From 1cae49194824ce8a6b94254b121b5720df874ccc Mon Sep 17 00:00:00 2001
From: "Benjamin R. J. Schwedler" <ben@posit.co>
Date: Fri, 24 Apr 2026 09:21:21 -0500
Subject: [PATCH] Add update-helm job to production workflow

After a successful build of release versions, dispatch the
product-release.yml workflow on rstudio/helm via a GitHub App token
sourced from the posit-connect-projects App (POSIT_CONNECT_PROJECTS_APP_ID / _PEM) so the helm chart's connect image tag is
updated to the new image version automatically.
---
 .github/workflows/production.yml | 43 +++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index 0dee54c..2a3f8ab 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -31,13 +31,14 @@ jobs:
     timeout-minutes: 10
     needs:
       - build
+      - update-helm
 
     steps:
       - uses: re-actors/alls-green@release/v1
         id: alls-green
         with:
           jobs: ${{ toJSON(needs) }}
-          allowed-skips: clean
+          allowed-skips: clean, update-helm
       - if: always() && github.ref == 'refs/heads/main'
         continue-on-error: true
         uses: posit-dev/images-shared/.github/actions/slack-build-notify@main
@@ -65,6 +66,46 @@ jobs:
       # Push images only for merges into main and weekly schduled re-builds.
       push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }}
 
+  update-helm:
+    name: Update Helm
+    if: ${{ needs.build.result == 'success' && (github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }}
+    needs:
+      - build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install bakery
+        uses: posit-dev/images-shared/setup-bakery@main
+
+      - name: Get latest version
+        id: version
+        run: |
+          APP_VERSION=$(bakery get version connect)
+          APP_VERSION="${APP_VERSION%%[+-]*}"
+          echo "app-version=$APP_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.POSIT_CONNECT_PROJECTS_APP_ID }}
+          private-key: ${{ secrets.POSIT_CONNECT_PROJECTS_PEM }}
+          owner: rstudio
+          repositories: helm
+
+      - name: Dispatch Helm update
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          APP_VERSION: ${{ steps.version.outputs.app-version }}
+        run: |
+          gh workflow run product-release.yml \
+            --repo rstudio/helm \
+            --field product=connect \
+            --field version="$APP_VERSION"
+
   clean:
     name: Clean
     if: always() && github.ref == 'refs/heads/main'