update-chart #265
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update helm charts | |
on: | |
workflow_dispatch: | |
inputs: | |
version: | |
description: | | |
version: | |
Version of the release that triggered the workflow | |
required: true | |
type: string | |
default: v1.10.0 | |
oldVersion: | |
description: | | |
oldVersion: | |
Previous version of the release, already shipped in helm-charts | |
required: true | |
type: string | |
default: v1.9.0 | |
repository: | |
description: | | |
repository: | |
Repository of the release that triggered the workflow | |
required: true | |
# in case of developing, change to type string: | |
# type: string | |
type: choice | |
options: | |
- kubewarden/kubewarden-controller | |
- kubewarden/policy-server | |
- kubewarden/kwctl | |
- kubewarden/audit-scanner | |
repository_dispatch: | |
types: [update-chart] | |
jobs: | |
setvariables: | |
name: Read variables from dispatch | |
# read variables from either the repository_dispatch or the | |
# workflow_dispatch, and create job outputs to reuse in other jobs. | |
# It is not enough with env vars. We need job outputs, as they are shared | |
# between jobs, since each job runs in a different VM instance. | |
runs-on: ubuntu-latest | |
outputs: | |
version: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.version || steps.from_workflow_dispatch.outputs.version }} | |
old_version: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.old_version || steps.from_workflow_dispatch.outputs.old_version }} | |
repository: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.repository || steps.from_workflow_dispatch.outputs.repository }} | |
steps: | |
- name: Validate payload | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
if: github.event_name == 'repository_dispatch' | |
with: | |
script: | | |
let repository = context.payload.client_payload.repository | |
if (!repository.endsWith("kubewarden-controller") && !repository.endsWith("policy-server") && !repository.endsWith("kwctl") && !repository.endsWith("audit-scanner")) { | |
core.setFailed("Invalid repository") | |
} | |
- name: Set job output vars from repository_dispatch payload | |
id: from_repository_dispatch | |
if: github.event_name == 'repository_dispatch' | |
run: | | |
echo "old_version=${{ github.event.client_payload.oldVersion }}" >> "$GITHUB_OUTPUT" | |
echo "version=${{ github.event.client_payload.version }}" >> "$GITHUB_OUTPUT" | |
echo "repository=${{ github.event.client_payload.repository }}" >> "$GITHUB_OUTPUT" | |
- name: Set job output vars from workflow_dispatch input | |
id: from_workflow_dispatch | |
if: github.event_name == 'workflow_dispatch' | |
run: | | |
echo "old_version=${{ inputs.oldVersion }}" >> "$GITHUB_OUTPUT" | |
echo "version=${{ inputs.version }}" >> "$GITHUB_OUTPUT" | |
echo "repository=${{ inputs.repository }}" >> "$GITHUB_OUTPUT" | |
check-update-type: | |
name: Detect update type | |
runs-on: ubuntu-latest | |
needs: setvariables | |
outputs: | |
update_type: ${{ steps.check_update_type.outputs.update_type }} | |
repository: ${{ steps.check_update_type.outputs.repository }} | |
prerelease: ${{ steps.check_update_type.outputs.prerelease }} | |
steps: | |
- name: Install semver comparison tool | |
run: | | |
INSTALL_DIR="$HOME"/.semver | |
mkdir -p "$INSTALL_DIR" | |
wget -O "$INSTALL_DIR"/semver https://github.com/fsaintjacques/semver-tool/raw/3.4.0/src/semver | |
chmod +x "$INSTALL_DIR"/semver | |
echo "$INSTALL_DIR" >> "$GITHUB_PATH" | |
- name: Check if it is a patch update | |
id: check_update_type | |
run: | | |
OLDVERSION="${{ needs.setvariables.outputs.old_version }}" | |
NEWVERSION="${{ needs.setvariables.outputs.version }}" | |
REPOSITORY="${{ needs.setvariables.outputs.repository }}" | |
VALID="$(semver validate $OLDVERSION)" | |
if [[ $VALID == "invalid" ]]; then | |
exit 1 | |
fi | |
VALID="$(semver validate $NEWVERSION)" | |
if [[ $VALID == "invalid" ]]; then | |
exit 1 | |
fi | |
UPDATE_TYPE="$(semver diff $OLDVERSION $NEWVERSION)" | |
PRERELEASE_SUFFIX="-$(semver get prerelease $NEWVERSION)" | |
