.clomonitor.yml

@@ -0,0 +1,27 @@
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+exemptions:
+  - check: dependency_update_tool
+    reason: "Helm deps are not currently scanned. Maintainers are watching developments to dependabot-core #2237" # Justification of this exemption (mandatory, it will be displayed on the UI)
+  - check: sbom
+    reason: "Tracking Helm dependencies is not yet a stable practice."
+  - check: self_assessment
+    reason: "Refer to self assessments supplied by the codebases Argo Helm supports."
+  - check: signed_releases
+    reason: "Argo Helm releases are made via Artifact Hub, where they are signed. The unsigned GitHub releases are for reference only."
+  - check: license_scanning
+    reason: "Temporary exemption: pending response from CNCF Service Desk"
+
+# TODO:
+# License scanning information
+# licenseScanning:
+  # URL with the repository's license scanning results
+  #
+  # CLOMonitor can extract license scanning results from FOSSA and Snyk badges
+  # in the repository README.md file automatically. If your repository uses a
+  # different scanning solution, this url can be set to pass the corresponding
+  # check.
+  # url: https://license-scanning-results.url
+

.editorconfig

@@ -0,0 +1,4 @@
+[*.{md,md.gotmpl}]
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = false

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+* @mkilchhofer @jmeridth @yu-croco
+
+/charts/argo-workflows/        @vladlosev @jmeridth @yu-croco @tico24
+/charts/argo-cd/               @mbevc1 @mkilchhofer @yu-croco @jmeridth @pdrastil @tico24
+/charts/argo-events/           @pdrastil @jmeridth @tico24
+/charts/argo-rollouts/         @jmeridth

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -0,0 +1,69 @@
+---
+name: Bug report
+description: Create a report to help us improve
+labels:
+- bug
+body:
+- type: textarea
+  attributes:
+    label: Describe the bug
+    description: A clear and concise description of what the bug is.
+  validations:
+    required: true
+
+- type: dropdown
+  attributes:
+    label: Related helm chart
+    description: You may select more than one.
+    multiple: true
+    options:
+      - argo-cd
+      - argo-events
+      - argo-rollouts
+      - argo-workflows
+      - argocd-image-updater
+      - argocd-apps
+      - other
+  validations:
+    required: true
+
+- type: input
+  attributes:
+    label: Helm chart version
+    description: Version of the Helm chart this issue relates to
+    placeholder: e.g. 0.16.2
+  validations:
+    required: true
+
+- type: textarea
+  attributes:
+    label: To Reproduce
+    description: Steps to reproduce the behavior
+    placeholder: |
+      1. Go to '...'
+      2. Click on '....'
+      3. Scroll down to '....'
+      4. See error
+  validations:
+    required: true
+
+- type: textarea
+  attributes:
+    label: Expected behavior
+    description: A clear and concise description of what you expected to happen.
+  validations:
+    required: true
+
+- type: textarea
+  attributes:
+    label: Screenshots
+    description: If applicable, add screenshots to help explain your problem.
+  validations:
+    required: false
+
+- type: textarea
+  attributes:
+    label: Additional context
+    description: Add any other context about the problem here.
+  validations:
+    required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,9 @@
+blank_issues_enabled: false
+
+contact_links:
+  - name: Ask a question
+    url: https://github.com/argoproj/argo-helm/discussions/new
+    about: Ask a question or start a discussion about our community Helm Charts
+  - name: Chat on Slack
+    url: https://argoproj.github.io/community/join-slack
+    about: Maybe chatting with the community can help

