update-chart #57

Workflow file for this run

.github/workflows/update-charts.yml at 311f0a9

	name: Update helm charts

	on:
	repository_dispatch:
	types: [update-chart]

	jobs:
	check-update-type:
	name: Detect update type
	runs-on: ubuntu-latest
	outputs:
	update_type: ${{ steps.check_update_type.outputs.update_type }}
	repository: ${{ steps.check_update_type.outputs.repository }}
	prerelease: ${{ steps.check_update_type.outputs.prerelease }}
	steps:
	- name: Validate payload
	uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
	with:
	script: \|
	let repository = context.payload.client_payload.repository
	if (!repository.endsWith("kubewarden-controller") && !repository.endsWith("policy-server") && !repository.endsWith("kwctl") && !repository.endsWith("audit-scanner")) {
	core.setFailed("Invalid repository")
	}

	- name: Install semver comparison tool
	run: \|
	INSTALL_DIR=$HOME/.semver
	mkdir -p $INSTALL_DIR
	wget -O $INSTALL_DIR/semver https://github.com/fsaintjacques/semver-tool/raw/3.4.0/src/semver
	chmod +x $INSTALL_DIR/semver
	echo $INSTALL_DIR >> $GITHUB_PATH

	- name: Check if it is a patch update
	id: check_update_type
	run: \|
	OLDVERSION=${{github.event.client_payload.oldVersion}}
	NEWVERSION=${{github.event.client_payload.version}}
	REPOSITORY=${{github.event.client_payload.repository}}

	VALID=$(semver validate $OLDVERSION)
	if [[ $VALID == "invalid" ]]; then
	exit 1
	fi

	VALID=$(semver validate $NEWVERSION)
	if [[ $VALID == "invalid" ]]; then
	exit 1
	fi
	UPDATE_TYPE=$(semver diff $OLDVERSION $NEWVERSION)
	PRERELEASE_SUFFIX="-$(semver get prerelease $NEWVERSION)"
	if [[ $PRERELEASE_SUFFIX == "-" ]];then
	PRERELEASE_SUFFIX=" "
	fi


	echo "update_type=$UPDATE_TYPE" >> $GITHUB_OUTPUT
	echo "repository=$REPOSITORY" >> $GITHUB_OUTPUT
	echo "prerelease=$PRERELEASE_SUFFIX" >> $GITHUB_OUTPUT

	patch-update:
	name: Patch release updates
	runs-on: ubuntu-latest
	needs:
	- check-update-type
	if: needs.check-update-type.outputs.update_type == 'patch' && !endsWith(needs.check-update-type.outputs.repository, 'kwctl')
	permissions:
	contents: write
	pull-requests: write
	steps:
	- name: Set environment variables
	uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
	with:
	script: \|
	core.exportVariable("UPDATECLI_GITHUB_OWNER", context.repo["owner"])
	core.exportVariable("UPDATECLI_CHART_VERSION", context.payload.client_payload.version)

	- name: Checkout
	uses: actions/checkout@v4

	- name: Download CRDS controller
	if: endsWith(github.event.client_payload.repository, 'kubewarden-controller')
	uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
	with:
	script: \|
	let repository = context.payload.client_payload.repository
	if (repository.endsWith("kubewarden-controller")) {
	let crds_asset_id = context.payload.client_payload.crds_asset_id
	console.log(`Fetching asset ID: ${crds_asset_id}`)
	let repository_split = context.payload.client_payload.repository.split("/")
	let owner = repository_split[0]
	let repository = repository_split[1]
	let asset = await github.rest.repos.getReleaseAsset({
	owner: owner, repo: repository, asset_id: crds_asset_id, headers:{
	accept: "application/octet-stream"},
	})
	let fs = require('fs');
	fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data))
	}

	- name: Download CRDS audit-scanner
	if: endsWith(github.event.client_payload.repository, 'audit-scanner')
	uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
	with:
	script: \|
	let repository = context.payload.client_payload.repository
	if (repository.endsWith("audit-scanner")) {
	let crds_asset_id = context.payload.client_payload.crds_asset_id
	console.log(`Fetching asset ID: ${crds_asset_id}`)
	let repository_split = context.payload.client_payload.repository.split("/")
	let owner = repository_split[0]
	let repository = repository_split[1]
	let asset = await github.rest.repos.getReleaseAsset({
	owner: owner, repo: repository, asset_id: crds_asset_id, headers:{
	accept: "application/octet-stream"},
	})
	let fs = require('fs');
	fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data))
	}

	- name: Update CRDs
	if: endsWith(github.event.client_payload.repository, 'kubewarden-controller') \|\| endsWith(github.event.client_payload.repository, 'audit-scanner')
	id: update_crds
	run: \|
	# The next commands are use in the updatecli/scripts/install_crds.sh as well.
	# Here the commands are used to detect CRDs changes. In the script they are used
	# to install the CRDs
	tar -xvf /tmp/crds-controller.tar.gz
	find . -maxdepth 1 -name "_policyserver" -exec mv \{\} charts/kubewarden-crds/templates/policyservers.yaml \;
	find . -maxdepth 1 -name "_admissionpolicies" -exec mv \{\} charts/kubewarden-crds/templates/admissionpolicies.yaml \;
	find . -maxdepth 1 -name "_clusteradmissionpolicies" -exec mv \{\} charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \;

	tar -xvf /tmp/crds-audit-scanner.tar.gz
	find . -maxdepth 1 -name "_clusterpolicyreports" -exec mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \;
	find . -maxdepth 1 -name "_policyreports" -exec mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \;

	set +e
	git diff --exit-code --no-patch charts/kubewarden-crds
	echo "must_update_crds_chart=$?" >> $GITHUB_OUTPUT

	- name: Install Updatecli in the runner
	uses: updatecli/updatecli-action@e0a352905ddb198fc7b068935133776c646465f9 # v2.39.0

	- name: Update kubewarden-defaults Helm chart
	if: endsWith(github.event.client_payload.repository, 'policy-server')
	env:
	UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-defaults.yaml --values updatecli/values.yaml"

	- name: Update kubewarden-controller Helm chart with no CRDs update
	if: endsWith(github.event.client_payload.repository, 'kubewarden-controller') && steps.update_crds.outputs.must_update_crds_chart==0
	env:
	UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-controller.yaml --values updatecli/values.yaml"

	- name: Update kubewarden-controller Helm chart with CRDs update
	if: endsWith(github.event.client_payload.repository, 'kubewarden-controller') && steps.update_crds.outputs.must_update_crds_chart!=0
	env:
	UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml --values updatecli/values.yaml"

	major-minor-prerelease-update:
	name: Major or minor release updates
	runs-on: ubuntu-latest
	needs:
	- check-update-type
	if: needs.check-update-type.outputs.update_type == 'major' \|\| needs.check-update-type.outputs.update_type == 'minor' \|\| needs.check-update-type.outputs.update_type == 'prerelease'
	steps:
	- name: Checkout
	uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

	- name: Check if all components has a release with the same tag
	uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
	with:
	script: \|
	let repository_split = context.payload.client_payload.repository.split("/")
	let owner = repository_split[0]
	const version = context.payload.client_payload.version
	let repos = ['kubewarden-controller', 'policy-server', 'kwctl', 'audit-scanner']

	for (const repo of repos) {
	try {
	await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,})
	} catch (e) {
	core.setFailed(`${repo} is missing a release for the tag ${version}`)
	}
	}

	- name: Check if CRD are available in the Kubewarden controller
	id: download_crds_controller
	uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
	with:
	script: \|
	let repository_split = context.payload.client_payload.repository.split("/")
	let owner = repository_split[0]
	let repository = repository_split[1]
	let crds_asset_id = null
	const controller_repo = "kubewarden-controller"
	const version = context.payload.client_payload.version
	const crds_tarball = "CRDS.tar.gz"

	if (repository === controller_repo) {
	crds_asset_id = context.payload.client_payload.crds_asset_id
	} else {
	crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: controller_repo, tag: version,}).then((response) => {
	for (const file of response.data.assets) {
	if (file.name == crds_tarball) {
	return file.id;
	}
	}
	return null;
	}, (failedResponse) => {
	consolog.log("FAILED")
	return null;
	});
	}
	console.log(`Fetching asset ID: ${crds_asset_id}`)
	if (typeof(crds_asset_id) === "number") {
	let asset = await github.rest.repos.getReleaseAsset({
	owner: owner, repo: controller_repo, asset_id: crds_asset_id, headers:{
	accept: "application/octet-stream"},
	})
	let fs = require('fs');
	fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data))
	console.log(`${crds_tarball} downloaded successfully`)
	} else {
	core.warning(`Aborting chart update: no ${crds_tarball} found. This is expected if the release process in the controller repository is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`)
	core.setFailed("No CRDs tarball found")
	}

	- name: Check if CRD are available in the audit scanner
	id: download_crds_audit_scanner
	uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
	with:
	script: \|
	let repository_split = context.payload.client_payload.repository.split("/")
	let owner = repository_split[0]
	let repository = repository_split[1]
	let crds_asset_id = null
	const audit_scanner_repo = "audit-scanner"
	const version = context.payload.client_payload.version
	const crds_tarball = "CRDS.tar.gz"

	if (repository === audit_scanner_repo) {
	crds_asset_id = context.payload.client_payload.crds_asset_id
	} else {
	crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: audit_scanner_repo, tag: version,}).then((response) => {
	for (const file of response.data.assets) {
	if (file.name == crds_tarball) {
	return file.id;
	}
	}
	return null;
	}, (failedResponse) => {
	consolog.log("FAILED")
	return null;
	});
	}
	console.log(`Fetching asset ID: ${crds_asset_id}`)
	if (typeof(crds_asset_id) === "number") {
	let asset = await github.rest.repos.getReleaseAsset({
	owner: owner, repo: audit_scanner_repo, asset_id: crds_asset_id, headers:{
	accept: "application/octet-stream"},
	})
	let fs = require('fs');
	fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data))
	console.log(`${crds_tarball} downloaded successfully`)
	} else {
	core.warning(`Aborting chart update: no ${crds_tarball} found. This is expected if the release process in the audit-scanner repository is still running. Otherwise, check why the release does not contains the CRDs tarball`)
	core.setFailed("No CRDs tarball found")
	}

	- name: Update CRDS
	id: update_crds
	run: \|
	# The next commands are used in the updatecli/scripts/install_crds.sh as well.
	# Here the commands are used to detect CRDs changes. In the script they are used
	# to install the CRDs
	tar -xvf /tmp/crds-controller.tar.gz
	find . -maxdepth 1 -name "_policyserver" -exec mv \{\} charts/kubewarden-crds/templates/policyservers.yaml \;
	find . -maxdepth 1 -name "_admissionpolicies" -exec mv \{\} charts/kubewarden-crds/templates/admissionpolicies.yaml \;
	find . -maxdepth 1 -name "_clusteradmissionpolicies" -exec mv \{\} charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \;

	tar -xvf /tmp/crds-audit-scanner.tar.gz
	find . -maxdepth 1 -name "_clusterpolicyreports" -exec mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \;
	find . -maxdepth 1 -name "_policyreports" -exec mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \;
	# add the if statement to allow users to skip the reports CRDs installation
	sed -i '1 i {{- if .Values.installPolicyReportCRDs }}' charts/kubewarden-crds/templates/clusterpolicyreports.yaml
	sed -i '$ a {{ end }}' charts/kubewarden-crds/templates/clusterpolicyreports.yaml
	sed -i '1 i {{- if .Values.installPolicyReportCRDs }}' charts/kubewarden-crds/templates/policyreports.yaml
	sed -i '$ a {{ end }}' charts/kubewarden-crds/templates/policyreports.yaml

	set +e
	git diff --exit-code --no-patch charts/kubewarden-crds
	echo "must_update_crds_chart=$?" >> $GITHUB_OUTPUT

	- name: Install Updatecli in the runner
	uses: updatecli/updatecli-action@e0a352905ddb198fc7b068935133776c646465f9 # v2.39.0

	- name: Major or minor update Kubewarden charts with NO CRDs update
	if: steps.update_crds.outputs.must_update_crds_chart==0 && (needs.check-update-type.outputs.update_type == 'major' \|\| needs.check-update-type.outputs.update_type == 'minor')
	env:
	UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }}
	UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }}
	UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
	UPDATECLI_CHART_VERSION: ${{ github.event.client_payload.version }}
	run: "updatecli apply --config ./updatecli/updatecli.d/major-kubewarden-update.yaml --values updatecli/values.yaml"

	- name: Major or minor update Kubewarden charts WITH CRDs update
	if: steps.update_crds.outputs.must_update_crds_chart==1 && (needs.check-update-type.outputs.update_type == 'major' \|\| needs.check-update-type.outputs.update_type == 'minor')
	env:
	UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }}
	UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }}
	UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
	UPDATECLI_CHART_VERSION: ${{ github.event.client_payload.version }}
	run: "updatecli apply --config ./updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml --values updatecli/values.yaml"

	- name: Prerelease update Kubewarden charts with NO CRDs update
	if: steps.update_crds.outputs.must_update_crds_chart==0 && needs.check-update-type.outputs.update_type == 'prerelease'
	env:
	UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }}
	UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }}
	UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
	UPDATECLI_CHART_VERSION: ${{ github.event.client_payload.version }}
	run: "updatecli apply --config ./updatecli/updatecli.d/prerelease-kubewarden-update.yaml --values updatecli/values.yaml"

	- name: Prerelease update Kubewarden charts WITH CRDs update
	if: steps.update_crds.outputs.must_update_crds_chart==1 && needs.check-update-type.outputs.update_type == 'prerelease'
	env:
	UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }}
	UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }}
	UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }}
	UPDATECLI_CHART_VERSION: ${{ github.event.client_payload.version }}
	run: "updatecli apply --config ./updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml --values updatecli/values.yaml"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

update-chart #57

Workflow file

update-chart #57

Jobs

Run details

Workflow file for this run