if [[ $PRERELEASE_SUFFIX == "-" ]];then | |
PRERELEASE_SUFFIX=" " | |
fi | |
echo "update_type=$UPDATE_TYPE" >> "$GITHUB_OUTPUT" | |
echo "repository=$REPOSITORY" >> "$GITHUB_OUTPUT" | |
echo "prerelease=$PRERELEASE_SUFFIX" >> "$GITHUB_OUTPUT" | |
patch-update: | |
name: Patch release updates | |
runs-on: ubuntu-latest | |
needs: | |
- check-update-type | |
- setvariables | |
if: needs.check-update-type.outputs.update_type == 'patch' && !endsWith(needs.check-update-type.outputs.repository, 'kwctl') | |
permissions: | |
contents: write | |
pull-requests: write | |
steps: | |
- name: create env vars from needs.setvariables.outputs | |
# This is neeeded because in scripts, we don't have a way to access the `needs` json object. | |
# The env vars defined here will be accesible in the scripts under `process.env.foo` | |
run: | | |
echo "old_version=${{ needs.setvariables.outputs.old_version }}" >> "$GITHUB_ENV" | |
echo "version=${{ needs.setvariables.outputs.version }}" >> "$GITHUB_ENV" | |
echo "repository=${{ needs.setvariables.outputs.repository }}" >> "$GITHUB_ENV" | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Download CRDS controller | |
if: endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
let repository_split = process.env.repository.split("/") | |
let owner = repository_split[0] | |
const repo = "kubewarden-controller" | |
const version = process.env.version | |
const crds_tarball = "CRDS.tar.gz" | |
console.log(`Obtaining GH asset id for ${crds_tarball} in ${process.env.repository}`) | |
let crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}).then((response) => { | |
for (const file of response.data.assets) { | |
if (file.name == crds_tarball) { | |
return file.id; | |
} | |
} | |
return null; | |
}, (failedResponse) => { | |
core.setFailed("Cannot obtain crds_assed_id, no matching CRDS.tar.gz found") | |
}); | |
if (typeof(crds_asset_id) != "number") { | |
core.setFailed(`No ${crds_tarball} found. This is expected if the ${repo} release job is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`) | |
} | |
console.log(`Fetching ${crds_tarball} asset with id: ${crds_asset_id}`) | |
let asset = await github.rest.repos.getReleaseAsset({ | |
owner: owner, repo: repo, asset_id: crds_asset_id, headers:{ | |
accept: "application/octet-stream"}, | |
}) | |
let fs = require('fs'); | |
fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data)) | |
console.log(`${crds_tarball} downloaded successfully`) | |
- name: Download CRDS audit-scanner | |
if: endsWith(needs.setvariables.outputs.repository, 'audit-scanner') | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
let repository_split = process.env.repository.split("/") | |
let owner = repository_split[0] | |
const repo = "audit-scanner" | |
const version = process.env.version | |
const crds_tarball = "CRDS.tar.gz" | |
console.log(`Obtaining GH asset id for ${crds_tarball} in ${process.env.repository}`) | |
let crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}).then((response) => { | |
for (const file of response.data.assets) { | |
if (file.name == crds_tarball) { | |
return file.id; | |
} | |
} | |
return null; | |
}, (failedResponse) => { | |
core.setFailed("Cannot obtain crds_assed_id, no matching CRDS.tar.gz found") | |
}); | |
if (typeof(crds_asset_id) != "number") { | |
core.setFailed(`No ${crds_tarball} found. This is expected if the ${repo} release job is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`) | |
} | |
console.log(`Fetching ${crds_tarball} asset with id: ${crds_asset_id}`) | |
let asset = await github.rest.repos.getReleaseAsset({ | |
owner: owner, repo: repo, asset_id: crds_asset_id, headers:{ | |
accept: "application/octet-stream"}, | |
}) | |
let fs = require('fs'); | |
fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data)) | |
console.log(`${crds_tarball} downloaded successfully`) | |
- name: Update CRDs | |
if: endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') || endsWith(needs.setvariables.outputs.repository, 'audit-scanner') | |