.github/ISSUE_TEMPLATE/feature_request.yaml

@@ -0,0 +1,51 @@
+---
+name: Feature request
+description: Suggest an idea for this project
+labels:
+- enhancement
+body:
+- type: textarea
+  attributes:
+    label: Is your feature request related to a problem?
+    description: A clear and concise description of what the problem is. Please describe.
+    placeholder: |
+      Ex. I'm always frustrated when [...]
+  validations:
+    required: false
+
+- type: dropdown
+  attributes:
+    label: Related helm chart
+    description: You may select more than one.
+    multiple: true
+    options:
+      - argo-cd
+      - argo-events
+      - argo-rollouts
+      - argo-workflows
+      - argocd-image-updater
+      - argocd-apps
+      - other
+  validations:
+    required: true
+
+- type: textarea
+  attributes:
+    label: Describe the solution you'd like
+    description: A clear and concise description of what you want to happen.
+  validations:
+    required: true
+
+- type: textarea
+  attributes:
+    label: Describe alternatives you've considered
+    description: A clear and concise description of any alternative solutions or features you've considered.
+  validations:
+    required: false
+
+- type: textarea
+  attributes:
+    label: Additional context
+    description: Add any other context or screenshots about the feature request here.
+  validations:
+    required: false

.github/configs/cr.yaml

@@ -0,0 +1,12 @@
+## Reference: https://github.com/helm/chart-releaser
+index-path: "./index.yaml"
+
+# PGP signing
+sign: true
+key: Argo Helm maintainers
+# keyring:          # Set via env variable CR_KEYRING
+# passphrase-file:  # Set via env variable CR_PASSPHRASE_FILE
+
+# Enable automatic generation of release notes using GitHubs release notes generator.
+# see: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+generate-release-notes: true

.github/configs/ct-install.yaml

@@ -0,0 +1,15 @@
+## Reference: https://github.com/helm/chart-testing/blob/master/doc/ct_lint-and-install.md
+# Don't add the 'debug' attribute, otherwise the workflow won't work anymore
+# Only Used for the CT Install Stage
+remote: origin
+target-branch: main
+chart-dirs:
+  - charts
+chart-repos:
+  - dandydeveloper=https://dandydeveloper.github.io/charts/
+helm-extra-args: "--timeout 600s"  
+validate-chart-schema: false
+validate-maintainers: true
+validate-yaml: true
+exclude-deprecated: true
+excluded-charts: []

.github/configs/ct-lint.yaml

@@ -0,0 +1,14 @@
+## Reference: https://github.com/helm/chart-testing/blob/master/doc/ct_lint-and-install.md
+# Don't add the 'debug' attribute, otherwise the workflow won't work anymore
+# Only Used for the CT Lint Stage
+remote: origin
+target-branch: main
+chart-dirs:
+  - charts
+chart-repos:
+  - dandydeveloper=https://dandydeveloper.github.io/charts/
+validate-chart-schema: false
+validate-maintainers: true
+validate-yaml: true
+exclude-deprecated: true
+excluded-charts: []

.github/configs/kind-config.yaml

@@ -0,0 +1,7 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+  - role: worker
+  - role: worker
+  - role: worker

.github/configs/labeler.yaml

@@ -0,0 +1,17 @@
+argo-cd:
+  - charts/argo-cd/**/*
+
+argo-events:
+  - charts/argo-events/**/*
+
+argo-rollouts:
+  - charts/argo-rollouts/**/*
+
+argo-workflows:
+  - charts/argo-workflows/**/*
+
+argocd-image-updater:
+  - charts/argocd-image-updater/**/*
+
+argocd-apps:
+  - charts/argocd-apps/**/*

.github/configs/lintconf.yaml

@@ -0,0 +1,42 @@
+---
+rules:
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments:
+    require-starting-space: true
+    min-spaces-from-content: 1
+  document-end: disable
+  document-start: disable # No --- to start a file
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    max-spaces-after: 1
+  indentation:
+    spaces: consistent
+    indent-sequences: whatever # - list indentation will handle both indentation and without
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable # Lines can be any length
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    level: warning

.github/dependabot.yml

@@ -0,0 +1,8 @@
+## Reference: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: "saturday"

