vp-patterns/publish-charts #74
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow is expected to be run by the git workflow of the remote | |
| # chart whenever a new target is pushed: | |
| # gh workflow run publish-charts.yml --repo mbaldessari/charts-test --ref main \ | |
| # -f SOURCE_TAG="v0.0.1" -f SOURCE_REPO="mbaldessari/helm-chart-test" | |
| name: vp-patterns/publish-charts | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| SOURCE_TAG: | |
| required: true | |
| description: The tag of the helm chart repo to build | |
| SOURCE_REPO: | |
| required: true | |
| description: The helm chart repo | |
| SOURCE_BRANCH_OVERRIDE: | |
| required: false | |
| description: If specified, checks out the head of this branch rather than the commit tagged by SOURCE_TAG | |
| default: "" | |
| env: | |
| SOURCE_TAG: "${{ inputs.SOURCE_TAG }}" | |
| SOURCE_REPO: "${{ inputs.SOURCE_REPO }}" | |
| SOURCE_BRANCH_OVERRIDE: "${{ inputs.SOURCE_BRANCH_OVERRIDE }}" | |
| UMBRELLA_REPO: "validatedpatterns/helm-charts" | |
| ASSETS_BASE_URL: "https://github.com/validatedpatterns/helm-charts/releases/download/main/" | |
| QUAY_BASE_URL: "oci://quay.io/hybridcloudpatterns" | |
| jobs: | |
| update-charts: | |
| if: ${{ inputs.SOURCE_TAG }} | |
| runs-on: ubuntu-latest | |
| permissions: write-all | |
| steps: | |
| - name: Install Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.12.1 | |
| - name: Clone remote helm repo | |
| env: | |
| SOURCE_BRANCH_OVERRIDE: ${{ inputs.SOURCE_BRANCH_OVERRIDE }} | |
| run: |- | |
| set -e | |
| if [ -n "${SOURCE_BRANCH_OVERRIDE}" ]; then | |
| git clone "https://github.com/${SOURCE_REPO}.git" \ | |
| --branch "${SOURCE_BRANCH_OVERRIDE}" --single-branch helm-repo | |
| else | |
| git clone "https://github.com/${SOURCE_REPO}.git" \ | |
| --branch "${SOURCE_TAG}" --single-branch helm-repo | |
| fi | |
| - name: Package the helm chart | |
| shell: bash | |
| run: |- | |
| set -euo pipefail | |
| helm package helm-repo/${{ inputs.TEMPLATE_DIR }} | |
| CHART_NAME=$(yq -r '.name' helm-repo/Chart.yaml) | |
| CHART_VERSION=$(yq -r '.version' helm-repo/Chart.yaml) | |
| CHART_TGZ="${CHART_NAME}-${CHART_VERSION}.tgz" | |
| echo "CHART_NAME=$(yq -r '.name' helm-repo/Chart.yaml)" >> $GITHUB_ENV | |
| echo "CHART_VERSION=$(yq -r '.version' helm-repo/Chart.yaml)" >> $GITHUB_ENV | |
| echo "CHART_TGZ=${CHART_TGZ}" >> $GITHUB_ENV | |
| - name: Sign the chart | |
| shell: bash | |
| env: | |
| GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| run: |- | |
| set -euo pipefail | |
| echo ${{ secrets.GPG_SECRET_SUBKEY }} | base64 -d | gpg --batch --import | |
| echo ${{ secrets.GPG_PUBLIC_KEY }} | base64 -d | gpg --batch --import | |
| # Needed because helm verify only supports old format | |
| gpg --export >~/.gnupg/pubring.gpg | |
| pip install git+https://gitlab.com/mbaldessari/helm-sign.git@couple-of-fixes | |
| helm-sign ${{ env.CHART_TGZ }} | |
| helm verify ${{ env.CHART_TGZ }} | |
| - name: Upload helm package as a release asset | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: ${{ env.CHART_TGZ }} | |
| asset_name: ${{ env.CHART_TGZ }} | |
| tag: ${{ github.ref }} | |
| body: "${{ env.CHART_NAME }} Released ${{ env.CHART_VERSION }}" | |
| overwrite: true | |
| - name: Upload helm package signature as a release asset | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| file: ${{ env.CHART_TGZ }}.prov | |
| asset_name: ${{ env.CHART_TGZ }}.prov | |
| tag: ${{ github.ref }} | |
| body: "${{ env.CHART_NAME }} Released ${{ env.CHART_VERSION }}" | |
| overwrite: true | |
| # Uploaded to https://github.com/validatedpatterns/helm-charts/releases/download/main/test-0.0.1.tgz | |
| # This step fetches all assets and places them in the current folder | |
| # The reason for doing this is that it makes things fully idempotent and we do not need | |
| # to rely on the --merge feature when generating the index | |
| # While this probably does not scale all too well it should be fine for our not too large | |
| # helm repo | |
| - name: Fetch all assets locally | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: |- | |
| set -e | |
| for i in $(gh api repos/${UMBRELLA_REPO}/releases/latest | jq -r ".assets[].browser_download_url"); do | |
| curl -O -L "${i}" | |
| done | |
| - name: Update the helm index.yaml file | |
| run: |- | |
| set -e | |
| helm repo index --url "${ASSETS_BASE_URL}" . | |
| # FIXME(bandini): this is for debugging only | |
| ls -l index.html | |
| cat index.yaml | |
| - name: Checkout code to git-repo folder | |
| uses: actions/checkout@v4 | |
| with: | |
| # Full git history is needed to get a proper list of changed files within `super-linter` | |
| fetch-depth: 0 | |
| path: git-repo | |
| - name: Commit to gh-pages | |
| run: |- | |
| set -e | |
| cd git-repo | |
| git config user.name "${{ github.actor }}" | |
| git config user.email "${{ github.actor }}@users.noreply.github.com" | |
| # Install index.html generator | |
| git checkout gh-pages | |
| # This copies the newly generated index.yaml to the git repo | |
| cp -fv ../index.yaml . | |
| helm plugin install https://github.com/halkeye/helm-repo-html | |
| helm repo-html | |
| git add index.yaml index.html | |
| git commit -m "Updated ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}" | |
| git push origin gh-pages | |
| - name: Push the chart to quay | |
| run: |- | |
| set -e | |
| helm registry login -u="${{ secrets.QUAY_HELM_USER }}" -p="${{ secrets.QUAY_HELM_PASS }}" quay.io | |
| helm push "${{ env.CHART_TGZ }}" "${QUAY_BASE_URL}" |