1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-15 17:51:01 +00:00
external-secrets/.github/workflows/helm.yml
dependabot[bot] 70a2661bf1
chore(deps): bump actions/attest-build-provenance from 1.4.4 to 2.0.1 (#4189)
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.4.4 to 2.0.1.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](ef244123eb...c4fbc64884)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-12-09 10:41:02 +01:00

164 lines
5.9 KiB
YAML

name: Helm
on:
push:
branches:
- main
- release-*
paths:
- 'deploy/charts/**'
- 'deploy/crds/**'
pull_request:
paths:
- 'deploy/charts/**'
- 'deploy/crds/**'
workflow_dispatch: {}
permissions:
contents: read
jobs:
lint-and-test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Generate chart
run: |
make helm.generate
- name: Set up Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: v3.14.2 # remember to also update for the second job (release)
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: 3.7
- name: Set up chart-testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --config=.github/ci/ct.yaml)
if [[ -n "$changed" ]]; then
echo "changed=true" >> $GITHUB_OUTPUT
fi
- name: Install chart unittest
run: |
helm env
helm plugin install https://github.com/helm-unittest/helm-unittest
- name: Run chart-testing (lint)
run: ct lint --config=.github/ci/ct.yaml
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
if: steps.list-changed.outputs.changed == 'true'
- name: Run chart-testing (install)
run: ct install --config=.github/ci/ct.yaml --charts deploy/charts/external-secrets
if: steps.list-changed.outputs.changed == 'true'
- name: Run unitests
if: steps.list-changed.outputs.changed == 'true'
run: make helm.test
release:
permissions:
contents: write # for helm/chart-releaser-action to push chart release and create a release
packages: write # to push OCI chart package to GitHub Registry
id-token: write # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
attestations: write # this permission is necessary to persist the attestation
runs-on: ubuntu-latest
if: |
github.ref == 'refs/heads/main' ||
startsWith(github.ref, 'refs/heads/release-')
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Set up Helm
uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # v3.4
with:
version: v3.4.2
- name: Generate chart
run: make helm.generate
- name: Import GPG key
run: |
echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
echo -n "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
- name: Run chart-releaser
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env:
CR_KEY: external-secrets <external-secrets@external-secrets.io>
CR_KEYRING: keyring.gpg
CR_PASSPHRASE_FILE: passphrase-file.txt
CR_SIGN: true
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
with:
charts_dir: deploy/charts
skip_existing: true
charts_repo_url: https://charts.external-secrets.io
- name: Set up Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: v3.14.2 # remember to also update for the first job (lint-and-test)
- name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
cosign-release: 'v2.4.1'
- name: Push chart to GHCR
id: push_chart
run: |
shopt -s nullglob
for pkg in .cr-release-packages/*.tgz; do
if [ -z "${pkg:-}" ]; then
break
fi
chart_name=$(helm show chart "${pkg}" | yq .name)
# helm push fails when registry path contains Uppercase letters
chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1)
digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*')
echo "$helm_push_output"
artifact_digest_uri="${chart_registry}/${chart_name}@${digest}"
cosign sign --yes "$artifact_digest_uri"
cosign verify "$artifact_digest_uri" \
--certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
echo "digest=${digest}" >> "$GITHUB_OUTPUT"
echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT"
echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT"
done
- name: Generate provenance attestation and push to OCI registry
uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
with:
push-to-registry: true
subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }}
subject-digest: ${{ steps.push_chart.outputs.digest }}