.github/no-response.yml

@@ -0,0 +1 @@
+# See https://github.com/probot/no-response

.github/pull_request_template.md

@@ -0,0 +1,16 @@
+<!--
+Note on DCO:
+
+If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the *Details* link next to the DCO action for instructions on how to resolve this.
+-->
+
+Checklist:
+
+* [ ] I have bumped the chart version according to [versioning](https://github.com/argoproj/argo-helm/blob/main/CONTRIBUTING.md#versioning)
+* [ ] I have updated the documentation according to [documentation](https://github.com/argoproj/argo-helm/blob/main/CONTRIBUTING.md#documentation)
+* [ ] I have updated the chart changelog with all the changes that come with this pull request according to [changelog](https://github.com/argoproj/argo-helm/blob/main/CONTRIBUTING.md#changelog).
+* [ ] Any new values are backwards compatible and/or have sensible default.
+* [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/blob/master/community/CONTRIBUTING.md).
+* [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/stable/developer-guide/ci/)).
+
+<!-- Changes are automatically published when merged to `main`. They are not published on branches. -->

.github/workflows/lint-and-test.yml

@@ -0,0 +1,102 @@
+## Reference: https://github.com/helm/chart-testing-action
+name: Linting and Testing
+on: pull_request
+
+permissions:
+  contents: read
+
+jobs:
+  linter-artifacthub:
+    runs-on: ubuntu-latest
+    container:
+      image: public.ecr.aws/artifacthub/ah:v1.14.0
+      options: --user 1001
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Run ah lint
+        working-directory: ./charts
+        run: ah lint
+
+  chart-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: v3.10.1 # Also update in publish.yaml
+
+      - name: Set up python
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: 3.9
+
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+        with:
+          # Note: Also update in scripts/lint.sh
+          version: v3.10.0
+
+      - name: List changed charts
+        id: list-changed
+        run: |
+          ## If executed with debug this won't work anymore.
+          changed=$(ct --config ./.github/configs/ct-lint.yaml list-changed)
+          charts=$(echo "$changed" | tr '\n' ' ' | xargs)
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed_charts=$charts" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint --debug --config ./.github/configs/ct-lint.yaml --lint-conf ./.github/configs/lintconf.yaml
+
+      - name: Run docs-testing (helm-docs)
+        id: helm-docs
+        run: |
+          ./scripts/helm-docs.sh
+          if [[ $(git diff --stat) != '' ]]; then
+            echo -e '\033[0;31mDocumentation outdated!\033[0m ❌'
+            git diff --color
+            exit 1
+          else
+            echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
+          fi
+
+      - name: Create kind cluster
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        if: steps.list-changed.outputs.changed == 'true'
+        with:
+          config: .github/configs/kind-config.yaml
+
+      - name: Deploy latest ArgoCD CRDs when testing ArgoCD extensions
+        if: |
+          contains(steps.list-changed.outputs.changed_charts, 'argocd-image-updater') ||
+          contains(steps.list-changed.outputs.changed_charts, 'argocd-apps')
+        run: |
+          helm repo add dandydeveloper https://dandydeveloper.github.io/charts/
+          helm dependency build charts/argo-cd/
+          helm template charts/argo-cd/ --set server.extensions.enabled=true -s templates/crds/* | kubectl apply -f -
+
+      - name: Skip HPA tests of ArgoCD
+        if: contains(steps.list-changed.outputs.changed_charts, 'argo-cd')
+        run: |
+          ## Metrics API not available in kind cluster
+          rm charts/argo-cd/ci/ha-autoscaling-values.yaml
+
+      - name: Create an external redis for ArgoCD externalRedis feature
+        if: contains(steps.list-changed.outputs.changed_charts, 'argo-cd')
+        run: |
+          kubectl create namespace redis
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm install redis bitnami/redis --wait --namespace redis --set auth.password=argocd --set architecture=standalone
+
+      - name: Run chart-testing (install)
+        run: ct install --config ./.github/configs/ct-install.yaml
+        if: steps.list-changed.outputs.changed == 'true'

