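---
# Lint and validate every chart changed by a push or pull request; on main,
# publish the charts with chart-releaser.
#
# Security notes for maintainers:
#   - Keep the PR trigger as `pull_request`, never `pull_request_target`: the
#     check job executes content taken from the PR (chart sources, a plugin
#     install), so it must run with the fork's read-only GITHUB_TOKEN.
#   - Third-party actions are pinned to mutable tags. Pin each to a full
#     commit SHA (`uses: owner/repo@<sha>  # vX.Y.Z`) so a retargeted tag
#     cannot change what runs on the runner.
#   - Nothing from the event, the matrix or a previous step is interpolated
#     into a `run:` script with `${{ }}`; such values reach the shell only via
#     `env:` and are double-quoted, which closes the script-injection path
#     (a chart directory named e.g. `$(...)` would otherwise be executed).
name: Release Charts

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - '*'
  push:
    branches:
      - '*'

env:
  HELM_VERSION: v3.11.3

jobs:
  find-charts:
    name: Find Charts
    runs-on: ubuntu-latest
    # Only reads the repository; never inherit the repo-wide default.
    permissions:
      contents: read
    outputs:
      matrix: "${{ steps.get_changed_charts_folders.outputs.matrix }}"
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history so the diff of a multi-commit push is complete.
          fetch-depth: 0
      - name: Get changed charts
        id: get_changed_charts
        # NOTE(review): pin to a commit SHA. The release tags of this action
        # were retargeted to malicious code in a March 2025 supply-chain
        # incident; a tag pin offers no protection against that.
        uses: tj-actions/[email protected]
        with:
          json: true
          # The array is consumed as a quoted shell variable below, so it must
          # be plain JSON. With the default (escaped) form the backslashes
          # would survive quoting and fromJSON() would reject the matrix.
          escape_json: false
          path: ./charts/
          diff_relative: true
          dir_names_max_depth: 1
          dir_names: true
          dir_names_exclude_root: true
          write_output_files: true
      - name: Build chart matrix
        id: get_changed_charts_folders
        env:
          # Set to "true" to release every chart directory instead of only
          # the changed ones.
          ALL_CHARTS: 'false'
          # Step output is handed over through the environment, not spliced
          # into the script, so its content cannot become shell code.
          CHANGED_CHARTS: ${{ steps.get_changed_charts.outputs.all_changed_files }}
        run: |
          set -euo pipefail
          if [ "$ALL_CHARTS" = "true" ]; then
            echo "Release all charts"
            # -Q double-quotes every name, -m separates with ", ", -w 0 keeps
            # everything on one line: the result is a JSON string array.
            echo "matrix=[$(cd charts && ls -d -Q -m -w 0 -- *)]" >> "$GITHUB_OUTPUT"
          else
            echo "matrix=$CHANGED_CHARTS" >> "$GITHUB_OUTPUT"
          fi

  check-charts:
    name: Check
    needs: find-charts
    # Skip when no chart directory changed (empty output or an empty array).
    if: ${{ needs.find-charts.outputs.matrix != '' && toJson(fromJson(needs.find-charts.outputs.matrix)) != '[]' }}
    strategy:
      matrix:
        chart: ${{ fromJSON(needs.find-charts.outputs.matrix) }}
    # This job only lints and validates; it pushes nothing. The SARIF upload
    # that needed `security-events: write` is commented out below - restore
    # that permission together with it.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    env:
      # The matrix value reaches every `run:` step through the environment.
      CHART: ${{ matrix.chart }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "[email protected]"
      - name: Setup Helm
        uses: azure/setup-helm@v3
        with:
          version: ${{ env.HELM_VERSION }}
      # - name: Trivy Scan ${{ matrix.chart }}
      #   uses: aquasecurity/[email protected]
      #   with:
      #     scan-type: 'config'
      #     hide-progress: false
      #     format: 'sarif'
      #     scan-ref: 'charts/${{matrix.chart}}'
      #     output: 'trivy-results.sarif'
      #     exit-code: '1'
      #     ignore-unfixed: false
      #     severity: 'MEDIUM,HIGH,CRITICAL'
      #     trivyignores: 'charts/${{matrix.chart}}/.trivyignore'
      #     limit-severities-for-sarif: false
      - name: Lint ${{ matrix.chart }}
        run: |
          set -euo pipefail
          helm dependency update "charts/$CHART"
          helm lint "charts/$CHART" --strict
      - name: KubeVal ${{ matrix.chart }}
        run: |
          set -euo pipefail
          # NOTE(review): this installs whatever is at the plugin repo's
          # default branch at run time; pin it with `--version <tag>`.
          # Upstream kubeval is no longer maintained - consider kubeconform.
          helm plugin install https://github.com/instrumenta/helm-kubeval
          helm -f kubeval-values.yaml kubeval --ignore-missing-schemas --api-versions networking.k8s.io/v1/IngressClass "charts/$CHART"
      #
      # - name: Upload Trivy scan results for ${{ matrix.chart }}
      #   uses: github/codeql-action/upload-sarif@v2
      #   if: always()
      #   with:
      #     sarif_file: 'trivy-results.sarif'

  release-charts:
    name: Release
    if: github.ref == 'refs/heads/main'
    needs: check-charts
    # chart-releaser needs `contents: write` to create releases and push the
    # index to the pages branch; nothing in this job uploads SARIF or reads
    # other workflow runs, so no further scope is granted.
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "[email protected]"
      - name: Add helm repositories
        # Register every repository a chart depends on so chart-releaser can
        # resolve the dependencies. `helm dependency list` prints a header row
        # followed by "NAME VERSION REPOSITORY STATUS" rows; the header and any
        # blank/truncated row are dropped, and name and URL are passed as
        # separate quoted arguments instead of being re-parsed by the shell.
        run: |
          set -eu
          for dir in charts/*/; do
            [ -d "$dir" ] || continue
            helm dependency list "$dir" 2> /dev/null \
              | awk 'NR > 1 && NF >= 3 { print $1, $3 }' \
              | while read -r name repo; do
                  helm repo add "$name" "$repo"
                done
          done
      - name: Publish charts
        # NOTE(review): pin to a commit SHA.
        uses: helm/[email protected]
        env:
          CR_SKIP_EXISTING: 'true'
          # NOTE(review): `charts_dir` is an action input (`with:`), not an
          # environment variable; as written it has no effect and the action
          # scans its default `charts` directory, which matches this repo.
          # Move it under `with:` only if a `publish-charts` directory is
          # actually introduced.
          charts_dir: publish-charts
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"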