fix: reload identity when its config changed (#2234) #397
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # TODO: Convert this workflow to a template and use it for both snapshot and actual releases. | |
| name: "Chart - Release - Snapshot" | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - .github/workflows/chart-release-snapshot.yaml | |
| - charts/camunda-platform-latest/** | |
| - charts/camunda-platform-alpha/** | |
| jobs: | |
| clean: | |
| name: Clean old artifacts digest | |
| permissions: | |
| packages: write | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash | |
| working-directory: /tmp | |
| steps: | |
| - name: Delete old artifacts | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Get IDs of the untagged artifacts (the sha256 digest). | |
| artifacts_ids_to_delete="$( | |
| gh api -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' \ | |
| '/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions?per_page=100' | | |
| jq '.[] | select(.metadata.container.tags | length == 0)' | jq '.id' | |
| )" | |
| # Early exit if no artifacts to delete. | |
| test -z "${artifacts_ids_to_delete}" && { | |
| echo "No old untagged artifacts to delete ..."; | |
| exit 0; | |
| } | |
| # Delete the untagged artifacts. | |
| echo -e "Deleting the old untagged artifacts IDs:\n${artifacts_ids_to_delete}" | |
| for container_id in ${artifacts_ids_to_delete}; do | |
| gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions/${container_id}" | |
| done | |
| release: | |
| needs: clean | |
| name: ${{ matrix.chart.name }} | |
| permissions: | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| chart: | |
| - name: Helm Chart Latest rolling | |
| directory: charts/camunda-platform-latest | |
| versionSuffix: snapshot-latest | |
| - name: Helm Chart Alpha rolling | |
| directory: charts/camunda-platform-alpha | |
| versionSuffix: snapshot-alpha | |
| - name: Helm Chart Alpha versioned | |
| directory: charts/camunda-platform-alpha | |
| versionSuffix: "" | |
| defaults: | |
| run: | |
| shell: bash | |
| working-directory: ${{ matrix.chart.directory }} | |
| # | |
| # Vars. | |
| env: | |
| REPOSITORY_NAME: "camunda/helm" | |
| CHART_NAME: "camunda-platform" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set vars | |
| run: | | |
| # NOTE: Helm CLI only accepts SemVer so we need to use something like "0.0.0-snapshot-latest". | |
| CHART_VERSION_SUFFIX="${{ matrix.chart.versionSuffix }}" | |
| CHART_VERSION_SUFFIX_DEFAULT="$(yq '.version' Chart.yaml)" | |
| echo "CHART_VERSION=0.0.0-${CHART_VERSION_SUFFIX:-${CHART_VERSION_SUFFIX_DEFAULT}}" | tee -a $GITHUB_ENV | |
| # | |
| # Changelog. | |
| - name: Generate snapshot changelog | |
| run: | | |
| export SNAPSHOT_DESCRIPTION="Check chart dir for more details: https://github.com/camunda/camunda-platform-helm/tree/main/charts/${{ matrix.chart.directory }}" | |
| yq -i '.description |= strenv(SNAPSHOT_DESCRIPTION)' Chart.yaml | |
| # | |
| # Package. | |
| - name: Install Helm CLI | |
| uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3 | |
| - name: Print Helm CLI version | |
| run: helm version | |
| - name: Package and push Helm chart | |
| env: | |
| HELM_EXPERIMENTAL_OCI: 1 | |
| run: | | |
| echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} --password-stdin ghcr.io | |
| helm dependency update | |
| helm package --version ${{ env.CHART_VERSION }} . | |
| helm push ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz oci://ghcr.io/${{ env.REPOSITORY_NAME }} | |
| helm registry logout ghcr.io | |
| # | |
| # Security signature. | |
| - name: Install Cosign CLI | |
| uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 | |
| - name: Sign Helm chart with Cosign | |
| run: | | |
| cosign sign-blob -y ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \ | |
| --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle | |
| - name: Verify signed Helm chart with Cosign | |
| run: | | |
| cosign verify-blob ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \ | |
| --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle \ | |
| --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install ORAS CLI | |
| uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1 | |
| - name: Upload Helm chart Cosign bundle | |
| run: | | |
| oras push ghcr.io/${{ env.REPOSITORY_NAME }}/${{ env.CHART_NAME }}:${{ env.CHART_VERSION }}.cosign.bundle \ | |
| ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle:text/plain |