9e1453c8bda64198b3e79072eb7447dc-a-partner-or-redhat-associate-submits-a-signed-chart-tarball-without-report-d1862f6-partners-hashicorp-vault-0.17.0 #114302
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request_target: | |
types: [opened, synchronize, reopened, edited, ready_for_review, labeled] | |
env: | |
# Path to the submission artifact. | |
# This artifact is created in the 'validate-submission' job. It contains a JSON representation of | |
# the Submision object. It can be read by other jobs to access those information rather than | |
# fetch them from the GitHub API a second time. | |
SUBMISSION_PATH: "submission.json" | |
jobs: | |
setup: | |
name: Setup CI | |
runs-on: ubuntu-22.04 | |
outputs: | |
run_build: ${{ steps.check_build_required.outputs.run-build }} | |
verifier-action-image: ${{ steps.set-env.outputs.verifier-action-image }} | |
insecure_skip_tls_verify: ${{ steps.set-env.outputs.insecure_skip_tls_verify }} | |
if: | | |
github.event.pull_request.draft == false && | |
(github.event.action != 'labeled' || github.event.label.name == 'force-publish') && | |
github.actor != 'redhat-mercury-bot' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: ./.github/actions/setup-python | |
- name: Set up Python 3.x Part 2 | |
run: | | |
# set up python | |
python3 -m venv ve1 | |
cd scripts | |
../ve1/bin/pip3 install -r requirements.txt | |
../ve1/bin/pip3 install . | |
cd .. | |
- name: Check for CI changes | |
id: check_ci_changes | |
env: | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
run: | | |
# check if workflow testing should run. | |
echo "[INFO] check if PR contains only workflow changes and user is authorized" | |
ve1/bin/check-pr-for-ci --verify-user=${{ github.event.pull_request.user.login }} --api-url=${{ github.event.pull_request._links.self.href }} | |
- name: Check if PR created as part of release process | |
id: check_created_release_pr | |
if: ${{ steps.check_ci_changes.outputs.run-tests != true }} | |
env: | |
BOT_NAME: ${{ secrets.BOT_NAME }} | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
run: | | |
# check if PR was created as part of release processing | |
./ve1/bin/release-checker --api-url=${{ github.event.pull_request._links.self.href }} \ | |
--sender='${{ github.event.sender.login }}' \ | |
--pr_branch='${{ github.event.pull_request.head.ref }}' \ | |
--pr_body="${{ github.event.pull_request.body }}" \ | |
--pr_base_repo='${{ github.event.pull_request.base.repo.full_name }}' \ | |
--pr_head_repo='${{ github.event.pull_request.head.repo.full_name }}' | |
- name: Exit if build not required | |
id: check_build_required | |
env: | |
RUN_TESTS: ${{ steps.check_ci_changes.outputs.run-tests }} | |
NOT_CI_AUTHORIZED: ${{ steps.check_ci_changes.outputs.workflow-only-but-not-authorized }} | |
NO_CODE_TO_BUILD: ${{ steps.check_ci_changes.outputs.do-not-build }} | |
DEV_PR_FOR_RELEASE: ${{ steps.check_created_release_pr.outputs.dev_release_branch }} | |
CHARTS_PR_FOR_RELEASE: ${{ steps.check_created_release_pr.outputs.charts_release_branch }} | |
run: | | |
# exit if build not required | |
if [ "${RUN_TESTS}" == "true" ] || [ "${NOT_CI_AUTHORIZED}" == "true" ]; then | |
echo "The PR is workflow changes only - do not continue." | |
exit 0 | |
elif [ "${NO_CODE_TO_BUILD}" == "true" ]; then | |
echo "The PR does not contain changes which need build or test." | |
exit 0 | |
elif [ "${DEV_PR_FOR_RELEASE}" == "true" ]; then | |
echo "The PR is part of release processing for the development repository - do not continue." | |
elif [ "${CHART_PR_FOR_RELEASE}" == "true" ]; then | |
echo "The PR is part of release processing for the charts repository - do not continue." | |
else | |
echo "run-build=true" >> $GITHUB_OUTPUT | |
