# This action releases the kubewarden Helm charts.
# The action must run on each commit done against main, however
# a new release will be performed **only** when a change occurs inside
# of the `charts` directory.
#
# When the helm charts are changed, this action will, for each chart:
# * Create a new GitHub release: e.g. kubewarden-controller-chart.
# * This release has a kubewarden-controller-chart.tar.gz asset associated with
# it. This is the actual Helm chart.
# * Update the `index.yaml` file inside of the `gh-pages` branch. This is the
# index of our https Helm chart repository, which we serve through GitHub pages.
# * Update the docs shown at https://charts.kubewarden.io, on the `gh-pages`
# branch. This is the README files of the chart(s), served also through
# GitHub pages.
# * Push the chart, signed and with attestation, to ghcr.io OCI registry.
#
# = FAQ
#
# == Why don't we run this action only when a tag like `v*` is created?
#
# Running the action only when a "release tag" is created will not produce
# a helm chart. That happens because the code which determines if something
# changed inside of the `charts` directory will not find any changes.
#
# == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action?
#
# Yes, we even got that to work. However, what we really want is the ability
# to tag the releases of the kubewarden-controller and of its Helm chart
# independently, which the official GitHub action already does.
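name: Release helm chart

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  release:
    runs-on: ubuntu-latest
    # Token scopes used by this job: id-token for keyless cosign signing and
    # the provenance attestations, packages for the ghcr.io push, contents for
    # the GitHub releases and the gh-pages commits, attestations for the
    # attest-build-provenance steps.
    permissions:
      id-token: write
      packages: write
      contents: write
      attestations: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Full clone instead of the default shallow checkout.
          fetch-depth: 0

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "[email protected]"

      - name: Check that the contents of common-values.yaml are included in values.yaml
        run: |
          make check-common-values

      - name: Install cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Generate container image files
        run: |
          make generate-images-file

      - name: Generate policies files
        run: |
          make generate-policies-file

      - name: Generate changelog files
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          make generate-changelog-files

      - name: Add dependency repo required to release the controller chart
        run: |
          helm repo add policy-reporter https://kyverno.github.io/policy-reporter
          helm repo update

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install chart-releaser
        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
        with:
          install_only: true

      - name: Release Helm charts
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment instead of being interpolated with
          # ${{ }} into the script body: the token and owner never become part
          # of the shell command text that `set -x` traces and the runner
          # writes to disk.
          CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          OWNER: ${{ github.repository_owner }}
        run: |
          set -ex
          REPO=helm-charts
          CONFIG_FILE=cr.yaml
          PACKAGE_PATH=.cr-release-packages
          rm -rf "${PACKAGE_PATH}"
          # Package each chart in the charts directory, then drop the packages
          # whose version already has a GitHub release.
          for chart in $(find charts -maxdepth 1 -mindepth 1 -type d); do
            chart_name=$(basename "$chart")
            # Glob matching the <name>-<version>.tgz written by `cr package`;
            # it is deliberately left unquoted below so that it expands.
            chart_path=${PACKAGE_PATH}/${chart_name}-*.tgz
            cr package "charts/${chart_name}" --config "${CONFIG_FILE}" --package-path "${PACKAGE_PATH}"
            # Check if the chart version is already released. If so, do nothing.
            chart_version=$(helm show chart $chart_path | yq -r '.version')
            if gh --repo "${OWNER}/${REPO}" release view "${chart_name}-${chart_version}"; then
              echo "Chart $chart_name-$chart_version already released. No need to release again."
              rm $chart_path
              continue
            fi
          done
          # Upload the charts if the .cr-release-packages directory is not empty
          if [ "$(ls "${PACKAGE_PATH}")" ]; then
            # Upload the chart to the GitHub release
            cr upload --config "${CONFIG_FILE}" -o "${OWNER}" -r "${REPO}" \
              -c "$(git rev-parse HEAD)" --skip-existing --make-release-latest=false \
              --token "${CR_TOKEN}" --push
            echo "Charts released!"
            # Reindex the repository
            cr index --config "${CONFIG_FILE}" -o "${OWNER}" -r "${REPO}" --push \
              --token "${CR_TOKEN}" --index-path .
            echo "Repository indexed!"
            # Publish the charts to the OCI registry and sign them
            REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER/charts"
            echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV"
            for chart_path in $(find "${PACKAGE_PATH}" -maxdepth 1 -mindepth 1); do
              echo "Pushing chart $chart_path to ghcr.io"
              chart_name=$(helm show chart "${chart_path}" | yq -r '.name')
              push_output=$(helm push "$chart_path" "oci://$REGISTRY" 2>&1)
              # The unquoted `echo $push_output` folds helm's output onto one
              # line so that the "Pushed: ... Digest: ..." patterns match.
              chart_url=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\1\@\2/p')
              digest=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\2/p')
              # Fail loudly if the push output could not be parsed: signing an
              # empty reference or attesting an empty digest must not happen.
              if [ -z "$chart_url" ] || [ -z "$digest" ]; then
                echo "Could not parse the digest of $chart_path from helm push output:"
                echo "$push_output"
                exit 1
              fi
              # Consumed by the attestation steps below as DIGEST_<chart name>.
              echo "DIGEST_${chart_name}=${digest}" >> "$GITHUB_ENV"
              cosign sign --yes "$chart_url"
              echo "Chart $chart_name signed and pushed to ghcr.io"
            done
          fi

      - name: Prepare GH pages readme
        run: |
          mkdir -p ./to-gh-pages
          # Concatenate the per-chart READMEs into one page, one blank line
          # between them.
          cat charts/kubewarden-controller/README.md >> charts/README.md
          echo >> charts/README.md
          cat charts/kubewarden-defaults/README.md >> charts/README.md
          echo >> charts/README.md
          cat charts/kubewarden-crds/README.md >> charts/README.md
          cp -f charts/README.md ./to-gh-pages/
          cp -f artifacthub-repo.yml ./to-gh-pages/

      - name: Deploy readme to GH pages
        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./to-gh-pages
          keep_files: true
          enable_jekyll: true

      - name: Upload images and policies file
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -e
          # .cr-release-packages is the directory used by the Helm releaser from a previous step
          chart_directory=.cr-release-packages
          if [ ! -d "$chart_directory" ]; then
            echo "$chart_directory does not exist. Assuming no charts update"
            exit 0
          fi
          # Build the asset name from the name and version of every chart
          # source directory: _<name>-<version> appended per chart.
          charts=$(find ./charts -maxdepth 1 -mindepth 1 -type d)
          asset_name=""
          for chart in $charts; do
            chart_name=$(helm show chart "$chart" | yq -r '.name')
            chart_version=$(helm show chart "$chart" | yq -r '.version')
            asset_name="${asset_name}_${chart_name}-${chart_version}"
          done
          # ${asset_name:1} drops the leading underscore.
          image_asset_name="${asset_name:1}_images.txt"
          cp imagelist.txt "$image_asset_name"
          # Only the packages left by the release step are iterated here; the
          # already-released versions were removed from the directory there.
          charts=$(find "$chart_directory" -maxdepth 1 -mindepth 1 -type f)
          for chart in $charts; do
            chart_name=$(helm show chart "$chart" | yq -r '.name')
            chart_version=$(helm show chart "$chart" | yq -r '.version')
            if [[ $chart_name != *"-crds" ]]; then
              gh release upload "$chart_name-$chart_version" "$image_asset_name" --clobber
            fi
            if [[ $chart_name == *"-defaults" ]]; then
              cp "./charts/kubewarden-defaults/policylist.txt" "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt"
              gh release upload "$chart_name-$chart_version" "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt" --clobber
            fi
          done

      # The DIGEST_<chart> variables are written by the release step only for
      # charts pushed in this run, so each attestation step is skipped when its
      # chart was not released.
      - name: Generate provenance attestation for kubewarden-crds chart and push to OCI
        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
        if: env.DIGEST_kubewarden-crds != ''
        with:
          push-to-registry: true
          subject-name: ${{ env.REGISTRY }}/kubewarden-crds
          subject-digest: ${{ env.DIGEST_kubewarden-crds }}

      - name: Generate provenance attestation for kubewarden-controller chart and push to OCI
        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
        if: env.DIGEST_kubewarden-controller != ''
        with:
          push-to-registry: true
          subject-name: ${{ env.REGISTRY }}/kubewarden-controller
          subject-digest: ${{ env.DIGEST_kubewarden-controller }}

      - name: Generate provenance attestation for kubewarden-defaults chart and push to OCI
        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
        if: env.DIGEST_kubewarden-defaults != ''
        with:
          push-to-registry: true
          subject-name: ${{ env.REGISTRY }}/kubewarden-defaults
          subject-digest: ${{ env.DIGEST_kubewarden-defaults }}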