Skip to content

deps: Migrate to rancher/kuberlr-kubectl #181

deps: Migrate to rancher/kuberlr-kubectl

deps: Migrate to rancher/kuberlr-kubectl #181

# This action releases the kubewarden Helm charts.
# The action must run on each commit done against main, however
# a new release will be performed **only** when a change occurs inside
# of the `charts` directory.
#
# When the helm charts are changed, this action will, for each chart:
# * Create a new GitHub release: e.g. kubwarden-controller-chart.
# * This release has a kubwarden-controller-chart.tar.gz asset associated with
# it. This is the actual Helm chart.
# * Update the `index.yaml` file inside of the `gh-pages` branch. This is the
# index of our https Helm chart repository, which we serve through GitHub pages.
# * Update the docs shown at https://charts.kubewarden.io, on the `gh-pages`
# branch. This is the README files of the chart(s), served also through
# GitHub pages.
# * Push the chart, signed and with attestation, to ghcr.io OCI registry.
#
# = FAQ
#
# == Why don't we run this action only when a tag like `v*` is created?
#
# Running the action only when a "release tag" is created will not produce
# a helm chart. That happens because the code which determines if something
# changed inside of the `charts` directory will not find any changes.
#
# == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action?
#
# Yes, we even got that to work. However, what we really want to do is the
# ability to tag the releases of the kubewarden-controller and its helm chart
# in an independent way. Which the official GitHub action already does.
name: Release helm chart
on:
workflow_dispatch:
push:
branches:
- main
jobs:
release:
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
contents: write
attestations: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Check that the contents of common-values.yaml are included in values.yaml
run: |
make check-common-values
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Generate container image files
run: |
make generate-images-file
- name: Generate policies files
run: |
make generate-policies-file
- name: Generate changelog files
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
make generate-changelog-files
- name: Add dependency repo required to release the controller chart
run: |
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
helm repo update
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install chart-releaser
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
with:
install_only: true
- name: Release Helm charts
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -ex
OWNER=${{ github.repository_owner }}
REPO=helm-charts
CONFIG_FILE=cr.yaml
PACKAGE_PATH=.cr-release-packages
CR_TOKEN=${{ secrets.GITHUB_TOKEN }}
rm -rf ${PACKAGE_PATH}
# Release each chart in the charts directory
for chart in $(find charts -maxdepth 1 -mindepth 1 -type d ); do
chart_name=$(basename $chart)
chart_path=${PACKAGE_PATH}/${chart_name}-*.tgz
cr package charts/${chart_name} --config ${CONFIG_FILE} --package-path ${PACKAGE_PATH}
# check if the chart version is already release. If so, do nothing
chart_version=$(helm show chart $chart_path | yq -r '.version')
if gh --repo ${OWNER}/${REPO} release view $chart_name-$chart_version; then
echo "Chart $chart_name-$chart_version already released. No need to release again."
rm $chart_path
continue
fi
done
# Upload the charts if the .cr-release-packages directory is not empty
if [ "$(ls ${PACKAGE_PATH})" ]; then
# Upload the chart to the GitHub release
cr upload --config ${CONFIG_FILE} -o ${OWNER} -r ${REPO} -c "$(git rev-parse HEAD)" --skip-existing --make-release-latest=false --token ${CR_TOKEN} --push
echo "Charts released!"
# Reindex the repository
cr index --config ${CONFIG_FILE} -o ${OWNER} -r ${REPO} --push --token ${CR_TOKEN} --index-path .
echo "Repository indexed!"
# Publish the charts to the OCI registry and sign them
REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER/charts"
echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV"
for chart_path in $(find ${PACKAGE_PATH} -maxdepth 1 -mindepth 1 ); do
echo "Pushing chart $chart_path to ghcr.io"
chart_name=$(helm show chart ${chart_path} | yq ".name")
push_output=$(helm push $chart_path "oci://$REGISTRY" 2>&1)
chart_url=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\1\@\2/p')
digest=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\2/p')
echo "DIGEST_${chart_name}=${digest}" >> "$GITHUB_ENV"
cosign sign --yes "$chart_url"
echo "Chart $chart_name signed and pushed to ghcr.io"
done
fi
- name: Prepare GH pages readme
run: |
mkdir -p ./to-gh-pages
cat charts/kubewarden-controller/README.md >> charts/README.md
echo >> charts/README.md
cat charts/kubewarden-defaults/README.md >> charts/README.md
echo >> charts/README.md
cat charts/kubewarden-crds/README.md >> charts/README.md
cp -f charts/README.md ./to-gh-pages/
cp -f artifacthub-repo.yml ./to-gh-pages/
- name: Deploy readme to GH pages
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./to-gh-pages
keep_files: true
enable_jekyll: true
- name: Upload images and policies file
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
# .cr-release-packages is the directory used by the Helm releaser from a previous step
chart_directory=.cr-release-packages
if [ ! -d "$chart_directory" ]; then
echo "$chart_directory does not exist. Assuming no charts update"
exit 0
fi
charts=$(find ./charts -maxdepth 1 -mindepth 1 -type d)
asset_name=""
for chart in $charts; do
chart_name=$(helm show chart $chart | yq -r '.name' )
chart_version=$(helm show chart $chart | yq -r '.version')
asset_name="${asset_name}_${chart_name}-${chart_version}"
done
image_asset_name="${asset_name:1}_images.txt"
cp imagelist.txt $image_asset_name
charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f)
for chart in $charts; do
chart_name=$(helm show chart $chart | yq -r '.name' )
chart_version=$(helm show chart $chart | yq -r '.version')
if [[ $chart_name != *"-crds" ]]; then
gh release upload $chart_name-$chart_version $image_asset_name --clobber
fi
if [[ $chart_name == *"-defaults" ]]; then
cp "./charts/kubewarden-defaults/policylist.txt" "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt"
gh release upload $chart_name-$chart_version "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt" --clobber
fi
done
- name: Generate provenance attestation for kubewarden-crds chart and push to OCI
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
if: env.DIGEST_kubewarden-crds != ''
with:
push-to-registry: true
subject-name: ${{ env.REGISTRY}}/kubewarden-crds
subject-digest: ${{ env.DIGEST_kubewarden-crds }}
- name: Generate provenance attestation for kubewarden-controller chart and push to OCI
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
if: env.DIGEST_kubewarden-controller != ''
with:
push-to-registry: true
subject-name: ${{ env.REGISTRY}}/kubewarden-controller
subject-digest: ${{ env.DIGEST_kubewarden-controller }}
- name: Generate provenance attestation for kubewarden-defaults chart and push to OCI
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
if: env.DIGEST_kubewarden-defaults != ''
with:
push-to-registry: true
subject-name: ${{ env.REGISTRY}}/kubewarden-defaults
subject-digest: ${{ env.DIGEST_kubewarden-defaults }}