Merge branch 'main' into feat/exec_custom_listener_support

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           languages: javascript
 
@@ -51,7 +51,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -65,4 +65,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9

.github/workflows/devcontainer.yml

@@ -23,6 +23,6 @@ jobs:
           show-progress: false
 
       - name: Build and run dev container task
-        uses: devcontainers/ci@c252b79ef4714c98801103cf62df41bf83240771 # v0.3.1900000411
+        uses: devcontainers/ci@b217ffc359068515fb678d1a53232968b8b95b28 # v0.3.1900000413
         with:
           runCmd: pnpm build

.github/workflows/scorecard.yml

@@ -51,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -31,7 +31,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
 
-      - uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+      - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: trivy-results.sarif
           category: 'docker-image-${{ matrix.tag }}'

lib/modules/manager/azure-pipelines/readme.md

@@ -44,7 +44,7 @@ resources:
     - container: linux
       image: ubuntu:24.04
     - container: python
-      image: python:3.13@sha256:236d5c655815dfa4e6c1d8f63cd6abd962755ebf6b6f8905e53b66fe4ff14bad
+      image: python:3.13@sha256:589ed6659c0e4aac182f309131cd35e85452d21072570b1f6abc45b7687093a3
 
 stages:
   - stage: StageOne

lib/modules/manager/flux/__fixtures__/helmChart.yaml

@@ -0,0 +1,14 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: sealed-secrets
+  namespace: kube-system
+spec:
+  interval: 10m
+  chart: sealed-secrets
+  sourceRef:
+    kind: HelmRepository
+    name: sealed-secrets
+  version: "2.0.2"
+  valuesFiles:
+    - values-prod.yaml

lib/modules/manager/flux/__fixtures__/helmChartRefRelease.yaml

@@ -0,0 +1,13 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: sealed-secrets
+  namespace: kube-system
+spec:
+  interval: 10m
+  chartRef:
+    kind: HelmChart
+    name: sealed-secrets
+    namespace: kube-system
+  values:
+    replicaCount: 2

lib/modules/manager/flux/extract.spec.ts

@@ -14,6 +14,9 @@ import { extractAllPackageFiles, extractPackageFile } from '.';
 
 const config: ExtractConfig = {};
 const adminConfig: RepoGlobalConfig = { localDir: '' };
+const fixtureHelmSource = Fixtures.get('helmSource.yaml');
+const fixtureHelmChart = Fixtures.get('helmChart.yaml');
+const fixtureHelmChartRefRelease = Fixtures.get('helmChartRefRelease.yaml');
 
 describe('modules/manager/flux/extract', () => {
   beforeEach(() => {
@@ -162,6 +165,22 @@ describe('modules/manager/flux/extract', () => {
       });
     });
 
+    it('ignores HelmRelease resources without any chart reference', () => {
+      const result = extractPackageFile(
+        codeBlock`
+          apiVersion: helm.toolkit.fluxcd.io/v2beta1
+          kind: HelmRelease
+          metadata:
+            name: sealed-secrets
+            namespace: kube-system
+          spec:
+            interval: 10m
+        `,
+        'test.yaml',
+      );
+      expect(result).toBeNull();
+    });
+
     it('ignores HelmRelease resources without a chart name', () => {
       const result = extractPackageFile(
         codeBlock`
@@ -240,7 +259,7 @@ describe('modules/manager/flux/extract', () => {
     it('does not match HelmRelease resources without a sourceRef', () => {
       const result = extractPackageFile(
         codeBlock`
-          ${Fixtures.get('helmSource.yaml')}
+          ${fixtureHelmSource}
           ---
           apiVersion: helm.toolkit.fluxcd.io/v2beta1
           kind: HelmRelease
@@ -270,7 +289,7 @@ describe('modules/manager/flux/extract', () => {
     it('does not match HelmRelease resources without a namespace', () => {
       const result = extractPackageFile(
         codeBlock`
-          ${Fixtures.get('helmSource.yaml')}
+          ${fixtureHelmSource}
           ---
           apiVersion: helm.toolkit.fluxcd.io/v2beta1
           kind: HelmRelease
@@ -337,6 +356,182 @@ describe('modules/manager/flux/extract', () => {
       });
     });
 
