OpenTelemetry/Signoz Implementation

.github/workflows/documentation.yml

@@ -311,6 +311,16 @@ jobs:
           done
           echo "Rebuilt $REBUILT historical tag(s); remainder served from cache"
 
+      - name: Register Helm subchart repositories
+        # `helm dependency build` resolves tarballs by repository URL; the URL
+        # in Chart.lock is matched against `helm repo list`, not fetched
+        # directly. On a fresh runner the SigNoz repo isn't registered, so
+        # `dependency build` fails with `no repository definition for
+        # https://charts.signoz.io`. Register before any packaging step that
+        # relies on it. `--force-update` is idempotent across re-runs.
+        run: |
+          helm repo add --force-update signoz https://charts.signoz.io
+
       - name: Package Tagged Helm Charts
         run: |
           mkdir -p docs/public/helm
@@ -327,8 +337,17 @@ jobs:
               echo "Packaging helm chart for $TAG (version: $VERSION)"
               WORKDIR=$(mktemp -d)
               git worktree add "$WORKDIR" "$TAG"
+              if grep -q "^dependencies:" "$WORKDIR/helm/Chart.yaml"; then
+                helm dependency build "$WORKDIR/helm"
+              fi
               helm package "$WORKDIR/helm" -d docs/public/helm --version "$VERSION" --app-version "$VERSION" --debug
-              git worktree remove "$WORKDIR"
+              # --force: the worktree is a mktemp scratch dir, and even if a
+              # future helm version starts emitting files that aren't matched
+              # by the chart's .gitignore (currently `helm/**/*.tgz` covers
+              # the dep tarball), `git worktree remove` would refuse to clean
+              # up an apparently dirty tree and abort the rest of Pages
+              # publication. There's nothing of value in this worktree.
+              git worktree remove --force "$WORKDIR"
               PACKAGED=$((PACKAGED + 1))
             else
               echo "Tag $TAG does not match vMAJOR.MINOR.PATCH — skipping"
@@ -337,7 +356,9 @@ jobs:
           echo "Packaged $PACKAGED new chart(s); remainder served from cache"
 
       - name: Package Main Helm chart
-        run: helm package helm -d docs/public/helm --debug
+        run: |
+          helm dependency build helm
+          helm package helm -d docs/public/helm --debug
 
       - name: Index Helm charts
         run: helm repo index docs/public/helm --url "${{ steps.pages.outputs.base_url }}/helm"

.github/workflows/opentofu.yml

@@ -80,12 +80,21 @@ jobs:
       - name: Install Python and Dependencies
         run: |
           apk add --no-cache python3 py3-pip
-          pip3 install --break-system-packages pyyaml jsonschema referencing
+          pip3 install --break-system-packages pyyaml jsonschema referencing pytest
 
       - name: Validate Oracle Resource Manager Schema
         working-directory: ./tests/opentofu
         run: python3 ./validate_omr_schema.py OMRMetaSchema.yaml ../../opentofu/schema.yaml
 
+      - name: Run OpenTofu render contract tests
+        # Exercises tests/opentofu/test_cfgmgt_optimizer_values.py, which
+        # invokes `tofu` to render ai-optimizer-values.yaml under various
+        # BYO/observability combinations. The container already has tofu.
+        # The single helm-requiring e2e test in that file skips here (no
+        # helm binary in this container); the unit-level tests cover the
+        # same defects without needing helm.
+        run: pytest tests/opentofu/ -v
+
   # Job 2: Security scanning (runs on host for Docker access)
   verify-iac-security:
     name: Security Scan

.github/workflows/pytest.yml

@@ -17,6 +17,12 @@ concurrency:
   group: pytest-${{ github.ref }}
   cancel-in-progress: true
 
+# Helm binary/install-script pin — referenced by every job that needs helm
+# (check-helm, check-opentofu). Update both values together when bumping helm.
+env:
+  HELM_INSTALL_SCRIPT_VERSION: v4.1.4
+  HELM_INSTALL_SCRIPT_SHA256: 38b65f882d9cae3891755bdb03becc6a01ae6f9cb24826c191f219ddfee70a5d
+
 jobs:
   detect-changes:
     if: github.event.pull_request.draft == false || github.event_name == 'workflow_dispatch'
@@ -79,8 +85,8 @@ jobs:
             echo "helm=false" >> $GITHUB_OUTPUT
           fi
 
