-
Notifications
You must be signed in to change notification settings - Fork 42
69 lines (68 loc) · 2.67 KB
/
chart-publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# SPDX-FileCopyrightText: Copyright 2023 The Minder Authors
# SPDX-License-Identifier: Apache-2.0
# Post-submit and daily build and publish of the Helm chart and Docker container
# This is a separate workflow than image-build.yml because image-build.yml is
# run in the PR context, and those runs aren't allowed package:write permissions if
# the source is a fork(GitHub errors and invalidates the entire workflow if you try).
name: Publish Helm Chart
on:
push:
branches:
- main
schedule:
# Weekdays at noon GMT
- cron: '00 12 * * 1-5'
jobs:
check-helm:
name: Build Helm chart
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # To sign the provenance.
env:
BASE_REPO: "ghcr.io/mindersec/minder"
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: 'go.mod'
- uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
with:
version: v0.16.0
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
version: v3.12.2
- name: Compute version number
id: version-string
run: |
DATE="$(date +%Y%m%d)"
COMMIT="$(git rev-parse --short HEAD)"
echo "tag=0.$DATE.$GITHUB_RUN_NUMBER+ref.$COMMIT" >> "$GITHUB_OUTPUT"
- name: Build images and Helm Chart
run: |
KO_DOCKER_REPO=$BASE_REPO make helm
env:
KO_PUSH_IMAGE: "true"
HELM_PACKAGE_VERSION: "${{ steps.version-string.outputs.tag }}"
- name: Helm Login
# ko can pick up tokens ambiently from the GitHub Actions environment, but
# Helm needs explicit login
run: |
helm registry login $BASE_REPO --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }}
- name: Push Helm Chart
run: |
cd deployment/helm
helm push minder-*.tgz oci://$BASE_REPO/helm
- name: Sign the published helm chart and ko image
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: |
# Sign the ko image
cosign sign --yes $BASE_REPO/server
# Sign the helm chart
cosign sign --yes $BASE_REPO/helm/minder:$(echo "${{ steps.version-string.outputs.tag }}" | sed 's/+/_/g')