Helm chart minor release (#572) #431

Summary
Jobs
- release
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/helm-chart-release.yml at 5bc08a2

	# This action releases the kubewarden Helm charts.
	# The action must run on each commit done against main, however
	# a new release will be performed only when a change occurs inside
	# of the `charts` directory.
	#
	# When the helm charts are changed, this action will, for each chart:
	# * Create a new GitHub release: e.g. kubwarden-controller-chart.
	# * This release has a kubwarden-controller-chart.tar.gz asset associated with
	# it. This is the actual Helm chart.
	# * Update the `index.yaml` file inside of the `gh-pages` branch. This is the
	# index of our https Helm chart repository, which we serve through GitHub pages.
	# * Update the docs shown at https://charts.kubewarden.io, on the `gh-pages`
	# branch. This is the README files of the chart(s), served also through
	# GitHub pages.
	# * Push the chart, signed and with attestation, to ghcr.io OCI registry.
	#
	# = FAQ
	#
	# == Why don't we run this action only when a tag like `v*` is created?
	#
	# Running the action only when a "release tag" is created will not produce
	# a helm chart. That happens because the code which determines if something
	# changed inside of the `charts` directory will not find any changes.
	#
	# == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action?
	#
	# Yes, we even got that to work. However, what we really want to do is the
	# ability to tag the releases of the kubewarden-controller and its helm chart
	# in an independent way. Which the official GitHub action already does.

	name: Release helm chart

	on:
	push:
	branches:
	- main

	jobs:
	release:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	packages: write
	contents: write
	attestations: write
	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0

	- name: Configure Git
	run: \|
	git config user.name "$GITHUB_ACTOR"
	git config user.email "[email protected]"

	- name: Check that the contents of common-values.yaml are included in values.yaml
	run: \|
	make check-common-values

	- name: Install cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

	- name: Generate container image files
	run: \|
	make generate-images-file

	- name: Generate policies files
	run: \|
	make generate-policies-file

	- name: Generate changelog files
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	make generate-changelog-files

	- name: Add dependency repo required to release the controller chart
	run: \|
	helm repo add policy-reporter https://kyverno.github.io/policy-reporter
	helm repo update

	- name: Run chart-releaser
	uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
	with:
	charts_dir: charts
	env:
	CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	CR_SKIP_EXISTING: true

	- name: Prepare GH pages readme
	run: \|
	mkdir -p ./to-gh-pages
	cat charts/kubewarden-controller/README.md >> charts/README.md
	echo >> charts/README.md
	cat charts/kubewarden-defaults/README.md >> charts/README.md
	echo >> charts/README.md
	cat charts/kubewarden-crds/README.md >> charts/README.md
	cp -f charts/README.md ./to-gh-pages/
	cp -f artifacthub-repo.yml ./to-gh-pages/

	- name: Deploy readme to GH pages
	uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}
	publish_dir: ./to-gh-pages
	keep_files: true
	enable_jekyll: true

	- name: Upload images and policies file
	shell: bash
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	set -e
	# .cr-release-packages is the directory used by the Helm releaser from a previous step
	chart_directory=.cr-release-packages
	if [ ! -d "$chart_directory" ]; then
	echo "$chart_directory does not exist. Assuming no charts update"
	exit 0
	fi

	charts=$(find ./charts -maxdepth 1 -mindepth 1 -type d)
	asset_name=""
	for chart in $charts; do
	chart_name=$(helm show chart $chart \| yq -r '.name' )
	chart_version=$(helm show chart $chart \| yq -r '.version')
	asset_name="${asset_name}_${chart_name}-${chart_version}"
	done
	image_asset_name="${asset_name:1}_images.txt"
	cp imagelist.txt $image_asset_name

	charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f)
	for chart in $charts; do
	chart_name=$(helm show chart $chart \| yq -r '.name' )
	chart_version=$(helm show chart $chart \| yq -r '.version')
	if [[ $chart_name != *"-crds" ]]; then
	gh release upload $chart_name-$chart_version $image_asset_name --clobber
	fi
	if [[ $chart_name == *"-defaults" ]]; then
	cp "./charts/kubewarden-defaults/policylist.txt" "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt"
	gh release upload $chart_name-$chart_version "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt" --clobber
	fi
	done

