Merge pull request #625 from klihub/devel/resource-annotator/cert-man… #378
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Package Helm charts | |
| on: | |
| push: | |
| tags: | |
| - v[0-9]+.[0-9]+.[0-9]+ | |
| branches: | |
| - main | |
| - release-* | |
| - test/build/* | |
| env: | |
| CHARTS_DIR: deployment/helm/ | |
| UNSTABLE_CHARTS: unstable-helm-charts | |
| REGISTRY: ghcr.io | |
| REGISTRY_USER: ${{ github.repository_owner }} | |
| REGISTRY_PATH: ${{ github.repository }} | |
| jobs: | |
| release: | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| - name: Import GPG key | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| id: import-gpg | |
| with: | |
| gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.BOT_PASSPHRASE }} | |
| - name: Export GPG private key | |
| run: | | |
| gpg --batch \ | |
| --yes \ | |
| --pinentry-mode loopback \ | |
| --passphrase ${{ secrets.BOT_PASSPHRASE }} \ | |
| --export-secret-keys ${{ secrets.BOT_GPG_ID }} \ | |
| > ~/.gnupg/secring.gpg | |
| - name: Verify GPG secret key file | |
| run: | | |
| if [ ! -f ~/.gnupg/secring.gpg ]; then | |
| echo "Error: GPG secret key file '~/.gnupg/secring.gpg' not found!" >&2 | |
| exit 1 | |
| fi | |
| - name: Install Helm | |
| uses: azure/setup-helm@v4.0.0 | |
| - name: Package Stable Helm Charts | |
| run: | | |
| find "$CHARTS_DIR" -name values.yaml | xargs -I '{}' \ | |
| sed -e s"/pullPolicy:.*/pullPolicy: IfNotPresent/" -i '{}' | |
| for chart in "$CHARTS_DIR"/*; do | |
| echo ${{ secrets.BOT_PASSPHRASE }} | \ | |
| helm package \ | |
| --sign \ | |
| --key ${{ steps.import-gpg.outputs.email }} \ | |
| --keyring ~/.gnupg/secring.gpg \ | |
| --version "$GITHUB_REF_NAME" \ | |
| --app-version "$GITHUB_REF_NAME" \ | |
| --passphrase-file "-" \ | |
| $chart; | |
| done | |
| find . -name '*.tgz' -print | while read SRC_FILE; do | |
| DEST_FILE=$(echo $SRC_FILE | sed 's/v/helm-chart-v/g') | |
| mv $SRC_FILE $DEST_FILE | |
| done | |
| - name: Upload Stable Helm Charts to GitHub Release | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| name: ${{ github.ref_name }} | |
| draft: true | |
| append_body: true | |
| files: | | |
| nri-*helm-chart*.tgz | |
| nri-*helm-chart*.tgz.prov | |
| unstable: | |
| if: ${{ !startsWith(github.ref, 'refs/tags/v') }} | |
| concurrency: | |
| group: unstable-helm-charts | |
| cancel-in-progress: false | |
| permissions: | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Deep Checkout | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Helm | |
| uses: azure/setup-helm@v4.0.0 | |
| - name: Package Unstable Helm Charts | |
| id: package-charts | |
| run: | | |
| # For unstable chart version we use: | |
| # - chart version: x.y-unstable derived from the latest tag x.y.z | |
| # - image version: 'unstable'. | |
| majmin="$(git describe --tags | sed -E 's/(v[0-9]*\.[0-9]*).*$/\1/')" | |
| CHART_VERSION="${majmin}-unstable" | |
| variant="" | |
| case $GITHUB_REF_NAME in | |
| main) | |
| APP_VERSION=unstable | |
| ;; | |
| release-*) | |
| APP_VERSION="${majmin}-unstable" | |
| ;; | |
| test/build/*) | |
| variant="${GITHUB_REF_NAME#test/build/}" | |
| variant="${variant//\//-}" | |
| tag="${majmin}-${variant}-unstable" | |
| APP_VERSION="${majmin}-${variant}-unstable" | |
| CHART_VERSION="${majmin}-${variant}-unstable" | |
| ;; | |
| esac | |
| echo "- Using APP_VERSION=$APP_VERSION" | |
| echo " CHART_VERSION=$CHART_VERSION" | |
| # Package charts | |
| find "$CHARTS_DIR" -name values.yaml | xargs -I '{}' \ | |
| sed -e s"/pullPolicy:.*/pullPolicy: Always/" -i '{}' | |
| orig="ghcr.io/containers/nri-plugins" | |
| repo="${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}" | |
| find "$CHARTS_DIR" -name values.yaml | xargs -I '{}' \ | |
| sed -e s"| name: $orig/| name: $repo/|g" -i '{}' | |
| helm package --version "$CHART_VERSION" --app-version "$APP_VERSION" "$CHARTS_DIR"/* | |
| find "$CHARTS_DIR" -name values.yaml | xargs -I '{}' \ | |
| git checkout '{}' | |
| mkdir ../$UNSTABLE_CHARTS | |
| find . -name '*.tgz' -print | while read SRC_FILE; do | |
| DEST_FILE=$(echo $SRC_FILE | sed 's/v/helm-chart-v/g') | |
| mv -v $SRC_FILE ../$UNSTABLE_CHARTS/$DEST_FILE | |
| done | |
| - name: Log In To Registry | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | \ | |
| helm registry login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin | |
| - name: Push Unstable Helm Charts To Registry | |
| shell: bash | |
| run: | | |
| # Notes: | |
| # Currently we only publish unstable Helm charts from main/HEAD. | |
| # We have no active cleanup of old unstable charts in place. In | |
| # between new tags unstable chart have the same version, though. | |
| pushd ../$UNSTABLE_CHARTS | |
| for i in ./*.tgz; do | |
| helm push $i oci://${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/helm-charts | |
| done | |
| popd |