fix(ci): build helm deps natively to avoid bind-mount permission error #41935
sebastianiv21 wants to merge 3 commits into
The `helm dependency update` step added in #41926 ran inside the `helmunittest/helm-unittest` container. On the Linux CI runner the container's non-root user can't write to the bind-mounted workdir, so `helm dependency build` failed with `mkdir charts: permission denied` (it passed locally only because Docker Desktop on macOS ignores mount ownership). Run the dependency build natively on the runner via `azure/setup-helm`, matching the pattern already used in helm-release.yml and helm-docs.yml. The charts/ dir is then created as the runner user and the existing unittest container reads it without issue. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Walkthrough
This PR updates the Helm unit test workflow to install Helm v4.1.4 with
Changes
Helm Workflow Dependency Setup
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ 5 passed
🧹 Nitpick comments (1)
.github/workflows/helm-unittest.yml (1)
24-40: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win
Pin the `helmunittest/helm-unittest` image tag too. The workflow now builds dependencies with a fixed Helm 4.1.4, but the `Unittest` container still floats on `latest`, so the Helm/plugin version used by `helm-unittest` can drift independently and change CI behavior over time.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-unittest.yml around lines 24 - 40, The workflow’s Unittest step is still using a floating helmunittest/helm-unittest image tag, so update that docker run invocation to use a fixed version instead of latest. Keep the pin consistent with the existing Setup Helm versioning approach and make the change in the Unittest step so helm-unittest runs with a stable container image across CI runs.
📒 Files selected for processing (1)
.github/workflows/helm-unittest.yml
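A check for the floating-tag finding in the review above, as an added example (not code from this PR, CodeRabbit or the Appsmith repository): it extracts the image from single-line `docker run` commands in workflow text and reports those with no tag or `latest`. The workflow excerpt is constructed around the command quoted in the PR description, the `0.0.0-placeholder` tag is a placeholder, and the function names are hypothetical.

```python
import re
import shlex

# `docker run` options that take a separate value token (a subset, enough for CI one-liners).
VALUE_OPTS = {"-v", "--volume", "-e", "--env", "-w", "--workdir", "-u", "--user",
              "--entrypoint", "--name", "--network"}

# Constructed excerpt: line 2 is the command quoted in this PR, the tag on line 4 is a placeholder.
SAMPLE_WORKFLOW = """\
      - name: Build dependencies in container
        run: docker run --rm -v $(pwd):/apps --entrypoint helm helmunittest/helm-unittest dependency update .
      - name: Unittest (placeholder tag)
        run: docker run --rm -v $(pwd):/apps helmunittest/helm-unittest:0.0.0-placeholder .
      - name: Local registry
        run: docker run --rm localhost:5000/helm-unittest:latest .
"""

def image_from_docker_run(command):
    """Return the image reference of a single-line `docker run` command, or None."""
    tokens = shlex.split(command)
    if tokens[:2] != ["docker", "run"]:
        return None
    i = 2
    while i < len(tokens):
        if tokens[i] in VALUE_OPTS:
            i += 2                      # option plus its value
        elif tokens[i].startswith("-"):
            i += 1                      # bare flag (--rm) or --opt=value
        else:
            return tokens[i]            # first positional argument is the image
    return None

def pin_status(image):
    """Classify an image reference as 'digest', 'tag' or 'floating'."""
    if "@sha256:" in image:
        return "digest"
    name = image.rsplit("/", 1)[-1]     # drop registry host:port and namespace
    tag = name.partition(":")[2]
    return "tag" if tag and tag != "latest" else "floating"

def floating_images(workflow_text):
    """Return (line_number, image) for every `docker run` that uses a floating image."""
    hits = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = re.search(r"\bdocker run\b.*", line)
        image = image_from_docker_run(match.group(0)) if match else None
        if image and pin_status(image) == "floating":
            hits.append((number, image))
    return hits
```

Commands continued across lines with `\` are not joined before parsing, so a multi-line `run:` block needs that step first.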
The comment claimed the unit tests derive the redis master host from the redis subchart fullname; on release that host is hardcoded in the parent templates, so the tests don't currently require the built subcharts. Reword to state the actual rationale: resolve subchart templates when present and keep CI dependency resolution in parity with the publish job (helm-release.yml). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Description
Tip
TL;DR: Follow-up to #41926. The dependency-build step it added ran inside the unittest container, where the non-root container user can't write to the bind-mounted workdir on Linux CI (`mkdir charts: permission denied`). This runs `helm dependency build` natively on the runner via `azure/setup-helm`, matching the pattern already used in `helm-release.yml` / `helm-docs.yml`.
#41926 added a `helm dependency update` step so the Helm unit tests have their subcharts available (the `.tgz` files under `deploy/helm/charts/` are gitignored). That step ran helm inside the `helmunittest/helm-unittest` container:
```
docker run --rm -v $(pwd):/apps --entrypoint helm helmunittest/helm-unittest dependency update .
```
On the Linux CI runner the container runs as a non-root user that cannot write into the bind-mounted workdir (owned by the runner user), so it failed:
It passed locally only because Docker Desktop on macOS ignores bind-mount ownership.
Fix: install helm on the runner with `azure/setup-helm@v4` (pinned `v4.1.4`) and run `helm dependency build` natively — the same approach already used in `helm-release.yml` and `helm-docs.yml`. The `charts/` dir is then created as the runner user, and the existing unittest container reads it without issue.
Verification
Ran the new sequence locally against the chart:
- `helm dependency build` (native) → all 5 subcharts resolved (redis, mongodb, postgresql, prometheus, mongodb-kubernetes)
- `helm-unittest .` (docker) → 13 suites, 67 tests, 7 snapshots — all passing
Fixes
N/A — CI infrastructure fix; follow-up to #41926.
Automation
/ok-to-test tags="@tag.Sanity"
🔍 Cypress test results
Tip
🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/28547318249
Commit: 2b49886
Cypress dashboard.
Tags: @tag.Sanity
Spec:
Wed, 01 Jul 2026 21:31:26 UTC
Communication
Should the DevRel and Marketing teams inform users about this change?
🤖 Generated with Claude Code
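A model of the permission failure described above, as an added example (not code from this PR or the Appsmith repository): a Linux bind mount keeps the host directory's numeric owner and mode, so the container's UID is evaluated against them like any other local user. The function names are hypothetical and the UIDs in the demo are constructed; ACLs, user-namespace remapping and LSM policy are ignored.

```python
import os
import stat

def mode_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """POSIX mode-bit check (owner, then group, then other); want is a mask, r=4 w=2 x=1."""
    if uid == 0:
        return True                     # root is not subject to mode bits
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def bind_mount_access(host_dir, container_uid, container_gids):
    """What a container process may do in host_dir once it is bind-mounted on Linux."""
    st = os.stat(host_dir)
    mode = stat.S_IMODE(st.st_mode)
    args = (mode, st.st_uid, st.st_gid, container_uid, container_gids)
    return {
        "create": mode_allows(*args, 0o3),  # `mkdir charts` needs write + search
        "read": mode_allows(*args, 0o5),    # reading an existing charts/ needs read + search
    }

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as workdir:
        os.chmod(workdir, 0o755)            # constructed: typical checkout directory mode
        st = os.stat(workdir)
        # Constructed container identity: any UID/GID that is neither the owner nor root.
        print("container user:", bind_mount_access(workdir, st.st_uid + 1, [st.st_gid + 1]))
        print("runner user:   ", bind_mount_access(workdir, st.st_uid, [st.st_gid]))
```

The container's configured user can be read with `docker image inspect --format '{{.Config.User}}' IMAGE`; it may be a name rather than a number, in which case it has to be resolved inside the image.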