Skip to content

update-chart

update-chart #265

Workflow file for this run

name: Update helm charts
on:
workflow_dispatch:
inputs:
version:
description: |
version:
Version of the release that triggered the workflow
required: true
type: string
default: v1.10.0
oldVersion:
description: |
oldVersion:
Previous version of the release, already shipped in helm-charts
required: true
type: string
default: v1.9.0
repository:
description: |
repository:
Repository of the release that triggered the workflow
required: true
# in case of developing, change to type string:
# type: string
type: choice
options:
- kubewarden/kubewarden-controller
- kubewarden/policy-server
- kubewarden/kwctl
- kubewarden/audit-scanner
repository_dispatch:
types: [update-chart]
jobs:
setvariables:
name: Read variables from dispatch
# read variables from either the repository_dispatch or the
# workflow_dispatch, and create job outputs to reuse in other jobs.
# It is not enough with env vars. We need job outputs, as they are shared
# between jobs, since each job runs in a different VM instance.
runs-on: ubuntu-latest
outputs:
version: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.version || steps.from_workflow_dispatch.outputs.version }}
old_version: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.old_version || steps.from_workflow_dispatch.outputs.old_version }}
repository: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.repository || steps.from_workflow_dispatch.outputs.repository }}
steps:
- name: Validate payload
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
if: github.event_name == 'repository_dispatch'
with:
script: |
let repository = context.payload.client_payload.repository
if (!repository.endsWith("kubewarden-controller") && !repository.endsWith("policy-server") && !repository.endsWith("kwctl") && !repository.endsWith("audit-scanner")) {
core.setFailed("Invalid repository")
}
- name: Set job output vars from repository_dispatch payload
id: from_repository_dispatch
if: github.event_name == 'repository_dispatch'
run: |
echo "old_version=${{ github.event.client_payload.oldVersion }}" >> "$GITHUB_OUTPUT"
echo "version=${{ github.event.client_payload.version }}" >> "$GITHUB_OUTPUT"
echo "repository=${{ github.event.client_payload.repository }}" >> "$GITHUB_OUTPUT"
- name: Set job output vars from workflow_dispatch input
id: from_workflow_dispatch
if: github.event_name == 'workflow_dispatch'
run: |
echo "old_version=${{ inputs.oldVersion }}" >> "$GITHUB_OUTPUT"
echo "version=${{ inputs.version }}" >> "$GITHUB_OUTPUT"
echo "repository=${{ inputs.repository }}" >> "$GITHUB_OUTPUT"
check-update-type:
name: Detect update type
runs-on: ubuntu-latest
needs: setvariables
outputs:
update_type: ${{ steps.check_update_type.outputs.update_type }}
repository: ${{ steps.check_update_type.outputs.repository }}
prerelease: ${{ steps.check_update_type.outputs.prerelease }}
steps:
- name: Install semver comparison tool
run: |
INSTALL_DIR="$HOME"/.semver
mkdir -p "$INSTALL_DIR"
wget -O "$INSTALL_DIR"/semver https://github.com/fsaintjacques/semver-tool/raw/3.4.0/src/semver
chmod +x "$INSTALL_DIR"/semver
echo "$INSTALL_DIR" >> "$GITHUB_PATH"
- name: Check if it is a patch update
id: check_update_type
run: |
OLDVERSION="${{ needs.setvariables.outputs.old_version }}"
NEWVERSION="${{ needs.setvariables.outputs.version }}"
REPOSITORY="${{ needs.setvariables.outputs.repository }}"
VALID="$(semver validate $OLDVERSION)"
if [[ $VALID == "invalid" ]]; then
exit 1
fi
VALID="$(semver validate $NEWVERSION)"
if [[ $VALID == "invalid" ]]; then
exit 1
fi
UPDATE_TYPE="$(semver diff $OLDVERSION $NEWVERSION)"
PRERELEASE_SUFFIX="-$(semver get prerelease $NEWVERSION)"
if [[ $PRERELEASE_SUFFIX == "-" ]];then
PRERELEASE_SUFFIX=" "
fi
echo "update_type=$UPDATE_TYPE" >> "$GITHUB_OUTPUT"
echo "repository=$REPOSITORY" >> "$GITHUB_OUTPUT"
echo "prerelease=$PRERELEASE_SUFFIX" >> "$GITHUB_OUTPUT"
patch-update:
name: Patch release updates
runs-on: ubuntu-latest
needs:
- check-update-type
- setvariables
if: needs.check-update-type.outputs.update_type == 'patch' && !endsWith(needs.check-update-type.outputs.repository, 'kwctl')
permissions:
contents: write
pull-requests: write
steps:
- name: create env vars from needs.setvariables.outputs
# This is neeeded because in scripts, we don't have a way to access the `needs` json object.
# The env vars defined here will be accesible in the scripts under `process.env.foo`
run: |
echo "old_version=${{ needs.setvariables.outputs.old_version }}" >> "$GITHUB_ENV"
echo "version=${{ needs.setvariables.outputs.version }}" >> "$GITHUB_ENV"
echo "repository=${{ needs.setvariables.outputs.repository }}" >> "$GITHUB_ENV"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Download CRDS controller
if: endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller')
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let repository_split = process.env.repository.split("/")
let owner = repository_split[0]
const repo = "kubewarden-controller"
const version = process.env.version
const crds_tarball = "CRDS.tar.gz"
console.log(`Obtaining GH asset id for ${crds_tarball} in ${process.env.repository}`)
let crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}).then((response) => {
for (const file of response.data.assets) {
if (file.name == crds_tarball) {
return file.id;
}
}
return null;
}, (failedResponse) => {
core.setFailed("Cannot obtain crds_assed_id, no matching CRDS.tar.gz found")
});
if (typeof(crds_asset_id) != "number") {
core.setFailed(`No ${crds_tarball} found. This is expected if the ${repo} release job is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`)
}
console.log(`Fetching ${crds_tarball} asset with id: ${crds_asset_id}`)
let asset = await github.rest.repos.getReleaseAsset({
owner: owner, repo: repo, asset_id: crds_asset_id, headers:{
accept: "application/octet-stream"},
})
let fs = require('fs');
fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data))
console.log(`${crds_tarball} downloaded successfully`)
- name: Download CRDS audit-scanner
if: endsWith(needs.setvariables.outputs.repository, 'audit-scanner')
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let repository_split = process.env.repository.split("/")
let owner = repository_split[0]
const repo = "audit-scanner"
const version = process.env.version
const crds_tarball = "CRDS.tar.gz"
console.log(`Obtaining GH asset id for ${crds_tarball} in ${process.env.repository}`)
let crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}).then((response) => {
for (const file of response.data.assets) {
if (file.name == crds_tarball) {
return file.id;
}
}
return null;
}, (failedResponse) => {
core.setFailed("Cannot obtain crds_assed_id, no matching CRDS.tar.gz found")
});
if (typeof(crds_asset_id) != "number") {
core.setFailed(`No ${crds_tarball} found. This is expected if the ${repo} release job is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`)
}
console.log(`Fetching ${crds_tarball} asset with id: ${crds_asset_id}`)
let asset = await github.rest.repos.getReleaseAsset({
owner: owner, repo: repo, asset_id: crds_asset_id, headers:{
accept: "application/octet-stream"},
})
let fs = require('fs');
fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data))
console.log(`${crds_tarball} downloaded successfully`)
- name: Update CRDs
if: endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') || endsWith(needs.setvariables.outputs.repository, 'audit-scanner')
id: update_crds
run: |
# Install CRDs from tar.gz, and then see if there was any change,
# which tells us if updatecli needs to bump the crds chart or not
./updatecli/scripts/install_crds.sh
set +e
git diff --exit-code --no-patch charts/kubewarden-crds
echo "must_update_crds_chart=$?" >> "$GITHUB_OUTPUT"
- name: Install Updatecli in the runner
uses: updatecli/updatecli-action@704a64517239e0993c5e3bf6749a063b8f950d9f # v2.70.0
- name: Update kubewarden-defaults Helm chart
if: endsWith(needs.setvariables.outputs.repository, 'policy-server')
env:
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }}
run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-defaults.yaml --values updatecli/values.yaml"
- name: Update kubewarden-controller Helm chart with no CRDs update
if: (endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') || endsWith(needs.setvariables.outputs.repository, 'audit-scanner')) && steps.update_crds.outputs.must_update_crds_chart==0
env:
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }}
run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-controller.yaml --values updatecli/values.yaml"
- name: Update kubewarden-controller Helm chart with CRDs update
if: (endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') || endsWith(needs.setvariables.outputs.repository, 'audit-scanner')) && steps.update_crds.outputs.must_update_crds_chart!=0
env:
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }}
run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml --values updatecli/values.yaml"
major-minor-prerelease-update:
name: Major or minor release updates
runs-on: ubuntu-latest
needs:
- check-update-type
- setvariables
if: needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor' || needs.check-update-type.outputs.update_type == 'prerelease'
steps:
- name: create env vars from needs.setvariables.outputs
# This is neeeded because in scripts, we don't have a way to access the `needs` json object.
# The env vars defined here will be accesible in the scripts under `process.env.foo`
run: |
echo "old_version=${{ needs.setvariables.outputs.old_version }}" >> "$GITHUB_ENV"
echo "version=${{ needs.setvariables.outputs.version }}" >> "$GITHUB_ENV"
echo "repository=${{ needs.setvariables.outputs.repository }}" >> "$GITHUB_ENV"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check if all components have a release with the same tag
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let repository_split = process.env.repository.split("/")
let owner = repository_split[0]
const version = process.env.version
let repos = ['kubewarden-controller', 'policy-server', 'kwctl', 'audit-scanner']
for (const repo of repos) {
try {
await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,})
} catch (e) {
core.setFailed(`${repo} is missing a release for the tag ${version}`)
}
}
- name: Download CRDs from Kubewarden controller
id: download_crds_controller
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let repository_split = process.env.repository.split("/")
let owner = repository_split[0]
const repo = "kubewarden-controller"
const version = process.env.version
const crds_tarball = "CRDS.tar.gz"
console.log(`Obtaining GH asset id for ${crds_tarball} in ${process.env.repository}`)
let crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}).then((response) => {
for (const file of response.data.assets) {
if (file.name == crds_tarball) {
return file.id;
}
}
return null;
}, (failedResponse) => {
core.setFailed("Cannot obtain crds_assed_id, no matching CRDS.tar.gz found")
});
if (typeof(crds_asset_id) != "number") {
core.setFailed(`No ${crds_tarball} found. This is expected if the ${repo} release job is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`)
}
console.log(`Fetching ${crds_tarball} asset with id: ${crds_asset_id}`)
let asset = await github.rest.repos.getReleaseAsset({
owner: owner, repo: repo, asset_id: crds_asset_id, headers:{
accept: "application/octet-stream"},
})
let fs = require('fs');
fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data))
console.log(`${crds_tarball} downloaded successfully`)
- name: Download CRDs from audit scanner
id: download_crds_audit_scanner
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let repository_split = process.env.repository.split("/")
let owner = repository_split[0]
const repo = "audit-scanner"
const version = process.env.version
const crds_tarball = "CRDS.tar.gz"
console.log(`Obtaining GH asset id for ${crds_tarball} in ${process.env.repository}`)
let crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}).then((response) => {
for (const file of response.data.assets) {
if (file.name == crds_tarball) {
return file.id;
}
}
return null;
}, (failedResponse) => {
core.setFailed("Cannot obtain crds_assed_id, no matching CRDS.tar.gz found")
});
if (typeof(crds_asset_id) != "number") {
core.setFailed(`No ${crds_tarball} found. This is expected if the ${repo} release job is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`)
}
console.log(`Fetching ${crds_tarball} asset with id: ${crds_asset_id}`)
let asset = await github.rest.repos.getReleaseAsset({
owner: owner, repo: repo, asset_id: crds_asset_id, headers:{
accept: "application/octet-stream"},
})
let fs = require('fs');
fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data))
console.log(`${crds_tarball} downloaded successfully`)
- name: Update CRDS
id: update_crds
run: |
# Install CRDs from tar.gz, and then see if there was any change,
# which tells us if updatecli needs to bump the crds chart or not
./updatecli/scripts/install_crds.sh
set +e
git diff --exit-code --no-patch charts/kubewarden-crds
echo "must_update_crds_chart=$?" >> "$GITHUB_OUTPUT"
- name: Install Updatecli in the runner
uses: updatecli/updatecli-action@704a64517239e0993c5e3bf6749a063b8f950d9f # v2.70.0
- name: Major or minor update Kubewarden charts with NO CRDs update
if: steps.update_crds.outputs.must_update_crds_chart==0 && (needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor')
env:
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }}
UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }}
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }}
run: "updatecli apply --config ./updatecli/updatecli.d/major-kubewarden-update.yaml --values updatecli/values.yaml"
- name: Major or minor update Kubewarden charts WITH CRDs update
if: steps.update_crds.outputs.must_update_crds_chart==1 && (needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor')
env:
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }}
UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }}
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }}
run: "updatecli apply --config ./updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml --values updatecli/values.yaml"
- name: Prerelease update Kubewarden charts with NO CRDs update
if: steps.update_crds.outputs.must_update_crds_chart==0 && needs.check-update-type.outputs.update_type == 'prerelease'
env:
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }}
UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }}
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }}
run: "updatecli apply --config ./updatecli/updatecli.d/prerelease-kubewarden-update.yaml --values updatecli/values.yaml"
- name: Prerelease update Kubewarden charts WITH CRDs update
if: steps.update_crds.outputs.must_update_crds_chart==1 && needs.check-update-type.outputs.update_type == 'prerelease'
env:
UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }}
UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }}
UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }}
run: "updatecli apply --config ./updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml --values updatecli/values.yaml"