Add update-helm job to production workflow

bschwedler · bschwedler · commit 807f2cf6d6a6 · 2026-04-24T09:21:23.000-05:00
After a successful build of release versions, dispatch the
product-release.yml workflow on rstudio/helm via a GitHub App token
sourced from the workbench-ide-release App (WORKBENCH_IDE_RELEASE_APP_ID / _PEM) so the helm chart's workbench image tag is
updated to the new image version automatically.
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
@@ -31,12 +31,14 @@ jobs:
     timeout-minutes: 10
     needs:
       - build
+      - update-helm
 
     steps:
       - uses: re-actors/alls-green@release/v1
         id: alls-green
         with:
           jobs: ${{ toJSON(needs) }}
+          allowed-skips: update-helm
       - if: always() && github.ref == 'refs/heads/main'
         continue-on-error: true
         uses: posit-dev/images-shared/.github/actions/slack-build-notify@main
@@ -66,6 +68,46 @@ jobs:
       # Push images only for merges into main and weekly schduled re-builds.
       push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }}
 
+  update-helm:
+    name: Update Helm
+    if: ${{ needs.build.result == 'success' && (github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }}
+    needs:
+      - build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install bakery
+        uses: posit-dev/images-shared/setup-bakery@main
+
+      - name: Get latest version
+        id: version
+        run: |
+          APP_VERSION=$(bakery get version workbench)
+          APP_VERSION="${APP_VERSION%%[+-]*}"
+          echo "app-version=$APP_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.WORKBENCH_IDE_RELEASE_APP_ID }}
+          private-key: ${{ secrets.WORKBENCH_IDE_RELEASE_PEM }}
+          owner: rstudio
+          repositories: helm
+
+      - name: Dispatch Helm update
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          APP_VERSION: ${{ steps.version.outputs.app-version }}
+        run: |
+          gh workflow run product-release.yml \
+            --repo rstudio/helm \
+            --field product=workbench \
+            --field version="$APP_VERSION"
+
   clean:
     name: Clean
     if: always() && github.ref == 'refs/heads/main'
