-
Notifications
You must be signed in to change notification settings - Fork 106
88 lines (75 loc) · 3.01 KB
/
release-publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: release-publish
on:
push:
branches:
- main
permissions:
contents: write # Required for pushing the Helm charts to the gh-pages branch
packages: write # Required for GHCR access
id-token: write # Required for signing
jobs:
release:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0 # important for fetching all history to run comparison against
- name: Fetch history
run: git fetch --prune
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Import PGP Private Key
run: |
echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output /tmp/keyring.gpg
echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > /tmp/passphrase-file.txt
- name: Set up Helm
uses: azure/setup-helm@b7246b12e77f7134dc2d460a3d5bad15bbe29390 # v4.1.0
with:
version: v3.14.1
- name: Add chart dependencies
run: |
helm repo add cnpg-grafana-dashboard https://cloudnative-pg.github.io/grafana-dashboards
- name: Run chart-releaser
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_KEY: [email protected]
CR_KEYRING: /tmp/keyring.gpg
CR_PASSPHRASE_FILE: /tmp/passphrase-file.txt
CR_SIGN: true
CR_SKIP_EXISTING: true
CR_GENERATE_RELEASE_NOTES: true
CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-v{{ .Version }}"
- name: Securely delete the PGP key and passphrase
if: always()
run: shred --remove=wipesync /tmp/keyring.gpg /tmp/passphrase-file.txt
- name: Login to GitHub Container Registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install sigstore/cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- name: Push charts to GHCR
env:
COSIGN_EXPERIMENTAL: 1
# when filling gaps with previously released charts, cr would create
# nothing in .cr-release-packages/, and the original globbing character
# would be preserved, causing a non-zero exit. Set nullglob to fix this
run: |
shopt -s nullglob
for pkg in .cr-release-packages/*.tgz; do
if [ -z "${pkg:-}" ]; then
break
fi
helm push "${pkg}" oci://ghcr.io/"${GITHUB_REPOSITORY}"
file=${pkg##*/}
name=${file%-*}
version=${file%.*}
version=${version##*-}
cosign sign --yes ghcr.io/"${GITHUB_REPOSITORY}"/"${name}":"${version}"
done