-only changes (CI fixes, doc tweaks) — the workflow defaults to patch
+
+## Filename
+
+Use a descriptive name matching your PR, e.g.:
+- `minor/add-runtimeclassname`
+- `major/breaking-tpl-extrainitcontainers`
+
+## File content
+
+Write a short description of the change. This becomes part of the version bump commit message.
+
+Example (`minor/add-runtimeclassname`):
+```
+Add optional runtimeClassName field to the Deployment spec, enabling
+users to run oauth2-proxy under alternative container runtimes such as
+gVisor or Kata Containers.
+```
+
+## How it works
+
+On merge to `main`, the `bump-version` workflow reads files from these
+directories, determines the bump type (major > minor > patch), updates
+`version:` in `helm/oauth2-proxy/Chart.yaml`, commits, and pushes.
+The changelog files are deleted as part of that commit.

scripts/chart-version-parser.sh

@@ -0,0 +1,138 @@
+#!/usr/bin/env bash
+# chart-version-parser.sh — version-parser for GarnerCorp/build-actions/bump-version
+#
+# Usage:
+#   chart-version-parser.sh parse  <chart-yaml>
+#       → prints current semver from "version: X.Y.Z"
+#
+#   COMMIT_LOG=<path> chart-version-parser.sh update <chart-yaml> <new-version>
+#       → updates "version:" and "artifacthub.io/changes" block in-place
+#
+# COMMIT_LOG format (produced by GarnerCorp/build-actions/next-version):
+#   ### <filename>
+#   <one-line description> [#<pr-number>]
+#
+#   ### <filename2>
+#   ...
+#
+# Example input (Chart.yaml excerpt):
+#   version: 10.6.0
+#   annotations:
+#     artifacthub.io/changes: |
+#       - kind: added
+#         description: Added name attribute for HTTPRoute rules
+#
+# Example COMMIT_LOG:
+#   ### add-runtimeclassname
+#   Add optional runtimeClassName field to the Deployment spec #410
+#
+#   ### add-alpha-config-helpers
+#   Add alpha-config.source and alpha-config.name helpers #405
+#
+# Example output (Chart.yaml excerpt):
+#   version: 10.7.0
+#   annotations:
+#     artifacthub.io/changes: |
+#       - kind: added
+#         description: Add optional runtimeClassName field to the Deployment spec
+#         links:
+#           - name: GitHub PR
+#             url: https://github.com/oauth2-proxy/manifests/pull/410
+#       - kind: added
+#         description: Add alpha-config.source and alpha-config.name helpers
+#         links:
+#           - name: GitHub PR
+#             url: https://github.com/oauth2-proxy/manifests/pull/405
+set -euo pipefail
+
+COMMAND="${1:-}"
+CHART_FILE="${2:-}"
+
+case "$COMMAND" in
+  parse)
+    grep -E '^version:' "$CHART_FILE" | head -1 | sed 's/version:[[:space:]]*//'
+    ;;
+
+  update)
+    NEW_VERSION="${3:-}"
+    if [ -z "$NEW_VERSION" ]; then
+      echo "Usage: $0 update <chart-yaml> <version>" >&2
+      exit 1
+    fi
+
+    # Update the version field
+    sed -i.bak "s/^version:[[:space:]].*/version: ${NEW_VERSION}/" "$CHART_FILE"
+    rm -f "${CHART_FILE}.bak"
+
+    # Rebuild artifacthub.io/changes from COMMIT_LOG (set by next-version action)
+    COMMIT_LOG="${COMMIT_LOG:-}"
+    if [ -z "$COMMIT_LOG" ] || [ ! -s "$COMMIT_LOG" ]; then
+      exit 0
+    fi
+
+    # Build the new changes YAML block from commit log entries
+    changes_yaml=""
+    current_file=""
+    while IFS= read -r line; do
+      if [[ "$line" =~ ^###[[:space:]]+(.*) ]]; then
+        current_file="${BASH_REMATCH[1]}"
+      elif [[ -n "$line" && -n "$current_file" ]]; then
+        kind="added"
+        if echo "$line" | grep -qiE "break|BREAKING|remov|deprecat"; then
+          kind="changed"
+        fi
+        pr_number=$(echo "$line" | grep -oE '#[0-9]+' | head -1 | tr -d '#' || true)
+        description=$(echo "$line" | sed 's/[[:space:]]*#[0-9]*[[:space:]]*$//' | sed 's/^[[:space:]]*//')
+
+        entry="    - kind: ${kind}\n      description: ${description}"
+        if [ -n "${pr_number}" ]; then
+          entry="${entry}\n      links:\n        - name: GitHub PR\n          url: https://github.com/oauth2-proxy/manifests/pull/${pr_number}"
+        fi
+        changes_yaml="${changes_yaml}${entry}\n"
+        current_file=""
+      fi
+    done < "$COMMIT_LOG"
+
+    if [ -z "$changes_yaml" ]; then
+      exit 0
+    fi
+
+    # Splice the new changes block into Chart.yaml using python for reliable multi-line handling
+    changes_block="$(printf '%b' "$changes_yaml")"
+    python3 - "$CHART_FILE" "$changes_block" << 'PYEOF'
+import sys
+
+chart_file = sys.argv[1]
+new_entries = sys.argv[2]  # pre-formatted YAML lines (4-space indented)
+
+with open(chart_file) as f:
+    lines = f.readlines()
+
+out = []
+skip = False
+for line in lines:
+    if line.startswith('  artifacthub.io/changes:'):
+        # Replace the entire block with new content
+        out.append('  artifacthub.io/changes: |\n')
+        for entry_line in new_entries.splitlines():
+            out.append(entry_line + '\n')
+        skip = True
+        continue
+    if skip:
+        # Skip old block lines (indented with 4+ spaces under annotations)
+        if line.startswith('    '):
+            continue
+        else:
+            skip = False
+    out.append(line)
+
+with open(chart_file, 'w') as f:
+    f.writelines(out)
+PYEOF
+    ;;
+
+  *)
+    echo "Usage: $0 {parse|update} <chart-yaml> [version]" >&2
+    exit 1
+    ;;
+esac