.github/workflows/pr-sizing.yml

@@ -0,0 +1,30 @@
+## Reference: https://github.com/pascalgn/size-label-action
+name: 'PR Labeling'
+
+on: 
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
+        with:
+          configuration-path: ".github/configs/labeler.yaml"
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          sync-labels: true
+
+  size-label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: pascalgn/size-label-action@37a5ad4ae20ea8032abf169d953bcd661fd82cd3 # v0.5.0
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/pr-title.yml

@@ -0,0 +1,37 @@
+## Reference: https://github.com/amannn/action-semantic-pull-request
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+
+jobs:
+  main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Configure which scopes are allowed.
+          scopes: |
+            argo-cd
+            argo-events
+            argo-rollouts
+            argo-workflows
+            argocd-image-updater
+            argocd-apps
+            deps
+            github
+          # Configure that a scope must always be provided.
+          requireScope: true

.github/workflows/publish.yml

@@ -0,0 +1,82 @@
+## Reference: https://github.com/helm/chart-releaser-action
+name: Chart Publish
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/**"
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    permissions:
+      contents: write  # for helm/chart-releaser-action to push chart release and create a release
+      packages: write  # to push OCI chart package to GitHub Registry
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: v3.10.1 # Also update in lint-and-test.yaml
+
+      - name: Add dependency chart repos
+        run: |
+          helm repo add dandydeveloper https://dandydeveloper.github.io/charts/
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      ## This is required to consider the old Circle-CI Index and to stay compatible with all the old releases.
+      - name: Fetch current Chart Index
+        run: |
+          git checkout origin/gh-pages index.yaml
+
+      # The GitHub repository secret `PGP_PRIVATE_KEY` contains the private key
+      # in ASCII-armored format. To export a (new) key, run this command:
+      # `gpg --armor --export-secret-key <my key>`
+      - name: Prepare PGP key
+        run: |
+          IFS=""
+          echo "$PGP_PRIVATE_KEY" | gpg --dearmor > $HOME/secring.gpg
+          echo "$PGP_PASSPHRASE" > $HOME/passphrase.txt
+
+          # Tell chart-releaser-action where to find the key and its passphrase
+          echo "CR_KEYRING=$HOME/secring.gpg" >> "$GITHUB_ENV"
+          echo "CR_PASSPHRASE_FILE=$HOME/passphrase.txt" >> "$GITHUB_ENV"
+        env:
+          PGP_PRIVATE_KEY: "${{ secrets.PGP_PRIVATE_KEY }}"
+          PGP_PASSPHRASE: "${{ secrets.PGP_PASSPHRASE }}"
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        with:
+          config: "./.github/configs/cr.yaml"
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Login to GHCR
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push chart to GHCR
+        run: |
+          shopt -s nullglob
+          for pkg in .cr-release-packages/*.tgz; do
+            if [ -z "${pkg:-}" ]; then
+              break
+            fi
+            helm push "${pkg}" oci://ghcr.io/${{ github.repository }}
+          done

.github/workflows/scorecard.yml

@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '21 6 * * 6'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    if: github.repository_owner == 'argoproj'
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        with:
+          sarif_file: results.sarif

.github/workflows/stale.yml

@@ -0,0 +1,38 @@
+## Reference: https://github.com/actions/stale
+name: Mark stale issues and pull requests
+on:
+  schedule:
+  - cron: "30 1 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+  stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        # Number of days of inactivity before an issue becomes stale
+        days-before-stale: 60
+        # Number of days of inactivity before a stale issue is closed
+        days-before-close: 7
+        # Issues with these labels will never be considered stale
+        exempt-issue-labels: "on-hold,pinned,security"
+        exempt-pr-labels: "on-hold,pinned,security"
+        # Comment to post when marking an issue as stale.
+        stale-issue-message: >
+          This issue has been automatically marked as stale because it has not had
+          recent activity. It will be closed if no further activity occurs. Thank you
+          for your contributions.
+        stale-pr-message: >
+          This pull request has been automatically marked as stale because it has not had
+          recent activity. It will be closed if no further activity occurs. Thank you
+          for your contributions.
+        # Label to use when marking an issue as stale
+        stale-issue-label: 'no-issue-activity'
+        stale-pr-label: 'no-pr-activity'

.gitignore

@@ -0,0 +1,6 @@
+output
+.vscode
+.DS_Store
+.idea
+**/*.tgz
+**/charts/*/charts

CODE_OF_CONDUCT.md

@@ -0,0 +1,9 @@
+# Code of Conduct
+
+We adhere to the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).  Please reference the link for details.
+
+## TL;DR (too long didn't read)
+
+Be kind
+
+Your participation is at the discression of the maintainers of this project.

