-
Notifications
You must be signed in to change notification settings - Fork 138
132 lines (129 loc) · 5.28 KB
/
chart-release-snapshot.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# TODO: Convert this workflow to a template and use it for both snapshot and actual releases.
name: "Chart - Release - Snapshot"
on:
push:
branches:
- main
paths:
- .github/workflows/chart-release-snapshot.yaml
- charts/camunda-platform-latest/**
- charts/camunda-platform-alpha/**
jobs:
clean:
name: Clean old artifacts digest
permissions:
packages: write
runs-on: ubuntu-latest
defaults:
run:
shell: bash
working-directory: /tmp
steps:
- name: Delete old artifacts
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Get IDs of the untagged artifacts (the sha256 digest).
artifacts_ids_to_delete="$(
gh api -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' \
'/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions?per_page=100' |
jq '.[] | select(.metadata.container.tags | length == 0)' | jq '.id'
)"
# Early exit if no artifacts to delete.
test -z "${artifacts_ids_to_delete}" && {
echo "No old untagged artifacts to delete ...";
exit 0;
}
# Delete the untagged artifacts.
echo -e "Deleting the old untagged artifacts IDs:\n${artifacts_ids_to_delete}"
for container_id in ${artifacts_ids_to_delete}; do
gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
"/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions/${container_id}"
done
release:
needs: clean
name: ${{ matrix.chart.name }}
permissions:
packages: write
id-token: write
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
chart:
- name: Helm Chart Latest rolling
directory: charts/camunda-platform-latest
versionSuffix: snapshot-latest
- name: Helm Chart Alpha rolling
directory: charts/camunda-platform-alpha
versionSuffix: snapshot-alpha
- name: Helm Chart Alpha versioned
directory: charts/camunda-platform-alpha
versionSuffix: ""
defaults:
run:
shell: bash
working-directory: ${{ matrix.chart.directory }}
#
# Vars.
env:
REPOSITORY_NAME: "camunda/helm"
CHART_NAME: "camunda-platform"
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
fetch-depth: 0
- name: Set vars
run: |
# NOTE: Helm CLI only accepts SemVer so we need to use something like "0.0.0-snapshot-latest".
CHART_VERSION_SUFFIX="${{ matrix.chart.versionSuffix }}"
CHART_VERSION_SUFFIX_DEFAULT="$(yq '.version' Chart.yaml)"
echo "CHART_VERSION=0.0.0-${CHART_VERSION_SUFFIX:-${CHART_VERSION_SUFFIX_DEFAULT}}" | tee -a $GITHUB_ENV
#
# Changelog.
- name: Generate snapshot changelog
run: |
export SNAPSHOT_DESCRIPTION="Check chart dir for more details: https://github.com/camunda/camunda-platform-helm/tree/main/charts/${{ matrix.chart.directory }}"
yq -i '.description |= strenv(SNAPSHOT_DESCRIPTION)' Chart.yaml
#
# Package.
- name: Install Helm CLI
uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
- name: Print Helm CLI version
run: helm version
- name: Package and push Helm chart
env:
HELM_EXPERIMENTAL_OCI: 1
run: |
echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} --password-stdin ghcr.io
helm dependency update
helm package --version ${{ env.CHART_VERSION }} .
helm push ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz oci://ghcr.io/${{ env.REPOSITORY_NAME }}
helm registry logout ghcr.io
#
# Security signature.
- name: Install Cosign CLI
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Sign Helm chart with Cosign
run: |
cosign sign-blob -y ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \
--bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle
- name: Verify signed Helm chart with Cosign
run: |
cosign verify-blob ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \
--bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle \
--certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install ORAS CLI
uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1
- name: Upload Helm chart Cosign bundle
run: |
oras push ghcr.io/${{ env.REPOSITORY_NAME }}/${{ env.CHART_NAME }}:${{ env.CHART_VERSION }}.cosign.bundle \
${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle:text/plain