fi | |
- name: Set Environment | |
id: set-env | |
run: | | |
#set environment based on repository | |
if [ $GITHUB_REPOSITORY == "openshift-helm-charts/charts" ]; then | |
echo "Use latest verifier image" | |
echo "verifier-action-image=latest" >> $GITHUB_OUTPUT | |
else | |
echo "Use dev verifier image" | |
echo "verifier-action-image=0.1.0" >> $GITHUB_OUTPUT | |
fi | |
echo "insecure_skip_tls_verify=true" >> $GITHUB_OUTPUT | |
validate-submission: | |
name: Extract and validate PR content | |
runs-on: ubuntu-22.04 | |
needs: [setup] | |
outputs: | |
pr-content-error-message: ${{ steps.validate-submission.outputs.pr-content-error-message }} | |
owners-error-message: ${{ steps.validate-submission.outputs.owners-error-message }} | |
validate-submission-outcome: ${{ steps.validate-submission.outcome }} | |
chart_entry_name: ${{ steps.validate-submission.outputs.chart_entry_name }} | |
release_tag: ${{ steps.validate-submission.outputs.release_tag }} | |
web_catalog_only: ${{ steps.validate-submission.outputs.web_catalog_only }} | |
vendor_type: ${{ steps.validate-submission.outputs.vendor_type }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Checkout PR Branch | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.ref }} | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
path: "pr-branch" | |
- name: Set up Python | |
uses: ./.github/actions/setup-python | |
- name: Set up Python 3.x Part 2 | |
run: | | |
# set up python | |
python3 -m venv ve1 | |
cd scripts | |
../ve1/bin/pip3 install -r requirements.txt | |
../ve1/bin/pip3 install . | |
cd .. | |
- name: Extract PR information | |
id: validate-submission | |
env: | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
run: | | |
# Sandbox repo does not have an helm repository index | |
if [ "$GITHUB_REPOSITORY" == "openshift-helm-charts/sandbox" ]; then | |
CLI_FLAG="--ignore_missing_helm_index" | |
fi | |
./ve1/bin/validate-submission \ | |
--api_url "${{ github.event.pull_request._links.self.href }}" \ | |
--output "$SUBMISSION_PATH" \ | |
--repository ${{ github.repository }} \ | |
${CLI_FLAG} | |
- name: Upload PR information | |
uses: actions/upload-artifact@v4 | |
if: ${{ always() && steps.validate-submission.outputs.submission_file_present == 'true' }} | |
with: | |
name: submission | |
path: ${{ env.SUBMISSION_PATH }} | |
- name: Add 'content-ok' label | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
github.rest.issues.addLabels({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
labels: ['content-ok'] | |
}) | |
- name: Remove 'content-ok' label | |
uses: actions/github-script@v7 | |
if: ${{ failure() && contains( github.event.pull_request.labels.*.name, 'content-ok') }} | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
github.rest.issues.removeLabel({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
name: 'content-ok' | |
}) | |
chart-verifier: | |
name: Run chart-verifier | |
runs-on: ubuntu-22.04 | |
needs: [setup, validate-submission] | |
outputs: | |
report_content: ${{ steps.check_report.outputs.report_content }} | |
redhat_to_community: ${{ steps.check_report.outputs.redhat_to_community }} | |
community_manual_review_required: ${{ steps.check_report.outputs.community_manual_review_required }} | |
install-oc-outcome: ${{ steps.install-oc.outcome }} | |
verifier_error_message: ${{ steps.check-verifier-result.outputs.verifier_error_message }} | |
run-verifier-outcome: ${{ steps.run-verifier.outcome }} | |
check_report-outcome: ${{ steps.check_report.outcome }} | |
upload-chart-report-errors-outcome: ${{ steps.upload-chart-report-errors.outcome }} | |