id: update_crds | |
run: | | |
# Install CRDs from tar.gz, and then see if there was any change, | |
# which tells us if updatecli needs to bump the crds chart or not | |
./updatecli/scripts/install_crds.sh | |
set +e | |
git diff --exit-code --no-patch charts/kubewarden-crds | |
echo "must_update_crds_chart=$?" >> "$GITHUB_OUTPUT" | |
- name: Install Updatecli in the runner | |
uses: updatecli/updatecli-action@704a64517239e0993c5e3bf6749a063b8f950d9f # v2.70.0 | |
- name: Update kubewarden-defaults Helm chart | |
if: endsWith(needs.setvariables.outputs.repository, 'policy-server') | |
env: | |
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-defaults.yaml --values updatecli/values.yaml" | |
- name: Update kubewarden-controller Helm chart with no CRDs update | |
if: (endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') || endsWith(needs.setvariables.outputs.repository, 'audit-scanner')) && steps.update_crds.outputs.must_update_crds_chart==0 | |
env: | |
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-controller.yaml --values updatecli/values.yaml" | |
- name: Update kubewarden-controller Helm chart with CRDs update | |
if: (endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') || endsWith(needs.setvariables.outputs.repository, 'audit-scanner')) && steps.update_crds.outputs.must_update_crds_chart!=0 | |
env: | |
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml --values updatecli/values.yaml" | |
major-minor-prerelease-update: | |
name: Major or minor release updates | |
runs-on: ubuntu-latest | |
needs: | |
- check-update-type | |
- setvariables | |
if: needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor' || needs.check-update-type.outputs.update_type == 'prerelease' | |
steps: | |
- name: create env vars from needs.setvariables.outputs | |
# This is neeeded because in scripts, we don't have a way to access the `needs` json object. | |
# The env vars defined here will be accesible in the scripts under `process.env.foo` | |
run: | | |
echo "old_version=${{ needs.setvariables.outputs.old_version }}" >> "$GITHUB_ENV" | |
echo "version=${{ needs.setvariables.outputs.version }}" >> "$GITHUB_ENV" | |
echo "repository=${{ needs.setvariables.outputs.repository }}" >> "$GITHUB_ENV" | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Check if all components have a release with the same tag | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
let repository_split = process.env.repository.split("/") | |
let owner = repository_split[0] | |
const version = process.env.version | |
let repos = ['kubewarden-controller', 'policy-server', 'kwctl', 'audit-scanner'] | |
for (const repo of repos) { | |
try { | |
await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}) | |
} catch (e) { | |
core.setFailed(`${repo} is missing a release for the tag ${version}`) | |
} | |
} | |
- name: Download CRDs from Kubewarden controller | |
id: download_crds_controller | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
let repository_split = process.env.repository.split("/") | |
let owner = repository_split[0] | |
const repo = "kubewarden-controller" | |
const version = process.env.version | |
const crds_tarball = "CRDS.tar.gz" | |
console.log(`Obtaining GH asset id for ${crds_tarball} in ${process.env.repository}`) | |
let crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}).then((response) => { | |
for (const file of response.data.assets) { | |
if (file.name == crds_tarball) { | |
return file.id; | |
} | |
} | |
return null; | |
}, (failedResponse) => { | |
core.setFailed("Cannot obtain crds_assed_id, no matching CRDS.tar.gz found") | |
}); | |
if (typeof(crds_asset_id) != "number") { | |
core.setFailed(`No ${crds_tarball} found. This is expected if the ${repo} release job is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`) | |
} | |
console.log(`Fetching ${crds_tarball} asset with id: ${crds_asset_id}`) | |
let asset = await github.rest.repos.getReleaseAsset({ | |
owner: owner, repo: repo, asset_id: crds_asset_id, headers:{ | |
