- root.go: guard against nil writer in newRegistryClient variadic
parameter to prevent panic on explicit nil pass
- push.go (cmd): replace io.Discard with suppressSummaryWriter that
forwards warnings/errors to stderr while silently dropping the
registry client's built-in "Pushed:"/"Digest:" summary lines
- push.go (action): return a clear error when Run() is called on an
OCI remote without WithPushConfig, preventing nil-pointer panic on
p.cfg.RegistryClient dereference
Signed-off-by: Ilya Kislitsyn <kis-ilya-a@yandex.ru>
Signed-off-by: Ilya Kiselev <kis-ilya-a@yandex.ru>
Add an optional io.Writer parameter to newRegistryClient (and the
internal newDefaultRegistryClient / newRegistryClientWithTLS helpers)
so callers can control where registry client output goes.
All existing callers are unaffected (default remains os.Stderr).
For helm push, pass io.Discard so that the registry client's built-in
"Pushed:"/"Digest:" lines are suppressed. The --output writer
(WriteTable / WriteJSON / WriteYAML) is the single source of truth for
push result output, preventing duplication on the terminal.
Signed-off-by: Ilya Kiselev <kis-ilya-a@yandex.ru>
Address Copilot review feedback:
- WriteTable now uses "Pushed:"/"Digest:" labels consistent with the
registry client's built-in output (pkg/registry/client.go:746-747),
so the default --output table experience is familiar to existing users
- Add TestPushOutputFlagCompletion to verify the --output flag is
properly registered and offers json/yaml/table completions
- Document that Pusher.Push and action.Push.Run signature changes are
intentional breaking changes in the Helm v4 major release
Signed-off-by: Ilya Kiselev <kis-ilya-a@yandex.ru>
cmd/push: implement WriteTable to emit ref and digest
The WithPushOptWriter option and the out field on Push were never
wired to any meaningful output path — ChartUploader.Out is not read
by UploadTo() and the registry client manages its own writer.
Remove them to avoid dead API surface.
WriteTable now writes a tab-aligned REF/DIGEST result to the
command's stdout stream. The registry client continues to write
its own progress output to stderr, so there is no duplication.
Signed-off-by: Mentigen <mentigen@mentigen.ru>
Signed-off-by: Ilya Kiselev <kis-ilya-a@yandex.ru>
Add support for --output flag to 'helm push' command for machine-readable
output formats (JSON and YAML). This enables programmatic consumption of push
results and integration with tools like cosign for artifact signing.
Changes:
- Modified Pusher interface to return (*registry.PushResult, error)
- Updated OCIPusher.Push() and push() to return PushResult
- Updated action.Push.Run() to return (*registry.PushResult, error)
- Added output formatting to push command (table/json/yaml)
- Created pushResult struct with Ref and Digest fields
- Implemented pushWriter with WriteTable/WriteJSON/WriteYAML methods
- Updated test fixtures to handle new return signature
The default table format maintains backward compatibility with existing
plain-text output style.
Fixes#11735
Signed-off-by: Ilya Kiselev <kis-ilya-a@yandex.ru>
Adds the bidichk linter to .golangci.yml to detect dangerous invisible
Unicode characters (ZWSP, bidi controls) in source files during CI.
Fixes#32137
Signed-off-by: Arnav Nagzirkar <arnav.nagzirkar@mail.utoronto.ca>
Upgrades golang.org/x/net from v0.53.0 to v0.55.0 to fix CVE-2026-39821
(GO-2026-5026), where idna.ToASCII/ToUnicode incorrectly accept Punycode-
encoded labels that decode to ASCII-only labels, enabling privilege escalation
via hostname check bypass.
Coordinated x/ upgrade pulled in by the module graph:
- golang.org/x/sys v0.44.0 => v0.45.0
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Helm v4 shipped on 2025-11-17. Mark it as the current stable release
and v3 as support-mode with its end-of-support dates.
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
The comment describing allowed plugin name characters contained three
U+200B (zero-width space) characters around the '_' and '-' literals.
The rendered comment is identical without them; the ZWSP were likely
copy-pasted from a rich-text source.
Downstream impact: every project that vendors helm.sh/helm/v4 and runs
Renovate gets a repo-wide warning on its Dependency Dashboard about
hidden Unicode characters. Renovate scans the whole tree (including
vendor/) for ZWSP/bidi-override codepoints and cannot be told to skip
a path for this specific check. Removing the characters here clears
the warning everywhere downstream.
Signed-off-by: Aleksei Sviridkin <f@lex.la>
slog.Error on line 157 passes printf-style positional args (%q, %s)
instead of key-value pairs. The slog API treats these as unkeyed
attributes, producing garbled log output.
Two nearby slog.Warn calls wrap fmt.Sprintf unnecessarily. Convert
all three calls to use proper structured key-value arguments.
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Assisted-by: Grok/grok-4
Ilya Kiselev
Terry Howe
George Jenkins
dependabot[bot]
Evans Mungai
Austin Abro
Arnav Nagzirkar
Benoit Tigeot
Aleksei Sviridkin
Robert Sirchia
Matheus Pimenta
Sebastien Tardif
Kai Tanaka
box4wangjing