|
|
@@ -69,37 +69,7 @@ jobs:
|
|
|
- name: Run unitests
|
|
|
if: steps.list-changed.outputs.changed == 'true'
|
|
|
run: make helm.test
|
|
|
- check-release:
|
|
|
- permissions:
|
|
|
- contents: read
|
|
|
- outputs:
|
|
|
- release_exists: ${{ steps.check_release.outputs.release_exists }}
|
|
|
- runs-on: ubuntu-latest
|
|
|
- steps:
|
|
|
- - name: Harden the runner (Audit all outbound calls)
|
|
|
- uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
|
|
|
- with:
|
|
|
- egress-policy: audit
|
|
|
- - name: Checkout
|
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
- with:
|
|
|
- fetch-depth: 0
|
|
|
- - name: Check if release already exists
|
|
|
- id: check_release
|
|
|
- run: |
|
|
|
- release_version=$(yq .version deploy/charts/external-secrets/Chart.yaml)
|
|
|
- release_status=$(curl --silent -w "%{http_code}" --output /dev/null "https://api.github.com/repos/external-secrets/external-secrets/releases/tags/helm-chart-${release_version}")
|
|
|
- if [ $release_status -eq 200 ]; then
|
|
|
- echo "Release already exists"
|
|
|
- echo "release_exists='true'">> $GITHUB_OUTPUT
|
|
|
- else
|
|
|
- echo "Release does not exist"
|
|
|
- echo "release_exists='false'" >> $GITHUB_OUTPUT
|
|
|
- fi
|
|
|
release:
|
|
|
- needs:
|
|
|
- - check-release
|
|
|
- if: (needs.check-release.outputs.release_exists == 'false') && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-'))
|
|
|
permissions:
|
|
|
contents: write # for helm/chart-releaser-action to push chart release and create a release
|
|
|
packages: write # to push OCI chart package to GitHub Registry
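Review bot: Removing `needs: check-release` together with its `if:` also drops the branch guard, so the `release` job, which holds `contents: write` and `packages: write`, now runs for every ref that triggers this workflow; the `on:` block is outside the hunk, so whether that includes pull_request or non-release branch pushes cannot be confirmed here, but the guard was cheap and independent of the release-exists check that moved into the push step. I would keep `if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-')` on the job so a feature branch cannot create a GitHub release or push a chart to GHCR. The rest of the `release` job continues past the hunk.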
|
|
|
@@ -125,7 +95,7 @@ jobs:
|
|
|
- name: Set up Helm
|
|
|
uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # v3.4
|
|
|
with:
|
|
|
- version: v3.4.2
|
|
|
+ version: v3.17.3
|
|
|
|
|
|
- name: Generate chart
|
|
|
run: make helm.generate
|
|
|
@@ -152,7 +122,7 @@ jobs:
|
|
|
- name: Set up Helm
|
|
|
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
|
|
|
with:
|
|
|
- version: v3.14.2 # remember to also update for the first job (lint-and-test)
|
|
|
+ version: v3.17.3 # remember to also update for the first job (lint-and-test)
|
|
|
|
|
|
- name: Login to GHCR
|
|
|
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
|
|
@@ -170,13 +140,19 @@ jobs:
|
|
|
id: push_chart
|
|
|
run: |
|
|
|
shopt -s nullglob
|
|
|
+ # helm push fails when registry path contains Uppercase letters
|
|
|
+ chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
|
|
|
for pkg in .cr-release-packages/*.tgz; do
|
|
|
if [ -z "${pkg:-}" ]; then
|
|
|
break
|
|
|
fi
|
|
|
chart_name=$(helm show chart "${pkg}" | yq .name)
|
|
|
- # helm push fails when registry path contains Uppercase letters
|
|
|
- chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
|
|
|
+ chart_version=$(helm show chart "${pkg}" | yq .version)
|
|
|
+ if helm show chart oci://${chart_registry}/${chart_name} --version ${chart_version} > /dev/null 2>&1; then
|
|
|
+ echo "Chart oci://${chart_name}:${chart_version} already exists in repository - skipping..."
|
|
|
+ echo "push_status=skipped" >> "$GITHUB_OUTPUT"
|
|
|
+ continue
|
|
|
+ fi
|
|
|
|
|
|
helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1)
|
|
|
digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*')
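Review bot: `push_status` is appended to `$GITHUB_OUTPUT` on every loop iteration and GitHub keeps the last value written, so with more than one package in `.cr-release-packages` the status (like the `digest`, `chart_name` and `registry` outputs written later in the loop) reflects only the last chart: a chart that is pushed and then followed by a skipped one ends with `push_status=skipped` and the attestation step is not run for it. Writing the default once before the loop avoids the flip-back: `echo "push_status=skipped" >> "$GITHUB_OUTPUT"` ahead of `for pkg in .cr-release-packages/*.tgz; do`, with the skip branch reduced to the log line and `continue`. The existence probe also treats any `helm show chart` failure (registry auth, transient error) as "not present", which is acceptable only because `helm push` then fails loudly, but the OCI reference should be quoted like every other expansion in this script: `if helm show chart "oci://${chart_registry}/${chart_name}" --version "${chart_version}" > /dev/null 2>&1; then`. The `run:` body continues past the hunk.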
|
|
|
@@ -189,11 +165,13 @@ jobs:
|
|
|
--certificate-oidc-issuer https://token.actions.githubusercontent.com
|
|
|
|
|
|
echo "digest=${digest}" >> "$GITHUB_OUTPUT"
|
|
|
+ echo "push_status=pushed" >> "$GITHUB_OUTPUT"
|
|
|
echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT"
|
|
|
echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT"
|
|
|
done
|
|
|
|
|
|
- name: Generate provenance attestation and push to OCI registry
|
|
|
+ if: steps.push_chart.outputs.push_status == 'pushed'
|
|
|
uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
|
|
|
with:
|
|
|
push-to-registry: true
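Review bot: Gating the attestation on `push_status == 'pushed'` makes a partially failed release non-recoverable: if an earlier run pushed the chart but failed in the cosign invocation whose tail appears at the top of this hunk, or in this attestation step itself, a rerun now finds the tag in the registry, skips the push and therefore skips the attestation too, leaving an unsigned, unattested chart at that version with no way to repair it other than deleting the tag. Before treating an existing chart as done, the push step's skip branch should verify it (for example `cosign verify` with the same `--certificate-oidc-issuer` and identity against `oci://${chart_registry}/${chart_name}:${chart_version}`) and fail the job when the chart exists but is not signed, or record the existing digest so this step can still attest it. Any later step that reads this step's outputs (outside the hunk) also needs to tolerate the skipped case.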
|