Changing how upstream sync works as part of devsecops

[JayGhiya]

Currently we have a alpha workflow which fetches latest charts of stateful applications as stated below:

1. Checkout the repository using the actions/checkout@v2 action and specify the upstream-sync branch.
2. Set up Helm using the azure/setup-helm@v3 action and specify version v3.11.1.
3. Add the Helm repository and update it.
4. Fetch the Latest Helm chart from the chart repository.
5. Install yq.
6. Login to Github Container Registry using the docker/login-action@v2 action.
7. Run a Kubescape scan on the Helm charts and upload the results to Github Code Scanning using the github/codeql-action/upload-sarif@v2 action.
8. Move scan results to appropriate folders.
9. Push changes to the repository by adding and committing changes to the charts and reports folders, then pushing to the upstream-sync branch.
10. Create a pull request using the peter-evans/create-pull-request@v3 action with specified title, commit message, branch, base, and token.

The problem with the current approach is that we are using same static branch for fetching updates and raising pr with develop branch.
Here is a major downside to it:

• if every week a version is being released in upstream how do you audit and keep track of all if same branch is used for raising pr. The only solution is to get rid of stale pr and have pr with latest charts. But this results in forcing the user to always update to latest releases and not intermediate one even if it involves breaking changes or more bugs depending upon the release.

The alternative solution is to run the batch job always with a new branch named "upstream-sync-$helm-chart-version". Also while fetching pr it has to check whether chart version is really updated compared to last to avoid duplicates. This should make the process clean. Share your thoughts on the same. Will share updated action soon.

[JayGhiya]

cc : @vipinshreyaskumar @devsinghnaini

[JayGhiya]

this is live as part of unoplat-loki-stack and is working as expected.