ci(helm): cosign OCI helm chart #15
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Push Helm Chart | |
| on: | |
| pull_request: | |
| types: | |
| - closed | |
| branches: | |
| - master | |
| paths: | |
| - 'deployments/kubernetes/chart/reloader/**' | |
| - '.github/workflows/push-helm-chart.yaml' | |
| env: | |
| HELM_REGISTRY_URL: "https://stakater.github.io/stakater-charts" | |
| REGISTRY: ghcr.io | |
| jobs: | |
| verify-and-push-helm-chart: | |
| permissions: | |
| contents: read | |
| id-token: write # needed for signing the images with GitHub OIDC Token | |
| packages: write # for pushing and signing container images | |
| name: Verify and Push Helm Chart | |
| if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'release/helm-chart')) }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| with: | |
| token: ${{ secrets.PUBLISH_TOKEN }} | |
| fetch-depth: 0 # otherwise, you will fail to push refs to dest repo | |
| submodules: recursive | |
| # Setting up helm binary | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.11.3 | |
| - name: Add Stakater Helm Repo | |
| run: | | |
| helm repo add stakater https://stakater.github.io/stakater-charts | |
| - name: Get version for chart from helm repo | |
| id: chart_eval | |
| run: | | |
| current_chart_version=$(helm search repo stakater/reloader | tail -n 1 | awk '{print $2}') | |
| echo "CURRENT_CHART_VERSION=$(echo ${current_chart_version})" >> $GITHUB_OUTPUT | |
| - name: Get Updated Chart version from Chart.yaml | |
| uses: mikefarah/yq@master | |
| id: new_chart_version | |
| with: | |
| cmd: yq e '.version' deployments/kubernetes/chart/reloader/Chart.yaml | |
| - name: Check Version | |
| uses: aleoyakas/check-semver-increased-action@v1 | |
| id: check-version | |
| with: | |
| current-version: ${{ steps.new_chart_version.outputs.result }} | |
| previous-version: ${{ steps.chart_eval.outputs.CURRENT_CHART_VERSION }} | |
| - name: Fail if Helm Chart version isnt updated | |
| if: steps.check-version.outputs.is-version-increased != 'true' | |
| run: | | |
| echo "Helm Chart Version wasnt updated" | |
| exit 1 | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Login to GHCR Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: stakater-user | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Publish Helm chart to ghcr.io | |
| run: | | |
| helm package ./deployments/kubernetes/chart/reloader --destination ./packaged-chart | |
| helm push ./packaged-chart/*.tgz oci://ghcr.io/stakater/charts | |
| rm -rf ./packaged-chart | |
| - name: Sign artifacts with Cosign | |
| run: cosign sign --yes ghcr.io/stakater/charts/reloader:${{ steps.new_chart_version.outputs.result }} | |
| - name: Publish Helm chart to gh-pages | |
| uses: stefanprodan/helm-gh-pages@master | |
| with: | |
| branch: master | |
| repository: stakater-charts | |
| target_dir: docs | |
| token: ${{ secrets.GHCR_TOKEN }} | |
| charts_dir: deployments/kubernetes/chart/ | |
| charts_url: ${{ env.HELM_REGISTRY_URL }} | |
| owner: stakater | |
| linting: on | |
| commit_username: stakater-user | |
| commit_email: [email protected] | |
| - name: Notify Slack | |
| uses: 8398a7/action-slack@v3 | |
| if: always() # Pick up events even if the job fails or is canceled. | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,author,action,eventName,ref,workflow | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.PUBLISH_TOKEN }} | |
| SLACK_WEBHOOK_URL: ${{ secrets.STAKATER_DELIVERY_SLACK_WEBHOOK }} |