CONTRIBUTING.md

@@ -0,0 +1,190 @@
+# Contributing
+
+Argo Helm is a collection of **community maintained** charts. Therefore we rely on you to test your changes sufficiently.
+
+## Pull Requests
+
+All submissions, including submissions by project members, require review. We use GitHub pull requests for this purpose. Consult [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more information on using pull requests. See the above stated requirements for PR on this project.
+
+### Pull Request Title Linting
+
+We lint the title of your pull request to ensure it follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification.  This is done using GitHub actions and the [action-semantic-pull-request](.github/workflows/pr-title.yml) workflow. We require the scope of the change to be included in the title.  The scope should be the name of the chart you are changing.  For example, if you are changing the `argo-cd` chart, the title of your pull request should be `fix(argo-cd): Fix typo in values.yaml`.
+
+## Documentation
+
+The documentation for each chart is generated with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation.
+
+We have a script on the repository which will execute the helm-docs docker container, so that you don't have to worry about downloading the binary etc. Simply execute the script (Bash compatible, might require sudo privileges):
+
+```shell
+./scripts/helm-docs.sh
+```
+
+> **Note**
+> When creating your own `README.md.gotmpl`, don't forget to add it to your `.helmignore` file.
+
+### Updating a chart README.md
+
+When updating the `README.md.gotmpl` inside a chart directory you must to run the `helm-docs` script to generate the updated `README.md` file. To reiterate, you should not edit the `README.md` file manually.  It will be generated by the following command:
+
+```shell
+./scripts/helm-docs.sh
+```
+
+> **Note**
+> If you see changes to unrelated chart `README.md` files you may have accidentally updated a `README.md.gotmpl` file in another chart's folder unintentionally or someone else failed to run this script.  Please revert those changes if you do not intend them to be a part of your pull request.
+
+## Versioning
+
+Each chart's version follows the [semver standard](https://semver.org/).
+
+New charts should start at version `1.0.0`, if it's considered stable. If it isn't considered stable, it must be released as `prerelease`.
+
+Any breaking changes to a chart (backwards incompatible) require:
+
+* Bump of the current Major version of the chart
+* State possible manual changes for this chart version in the `Upgrading` section of the chart's `README.md.gotmpl`
+
+### New Application Versions
+
+Helm charts are intended to be created for all non-patched releases of Argo CD, Workflows, Rollouts, and Events. Associated dependencies, such as Redis, will use the version recommended by the associated release.
+
+When selecting new application versions ensure you make the following changes:
+
+* `values.yaml`: Bump all instances of the container image version
+* `Chart.yaml`: Ensure `appVersion` matches the above container image and bump `version`
+
+Please ensure chart version changes adhere to semantic versioning standards:
+
+* Major: Large chart rewrites, major non-backwards compatible or destructive changes
+* Minor: New chart functionality (sidecars), major application updates or minor non-backwards compatible changes
+* Patch: App version patch updates, backwards compatible optional chart features
+
+### Immutability
+
+Each release for each chart must be immutable. Any change to a chart (even just documentation) requires a version bump. Trying to release the same version twice will result in an error.
+
+### Chart Versioning
+
+Currently we require a chart version bump for every change to a chart, including updating information for older versions.  This may change in the future.
