Merge pull request #301 from fabriziosestito/feat/add-policyserver-va… #225
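---
# This action releases the kubewarden-controller helm chart
# The action must run on each commit done against main, however
# a new release will be performed **only** when a change occurs inside
# of the `charts` directory.
#
# When the helm chart is changed, this action will:
# * Create a new GitHub release named: kubewarden-controller-chart
# * This release has a kubewarden-controller-chart.tar.gz asset associated with
# it. This is the actual helm chart
# * Update the `index.yaml` file inside of the `gh-pages` branch. This is the
# index of the helm chart repository, which we serve through GitHub pages
# * Update the docs shown https://charts.kubewarden.io, on the `gh-pages`
# branch. This is the README files of the chart(s), served also through
# GitHub pages
# * Push the packaged charts to the ghcr.io OCI registry and sign them with
# cosign (keyless, via the job's OIDC token)
#
# = FAQ
#
# == Why don't we run this action only when a tag like `v*` is created?
#
# Running the action only when a "release tag" is created will not produce
# a helm chart. That happens because the code which determines if something
# changed inside of the `charts` directory will not find any changes.
#
# == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action?
#
# Yes, we even got that to work. However, what we really want to do is the
# ability to tag the releases of the kubewarden-controller and its helm chart
# in an independent way. Which is what the official GitHub action already does.
#
# Supply-chain note: every third-party action is pinned to a full commit SHA
# (the trailing comment records the matching tag). Keep it that way when
# bumping versions; a mutable tag can be moved to different code.
name: Release helm chart
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
jobs:
  release:
    runs-on: ubuntu-latest
    # Job-scoped token permissions: `contents` for the GitHub release and the
    # gh-pages push, `packages` for the ghcr.io push, `id-token` for cosign
    # keyless signing.
    permissions:
      id-token: write
      packages: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          # Full clone instead of a shallow one.
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "[email protected]"
      - name: Check Helm generated values are up-to-date before releasing
        run: |
          make check-generated-values
      - name: Install Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: v3.8.0
      - name: Install cosign
        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
      - name: Generate container image files
        run: |
          make generate-images-file
      - name: Generate policies files
        run: |
          make generate-policies-file
      - name: Generate changelog files
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          make generate-changelog-files
      - name: Add dependency repo required to release the controller chart
        run: |
          helm repo add policy-reporter https://kyverno.github.io/policy-reporter
          helm repo update
      - name: Run chart-releaser
        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
        with:
          charts_dir: charts
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          # env values are always strings; quoted so no YAML tooling retypes it
          CR_SKIP_EXISTING: "true"
      - name: Prepare GH pages readme
        run: |
          mkdir -p ./to-gh-pages
          cat charts/kubewarden-controller/README.md >> charts/README.md
          echo >> charts/README.md
          cat charts/kubewarden-defaults/README.md >> charts/README.md
          echo >> charts/README.md
          cat charts/kubewarden-crds/README.md >> charts/README.md
          cp -f charts/README.md ./to-gh-pages/
          cp -f artifacthub-repo.yml ./to-gh-pages/
      - name: Deploy readme to GH pages
        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./to-gh-pages
          keep_files: true
          enable_jekyll: true
      - name: Upload images and policies file
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # `pipefail` so a failing `helm show chart` is not masked by the
          # succeeding `yq` at the end of the pipeline; `-u` catches typos in
          # variable names instead of expanding them to "".
          set -euo pipefail
          # .cr-release-packages is the directory used by the Helm releaser from a previous step
          chart_directory=.cr-release-packages
          if [ ! -d "$chart_directory" ]; then
            echo "$chart_directory does not exist. Assuming no charts update"
            exit 0
          fi
          # Build the "<chart>-<version>_<chart>-<version>..." prefix shared by
          # the uploaded assets. NOTE: the order of the components follows the
          # order in which `find` lists the chart directories.
          asset_name=""
          for chart in $(find ./charts -maxdepth 1 -mindepth 1 -type d); do
            chart_name=$(helm show chart "$chart" | yq -r '.name')
            chart_version=$(helm show chart "$chart" | yq -r '.version')
            asset_name="${asset_name}_${chart_name}-${chart_version}"
          done
          # `${asset_name:1}` drops the leading "_" produced by the loop above.
          image_asset_name="${asset_name:1}_images.txt"
          cp imagelist.txt "$image_asset_name"
          for chart in $(find "$chart_directory" -maxdepth 1 -mindepth 1 -type f); do
            chart_name=$(helm show chart "$chart" | yq -r '.name')
            chart_version=$(helm show chart "$chart" | yq -r '.version')
            # The release tag is "<name>-<version>", as created by chart-releaser.
            release_tag="$chart_name-$chart_version"
            # The *-crds chart gets no image list; every other chart does.
            if [[ $chart_name != *"-crds" ]]; then
              gh release upload "$release_tag" "$image_asset_name" --clobber
            fi
            # The *-defaults chart additionally ships the policy list.
            if [[ $chart_name == *"-defaults" ]]; then
              policy_asset="./charts/kubewarden-defaults/${asset_name:1}_policylist.txt"
              cp "./charts/kubewarden-defaults/policylist.txt" "$policy_asset"
              gh release upload "$release_tag" "$policy_asset" --clobber
            fi
          done
      - name: Login to GitHub Container Registry
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate, sign and publish charts in OCI registry
        shell: bash
        run: |
          # See the upload step above for why `-u` and `pipefail` are set.
          set -euo pipefail
          # .cr-release-packages is the directory used by the Helm releaser from a previous step
          chart_directory=.cr-release-packages
          if [ ! -d "$chart_directory" ]; then
            echo "$chart_directory does not exist. Assuming no charts update"
            exit 0
          fi
          REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER"
          for chart in $(find "$chart_directory" -maxdepth 1 -mindepth 1 -type f); do
            chart_name=$(helm show chart "$chart" | yq -r '.name')
            chart_version=$(helm show chart "$chart" | yq -r '.version')
            package_file="$chart_directory/$chart_name-$chart_version.tgz"
            push_output=$(helm push "$package_file" "oci://$REGISTRY/charts")
            # The unquoted expansion is deliberate: it collapses the multi-line
            # `helm push` output onto one line so the sed expression can match
            # "Pushed: <ref>:<tag> ... Digest: <digest>" and emit "<ref>@<digest>".
            # shellcheck disable=SC2086
            chart_url=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\1\@\2/p')
            # Fail loudly instead of handing cosign an empty reference when the
            # push output format differs from what the sed expression expects.
            if [ -z "$chart_url" ]; then
              echo "could not extract the chart digest from 'helm push' output for $package_file:" >&2
              echo "$push_output" >&2
              exit 1
            fi
            # Sign the digest-pinned reference (keyless, needs `id-token: write`)
            # so the signature is bound to the exact bytes that were pushed.
            cosign sign --yes "$chart_url"
          done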