ci: add helm lint and validate workflow#54

Open
Ri-go wants to merge 2 commits into master from feat/helm-ci


@Ri-go Ri-go commented Mar 20, 2026

Summary

  • Add GitHub Actions workflow that lints, templates, and validates the helm chart
  • Triggers on PRs and pushes to master when helm/** files change
  • Auto-discovers all values.*.yaml files so future environments are covered without workflow changes
  • Uses kubectl apply --dry-run=client to validate rendered manifests

Test plan

  • Verify workflow triggers on helm file changes
  • Confirm lint, template, and validate steps pass for values.testnet.yaml

Summary by CodeRabbit

  • Chores
    • Added a CI workflow ("Helm Lint & Template") that triggers on relevant changes, lints Helm charts, discovers configuration value files, renders templates per configuration, and performs client-side dry-run validation of the rendered manifests to catch deployment issues early.

Runs on PRs and pushes to master when helm/ files change.
Automatically discovers all values.*.yaml files and validates
against each one.
coderabbitai Bot commented Mar 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 353a7281-934c-4cc8-ac85-80a69b1d0998

📥 Commits

Reviewing files that changed from the base of the PR and between bf877ad and a0701dd.

📒 Files selected for processing (1)
  • .github/workflows/helm-lint.yaml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/helm-lint.yaml

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow .github/workflows/helm-lint.yaml that lints a Helm chart, discovers all values.*.yaml/values.*.yml files, renders the chart for each values file, and validates rendered manifests with kubectl apply --dry-run=client. Triggers on PRs and pushes to master when helm/** changes.

Changes

Cohort / File(s) | Summary
Helm Validation Workflow (.github/workflows/helm-lint.yaml) | Introduces CI job helm-lint that checks out code, installs Helm v3.17.3, runs helm lint ./helm, discovers values.*.yaml/values.*.yml under ./helm, runs helm template price-oracle ./helm -f <values-file> for each, and validates rendered manifests via kubectl apply --dry-run=client -f -.

Sequence Diagram(s)

sequenceDiagram
  participant GH as "GitHub Actions\n(runner)"
  participant Repo as "Repository\n(helm/**)"
  participant Helm as "Helm v3.17.3"
  participant K8s as "kubectl (dry-run)"

  GH->>Repo: checkout
  GH->>Helm: install Helm
  GH->>Helm: helm lint ./helm
  GH->>Repo: find values.*.yaml / .yml
  loop for each values file
    GH->>Helm: helm template price-oracle ./helm -f <values-file>
    Helm->>GH: rendered manifests (stdout)
    GH->>K8s: kubectl apply --dry-run=client -f -
    K8s-->>GH: validation result
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through charts with linting delight,

Rendered each values file by soft moonlight,
Dry-run approved with a confident cheer,
A rabbit's small stamp says "CI is clear!" 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and concisely describes the main change: adding a GitHub Actions workflow for Helm linting and validation.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/helm-lint.yaml (2)

3-10: Consider triggering on workflow-file changes as well.

With current path filters, edits to Line 1–Line 48 alone won’t execute this workflow. Add .github/workflows/helm-lint.yaml to paths so CI validates workflow changes too.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/helm-lint.yaml around lines 3 - 10, The workflow path
filters currently only include "helm/**" so changes to this workflow file itself
won't trigger the job; update the paths list in .github/workflows/helm-lint.yaml
(the pull_request and push "paths" arrays) to also include
".github/workflows/helm-lint.yaml" so edits to the workflow file run the CI;
modify both pull_request.paths and push.paths entries to add the workflow
filepath alongside "helm/**".

42-48: Pin/install kubectl explicitly for reproducible CI behavior.

Validation currently depends on whatever kubectl version ubuntu-latest provides. That drift can cause non-deterministic failures; set up a fixed kubectl version in this workflow before Line 42.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/helm-lint.yaml around lines 42 - 48, The workflow step
"Validate rendered manifests" currently relies on the runner's implicit kubectl;
add an explicit installation step before that step to pin a kubectl version
(e.g., use actions/setup-kubectl or azure/setup-kubectl with kubectl-version:
'1.26.0' or another chosen semver) so the subsequent helm template | kubectl
apply --dry-run=client command uses a known kubectl; implement the new step
immediately before the "Validate rendered manifests" step and reference the same
job context so the "kubectl apply --dry-run=client" invocation runs against the
pinned kubectl binary.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/helm-lint.yaml:
- Around line 26-33: The "Find values files" step (id: values) currently writes
whatever find returns to GITHUB_OUTPUT but doesn't fail if none are found; after
capturing files into the variable named files, add an explicit non-empty check
(e.g., test if "$files" is empty) and if empty call exit 1 or use gh action
failure to stop the job, logging a clear message to indicate no
values.*.yaml/yml files were discovered so downstream template/validate loops
don't silently become no-ops.
- Around line 42-48: Add strict shell options to the validation step so failures
in helm template are not masked: at the start of the run block containing the
loop that echoes and runs "helm template price-oracle ./helm -f \"$f\" | kubectl
apply --dry-run=client -f -", add "set -euo pipefail" (or equivalent POSIX-safe
options) so any command error or undefined variable causes the step to fail;
ensure this is applied before the while IFS= read -r f; do ... done <<< "${{
steps.values.outputs.files }}" loop so helm template failures are preserved.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cc4e91f9-7563-4e14-ba38-0950c1a09998

📥 Commits

Reviewing files that changed from the base of the PR and between 05cc462 and bf877ad.

📒 Files selected for processing (1)
  • .github/workflows/helm-lint.yaml

Comment on lines +26 to +33
- name: Find values files
id: values
run: |
files=$(find ./helm -name 'values.*.yaml' -o -name 'values.*.yml' | sort)
echo "files<<EOF" >> "$GITHUB_OUTPUT"
echo "$files" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"

⚠️ Potential issue | 🟠 Major

Fail fast when no values files are discovered.

If find returns nothing, template/validate loops become no-ops and the job still passes. Add an explicit non-empty check after Line 29.

Suggested patch
       - name: Find values files
         id: values
         run: |
           files=$(find ./helm -name 'values.*.yaml' -o -name 'values.*.yml' | sort)
+          if [ -z "$files" ]; then
+            echo "No values.*.yaml or values.*.yml files found under ./helm" >&2
+            exit 1
+          fi
           echo "files<<EOF" >> "$GITHUB_OUTPUT"
           echo "$files" >> "$GITHUB_OUTPUT"
           echo "EOF" >> "$GITHUB_OUTPUT"
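Review bot: the `find` line kept directly above the new `-z "$files"` check has no `-type f`, so a directory whose name matches `values.*.yaml` would be listed as a values file; consider `find ./helm -type f \( -name 'values.*.yaml' -o -name 'values.*.yml' \)`. The three `GITHUB_OUTPUT` lines after the check also wrap path names taken from the checkout in the fixed delimiter `EOF`; a delimiter generated per run is the safer form for a multi-line output whose content the workflow does not control.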
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/helm-lint.yaml around lines 26 - 33, The "Find values
files" step (id: values) currently writes whatever find returns to GITHUB_OUTPUT
but doesn't fail if none are found; after capturing files into the variable
named files, add an explicit non-empty check (e.g., test if "$files" is empty)
and if empty call exit 1 or use gh action failure to stop the job, logging a
clear message to indicate no values.*.yaml/yml files were discovered so
downstream template/validate loops don't silently become no-ops.

Comment thread .github/workflows/helm-lint.yaml
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
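The two actionable findings in the review above (an empty discovery result and a masked `helm template` failure), reproduced offline as an added example that is not part of the PR or of CodeRabbit's review. `render` and `validate` are constructed stand-ins for `helm template` and `kubectl apply --dry-run=client -f -`, `step_status` and `discover_values` are hypothetical helper names, and `-type f` is an addition to the workflow's `find` expression.

```bash
#!/usr/bin/env bash
# Added example. render/validate are constructed stand-ins for
# `helm template` and `kubectl apply --dry-run=client -f -`.

# Stand-in pipeline: the renderer emits partial output and then fails,
# while the validator accepts whatever reaches its stdin.
PIPELINE='
render()   { echo "kind: ConfigMap"; return 1; }
validate() { cat >/dev/null; }
render | validate
'

# Run the pipeline in a child bash started with the given options and
# print the exit status the CI step would report.
step_status() {
  local status=0
  bash --noprofile --norc "$@" -c "$PIPELINE" >/dev/null 2>&1 || status=$?
  echo "$status"
}

# Discover values files under a chart directory; fail when none exist so
# the per-file loop can never silently run zero times.
discover_values() {
  local files
  files=$(find "$1" -type f \( -name 'values.*.yaml' -o -name 'values.*.yml' \) | sort)
  if [ -z "$files" ]; then
    echo "No values.*.yaml or values.*.yml files found under $1" >&2
    return 1
  fi
  printf '%s\n' "$files"
}

demo() {
  local chart
  chart=$(mktemp -d)   # constructed, empty chart directory
  echo "errexit only:       exit $(step_status -e)"
  echo "errexit + pipefail: exit $(step_status -e -o pipefail)"
  discover_values "$chart" 2>/dev/null || echo "empty chart dir: discovery failed as intended"
  touch "$chart/values.testnet.yaml"
  echo "discovered: $(discover_values "$chart")"
  rm -rf "$chart"
}
demo
```

GitHub Actions runs a `run:` step with no `shell:` key as `bash -e {0}` and one with `shell: bash` as `bash --noprofile --norc -eo pipefail {0}`, which is the difference the two `step_status` calls reproduce.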