ocp-version-range: ${{ steps.get-ocp-range.outputs.ocp-version-range }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Checkout PR Branch | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.ref }} | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
path: "pr-branch" | |
- name: Set up Python 3.x Part 1 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Set up Python 3.x Part 2 | |
run: | | |
# set up python | |
python3 -m venv ve1 | |
cd scripts | |
../ve1/bin/pip3 install -r requirements.txt | |
../ve1/bin/pip3 install . | |
cd .. | |
- name: Download submission information | |
uses: actions/download-artifact@v4 | |
with: | |
name: submission | |
- name: Remove 'authorized-request' label from PR | |
uses: actions/github-script@v7 | |
if: ${{ needs.setup.outputs.run_build == 'true' && contains( github.event.pull_request.labels.*.name, 'authorized-request') }} | |
continue-on-error: true | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
var issue_number = ${{ github.event.number }}; | |
github.rest.issues.removeLabel({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
issue_number: Number(issue_number), | |
name: 'authorized-request' | |
}) | |
- name: install chart verifier for action | |
uses: redhat-actions/openshift-tools-installer@v1 | |
with: | |
source: github | |
skip_cache: true | |
chart-verifier: "${{ needs.setup.outputs.verifier-action-image }}" | |
- name: determine verify requirements | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
id: verify_requires | |
env: | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
working-directory: ./pr-branch | |
run: | | |
../ve1/bin/get-verify-params --directory=pr --api-url=${{ github.event.pull_request._links.self.href }} | |
- name: Install oc | |
id: install-oc | |
if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }} | |
uses: redhat-actions/openshift-tools-installer@v1 | |
with: | |
oc: latest | |
- name: Set cluster login params | |
id: login-params | |
if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }} | |
run: | | |
#calculate cluster params | |
API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d) | |
echo "API_SERVER=${API_SERVER}" >> $GITHUB_OUTPUT | |
- uses: redhat-actions/oc-login@v1 | |
id: oc_login | |
if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }} | |
with: | |
openshift_server_url: ${{ steps.login-params.outputs.API_SERVER }} | |
openshift_token: ${{ secrets.CLUSTER_TOKEN }} | |
insecure_skip_tls_verify: ${{ needs.setup.outputs.insecure_skip_tls_verify }} | |
- name: create service account | |
id: create_service_account | |
if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }} | |
env: | |
API_SERVER: ${{ steps.login-params.outputs.API_SERVER }} | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
run: | | |
ve1/bin/sa-for-chart-testing --create charts-${{ github.event.number }} --token token.txt --server ${API_SERVER} | |
echo "delete_namespace=true" >> $GITHUB_OUTPUT | |
echo $KUBECONFIG | |
# Run chart-verifier against the provided chart, and generate a report.yaml. Runs only if a report.yaml hasn't been provided by the submitter. | |
- uses: redhat-actions/chart-verifier@v1 | |
id: run-verifier | |
if: ${{ steps.verify_requires.outputs.report_needed == 'true' }} | |
with: | |
chart_uri: ${{ steps.verify_requires.outputs.verify_uri }} | |
verify_args: ${{ steps.verify_requires.outputs.verify_args }} | |
report_type: all | |
fail: false | |
- name: check-verifier-result | |
id: check-verifier-result | |
if: ${{ always() && steps.run-verifier.outcome == 'failure' }} | |
run: | | |
error_message="The chart verifier returned an error when trying to obtain a verification report for the chart." | |
echo "verifier_error_message=$error_message" >> $GITHUB_OUTPUT | |
- name: Get profile version set in report provided by the user | |
id: get-profile-version | |
