Merge pull request #301 from fabriziosestito/feat/add-policyserver-va… #225
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This action releases the kubewarden-controller helm chart | |
# The action must run on each commit done against master, however | |
# a new release will be performed **only** when a change occurs inside | |
# of the `charts` directory. | |
# | |
# When the helm chart is changed, this action will: | |
# * Create a new GitHub release named: kubwarden-controller-chart | |
# * This release has a kubwarden-controller-chart.tar.gz asset associated with | |
# it. This is the actual helm chart | |
# * Update the `index.yaml` file inside of the `gh-pages` branch. This is the | |
# index of the helm chart repository, which we serve through GitHub pages | |
# * Update the docs shown https://charts.kubewarden.io, on the `gh-pages` | |
# branch. This is the README files of the chart(s), served also through | |
# GitHub pages | |
# | |
# = FAQ | |
# | |
# == Why don't we run this action only when a tag like `v*` is created? | |
# | |
# Running the action only when a "release tag" is created will not produce | |
# a helm chart. That happens because the code which determines if something | |
# changed inside of the `charts` directory will not find any changes. | |
# | |
# == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action? | |
# | |
# Yes, we even got that to work. However, what we really want to do is the | |
# ability to tag the releases of the kubewarden-controller and its helm chart | |
# in an independent way. Which what the official GitHub action already does. | |
name: Release helm chart | |
on: | |
push: | |
branches: | |
- main | |
jobs: | |
release: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
packages: write | |
contents: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
with: | |
fetch-depth: 0 | |
- name: Configure Git | |
run: | | |
git config user.name "$GITHUB_ACTOR" | |
git config user.email "[email protected]" | |
- name: Check Helm generated values are up-to-date before releasing | |
run: | | |
make check-generated-values | |
- name: Install Helm | |
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 | |
with: | |
version: v3.8.0 | |
- name: Install cosign | |
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
- name: Generate container image files | |
run: | | |
make generate-images-file | |
- name: Generate policies files | |
run: | | |
make generate-policies-file | |
- name: Generate changelog files | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
make generate-changelog-files | |
- name: Add dependency repo required to release the controller chart | |
run: | | |
helm repo add policy-reporter https://kyverno.github.io/policy-reporter | |
helm repo update | |
- name: Run chart-releaser | |
uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 | |
with: | |
charts_dir: charts | |
env: | |
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
CR_SKIP_EXISTING: true | |
- name: Prepare GH pages readme | |
run: | | |
mkdir -p ./to-gh-pages | |
cat charts/kubewarden-controller/README.md >> charts/README.md | |
echo >> charts/README.md | |
cat charts/kubewarden-defaults/README.md >> charts/README.md | |
echo >> charts/README.md | |
cat charts/kubewarden-crds/README.md >> charts/README.md | |
cp -f charts/README.md ./to-gh-pages/ | |
cp -f artifacthub-repo.yml ./to-gh-pages/ | |
- name: Deploy readme to GH pages | |
uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
publish_dir: ./to-gh-pages | |
keep_files: true | |
enable_jekyll: true | |
- name: Upload images and policies file | |
shell: bash | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
set -e | |
# .cr-release-packages is the directory used by the Helm releaser from a previous step | |
chart_directory=.cr-release-packages | |
if [ ! -d "$chart_directory" ]; then | |
echo "$chart_directory does not exist. Assuming no charts update" | |
exit 0 | |
fi | |
charts=$(find ./charts -maxdepth 1 -mindepth 1 -type d) | |
asset_name="" | |
for chart in $charts; do | |
chart_name=$(helm show chart $chart | yq -r '.name' ) | |
chart_version=$(helm show chart $chart | yq -r '.version') | |
asset_name="${asset_name}_${chart_name}-${chart_version}" | |
done | |
image_asset_name="${asset_name:1}_images.txt" | |
cp imagelist.txt $image_asset_name | |
charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f) | |
for chart in $charts; do | |
chart_name=$(helm show chart $chart | yq -r '.name' ) | |
chart_version=$(helm show chart $chart | yq -r '.version') | |
if [[ $chart_name != *"-crds" ]]; then | |
gh release upload $chart_name-$chart_version $image_asset_name --clobber | |
fi | |
if [[ $chart_name == *"-defaults" ]]; then | |
cp "./charts/kubewarden-defaults/policylist.txt" "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt" | |
gh release upload $chart_name-$chart_version "./charts/kubewarden-defaults/${asset_name:1}_policylist.txt" --clobber | |
fi | |
done | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate, sign and publish charts in OCI registry | |
shell: bash | |
run: | | |
set -e | |
# .cr-release-packages is the directory used by the Helm releaser from a previous step | |
chart_directory=.cr-release-packages | |
if [ ! -d "$chart_directory" ]; then | |
echo "$chart_directory does not exist. Assuming no charts update" | |
exit 0 | |
fi | |
REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER" | |
charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f) | |
for chart in $charts; do | |
chart_name=$(helm show chart $chart | yq '.name' | sed 's/"//g') | |
chart_version=$(helm show chart $chart | yq '.version' | sed 's/"//g') | |
package_file=".cr-release-packages/$chart_name-$chart_version.tgz" | |
push_output=$(helm push $package_file "oci://$REGISTRY/charts") | |
chart_url=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\1\@\2/p') | |
cosign sign --yes "$chart_url" | |
done |