Helm chart minor release (#619) #459
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action releases the kubewarden Helm charts. | |
| # The action must run on each commit done against main, however | |
| # a new release will be performed **only** when a change occurs inside | |
| # of the `charts` directory. | |
| # | |
| # When the helm charts are changed, this action will, for each chart: | |
| # * Create a new GitHub release: e.g. kubwarden-controller-chart. | |
| # * This release has a kubwarden-controller-chart.tar.gz asset associated with | |
| # it. This is the actual Helm chart. | |
| # * Update the `index.yaml` file inside of the `gh-pages` branch. This is the | |
| # index of our https Helm chart repository, which we serve through GitHub pages. | |
| # * Update the docs shown at https://charts.kubewarden.io, on the `gh-pages` | |
| # branch. This is the README files of the chart(s), served also through | |
| # GitHub pages. | |
| # * Push the chart, signed and with attestation, to ghcr.io OCI registry. | |
| # | |
| # = FAQ | |
| # | |
| # == Why don't we run this action only when a tag like `v*` is created? | |
| # | |
| # Running the action only when a "release tag" is created will not produce | |
| # a helm chart. That happens because the code which determines if something | |
| # changed inside of the `charts` directory will not find any changes. | |
| # | |
| # == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action? | |
| # | |
| # Yes, we even got that to work. However, what we really want to do is the | |
| # ability to tag the releases of the kubewarden-controller and its helm chart | |
| # in an independent way. Which the official GitHub action already does. | |
| name: Release helm chart | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| packages: write | |
| contents: write | |
| attestations: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "[email protected]" | |
| - name: Check that the contents of common-values.yaml are included in values.yaml | |
| run: | | |
| make check-common-values | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Generate container image files | |
| run: | | |
| make generate-images-file | |
| - name: Generate policies files | |
| run: | | |
| make generate-policies-file | |
| - name: Generate changelog files | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| make generate-changelog-files | |
| - name: Add dependency repo required to release the controller chart | |
| run: | | |
| helm repo add policy-reporter https://kyverno.github.io/policy-reporter | |
| helm repo update | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install chart-releaser | |
| uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 | |
| with: | |
| install_only: true | |
| - name: Release Helm charts | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -ex | |
| OWNER=${{ github.repository_owner }} | |
| REPO=helm-charts | |
| CONFIG_FILE=cr.yaml | |
| PACKAGE_PATH=.cr-release-packages | |
| CR_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
| rm -rf ${PACKAGE_PATH} | |
| # Release each chart in the charts directory | |
| for chart in $(find charts -maxdepth 1 -mindepth 1 -type d ); do | |
| chart_name=$(basename $chart) | |
| chart_path=${PACKAGE_PATH}/${chart_name}-*.tgz | |
| cr package charts/${chart_name} --config ${CONFIG_FILE} --package-path ${PACKAGE_PATH} | |
| # check if the chart version is already release. If so, do nothing | |
| chart_version=$(helm show chart $chart_path | yq -r '.version') | |
| if gh --repo ${OWNER}/${REPO} release view $chart_name-$chart_version; then | |
| echo "Chart $chart_name-$chart_version already released. No need to release again." | |
| rm $chart_path | |
| continue | |
| fi | |
| done | |
| # Upload the charts if the .cr-release-packages directory is not empty | |
| if [ "$(ls ${PACKAGE_PATH})" ]; then | |
| # Upload the chart to the GitHub release | |
| cr upload --config ${CONFIG_FILE} -o ${OWNER} -r ${REPO} -c "$(git rev-parse HEAD)" --skip-existing --make-release-latest=false --token ${CR_TOKEN} --push | |
