Publish Helm Chart #4599
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-FileCopyrightText: Copyright 2023 The Minder Authors | |
| # SPDX-License-Identifier: Apache-2.0 | |
| # Post-submit and daily build and publish of the Helm chart and Docker container | |
| # This is a separate workflow than image-build.yml because image-build.yml is | |
| # run in the PR context, and those runs aren't allowed package:write permissions if | |
| # the source is a fork(GitHub errors and invalidates the entire workflow if you try). | |
| name: Publish Helm Chart | |
| on: | |
| push: | |
| branches: | |
| - main | |
| schedule: | |
| # Weekdays at noon GMT | |
| - cron: '00 12 * * 1-5' | |
| jobs: | |
| check-helm: | |
| name: Build Helm chart | |
| runs-on: ubuntu-latest | |
| if: github.repository_owner == 'mindersec' || vars.PUBLISH_IMAGES == 'true' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write # To sign the provenance. | |
| env: | |
| BASE_REPO: "ghcr.io/${{ github.repository }}" | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 | |
| - name: Checkout | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 | |
| - name: Setup Go | |
| uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 | |
| with: | |
| go-version-file: 'go.mod' | |
| - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 | |
| with: | |
| version: v0.16.0 | |
| - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 | |
| with: | |
| version: v3.12.2 | |
| - name: Compute version number | |
| id: version-string | |
| run: | | |
| DATE="$(date +%Y%m%d)" | |
| COMMIT="$(git rev-parse --short HEAD)" | |
| echo "tag=0.$DATE.$GITHUB_RUN_NUMBER+ref.$COMMIT" >> "$GITHUB_OUTPUT" | |
| - name: Build images and Helm Chart | |
| run: | | |
| KO_DOCKER_REPO=$BASE_REPO make helm | |
| echo "Built images:" | |
| cat deployment/helm/built-images.yaml | |
| env: | |
| KO_PUSH_IMAGE: "true" | |
| HELM_PACKAGE_VERSION: "${{ steps.version-string.outputs.tag }}" | |
| - name: Helm Login | |
| # ko can pick up tokens ambiently from the GitHub Actions environment, but | |
| # Helm needs explicit login | |
| run: | | |
| helm registry login $BASE_REPO --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push Helm Chart | |
| id: helm-push | |
| run: | | |
| cd deployment/helm | |
| helm push minder-*.tgz oci://$BASE_REPO/helm 2>&1 | tee helm-push.log | |
| DIGEST=$(grep Digest: helm-push.log | awk '{print $2}') | |
| echo "Helm chart digest: $DIGEST" | |
| echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" | |
| - name: Sign the published helm chart and ko image | |
| # This step uses the identity token to provision an ephemeral certificate | |
| # against the sigstore community Fulcio instance. | |
| run: | | |
| # Sign the ko image | |
| cosign sign --yes $(cat deployment/helm/built-images.yaml) | |
| # Sign the helm chart | |
| cosign sign --yes $BASE_REPO/helm/minder@${{ steps.helm-push.outputs.digest }} |