-
Notifications
You must be signed in to change notification settings - Fork 17
172 lines (152 loc) · 6.3 KB
/
helm-chart-release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
# This action releases the kubewarden-controller helm chart
# The action must run on each commit done against master, however
# a new release will be performed **only** when a change occurs inside
# of the `charts` directory.
#
# When the helm chart is changed, this action will:
# * Create a new GitHub release named: kubwarden-controller-chart
# * This release has a kubwarden-controller-chart.tar.gz asset associated with
# it. This is the actual helm chart
# * Update the `index.yaml` file inside of the `gh-pages` branch. This is the
# index of the helm chart repository, which we serve through GitHub pages
# * Update the docs shown https://charts.kubewarden.io, on the `gh-pages`
# branch. This is the README files of the chart(s), served also through
# GitHub pages
#
# = FAQ
#
# == Why don't we run this action only when a tag like `v*` is created?
#
# Running the action only when a "release tag" is created will not produce
# a helm chart. That happens because the code which determines if something
# changed inside of the `charts` directory will not find any changes.
#
# == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action?
#
# Yes, we even got that to work. However, what we really want to do is the
# ability to tag the releases of the kubewarden-controller and its helm chart
# in an independent way. Which what the official GitHub action already does.
name: Release helm chart
on:
push:
branches:
- main
jobs:
release:
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Check Helm generated values are up-to-date before releasing
run: |
make check-generated-values
- name: Install Helm
uses: azure/setup-helm@v3
with:
version: v3.8.0
- name: Install cosign
uses: sigstore/cosign-installer@v3
- name: Generate container image files
run: |
make generate-images-file
- name: Generate policies files
run: |
make generate-policies-file
- name: Generate changelog files
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
make generate-changelog-files
- name: Run chart-releaser
uses: helm/[email protected]
with:
charts_dir: charts
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_SKIP_EXISTING: true
- name: Prepare GH pages readme
run: |
mkdir -p ./to-gh-pages
cat charts/kubewarden-controller/README.md >> charts/README.md
echo >> charts/README.md
cat charts/kubewarden-defaults/README.md >> charts/README.md
echo >> charts/README.md
cat charts/kubewarden-crds/README.md >> charts/README.md
cp -f charts/README.md ./to-gh-pages/
cp -f artifacthub-repo.yml ./to-gh-pages/
- name: Deploy readme to GH pages
uses: peaceiris/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./to-gh-pages
keep_files: true
enable_jekyll: true
- name: Upload images and policies file
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
# .cr-release-packages is the directory used by the Helm releaser from a previous step
chart_directory=.cr-release-packages
if [ ! -d "$chart_directory" ]; then
echo "$chart_directory does not exist. Assuming no charts update"
exit 0
fi
charts=$(find ./charts -maxdepth 1 -mindepth 1 -type d)
asset_name=""
for chart in $charts; do
chart_name=$(helm show chart $chart | yq -r '.name' )
chart_version=$(helm show chart $chart | yq -r '.version')
asset_name="${asset_name}_${chart_name}-${chart_version}"
done
image_asset_name="${asset_name:1}_images.txt"
cp imagelist.txt $image_asset_name
charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f)
for chart in $charts; do
chart_name=$(helm show chart $chart | yq -r '.name' )
chart_version=$(helm show chart $chart | yq -r '.version')
if [[ $chart_name != *"-crds" ]]; then
gh release upload $chart_name-$chart_version $image_asset_name --clobber
fi
if [[ $chart_name == *"-defaults" ]]; then
cp "./charts/kubewarden-defaults/policylist.txt" "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt"
gh release upload $chart_name-$chart_version "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt" --clobber
fi
done
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate, sign and publish charts in OCI registry
shell: bash
run: |
set -e
# .cr-release-packages is the directory used by the Helm releaser from a previous step
chart_directory=.cr-release-packages
if [ ! -d "$chart_directory" ]; then
echo "$chart_directory does not exist. Assuming no charts update"
exit 0
fi
REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER"
charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f)
for chart in $charts; do
chart_name=$(helm show chart $chart | yq '.name' | sed 's/"//g')
chart_version=$(helm show chart $chart | yq '.version' | sed 's/"//g')
package_file=".cr-release-packages/$chart_name-$chart_version.tgz"
push_output=$(helm push $package_file "oci://$REGISTRY/charts")
chart_url=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\1\@\2/p')
cosign sign --yes "$chart_url"
done