if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' }} | |
uses: mikefarah/yq@master | |
with: | |
cmd: yq '.metadata.tool.profile.version' ${{ format('./pr-branch/{0}', steps.verify_requires.outputs.provided_report_relative_path) }} | |
- name: Get the range of Kubernetes versions set in the report provided by the user | |
id: get-kube-range | |
if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' }} | |
continue-on-error: true | |
uses: mikefarah/yq@master | |
with: | |
cmd: yq '.metadata.chart.kubeversion' ${{ format('./pr-branch/{0}', steps.verify_requires.outputs.provided_report_relative_path) }} | |
- name: Get the corresponding range of OCP versions | |
id: get-ocp-range | |
if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' }} | |
continue-on-error: true | |
uses: ./.github/actions/get-ocp-range | |
with: | |
kube-version-range: ${{ steps.get-kube-range.outputs.result }} | |
- name: Only ignore errors in get-ocp-range for profile in version v1.0 | |
if: ${{ (steps.get-kube-range.outcome == 'failure' || steps.get-ocp-range.outcome == 'failure') && steps.get-profile-version.outputs.result != 'v1.0' }} | |
run: | | |
echo "::error file=.github/workflows/build.yaml::Failure in get-ocp-range, mandatory for profile version ${{ steps.get-profile-version.outputs.result }}" | |
exit 1 | |
# This steps checks that the report.yaml generated by the chart-verifier action is not containing any error. | |
# If the user has provided a report.yaml in their submission, this report is checked instead (chart-verifier does not run in that case as signaled by report_needed=False) | |
- name: Check Report | |
id: check_report | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
env: | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
VENDOR_TYPE: ${{ needs.validate-submission.outputs.vendor_type }} | |
WEB_CATALOG_ONLY: ${{ needs.validate-submission.outputs.web_catalog_only }} | |
REPORT_GENERATED: ${{ steps.verify_requires.outputs.report_needed }} | |
GENERATED_REPORT_PATH: ${{ steps.run-verifier.outputs.report_file }} | |
REPORT_SUMMARY_PATH: ${{ steps.run-verifier.outputs.report_info_file }} | |
WORKFLOW_WORKING_DIRECTORY: "../pr" | |
OCP_VERSION_RANGE: ${{ steps.get-ocp-range.outputs.ocp-version-range }} | |
run: | | |
cd pr-branch | |
../ve1/bin/chart-pr-review \ | |
--directory=../pr \ | |
--verify-user=${{ github.event.pull_request.user.login }} \ | |
--api-url=${{ github.event.pull_request._links.self.href }} | |
cd .. | |
- name: Upload chart_report errors | |
id: upload-chart-report-errors | |
uses: actions/upload-artifact@v4 | |
if: ${{ always() && steps.check_report.outcome == 'failure' }} | |
with: | |
name: chart_report_errors | |
path: pr/errors | |
if-no-files-found: error | |
continue-on-error: true | |
- name: Delete Namespace | |
if: ${{ always() && steps.oc_login.conclusion == 'success' }} | |
env: | |
KUBECONFIG: /tmp/ci-kubeconfig | |
run: | | |
API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d) | |
oc login --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER} --insecure-skip-tls-verify=${{ needs.setup.outputs.insecure_skip_tls_verify }} | |
ve1/bin/sa-for-chart-testing --delete charts-${{ github.event.number }} | |
manage-gh-pr: | |
name: Comment and merge PR | |
runs-on: ubuntu-22.04 | |
needs: [setup, validate-submission, chart-verifier] | |
outputs: | |
message_file: ${{ steps.pr_comment.outputs.message-file }} | |
message_text_base64: ${{ steps.encode_pr_comment.outputs.message-text-base64 }} | |
# Run manage-gh-pr as long as setup was successful, independently from potential errors in validate-submission or chart-verifier | |
if: ${{ always() && needs.setup.result == 'success' }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Checkout PR Branch | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.ref }} | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