accept: "application/octet-stream"}, | |
}) | |
let fs = require('fs'); | |
fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data)) | |
console.log(`${crds_tarball} downloaded successfully`) | |
- name: Download CRDs from audit scanner | |
id: download_crds_audit_scanner | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
let repository_split = process.env.repository.split("/") | |
let owner = repository_split[0] | |
const repo = "audit-scanner" | |
const version = process.env.version | |
const crds_tarball = "CRDS.tar.gz" | |
console.log(`Obtaining GH asset id for ${crds_tarball} in ${process.env.repository}`) | |
let crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}).then((response) => { | |
for (const file of response.data.assets) { | |
if (file.name == crds_tarball) { | |
return file.id; | |
} | |
} | |
return null; | |
}, (failedResponse) => { | |
core.setFailed("Cannot obtain crds_assed_id, no matching CRDS.tar.gz found") | |
}); | |
if (typeof(crds_asset_id) != "number") { | |
core.setFailed(`No ${crds_tarball} found. This is expected if the ${repo} release job is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`) | |
} | |
console.log(`Fetching ${crds_tarball} asset with id: ${crds_asset_id}`) | |
let asset = await github.rest.repos.getReleaseAsset({ | |
owner: owner, repo: repo, asset_id: crds_asset_id, headers:{ | |
accept: "application/octet-stream"}, | |
}) | |
let fs = require('fs'); | |
fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data)) | |
console.log(`${crds_tarball} downloaded successfully`) | |
- name: Update CRDS | |
id: update_crds | |
run: | | |
# Install CRDs from tar.gz, and then see if there was any change, | |
# which tells us if updatecli needs to bump the crds chart or not | |
./updatecli/scripts/install_crds.sh | |
set +e | |
git diff --exit-code --no-patch charts/kubewarden-crds | |
echo "must_update_crds_chart=$?" >> "$GITHUB_OUTPUT" | |
- name: Install Updatecli in the runner | |
uses: updatecli/updatecli-action@704a64517239e0993c5e3bf6749a063b8f950d9f # v2.70.0 | |
- name: Major or minor update Kubewarden charts with NO CRDs update | |
if: steps.update_crds.outputs.must_update_crds_chart==0 && (needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor') | |
env: | |
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }} | |
UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }} | |
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
run: "updatecli apply --config ./updatecli/updatecli.d/major-kubewarden-update.yaml --values updatecli/values.yaml" | |
- name: Major or minor update Kubewarden charts WITH CRDs update | |
if: steps.update_crds.outputs.must_update_crds_chart==1 && (needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor') | |
env: | |
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }} | |
UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }} | |
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
run: "updatecli apply --config ./updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml --values updatecli/values.yaml" | |
- name: Prerelease update Kubewarden charts with NO CRDs update | |
if: steps.update_crds.outputs.must_update_crds_chart==0 && needs.check-update-type.outputs.update_type == 'prerelease' | |
env: | |
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }} | |
UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }} | |
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
run: "updatecli apply --config ./updatecli/updatecli.d/prerelease-kubewarden-update.yaml --values updatecli/values.yaml" | |
- name: Prerelease update Kubewarden charts WITH CRDs update | |
if: steps.update_crds.outputs.must_update_crds_chart==1 && needs.check-update-type.outputs.update_type == 'prerelease' | |
env: | |
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }} | |
UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }} | |
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
run: "updatecli apply --config ./updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml --values updatecli/values.yaml" |