Skip to content

publish-chart

publish-chart #121

---
# This is a manually triggered workflow to package and upload the Helm chart from the
# main branch to Aqua Security repository at https://github.com/aquasecurity/helm-charts.
name: Publish Helm chart
on:
repository_dispatch:
types: [publish-chart]
paths:
- deploy/helm/Chart.yaml
env:
CR_PACKAGE_PATH: .cr-release-packages
HELM_REP: helm-charts
GH_OWNER: aquasecurity
CHART_DIR: deploy/helm
KIND_VERSION: v0.17.0
KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
jobs:
release:
# this job will only run if the PR has been merged
if: github.event.client_payload.action == 'chart-release' || github.event.client_payload.action == 'chart-and-app-release'
permissions:
contents: write # for peter-evans/repository-dispatch to create a repository dispatch event
packages: write # to push OCI chart package to GitHub Registry
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
version: v3.14.2
- name: Set up python
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: 3.7
- name: Setup Chart Linting
id: lint
uses: helm/[email protected]
- name: Setup Kubernetes cluster (KIND)
uses: helm/[email protected] # v1.5.0
with:
version: ${{ env.KIND_VERSION }}
node_image: ${{ env.KIND_IMAGE }}
- name: Run chart-testing
run: ct lint-and-install --validate-maintainers=false --charts deploy/helm
- name: Install chart-releaser
run: |
wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37 chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
- name: Package helm chart
run: |
./cr package ${{ env.CHART_DIR }}
# Classic helm repository with GitHub pages
- name: Upload helm chart
# Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
continue-on-error: true
run: |
./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }}
- name: Index helm chart
run: |
./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
- name: Push index file
uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 # v1.1.1
env:
API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
with:
source_file: "index.yaml"
destination_repo: "${{ env.GH_OWNER }}/${{ env.HELM_REP }}"
destination_folder: "."
destination_branch: "gh-pages"
user_email: [email protected]
user_name: "aqua-bot"
# OCI registry as helm repository (helm 3.8+)
- name: Login to GHCR
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push chart to GHCR
run: |
shopt -s nullglob
for pkg in ${{ env.CR_PACKAGE_PATH }}/*.tgz; do
if [ -z "${pkg:-}" ]; then
break
fi
helm push "${pkg}" oci://ghcr.io/${{ env.GH_OWNER }}/${{ env.HELM_REP }}
done
- name: Get latest tag
id: latest_tag
run: |
latest_tag=$(git describe --tags --abbrev=0)
echo "::set-output name=tag::$latest_tag"
- name: Repository Dispatch Publish docs
if: github.event.client_payload.action == 'chart-and-app-release' && !contains(steps.latest_tag.outputs.tag, 'rc')
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
event-type: publish-docs
client-payload: '{"action": "docs-release", "tag": "${{ steps.latest_tag.outputs.tag }}"}'