path: "pr-branch" | |
- name: Set up Python 3.x Part 1 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Set up Python 3.x Part 2 | |
run: | | |
# set up python | |
python3 -m venv ve1 | |
cd scripts | |
../ve1/bin/pip3 install -r requirements.txt | |
../ve1/bin/pip3 install . | |
cd .. | |
# Submission information should always be present | |
- name: Download submission information | |
uses: actions/download-artifact@v4 | |
with: | |
name: submission | |
# Chart report errors are only present if an error has occured during the chart_report | |
- name: Download chart_report errors | |
uses: actions/download-artifact@v4 | |
if: ${{ needs.chart-verifier.outputs.upload-chart-report-errors-outcome == 'success' }} | |
with: | |
name: chart_report_errors | |
path: pr/ | |
- name: Prepare PR comment | |
id: pr_comment | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
env: | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
PR_CONTENT_ERROR_MESSAGE: ${{ needs.validate-submission.outputs.pr-content-error-message }} | |
OWNERS_ERROR_MESSAGE: ${{ needs.validate-submission.outputs.owners-error-message }} | |
COMMUNITY_MANUAL_REVIEW: ${{ needs.chart-verifier.outputs.community_manual_review_required }} | |
OC_INSTALL_RESULT: ${{ needs.chart-verifier.outputs.install-oc-outcome || 'skipped' }} | |
VERIFIER_ERROR_MESSAGE: ${{ needs.chart-verifier.outputs.verifier_error_message }} | |
run: | | |
ve1/bin/pr-comment ${{ needs.validate-submission.outputs.validate-submission-outcome }} \ | |
${{ needs.chart-verifier.outputs.run-verifier-outcome || 'skipped' }} \ | |
${{ needs.chart-verifier.outputs.check_report-outcome || 'skipped'}} | |
# Note(komish): This step is a temporary fix for the metrics step in the next job | |
# which expects the PR comment to exist at the specified filesystem location. | |
- name: Encode PR Comment for Metrics | |
id: encode_pr_comment | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
run: | | |
commentBase64=$(base64 --wrap=0 ${{ steps.pr_comment.outputs.message-file }}) | |
echo "message-text-base64=${commentBase64}" | tee -a $GITHUB_OUTPUT | |
- name: Comment on PR | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
var fs = require('fs'); | |
var issue_number = ${{ github.event.number }}; | |
var comment = fs.readFileSync('./pr/comment', {encoding:'utf8', flag:'r'}); | |
github.rest.issues.createComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
issue_number: Number(issue_number), | |
body: comment | |
}); | |
# The steps running chart-verifier may be skipped in some valid case, for instance if the user | |
# provided a valid report.yaml | |
- name: Add 'authorized-request' label to PR | |
if: ${{ needs.validate-submission.outputs.validate-submission-outcome == 'success' && | |
needs.chart-verifier.outputs.run-verifier-outcome != 'failure' && | |
needs.setup.outputs.run_build == 'true' }} | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.issues.addLabels({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
labels: ['authorized-request'] | |
}) | |
- name: Approve PR | |
id: approve_pr | |
if: ${{ needs.chart-verifier.outputs.check_report-outcome == 'success' }} | |
uses: hmarr/auto-approve-action@v4 | |
with: | |
# The token we use for this changes for the Sandbox repository because the sandbox repository | |
# receives PRs from the openshift-helm-charts-bot, and that same bot cannot approve its own | |
# PRs which breaks workflows. Instead, for the Sandbox repo, we approve with the GHA bot. | |
github-token: ${{ github.repository == 'openshift-helm-charts/sandbox' && secrets.GITHUB_TOKEN || secrets.BOT_TOKEN }} | |
