From 9dab26e5bcdf646cff3e9371809335a8e17b73f7 Mon Sep 17 00:00:00 2001 From: Austin Mitchell Date: Mon, 8 Dec 2025 14:42:35 -0800 Subject: [PATCH 1/5] fix(psa-checker): handle lack of rendered chart w/ failing job --- .github/workflows/psa-checker.yml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/.github/workflows/psa-checker.yml b/.github/workflows/psa-checker.yml index 0e01160..e654417 100644 --- a/.github/workflows/psa-checker.yml +++ b/.github/workflows/psa-checker.yml @@ -54,7 +54,7 @@ jobs: - name: download artifacts uses: actions/download-artifact@v6 with: - pattern: "k8s-manifests-*" + pattern: k8s-manifests-* merge-multiple: true path: "shared" - name: run psa-checker @@ -62,14 +62,19 @@ jobs: shell: bash # sets the flags --noprofile --norc -eo pipefail env: PSS_LEVEL: ${{ inputs.pss_level }} - CHART_DIR: ${{ matrix.chart }} + CHARTS: ${{ needs.get_changed_helm_charts.outputs.charts }} run: | - # Loop over templates from each environment dir and check PSS levels + # Loop over templates from each chart and check PSS levels docker pull $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA # Pull before run so the output is less messy - cd "shared/charts/$CHART_DIR/" - for ENV_DIR in */; do - find $ENV_DIR -type f -exec cat {} + \ - | docker run -i --rm $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA --level "$PSS_LEVEL" -f - \ - | grep -v "Non standard" \ - | grep -v "Kind not" + echo "DEBUG: CHARTS is $CHARTS" + for chart in $CHARTS; do + echo "Checking PSS level for ${chart}..." + if [ -d "shared/charts/${chart}" ]; then + find "shared/charts/${chart}" -type f -exec cat {} + \ + | docker run -i --rm $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA --level "$PSS_LEVEL" -f - \ + | grep -v "Non standard" \ + | grep -v "Kind not" + else + echo "Warning: Rendered output for ${chart} not found." + fi done From 356db4e8b66320d02bb917a6ff7ab2f9954aced8 Mon Sep 17 00:00:00 2001 
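Review bot: Dropping the quotes from `pattern` leaves the neighbouring `path: "shared"` quoted, so this one `with:` block now mixes two styles for two ordinary strings. Both spellings parse identically here (the `*` is not leading, so it is not read as an alias), so this is consistency only: either keep `pattern: "k8s-manifests-*"` to match `path`, or unquote both.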
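Review bot: The rewritten pipeline still ends in `grep -v "Kind not"`, which exits 1 whenever it selects no lines, and with the `-eo pipefail` flags noted on the `shell: bash` line that status becomes the step's, so a chart for which psa-checker prints nothing (or only the two filtered informational lines) fails the job although no violation was found — assuming the checker has no other always-present output, which the hunk does not show. Replacing the last stage with `| { grep -v "Kind not" || [ "$?" -eq 1 ]; }` tolerates empty output while leaving a real grep error (status 2) and the checker's own non-zero status fatal under pipefail. The same pipeline is carried unchanged into the hunks of patches 2, 3 and 4, so one change covers all of them. The step this `run:` belongs to begins in the previous hunk (`- name: run psa-checker`).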
From: Austin Mitchell Date: Mon, 8 Dec 2025 14:50:49 -0800 Subject: [PATCH 2/5] unloop --- .github/workflows/psa-checker.yml | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/.github/workflows/psa-checker.yml b/.github/workflows/psa-checker.yml index e654417..9807a04 100644 --- a/.github/workflows/psa-checker.yml +++ b/.github/workflows/psa-checker.yml @@ -66,15 +66,13 @@ jobs: run: | # Loop over templates from each chart and check PSS levels docker pull $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA # Pull before run so the output is less messy - echo "DEBUG: CHARTS is $CHARTS" - for chart in $CHARTS; do - echo "Checking PSS level for ${chart}..." - if [ -d "shared/charts/${chart}" ]; then - find "shared/charts/${chart}" -type f -exec cat {} + \ - | docker run -i --rm $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA --level "$PSS_LEVEL" -f - \ - | grep -v "Non standard" \ - | grep -v "Kind not" - else - echo "Warning: Rendered output for ${chart} not found." - fi - done + echo "DEBUG: CHART is $CHART" + echo "Checking PSS level for ${chart}..." + if [ -d "shared/charts/${chart}" ]; then + find "shared/charts/${chart}" -type f -exec cat {} + \ + | docker run -i --rm $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA --level "$PSS_LEVEL" -f - \ + | grep -v "Non standard" \ + | grep -v "Kind not" + else + echo "Warning: Rendered output for ${chart} not found." + fi From 1e6347b522b29bcee386a4da37b14cdda61f0f28 Mon Sep 17 00:00:00 2001 From: Austin Mitchell Date: Mon, 8 Dec 2025 14:55:12 -0800 Subject: [PATCH 3/5] fix var --- .github/workflows/psa-checker.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/psa-checker.yml b/.github/workflows/psa-checker.yml index 9807a04..9a8251b 100644 --- a/.github/workflows/psa-checker.yml +++ b/.github/workflows/psa-checker.yml 
@@ -62,17 +62,17 @@ jobs: shell: bash # sets the flags --noprofile --norc -eo pipefail env: PSS_LEVEL: ${{ inputs.pss_level }} - CHARTS: ${{ needs.get_changed_helm_charts.outputs.charts }} + CHART: ${{ matrix.chart }} run: | # Loop over templates from each chart and check PSS levels docker pull $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA # Pull before run so the output is less messy echo "DEBUG: CHART is $CHART" - echo "Checking PSS level for ${chart}..." - if [ -d "shared/charts/${chart}" ]; then - find "shared/charts/${chart}" -type f -exec cat {} + \ + echo "Checking PSS level for ${CHART}..." + if [ -d "shared/charts/${CHART}" ]; then + find "shared/charts/${CHART}" -type f -exec cat {} + \ | docker run -i --rm $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA --level "$PSS_LEVEL" -f - \ | grep -v "Non standard" \ | grep -v "Kind not" else - echo "Warning: Rendered output for ${chart} not found." + echo "Warning: Rendered output for ${CHART} not found." fi From a4ab796de0251869fa32d68b28ee6988a458cbeb Mon Sep 17 00:00:00 2001 From: Austin Mitchell Date: Mon, 8 Dec 2025 15:06:23 -0800 Subject: [PATCH 4/5] drop debug echo; add comment --- .github/workflows/psa-checker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/psa-checker.yml b/.github/workflows/psa-checker.yml index 9a8251b..efc10fc 100644 --- a/.github/workflows/psa-checker.yml +++ b/.github/workflows/psa-checker.yml @@ -66,7 +66,6 @@ jobs: run: | # Loop over templates from each chart and check PSS levels docker pull $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA # Pull before run so the output is less messy - echo "DEBUG: CHART is $CHART" echo "Checking PSS level for ${CHART}..." if [ -d "shared/charts/${CHART}" ]; then find "shared/charts/${CHART}" -type f -exec cat {} + \ @@ -74,5 +73,6 @@ jobs: | grep -v "Non standard" \ | grep -v "Kind not" else + # Fail only if PSS violations are found - if chart failed to render just print a warning echo "Warning: Rendered output for ${CHART} not found." fi 
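Review bot: The comment added in the `else` branch documents a fail-open: when `shared/charts/${CHART}` is missing the step prints one log line and exits 0, so a chart whose render produced no artifact passes the PSS gate unchecked, and nothing in this hunk shows that the rendering job itself fails in that case. At minimum make the skip visible outside the raw log with a workflow annotation, `echo "::warning title=psa-checker::Rendered output for ${CHART} not found; PSS check skipped"`, and consider exposing the skip as a step output so a downstream job can decide whether it should fail. Note also that `[ -d ... ]` is true for an empty directory, so a chart that rendered to zero files takes the check branch with empty stdin rather than this warning — what psa-checker does with empty input is not visible here. The `run: |` block and its `if` begin in the previous hunk of this patch.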
From 0249988a64909f80d74ba97c09e4feea4ea36a80 Mon Sep 17 00:00:00 2001 From: Austin Mitchell Date: Mon, 8 Dec 2025 15:17:51 -0800 Subject: [PATCH 5/5] update comment --- .github/workflows/psa-checker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/psa-checker.yml b/.github/workflows/psa-checker.yml index efc10fc..6beec6a 100644 --- a/.github/workflows/psa-checker.yml +++ b/.github/workflows/psa-checker.yml @@ -64,7 +64,7 @@ jobs: PSS_LEVEL: ${{ inputs.pss_level }} CHART: ${{ matrix.chart }} run: | - # Loop over templates from each chart and check PSS levels + # Check pod security levels for templates in each chart docker pull $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA # Pull before run so the output is less messy echo "Checking PSS level for ${CHART}..." if [ -d "shared/charts/${CHART}" ]; then