Add support for chart signature #24
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Helm Publish | ||
| on: | ||
| push: | ||
| branches: | ||
| - master | ||
| paths: | ||
| - 'stable/**' | ||
| workflow_dispatch: | ||
| env: | ||
| CHARTS_PATH: stable | ||
| REGISTRY: "ghcr.io/${{ github.repository }}" | ||
| jobs: | ||
| package-and-release: | ||
| permissions: | ||
| contents: write | ||
| packages: write | ||
| pull-requests: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Install Helm | ||
| uses: azure/setup-helm@v4 | ||
| with: | ||
| version: v3.16.4 | ||
| - name: Import GPG key | ||
| id: import_gpg | ||
| uses: crazy-max/ghaction-import-gpg@v6 | ||
| with: | ||
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | ||
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | ||
| - name: Save GPG passphrase | ||
| run: | | ||
| cat << EOF > passphrase.txt | ||
| ${{ secrets.GPG_PASSPHRASE }} | ||
| EOF | ||
| - name: Package Helm Charts | ||
| shell: bash | ||
| run: | | ||
| find ${CHARTS_PATH} -type f -name 'Chart.yaml' | sed -r 's|/[^/]+$||' | sort | uniq | xargs --verbose -L 1 helm dep up | ||
| for d in ${CHARTS_PATH}/*; do | ||
| if [[ ! -f "${d}/Chart.yaml" ]]; then | ||
| echo "${d}/Chart.yaml not found. Skipping." | ||
| continue | ||
| fi | ||
| echo "$d" | ||
| helm package --sign "$d" -u --key ${{ steps.import_gpg.outputs.name }} --passphrase-file passphrase.txt | ||
| done | ||
| rm passphrase.txt | ||
| echo "Packing done" | ||
| - name: Login to GitHub Container Registry | ||
| shell: bash | ||
| run: echo "${GITHUB_TOKEN}" | helm registry login ${REGISTRY} --username ${GITHUB_ACTOR} --password-stdin | ||
| env: | ||
| GITHUB_TOKEN: ${{ github.token }} | ||
| - name: Push Helm Charts to Github Container Registry as OCI packages | ||
| shell: bash | ||
| run: | | ||
| for f in *.tgz ; do | ||
| echo "$f" | ||
| helm push $f oci://${REGISTRY,,} | ||
| done | ||
| - name: Upload the Chart to Rekor | ||
| shell: bash | ||
| run: | | ||
| helm plugin install https://github.com/sigstore/helm-sigstore | ||
| for f in *.tgz ; do | ||
| echo "$f" | ||
| helm sigstore upload "$d" | ||
| done | ||
| - name: Generate Helm repo index.yaml | ||
| shell: bash | ||
| run: helm repo index . --merge index.yaml | ||
| - name: Update URLs in index.yaml with yq | ||
| uses: mikefarah/[email protected] | ||
| with: | ||
| cmd: yq eval -i '. |= .entries[][] |= .urls[0] = "oci://" + env(REGISTRY) + "/" + .name + ":" + .version' index.yaml | ||
| - name: Create Pull Request | ||
| id: cpr | ||
| uses: peter-evans/create-pull-request@v7 | ||
| with: | ||
| commit-message: "Updating index.yaml for ${{ github.ref }}" | ||
| branch: update-index | ||
| delete-branch: true | ||
| title: "[stable/index] Updating index.yaml for ${{ github.ref }}" | ||
| add-paths: | | ||
| index.yaml | ||
| labels: | | ||
| index | ||
| automated pr | ||