- name: Merge PR | |
id: merge_pr | |
if: ${{ steps.approve_pr.outcome == 'success' }} | |
uses: pascalgn/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }} | |
MERGE_METHOD: squash | |
MERGE_LABELS: "" | |
- name: Check for PR merge | |
if: ${{ steps.merge_pr.outcome == 'success' }} | |
env: | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
run: | | |
./ve1/bin/check-auto-merge --api-url=${{ github.event.pull_request._links.self.href }} | |
release: | |
name: Release Chart | |
runs-on: ubuntu-22.04 | |
needs: [setup, validate-submission, chart-verifier, manage-gh-pr] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Checkout PR Branch | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.ref }} | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
path: "pr-branch" | |
- name: Set up Python | |
uses: ./.github/actions/setup-python | |
- name: Set up Python 3.x Part 2 | |
run: | | |
# set up python | |
python3 -m venv ve1 | |
cd scripts | |
../ve1/bin/pip3 install -r requirements.txt | |
../ve1/bin/pip3 install . | |
cd .. | |
- name: install chart verifier for action | |
uses: redhat-actions/openshift-tools-installer@v1 | |
with: | |
source: github | |
skip_cache: true | |
chart-verifier: ${{ needs.setup.outputs.verifier-action-image }} | |
- name: Block until there is no running workflow | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
uses: softprops/turnstyle@v2 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Configure Git | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
run: | | |
git config --global user.name "github-actions[bot]" | |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
- name: Prepare Chart Release and index entry | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
env: | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
REPORT_CONTENT: ${{ needs.chart-verifier.outputs.report_content }} | |
REDHAT_TO_COMMUNITY: ${{ needs.chart-verifier.outputs.redhat_to_community }} | |
WEB_CATALOG_ONLY: ${{ needs.validate-submission.outputs.web_catalog_only }} | |
OCP_VERSION_RANGE: ${{ needs.chart-verifier.outputs.ocp-version-range }} | |
id: prepare-chart-release | |
run: | | |
cd pr-branch | |
../ve1/bin/chart-repo-manager \ | |
--repository=${{ github.repository }} \ | |
--api-url=${{ github.event.pull_request._links.self.href }} \ | |
# Upload the report file, potentially paired with a public key and, if provided, the chart's tarball and its prov file. | |
# Only the report file is always included. | |
# The release tag format is <organization_name>-<chart_name>-<chart_version> | |
- name: Create GitHub release | |
if: ${{ needs.validate-submission.outputs.web_catalog_only == 'False' }} | |
uses: softprops/action-gh-release@v2 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag_name: ${{ needs.validate-submission.outputs.release_tag }} | |
files: | | |
${{ steps.prepare-chart-release.outputs.report_file }} | |
${{ steps.prepare-chart-release.outputs.public_key_file }} | |
${{ steps.prepare-chart-release.outputs.path_to_chart_tarball }} | |
${{ steps.prepare-chart-release.outputs.prov_file_name }} | |
fail_on_unmatched_files: true | |
- name: Update Helm repository index | |
if: ${{ needs.setup.outputs.run_build == 'true' }} | |
env: | |
CHART_ENTRY_NAME: ${{ needs.validate-submission.outputs.chart_entry_name }} | |
WEB_CATALOG_ONLY: ${{ needs.validate-submission.outputs.web_catalog_only }} | |
RELEASE_TAG: ${{ needs.validate-submission.outputs.release_tag }} | |
run: | | |
INDEX_BRANCH=$(if [ "${GITHUB_REF}" = "refs/heads/main" ]; then echo "gh-pages"; else echo "${GITHUB_REF##*/}-gh-pages"; fi) | |
echo "[INFO] Creating Git worktree for index branch" | |
INDEX_DIR=$(mktemp -d) | |
