Merge branch 'main' into feat/add-toyamlpretty-1

.github/pull_request_template.md

@@ -7,6 +7,6 @@
 **Special notes for your reviewer**:
 
 **If applicable**:
-- [ ] this PR contains documentation
+- [ ] this PR contains user facing changes (the `docs needed` label should be applied if so)
 - [ ] this PR contains unit tests
 - [ ] this PR has been tested for backwards compatibility

.github/workflows/build-test.yml

@@ -2,22 +2,25 @@ name: build-test
 on:
   push:
     branches:
-      - 'main'
-      - 'release-**'
+      - "main"
+      - "release-**"
   pull_request:
     branches:
       - main
 
+permissions:  
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # [email protected].1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # [email protected].7
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # [email protected].1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # [email protected].2
         with:
-          go-version: '1.22'
+          go-version: '1.22.7'
       - name: Test source headers are present
         run: make test-source-headers
       - name: Run unit tests

.github/workflows/codeql-analysis.yml

@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '29 6 * * 6'
 
+permissions:  
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -35,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # [email protected].1
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # [email protected].7
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # pinv3.25.5
+      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pinv3.26.6
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # pinv3.25.5
+      uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pinv3.26.6
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -64,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # pinv3.25.5
+      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # pinv3.26.6

.github/workflows/golangci-lint.yml

@@ -4,19 +4,22 @@ on:
   push:
   pull_request:
 
+permissions:  
+  contents: read
+
 jobs:
   golangci:
     name: golangci-lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # [email protected].1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # [email protected].7
 
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # [email protected].1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # [email protected].2
         with:
-          go-version: "1.22"
+          go-version: "1.22.7"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 #pin@6.0.1
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 #pin@6.1.0
         with:
           version: v1.58

.github/workflows/govulncheck.yml

@@ -0,0 +1,21 @@
+name: govulncheck
+on:
+  push:
+    paths:
+      - go.sum
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  govulncheck:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # [email protected]
+        with:
+          go-version: '1.22.7'
+      - name: govulncheck
+        uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # [email protected]
+        with:
+          go-package: ./...

.github/workflows/release.yml

@@ -18,14 +18,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # [email protected].1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # [email protected].7
         with:
           fetch-depth: 0
 
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # [email protected].1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # [email protected].2
         with:
-          go-version: '1.22'
+          go-version: '1.22.7'
 
       - name: Run unit tests
         run: make test-coverage
@@ -34,7 +34,7 @@ jobs:
         run: |
           set -eu -o pipefail
 
-          make build-cross
+          make build-cross VERSION="${{ github.ref_name }}"
           make dist checksum VERSION="${{ github.ref_name }}"
 
       - name: Set latest version
@@ -76,12 +76,12 @@ jobs:
     if: github.ref == 'refs/heads/main'
     steps:
       - name: Checkout source code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # [email protected].1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # [email protected].7
 
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # [email protected].1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # [email protected].2
         with:
-          go-version: '1.22'
+          go-version: '1.22.7'
 
       - name: Run unit tests
         run: make test-coverage

.github/workflows/scorecards.yml

@@ -0,0 +1,69 @@
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '25 7 * * 0'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

.github/workflows/stale-issue-bot.yaml

@@ -2,11 +2,14 @@ name: "Close stale issues"
 on:
   schedule:
   - cron: "0 0 * * *"
+permissions:  
+  contents: read
+
 jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/[email protected]
+    - uses: actions/stale@87c2b794b9b47a9bec68ae03c01aeb572ffebdb1 # v3.0.14
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.'

ADOPTERS.md

@@ -5,12 +5,15 @@
 
 # Organizations Using Helm
 
-- [Blood Orange](https://bloodorange.io)
 - [IBM](https://www.ibm.com)
 - [Microsoft](https://microsoft.com)
+- [Octopus Deploy](https://octopus.com/)
+- [New Relic](https://www.newrelic.com)
 - [Qovery](https://www.qovery.com/)
 - [Samsung SDS](https://www.samsungsds.com/)
 - [Softonic](https://hello.softonic.com/)
+- [Syself](https://syself.com)
 - [Ville de Montreal](https://montreal.ca)
+- [Intercept](https://Intercept.cloud)
 
 _This file is part of the CNCF official documentation for projects._

CONTRIBUTING.md

@@ -66,6 +66,18 @@ Use your real name (sorry, no pseudonyms or anonymous contributions.)
 If you set your `user.name` and `user.email` git configs, you can sign your commit automatically
 with `git commit -s`.
 
+The following command will update your git config with `user.email`:
+
+``` bash
+git config --global user.email [email protected]
+```
+
+This command will update your git config with `user.name`:
+
+``` bash
+git config --global user.name "Joe Smith"
+```
+
 Note: If your git config information is set properly then viewing the `git log` information for your
  commit will look something like this:
 
@@ -115,8 +127,9 @@ Helm maintains a strong commitment to backward compatibility. All of our changes
 formats are backward compatible from one major release to the next. No features, flags, or commands
 are removed or substantially modified (unless we need to fix a security issue).
 
-We also try very hard to not change publicly accessible Go library definitions inside of the `pkg/`
-directory of our source code.
+We also remain committed to not changing publicly accessible Go library definitions inside of the `pkg/` directory of our source code in a non-backwards-compatible way.
+
+For more details on Helm’s minor and patch release backwards-compatibility rules, please read [HIP-0004](https://github.com/helm/community/blob/main/hips/hip-0004.md)
 
 For a quick summary of our backward compatibility guidelines for releases between 3.0 and 4.0:
 
@@ -126,7 +139,7 @@ For a quick summary of our backward compatibility guidelines for releases betwee
   (barring the cases where (a) Kubernetes itself changed, and (b) the chart worked because it
   exploited a bug)
 - Chart repository functionality MUST be backward compatible
-- Go libraries inside of `pkg/` SHOULD remain backward compatible, though code inside of `cmd/` and
+- Go libraries inside of `pkg/` MUST remain backward compatible, though code inside of `cmd/` and
   `internal/` may be changed from release to release without notice.
 
 ## Issues
@@ -261,9 +274,9 @@ Like any good open source project, we use Pull Requests (PRs) to track code chan
 
 #### Documentation PRs
 
-Documentation PRs will follow the same lifecycle as other PRs. They will also be labeled with the
-`docs` label. For documentation, special attention will be paid to spelling, grammar, and clarity
-(whereas those things don't matter *as* much for comments in code).
+Documentation PRs should be made on the docs repo: <https://github.com/helm/helm-www>. Keeping Helm's documentation up to date is highly desirable, and it is recommend all user facing changes. Accurate and helpful documentation is critical for effectively communicating Helm's behavior to a wide audience.
+
+Small, ad-hoc changes/PRs to Helm which introduce user facing changes, which would benefit from documentation changes, should apply the `docs needed` label. Larger changes associated with a HIP should track docs via that HIP. The `docs needed` label doesn't block PRs, and maintainers/PR reviewers should apply discretion judging in whether the `docs needed` label should be applied.
 
 ## The Triager
 
@@ -306,6 +319,7 @@ The following tables define all label types used for Helm. It is split up by cat
 | `needs rebase` | Indicates a PR needs to be rebased before it can be merged |
 | `needs pick` | Indicates a PR needs to be cherry-picked into a feature branch (generally bugfix branches). Once it has been, the `picked` label should be applied and this one removed |
 | `picked` | This PR has been cherry-picked into a feature branch |
+| `docs needed` | Tracks PRs that introduces a feature/change for which documentation update would be desirable (non-blocking). Once a suitable documentation PR has been created, then this label should be removed |
 
 #### Size labels