
Upgrade helm in console#16607

Open
sowmya-sl wants to merge 5 commits into
openshift:mainfrom
sowmya-sl:upgrade-helm-in-console

Conversation


@sowmya-sl sowmya-sl commented Jun 12, 2026

Contributor

This PR has the Helm 3 to Helm 4 upgrade for console. The changes include the Helm API import changes from v3 to v4, adding Helm 4 to the vendor folder and fixing the changed interfaces in Helm 4 to work with the current code.

Summary by CodeRabbit

  • Chores
    • Upgraded Helm integration from version 3 to version 4 across install, upgrade, rollback, uninstall, templating, chart repository handling, and OCI registry support.
    • Refreshed Go dependencies to newer compatible versions (including updated Helm module versions).
  • Bug Fixes
    • Improved reliability by validating Helm command result release types and returning clear errors on unexpected results.
    • Adjusted release listing behavior to return an empty list (not null) and aligned rendered/installed behavior with Helm v4 expectations.
  • Tests
    • Updated the test suite to use Helm v4 release/status types and revised configuration defaults accordingly.

sowmya-sl and others added 3 commits June 12, 2026 15:16

Migrate all Go import paths under pkg/helm/ (actions, chartproxy,
chartverifier, handlers) to the Helm v4 module path as part of the
Helm SDK upgrade.

Helm v4 introduces interface-based return types and restructured packages.
This updates all call sites to handle the new Releaser interface with type
assertions, adapts to the removed Configuration.Init() logger parameter,
replaces DryRun/ClientOnly with DryRunStrategy, and converts dependency
slice types for CheckDependencies.

Co-authored-by: Cursor <cursoragent@cursor.com>

Helm v4 returns release.Releaser and chart.Dependency interface types
instead of concrete v1 release and v2 dependency types. Update install,
upgrade, list, history, template, and uninstall code to type-assert
release results, convert chart dependency slices for CheckDependencies,
and use the new Configuration.Init and Install action fields.
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 12, 2026

openshift-ci Bot commented Jun 12, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the component/backend Related to backend label Jun 12, 2026

openshift-ci Bot commented Jun 12, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sowmya-sl
Once this PR has been reviewed and has the lgtm label, please assign therealjon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai Bot commented Jun 12, 2026

Contributor

Caution

Review failed

An error occurred during the review process. Please try again later.

Walkthrough

This PR migrates the codebase from Helm v3 to Helm v4 by updating the direct dependency in go.mod to version 4.1.4, updating all import paths across action packages, adjusting API calls to match v4 signatures (e.g., removing logging callbacks from config initialization), adding runtime type assertions for release results, and updating the uninstall response type from release.UninstallReleaseResponse to releasecommon.UninstallReleaseResponse.

Changes

Helm v3→v4 Dependency and API Migration

Layer: Dependency version update and module setup
  Files: go.mod, pkg/helm/actions/setup_test.go
  Summary: go.mod requires helm.sh/helm/v4 v4.1.4 directly, adds indirect dependencies (observe-sdk, extism, wabin, wazero, gofrs/flock, ianlancetaylor/demangle), and updates Kustomize versions. Test setup detects the v4 module version.

Layer: Core Helm action imports and authentication setup
  Files: pkg/helm/actions/auth.go, pkg/helm/actions/auth_test.go, pkg/helm/actions/config.go, pkg/helm/actions/get_chart.go, pkg/helm/actions/get_registry.go, pkg/helm/chartproxy/proxy.go, pkg/helm/chartproxy/proxy_test.go, pkg/helm/chartproxy/repos.go, pkg/helm/chartproxy/repos_test.go, pkg/helm/chartverifier/chart_verifier.go, pkg/helm/handlers/handlerChartVerifier.go, pkg/helm/handlers/handler_chartVerifier_test.go
  Summary: Imports for action, cli, chart, registry, and repo packages switch from Helm v3 paths to v4 equivalents. Config initialization removes the logging callback parameter to match the v4 API. Authentication, basic chart loading, and repository utilities maintain their external function signatures.

Layer: Release retrieval operations with type assertions and nil handling
  Files: pkg/helm/actions/get_chart_test.go, pkg/helm/actions/get_registry_test.go, pkg/helm/actions/get_release.go, pkg/helm/actions/get_release_test.go, pkg/helm/actions/list_releases.go, pkg/helm/actions/list_releases_test.go, pkg/helm/actions/release_history.go, pkg/helm/actions/release_history_test.go
  Summary: GetRelease, ListReleases, and GetReleaseHistory now type-assert cmd.Run() results to *releaseV1.Release, handle nil results by returning empty slices instead of nil, and return errors on unexpected element types. Return types updated to Helm v4 release/v1 types. Test fixtures updated to use v4 release types and common.DefaultCapabilities.

Layer: Installation operations with Helm v4 configuration options
  Files: pkg/helm/actions/install_chart.go, pkg/helm/actions/install_chart_test.go
  Summary: InstallChart now returns *releaseV1.Release, captures cmd.Run output and type-asserts to release v1, errors on type mismatches. Install configuration sets DryRunStrategy to DryRunClient, explicitly sets SkipCRDs false, enables Replace, DependencyUpdate, and SkipSchemaValidation. Both sync and async paths set ServerSideApply false and WaitStrategy to kube.LegacyStrategy.

Layer: Upgrade operations with new helper and Helm v4 configuration
  Files: pkg/helm/actions/upgrade_release.go, pkg/helm/actions/upgrade_release_test.go
  Summary: UpgradeRelease returns *releaseV1.Release, sets ServerSideApply false, and uses new checkChartDependencies helper to validate chart dependencies. Type-asserts cmd.Run result to release v1 with error handling. UpgradeReleaseAsync sets WaitStrategy to kube.LegacyStrategy. Tests updated for v4 release types and status constants (rcommon.StatusDeployed).

Layer: Template rendering with Helm v4 configuration and type assertions
  Files: pkg/helm/actions/template.go, pkg/helm/actions/template_test.go
  Summary: RenderManifests sets install command options using v4 API: DryRunStrategy set to DryRunClient, SkipCRDs explicitly false, Replace enabled, DependencyUpdate enabled, SkipSchemaValidation enabled. Type-asserts rendered result to *releaseV1.Release and returns consistent empty-string error responses. Tests updated for v4 capabilities and imports.

Layer: Rollback release with updated return type
  Files: pkg/helm/actions/rollback_release.go, pkg/helm/actions/rollback_release_test.go
  Summary: RollbackRelease imports updated to Helm v4 action and release/v1 packages. Function logic, revision validation, and error handling unchanged; return type updated to *releaseV1.Release. Test fixtures and capabilities source updated to Helm v4 types and common.DefaultCapabilities.

Layer: Uninstall operations with response type change and release type assertions
  Files: pkg/helm/actions/uninstall_release.go, pkg/helm/actions/uninstall_release_test.go
  Summary: UninstallRelease return type changes from release.UninstallReleaseResponse to releasecommon.UninstallReleaseResponse. Chart metadata access for metrics now requires type-asserting resp.Release to *releaseV1.Release before reading .Chart in both sync and async code paths. Test fixtures updated for v4 types and new response type, status assertions use rcommon.StatusUninstalled and rcommon.StatusDeployed.

Layer: Handler integration and wiring with response type updates
  Files: pkg/helm/handlers/client.go, pkg/helm/handlers/handler_test.go, pkg/helm/handlers/handlers.go
  Summary: Handlers migrate to Helm v4 packages. UninstallReleaseResponse type switches from release package to releasecommon. Handler client updates action imports. Handler function field types updated: InstallChart, UpgradeRelease, GetRelease, ListReleases, GetReleaseHistory, RollbackRelease all return *releaseV1.Release; UninstallRelease returns *releasecommon.UninstallReleaseResponse. Test mocks and handler setup updated with v4 types and uninstall response type.

🎯 4 (Complex) | ⏱️ ~75 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors, 3 warnings, 1 inconclusive)

Check name Status Explanation Resolution
Ote Binary Stdout Contract ❌ Error setup_test.go is a new file that contains fmt.Println() calls in startTests(), which is invoked from TestMain() at lines 81, 85, 89, 93. These are in process-level code that will write to stdout, v... Redirect fmt.Println warnings in setup_test.go's startTests defer block to os.Stderr or remove them entirely, as they violate OTE's JSON stdout requirement.
No-Sensitive-Data-In-Logs ❌ Error Lines 250 and 369 of install_chart.go log entire error objects via klog.Errorf with %v, which could expose OCI/HTTP authentication credentials or sensitive Helm API errors that contain passwords or... Sanitize error messages before logging: use only error type names or wrap errors with custom messages, avoid logging full error objects that may contain credentials from failed authentication attempts.
Description check ⚠️ Warning The PR description does not follow the required template structure. It is missing required sections including Analysis/Root cause, Solution description, Test setup, Test cases, Browser conformance, and proper Jira issue prefix in the title. Fill in all required template sections: provide root cause analysis, detailed solution description, test setup instructions, test cases, browser conformance checklist, and update the title with a Jira issue prefix (e.g., CONSOLE-XXXX).
Docstring Coverage ⚠️ Warning Docstring coverage is 5.80% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality ⚠️ Warning Tests use standard Go testing (not Ginkgo), but violate quality requirements: (1) Most assertions lack meaningful failure messages (136 t.Error vs 141 require. calls but many without messages), (2)... Add assertion messages to all require.* calls, use t.Cleanup() or refactor to setup functions for resource creation, use context.WithTimeout for operations, split composite assertions into separate test cases.
Title check ❓ Inconclusive The title is vague and generic—'Upgrade helm in console' lacks specificity about what aspect of Helm is being upgraded (version 3 to 4) and uses non-descriptive phrasing. Revise the title to be more specific and descriptive, such as 'Upgrade Helm from v3 to v4' or 'Migrate Helm integration to v4' to clearly convey the main change.
✅ Passed checks (9 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR contains no Ginkgo tests—only standard Go testing with table-driven tests. All test names use static strings from test data, with no dynamic values, timestamps, UUIDs, or generated identifi...
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added in this PR. All changes are to the Helm module (go.mod) and internal Helm package implementations/unit tests using standard Go testing (*testing.T), not Ginkgo fr...
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR is a Helm v3→v4 migration adding only standard Go unit tests (func TestXxx(t *testing.T)), not Ginkgo e2e tests. Custom check not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed This PR is a pure Helm v3→v4 SDK migration affecting only backend library code (pkg/helm/). No deployment manifests, operator code, controllers, or scheduling constraints are added or modified.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR does not add any new Ginkgo e2e tests. All changes are to existing Helm v3→v4 migration in pkg/helm, which modifies only standard Go unit tests (using testing.T) and implementation code. No...
No-Weak-Crypto ✅ Passed No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the PR changes.
Container-Privileges ✅ Passed This PR exclusively contains Go source code and dependency file changes for Helm v3→v4 API migration; it does not modify any Kubernetes manifests, Dockerfiles, or container configurations that woul...

Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)


Comment @coderabbitai help to get the list of available commands and usage tips.
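The guarded type-assertion and nil-chart handling that the walkthrough above describes, as an added Go example that is not code from this PR or from Helm: Releaser, Release, Chart and Metadata are constructed stand-ins for the helm.sh/helm/v4 shapes, and asReleaseV1, chartNameVersion and limitInfo are hypothetical helpers that show the pattern (comma-ok assertion, typed-nil rejection, nil chart tolerated, non-nil empty slice) rather than the console's own functions.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the Helm v4 shapes this PR deals with (not the
// real helm.sh/helm/v4 types): an action's Run returns a Releaser interface,
// and the console expects the concrete *Release behind it.
type Releaser interface{ ReleaseName() string }

type Metadata struct{ Name, Version string }
type Chart struct{ Metadata *Metadata }
type Release struct {
	Name      string
	Version   int
	Namespace string
	Chart     *Chart
}

func (r *Release) ReleaseName() string { return r.Name }

// legacyRelease models "Run returned a different Releaser implementation".
type legacyRelease struct{ name string }

func (l legacyRelease) ReleaseName() string { return l.name }

var ErrUnexpectedRelease = errors.New("unexpected release type from helm action")

// asReleaseV1 is the guarded form of `result.(*Release)`: a comma-ok
// assertion plus a typed-nil check, so an unexpected Releaser (or a nil
// pointer wrapped in the interface) becomes an error instead of a panic.
func asReleaseV1(result Releaser) (*Release, error) {
	rel, ok := result.(*Release)
	if !ok {
		return nil, fmt.Errorf("%w: got %T", ErrUnexpectedRelease, result)
	}
	if rel == nil {
		return nil, fmt.Errorf("%w: nil release", ErrUnexpectedRelease)
	}
	return rel, nil
}

// chartNameVersion mirrors the uninstall-metrics path: ok is false whenever
// any link in Release -> Chart -> Metadata is missing or a field is empty.
func chartNameVersion(result Releaser) (name, version string, ok bool) {
	rel, err := asReleaseV1(result)
	if err != nil || rel.Chart == nil || rel.Chart.Metadata == nil {
		return "", "", false
	}
	m := rel.Chart.Metadata
	if m.Name == "" || m.Version == "" {
		return "", "", false
	}
	return m.Name, m.Version, true
}

// limitInfo mirrors ListReleases' limitInfo path: copy only chart metadata,
// tolerate a release with no chart, and always return a non-nil slice.
func limitInfo(results []Releaser) ([]*Release, error) {
	limited := make([]*Release, 0, len(results))
	for _, r := range results {
		rel, err := asReleaseV1(r)
		if err != nil {
			return nil, err
		}
		var limitedChart *Chart
		if rel.Chart != nil {
			limitedChart = &Chart{Metadata: rel.Chart.Metadata}
		}
		limited = append(limited, &Release{
			Name:      rel.Name,
			Version:   rel.Version,
			Namespace: rel.Namespace,
			Chart:     limitedChart,
		})
	}
	return limited, nil
}

func main() {
	// Constructed sample results: a normal release, one without a chart,
	// and one of an unexpected Releaser implementation.
	good := &Release{Name: "web", Version: 2, Namespace: "apps",
		Chart: &Chart{Metadata: &Metadata{Name: "nginx", Version: "1.2.3"}}}
	noChart := &Release{Name: "bare", Version: 1, Namespace: "apps"}

	list, err := limitInfo([]Releaser{good, noChart})
	fmt.Println("listed:", len(list), "err:", err, "chart on second:", list[1].Chart)

	_, err = asReleaseV1(legacyRelease{name: "old"})
	fmt.Println("unexpected type is an error:", errors.Is(err, ErrUnexpectedRelease))

	var typedNil *Release
	_, err = asReleaseV1(typedNil)
	fmt.Println("typed nil is an error:", err != nil)
}
```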

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
pkg/helm/actions/auth_test.go (1)

72-73: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Don't discard the fixture read failures.

If server.crt or server.key is missing, this test keeps going with empty data and fails later in setUpAuthentication with a misleading PEM-validation error. Assert both reads succeed here. As per coding guidelines, Go code should never ignore error returns.

Suggested fix
-				cert, _ := os.ReadFile("./server.crt")
-				key, _ := os.ReadFile("./server.key")
+				cert, err := os.ReadFile("./server.crt")
+				require.NoError(t, err)
+				key, err := os.ReadFile("./server.key")
+				require.NoError(t, err)
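Review bot: both added `require.NoError(t, err)` calls carry no failure message, which is exactly what the Test Structure check on this PR flags for every `require.*` call; suggest `require.NoError(t, err, "read fixture ./server.crt")` and the same for `./server.key` so a missing fixture is named in the failure output instead of leaving the reader to map a line number back to a file.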
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/auth_test.go` around lines 72 - 73, The test currently
discards errors from os.ReadFile when loading "./server.crt" and "./server.key"
which can lead to misleading PEM errors in setUpAuthentication; update the test
to capture and assert the read errors for both cert and key (e.g., check err
after reading into cert and key and fail the test with t.Fatalf or use
require.NoError) so the test stops with a clear message if the fixture files are
missing or unreadable.

Source: Coding guidelines

pkg/helm/actions/config.go (1)

51-58: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Handle conf.Init failures (and OCI registry errors) instead of discarding them.

In pkg/helm/actions/config.go (lines 51-58), conf.Init(...) is called but its returned error is ignored, leaving *action.Configuration potentially partially initialized. Change GetActionConfigurations to return (*action.Configuration, error) and plumb it through the handler function type in pkg/helm/handlers/handlers.go. Also, GetDefaultOCIRegistry()’s err is only logged; return/handle it the same way to avoid continuing with a nil/invalid RegistryClient.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/config.go` around lines 51 - 58, Update
GetActionConfigurations to return (*action.Configuration, error), call conf.Init
and check its returned error instead of discarding it (return nil, err on
failure), and likewise propagate any error from GetDefaultOCIRegistry instead of
only logging it; set conf.RegistryClient only when registryClient is non-nil and
no error occurred. Then update the handler function type in
pkg/helm/handlers/handlers.go (the handler signature you use to build handlers)
to accept/return the error from GetActionConfigurations and propagate that error
up to callers so initialization failures are handled rather than ignored. Ensure
references to conf.Init, GetDefaultOCIRegistry, conf.RegistryClient, and the
handler type are updated consistently.
pkg/helm/actions/get_chart_test.go (1)

89-96: ⚠️ Potential issue | 🔴 Critical

Fix Helm v4 test fixture API usage (action.Configuration + chartutil)

pkg/helm/actions/get_chart_test.go still uses removed Helm v3 configuration members:

  • chartutil.DefaultCapabilities is undefined
  • action.Configuration no longer has a Log field

These issues repeat at lines 89-96, 202-209, and 336-343, and the same Helm v4 mismatches also break pkg/helm/actions/get_registry_test.go / pkg/helm/actions/get_release_test.go (including release.StatusDeployed), so go test ./pkg/helm/actions fails to build. Update the fixtures to the Helm v4 configuration/types instead of carrying v3 fields forward.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/get_chart_test.go` around lines 89 - 96, Tests are still
using Helm v3-only fields: remove the v3-only action.Configuration.Log and
chartutil.DefaultCapabilities usages and migrate the fixtures to the Helm v4
initialization pattern by creating an action.Configuration via the v4 helper
(create a configuration instance and call the v4 init/new routine to wire
RESTClientGetter, Releases (storage.Init(driver.NewMemory())), and KubeClient
(kubefake.PrintingKubeClient)), and where tests referenced chart capabilities
replace chartutil.DefaultCapabilities with constructing a chartutil.Capabilities
using the Helm v4 constructor/helper; also update any v3 release constants (e.g.
release.StatusDeployed) to the Helm v4 equivalents. Ensure you update the three
fixture blocks (the ones around action.Configuration in the diff) and mirror the
same changes in pkg/helm/actions/get_registry_test.go and get_release_test.go.

Source: Linters/SAST tools

pkg/helm/actions/list_releases.go (1)

39-40: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Handle releases with no chart before copying metadata.

The new limitInfo path dereferences rel.Chart.Metadata unconditionally. A single release with Chart == nil now panics the whole list call instead of returning the other releases.

Suggested fix
 		for _, rel := range releases {
+			var limitedChart *chart.Chart
+			if rel.Chart != nil {
+				limitedChart = &chart.Chart{
+					Metadata: rel.Chart.Metadata,
+				}
+			}
 			info := release.Release{
 				Name:      rel.Name,
 				Version:   rel.Version,
 				Namespace: rel.Namespace,
 				Info:      rel.Info,
-				Chart: &chart.Chart{
-					Metadata: rel.Chart.Metadata,
-				},
+				Chart:     limitedChart,
 			}
 			limited = append(limited, &info)
 		}
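Review bot: the guard leaves `Chart` nil on the copied release whenever `rel.Chart` is nil, so a consumer of the limited list that reads `.Chart.Metadata` (the handler's JSON response, or a metrics path like the uninstall one in this review) inherits the same nil dereference one hop later; either state in a comment that `Chart` may be nil in the limited response or emit `&chart.Chart{}` with an empty `Metadata` so the returned shape stays stable. Also, the rest of the PR aliases the v4 `release/v1` package as `releaseV1`, while this block uses `release.Release`; keep the import alias consistent with `get_release.go` so the two files do not drift.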
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/list_releases.go` around lines 39 - 40, The code
unconditionally dereferences rel.Chart.Metadata (in the limitInfo path) and will
panic if rel.Chart is nil; update the logic in list_releases.go to check
rel.Chart != nil before accessing rel.Chart.Metadata (e.g., inside the code that
builds the Chart: &chart.Chart{ Metadata: rel.Chart.Metadata }). If rel.Chart is
nil, either skip copying Metadata and leave Chart nil/empty on the returned
release or populate Metadata with an empty/default metadata object so the
function returns other releases without panicking.
🧹 Nitpick comments (1)
pkg/helm/actions/uninstall_release.go (1)

26-29: Guard the Helm v4 Release assertion when recording uninstall metrics (hardening).
Helm v4’s successful non-dry-run action.Uninstall.Run populates UninstallReleaseResponse.Release with *helm.sh/helm/v4/pkg/release/v1.Release, so the current assertion is unlikely to panic today; still, since Release is interface{}, adding an ok type-assert guard (and resp != nil) prevents metrics from crashing on unexpected/nil shapes.

Suggested fix
-	ch := resp.Release.(*release.Release).Chart
-	if ch != nil && ch.Metadata != nil && ch.Metadata.Name != "" && ch.Metadata.Version != "" {
-		metrics.HandleconsoleHelmUninstallsTotal(ch.Metadata.Name, ch.Metadata.Version)
-	}
+	if rel, ok := resp.Release.(*release.Release); ok && rel != nil {
+		ch := rel.Chart
+		if ch != nil && ch.Metadata != nil && ch.Metadata.Name != "" && ch.Metadata.Version != "" {
+			metrics.HandleconsoleHelmUninstallsTotal(ch.Metadata.Name, ch.Metadata.Version)
+		}
+	}
...
-		ch := resp.Release.(*release.Release).Chart
-		if ch != nil && ch.Metadata != nil && ch.Metadata.Name != "" && ch.Metadata.Version != "" {
-			metrics.HandleconsoleHelmUninstallsTotal(ch.Metadata.Name, ch.Metadata.Version)
-		}
+		if rel, ok := resp.Release.(*release.Release); ok && rel != nil {
+			ch := rel.Chart
+			if ch != nil && ch.Metadata != nil && ch.Metadata.Name != "" && ch.Metadata.Version != "" {
+				metrics.HandleconsoleHelmUninstallsTotal(ch.Metadata.Name, ch.Metadata.Version)
+			}
+		}
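Review bot: the comment above says the guard should also cover `resp != nil`, but neither copy of the suggested block checks it: `resp.Release` is evaluated before the comma-ok assertion, so a nil `resp` still panics in the metrics path. Wrap the block as `if resp != nil { if rel, ok := resp.Release.(*release.Release); ok && rel != nil { ... } }`, and since the sync and async paths now carry an identical block, move it into a helper such as `recordUninstallMetrics(resp)` so the guard lives in one place.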
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/uninstall_release.go` around lines 26 - 29, The current code
directly type-asserts resp.Release to *release.Release which can panic; update
the uninstall metrics block to first ensure resp != nil, perform a safe type
assertion like r, ok := resp.Release.(*release.Release), and only if ok and r !=
nil and r.Chart != nil and r.Chart.Metadata != nil and r.Chart.Metadata.Name !=
"" and r.Chart.Metadata.Version != "" call
metrics.HandleconsoleHelmUninstallsTotal(r.Chart.Metadata.Name,
r.Chart.Metadata.Version); this replaces direct use of
resp.Release.(*release.Release).Chart with the guarded r.Chart path.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 230: The go.mod currently pulls helm.sh/helm/v3 v3.17.1 (transitively via
github.com/redhat-certification/chart-verifier) which is vulnerable; update the
dependency graph by either (A) bumping
github.com/redhat-certification/chart-verifier to a newer version that itself
depends on a patched helm v3 (so the transitive helm.sh/helm/v3 resolves to >=
v3.17.3/v3.18.4), or (B) add a go.mod replace directive to pin helm.sh/helm/v3
to a patched release (e.g., v3.17.3 or v3.18.4) to override the transitive
v3.17.1; locate references to github.com/redhat-certification/chart-verifier and
helm.sh/helm/v3 in go.mod and update the chart-verifier module version or add
the replace line, then run go mod tidy && go mod vendor (if vendored) and verify
the module graph no longer contains helm.sh/helm/v3 v3.17.1.

In `@pkg/helm/actions/get_release.go`:
- Line 15: The code currently returns releases.(*release.Release) directly which
can panic if cmd.Run returns a different release.Releaser implementation; change
the direct assertion to a guarded one: use rel, ok :=
releases.(*release.Release) (referencing the releases variable and the
release.Release type) and if !ok return a descriptive error (e.g., using
fmt.Errorf or errors.New) instead of panicking, otherwise return rel, nil.
Ensure the function that calls cmd.Run (the code containing the releases
variable and the return) uses this guarded pattern.

In `@pkg/helm/actions/template.go`:
- Around line 28-35: The code currently sets client.DryRunStrategy =
action.DryRunNone which in Helm v4 is not a client-side dry-run and still
interacts with the server; change the dry-run strategy to a client-only dry-run
by setting client.DryRunStrategy = action.DryRunClient in the same
initialization block (the code around actions.RenderManifests, client.Run(ch,
vals), and the Install runner) so that Install.RunWithContext treats the
operation as a dry-run (isDryRun true / interactWithServer false) and does not
call i.cfg.Releases.Create or performInstall.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2d74fa45-705f-4576-8d1b-d23e560d3ce0

📥 Commits

Reviewing files that changed from the base of the PR and between 2a1f492 and 720a261.

⛔ Files ignored due to path filters (264)
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/status/core.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/status/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/status/generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/status/status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/status/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/blind_status_watcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/default_status_watcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/dynamic_informer_factory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/event_funnel.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/object_filter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/object_status_reporter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/restscopestrategy_string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/unschedulable.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/kstatus/watcher/watcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/object/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/object/field.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/object/infos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/object/objmetadata.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/object/objmetadata_set.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/object/strings.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/object/unstructured.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fluxcd/cli-utils/pkg/object/unstructured_set.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/error_1_13.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/error_backward.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/join_unwrap_1_20.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/join_unwrap_backward.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/SECURITY.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/build.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/flock.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/flock_others.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/flock_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/flock_unix_fcntl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gofrs/flock/flock_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/ianlancetaylor/demangle/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/ianlancetaylor/demangle/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/ianlancetaylor/demangle/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/ianlancetaylor/demangle/SECURITY.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/ianlancetaylor/demangle/ast.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/ianlancetaylor/demangle/demangle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/ianlancetaylor/demangle/rust.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/code.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/const_expr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/custom.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/data.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/decoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/element.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/encoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/export.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/function.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/global.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/header.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/import.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/limits.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/memory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/names.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/section.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/table.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/binary/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/ieee754/ieee754.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/leb128/leb128.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/wasm/counts.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/wasm/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/wasm/instruction.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/wasm/memory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/wasm/module.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wabin/wasm/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/.editorconfig is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/.gitattributes is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/.gitmodules is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/NOTICE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/RATIONALE.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/api/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/api/wasm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/builder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/cache.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/codecov.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/checkpoint.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/close.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/compilationworkers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/experimental.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/importresolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/listener.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/memory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/dir.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/errno.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/fs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/oflag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/syscall_errno.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/syscall_errno_notwindows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/syscall_errno_unsupported.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/syscall_errno_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/time.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/experimental/sys/unimplemented.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/fsconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/args.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/clock.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/environ.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/fs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/poll.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/proc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/random.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/sched.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/sock.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1/wasi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/descriptor/table.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/interpreter/compiler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/interpreter/format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/interpreter/interpreter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/interpreter/operations.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/interpreter/signature.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/abi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/backend.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/compiler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/compiler_lower.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/go_call.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/abi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/abi_entry_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/abi_entry_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/abi_entry_preamble.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/abi_go_call.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/cond.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/ext.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/instr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/instr_encoding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/lower_constant.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/lower_mem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/machine.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/machine_pro_epi_logue.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/machine_regalloc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/machine_vec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/operands.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/reg.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64/stack.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/abi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/abi_entry_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/abi_entry_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/abi_entry_preamble.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/abi_go_call.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/cond.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/instr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/instr_encoding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/lower_constant.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/lower_instr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/lower_instr_operands.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/lower_mem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/machine.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/machine_pro_epi_logue.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/machine_regalloc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/machine_relocation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/reg.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64/unwind_stack.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/machine.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/regalloc/api.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/regalloc/reg.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/regalloc/regalloc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/regalloc/regset.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/backend/vdef.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/call_engine.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/engine.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/engine_cache.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/entrypoint_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/entrypoint_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/entrypoint_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/frontend/frontend.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/frontend/lower.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/frontend/misc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/frontend/sort_id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/hostmodule.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/isa_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/isa_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/isa_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/memmove.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/module_engine.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/basic_block.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/basic_block_sort.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/builder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/cmp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/funcref.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/instructions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/pass.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/pass_blk_layouts.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/pass_cfg.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/signature.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/ssa.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/ssa/vs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/wazevoapi/debug_options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/wazevoapi/exitcode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/wazevoapi/offsetdata.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/wazevoapi/perfmap.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/wazevoapi/perfmap_disabled.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/wazevoapi/perfmap_enabled.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/wazevoapi/pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/wazevoapi/ptr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/tetratelabs/wazero/internal/engine/wazevo/wazevoapi/queue.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (36)
  • go.mod
  • pkg/helm/actions/auth.go
  • pkg/helm/actions/auth_test.go
  • pkg/helm/actions/config.go
  • pkg/helm/actions/get_chart.go
  • pkg/helm/actions/get_chart_test.go
  • pkg/helm/actions/get_registry.go
  • pkg/helm/actions/get_registry_test.go
  • pkg/helm/actions/get_release.go
  • pkg/helm/actions/get_release_test.go
  • pkg/helm/actions/install_chart.go
  • pkg/helm/actions/install_chart_test.go
  • pkg/helm/actions/list_releases.go
  • pkg/helm/actions/list_releases_test.go
  • pkg/helm/actions/release_history.go
  • pkg/helm/actions/release_history_test.go
  • pkg/helm/actions/rollback_release.go
  • pkg/helm/actions/rollback_release_test.go
  • pkg/helm/actions/setup_test.go
  • pkg/helm/actions/template.go
  • pkg/helm/actions/template_test.go
  • pkg/helm/actions/uninstall_release.go
  • pkg/helm/actions/uninstall_release_test.go
  • pkg/helm/actions/upgrade_release.go
  • pkg/helm/actions/upgrade_release_test.go
  • pkg/helm/chartproxy/proxy.go
  • pkg/helm/chartproxy/proxy_test.go
  • pkg/helm/chartproxy/repos.go
  • pkg/helm/chartproxy/repos_test.go
  • pkg/helm/chartverifier/chart_verifier.go
  • pkg/helm/chartverifier/chart_verifier_test.go
  • pkg/helm/handlers/client.go
  • pkg/helm/handlers/handlerChartVerifier.go
  • pkg/helm/handlers/handler_chartVerifier_test.go
  • pkg/helm/handlers/handler_test.go
  • pkg/helm/handlers/handlers.go

Comment thread go.mod
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
helm.sh/helm/v3 v3.17.1 // indirect
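Review bot: the `// indirect` marker on `helm.sh/helm/v3 v3.17.1` means no console package imports Helm v3 directly, so this line will only disappear once whichever dependency still requires Helm v3 is bumped, or a `replace` pins it to a patched release; run `go mod why -m helm.sh/helm/v3` to identify that importer before choosing between the two, and after either change re-run `go mod vendor` so vendor/modules.txt matches go.mod, since a `-mod=vendor` build fails on any mismatch between the two.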

@coderabbitai coderabbitai Bot Jun 12, 2026


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Inspect go.mod around the referenced line
echo "=== go.mod lines 200-260 ==="
nl -ba go.mod | sed -n '200,260p'

# 2) Find all helm v3/v4 references in go.mod/go.sum
echo
echo "=== helm v3 references in go.mod/go.sum ==="
rg -n "helm\.sh/helm/v3" go.mod go.sum || true

echo
echo "=== helm v4 references in go.mod/go.sum ==="
rg -n "helm\.sh/helm/v4" go.mod go.sum || true

# 3) Search code for helm v3 imports/uses
echo
echo "=== Search for helm v3 imports in repo ==="
rg -n "helm\.sh/helm/v3" -S --hidden --glob '!.git/*' . || true

echo
echo "=== Search for helm v4 imports in repo ==="
rg -n "helm\.sh/helm/v4" -S --hidden --glob '!.git/*' . || true

# 4) Check which module pulls in helm/v3 by looking for helm v3 in go.mod dependency graph textually
#    (no go command dependency on tools; best-effort: search go.mod for indirect requirements)
echo
echo "=== Any explicit require for helm v3 besides the snippet? (show full require blocks) ==="
awk '
  BEGIN{inreq=0}
  /^require \(/ {inreq=1; print ">> require block starts: " NR; next}
  inreq && /^\)/ {inreq=0; print ">> require block ends: " NR; next}
  inreq {print}
' go.mod | rg -n "helm\.sh/helm/v(3|4)" || true

Repository: openshift/console

Length of output: 151


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== go.mod lines 200-260 (with line numbers) ==="
awk 'NR>=200 && NR<=260 {printf "%d\t%s\n", NR, $0}' go.mod | sed -n '1,120p'

echo
echo "=== helm v3 references in go.mod/go.sum ==="
rg -n "helm\.sh/helm/v3" go.mod go.sum || true

echo
echo "=== helm v4 references in go.mod/go.sum ==="
rg -n "helm\.sh/helm/v4" go.mod go.sum || true

echo
echo "=== Search for helm v3 imports in repo ==="
rg -n "helm\.sh/helm/v3" -S --hidden --glob '!.git/*' . || true

echo
echo "=== Search for helm v4 imports in repo ==="
rg -n "helm\.sh/helm/v4" -S --hidden --glob '!.git/*' . || true

echo
echo "=== Any explicit require for helm v3/v4 besides the snippet? (require blocks) ==="
# Print lines in go.mod containing helm v3/v4 plus a small neighborhood
rg -n "helm\.sh/helm/v(3|4)" -C 3 go.mod || true

Repository: openshift/console

Length of output: 50373


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Inspect pkg/helm/handlers/handlers.go imports ==="
if [ -f pkg/helm/handlers/handlers.go ]; then
  sed -n '1,120p' pkg/helm/handlers/handlers.go | nl -ba | sed -n '1,120p' 2>/dev/null || sed -n '1,120p' pkg/helm/handlers/handlers.go
else
  echo "Missing: pkg/helm/handlers/handlers.go"
  ls -R pkg/helm/handlers 2>/dev/null || true
fi

echo
echo "=== Non-vendor helm v3 imports ==="
rg -n "helm\.sh/helm/v3" --glob '!vendor/*' --glob '!.git/*' . || true

echo
echo "=== Non-vendor helm v4 imports ==="
rg -n "helm\.sh/helm/v4" --glob '!vendor/*' --glob '!.git/*' . || true

echo
echo "=== Non-vendor usage of chart-verifier (likely pulls helm v3) ==="
rg -n "redhat-certification/chart-verifier" --glob '!vendor/*' --glob '!.git/*' . || true

echo
echo "=== Non-vendor usage of helm-shaded chart-verifier packages (chartverifier) ==="
rg -n "chartverifier" --glob '!vendor/*' --glob '!.git/*' . || true

Repository: openshift/console

Length of output: 19408


🌐 Web query:

OSV vulnerabilities for helm.sh/helm/v3 v3.17.1 (highest severity)

💡 Result:

As of June 12, 2026, version 3.17.1 of helm.sh/helm/v3 is affected by multiple vulnerabilities, including high-severity issues. The two most prominent vulnerabilities identified for this specific version are:

1. CVE-2025-32386 (GHSA-4hfp-h4cw-hj8p): A specially crafted chart archive can cause Out-Of-Memory (OOM) termination. A chart can be designed to expand to a significantly larger size when uncompressed, exhausting available memory during loading [1][2][3].
2. CVE-2025-32387 (GHSA-5xqw-8hwv-wg92): A specially crafted JSON Schema within a chart can cause a stack overflow. Deeply nested chains of references in the schema can exceed the parser's stack size limit [4][5][6].

Both of these vulnerabilities have a severity rating of 6.5 (Medium, according to CVSS v3.1) and were resolved in Helm v3.17.3 [4][5][1][6][3]. Users running v3.17.1 are advised to upgrade to a patched version to mitigate these risks [6][3]. Additionally, version 3.17.1 is affected by CVE-2025-53547 (GHSA-557j-xg8c-q2mm), which involves potential local code execution when updating dependencies if a malicious Chart.lock symlink is present; this was resolved in Helm v3.17.4 and v3.18.4 [7].


🌐 Web query:

osv.dev helm.sh/helm/v3 3.17.1 advisory

💡 Result:

Helm version 3.17.1 is affected by several security vulnerabilities that have been addressed in subsequent releases. Users are advised to upgrade to a newer version to mitigate these risks. Key vulnerabilities affecting Helm 3.17.1 include: 1. Stack Overflow via JSON Schema (CVE-2025-32387): A vulnerability exists where a specially crafted JSON Schema within a chart can lead to parser recursion, exceeding stack size limits and causing a stack overflow [1][2][3]. This was resolved in Helm v3.17.3 [1][2][3]. 2. Out-of-Memory (OOM) Termination via Chart Archive (CVE-2025-32386): Helm is vulnerable to OOM termination if a specially crafted chart archive is loaded, where the uncompressed size is significantly larger than the compressed size [4][5][6]. This issue was resolved in Helm v3.17.3 [4][5][6]. 3. Local Code Execution during Dependency Updates (CVE-2025-53547): A vulnerability involving malicious Chart.yaml content and symbolic links in Chart.lock files can lead to local code execution during dependency updates [7][8]. This was resolved in Helm v3.17.4 and v3.18.4 [7][8]. Given these vulnerabilities, upgrading to the latest available version of Helm is recommended to ensure all security patches are applied [7][2][5][8]. You can verify vulnerability statuses and associated advisories through the official OSV.dev database or the Helm GitHub repository security advisories page [1][9][7][2][5][8].


Remove or patch the leftover Helm v3 module

go.mod still pins helm.sh/helm/v3 v3.17.1 // indirect, and this version is pulled into the vendored build via github.com/redhat-certification/chart-verifier (while the console’s own Helm handler code imports Helm v4). OSV reports multiple vulnerabilities for v3.17.1 (notably CVE-2025-32386, CVE-2025-32387, CVE-2025-53547), with fixes in v3.17.3/v3.17.4/v3.18.4. Update the transitive Helm v3 dependency by bumping the chart-verifier dependency (or pinning helm.sh/helm/v3 to the patched version via replace) so the module graph/vendor no longer uses v3.17.1.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm Allows A Specially Crafted Chart Archive To Cause Out Of Memory Termination in helm.sh/helm (GO-2025-3601)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm Allows A Specially Crafted JSON Schema To Cause A Stack Overflow in helm.sh/helm (GO-2025-3602)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm vulnerable to Code Injection through malicious chart.yaml content in helm.sh/helm (GO-2025-3802)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion in helm.sh/helm (GO-2025-3887)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm May Panic Due To Incorrect YAML Content in helm.sh/helm (GO-2025-3888)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm Allows A Specially Crafted Chart Archive To Cause Out Of Memory Termination (GHSA-4hfp-h4cw-hj8p)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm vulnerable to Code Injection through malicious chart.yaml content (GHSA-557j-xg8c-q2mm)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm Allows A Specially Crafted JSON Schema To Cause A Stack Overflow (GHSA-5xqw-8hwv-wg92)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion (GHSA-9h84-qmv7-982p)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm May Panic Due To Incorrect YAML Content (GHSA-f9f8-9pmf-xv68)

[HIGH] 230-230: helm.sh/helm/v3 3.17.1: Helm Chart extraction output directory collapse via Chart.yaml name dot-segment (GHSA-hr2v-4r36-88hr)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 230, The go.mod currently pulls helm.sh/helm/v3 v3.17.1
(transitively via github.com/redhat-certification/chart-verifier) which is
vulnerable; update the dependency graph by either (A) bumping
github.com/redhat-certification/chart-verifier to a newer version that itself
depends on a patched helm v3 (so the transitive helm.sh/helm/v3 resolves to >=
v3.17.3/v3.18.4), or (B) add a go.mod replace directive to pin helm.sh/helm/v3
to a patched release (e.g., v3.17.3 or v3.18.4) to override the transitive
v3.17.1; locate references to github.com/redhat-certification/chart-verifier and
helm.sh/helm/v3 in go.mod and update the chart-verifier module version or add
the replace line, then run go mod tidy && go mod vendor (if vendored) and verify
the module graph no longer contains helm.sh/helm/v3 v3.17.1.

Sources: Coding guidelines, Linters/SAST tools

@sowmya-sl sowmya-sl Jun 15, 2026

Contributor Author

Contributor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

gh issue view 623 --repo redhat-certification/chart-verifier --json number,title,state,body,createdAt,updatedAt,comments | jq '{number, title, state, createdAt, updatedAt, bodyPreview: .body[:500], commentCount: (.comments | length), lastComments: (.comments[-3:] | map({author: .author.login, body: .body[:300]}) )}'

Length of output: 988



@sowmya-sl Thanks for filing redhat-certification/chart-verifier#623 to track the upstream upgrade. Since that issue is freshly opened and has no timeline yet, the transitive helm.sh/helm/v3 v3.17.1 will remain in the module graph for some time.

As a short-term mitigation until chart-verifier upgrades, consider adding a replace directive in go.mod to pin the transitive v3 dependency to a patched release:

// Temporary: pin transitive helm v3 (via chart-verifier) to patched release until
// redhat-certification/chart-verifier#623 is resolved.
replace helm.sh/helm/v3 => helm.sh/helm/v3 v3.17.4

Note: v3.17.4 fixes all currently known HIGH CVEs (CVE-2025-32386, CVE-2025-32387, CVE-2025-53547, and the additional ones flagged by OSV). You would then run go mod tidy && go mod vendor to apply it. Once chart-verifier ships a version that pulls in a patched helm v3 (or upgrades to v4), the replace can be removed.

Comment thread pkg/helm/actions/get_release.go Outdated
Comment thread pkg/helm/actions/template.go Outdated

@webbnh webbnh left a comment

Contributor

I don't see any major problems beyond what CodeRabbit already called out. I suggested an alternative labeling for releasecommon, and I raised a concern about the charts v2 dependency (but we can defer that to round 2). Otherwise, I just flagged a few nits.

Comment on lines +9 to +10
chart "helm.sh/helm/v4/pkg/chart/v2"
"helm.sh/helm/v4/pkg/chart/v2/loader"

Contributor

This raises a red flag: the reason for upgrading to the v4 SDK is to get support for chart-v3 features, so simply replacing helm.sh/helm/v3/pkg/chart with helm.sh/helm/v4/pkg/chart/v2 may not be what we want (although, it might be OK as a first step to get to v4).

Comment thread pkg/helm/actions/setup_test.go Outdated
continue
}
// Match line like " helm.sh/helm/v3 v3.18.5" or " helm.sh/helm/v3 v3.18.5 // indirect".
// Match line like " helm.sh/helm/v4 v4.1.1 " // indirect".

Contributor

While it's OK to update this from v3 to v4, there are supposed to be two options (a direct and an // indirect, enclosed in quotes (to mark the blanks) with an or between them 🙂).

Comment thread pkg/helm/actions/template.go Outdated
Comment on lines +30 to +31
includeCrds := true
client.SkipCRDs = !includeCrds

Contributor

Is there any reason to instantiate includeCrds, or should we just set client.SkipCRDs to false?

(There's a similar question about validate.)

Comment thread pkg/helm/actions/template.go Outdated
Comment on lines +28 to +29
client.DryRun = true
client.DryRunStrategy = action.DryRunNone
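Review bot: `action.DryRunNone` switches dry-run off, so with this value the template path would perform a real install rather than a render; the v4 equivalent of the old `DryRun = true` plus `ClientOnly = true` is `action.DryRunClient`, and once `DryRunStrategy` is set the legacy `client.DryRun = true` assignment on the previous line can be dropped rather than kept alongside it.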

Contributor

CodeRabbit already mentioned this, but the new DryRunStrategy = action.DryRunNone doesn't look equivalent to the old DryRun = true.

Contributor Author

It's a replacement for Helm v3's DryRun=true and ClientOnly=true.

Comment thread pkg/helm/actions/template.go Outdated
Comment on lines +80 to +82
result, err := client.Run(ch, vals)
if err != nil {
return emptyResponse, err
return "", err

Contributor

Some lines in this function (e.g., new line 77) return emptyResponse, while others (e.g., new line 61) return an empty string literal...it would be good if the code were consistent.

Comment thread pkg/helm/actions/uninstall_release.go Outdated
Comment on lines +10 to +11
releasecommon "helm.sh/helm/v4/pkg/release"
release "helm.sh/helm/v4/pkg/release/v1"

Contributor

This is OK, but I think the code would have better longevity if you labeled helm.sh/helm/v4/pkg/release/v1 as release_v1 (or releaseV1) so that helm.sh/helm/v4/pkg/release could remain plain release.

Contributor Author

I checked the changes, most of the release is now in release/v1 except one function which went to release in v4.
https://pkg.go.dev/helm.sh/helm/v3@v3.20.1/pkg/release
https://pkg.go.dev/helm.sh/helm/v4@v4.1.4/pkg/release/v1

Changing release to release_v1 will add a lot more code changes just changing the names.

Contributor

Changing release to release_v1 will add a lot more code changes just changing the names.

So, that means, at best, we're relying on compatibility code for our release support, and at worst we have a bunch of accrued technical debt.

I suppose, in terms of getting to Helm v4 quickly, and doing it via small, incremental change, keeping release referring to release/v1 is expedient, but it smells like we're papering over something which might become a problem. At least if we were to use the release_v1 label, we would be making it clear where we are "behind".

When you say it will add a lot more code changes, how much of that is to code that you are already changing?

Also, among other things that Cursor has to say about this topic, it says,

For direct field access on chart-v2 releases, the migration is mostly import rewrites plus handling Releaser returns from action APIs. For library code that should survive future chart API versions, prefer release.NewAccessor() over hard-coding *releasev1.Release.

If you follow that advice, then I think you'll be removing references to release/v1, and then you'll prefer to have release refer to v4/pkg/release.

Also, apparently there is a v4/pkg/release/common... on that basis, I would recommend against using the releasecommon label to refer to any other package (like v4/pkg/release).

Contributor Author

Changed release/v1 to be imported as releaseV1.
Should I change releasecommon also?

Comment thread pkg/helm/actions/uninstall_release.go Outdated
}

ch := resp.Release.Chart
ch := resp.Release.(*release.Release).Chart
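Review bot: `resp.Release.(*release.Release)` is the single-value form of the assertion, which panics at runtime if Helm v4 hands back a `Releaser` of any other concrete type; use the two-value form and return an error instead, e.g. `rel, ok := resp.Release.(*release.Release); if !ok { return nil, fmt.Errorf("unexpected release type %T", resp.Release) }` and then take `rel.Chart`, matching the `rel, ok :=` guard the uninstall test in this PR already uses.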

Contributor

No guard is required or appropriate here (nor at new line 42)?

@webbnh

webbnh commented Jun 15, 2026

Contributor

/test all

@webbnh

webbnh commented Jun 15, 2026

Contributor

FWIW, the ci/prow/backend test failures look like problems with the v3 -> v4 migration. (I didn't look at the e2e-gcp tests.)

- Rename release import alias from `release` to `releaseV1` for clarity
  since the v4 SDK splits release types across release/v1 and release/common
- Add type assertions for Helm v4 Run() results which now return interface{}
- Replace removed Configuration.Log and chartutil.DefaultCapabilities with
  v4 equivalents (structured logging, common.DefaultCapabilities)
- Fix template.go: use DryRunClient strategy, correct DependencyUpdate and
  SkipSchemaValidation flags
- Update all tests to use rcommon.StatusDeployed and releaseV1 types
@sowmya-sl sowmya-sl marked this pull request as ready for review June 16, 2026 13:42
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 16, 2026
@openshift-ci openshift-ci Bot requested review from jhadvig and webbnh June 16, 2026 13:43

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)
pkg/helm/actions/upgrade_release.go (1)

58-106: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

TLS temp files are not guaranteed to be cleaned on error paths.

Both sync and async upgrade flows can return before cleanup is scheduled/executed, leaving auth temp files on disk.

Proposed fix
@@
-   var tlsFiles []*os.File
+   var tlsFiles []*os.File
+   defer func() {
+       if !fileCleanUp {
+           return
+       }
+       for _, f := range tlsFiles {
+           _ = os.Remove(f.Name())
+       }
+   }()
@@
-   // remove all the tls related files created by this process
-   defer func() {
-       if fileCleanUp == false {
-           return
-       }
-       for _, f := range tlsFiles {
-           os.Remove(f.Name())
-       }
-   }()
    return rel, nil
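Review bot: the relocated defer closes over `fileCleanUp`, so that variable must be declared before the defer is registered (not just before the old cleanup block it replaces), or the file will not compile; assigning it later is fine, since the closure reads the final value when it runs. Separately, `_ = os.Remove(f.Name())` discards the removal error, which sits oddly next to the "Never ignore error returns" guideline cited elsewhere in this review; suggest `if err := os.Remove(f.Name()); err != nil && !errors.Is(err, os.ErrNotExist) { klog.Errorf("removing TLS temp file %s: %v", f.Name(), err) }`.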

For UpgradeReleaseAsync, keep goroutine cleanup, but also add an outer fallback cleanup for pre-goroutine failures (e.g., with a started flag) so early returns are covered.

Also applies to: 129-136, 175-223, 244-251

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/upgrade_release.go` around lines 58 - 106, TLS temporary
files created by setUpAuthentication and setUpAuthenticationProject calls are
not guaranteed to be cleaned up when errors occur on early return paths, leaving
auth temp files on disk. In the UpgradeReleaseAsync function, implement a
fallback cleanup mechanism for the tlsFiles variable that covers pre-goroutine
failures by adding a started flag and ensuring cleanup is executed even when
early returns happen before the cleanup goroutine is launched. This fix should
be applied at the anchor location in upgrade_release.go (58-106 where tlsFiles
are initially created and returned on error paths) and ensure the cleanup logic
at the sibling locations (129-136, 175-223, 244-251) is also properly protected
by the fallback mechanism so that all code paths that could return early have
cleanup covered.
pkg/helm/actions/rollback_release_test.go (1)

65-70: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Rollback tests have unsafe/missing error assertions.

Line 66 can dereference tt.err when it is nil (success case), and Lines 104-107 don't fail when an expected error is missing.

Proposed fix
@@
-           r, err := RollbackRelease(tt.release.Name, tt.rollbackTo, actionConfig)
-           if err != nil && err.Error() != tt.err.Error() {
-               t.Error(err)
-           }
-           if err != nil && err.Error() == tt.err.Error() {
-               return
-           }
+           r, err := RollbackRelease(tt.release.Name, tt.rollbackTo, actionConfig)
+           if tt.err != nil {
+               require.ErrorIs(t, err, tt.err)
+               return
+           }
+           require.NoError(t, err)
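Review bot: replacing `err.Error() != tt.err.Error()` with `require.ErrorIs(t, err, tt.err)` changes the check from message equality to `errors.Is` identity; unless each `tt.err` in the table is the very sentinel (or a wrapped form of it) that `RollbackRelease` returns, cases that passed on equal messages will now fail. If the table holds freshly constructed errors, `require.EqualError(t, err, tt.err.Error())` keeps the intended comparison while still failing fast; the same applies to the second hunk below.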
@@
-           _, err := RollbackRelease(tt.releaseName, tt.rollbackTo, actionConfig)
-           if err != nil && err.Error() != tt.err.Error() {
-               t.Error(err)
-           }
+           _, err := RollbackRelease(tt.releaseName, tt.rollbackTo, actionConfig)
+           require.ErrorIs(t, err, tt.err)
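Review bot: this hunk introduces `require` without touching the import block, which is outside the shown lines; confirm `github.com/stretchr/testify/require` is already imported in rollback_release_test.go, otherwise the suggestion does not compile as posted.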

Also applies to: 104-107

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/rollback_release_test.go` around lines 65 - 70, The test has
unsafe error assertions that can cause nil pointer dereferences and fail to
catch missing expected errors. In pkg/helm/actions/rollback_release_test.go at
lines 65-70, before comparing error messages with `err.Error() !=
tt.err.Error()`, first verify that both `err` and `tt.err` are non-nil to avoid
dereferencing a nil pointer in success cases. Additionally, at lines 104-107 in
the same file, add proper test failure logic to ensure the test fails when an
expected error (tt.err) is not nil but the actual error is nil, indicating the
expected error did not occur as anticipated.
pkg/helm/actions/upgrade_release_test.go (1)

9-10: ⚠️ Potential issue | 🔴 Critical

Duplicate time import causes compile failure.

Lines 9 and 25 both import "time": line 9 unaliased, line 25 as helmTime. Go forbids duplicate import paths in a single import block, even with different aliases. Remove the aliased import on line 25 and replace all 6 occurrences of helmTime.Time{} with time.Time{} (at lines 121, 224, 352, 466, 584, 670).

Proposed fix
 import (
 	"fmt"
 	"io"
 	"os"
 	"strings"
 	"testing"
 	"time"
-
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/require"
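Review bot: as shown, this hunk only deletes the blank line between the standard-library and third-party import groups; it does not show the removal of the aliased `helmTime "time"` import on line 25 that the comment identifies as the compile failure, so applying it verbatim leaves the duplicate in place. Keep the blank-line grouping (it is what gofmt/goimports produce) and show the deletion of the `helmTime` line instead.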

Then replace all helmTime.Time{} with time.Time{} at lines 121, 224, 352, 466, 584, 670.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/upgrade_release_test.go` around lines 9 - 10, Remove the
duplicate `time` import by deleting the aliased import statement that imports
`"time"` as `helmTime` from the import block. Then locate all 6 occurrences
where `helmTime.Time{}` is used throughout the file and replace each one with
`time.Time{}` to use the unaliased `time` package import that remains at the top
of the file.
pkg/helm/actions/install_chart_test.go (1)

106-116: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Success-path assertions are currently unreachable in TestInstallChart.

Line 106 checks tt.releaseName == "valid chart path", but the table values are "myrelease" and "invalid chart path" (Lines 47 and 70). So the success assertions (including the Helm v4 status assertion on Line 110) never run.

Suggested fix
-			if tt.releaseName == "valid chart path" {
+			if tt.releaseName == "myrelease" {
 				require.NoError(t, err)
 				require.Equal(t, "test", rel.Name)
 				require.Equal(t, "test-namespace", rel.Namespace)
 				require.Equal(t, rcommon.StatusDeployed, rel.Info.Status)
 				require.Equal(t, tt.chartName, rel.Chart.Metadata.Name)
 				require.Equal(t, tt.chartVersion, rel.Chart.Metadata.Version)
 				require.Equal(t, tt.chartPath, rel.Chart.Metadata.Annotations["chart_url"])
 			} else if tt.releaseName == "invalid chart path" {
 				require.Error(t, err)
 			}
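Review bot: with the condition changed to `tt.releaseName == "myrelease"`, the next assertion still expects `rel.Name` to equal `"test"`; if `tt.releaseName` is what InstallChart uses as the release name, one of those two values is wrong and the success block will fail as soon as it becomes reachable. Suggest `require.Equal(t, tt.releaseName, rel.Name)`, and longer term a dedicated test-case name field so `releaseName` is not doubling as the case selector ("invalid chart path" is not a release name either).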
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/install_chart_test.go` around lines 106 - 116, The condition
in the TestInstallChart test function is checking for a releaseName value of
"valid chart path" that does not exist in the test table data. Update the
condition at line 106 to check for the actual releaseName value from the first
test case in the table (which represents the success case) instead of "valid
chart path". This will make the success-path assertions in the subsequent block
reachable so they execute properly during the test.
pkg/helm/actions/install_chart.go (1)

159-167: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

TLS auth temp-file cleanup is deferred too late in both install and template flows.
Both functions register cleanup near the end, but return on earlier errors; this can leave cert/key temp files on disk after failure paths.

  • pkg/helm/actions/install_chart.go#L159-L167: move the TLS cleanup defer to immediately after tlsFiles initialization (or right after auth setup) so it runs for all return paths, including the new type-assertion failure.
  • pkg/helm/actions/template.go#L39-L84: apply the same pattern so early errors (auth setup, chart locate/load, run/type assertion) still trigger file cleanup.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/install_chart.go` around lines 159 - 167, The TLS cleanup
defer statement is registered too late in the error handling flow, causing
temporary certificate and key files to leak when early errors occur. In
pkg/helm/actions/install_chart.go (lines 159-167), move the defer cleanup
statement that handles tlsFiles to immediately after the tlsFiles variable is
initialized or after the authentication setup completes, ensuring it runs for
all return paths including the type-assertion failure for the Release object.
Apply the identical pattern in pkg/helm/actions/template.go (lines 39-84) by
moving its TLS cleanup defer to the earliest point after tlsFiles setup so that
early errors during auth configuration, chart location, chart loading, command
execution, and type assertion all trigger the proper file cleanup before
returning.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/helm/actions/install_chart.go`:
- Around line 250-253: The async helm install error handling block ignores error
returns from both createSecret and Delete operations, which can hide failures
and leave stale secrets. Capture and handle the error returned from the
createSecret call when creating the tracking secret with value 1, and also
capture and handle the error returned from the Delete operation on
coreClient.Secrets. For both cases, log any errors that occur rather than
silently dropping them, ensuring proper error reporting for the async
installation failure flow.

In `@pkg/helm/actions/uninstall_release_test.go`:
- Around line 50-55: The test is missing explicit assertions on the error
outcomes. In the success case around the UninstallRelease call (lines 50-55),
add an explicit check that err is nil to confirm the operation succeeded without
errors. In the error case around lines 83-90, add an explicit check that err is
not nil to confirm the expected error was actually returned. Both test paths
must fail immediately when their expected error condition is not met, rather
than silently passing when the err value is not validated.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 42ac90f1-9941-4dce-abb3-8365c1117ef5

📥 Commits

Reviewing files that changed from the base of the PR and between 720a261 and 2651c14.

📒 Files selected for processing (22)
  • pkg/helm/actions/get_chart_test.go
  • pkg/helm/actions/get_registry_test.go
  • pkg/helm/actions/get_release.go
  • pkg/helm/actions/get_release_test.go
  • pkg/helm/actions/install_chart.go
  • pkg/helm/actions/install_chart_test.go
  • pkg/helm/actions/list_releases.go
  • pkg/helm/actions/list_releases_test.go
  • pkg/helm/actions/release_history.go
  • pkg/helm/actions/release_history_test.go
  • pkg/helm/actions/rollback_release.go
  • pkg/helm/actions/rollback_release_test.go
  • pkg/helm/actions/setup_test.go
  • pkg/helm/actions/template.go
  • pkg/helm/actions/template_test.go
  • pkg/helm/actions/uninstall_release.go
  • pkg/helm/actions/uninstall_release_test.go
  • pkg/helm/actions/upgrade_release.go
  • pkg/helm/actions/upgrade_release_test.go
  • pkg/helm/chartverifier/chart_verifier_test.go
  • pkg/helm/handlers/handler_test.go
  • pkg/helm/handlers/handlers.go
🚧 Files skipped from review as they are similar to previous changes (6)
  • pkg/helm/chartverifier/chart_verifier_test.go
  • pkg/helm/actions/uninstall_release.go
  • pkg/helm/handlers/handlers.go
  • pkg/helm/actions/setup_test.go
  • pkg/helm/actions/list_releases.go
  • pkg/helm/actions/release_history_test.go
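As an added example (not code from this PR or from the Helm SDK), the two recurring review points above in one stdlib-only model of the install flow: the Helm v4 `Releaser` result guarded with a two-value type assertion instead of a panicking single-value one, and the TLS temp-file cleanup deferred before the first early return rather than after the last error check. `Releaser`, `Release`, `Runner` and `InstallWithTLS` are hypothetical stand-ins for the Helm v4 types and the console's action code.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Releaser is a hypothetical stand-in for Helm v4's release.Releaser: action
// Run() methods return this interface rather than a concrete *release.Release.
type Releaser interface {
	ReleaseName() string
}

// Release models the concrete release/v1 type the console expects back.
type Release struct {
	Name   string
	Status string
}

func (r *Release) ReleaseName() string { return r.Name }

// futureRelease models a Releaser of some other concrete type: the case an
// unguarded result.(*Release) assertion would turn into a runtime panic.
type futureRelease struct{}

func (futureRelease) ReleaseName() string { return "future" }

// Runner abstracts the Helm action client so the flow runs without the SDK.
type Runner func(certPath, keyPath string) (Releaser, error)

// InstallWithTLS writes TLS material to temp files, runs the action and
// guards the Releaser result. The cleanup defer is registered as soon as
// tlsFiles exists, so auth-setup errors, Run() errors and a failed type
// assertion all remove the files; a defer placed after the last error check
// (the pattern flagged in review) would miss those early returns.
func InstallWithTLS(cert, key []byte, run Runner) (rel *Release, err error) {
	var tlsFiles []string
	defer func() {
		for _, p := range tlsFiles {
			rmErr := os.Remove(p)
			if rmErr != nil && !errors.Is(rmErr, os.ErrNotExist) {
				// Do not drop the error silently; join it with the result.
				err = errors.Join(err, fmt.Errorf("removing %s: %w", p, rmErr))
			}
		}
	}()

	writeTemp := func(prefix string, data []byte) (string, error) {
		f, createErr := os.CreateTemp("", prefix)
		if createErr != nil {
			return "", createErr
		}
		tlsFiles = append(tlsFiles, f.Name()) // record the path before anything else can fail
		if _, writeErr := f.Write(data); writeErr != nil {
			_ = f.Close()
			return "", writeErr
		}
		return f.Name(), f.Close()
	}

	certPath, err := writeTemp("helm-cert-", cert)
	if err != nil {
		return nil, fmt.Errorf("writing TLS cert: %w", err)
	}
	keyPath, err := writeTemp("helm-key-", key)
	if err != nil {
		return nil, fmt.Errorf("writing TLS key: %w", err)
	}

	result, err := run(certPath, keyPath)
	if err != nil {
		return nil, err
	}
	// Two-value assertion: another concrete Releaser type becomes a clear
	// error instead of a panic in the handler.
	r, ok := result.(*Release)
	if !ok {
		return nil, fmt.Errorf("unexpected release type %T from Run()", result)
	}
	return r, nil
}

func main() {
	// Constructed inputs; not real key material.
	cert, key := []byte("constructed cert"), []byte("constructed key")
	var seen []string
	run := func(c, k string) (Releaser, error) {
		seen = append(seen, c, k)
		return futureRelease{}, nil
	}
	_, err := InstallWithTLS(cert, key, run)
	fmt.Println("error:", err)
	for _, p := range seen {
		_, statErr := os.Stat(p)
		fmt.Printf("%s removed: %v\n", p, errors.Is(statErr, os.ErrNotExist))
	}
}
```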

Comment thread pkg/helm/actions/install_chart.go Outdated
Comment on lines 250 to 253
klog.Errorf("Async helm install failed for %s/%s: %v", ns, name, err)
createSecret(ns, name, 1, coreClient, err)
time.Sleep(15 * time.Second)
coreClient.Secrets(ns).Delete(context.TODO(), name, v1.DeleteOptions{})

Contributor

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Handle async secret lifecycle errors instead of dropping them.

Line 251 ignores createSecret(...) errors and Line 253 ignores Delete(...) errors. That can hide failure-state reporting and leave stale tracking secrets behind.

As per coding guidelines, **/*.go: Go security (prodsec-skills): Never ignore error returns.

Suggested fix
 import (
 	"context"
 	"fmt"
 	"net/url"
 	"os"
 	"regexp"
 	"strings"
 	"time"

 	"github.com/openshift/api/helm/v1beta1"
 	"github.com/openshift/console/pkg/helm/metrics"
 	"helm.sh/helm/v4/pkg/action"
 	chart "helm.sh/helm/v4/pkg/chart/v2"
 	"helm.sh/helm/v4/pkg/chart/v2/loader"
 	"helm.sh/helm/v4/pkg/kube"
 	releaseV1 "helm.sh/helm/v4/pkg/release/v1"
 	kv1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/klog/v2"
 )
@@
 		} else {
 			klog.Errorf("Async helm install failed for %s/%s: %v", ns, name, err)
-			createSecret(ns, name, 1, coreClient, err)
+			if secretErr := createSecret(ns, name, 1, coreClient, err); secretErr != nil {
+				klog.Errorf("Failed to create error-tracking secret for %s/%s: %v", ns, name, secretErr)
+			}
 			time.Sleep(15 * time.Second)
-			coreClient.Secrets(ns).Delete(context.TODO(), name, v1.DeleteOptions{})
+			if delErr := coreClient.Secrets(ns).Delete(context.TODO(), name, v1.DeleteOptions{}); delErr != nil && !apierrors.IsNotFound(delErr) {
+				klog.Errorf("Failed to delete error-tracking secret for %s/%s: %v", ns, name, delErr)
+			}
 		}
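Review bot: tolerating `IsNotFound` on the Delete is the right call, since the tracking secret may never have been created when `createSecret` failed two lines earlier. Two smaller points: `context.TODO()` gives the Delete no deadline inside a goroutine that has already slept 15 s, so a `context.WithTimeout` would bound a hung API call; and because the `secretErr` log line becomes the only record that the failure state was lost, consider emitting it at error level with the original install error attached as well, so the two failures can be correlated.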
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/install_chart.go` around lines 250 - 253, The async helm
install error handling block ignores error returns from both createSecret and
Delete operations, which can hide failures and leave stale secrets. Capture and
handle the error returned from the createSecret call when creating the tracking
secret with value 1, and also capture and handle the error returned from the
Delete operation on coreClient.Secrets. For both cases, log any errors that
occur rather than silently dropping them, ensuring proper error reporting for
the async installation failure flow.

Source: Coding guidelines

Comment on lines 50 to 55
resp, err := UninstallRelease(tt.release.Name, actionConfig)
if resp != nil && resp.Release.Info.Status != release.StatusUninstalled {
t.Error(errors.New("Release status is not uninstalled"))
if resp != nil {
if rel, ok := resp.Release.(*releaseV1.Release); ok && rel.Info.Status != rcommon.StatusUninstalled {
t.Error(errors.New("Release status is not uninstalled"))
}
}
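Review bot: in `if rel, ok := resp.Release.(*releaseV1.Release); ok && rel.Info.Status != rcommon.StatusUninstalled` the assertion result ok is folded into the status condition, so a Release of any other concrete type skips the status check entirely and the test passes without verifying anything; check ok on its own and fail (t.Fatalf) when it is false, then compare the status. The err returned by UninstallRelease on the first line is assigned and never read, which is also what the linter flags.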


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Assert expected uninstall error outcomes explicitly.

Line 50 assigns err but the success case never asserts err == nil, and Line 83’s invalid-case logic doesn’t fail when the expected error is absent. Both tests can pass on broken behavior.

Proposed fix
@@
-           resp, err := UninstallRelease(tt.release.Name, actionConfig)
-           if resp != nil {
-               if rel, ok := resp.Release.(*releaseV1.Release); ok && rel.Info.Status != rcommon.StatusUninstalled {
-                   t.Error(errors.New("Release status is not uninstalled"))
-               }
-           }
+           resp, err := UninstallRelease(tt.release.Name, actionConfig)
+           require.NoError(t, err)
+           require.NotNil(t, resp)
+           rel, ok := resp.Release.(*releaseV1.Release)
+           require.True(t, ok)
+           require.Equal(t, rcommon.StatusUninstalled, rel.Info.Status)
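Review bot: the hunk switches to the testify require package (require.NoError, require.NotNil, require.True, require.Equal) but shows no matching change to the file's import block; the suggestion compiles only if `"github.com/stretchr/testify/require"` is imported, otherwise keep the assertions on testing.T with t.Fatalf so the fix stays self-contained.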
@@
-           resp, err := UninstallRelease(tt.release.Name, actionConfig)
-           if err != nil && err.Error() != tt.err.Error() {
-               t.Error(err)
-           }
-           if resp != nil {
-               if rel, ok := resp.Release.(*releaseV1.Release); ok && rel.Info.Status != rcommon.StatusUninstalled {
-                   t.Error(errors.New("Release status is not uninstalled"))
-               }
-           }
+           resp, err := UninstallRelease(tt.release.Name, actionConfig)
+           require.ErrorIs(t, err, tt.err)
+           require.Nil(t, resp)
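Review bot: require.ErrorIs(t, err, tt.err) only passes when the returned error is tt.err itself or wraps it with %w, while the replaced code compared err.Error() strings, which suggests UninstallRelease may return a freshly constructed error carrying the same text; if that is the case the new assertion fails for the wrong reason, and require.EqualError(t, err, tt.err.Error()) is the faithful replacement. Either way the assertion is an improvement, since the old `err != nil && ...` form let a nil error pass.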

Also applies to: 83-90

🧰 Tools
🪛 golangci-lint (2.12.2)

[error] 50-50: ineffectual assignment to err

(ineffassign)


…trategy

Helm v4 changed two critical defaults from v3:
- NewInstall now defaults ServerSideApply=true (v3 used client-side apply)
- WaitStrategy is now a required field (v3 had Wait bool defaulting to false)

Disable ServerSideApply and set WaitStrategy to LegacyStrategy on all
install and upgrade paths to preserve v3 behavior and prevent silent
failures in async goroutines.

Co-authored-by: Cursor <cursoragent@cursor.com>
@sowmya-sl sowmya-sl force-pushed the upgrade-helm-in-console branch from 2651c14 to c88249f on June 16, 2026 14:43
@openshift-ci

openshift-ci Bot commented Jun 16, 2026


@sowmya-sl: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/backend 2651c14 link true /test backend


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

component/backend Related to backend
