ci(#4750): backport helm-smoke k3d-version pin + DRAFT-skip to main #4750

Closed
aegis-gh-agent[bot] wants to merge 3 commits into main from backport/helm-smoke-k3d-pin
@aegis-gh-agent

Summary

Backport to `main` of the helm-smoke CI hardening landed on `develop` in #4560 and #4562:

  1. k3d-version pin to v5.9.0 (without it, `AbsaOSS/k3d-action@v2` defaults to v5.4.6 whose install.sh URL 404s on `k3d-io/k3d`).
  2. DRAFT-skip gate (helm-smoke is heavy ~1-5min; skip on PR drafts to save CI minutes).
  3. Regression note documenting the wrong-base dependabot pattern (5/30, 16.7% rate) so future operators don't strip the pin.

Context: the 3 red dependabot PRs

On 2026-06-16/17, three dependabot PRs (#4747 vite /, #4748 vite /dashboard, #4749 dompurify /dashboard) failed helm-smoke with `curl: (22) 404` from the k3d install step. They all targeted `main` (wrong-base pattern, 5/30 = 16.7% recent rate). `main` lacked the `k3d-version: v5.9.0` pin that #4560 added to `develop` on 2026-06-02T21:33:59Z.

Root cause: wrong-base dependabot PRs hit a workflow file on `main` that didn't have the pin.

Boss framing was "perms issue" - verified NOT. `k3d-version: v5.9.0` was simply missing on `main`.

Why backport (not just close the wrong-base PRs)

  • Defensive: any future wrong-base dependabot PR will pass helm-smoke without waiting for the next develop-targeted weekly scan.
  • Cheap: 1-line change to workflow file.
  • No runtime change: same k3d v5.9.0, same action, same behavior.
  • Matches the workflow trigger: `branches: [main, develop]` already says main runs this, so main should be safe.

Verification

  • PR targets `main` → will trigger helm-smoke on the workflow file itself (self-test).
  • The 2 cherry-picked commits are byte-identical to the originals on `develop` (verified via `git log -p`).
  • CI matrix (lint, test ubuntu×2, dashboard-test, helm-smoke, CodeQL, feat-minor-bump-gate, sync-state, Discord Notifications) should all pass.

Out of scope

  • `fix/helm-smoke-k3d-4586` branch (5 commits: replace `AbsaOSS/k3d-action@v2` with direct binary install + SHA256-pin). That's a more thorough fix tracked separately; this PR is the minimal-impact unblock.
  • dependabot.yml config (verified correct: `target-branch: develop` for all 4 ecosystems).
  • The wrong-base pattern itself (5/30 recent) - GitHub-side issue, documented in HEARTBEAT.

Refs

OneStepAt4time and others added 3 commits June 17, 2026 14:29
The AbsaOSS/k3d-action@v2.4.0 default k3d version is v5.4.6 (Jan 2023).
The k3d v5.4.6 installer URL has been returning HTTP 404 on PR runs,
causing helm-smoke to fail at the "Create k3d cluster" step. Pin to
k3d v5.9.0 (latest stable, working release assets in k3d-io/k3d).

Closes #4558

Reviewed-by: aegis-gh-agent[bot]
Co-authored-by: Hermes <hermes@onestepat4time.dev>
…#4562)

Add `github.event.pull_request.draft == false` gate to the helm-smoke
job. The 5th and final DRAFT-skip gate from the original #4557 audit
proposal, held back pending the k3d v5.4.6 404 fix in #4558 (now
resolved by PR #4560 / merged as 36dcd09).

The disjunct form `github.event_name != pull_request || draft == false`
correctly handles both triggers in helm-smoke.yml's `on:` block (PR
and push). Push events have no `pull_request` object but the first
disjunct is true, so the job runs normally on push. PR events evaluate
the second disjunct, which is true on ready PRs and false on DRAFTs.

A 5-line comment documents the rationale and the disjunct-form logic
per the acceptance criteria in #4559.

Verification:
- DRAFT run (26850293126): helm-smoke → SKIPPED ✅ (gate works)
- Ready run (26850610310): helm-smoke → SUCCESS at 22:04:08 ✅
  (k3d v5.9.0 pin from #4560 ensures the chart deploy + ag doctor
  pipeline completes)

Closes #4559

Reviewed-by: aegis-gh-agent[bot]
Co-authored-by: Hermes <hermes@onestepat4time.dev>
Backport to main of the helm-smoke k3d-version pin (#4560) + DRAFT-skip
gate (#4562), with a regression note explaining why the pin is required.

Context: 3 consecutive dependabot PRs (#4747, #4748, #4749) failed
helm-smoke on 2026-06-16/17 with 'curl: (22) 404' from the k3d install
step. Root cause: dependabot opened against main (wrong-base pattern,
5/30 rate) and main lacked the k3d-version pin that #4560 added to
develop on 2026-06-02. The action defaulted to v5.4.6, whose install.sh
URL 404s on the k3d-io/k3d repo.

Backport ensures wrong-base dependabot PRs also pass helm-smoke without
requiring the supply chain to wait for develop-targeted retries.

Refs #4560, #4562, #4747, #4748, #4749
Boss task 2026-06-17 14:12 GMT+2 (msg 1516777596979773552)
HEARTBEAT 2026-06-17 (helm-smoke dependabot red gate)
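
An added example, not part of this PR or the project's code: a small pre-merge check that flags any `AbsaOSS/k3d-action` step lacking an explicit `k3d-version` input, the regression the backport's note is meant to prevent. The workflow text, the `cluster-name` value and the function names are constructed for illustration.

```python
import re

# Constructed sample workflow; not the project's real helm-smoke.yml.
PINNED = """\
jobs:
  helm-smoke:
    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
    steps:
      - uses: actions/checkout@v4
      - name: Create k3d cluster
        uses: AbsaOSS/k3d-action@v2
        with:
          cluster-name: smoke
          k3d-version: v5.9.0
"""
# Same workflow with the pin stripped (the state `main` was in).
UNPINNED = PINNED.replace("          k3d-version: v5.9.0\n", "")


def step_blocks(text):
    """Yield (first_line_no, stripped_lines) per outermost YAML list item."""
    block, start, indent = None, 0, 0
    for no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        if not body or body.startswith("#"):
            continue
        cur = len(line) - len(body)
        if block is not None and cur <= indent:  # dedent closes the item
            yield start, block
            block = None
        if block is None and body.startswith("- "):
            block, start, indent = [], no, cur
            body = body[2:]
        if block is not None:
            block.append(body.strip())
    if block is not None:
        yield start, block


def unpinned_k3d_steps(text, action="AbsaOSS/k3d-action"):
    """Line numbers of steps that use `action` without an explicit k3d-version."""
    uses = re.compile(r"uses:\s*['\"]?" + re.escape(action) + r"@")
    pin = re.compile(r"k3d-version:\s*['\"]?v?\d+\.\d+\.\d+")
    return [start for start, block in step_blocks(text)
            if any(uses.match(l) for l in block)
            and not any(pin.match(l) for l in block)]


if __name__ == "__main__":
    print("pinned:", unpinned_k3d_steps(PINNED))
    print("unpinned:", unpinned_k3d_steps(UNPINNED))
```

Run against every branch listed in the workflow's `branches:` trigger, a check like this fails when one branch carries the pin and another does not.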