
fix(helm-update-chart): use VALUES_KEY for template file paths instead of COMP_NAME #168

Merged
bedatty merged 4 commits into develop from fix/helm-update-chart-path-bug on Mar 25, 2026

Conversation

@gandalf-at-lerian (Contributor) commented Mar 25, 2026

Problem

The helm-update-chart workflow uses COMP_NAME to build template file paths:

CONFIGMAP_FILE="${TEMPLATES_BASE}/${COMP_NAME}/configmap.yaml"
SECRET_FILE="${TEMPLATES_BASE}/${COMP_NAME}/secret.yaml"

But the actual directory structure uses VALUES_KEY names. For example, the component plugin-br-pix-indirect-btg-worker-inbound has values_key: inbound, so the template lives at templates/inbound/configmap.yaml, not templates/plugin-br-pix-indirect-btg-worker-inbound/configmap.yaml.

The if [ -f ] check returns false silently, so detected env vars are never injected.

Found in PR #1143 (plugin-br-pix-indirect-btg v1.5.0) — 32 env vars detected but none inserted.

Fix

  • Use VALUES_KEY instead of COMP_NAME for CONFIGMAP_FILE and SECRET_FILE paths
  • Update create_secret_template function to take VALUES_KEY as the single argument (used for both directory path and .Values references)
  • Add ::warning:: annotations when template files are not found (no more silent failures)

Closes #167

Summary by CodeRabbit

  • Bug Fixes

    • Emits explicit warnings when secret/config templates or markers are missing and skips insertions instead of failing silently.
    • Improved reliability of workflow outputs reporting updated components.
  • Refactor

    • Streamlined template/value selection so secret and config templates consistently resolve under a single values key.
  • Chores

    • Pinned key workflow tools to specific revisions and added a security/code-scanning note near checkout.
  • Documentation

    • Tightened guidance: require SHA pins for third‑party actions, prefer tags/branches for org actions, and added examples.

…d of COMP_NAME

The workflow was using COMP_NAME to build configmap/secret template paths
(e.g. templates/plugin-br-pix-indirect-btg-worker-inbound/configmap.yaml)
but the actual directory structure uses VALUES_KEY names
(e.g. templates/inbound/configmap.yaml).

This caused the if [ -f ] check to silently fail, resulting in detected
env vars never being injected into configmap/secret templates.

Changes:
- Use VALUES_KEY for CONFIGMAP_FILE and SECRET_FILE paths
- Update create_secret_template to take VALUES_KEY as single arg
- Add ::warning:: annotations when template files are not found

Closes #167
@gandalf-at-lerian gandalf-at-lerian requested a review from a team as a code owner March 25, 2026 13:10
@lerian-studio left a comment

⚠️ Invalid Source Branch

Pull requests to main can only come from:

  • develop
  • hotfix/*

Your source branch: fix/helm-update-chart-path-bug

Please change the base branch or create a PR from an allowed branch.

@github-actions github-actions bot added the workflow Changes to one or more reusable workflow files label Mar 25, 2026
@lerian-studio lerian-studio added the size/XS PR changes < 50 lines label Mar 25, 2026
lerian-studio commented Mar 25, 2026

🔍 Lint Analysis

Check                 Files Scanned   Status
YAML Lint             1 file(s)       ✅ success
Action Lint           1 file(s)       ❌ failure
Pinned Actions        1 file(s)       ❌ failure
Markdown Link Check   4 file(s)       ✅ success
Spelling Check        7 file(s)       ✅ success
Shell Check           1 file(s)       ❌ failure
README Check          1 file(s)       ✅ success
Composite Schema      no changes      ⏭️ skipped
❌ Failures (3)

Action Lint

.github

  • .github (line 469) — ❌ [actionlint] The command ran successfully and some problem was found (found 0 errors, linted 0 files), exit code: 1

.github/workflows/helm-update-chart.yml

  • .github/workflows/helm-update-chart.yml (line 478) — shellcheck reported issue in this script: SC2129:style:6:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects
  • .github/workflows/helm-update-chart.yml (line 478) — shellcheck reported issue in this script: SC2129:style:19:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects
  • .github/workflows/helm-update-chart.yml (line 417) — shellcheck reported issue in this script: SC2034:warning:4:1: COMMIT_MSG appears unused. Verify use (or export if used externally)

Pinned Actions

.github

  • .github (line 82) — Process completed with exit code 1.
  • .github (line 81) — Found 2 unpinned external action(s). Pin to a final release version (vX or vX.Y.Z).

.github/workflows/helm-update-chart.yml

Shell Check

.github

  • .github (line 132) — Process completed with exit code 1.
  • .github (line 131) — Found 2 shellcheck error(s) in run: blocks.

🔍 View full scan logs

lerian-studio commented Mar 25, 2026

🛡️ CodeQL Analysis Results

Languages analyzed: actions

Found 1 issue(s): 1 Medium

Severity    Rule                                File                                           Message
🟡 Medium   actions/untrusted-checkout/medium   .github/workflows/helm-update-chart.yml:155    Potential unsafe checkout of untrusted pull request on privileged workflow.

🔍 View full scan logs | 🛡️ Security tab

coderabbitai bot commented Mar 25, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

Updated the reusable workflow to resolve template paths using VALUES_KEY, simplify secret-template creation, harden and quote GitHub Actions output writes, pin a couple of actions to specific commits, add a CodeQL checkout comment, and emit warnings when templates or marker comments are missing. (49 words)

Changes

Cohort / File(s)                                                    Summary

Helm Update Chart Workflow
.github/workflows/helm-update-chart.yml
    Replace COMP_NAME-based template lookups with VALUES_KEY; create_secret_template now accepts only values_key and uses ${TEMPLATES_BASE}/${VALUES_KEY}/secret.yaml; component env-var insertion resolves configmap/secret under ${TEMPLATES_BASE}/${VALUES_KEY}/...; emit ::warning:: when files or marker comments are absent; group and quote $GITHUB_OUTPUT/$GITHUB_STEP_SUMMARY writes; normalize updated_components formatting; pin ghaction-import-gpg and yq to commit SHAs; add CodeQL checkout comment.

Action Pinning & Guidance (docs)
.claude/commands/composite.md, .claude/commands/gha.md, .claude/commands/workflow.md, AGENTS.md
    Tighten GitHub Action pinning guidance: require third-party actions (outside org) to be pinned by commit SHA (optionally annotated with # vX.Y.Z), specify org-owned actions be pinned by release tag or testing branch; update examples and security guidance accordingly.

Linting / Rules (cursor)
.cursor/rules/composite-actions.mdc, .cursor/rules/reusable-workflows.mdc
    Align repository rule files with the new pinning policy: third-party actions pinned by commit SHA (with optional version comment), org-owned actions pinned by tag/branch; preserve prohibition on @main/@master for third-party actions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name                   Status       Explanation
Out of Scope Changes check   ⚠️ Warning   Documentation updates in .claude/commands/ and .cursor/rules/ expand GitHub Actions pinning guidance (third-party by SHA, org-owned by tag) but are unrelated to the helm-update-chart bug fix in issue #167.
                                          Resolution: Move pinning rule updates to a separate PR or document their connection to the helm-update-chart changes. These are policy/documentation changes orthogonal to the VALUES_KEY path bug fix.

✅ Passed checks (4 passed)

Check name             Status      Explanation
Title check            ✅ Passed   Title accurately describes the primary fix: replacing COMP_NAME with VALUES_KEY for template file paths in helm-update-chart workflow.
Description check      ✅ Passed   Description clearly states the problem, root cause, and fixes. Includes concrete example and identifies the linked issue.
Linked Issues check    ✅ Passed   Changes address all coding objectives from issue #167: CONFIGMAP_FILE and SECRET_FILE now use VALUES_KEY instead of COMP_NAME; create_secret_template updated to use VALUES_KEY; warning annotations added for missing templates.
Docstring Coverage     ✅ Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@bedatty (Contributor) left a comment

LGTM — surgical and correct fix.

Review summary:

  • Template paths fixed from COMP_NAME → VALUES_KEY (root cause of the bug)
  • create_secret_template() simplified from 2 params to 1 (removes fallback that masked the issue)
  • ::warning:: added in else branches to prevent silent failures going forward

No side effects — VALUES_KEY was already used correctly for tag bumps and .Values.* references.

@bedatty bedatty changed the base branch from main to develop March 25, 2026 17:06
…eferences

Resolves SC2086 (double quote to prevent globbing) and SC2129 (group
redirects) shellcheck warnings flagged by the PR lint analysis.
@lerian-studio lerian-studio added size/S PR changes 50–199 lines and removed size/XS PR changes < 50 lines labels Mar 25, 2026
- Pin crazy-max/ghaction-import-gpg and mikefarah/yq to commit SHAs
- Move inputs.base_branch to env var to prevent code injection in step summary
- Add inline comment dismissing untrusted-checkout false positive
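The first two items of that commit, shown side by side with the patterns they replace, as an added example that is not the project's workflow. Every action version, the 40-digit SHA and the step bodies are placeholders; the real pins are in the repository, not here. The vulnerable expression form uses the $(id) vector the review describes below.

```yaml
# Added example (not the helm-update-chart workflow): mutable-tag and
# expression-injection patterns beside their hardened forms.
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # Before: a mutable tag on a third-party action. Whoever can move the
      # tag chooses the code that runs with this job's GITHUB_TOKEN.
      # - uses: crazy-max/ghaction-import-gpg@v6
      #
      # After: an immutable commit SHA, with the tag it resolved from kept as
      # a trailing comment for readers and for dependency-update bots.
      # (SHA below is a placeholder, not the real pin.)
      - uses: crazy-max/ghaction-import-gpg@0000000000000000000000000000000000000000 # vX.Y.Z

      # Org-owned actions stay on a release tag under the updated guidance.
      # (Action name and tag are placeholders.)
      - uses: LerianStudio/example-action@v1

      # Before: the caller-supplied input is substituted into the script text
      # by the expression engine before bash runs it, so a value such as
      # $(id) executes as shell.
      # - run: echo "Base: ${{ inputs.base_branch }}" >> "$GITHUB_STEP_SUMMARY"
      #
      # After: the value reaches the step as an environment variable and is
      # only ever expanded by the shell, inside double quotes.
      - name: Write step summary
        env:
          BASE_BRANCH: ${{ inputs.base_branch }}
        run: |
          echo "Base: ${BASE_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
```

The env: mapping is the general rule for anything that originates outside the workflow (inputs, event payload fields, step outputs derived from them): keep ${{ }} out of run: blocks and read the value from the environment instead.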
coderabbitai[bot] previously requested changes Mar 25, 2026
Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/helm-update-chart.yml:
- Line 405: The workflow is emitting a dead output named commit_msg (echo
"commit_msg=${COMMIT_MSG}" >> "$GITHUB_OUTPUT") while the subsequent step only
assigns it to COMMIT_MSG and never uses it, so either remove the output emission
and the unused assignment to COMMIT_MSG to eliminate the dead-variable (SC2034)
or keep the output and actually consume COMMIT_MSG in a later step; locate the
echo line that writes commit_msg to GITHUB_OUTPUT and the step that assigns
COMMIT_MSG and either delete both or change downstream steps to reference
COMMIT_MSG so the output is used.
- Around line 244-247: The function create_secret_template builds paths using
the caller-supplied values_key and can be exploited with "../" or absolute
paths; validate values_key against a strict single path-segment slug regex (e.g.
allow only ASCII letters, digits, dot, underscore, hyphen: ^[A-Za-z0-9._-]+$),
and abort with a non-zero exit/explicit error if it fails validation before
constructing secret_file or any other path using TEMPLATES_BASE and values_key;
apply the same validation check wherever values_key is used to build files (the
other create_* template calls that reference values_key) to ensure no
multi-segment, parent-traversal, or absolute paths are allowed.
- Around line 139-147: The exported workflow outputs (CHART, HAS_NEW_ENV_VARS,
SOURCE_REF, SOURCE_REPO, SOURCE_ACTOR, SOURCE_SHA, BRANCH_NAME) are written
using plain key=value which is vulnerable to newline injection; change the
export to GitHub's multiline output format (e.g., write "VAR<<EOF", then the
variable value, then "EOF" for each variable) when appending to GITHUB_OUTPUT to
safely preserve newlines. Also validate and sanitize VALUES_KEY (reject or fail
on values containing ../, /, or other path-traversal characters and any
characters unsafe for yq expressions) before using it in filesystem paths or yq
commands so callers cannot traverse directories or inject expressions.
- Around line 479-483: The workflow currently injects the reusable input `${{
inputs.base_branch }}` directly into the bash script (used in the echo lines
that write to GITHUB_STEP_SUMMARY), which allows command-substitution vectors
like `$(id)` from untrusted callers; fix it by moving `inputs.base_branch` into
the job/step `env:` (e.g. set `env: BASE_BRANCH: ${{ inputs.base_branch }}`) and
then reference the environment variable (`"$BASE_BRANCH"`) in the echo that
writes the Base line (use `"$BASE_BRANCH"` instead of ```${{ inputs.base_branch
}}```); keep the other variables (CHART, BRANCH_NAME) usage as-is and ensure all
echo arguments are quoted to avoid further word-splitting or substitution.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 87e4f603-27a6-4f54-88ca-23826eb10e85

📥 Commits

Reviewing files that changed from the base of the PR and between 99dd556 and f7b22fa.

📒 Files selected for processing (1)
  • .github/workflows/helm-update-chart.yml
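The newline-injection point in the review above is easy to reproduce. The following is an added example, not code from the workflow: the plain key=value write to $GITHUB_OUTPUT that the review flags, beside the delimited multiline form it recommends, and a small reader that resolves outputs the way the runner does (last assignment wins). write_output, write_output_unsafe, read_output, the two *_demo functions and the EVIL value are assumptions constructed for illustration; the delimiter format itself is GitHub's documented name<<DELIM syntax.

```shell
#!/usr/bin/env sh
# Added example, not the workflow's own code: unsafe vs delimited writes to
# $GITHUB_OUTPUT, plus a reader that mimics the runner's last-wins semantics.
set -eu

# Constructed attacker-controlled value: a plausible values_key followed by a
# newline and a second key=value pair.
EVIL='inbound
source_ref=refs/heads/attacker'

# The pattern the review flagged: any newline in $2 starts a new output line,
# so the second line above becomes its own output.
write_output_unsafe() {
  echo "$1=$2" >> "$GITHUB_OUTPUT"
}

# GitHub's multiline format with a delimiter the value cannot predict, written
# as one grouped redirect (also what shellcheck SC2129 asks for).
write_output() {
  name="$1" value="$2"
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$GITHUB_OUTPUT"
}

# Reads NAME back from $GITHUB_OUTPUT, accepting both "key=value" lines and
# "key<<DELIM ... DELIM" blocks; prints the last value set, returns 1 if none.
read_output() {
  awk -v want="$1" '
    inblock {
      if ($0 == delim) { inblock = 0; if (key == want) { val = buf; found = 1 } }
      else { buf = (n++ ? buf "\n" : "") $0 }
      next
    }
    {
      h = index($0, "<<"); e = index($0, "=")
      if (h && (!e || h < e)) {
        key = substr($0, 1, h - 1); delim = substr($0, h + 2)
        buf = ""; n = 0; inblock = 1; next
      }
      if (e && substr($0, 1, e - 1) == want) { val = substr($0, e + 1); found = 1 }
    }
    END { if (found) print val; exit (found ? 0 : 1) }
  ' "$GITHUB_OUTPUT"
}

# Prints the source_ref the runner would see after the unsafe write: the line
# smuggled inside values_key overrides the legitimate value.
unsafe_demo() {
  GITHUB_OUTPUT="$(mktemp)"; export GITHUB_OUTPUT
  write_output_unsafe source_ref refs/heads/develop
  write_output_unsafe values_key "$EVIL"
  read_output source_ref
  rm -f "$GITHUB_OUTPUT"
}

# Same values through the delimited writer: source_ref is untouched and the
# two-line values_key round-trips as a single value (printed after it).
safe_demo() {
  GITHUB_OUTPUT="$(mktemp)"; export GITHUB_OUTPUT
  write_output source_ref refs/heads/develop
  write_output values_key "$EVIL"
  read_output source_ref
  read_output values_key
  rm -f "$GITHUB_OUTPUT"
}

echo "unsafe: $(unsafe_demo)"
printf 'safe:\n%s\n' "$(safe_demo)"
```

A random delimiter matters because a fixed EOF can itself be supplied in the value to close the block early; the delimited write protects the output file, while validating VALUES_KEY (the review's second point) is still needed before the value is used in a path or a yq expression.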

@lerian-studio lerian-studio added size/S PR changes 50–199 lines and removed size/S PR changes 50–199 lines labels Mar 25, 2026
coderabbitai[bot] previously requested changes Mar 25, 2026

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/helm-update-chart.yml (1)

17-27: ⚠️ Potential issue | 🟠 Major

Missing workflow_dispatch and dry_run input.

Per coding guidelines, reusable workflows must:

  1. Support workflow_dispatch for manual testing
  2. Include a dry_run boolean input (default: false) for workflows that apply state changes

This workflow commits changes, pushes branches, and creates PRs—all state-changing operations that would benefit from dry-run capability.

Add required triggers and input
 on:
   workflow_call:
     inputs:
+      dry_run:
+        description: 'Run in dry-run mode without creating commits/PRs (default: false)'
+        type: boolean
+        default: false
       payload:
         description: 'JSON payload with chart, components, and metadata'
         # ... rest of inputs
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Run in dry-run mode without creating commits/PRs'
+        type: boolean
+        default: true
+      payload:
+        description: 'JSON payload with chart, components, and metadata'
+        type: string
+        required: true
+      # ... mirror other inputs
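Review bot: the two dry_run defaults in this suggestion disagree (false under workflow_call, true under workflow_dispatch) while the guideline quoted for it says default false; pick one, and if manual runs are meant to default to dry-run, say so in the input description. The input is also inert on its own: the commit, push and PR-creation steps have to test inputs.dry_run and skip when it is set. Finally, the workflow_dispatch block must declare every input the workflow_call block does; base_branch is only hinted at by "# ... mirror other inputs", and without it ${{ inputs.base_branch }} is empty on a manual run.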

As per coding guidelines: "Always include a dry_run input in reusable workflows" and "Every reusable workflow must support workflow_call for external callers and workflow_dispatch for manual testing."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/helm-update-chart.yml around lines 17 - 27, Add a manual
trigger and a dry-run input: keep the existing workflow_call block
(inputs.payload and inputs.base_branch) and add a top-level workflow_dispatch
trigger to allow manual testing, and add an inputs.dry_run boolean (default:
false) to the workflow_call inputs so callers can opt into non-mutating runs;
ensure the workflow logic references inputs.dry_run where commits/branch
pushes/PR creation occur to skip state-changing operations when true.
♻️ Duplicate comments (1)
.github/workflows/helm-update-chart.yml (1)

408-408: ⚠️ Potential issue | 🟡 Minor

Dead output: commit_msg is assigned but never used.

Line 421 captures COMMIT_MSG from this output, but that variable is never referenced afterwards. The pipeline failure (SC2034) is valid.

Remove the dead output and assignment
-          echo "commit_msg=${COMMIT_MSG}" >> "$GITHUB_OUTPUT"
           echo "Committing with message: ${COMMIT_MSG}"
           git commit -m "${COMMIT_MSG}"

And at line 421:

-          COMMIT_MSG="${{ steps.commit.outputs.commit_msg }}"
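Review bot: deleting the commit_msg output is the right fix, and the second hunk has a security side benefit worth noting in the commit message: COMMIT_MSG="${{ steps.commit.outputs.commit_msg }}" interpolates a step output straight into a run: script, the same expression-in-shell pattern the base_branch change moved into env:. Before removing it, confirm nothing outside this file reads steps.commit.outputs.commit_msg; a caller of the reusable workflow could only see it through an outputs: mapping, and nothing in the diff shows one. The remaining git commit -m "${COMMIT_MSG}" is unaffected because the variable is still set earlier in the same step.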
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/helm-update-chart.yml at line 408, Remove the dead output
assignment echo "commit_msg=${COMMIT_MSG}" >> "$GITHUB_OUTPUT" and the
corresponding capture of that output (the commit_msg/COMMIT_MSG variable)
elsewhere in the workflow; specifically delete the echo that writes commit_msg
to GITHUB_OUTPUT and any usage or assignment that reads commit_msg/COMMIT_MSG
(the unused COMMIT_MSG capture) so the unused variable warning (SC2034) is
resolved.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/helm-update-chart.yml:
- Around line 484-503: The multiple echo lines writing to GITHUB_STEP_SUMMARY
(using variables CHART, BRANCH_NAME, BASE_BRANCH, HAS_CHANGES and the COMPONENTS
jq output) should be combined into a single redirected block to avoid repeated
redirection (fix SC2129); replace the series of individual echo >>
"$GITHUB_STEP_SUMMARY" calls with one grouped write (e.g., a here-doc or a
single cat <<'EOF' >> "$GITHUB_STEP_SUMMARY" ... EOF) that includes the header,
PR status conditional output (expand the HAS_CHANGES check into the block or
write the conditional result into a variable and include it), and the Components
table header, then append the jq-produced component rows in one grouped
redirection to GITHUB_STEP_SUMMARY so all lines are written with a single >>
operation.

---

Outside diff comments:
In @.github/workflows/helm-update-chart.yml:
- Around line 17-27: Add a manual trigger and a dry-run input: keep the existing
workflow_call block (inputs.payload and inputs.base_branch) and add a top-level
workflow_dispatch trigger to allow manual testing, and add an inputs.dry_run
boolean (default: false) to the workflow_call inputs so callers can opt into
non-mutating runs; ensure the workflow logic references inputs.dry_run where
commits/branch pushes/PR creation occur to skip state-changing operations when
true.

---

Duplicate comments:
In @.github/workflows/helm-update-chart.yml:
- Line 408: Remove the dead output assignment echo "commit_msg=${COMMIT_MSG}" >>
"$GITHUB_OUTPUT" and the corresponding capture of that output (the
commit_msg/COMMIT_MSG variable) elsewhere in the workflow; specifically delete
the echo that writes commit_msg to GITHUB_OUTPUT and any usage or assignment
that reads commit_msg/COMMIT_MSG (the unused COMMIT_MSG capture) so the unused
variable warning (SC2034) is resolved.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5409ceee-8674-405e-9689-fbc6f0ef9d00

📥 Commits

Reviewing files that changed from the base of the PR and between f7b22fa and 566bf29.

📒 Files selected for processing (1)
  • .github/workflows/helm-update-chart.yml

@bedatty bedatty dismissed stale reviews from coderabbitai[bot] and coderabbitai[bot] March 25, 2026 17:31

All comments addressed. 1 valid (dead commit_msg output — will fix), 1 already fixed (base_branch injection), 2 dismissed (low-risk defense-in-depth for internal workflow_call).

@bedatty bedatty self-assigned this Mar 25, 2026
Update all rules and commands (Claude, Cursor, AGENTS.md) to require
third-party actions to be pinned by commit SHA instead of mutable tags.
LerianStudio org actions remain pinned by release tag.
@lerian-studio lerian-studio added size/S PR changes 50–199 lines and removed size/S PR changes 50–199 lines labels Mar 25, 2026
@github-actions github-actions bot added documentation Improvements or additions to documentation and removed size/S PR changes 50–199 lines labels Mar 25, 2026
@bedatty bedatty merged commit dc22651 into develop Mar 25, 2026
20 of 24 checks passed
@github-actions github-actions bot deleted the fix/helm-update-chart-path-bug branch March 25, 2026 17:38

Labels

documentation Improvements or additions to documentation workflow Changes to one or more reusable workflow files

Development

Successfully merging this pull request may close these issues.

helm-update-chart: env vars not added to configmap/secret templates when component name differs from template directory

3 participants