+
+### Artifact Hub Annotations
+
+Since we release our charts on Artifact Hub we encourage making use of the provided chart annotations for Artifact Hub.
+
+* [https://artifacthub.io/docs/topics/annotations/helm/](https://artifacthub.io/docs/topics/annotations/helm/)
+
+#### Changelog
+
+We want to deliver transparent chart releases for our chart consumers. Therefore we require a changelog per new chart release.
+
+Changes on a chart must be documented in a chart specific changelog in the `Chart.yaml` [Annotation Section](https://helm.sh/docs/topics/charts/#the-chartyaml-file).
+
+A new `artifacthub.io/changes` needs to be written covering only the changes since the previous release.
+
+Each change requires a new bullet point following the pattern. See more information [Artifact Hub annotations in Helm Chart.yaml file](https://artifacthub.io/docs/topics/annotations/helm/).
+
+```yaml
+- kind: {type}
+  description: {description}
+```
+
+You can use the following template:
+
+```yaml
+name: argo-cd
+version: 5.19.12
+...
+annotations:
+  artifacthub.io/changes: |
+    - kind: added
+      description: Something New was added
+    - kind: changed
+      description: Changed Something within this chart
+    - kind: changed
+      description: Changed Something else within this chart
+    - kind: deprecated
+      description: Something deprecated
+    - kind: removed
+      description: Something was removed
+    - kind: fixed
+      description: Something was fixed
+    - kind: security
+      description: Some Security Patch was included
+```
+
+## Testing
+
+### Testing Argo Workflows Changes
+
+Minimally:
+
+```shell
+helm install charts/argo-workflows -n argo
+argo version
+```
+
+Follow [these](https://argoproj.github.io/argo-workflows/quick-start/#submitting-an-example-workflow) instructions for running a hello world workflow.
+
+### Testing Argo CD Changes
+
+Clean-up:
+
+```shell
+helm delete argo-cd --purge
+kubectl delete crd -l app.kubernetes.io/part-of=argocd
+```
+
+Pre-requisites:
+
+```shell
+helm repo add redis-ha https://dandydeveloper.github.io/charts/
+helm dependency update
+```
+
+Minimally:
+
+```shell
+helm install argocd  argo/argo-cd  -n argocd --create-namespace
+kubectl port-forward service/argo-cd-argocd-server -n argocd 8080:443
+```
+
+In a new terminal:
+
+```shell
+argocd version --server localhost:8080 --insecure
+# reset password to 'Password1!'
+kubectl -n argocd patch secret argocd-secret \
+  -p '{"stringData": {
+      "admin.password": "$2a$10$hDj12Tw9xVmvybSahN1Y0.f9DZixxN8oybyA32Uy/eqWklFU4Mo8O",
+      "admin.passwordMtime": "'$(date +%FT%T%Z)'"
+  }}'
+argocd login localhost:8080 --username admin --password 'Password1!'
+
+# WARNING: server certificate had error: x509: certificate signed by unknown authority. Proceed insecurely (y/n)? y
+```
+
+Create and sync app:
+
+```shell
+argocd app create guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --path guestbook --project default --repo https://github.com/argoproj/argocd-example-apps.git
+argocd app sync guestbook
+```
+
+### Testing Charts
+
+As part of the Continuous Integration system we run Helm's [Chart Testing](https://github.com/helm/chart-testing) tool.
+
+The checks for Chart Testing are stricter than the standard Helm requirements. For example, fields normally considered optional like `maintainer` are required in the standard spec and must be valid GitHub usernames.
+
+Linting configuration can be found in [ct-lint.yaml](./.github/configs/ct-lint.yaml)
+
+The linting can be invoked manually with the following command:
+
+```shell
+./scripts/lint.sh
+```
+
+## Publishing Changes
+
+Changes are automatically publish whenever a commit is merged to the `main` branch by the CI job (see `./.github/workflows/publish.yml`).