	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Publish and sign kubewarden-crds chart in OCI registry
	shell: bash
	run: \|
	set -ex
	chart_name=kubewarden-crds

	# .cr-release-packages is the directory used by the Helm releaser from a previous step
	chart_path=.cr-release-packages/${chart_name}-*.tgz
	if [ ! -f $chart_path ]; then
	echo "$chart_path does not exist. Assuming no charts update"
	exit 0
	fi
	REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER/charts"
	echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV"
	push_output=$(helm push $chart_path "oci://$REGISTRY" 2>&1)
	chart_url=$(echo $push_output \| sed -n 's/Pushed: $.$:. Digest: $.*$$/\1\@\2/p')
	digest=$(echo $push_output \| sed -n 's/Pushed: $.$:. Digest: $.*$$/\2/p')
	echo "DIGEST_${chart_name}=${digest}" >> "$GITHUB_ENV"
	cosign sign --yes "$chart_url"

	- name: Generate provenance attestation for kubewarden-crds chart and push to OCI
	uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
	if: env.DIGEST_kubewarden-crds != ''
	with:
	push-to-registry: true
	subject-name: ${{ env.REGISTRY}}/kubewarden-crds
	subject-digest: ${{ env.DIGEST_kubewarden-crds }}

	- name: Publish and sign kubewarden-controller chart in OCI registry
	shell: bash
	run: \|
	set -ex
	chart_name=kubewarden-controller

	# .cr-release-packages is the directory used by the Helm releaser from a previous step
	chart_path=.cr-release-packages/${chart_name}-*.tgz
	if [ ! -f $chart_path ]; then
	echo "$chart_path does not exist. Assuming no charts update"
	exit 0
	fi
	REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER/charts"
	echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV"
	push_output=$(helm push $chart_path "oci://$REGISTRY" 2>&1)
	chart_url=$(echo $push_output \| sed -n 's/Pushed: $.$:. Digest: $.*$$/\1\@\2/p')
	digest=$(echo $push_output \| sed -n 's/Pushed: $.$:. Digest: $.*$$/\2/p')
	echo "DIGEST_${chart_name}=${digest}" >> "$GITHUB_ENV"
	cosign sign --yes "$chart_url"

	- name: Generate provenance attestation for kubewarden-controller chart and push to OCI
	uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
	if: env.DIGEST_kubewarden-controller != ''
	with:
	push-to-registry: true
	subject-name: ${{ env.REGISTRY}}/kubewarden-controller
	subject-digest: ${{ env.DIGEST_kubewarden-controller }}

	- name: Publish and sign kubewarden-defaults chart in OCI registry
	shell: bash
	run: \|
	set -ex
	chart_name=kubewarden-defaults

	# .cr-release-packages is the directory used by the Helm releaser from a previous step
	chart_path=.cr-release-packages/${chart_name}-*.tgz
	if [ ! -f $chart_path ]; then
	echo "$chart_path does not exist. Assuming no charts update"
	exit 0
	fi
	REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER/charts"
	echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV"
	push_output=$(helm push $chart_path "oci://$REGISTRY" 2>&1)
	chart_url=$(echo $push_output \| sed -n 's/Pushed: $.$:. Digest: $.*$$/\1\@\2/p')
	digest=$(echo $push_output \| sed -n 's/Pushed: $.$:. Digest: $.*$$/\2/p')
	echo "DIGEST_${chart_name}=${digest}" >> "$GITHUB_ENV"
	cosign sign --yes "$chart_url"

	- name: Generate provenance attestation for kubewarden-defaults chart and push to OCI
	uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
	if: env.DIGEST_kubewarden-defaults != ''
	with:
	push-to-registry: true
	subject-name: ${{ env.REGISTRY}}/kubewarden-defaults
	subject-digest: ${{ env.DIGEST_kubewarden-defaults }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Helm chart minor release (#572) #431

Workflow file

Helm chart minor release (#572) #431

Jobs

Run details

Workflow file for this run