From c8ecb34ce2f41640129fe4be6b7c080a907ac073 Mon Sep 17 00:00:00 2001
From: Erik Sundell <erik.i.sundell@gmail.com>
Date: Fri, 15 Jan 2021 22:01:36 +0100
Subject: [PATCH 1/2] ci: add test for helm warnings

---
 .github/workflows/test_k3s.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/test_k3s.yml b/.github/workflows/test_k3s.yml
index c761643..f610958 100644
--- a/.github/workflows/test_k3s.yml
+++ b/.github/workflows/test_k3s.yml
@@ -109,6 +109,11 @@ jobs:
           helm version
           helm list
 
+          if helm version 2>&1 | grep WARNING > /dev/null; then
+              echo "helm is expected to run without a WARNING!"
+              exit 1
+          fi
+
       - name: Install network policies test
         run: helm install test-calico ./test-calico --wait
 

From a8cc397dbdddc6976e5fee6c9563da941b43e55a Mon Sep 17 00:00:00 2001
From: Erik Sundell <erik.i.sundell@gmail.com>
Date: Fri, 15 Jan 2021 22:08:55 +0100
Subject: [PATCH 2/2] fix: remove group/world permissions for home folder
 kubeconfig

---
 action.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/action.yml b/action.yml
index 41a64cd..9349fe9 100644
--- a/action.yml
+++ b/action.yml
@@ -115,10 +115,14 @@ runs:
           ${{ inputs.extra-setup-args }}
       shell: bash
 
+    # By providing a kubeconfig owned by the current user with 600 permissions,
+    # kubectl becomes usable without sudo, and helm won't emit warnings about
+    # bloated access to group/world.
     - name: Prepare a kubeconfig in ~/.kube/config
       run: |
         mkdir -p ~/.kube
         sudo cat /etc/rancher/k3s/k3s.yaml > "$HOME/.kube/config"
+        chmod 600 "$HOME/.kube/config"
         echo "KUBECONFIG=$HOME/.kube/config" >> $GITHUB_ENV
       shell: bash