workflow: sign Helm packages and upload provenance files #166
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Package Helm charts | ||
| on: | ||
| push: | ||
| tags: | ||
| - v[0-9]+.[0-9]+.[0-9]+ | ||
| branches: | ||
| - main | ||
| - release-* | ||
| env: | ||
| CHARTS_DIR: deployment/helm/ | ||
| UNSTABLE_CHARTS: unstable-helm-charts | ||
| REGISTRY: ghcr.io | ||
| REGISTRY_USER: ${{ github.repository_owner }} | ||
| REGISTRY_PATH: ${{ github.repository }} | ||
| jobs: | ||
| release: | ||
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | ||
| permissions: | ||
| contents: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Import GPG key | ||
| uses: crazy-max/ghaction-import-gpg@v6 | ||
| id: import-gpg | ||
| with: | ||
| gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }} | ||
| passphrase: ${{ secrets.BOT_PASSPHRASE }} | ||
| - name: Export GPG private key | ||
| run: | | ||
| gpg --batch \ | ||
| --yes \ | ||
| --pinentry-mode loopback \ | ||
| --passphrase ${{ secrets.BOT_PASSPHRASE }} \ | ||
| --export-secret-keys ${{ secrets.BOT_GPG_ID }} \ | ||
| > ~/.gnupg/secring.gpg | ||
| - name: Verify GPG secret key file | ||
| run: | | ||
| if [ ! -f ~/.gnupg/secring.gpg ]; then | ||
| echo "Error: GPG secret key file '~/.gnupg/secring.gpg' not found!" >&2 | ||
| exit 1 | ||
| fi | ||
| - name: Install Helm | ||
| uses: azure/[email protected] | ||
| - name: Package Stable Helm Charts | ||
| run: | | ||
| find "$CHARTS_DIR" -name values.yaml | xargs -I '{}' \ | ||
| sed -e s"/pullPolicy:.*/pullPolicy: IfNotPresent/" -i '{}' | ||
| echo ${{ secrets.BOT_PASSPHRASE }} | helm package \ | ||
| --sign \ | ||
| --key ${{ steps.import-gpg.outputs.email }} \ | ||
| --keyring ~/.gnupg/secring.gpg \ | ||
| --version "$GITHUB_REF_NAME" \ | ||
| --app-version "$GITHUB_REF_NAME" \ | ||
| "$CHARTS_DIR"/* \ | ||
| --passphrase-file "-" | ||
| find . -name '*.tgz' -print | while read SRC_FILE; do | ||
| DEST_FILE=$(echo $SRC_FILE | sed 's/v/helm-chart-v/g') | ||
| mv $SRC_FILE $DEST_FILE | ||
| done | ||
| - name: Upload Stable Helm Charts to GitHub Release | ||
| uses: softprops/action-gh-release@v1 | ||
| with: | ||
| name: ${{ github.ref_name }} | ||
| draft: true | ||
| append_body: true | ||
| files: | | ||
| nri-*helm-chart*.tgz | ||
| nri-*helm-chart*.tgz.prov | ||
| unstable: | ||
| if: ${{ !startsWith(github.ref, 'refs/tags/v') }} | ||
| concurrency: | ||
| group: unstable-helm-charts | ||
| cancel-in-progress: false | ||
| permissions: | ||
| packages: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Deep Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Install Helm | ||
| uses: azure/[email protected] | ||
| - name: Package Unstable Helm Charts | ||
| id: package-charts | ||
| run: | | ||
| # For unstable chart version we use: | ||
| # - chart version: x.y-unstable derived from the latest tag x.y.z | ||
| # - image version: 'unstable'. | ||
| majmin="$(git describe --tags | sed -E 's/(v[0-9]*\.[0-9]*).*$/\1/')" | ||
| CHART_VERSION="${majmin}-unstable" | ||
| if [ $GITHUB_REF_NAME = "main" ]; then | ||
| APP_VERSION=unstable | ||
| else | ||
| APP_VERSION="${majmin}-unstable" | ||
| fi | ||
| # Package charts | ||
| find "$CHARTS_DIR" -name values.yaml | xargs -I '{}' \ | ||
| sed -e s"/pullPolicy:.*/pullPolicy: Always/" -i '{}' | ||
| helm package --version "$CHART_VERSION" --app-version $APP_VERSION "$CHARTS_DIR"/* | ||
| find "$CHARTS_DIR" -name values.yaml | xargs -I '{}' \ | ||
| git checkout '{}' | ||
| mkdir ../$UNSTABLE_CHARTS | ||
| find . -name '*.tgz' -print | while read SRC_FILE; do | ||
| DEST_FILE=$(echo $SRC_FILE | sed 's/v/helm-chart-v/g') | ||
| mv -v $SRC_FILE ../$UNSTABLE_CHARTS/$DEST_FILE | ||
| done | ||
| - name: Log In To Registry | ||
| run: | | ||
| echo "${{ secrets.GITHUB_TOKEN }}" | \ | ||
| helm registry login ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }} -u ${{ env.REGISTRY_USER }} --password-stdin | ||
| - name: Push Unstable Helm Charts To Registry | ||
| shell: bash | ||
| run: | | ||
| # Notes: | ||
| # Currently we only publish unstable Helm charts from main/HEAD. | ||
| # We have no active cleanup of old unstable charts in place. In | ||
| # between new tags unstable chart have the same version, though. | ||
| pushd ../$UNSTABLE_CHARTS | ||
| for i in ./*.tgz; do | ||
| helm push $i oci://${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/helm-charts | ||
| done | ||
| popd | ||
