name: helm-release

permissions: {}

on:
  push:
    tags:
      - 'kyverno-chart-v*'
      - 'kyverno-policies-chart-v*'
      - 'kyverno-chart-*'
      - 'kyverno-policies-chart-*'

jobs:
  helm-tests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup caches
        uses: ./.github/actions/setup-caches
        timeout-minutes: 5
        continue-on-error: true
      - name: Setup build env
        uses: ./.github/actions/setup-build-env
        timeout-minutes: 10
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
        with:
          python-version: 3.7
      - name: Set up chart-testing
        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
      - name: Run chart-testing (lint)
        run: ct lint --target-branch=main --check-version-increment=false --validate-maintainers=false

  linter-artifacthub:
    runs-on: ubuntu-latest
    container:
      image: artifacthub/ah
      options: --user root
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Run ah lint
        working-directory: ./charts/
        run: ah lint

  create-release:
    runs-on: ubuntu-latest
    needs: helm-tests
    permissions:
      contents: write
      packages: write
      id-token: write 
      pages: write
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup caches
        uses: ./.github/actions/setup-caches
        timeout-minutes: 5
        continue-on-error: true
      - name: Setup build env
        uses: ./.github/actions/setup-build-env
        timeout-minutes: 10

      - name: Install Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: v3.10.3

      - name: Install Cosign
        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0

      - name: Set version
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

      - name: Create charts tmp directory
        run: |
          mkdir charts-tmp
          if [[ "$RELEASE_VERSION" = "kyverno-policies-chart-v"* ]]; then
            cp -a charts/kyverno-policies charts-tmp/kyverno-policies
          fi
          if [[ "$RELEASE_VERSION" = "kyverno-chart-v"* ]]; then
            cp -a charts/kyverno charts-tmp/kyverno
          fi
          if [[ "$RELEASE_VERSION" = "kyverno-policies-chart-"* ]]; then
            cp -a charts/kyverno-policies charts-tmp/kyverno-policies
          fi
          if [[ "$RELEASE_VERSION" = "kyverno-chart-"* ]]; then
            cp -a charts/kyverno charts-tmp/kyverno
          fi

      - name: Run chart-releaser
        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 #v1.7.0
        with:
          token: "${{ secrets.GITHUB_TOKEN }}"
          linting: off
          charts_dir: charts-tmp

      - name: Login to GitHub Container Registry
        run: |
          helm registry login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
      
      - name: Publish OCI Charts
        run: |
          for dir in `find charts-tmp -maxdepth 1 -mindepth 1 -type d -print`; do
            chart=${dir##*/}
            echo "Found chart: ${chart}"
            helm package charts-tmp/${chart} --destination .dist
            helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts |& tee .digest
            cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
            cosign sign --yes ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
          done