diff --git a/.github/configs/cr.yaml b/.github/configs/cr.yaml index 154dbfbfb..c90c960da 100644 --- a/.github/configs/cr.yaml +++ b/.github/configs/cr.yaml @@ -2,11 +2,11 @@ index-path: "./index.yaml" # PGP signing -sign: true +sign: false key: Argo Helm maintainers # keyring: # Set via env variable CR_KEYRING # passphrase-file: # Set via env variable CR_PASSPHRASE_FILE # Enable automatic generation of release notes using GitHubs release notes generator. # see: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes -generate-release-notes: true +generate-release-notes: false diff --git a/.github/configs/labeler.yaml b/.github/configs/labeler.yaml index acd6f2192..947d80499 100644 --- a/.github/configs/labeler.yaml +++ b/.github/configs/labeler.yaml @@ -1,17 +1,2 @@ -argo-cd: - - charts/argo-cd/**/* - -argo-events: - - charts/argo-events/**/* - -argo-rollouts: - - charts/argo-rollouts/**/* - argo-workflows: - charts/argo-workflows/**/* - -argocd-image-updater: - - charts/argocd-image-updater/**/* - -argocd-apps: - - charts/argocd-apps/**/* diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 9d3a170fb..a4f34dd69 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,15 +4,16 @@ on: push: branches: - main - paths: - - "charts/**" + - 0.36.2 permissions: - contents: read + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout jobs: publish: permissions: + id-token: write contents: write # for helm/chart-releaser-action to push chart release and create a release packages: write # to push OCI chart package to GitHub Registry runs-on: ubuntu-latest @@ -22,6 +23,20 @@ jobs: with: fetch-depth: 0 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + audience: sts.amazonaws.com + role-to-assume: arn:aws:iam::024630551114:role/gh-action-role + role-session-name: GitHub_to_AWS_via_FederatedOIDC_ARGO_HELM + aws-region: us-east-1 + + - name: Login to Amazon ECR Public + id: login-ecr-public + uses: aws-actions/amazon-ecr-login@v2 + with: + registry-type: public + - name: Install Helm uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 with: @@ -36,26 +51,26 @@ jobs: git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - ## This is required to consider the old Circle-CI Index and to stay compatible with all the old releases. - - name: Fetch current Chart Index - run: | - git checkout origin/gh-pages index.yaml + # ## This is required to consider the old Circle-CI Index and to stay compatible with all the old releases. + # - name: Fetch current Chart Index + # run: | + # git checkout origin/gh-pages index.yaml - # The GitHub repository secret `PGP_PRIVATE_KEY` contains the private key - # in ASCII-armored format. To export a (new) key, run this command: - # `gpg --armor --export-secret-key ` - - name: Prepare PGP key - run: | - IFS="" - echo "$PGP_PRIVATE_KEY" | gpg --dearmor > $HOME/secring.gpg - echo "$PGP_PASSPHRASE" > $HOME/passphrase.txt + # # The GitHub repository secret `PGP_PRIVATE_KEY` contains the private key + # # in ASCII-armored format. To export a (new) key, run this command: + # # `gpg --armor --export-secret-key ` + # - name: Prepare PGP key + # run: | + # IFS="" + # echo "$PGP_PRIVATE_KEY" | gpg --dearmor > $HOME/secring.gpg + # echo "$PGP_PASSPHRASE" > $HOME/passphrase.txt - # Tell chart-releaser-action where to find the key and its passphrase - echo "CR_KEYRING=$HOME/secring.gpg" >> "$GITHUB_ENV" - echo "CR_PASSPHRASE_FILE=$HOME/passphrase.txt" >> "$GITHUB_ENV" - env: - PGP_PRIVATE_KEY: "${{ secrets.PGP_PRIVATE_KEY }}" - PGP_PASSPHRASE: "${{ secrets.PGP_PASSPHRASE }}" + # # Tell chart-releaser-action where to find the key and its passphrase + # echo "CR_KEYRING=$HOME/secring.gpg" >> "$GITHUB_ENV" + # echo "CR_PASSPHRASE_FILE=$HOME/passphrase.txt" >> "$GITHUB_ENV" + # env: + # PGP_PRIVATE_KEY: "${{ secrets.PGP_PRIVATE_KEY }}" + # PGP_PASSPHRASE: "${{ secrets.PGP_PASSPHRASE }}" - name: Run chart-releaser uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 @@ -64,19 +79,23 @@ jobs: env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - name: Login to GHCR - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + # - name: Login to GHCR + # uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + # with: + # registry: ghcr.io + # username: ${{ github.actor }} + # password: ${{ secrets.GITHUB_TOKEN }} - name: Push chart to GHCR + env: + REGISTRY: ${{ steps.login-ecr-public.outputs.registry }} + REGISTRY_ALIAS: f1l2l1f6 run: | shopt -s nullglob for pkg in .cr-release-packages/*.tgz; do if [ -z "${pkg:-}" ]; then break fi - helm push "${pkg}" oci://ghcr.io/${{ github.repository }} - done + echo "pushing ${{ github.repository }}/${pkg}" + helm push "${pkg}" oci://public.ecr.aws/${REGISTRY_ALIAS}/${{ github.repository }} + done \ No newline at end of file diff --git a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml index c2d2a7713..264776f68 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml @@ -25,12 +25,6 @@ rules: - update - patch - delete -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - apiGroups: - "" resources: diff --git a/charts/argo-workflows/templates/controller/workflow-role.yaml b/charts/argo-workflows/templates/controller/workflow-role.yaml index 51050d0fa..f78589d8a 100644 --- a/charts/argo-workflows/templates/controller/workflow-role.yaml +++ b/charts/argo-workflows/templates/controller/workflow-role.yaml @@ -26,12 +26,6 @@ rules: verbs: - get - watch - - apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - apiGroups: - argoproj.io resources: