forked from kubewarden/helm-charts
-
Notifications
You must be signed in to change notification settings - Fork 0
176 lines (156 loc) · 6.78 KB
/
helm-chart-release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
# This action releases the kubewarden-controller helm chart
# The action must run on each commit done against master, however
# a new release will be performed **only** when a change occurs inside
# of the `charts` directory.
#
# When the helm chart is changed, this action will:
# * Create a new GitHub release named: kubwarden-controller-chart
# * This release has a kubwarden-controller-chart.tar.gz asset associated with
# it. This is the actual helm chart
# * Update the `index.yaml` file inside of the `gh-pages` branch. This is the
# index of the helm chart repository, which we serve through GitHub pages
# * Update the docs shown https://charts.kubewarden.io, on the `gh-pages`
# branch. This is the README files of the chart(s), served also through
# GitHub pages
#
# = FAQ
#
# == Why don't we run this action only when a tag like `v*` is created?
#
# Running the action only when a "release tag" is created will not produce
# a helm chart. That happens because the code which determines if something
# changed inside of the `charts` directory will not find any changes.
#
# == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action?
#
# Yes, we even got that to work. However, what we really want to do is the
# ability to tag the releases of the kubewarden-controller and its helm chart
# in an independent way. Which what the official GitHub action already does.
name: Release helm chart
on:
push:
branches:
- main
jobs:
release:
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Check that the contents of common-values.yaml are included in values.yaml
run: |
make check-common-values
- name: Install Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: v3.8.0
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- name: Generate container image files
run: |
make generate-images-file
- name: Generate policies files
run: |
make generate-policies-file
- name: Generate changelog files
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
make generate-changelog-files
- name: Add dependency repo required to release the controller chart
run: |
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
helm repo update
- name: Run chart-releaser
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
with:
charts_dir: charts
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_SKIP_EXISTING: true
- name: Prepare GH pages readme
run: |
mkdir -p ./to-gh-pages
cat charts/kubewarden-controller/README.md >> charts/README.md
echo >> charts/README.md
cat charts/kubewarden-defaults/README.md >> charts/README.md
echo >> charts/README.md
cat charts/kubewarden-crds/README.md >> charts/README.md
cp -f charts/README.md ./to-gh-pages/
cp -f artifacthub-repo.yml ./to-gh-pages/
- name: Deploy readme to GH pages
uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./to-gh-pages
keep_files: true
enable_jekyll: true
- name: Upload images and policies file
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
# .cr-release-packages is the directory used by the Helm releaser from a previous step
chart_directory=.cr-release-packages
if [ ! -d "$chart_directory" ]; then
echo "$chart_directory does not exist. Assuming no charts update"
exit 0
fi
charts=$(find ./charts -maxdepth 1 -mindepth 1 -type d)
asset_name=""
for chart in $charts; do
chart_name=$(helm show chart $chart | yq -r '.name' )
chart_version=$(helm show chart $chart | yq -r '.version')
asset_name="${asset_name}_${chart_name}-${chart_version}"
done
image_asset_name="${asset_name:1}_images.txt"
cp imagelist.txt $image_asset_name
charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f)
for chart in $charts; do
chart_name=$(helm show chart $chart | yq -r '.name' )
chart_version=$(helm show chart $chart | yq -r '.version')
if [[ $chart_name != *"-crds" ]]; then
gh release upload $chart_name-$chart_version $image_asset_name --clobber
fi
if [[ $chart_name == *"-defaults" ]]; then
cp "./charts/kubewarden-defaults/policylist.txt" "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt"
gh release upload $chart_name-$chart_version "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt" --clobber
fi
done
- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate, sign and publish charts in OCI registry
shell: bash
run: |
set -e
# .cr-release-packages is the directory used by the Helm releaser from a previous step
chart_directory=.cr-release-packages
if [ ! -d "$chart_directory" ]; then
echo "$chart_directory does not exist. Assuming no charts update"
exit 0
fi
REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER"
charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f)
for chart in $charts; do
chart_name=$(helm show chart $chart | yq '.name' | sed 's/"//g')
chart_version=$(helm show chart $chart | yq '.version' | sed 's/"//g')
package_file=".cr-release-packages/$chart_name-$chart_version.tgz"
push_output=$(helm push $package_file "oci://$REGISTRY/charts")
chart_url=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\1\@\2/p')
cosign sign --yes "$chart_url"
done