From e10be0fd79beabf72e8fa81b626f54191fa67696 Mon Sep 17 00:00:00 2001 From: Kacper Sawicki Date: Mon, 15 Dec 2025 11:31:26 +0000 Subject: [PATCH 1/3] ci: add fallback for helm install when get.helm.sh is down Add a fallback step that installs helm via apt from Buildkite's repository if the primary azure/setup-helm action fails. This makes CI resilient to get.helm.sh outages while preserving the caching benefits of the action when it works. The fallback uses GPG-signed packages from the official Helm apt repository hosted by Buildkite, as recommended by the Helm docs. Fixes: https://github.com/coder/internal/issues/1109 --- .github/workflows/ci.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 68494f3d21cc1..8d6c849eeb9f0 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -207,6 +207,19 @@ jobs: uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 with: version: v3.9.2 + continue-on-error: true + id: setup-helm + + - name: Install helm (fallback) + if: steps.setup-helm.outcome == 'failure' + # Fallback to Buildkite's apt repository if get.helm.sh is down. + # See: https://github.com/coder/internal/issues/1109 + run: | + set -euo pipefail + curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null + echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list + sudo apt-get update + sudo apt-get install -y helm - name: make lint run: | From 22115cc426d1095071cde0481d9a00898d0e25c0 Mon Sep 17 00:00:00 2001 From: Kacper Sawicki Date: Tue, 16 Dec 2025 09:08:20 +0000 Subject: [PATCH 2/3] ci: pin helm version in apt fallback to 3.9.2-1 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8d6c849eeb9f0..85f3a497c0d5c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -219,7 +219,7 @@ jobs: curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list sudo apt-get update - sudo apt-get install -y helm + sudo apt-get install -y helm=3.9.2-1 - name: make lint run: | From 5c083a11ac349b1550276baf63f1b0c6d9cf6c21 Mon Sep 17 00:00:00 2001 From: Kacper Sawicki Date: Tue, 16 Dec 2025 10:59:05 +0000 Subject: [PATCH 3/3] ci: add helm version verification step --- .github/workflows/ci.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 85f3a497c0d5c..6369d1ec8a8ab 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -221,6 +221,9 @@ jobs: sudo apt-get update sudo apt-get install -y helm=3.9.2-1 + - name: Verify helm version + run: helm version --short + - name: make lint run: | # zizmor isn't included in the lint target because it takes a while,