[DEVEX-1535] Add helm-chart-lint + helm-goldens-check composite actions

[ronneseth]

Summary

Adds the two central composite actions the per-repo Helm chart convention runbook depends on. Each chart adopting the convention wires them into its PR-triggered CI workflow as the chart-lint + goldens-check merge gates.

• Convention guideline: https://github.com/encodium/dump/blob/main/aronneseth/helm_chart_naming_guideline.plan.md (§3.1 + §3.2)
• Per-repo runbook: https://github.com/encodium/dump/blob/main/aronneseth/helm_chart_per_repo_runbook.plan.md (Step 6 wires these into per-repo CI)

This is prerequisite #2 of DEVEX-1535 (covers both prereqs 2a and 2b from the Story).

helm-chart-lint (§3.1)

.github/actions/helm-chart-lint/ — POSIX shell + yq. Enforces all seven rules from the guideline:

#	Rule
1	Values file names match ^(values\.yaml|values-(local|stg|qa|prod|dev-ec2|qa-ec2|prod-ec2)\.yaml|Chart\.yaml|values\.schema\.json)$
2	helm template <chart> (no -f, no --set) renders cleanly
3	templates/env-file.yaml forbidden — must be templates/env-configmap.yaml
4	No top-level topo: key in any values file
5	Mandatory .app namespace in values.yaml
6	No top-level non-reserved namespaces (aws:, ec2:, etc. fail)
7	No if .Values.<unapproved-key> render gates in templates

The reserved chart-control key list is configurable via the reserved-chart-control-keys input so charts with legitimately distinct chart-control keys can extend it locally.

helm-goldens-check v1 (§3.2)

.github/actions/helm-goldens-check/ — installs Helm + the helm-unittest plugin and runs:

• Layer 1 (EKS-Helm path): helm unittest <chart-path> when <chart-path>/tests/ exists. Snapshot diffing is handled by the plugin.
• Layer 1 (SetupPkg + Helm-EC2 paths): delegated to a chart-committed <goldens-path>/regenerate.sh hook; the action re-runs git diff over <goldens-path> after the hook executes and fails on any change. Path-specific render logic stays with the chart (per guideline: "Layer 2 stays custom — no community tool spans those paths").
• Layer 2 (cross-path baseline): same delegation pattern via <goldens-path>/regenerate-cross-path-baseline.sh. Action fails on any diff.

skip-layer1 and skip-cross-path inputs let charts opt out during the migration window before they've committed tests/ or a baseline.

Why the goldens-check is a thin wrapper

The runbook generates per-chart goldens during Step 2 (<slug><env>-<path>.env) and Step 8 (cross-path-baseline.txt) and commits them. The action's job is to enforce "diff against committed = empty", not to know how each chart renders its three paths (Pattern S vs R vs D, daemon-set flags, multi-Deployment slugs). Delegating to per-chart regenerate hooks keeps the central action stable while each chart owns its matrix.

A v2 that drives an explicit matrix.yaml and renders all three paths centrally is a follow-up once a few charts have migrated and the shape stabilizes.

Test plan

A new Test helm-chart actions workflow exercises both actions on PR / push to main:

• lint-good-fixture: lint passes against a convention-compliant fixture chart
• lint-bad-fixture: lint exits non-zero against an intentionally-unmigrated fixture chart (catches Rules 1, 3, 4, 5, 6, and 7 — verified locally)
• goldens-good-fixture: goldens-check passes against the good fixture with skip flags engaged
• Bash scripts pass shellcheck clean
• Workflow file passes actionlint

Locally verified the linter against the radmin chart (unmigrated): catches every expected violation across all seven rules. Output shape uses ::error:: annotations for GitHub UI surfacing.

JIRA

DEVEX-1535

Made with Cursor

[cursor]

PR Summary

Low Risk
Changes are limited to GitHub Actions and bash lint/golden scripts; they do not alter runtime deployments until each repo opts in via its own workflow.

Overview
Adds two reusable GitHub composite actions so repos adopting the org Helm chart convention can wire PR merge gates without duplicating logic.

helm-chart-lint installs Helm and yq, then runs lint.sh against a chart path (default ./deployments). It enforces seven guideline rules: allowed values filenames, clean helm template with default values.yaml, ban on templates/env-file.yaml, no top-level topo:, required .app map, top-level keys limited to a configurable reserved set (always including app), and template render gates only on approved .Values.* roots (including else if / else with forms).

helm-goldens-check runs Layer 1 via helm unittest when tests/ exists (optional skip-layer1), optional per-chart regenerate.sh with git diff on the goldens dir, and Layer 2 cross-path baseline via regenerate-cross-path-baseline.sh / cross-path-baseline.txt (optional skip-cross-path).

A new Test helm-chart actions workflow exercises compliant and intentionally bad fixture charts, including a regression check that Rule 7 flags else if .Values.aws, and an end-to-end helm-unittest install/run job.

^{Reviewed by Cursor Bugbot for commit c4efbbe. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 558eeea. Configure here.}