EMERITUS.md

@@ -0,0 +1,14 @@
+# Emeritus Approvers
+
+These are the people who have been approvers in the past, and have since retired from the role.
+
+We thank them for their service to the project.
+
+| Emeritus | GitHub ID |
+| -------- | --------- |
+| Oliver Bähler | [oliverbaehler](https://github.com/oliverbaehler) |
+| Stefan Sedich | [stefansedich](https://github.com/stefansedich) |
+| Pablo Osinaga | [paguos](https://github.com/paguos) |
+| Yann Soubeyrand | [yann-soubeyrand](https://github.com/yann-soubeyrand) |
+| David J. M. Karlsen | [davidkarlsen](https://github.com/davidkarlsen) |
+| John Behling | [jbehling](https://github.com/jbehling) |

LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2017-2018 The Argo Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -6,6 +6,7 @@
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo)](https://artifacthub.io/packages/search?repo=argo)
 [![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/argo/badge)](https://clomonitor.io/projects/cncf/argo)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/7942/badge)](https://www.bestpractices.dev/projects/7942)
 
 Argo Helm is a collection of **community maintained** charts for [https://argoproj.github.io](https://argoproj.github.io) projects. The charts can be added using following command:
 
@@ -15,7 +16,7 @@ helm repo add argo https://argoproj.github.io/argo-helm
 
 ## Contributing
 
-We'd love to have you contribute! Please refer to our [contribution guidelines](https://github.com/argoproj/argo-helm/blob/main/CONTRIBUTING.md) for details.
+We'd love to have you contribute! Please refer to our [contribution guidelines](CONTRIBUTING.md) for details.
 
 ### Custom resource definitions
 
@@ -36,7 +37,7 @@ kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=v2.4.9"
 
 ### Security Policy
 
-Please refer to [SECURITY.md](https://github.com/argoproj/argo-helm/blob/main/SECURITY.md) for details on how to report security issues.
+Please refer to [SECURITY.md](SECURITY.md) for details on how to report security issues.
 
 ### Changelog
 

SECURITY-INSIGHTS.yml

@@ -0,0 +1,23 @@
+header:
+  schema-version: '1.0.0'
+  expiration-date: '2024-11-04T10:00:00.000Z'
+  project-url: https://github.com/argoproj/argo-helm
+project-lifecycle:
+  status: active
+  bug-fixes-only: false
+  core-maintainers:
+  - https://github.com/mkilchhofer
+  - https://github.com/jmeridth
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: true
+distribution-points:
+  - https://github.com/argoproj/argo-helm/blob/main/SECURITY.md
+vulnerability-reporting:
+  accepts-vulnerability-reports: true
+  email-contact: cncf-argo-maintainers@lists.cncf.io
+  security-policy: https://github.com/argoproj/argo-helm/blob/main/SECURITY.md
+  comment: Please refer to the security policy for reporting information prior to using the email contact.
+dependencies:
+  env-dependencies-policy:
+    policy-url: https://github.com/argoproj/argo-helm/blob/master/CONTRIBUTING.md#new-application-versions

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions and Upstream Reporting
+
+Each helm chart currently supports the designated application version in the Chart.yaml. There is a chance a security issue you've discovered may not be with the helm chart but with the upstream application. Please visit that application's Security policy document to find out how to report the security issue.
+
+* [Security Policy for Argo Workflows](https://github.com/argoproj/argo-workflows/blob/master/SECURITY.md)
+* [Security Policy for Argo Events](https://github.com/argoproj/argo-events/blob/master/SECURITY.md)
+* [Security Policy for Argo Rollouts](https://github.com/argoproj/argo-rollouts/blob/master/docs/security.md)
+* [Security Policy for Argo CD](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md)
+* [Security Policy for Argo CD Image Updater](https://github.com/argoproj-labs/argocd-image-updater/blob/master/SECURITY.md)
+
+## Reporting a Vulnerability for Argo Helm Charts
+
+We have enabled the ability to privately report security issues through the  Security tab above.
+
+[Here are the details on how to file](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) on how to do that
+
+A repository owner/maintainer will respond as fast as possible to coordinate confirmation of issue and remediation.
+
+Thank you for helping to ensure this code stays secure.

_config.yml

@@ -1 +0,0 @@
-theme: jekyll-theme-cayman