| echo "Charts released!" | |
| # Reindex the repository | |
| cr index --config ${CONFIG_FILE} -o ${OWNER} -r ${REPO} --push --token ${CR_TOKEN} --index-path . | |
| echo "Repository indexed!" | |
| # Publish the charts to the OCI registry and sign them | |
| REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER/charts" | |
| echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV" | |
| for chart_path in $(find ${PACKAGE_PATH} -maxdepth 1 -mindepth 1 ); do | |
| echo "Pushing chart $chart_path to ghcr.io" | |
| chart_name=$(helm show chart ${chart_path} | yq ".name") | |
| push_output=$(helm push $chart_path "oci://$REGISTRY" 2>&1) | |
| chart_url=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\1\@\2/p') | |
| digest=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\2/p') | |
| echo "DIGEST_${chart_name}=${digest}" >> "$GITHUB_ENV" | |
| cosign sign --yes "$chart_url" | |
| echo "Chart $chart_name signed and pushed to ghcr.io" | |
| done | |
| fi | |
| - name: Prepare GH pages readme | |
| run: | | |
| mkdir -p ./to-gh-pages | |
| cat charts/kubewarden-controller/README.md >> charts/README.md | |
| echo >> charts/README.md | |
| cat charts/kubewarden-defaults/README.md >> charts/README.md | |
| echo >> charts/README.md | |
| cat charts/kubewarden-crds/README.md >> charts/README.md | |
| cp -f charts/README.md ./to-gh-pages/ | |
| cp -f artifacthub-repo.yml ./to-gh-pages/ | |
| - name: Deploy readme to GH pages | |
| uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| publish_dir: ./to-gh-pages | |
| keep_files: true | |
| enable_jekyll: true | |
| - name: Upload images and policies file | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -e | |
| # .cr-release-packages is the directory used by the Helm releaser from a previous step | |
| chart_directory=.cr-release-packages | |
| if [ ! -d "$chart_directory" ]; then | |
| echo "$chart_directory does not exist. Assuming no charts update" | |
| exit 0 | |
| fi | |
| charts=$(find ./charts -maxdepth 1 -mindepth 1 -type d) | |
| asset_name="" | |
| for chart in $charts; do | |
| chart_name=$(helm show chart $chart | yq -r '.name' ) | |
| chart_version=$(helm show chart $chart | yq -r '.version') | |
| asset_name="${asset_name}_${chart_name}-${chart_version}" | |
| done | |
| image_asset_name="${asset_name:1}_images.txt" | |
| cp imagelist.txt $image_asset_name | |
| charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f) | |
| for chart in $charts; do | |
| chart_name=$(helm show chart $chart | yq -r '.name' ) | |
| chart_version=$(helm show chart $chart | yq -r '.version') | |
| if [[ $chart_name != *"-crds" ]]; then | |
| gh release upload $chart_name-$chart_version $image_asset_name --clobber | |
| fi | |
| if [[ $chart_name == *"-defaults" ]]; then | |
| cp "./charts/kubewarden-defaults/policylist.txt" "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt" | |
| gh release upload $chart_name-$chart_version "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt" --clobber | |
| fi | |
| done | |
| - name: Generate provenance attestation for kubewarden-crds chart and push to OCI | |
| uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 | |
| if: env.DIGEST_kubewarden-crds != '' | |
| with: | |
| push-to-registry: true | |
| subject-name: ${{ env.REGISTRY}}/kubewarden-crds | |
| subject-digest: ${{ env.DIGEST_kubewarden-crds }} | |
| - name: Generate provenance attestation for kubewarden-controller chart and push to OCI | |
| uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 | |
| if: env.DIGEST_kubewarden-controller != '' | |
| with: | |
| push-to-registry: true | |
| subject-name: ${{ env.REGISTRY}}/kubewarden-controller | |
| subject-digest: ${{ env.DIGEST_kubewarden-controller }} | |
| - name: Generate provenance attestation for kubewarden-defaults chart and push to OCI | |
| uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 | |
| if: env.DIGEST_kubewarden-defaults != '' | |
| with: | |
| push-to-registry: true | |
| subject-name: ${{ env.REGISTRY}}/kubewarden-defaults | |
| subject-digest: ${{ env.DIGEST_kubewarden-defaults }} |