-          # OpenTofu
-          if echo "$CHANGED" | grep -qE '^opentofu/'; then
+          # OpenTofu — module sources or the pytest suite under tests/opentofu/
+          if echo "$CHANGED" | grep -qE '^opentofu/|^tests/opentofu/'; then
             echo "opentofu=true" >> $GITHUB_OUTPUT
           else
             echo "opentofu=false" >> $GITHUB_OUTPUT
@@ -127,7 +133,7 @@ jobs:
       - name: Setup Python + uv
         uses: ./.github/actions/setup-python-uv
         with:
-          extras: ${{ matrix.variant }},dev
+          extras: ${{ matrix.variant == 'server' && 'server,otel,dev' || format('{0},dev', matrix.variant) }}
           cache-suffix: ${{ matrix.variant }}
 
       - name: Run yamllint
@@ -175,25 +181,33 @@ jobs:
         run: |
           pip install yamllint pytest pyyaml
           HELM_INSTALL_SCRIPT=$(mktemp)
-          curl -fsSL -o "$HELM_INSTALL_SCRIPT" https://raw.githubusercontent.com/helm/helm/v4.1.4/scripts/get-helm-3
-          EXPECTED_HASH="38b65f882d9cae3891755bdb03becc6a01ae6f9cb24826c191f219ddfee70a5d"
+          curl -fsSL -o "$HELM_INSTALL_SCRIPT" "https://raw.githubusercontent.com/helm/helm/${HELM_INSTALL_SCRIPT_VERSION}/scripts/get-helm-3"
           ACTUAL_HASH=$(sha256sum "$HELM_INSTALL_SCRIPT" | cut -d' ' -f1)
-          if [ "$ACTUAL_HASH" != "$EXPECTED_HASH" ]; then
+          if [ "$ACTUAL_HASH" != "$HELM_INSTALL_SCRIPT_SHA256" ]; then
             echo "Helm install script hash mismatch!"
-            echo "Expected: $EXPECTED_HASH"
+            echo "Expected: $HELM_INSTALL_SCRIPT_SHA256"
             echo "Actual:   $ACTUAL_HASH"
             exit 1
           fi
-          bash "$HELM_INSTALL_SCRIPT"
+          bash "$HELM_INSTALL_SCRIPT" --version "$HELM_INSTALL_SCRIPT_VERSION"
+          helm version --short
 
       - name: Run yamllint
         run: yamllint helm/
 
+      - name: Build chart dependencies
+        # Pulls subchart tarballs into helm/charts/. The repo-add is
+        # required because `helm dependency build` resolves by repository
+        # URL via `helm repo list`, not by fetching the URL directly.
+        run: |
+          helm repo add --force-update signoz https://charts.signoz.io
+          helm dependency build helm/
+
       - name: Run Helm Lint (basic structure)
         run: helm lint helm/
 
       - name: Run Helm Lint (with required values)
-        run: helm lint helm/ --set global.api.apiKey=test-api-key
+        run: helm lint helm/ --set global.api.apiKey=test-api-key --set client.cookieSecret=test-cookie
 
       - name: Run Helm Package (validate chart builds)
         run: helm package helm/ --destination "$RUNNER_TEMP/helm-package"
@@ -219,11 +233,32 @@ jobs:
           python-version: "3.11"
 
       - name: Install dependencies
-        run: pip install ruff
+        run: |
+          pip install ruff pytest
+          HELM_INSTALL_SCRIPT=$(mktemp)
+          curl -fsSL -o "$HELM_INSTALL_SCRIPT" "https://raw.githubusercontent.com/helm/helm/${HELM_INSTALL_SCRIPT_VERSION}/scripts/get-helm-3"
+          ACTUAL_HASH=$(sha256sum "$HELM_INSTALL_SCRIPT" | cut -d' ' -f1)
+          if [ "$ACTUAL_HASH" != "$HELM_INSTALL_SCRIPT_SHA256" ]; then
+            echo "Helm install script hash mismatch!"
+            echo "Expected: $HELM_INSTALL_SCRIPT_SHA256"
+            echo "Actual:   $ACTUAL_HASH"
+            exit 1
+          fi
+          bash "$HELM_INSTALL_SCRIPT" --version "$HELM_INSTALL_SCRIPT_VERSION"
+          helm version --short
 
       - name: Run Ruff
         run: ruff check opentofu
 
+      - name: Run cfgmgt pytest
+        # Exercises opentofu/cfgmgt/apply.py helpers (dep resolution, repo
+        # registration). Needs the helm binary because the helpers shell
+        # out to `helm dependency list/build/update`. pytest discovers only
+        # `test_*.py` so the non-test `validate_omr_schema.py` script in the
+        # same directory is not collected. Tests requiring tofu skip here
+        # and run in opentofu.yml's verify-iac-static instead.
+        run: pytest tests/opentofu/ -v
+
   check:
     needs:
       - detect-changes