git remote add upstream "$GITHUB_SERVER_URL"/"$GITHUB_REPOSITORY" | |
git fetch upstream "$INDEX_BRANCH" | |
git worktree add --detach "$INDEX_DIR" upstream/"$INDEX_BRANCH" | |
if [ "$WEB_CATALOG_ONLY" == "True" ]; then | |
INDEX_FILE="unpublished-certified-charts.yaml" | |
else | |
INDEX_FILE="index.yaml" | |
fi | |
source ve1/bin/activate | |
cd $INDEX_DIR | |
update-index \ | |
--index-branch=${INDEX_BRANCH} \ | |
--index-file=${INDEX_FILE} \ | |
--repository=${{ github.repository }} \ | |
--chart-entry="${{ steps.prepare-chart-release.outputs.chart_entry }}" \ | |
--chart-url="${{ steps.prepare-chart-release.outputs.chart_url }}" \ | |
--version="${{ steps.prepare-chart-release.outputs.version }}" | |
echo "[INFO] Add and commit changes to git" | |
git status | |
git add $INDEX_FILE | |
git status | |
git commit -m "$RELEASE_TAG $INDEX_FILE (${{ github.event.number }})" | |
git status | |
git push \ | |
https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} \ | |
HEAD:refs/heads/${INDEX_BRANCH} | |
- name: Add a GitHub comment if release has failed | |
uses: actions/github-script@v7 | |
if: ${{ failure() && github.repository != 'openshift-helm-charts/sandbox' }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.issues.createComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
issue_number: context.issue.number, | |
body: `### Release job failed | |
An error occured while updating the Helm repository index. | |
cc @komish @mgoerens` | |
}); | |
# Note(komish): This step is a temporary workaround. Metrics requires the PR comment | |
# to be available, but it is written to the filesystem in the previous job. | |
# This can be removed once the metrics execution is restructured to have access to the PR | |
# comment, or pulled out of the release job entirely. | |
- name: Retrieve PR comment for metrics | |
if: ${{ always() && needs.setup.outputs.run_build == 'true' && github.repository != 'openshift-helm-charts/sandbox' }} | |
run: | | |
mkdir -p $(dirname ${{ needs.manage-gh-pr.outputs.message_file }}) | |
echo ${{ needs.manage-gh-pr.outputs.message_text_base64 }} | base64 -d | tee ${{ needs.manage-gh-pr.outputs.message_file }} | |
- name: Add metrics | |
id: add_metrics | |
if: ${{ always() && needs.setup.outputs.run_build == 'true' && github.repository != 'openshift-helm-charts/sandbox' }} | |
continue-on-error: true | |
env: | |
BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |
run: | | |
if [ $GITHUB_REPOSITORY == "openshift-helm-charts/charts" ]; then | |
WRITE_KEY=${{ secrets.SEGMENT_WRITE_KEY }} | |
ID_PREFIX="helm-metric-pr" | |
echo "Use segment production write key" | |
else | |
WRITE_KEY=${{ secrets.SEGMENT_TEST_WRITE_KEY }} | |
ID_PREFIX="helm-test-metric-pr" | |
echo "Use segment test write key" | |
fi | |
if [ "${WRITE_KEY}" != "" ]; then | |
echo "add PR run metric" | |
ve1/bin/metrics --write-key="${WRITE_KEY}" \ | |
--metric-type="pull_request" \ | |
--message-file="${{ needs.manage-gh-pr.outputs.message_file }}" \ | |
--pr-number="${{ github.event.number }}" \ | |
--pr-action="${{ github.event.action }}" \ | |
--repository="${GITHUB_REPOSITORY}" \ | |
--prefix="${ID_PREFIX}" \ | |
--pr_dir="./pr-branch" | |
else | |
echo "Do not collect metrics, required segment write key is not set" | |
fi | |
- name: Alert Slack helm_dev on failure to update metrics | |
continue-on-error: true | |
if: steps.add_metrics.outcome == 'failure' | |
uses: archive/[email protected] | |
with: | |
slack-bot-user-oauth-access-token: ${{ secrets.SLACK_BOT_USER_OAUTH_ACCESS_TOKEN }} | |
slack-channel: C02979BDUPL | |
slack-text: Failure! Updating metrics during a chart certification. See '${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}' |