
fix(helm): Unpin old HELM version #11363

Merged: 1 commit, Dec 15, 2024

Conversation

@kiblik (Contributor) commented Dec 3, 2024

The previous implementation used an old version of helm, which was pinned in .github/workflows/release-x-manual-helm-chart.yml. Renovate and Dependabot ignored these values.

Version v3.4.0 did not support the oci protocol for pulling charts (support was added in v3.5 as an experiment and from v3.8 by default; source: https://helm.sh/docs/topics/registries/). The current latest version is v3.16.3.

The issue has not been noticed because:

  • the dependency repo (psql) did not use oci as the default
  • the linter and the release used different methods to set up helm

This change removes pinning in the "release" step. It uses exactly the same method as the helm linter:

```yaml
- name: Set up Helm
  uses: azure/setup-helm@v4.2.0
```

Context: https://owasp.slack.com/archives/C2P5BA8MN/p1733236658398939

Failing step: https://github.com/DefectDojo/django-DefectDojo/actions/runs/12125529029/job/33855921016
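The failure described above (a chart dependency served over oci:// meeting a helm too old to pull it) is easy to catch before the release job gets as far as packaging. The following pre-flight check is an added example, not code from the PR or the DefectDojo project: it scans a Chart.yaml for oci:// dependency repositories and compares the installed helm against the thresholds from the Helm docs cited in the PR (OCI experimental from v3.5, on by default from v3.8). The Chart.yaml contents, chart names and repository URLs are constructed for the example; `helm version --short` is the real Helm CLI flag.

```shell
#!/bin/sh
# Added example, not code from the DefectDojo PR or project: a pre-flight
# check for a Helm release job. It reads the chart's dependency repositories
# and fails early when an oci:// dependency needs a newer helm than the one
# installed. Thresholds follow the Helm docs cited in the PR: OCI support was
# experimental from v3.5 and enabled by default from v3.8.

# version_ge A B: exit 0 if semantic version A >= B. A leading "v" and a
# build suffix such as "+gabc123" are tolerated; missing fields count as 0.
version_ge() {
  a=${1#v}; b=${2#v}
  a=${a%%+*}; b=${b%%+*}
  printf '%s\n%s\n' "$a" "$b" | awk -F. '
    NR == 1 { for (i = 1; i <= 3; i++) x[i] = $i + 0 }
    NR == 2 { for (i = 1; i <= 3; i++) y[i] = $i + 0 }
    END {
      for (i = 1; i <= 3; i++) {
        if (x[i] > y[i]) exit 0
        if (x[i] < y[i]) exit 1
      }
      exit 0
    }'
}

# chart_needs_oci CHART_YAML: exit 0 if any dependency repository uses oci://
# (an optional surrounding quote is allowed, hence the awkward quoting).
chart_needs_oci() {
  grep -Eq '^[[:space:]]*repository:[[:space:]]*["'"'"']?oci://' "$1"
}

# required_helm_version CHART_YAML: print the minimum helm version the chart
# needs: 3.8.0 when an OCI dependency is present (OCI on by default), else
# 3.0.0 (any Helm 3). The 3.5 to 3.7 experimental window is deliberately not
# accepted, since it needed HELM_EXPERIMENTAL_OCI=1 set in the environment.
required_helm_version() {
  if chart_needs_oci "$1"; then echo 3.8.0; else echo 3.0.0; fi
}

# helm_can_release CHART_YAML HELM_VERSION: exit 0 if that helm can pull the
# chart's dependencies, else 1.
helm_can_release() {
  version_ge "$2" "$(required_helm_version "$1")"
}

# Constructed sample charts (not DefectDojo's real Chart.yaml). The first
# mirrors the situation in the PR: a postgresql dependency served over OCI.
SAMPLE_CHART_OCI=$(mktemp)
SAMPLE_CHART_HTTPS=$(mktemp)
trap 'rm -f "$SAMPLE_CHART_OCI" "$SAMPLE_CHART_HTTPS"' EXIT

cat > "$SAMPLE_CHART_OCI" <<'EOF'
apiVersion: v2
name: example-app
version: 0.1.0
dependencies:
  - name: postgresql
    version: "16.x.x"
    repository: oci://registry-1.docker.io/bitnamicharts
EOF

cat > "$SAMPLE_CHART_HTTPS" <<'EOF'
apiVersion: v2
name: example-app
version: 0.1.0
dependencies:
  - name: postgresql
    version: "12.x.x"
    repository: https://charts.bitnami.com/bitnami
EOF

# When run directly: compare the installed helm (if any) against the OCI chart.
if command -v helm >/dev/null 2>&1; then
  installed=$(helm version --short 2>/dev/null)
  if helm_can_release "$SAMPLE_CHART_OCI" "$installed"; then
    echo "helm $installed can release the OCI sample chart"
  else
    echo "helm $installed is older than $(required_helm_version "$SAMPLE_CHART_OCI"); unpin or upgrade it" >&2
  fi
fi
```

Dropped into a workflow step before `helm dependency update`, the check turns the silent "chart missing from the release" symptom reported below into an immediate, explained failure; pointing `helm_can_release` at the real Chart.yaml instead of the sample is the only change needed.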

dryrunsecurity bot commented Dec 3, 2024

DryRun Security Summary

The pull request updates the GitHub Actions workflow for releasing a Helm chart for the DefectDojo application, including Helm setup, repository configuration, Docker image version pinning, Helm chart packaging, GitHub release creation, and Helm repository index file update, without introducing any obvious security concerns.


Summary:

The code changes in this pull request are related to the GitHub Actions workflow for releasing a Helm chart for the DefectDojo application. The changes update the Helm setup, configure the Helm repositories, pin the Docker image version, package the Helm chart, create a new GitHub release, and update the Helm repository index file.

From an application security perspective, the changes do not introduce any obvious security concerns, as the workflow is focused on the release process and does not directly interact with the application code. However, it's important to consider the security aspects of dependency management, credential management, Helm chart security, and Helm repository security to ensure the overall security of the release process.

Files Changed:

  • .github/workflows/release-x-manual-helm-chart.yml: This file contains the GitHub Actions workflow for releasing the DefectDojo Helm chart. The changes include:
    • Updating the Helm setup step to use a newer version of the azure/setup-helm action.
    • Configuring the Helm repositories, including the Bitnami repository, and updating the dependencies for the DefectDojo Helm chart.
    • Pinning the Docker image version to the release number specified as an input.
    • Packaging the DefectDojo Helm chart and storing the resulting artifact.
    • Creating a new GitHub release for the specified release number and attaching the packaged Helm chart.
    • Updating the Helm repository index file (index.yaml) by adding the new Helm chart release.

The workflow changes do not directly interact with the application code, but it's important to review the security aspects of dependency management, credential management, Helm chart security, and Helm repository security to ensure the overall security of the release process.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.


@mtesauro (Contributor) left a comment

Approved

@kiblik (Contributor, Author) commented Dec 9, 2024

Is it possible to approve and merge this PR? 3.4.1 is already the second release where the HELM chart is missing: https://github.com/DefectDojo/django-DefectDojo/actions/runs/12239754638

@mtesauro mtesauro merged commit 50af85d into DefectDojo:bugfix Dec 15, 2024
72 checks passed
@kiblik kiblik deleted the helm_fix_release branch December 15, 2024 09:47
paulOsinski pushed a commit to paulOsinski/django-DefectDojo that referenced this pull request Dec 23, 2024
5 participants