Helm Publish #28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Helm Publish | |
on: | |
push: | |
branches: | |
- master | |
paths: | |
- 'stable/**' | |
workflow_dispatch: | |
env: | |
CHARTS_PATH: stable | |
REGISTRY: "ghcr.io/${{ github.repository }}" | |
jobs: | |
package-and-release: | |
permissions: | |
contents: write | |
packages: write | |
pull-requests: write | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install Helm | |
uses: azure/setup-helm@v4 | |
with: | |
version: v3.16.4 | |
- name: Import GPG key | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@v6 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
- name: Save GPG passphrase and legacy keyring | |
run: | | |
cat << EOF > passphrase.txt | |
${{ secrets.GPG_PASSPHRASE }} | |
EOF | |
gpg -o ~/.gnupg/pubring.gpg --export ${{ steps.import_gpg.outputs.keyid }} | |
gpg --batch --pinentry-mode loopback --passphrase $(cat passphrase.txt) -o ~/.gnupg/secring.gpg --export-secret-keys ${{ steps.import_gpg.outputs.keyid }} | |
- name: Package Helm Charts | |
shell: bash | |
run: | | |
find ${CHARTS_PATH} -type f -name 'Chart.yaml' | sed -r 's|/[^/]+$||' | sort | uniq | xargs --verbose -L 1 helm dep up | |
for d in ${CHARTS_PATH}/*; do | |
if [[ ! -f "${d}/Chart.yaml" ]]; then | |
echo "${d}/Chart.yaml not found. Skipping." | |
continue | |
fi | |
echo "Packaging chart: $d" | |
helm package --sign "$d" -u --key "${{ steps.import_gpg.outputs.name }}" --passphrase-file passphrase.txt --keyring ~/.gnupg/secring.gpg | |
done | |
rm passphrase.txt | |
echo "Packing done" | |
- name: Login to GitHub Container Registry | |
shell: bash | |
run: echo "${GITHUB_TOKEN}" | helm registry login ${REGISTRY} --username ${GITHUB_ACTOR} --password-stdin | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
- name: Push Helm Charts to Github Container Registry as OCI packages | |
shell: bash | |
run: | | |
for f in *.tgz ; do | |
echo "$f" | |
helm push $f oci://${REGISTRY,,} | |
done | |
- name: Upload the Chart to Rekor | |
shell: bash | |
run: | | |
helm plugin install https://github.com/sigstore/helm-sigstore | |
for f in *.tgz ; do | |
echo "$f" | |
helm sigstore upload "$d" | |
done | |
- name: Generate Helm repo index.yaml | |
shell: bash | |
run: helm repo index . --merge index.yaml | |
- name: Update URLs in index.yaml with yq | |
uses: mikefarah/[email protected] | |
with: | |
cmd: yq eval -i '. |= .entries[][] |= .urls[0] = "oci://" + env(REGISTRY) + "/" + .name + ":" + .version' index.yaml | |
- name: Create Pull Request | |
id: cpr | |
uses: peter-evans/create-pull-request@v7 | |
with: | |
commit-message: "Updating index.yaml for ${{ github.ref }}" | |
branch: update-index | |
delete-branch: true | |
title: "[stable/index] Updating index.yaml for ${{ github.ref }}" | |
add-paths: | | |
index.yaml | |
labels: | | |
index | |
automated pr |