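# Releases the policy-reporter Helm chart when a matching tag is pushed:
# packages and GPG-signs the chart with chart-releaser, pushes the package to
# GHCR as an OCI artifact, then signs the pushed digest with cosign.
name: release-chart

on:
  push:
    tags:
      - 'policy-reporter-chart-v*'

jobs:
  helm-chart:
    runs-on: ubuntu-latest
    permissions:
      # helm push / cosign write to ghcr.io.
      packages: write
      # chart-releaser runs with GITHUB_TOKEN as CR_TOKEN.
      contents: write
      # NOTE(review): no step below obviously needs this scope; confirm
      # before keeping it.
      pages: write
      # cosign is invoked without a key, i.e. keyless signing via OIDC.
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
        with:
          # Full history and tags instead of a shallow clone.
          fetch-depth: 0

      - name: Verify Helm Docs
        run: |
          set -e
          make verify-helm-docs

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Install Helm
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
        with:
          version: v3.16.1

      - name: Prepare GPG key
        run: |
          set -euo pipefail
          # Fail here, with a clear message, if a signing secret is missing.
          : "${GPG_KEYRING_BASE64:?GPG_KEYRING_BASE64 secret is empty}"
          : "${GPG_PASSPHRASE:?GPG_PASSPHRASE secret is empty}"
          # Keyring and passphrase files are created owner-only.
          umask 077
          gpg_dir=.cr-gpg
          mkdir "$gpg_dir"
          keyring="$gpg_dir/secring.gpg"
          base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring"
          passphrase_file="$gpg_dir/passphrase"
          # printf instead of echo: the value is never parsed as an option.
          printf '%s\n' "$GPG_PASSPHRASE" > "$passphrase_file"
          # Only the file paths are exported to later steps, not the secrets.
          echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV"
          echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
        env:
          # Secrets are handed to the script as environment variables rather
          # than expanded into the script text.
          GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}"
          GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}"

      - name: Run chart-releaser
        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
        id: cr
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          CR_KEY: "${{ secrets.CR_KEY }}"
          # Environment values are strings; quoted to make that explicit.
          CR_SIGN: "true"

      - name: Install Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Login to Github Packages
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set version
        run: |
          set -euo pipefail
          # The tag name is read from the runner-provided GITHUB_REF_NAME
          # variable. Expanding github.ref_name inside the script would paste
          # the tag text into the shell source before bash parses it.
          VERSION="${GITHUB_REF_NAME#policy-reporter-chart-v}"
          if [[ -z "$VERSION" ]]; then
            echo "tag '$GITHUB_REF_NAME' carries no version" >&2
            exit 1
          fi
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"

      - name: Push to OCI
        run: |
          set -euo pipefail
          # VERSION comes from the tag, so it is used as a quoted shell
          # variable and never as an inline expression.
          chart=".cr-release-packages/policy-reporter-${VERSION}.tgz"
          if ! output=$(helm push "$chart" \
            "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts" 2>&1); then
            # The output is captured, so surface it when the push fails.
            echo "$output" >&2
            exit 1
          fi
          # helm prints "Digest: sha256:<hex>"; keep only the value.
          digest=$(printf '%s\n' "$output" | sed -n 's/^Digest:[[:space:]]*//p')
          # Refuse to continue unless exactly one well-formed digest was
          # parsed; the signing step must reference the artifact just pushed.
          if [[ ! "$digest" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "could not parse a sha256 digest from helm push output" >&2
            echo "$output" >&2
            exit 1
          fi
          echo "CR_DIGEST=$digest"
          echo "CR_DIGEST=$digest" >> "$GITHUB_ENV"

      - name: Sign Chart
        run: |
          set -euo pipefail
          # Sign by digest (immutable), not by tag.
          cosign sign --yes \
            "ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts/policy-reporter@${CR_DIGEST}"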