seerr/.github/workflows/helm.yml at develop · ProgenyAlpha/seerr · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Release Charts

on:
  push:
    branches:
      - develop
    paths:
      - 'charts/**'
      - '.github/workflows/release-charts.yml'

permissions:
  contents: read

concurrency:
  group: helm-charts
  cancel-in-progress: true

jobs:
  package-helm-chart:
    name: Package helm chart
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: read
    outputs:
      has_artifacts: ${{ steps.check-artifacts.outputs.has_artifacts }}
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Install helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1

      - name: Install Oras
        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4

      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Package helm charts
        run: |
          mkdir -p ./.cr-release-packages
          for chart_path in ./charts/*; do
            if [ -d "$chart_path" ] && [ -f "$chart_path/Chart.yaml" ]; then
              chart_name=$(grep '^name:' "$chart_path/Chart.yaml" | awk '{print $2}')
              # get current version
              current_version=$(grep '^version:' "$chart_path/Chart.yaml" | awk '{print $2}')
              # try to get current release version
              if oras manifest fetch "ghcr.io/${{ github.repository }}/${chart_name}:${current_version}" >/dev/null 2>&1; then
                echo "No version change for $chart_name. Skipping."
              else
                helm dependency build "$chart_path"
                helm package "$chart_path" --destination ./.cr-release-packages
              fi
            else
              echo "Skipping $chart_name: Not a valid Helm chart"
            fi
          done

      - name: Check if artifacts exist
        id: check-artifacts
        run: |
          if ls .cr-release-packages/*.tgz >/dev/null 2>&1; then
            echo "has_artifacts=true" >> $GITHUB_OUTPUT
          else
            echo "has_artifacts=false" >> $GITHUB_OUTPUT
          fi

      - name: Upload artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: steps.check-artifacts.outputs.has_artifacts == 'true'
        with:
          name: artifacts
          include-hidden-files: true
          path: .cr-release-packages/

  publish:
    name: Publish to ghcr.io
    runs-on: ubuntu-24.04
    permissions:
      packages: write
      id-token: write
    needs: [package-helm-chart]
    if: needs.package-helm-chart.outputs.has_artifacts == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Install helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1

      - name: Install Oras
        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4

      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Downloads artifacts
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: artifacts
          path: .cr-release-packages/

      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push charts to GHCR
        env:
          COSIGN_YES: true
        run: |
          for chart_path in `find .cr-release-packages -name '*.tgz' -print`; do
            # push chart to OCI
            chart_release_file=$(basename "$chart_path")
            chart_name=${chart_release_file%-*}
            helm push ${chart_path} oci://ghcr.io/${{ github.repository }} |& tee helm-push-output.log
            chart_digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
            # sign chart
            cosign sign "ghcr.io/${{ github.repository }}/${chart_name}@${chart_digest}"
            # push artifacthub-repo.yml to OCI
            oras push \
              ghcr.io/${{ github.repository }}/${chart_name}:artifacthub.io \
              --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
              charts/$chart_name/artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml \
              |& tee oras-push-output.log
            artifacthub_digest=$(grep "Digest:" oras-push-output.log | awk '{print $2}')
            # sign artifacthub-repo.yml
            cosign sign "ghcr.io/${{ github.repository }}/${chart_name}:artifacthub.io@${artifacthub_digest}"
          done

  verify:
    name: Verify signatures for each chart tag
    needs: [publish]
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Downloads artifacts
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: artifacts
          path: .cr-release-packages/

      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Verify signatures for each chart tag
        run: |
          for chart_path in $(find .cr-release-packages -name '*.tgz' -print); do
            chart_release_file=$(basename "$chart_path")
            chart_name=${chart_release_file%-*}
            version=${chart_release_file#$chart_name-}
            version=${version%.tgz}

            cosign verify "ghcr.io/${{ github.repository }}/${chart_name}:${version}" \
              --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
              --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
          done