+    it('ignores HelmRelease resources using an invalid chartRef', () => {
+      const result = extractPackageFile(
+        fixtureHelmChartRefRelease,
+        'test.yaml',
+      );
+      expect(result).toBeNull();
+    });
+
+    it('ignores HelmRelease resources using a chartRef targetting a HelmChart', () => {
+      const result = extractPackageFile(
+        codeBlock`
+          ${fixtureHelmChartRefRelease}
+          ---
+          ${fixtureHelmChart}
+          ---
+          ${fixtureHelmSource}
+        `,
+        'test.yaml',
+      );
+      // HelmRelease is ignored, only HelmChart itself is processed (-> no duplicates expected)
+      expect(result).toEqual({
+        deps: [
+          {
+            currentValue: '2.0.2',
+            datasource: HelmDatasource.id,
+            depName: 'sealed-secrets',
+            registryUrls: ['https://bitnami-labs.github.io/sealed-secrets'],
+          },
+        ],
+      });
+    });
+
+    it('ignores HelmRelease resources using a chartRef targetting an OCIRepository', () => {
+      const result = extractPackageFile(
+        codeBlock`
+          ${Fixtures.get('ociSource.yaml')}
+          ---
+          apiVersion: helm.toolkit.fluxcd.io/v2
+          kind: HelmRelease
+          metadata:
+            name: kyverno-controller
+            namespace: kube-system
+          spec:
+            chartRef:
+              kind: OCIRepository
+              name: kyverno-controller
+              namespace: kube-system
+        `,
+        'test.yaml',
+      );
+      // HelmRelease is ignored, only OCIRepository itself is processed (-> no duplicates expected)
+      expect(result).toEqual({
+        deps: [
+          {
+            autoReplaceStringTemplate:
+              '{{#if newValue}}{{newValue}}{{/if}}{{#if newDigest}}@{{newDigest}}{{/if}}',
+            currentDigest: undefined,
+            currentValue: 'v1.8.2',
+            depName: 'ghcr.io/kyverno/manifests/kyverno',
+            packageName: 'ghcr.io/kyverno/manifests/kyverno',
+            datasource: DockerDatasource.id,
+            replaceString: 'v1.8.2',
+          },
+        ],
+      });
+    });
+
+    it('extracts HelmChart version', () => {
+      const result = extractPackageFile(
+        codeBlock`
+          ${fixtureHelmSource}
+          ---
+          ${fixtureHelmChart}
+        `,
+        'test.yaml',
+      );
+      expect(result).toEqual({
+        deps: [
+          {
+            currentValue: '2.0.2',
+            datasource: HelmDatasource.id,
+            depName: 'sealed-secrets',
+            registryUrls: ['https://bitnami-labs.github.io/sealed-secrets'],
+          },
+        ],
+      });
+    });
+
+    it('does not match HelmChart resources without a namespace', () => {
+      const result = extractPackageFile(
+        codeBlock`
+          ${fixtureHelmSource}
+          ---
+          apiVersion: source.toolkit.fluxcd.io/v1
+          kind: HelmChart
+          metadata:
+            name: sealed-secrets
+          spec:
+            interval: 10m
+            chart: sealed-secrets
+            sourceRef:
+              kind: HelmRepository
+              name: sealed-secrets
+            version: "2.0.2"
+        `,
+        'test.yaml',
+      );
+      expect(result).toEqual({
+        deps: [
+          {
+            currentValue: '2.0.2',
+            datasource: HelmDatasource.id,
+            depName: 'sealed-secrets',
+            skipReason: 'unknown-registry',
+          },
+        ],
+      });
+    });
+
+    it('ignores HelmChart resources using git sources', () => {
+      const result = extractPackageFile(
+        codeBlock`
+          apiVersion: source.toolkit.fluxcd.io/v1
+          kind: HelmChart
+          metadata:
+            name: sealed-secrets
+            namespace: kube-system
+          spec:
+            interval: 10m
+            chart: ./helm/sealed-secrets
+            sourceRef:
+              kind: GitRepository
+              name: sealed-secrets
+        `,
+        'test.yaml',
+      );
+      expect(result).toBeNull();
+    });
+
+    it('ignores HelmChart resources using bucket sources', () => {
+      const result = extractPackageFile(
+        codeBlock`
+          apiVersion: source.toolkit.fluxcd.io/v1
+          kind: Bucket
+          metadata:
+            name: sealed-secrets
+            namespace: kube-system
+          spec:
+            interval: 5m0s
+            endpoint: sealed-secrets.example.com
+            bucketName: example
+          ---
+          apiVersion: source.toolkit.fluxcd.io/v1
+          kind: HelmChart
+          metadata:
+            name: sealed-secrets
+            namespace: kube-system
+          spec:
+            interval: 10m
+            chart: ./helm/sealed-secrets
+            sourceRef:
+              kind: Bucket
+              name: sealed-secrets
+        `,
+        'test.yaml',
+      );
+      expect(result).toEqual({
+        deps: [
+          {
+            depName: './helm/sealed-secrets',
+            skipReason: 'unsupported-datasource',
+          },
+        ],
+      });
+    });
+
     it('ignores GitRepository without a tag nor a commit', () => {
       const result = extractPackageFile(
         codeBlock`
@@ -897,5 +1092,26 @@ describe('modules/manager/flux/extract', () => {
       ]);
       expect(result).toBeNull();
     });
+
+    it('should pick correct package file when using HelmRepository with chartRef', async () => {
+      const result = await extractAllPackageFiles(config, [
+        'lib/modules/manager/flux/__fixtures__/helmChartRefRelease.yaml',
+        'lib/modules/manager/flux/__fixtures__/helmChart.yaml',
+        'lib/modules/manager/flux/__fixtures__/helmSource.yaml',
+      ]);
+      expect(result).toEqual([
+        {
+          deps: [
+            {
+              currentValue: '2.0.2',
+              datasource: HelmDatasource.id,
+              depName: 'sealed-secrets',
+              registryUrls: ['https://bitnami-labs.github.io/sealed-secrets'],
+            },
+          ],
+          packageFile: 'lib/modules/manager/flux/__fixtures__/helmChart.yaml',
+        },
+      ]);
+    });
   });
 });