fix(github-mcp-server): align template standards #668

Open: mberlofa wants to merge 3 commits into main from fix/github-mcp-server-template-standards
mberlofa commented Jul 3, 2026

Contributor

Summary

  • use selector labels in the Deployment pod template and guard ingressClassName rendering for empty values
  • add networkPolicy.extraEgress support with built-in DNS/HTTPS allowances, schema updates, and unit coverage
  • centralize validation through github-mcp-server.validate and align NOTES with numbered HelmForge sections

Validation

  • helm unittest charts/github-mcp-server
  • helm lint --strict charts/github-mcp-server
  • make template-standards-check CHART=github-mcp-server
  • make standards-check CHART=github-mcp-server
  • make standards-guard CHART=github-mcp-server
  • make validate-chart CHART=github-mcp-server TIMEOUT=900: FULLY VALIDATED (17 layers)
  • make site-sync-check CHART=github-mcp-server
  • make release-check REPO=charts
  • make attribution-check REPO=charts

Site PR: helmforgedev/site#346
Issue: #633

Summary by CodeRabbit

  • New Features
    • Added networkPolicy.extraEgress to append custom egress rules after built-in DNS/HTTPS allowances.
  • Documentation
    • Expanded Helm chart notes with clearer, numbered setup, access, security, scaling, networking, troubleshooting, and resources guidance.
  • Bug Fixes
    • Ingress now omits spec.ingressClassName when the value is empty.
    • Pod template labels now match the Deployment selector labels.
  • Validation
    • Chart render-time checks now enforce required token settings, persistence access-mode constraints, and prevent podLabels from overriding selector labels.
  • Tests
    • Added/updated tests covering extra egress rendering, ingressClassName omission, and validation success/failure scenarios.

github-actions Bot commented Jul 3, 2026

Contributor

Standards Check (GR-079) — PASS

Every changed chart fully passes standards-check.

coderabbitai Bot commented Jul 3, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f50c6c47-eaa7-45e2-b65a-3c005ac61a73

📥 Commits

Reviewing files that changed from the base of the PR and between fa46a72 and 203e221.

📒 Files selected for processing (12)
  • charts/github-mcp-server/README.md
  • charts/github-mcp-server/templates/NOTES.txt
  • charts/github-mcp-server/templates/_helpers.tpl
  • charts/github-mcp-server/templates/deployment.yaml
  • charts/github-mcp-server/templates/ingress.yaml
  • charts/github-mcp-server/templates/networkpolicy.yaml
  • charts/github-mcp-server/templates/validate.yaml
  • charts/github-mcp-server/tests/networkpolicy_test.yaml
  • charts/github-mcp-server/tests/templates_test.yaml
  • charts/github-mcp-server/tests/validation_test.yaml
  • charts/github-mcp-server/values.schema.json
  • charts/github-mcp-server/values.yaml
✅ Files skipped from review due to trivial changes (1)
  • charts/github-mcp-server/README.md
🚧 Files skipped from review as they are similar to previous changes (8)
  • charts/github-mcp-server/tests/templates_test.yaml
  • charts/github-mcp-server/templates/ingress.yaml
  • charts/github-mcp-server/templates/networkpolicy.yaml
  • charts/github-mcp-server/templates/deployment.yaml
  • charts/github-mcp-server/values.schema.json
  • charts/github-mcp-server/tests/networkpolicy_test.yaml
  • charts/github-mcp-server/templates/_helpers.tpl
  • charts/github-mcp-server/values.yaml

📝 Walkthrough

This PR centralizes chart validation, makes ingress and network policy rendering conditional, updates deployment labels, and refreshes chart notes and install documentation. Tests and schema/default values were updated to match the new behavior.

Changes

github-mcp-server chart updates

| Layer | File(s) | Summary |
|---|---|---|
| Centralized validation helper | charts/github-mcp-server/templates/_helpers.tpl, charts/github-mcp-server/templates/validate.yaml, charts/github-mcp-server/tests/validation_test.yaml | Adds github-mcp-server.validate checks for token config, persistence scaling constraints, and selector-label overrides; validate.yaml now includes the helper, with validation tests for existingClaim and podLabels failures. |
| Deployment selector label fix | charts/github-mcp-server/templates/deployment.yaml | The pod template now uses selector labels instead of full chart labels. |
| Conditional ingressClassName rendering | charts/github-mcp-server/templates/ingress.yaml, charts/github-mcp-server/tests/templates_test.yaml, charts/github-mcp-server/README.md | Ingress omits spec.ingressClassName when the value is empty, with matching test coverage and install docs. |
| NetworkPolicy extraEgress support | charts/github-mcp-server/templates/networkpolicy.yaml, charts/github-mcp-server/values.schema.json, charts/github-mcp-server/values.yaml, charts/github-mcp-server/tests/networkpolicy_test.yaml | NetworkPolicy renders built-in DNS/HTTPS egress plus appended extraEgress rules, and the schema, defaults, and tests reflect the new setting. |
| NOTES content update | charts/github-mcp-server/templates/NOTES.txt | The release notes output is reorganized into numbered sections with expanded access, security, scaling, networking, and troubleshooting text. |

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • helmforgedev/charts#641: Implements the same NetworkPolicy extraEgress extension pattern with matching template, values, and test changes.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title is concise and matches the PR’s main goal of aligning the github-mcp-server chart with template standards. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
Comment @coderabbitai help to get the list of available commands.

github-actions Bot commented Jul 3, 2026

Contributor

🟢 Security Scan: github-mcp-server

| Framework | Score |
|---|---|
| MITRE + NSA + SOC2 | 75.757576% |

✅ Security posture acceptable.

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 09ce38d862

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread charts/github-mcp-server/templates/networkpolicy.yaml Outdated

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
charts/github-mcp-server/templates/NOTES.txt (1)

29-34: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider mentioning networkPolicy.extraEgress in Security guidance.

The Security section documents networkPolicy.ingressFrom but not the newly added extraEgress option, which is also security-relevant for restricting outbound traffic.

📝 Suggested addition
 - Enable networkPolicy.enabled and set networkPolicy.ingressFrom for restricted clients.
+- Use networkPolicy.extraEgress to restrict outbound traffic to required destinations only.
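Review bot: the added line says extraEgress is used "to restrict outbound traffic", but per this PR's summary extraEgress rules are appended after the built-in DNS/HTTPS allowances, so every entry widens what the pod may reach rather than narrowing it. Suggest wording it as an allow-list addition, for example "Add only the destinations the server needs via networkPolicy.extraEgress", and stating that DNS and HTTPS egress are already permitted.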
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/github-mcp-server/templates/NOTES.txt` around lines 29 - 34, The
Security guidance in NOTES.txt should also mention the newly added
networkPolicy.extraEgress setting alongside networkPolicy.enabled and
networkPolicy.ingressFrom. Update the Security section near the existing
networkPolicy references to note that extraEgress can be used to restrict
outbound traffic, keeping the wording consistent with the other security
recommendations.
charts/github-mcp-server/tests/validation_test.yaml (1)

20-26: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add symmetric test for app.kubernetes.io/instance override.

This covers the name key branch of the new podLabels guard; the sibling instance key branch (helpers.tpl lines 41-43) has no test.

♻️ Suggested addition
   - it: fails when podLabels override selector labels
     set:
       podLabels:
         app.kubernetes.io/name: custom
     asserts:
       - failedTemplate:
           errorMessage: "podLabels must not override the selector label app.kubernetes.io/name"
+  - it: fails when podLabels override the selector instance label
+    set:
+      podLabels:
+        app.kubernetes.io/instance: custom
+    asserts:
+      - failedTemplate:
+          errorMessage: "podLabels must not override the selector label app.kubernetes.io/instance"
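Review bot: the added case pins the full error string for app.kubernetes.io/instance, so it passes only if the helper formats the message with the offending key in the same way as the name branch; confirm both branches share one message format before relying on it. Consider adding a passing case that sets an unrelated podLabels key as well, so the tests show the guard rejects only the selector keys and not ordinary pod labels.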
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/github-mcp-server/tests/validation_test.yaml` around lines 20 - 26,
Add a symmetric validation test for the podLabels guard covering
app.kubernetes.io/instance, since the current validation only exercises the
app.kubernetes.io/name branch. Update the tests around validation_test.yaml to
add a failing case that sets podLabels.app.kubernetes.io/instance and asserts
the same kind of failedTemplate error message, matching the behavior enforced in
the helpers.tpl podLabels selector checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/github-mcp-server/templates/_helpers.tpl`:
- Around line 34-36: The validation in _helpers.tpl is too strict because it
checks persistence.accessModes even when persistence.existingClaim is set.
Update the replicaCount/persistence guard so the fail only runs when the chart
is actually creating a PVC, matching the pvc.yaml behavior that skips
accessModes for existingClaim. Use the same symbols here, especially
replicaCount, persistence.enabled, persistence.existingClaim, and
persistence.accessModes, to ensure users with an external RWX claim are not
blocked.

---

Nitpick comments:
In `@charts/github-mcp-server/templates/NOTES.txt`:
- Around line 29-34: The Security guidance in NOTES.txt should also mention the
newly added networkPolicy.extraEgress setting alongside networkPolicy.enabled
and networkPolicy.ingressFrom. Update the Security section near the existing
networkPolicy references to note that extraEgress can be used to restrict
outbound traffic, keeping the wording consistent with the other security
recommendations.

In `@charts/github-mcp-server/tests/validation_test.yaml`:
- Around line 20-26: Add a symmetric validation test for the podLabels guard
covering app.kubernetes.io/instance, since the current validation only exercises
the app.kubernetes.io/name branch. Update the tests around validation_test.yaml
to add a failing case that sets podLabels.app.kubernetes.io/instance and asserts
the same kind of failedTemplate error message, matching the behavior enforced in
the helpers.tpl podLabels selector checks.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 5249a15e-a96c-4106-b1b9-0239c00adb2d

📥 Commits

Reviewing files that changed from the base of the PR and between 870b4c7 and 09ce38d.

📒 Files selected for processing (12)
  • charts/github-mcp-server/README.md
  • charts/github-mcp-server/templates/NOTES.txt
  • charts/github-mcp-server/templates/_helpers.tpl
  • charts/github-mcp-server/templates/deployment.yaml
  • charts/github-mcp-server/templates/ingress.yaml
  • charts/github-mcp-server/templates/networkpolicy.yaml
  • charts/github-mcp-server/templates/validate.yaml
  • charts/github-mcp-server/tests/networkpolicy_test.yaml
  • charts/github-mcp-server/tests/templates_test.yaml
  • charts/github-mcp-server/tests/validation_test.yaml
  • charts/github-mcp-server/values.schema.json
  • charts/github-mcp-server/values.yaml

Comment thread charts/github-mcp-server/templates/_helpers.tpl Outdated

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
charts/github-mcp-server/tests/validation_test.yaml (1)

28-34: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider adding coverage for the app.kubernetes.io/instance override branch.

The helper also fails when podLabels overrides app.kubernetes.io/instance, but only the app.kubernetes.io/name branch is tested here.

♻️ Proposed additional test case
   - it: fails when podLabels override selector labels
     set:
       podLabels:
         app.kubernetes.io/name: custom
     asserts:
       - failedTemplate:
           errorMessage: "podLabels must not override the selector label app.kubernetes.io/name"
+  - it: fails when podLabels override the instance selector label
+    set:
+      podLabels:
+        app.kubernetes.io/instance: custom
+    asserts:
+      - failedTemplate:
+          errorMessage: "podLabels must not override the selector label app.kubernetes.io/instance"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/github-mcp-server/tests/validation_test.yaml` around lines 28 - 34,
The validation tests only cover the selector-label override path for
app.kubernetes.io/name, but the same helper also rejects
app.kubernetes.io/instance overrides. Add a new case alongside the existing
validation in validation_test.yaml that uses podLabels to override
app.kubernetes.io/instance and asserts the same failedTemplate behavior, so both
branches of the chart validation are covered.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@charts/github-mcp-server/tests/validation_test.yaml`:
- Around line 28-34: The validation tests only cover the selector-label override
path for app.kubernetes.io/name, but the same helper also rejects
app.kubernetes.io/instance overrides. Add a new case alongside the existing
validation in validation_test.yaml that uses podLabels to override
app.kubernetes.io/instance and asserts the same failedTemplate behavior, so both
branches of the chart validation are covered.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2a268cf2-225c-48dc-99e7-e01b0bdcba84

📥 Commits

Reviewing files that changed from the base of the PR and between 09ce38d and 4e77237.

📒 Files selected for processing (7)
  • charts/github-mcp-server/README.md
  • charts/github-mcp-server/templates/_helpers.tpl
  • charts/github-mcp-server/templates/networkpolicy.yaml
  • charts/github-mcp-server/tests/networkpolicy_test.yaml
  • charts/github-mcp-server/tests/validation_test.yaml
  • charts/github-mcp-server/values.schema.json
  • charts/github-mcp-server/values.yaml
✅ Files skipped from review due to trivial changes (1)
  • charts/github-mcp-server/README.md
🚧 Files skipped from review as they are similar to previous changes (5)
  • charts/github-mcp-server/values.yaml
  • charts/github-mcp-server/templates/networkpolicy.yaml
  • charts/github-mcp-server/tests/networkpolicy_test.yaml
  • charts/github-mcp-server/templates/_helpers.tpl
  • charts/github-mcp-server/values.schema.json

mberlofa force-pushed the fix/github-mcp-server-template-standards branch from 4e77237 to fa46a72 (July 4, 2026 13:00)

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
charts/github-mcp-server/templates/NOTES.txt (1)

29-41: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider mentioning networkPolicy.extraEgress in the Security/Networking guidance.

This section now covers networkPolicy.enabled/ingressFrom but omits the newly added extraEgress support. Since default-deny egress policies can silently block traffic to dependencies the user hasn't allow-listed, a pointer here could reduce troubleshooting friction for operators enabling the policy.

✏️ Optional wording addition
 - Enable networkPolicy.enabled and set networkPolicy.ingressFrom for restricted clients.
+- If networkPolicy.enabled=true, add required destinations via networkPolicy.extraEgress (DNS/HTTPS are allowed by default).
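Review bot: the parenthetical "(DNS/HTTPS are allowed by default)" in the added line does not say which destinations the built-in rules cover, so an operator cannot tell from the notes how much egress remains open once the policy is enabled. Suggest naming the scope of the built-in DNS and HTTPS rules in the same bullet, so the need for extraEgress entries can be judged against it.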
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/github-mcp-server/templates/NOTES.txt` around lines 29 - 41, The
Security/Networking guidance in NOTES.txt mentions networkPolicy.enabled and
networkPolicy.ingressFrom but omits the newly added networkPolicy.extraEgress
setting. Update the Security section to reference networkPolicy.extraEgress
alongside the existing networkPolicy guidance, so operators know to allow-list
outbound dependencies when using default-deny egress policies and can find the
relevant configuration option easily.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@charts/github-mcp-server/templates/NOTES.txt`:
- Around line 29-41: The Security/Networking guidance in NOTES.txt mentions
networkPolicy.enabled and networkPolicy.ingressFrom but omits the newly added
networkPolicy.extraEgress setting. Update the Security section to reference
networkPolicy.extraEgress alongside the existing networkPolicy guidance, so
operators know to allow-list outbound dependencies when using default-deny
egress policies and can find the relevant configuration option easily.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9f2d3a8b-6524-4586-91ec-fb7855f9698a

📥 Commits

Reviewing files that changed from the base of the PR and between 4e77237 and fa46a72.

📒 Files selected for processing (12)
  • charts/github-mcp-server/README.md
  • charts/github-mcp-server/templates/NOTES.txt
  • charts/github-mcp-server/templates/_helpers.tpl
  • charts/github-mcp-server/templates/deployment.yaml
  • charts/github-mcp-server/templates/ingress.yaml
  • charts/github-mcp-server/templates/networkpolicy.yaml
  • charts/github-mcp-server/templates/validate.yaml
  • charts/github-mcp-server/tests/networkpolicy_test.yaml
  • charts/github-mcp-server/tests/templates_test.yaml
  • charts/github-mcp-server/tests/validation_test.yaml
  • charts/github-mcp-server/values.schema.json
  • charts/github-mcp-server/values.yaml
✅ Files skipped from review due to trivial changes (2)
  • charts/github-mcp-server/values.yaml
  • charts/github-mcp-server/README.md
🚧 Files skipped from review as they are similar to previous changes (8)
  • charts/github-mcp-server/values.schema.json
  • charts/github-mcp-server/templates/deployment.yaml
  • charts/github-mcp-server/tests/templates_test.yaml
  • charts/github-mcp-server/tests/networkpolicy_test.yaml
  • charts/github-mcp-server/templates/ingress.yaml
  • charts/github-mcp-server/tests/validation_test.yaml
  • charts/github-mcp-server/templates/_helpers.tpl
  • charts/github-mcp-server/templates/networkpolicy.yaml

mberlofa force-pushed the fix/github-mcp-server-template-standards branch from fa46a72 to 203e221 (July 5, 2026 20:04)

mberlofa commented Jul 5, 2026

Contributor Author

Addressed the still-valid CodeRabbit nitpicks from the later review bodies.

What changed:

  • Added the missing podLabels.app.kubernetes.io/instance validation test, alongside the existing name override test.
  • Refactored the selector-label guard to range over the protected selector keys.
  • Added networkPolicy.extraEgress guidance to NOTES security guidance for private proxies and GitHub Enterprise endpoints.
  • Rechecked the earlier persistence.existingClaim validation fix; the existingClaim test is present and passing.

Validation:

  • helm unittest charts/github-mcp-server -f tests/validation_test.yaml passed.
  • make validate-chart CHART=github-mcp-server passed after the final rebase: github-mcp-server: FULLY VALIDATED (17 layers), including all k3d behavioral scenarios.
  • make release-check REPO=charts passed with the expected GR-077 release-publication warning.
  • make attribution-check REPO=charts passed.

The remaining items were posted in CodeRabbit review bodies/top-level summaries. Existing review threads were already resolved/confirmed, so there is no new unresolved thread ID to reply to or resolve.
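
Added example, not the chart's own code: one way to write the two render-time guards discussed in this thread as a Helm named template, with the selector-label check ranging over the protected keys and the persistence check skipped when an existing claim is supplied. The helper name `example.validate`, the values layout, the "more than one replica needs ReadWriteMany" rule and the persistence error text are assumptions; only the podLabels error message comes from the tests quoted above.

```gotemplate
{{/*
Added illustration, not the chart's _helpers.tpl.
Assumed values: replicaCount, podLabels,
persistence.enabled, persistence.existingClaim, persistence.accessModes.
*/}}
{{- define "example.validate" -}}

{{- /*
1. podLabels must not shadow a selector label. If they did, the pod template
   labels would no longer match the Deployment selector, and any NetworkPolicy
   podSelector built from the same labels would stop matching the pods.
*/ -}}
{{- $podLabels := .Values.podLabels | default (dict) -}}
{{- range $key := list "app.kubernetes.io/name" "app.kubernetes.io/instance" -}}
  {{- if hasKey $podLabels $key -}}
    {{- fail (printf "podLabels must not override the selector label %s" $key) -}}
  {{- end -}}
{{- end -}}

{{- /*
2. Access-mode guard (assumed rule: more than one replica sharing a volume
   needs ReadWriteMany). It applies only when the chart itself creates the PVC;
   with persistence.existingClaim the access modes belong to the external claim
   and persistence.accessModes is not used, so it must not be checked.
*/ -}}
{{- $p := .Values.persistence | default (dict) -}}
{{- $chartCreatesPVC := and $p.enabled (not $p.existingClaim) -}}
{{- $replicas := int (.Values.replicaCount | default 1) -}}
{{- if and $chartCreatesPVC (gt $replicas 1) -}}
  {{- if not (has "ReadWriteMany" ($p.accessModes | default (list))) -}}
    {{- /* Constructed message, not the chart's wording. */ -}}
    {{- fail "replicaCount > 1 with a chart-managed PVC requires ReadWriteMany in persistence.accessModes" -}}
  {{- end -}}
{{- end -}}

{{- end -}}
```

Included from a template that renders nothing else, `{{- include "example.validate" . -}}` stops `helm template` and `helm install` with the failure message before any manifest is produced.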
