-
Notifications
You must be signed in to change notification settings - Fork 22
103 lines (89 loc) · 3.26 KB
/
Copy pathrelease.yml
File metadata and controls
103 lines (89 loc) · 3.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
name: Release Charts
on:
push:
branches:
- main
jobs:
release:
permissions:
contents: write
packages: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v7
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install Helm
id: install
uses: azure/setup-helm@v5
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Prepare chart signing key (Helm provenance)
id: signing
shell: bash
env:
GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}"
GPG_SIGNING_KEY: "${{ secrets.GPG_SIGNING_KEY }}"
run: |
set -euo pipefail
if [[ -z "${GPG_KEYRING_BASE64:-}" || -z "${GPG_SIGNING_KEY:-}" ]]; then
echo "enabled=false" >> "$GITHUB_OUTPUT"
echo "Chart signing key not configured; will refuse to release chart version bumps." >&2
exit 0
fi
mkdir -p .cr-gpg
echo "$GPG_KEYRING_BASE64" | base64 -d > .cr-gpg/private.key
chmod 600 .cr-gpg/private.key
# Import signing key into a dedicated GPG homedir so helm/cr can find the private key.
GNUPGHOME="$PWD/.gnupg"
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
gpg --batch --homedir "$GNUPGHOME" --import .cr-gpg/private.key
{
echo "CR_SIGN=true"
echo "CR_KEY=$GPG_SIGNING_KEY"
# cr/helm expects CR_KEYRING to point at a keyring that contains the secret key.
# We use an exported secret key file produced by `gpg --export-secret-keys`.
echo "CR_KEYRING=$PWD/.cr-gpg/private.key"
echo "GNUPGHOME=$GNUPGHOME"
} >> "$GITHUB_ENV"
echo "enabled=true" >> "$GITHUB_OUTPUT"
- name: Refuse unsigned chart releases
if: ${{ steps.signing.outputs.enabled != 'true' }}
shell: bash
run: |
set -euo pipefail
if git diff --name-only "${{ github.event.before }}" "${{ github.sha }}" | grep -Eq '^charts/[^/]+/Chart.yaml$'; then
echo "Chart.yaml changed in this push, but signing is not configured. Aborting release." >&2
exit 1
fi
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1
with:
version: v1.8.1
skip_existing: true
env:
CR_TOKEN: ${{ github.token }}
# Note: Removed extra cr index step to avoid merge conflicts with chart-releaser's own gh-pages updates.
- name: Login to GitHub Container Registry
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Push Charts to GHCR
shell: bash
run: |
if [ -d ".cr-release-packages" ]; then
shopt -s nullglob
for pkg in .cr-release-packages/*.tgz; do
helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
done
else
echo "Directory .cr-release-packages does not exist."
fi