Merge remote-tracking branch 'origin/main' into maintenance/security-…

…context-and-tmp-directories

.changeset/config.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "https://unpkg.com/@changesets/[email protected]/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "restricted",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "ignore": []
+}

.github/workflows/lint-test.yml

@@ -33,7 +33,7 @@ jobs:
           fi
 
       - name: Run chart-testing (lint)
-        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --check-version-increment=false
 
       - name: Create kind cluster
         uses: helm/[email protected]

.github/workflows/release.yml

@@ -7,17 +7,30 @@ on:
 
 jobs:
   release:
-    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
-    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
-    permissions:
-      contents: write
+    name: Changeset and Release
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      - name: Checkout Repo
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
+      - name: Setup Node.js 
+        uses: actions/setup-node@v3
+        with:
+          node-version: 20.10.0
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3          
+
+      - name: Install Dependencies
+        run: npm install
+
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
@@ -35,14 +48,22 @@ jobs:
           echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
         env:
           GPG_OPERATIONS_BASE64: "${{ secrets.GPG_OPERATIONS_BASE64 }}"
-          GPG_OPERATIONS_PASSPHRASE: "${{ secrets.GPG_OPERATIONS_PASSPHRASE }}"
+          GPG_OPERATIONS_PASSPHRASE: "${{ secrets.GPG_OPERATIONS_PASSPHRASE }}"        
 
-      - name: Install Helm
-        uses: azure/setup-helm@v3
+      - name: Create Release Pull Request
+        id: changesets
+        uses: changesets/action@v1
+        with:
+          title: Release Tracking
+          version: npm run changeset:version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Run chart-releaser
+      - name: Publish
+        if: steps.changesets.outputs.hasChangesets == 'false'
         uses: helm/[email protected]
         with:
           config: .github/workflows/cr.yaml
+          skip_existing: true
         env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"        

.gitignore

@@ -1,2 +1,4 @@
 charts/openproject/charts
 Chart.lock
+node_modules/
+.cr-gpg/

README.md

@@ -10,10 +10,14 @@ using helm's [chart-releaser](https://github.com/helm/chart-releaser-action) act
 Please refer to our [documentation](https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/) for instructions on how to install the OpenProject helm chart.
 
 
-
 ## Helm chart signing
 
 We sign our chart using the [Helm Provenance and Integrity](https://helm.sh/docs/topics/provenance/) functionality. You can find the used public key here
 
 -  https://github.com/opf/helm-charts/blob/main/signing.key 
 - https://keys.openpgp.org/vks/v1/by-fingerprint/CB1CA0488A75B7471EA1B087CF56DD6A0AE260E5
+
+
+# Contribution
+
+We welcome all contributions. For the release management, we're using the [changeset action](https://github.com/changesets/action) to generate the changelog and maintain the release process.