name: Helm on: push: branches: - main - release-* paths: - 'deploy/charts/**' - 'deploy/crds/**' pull_request: paths: - 'deploy/charts/**' - 'deploy/crds/**' workflow_dispatch: {} permissions: contents: read jobs: lint-and-test: runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Generate chart run: | make helm.generate - name: Set up Helm uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 with: version: v3.14.2 # remember to also update for the second job (release) - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: 3.12 - name: Set up chart-testing uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 - name: Run chart-testing (list-changed) id: list-changed run: | changed=$(ct list-changed --config=.github/ci/ct.yaml) if [[ -n "$changed" ]]; then echo "changed=true" >> $GITHUB_OUTPUT fi - name: Install chart unittest run: | helm env helm plugin install https://github.com/helm-unittest/helm-unittest - name: Run chart-testing (lint) run: ct lint --config=.github/ci/ct.yaml - name: Create kind cluster uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) run: ct install --config=.github/ci/ct.yaml --charts deploy/charts/external-secrets if: steps.list-changed.outputs.changed == 'true' - name: Run unitests if: steps.list-changed.outputs.changed == 'true' run: make helm.test release: if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-') permissions: contents: write # for helm/chart-releaser-action to push chart release and create a release packages: write # to push OCI chart package to GitHub Registry id-token: write # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate attestations: write # this permission is necessary to persist the attestation runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Configure Git run: | git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Set up Helm uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # v3.4 with: version: v3.17.3 - name: Generate chart run: make helm.generate - name: Import GPG key run: | echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg echo -n "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt - name: Run chart-releaser uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0 env: CR_KEY: external-secrets CR_KEYRING: keyring.gpg CR_PASSPHRASE_FILE: passphrase-file.txt CR_SIGN: true CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}" with: charts_dir: deploy/charts skip_existing: true charts_repo_url: https://charts.external-secrets.io - name: Set up Helm uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 with: version: v3.17.3 # remember to also update for the first job (lint-and-test) - name: Login to GHCR uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Install cosign uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1 with: cosign-release: 'v2.4.1' - name: Push chart to GHCR id: push_chart run: | shopt -s nullglob # helm push fails when registry path contains Uppercase letters chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts" for pkg in .cr-release-packages/*.tgz; do if [ -z "${pkg:-}" ]; then break fi chart_name=$(helm show chart "${pkg}" | yq .name) chart_version=$(helm show chart "${pkg}" | yq .version) if helm show chart oci://${chart_registry}/${chart_name} --version ${chart_version} > /dev/null 2>&1; then echo "Chart oci://${chart_name}:${chart_version} already exists in repository - skipping..." echo "push_status=skipped" >> "$GITHUB_OUTPUT" continue fi helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1) digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*') echo "$helm_push_output" artifact_digest_uri="${chart_registry}/${chart_name}@${digest}" cosign sign --yes "$artifact_digest_uri" cosign verify "$artifact_digest_uri" \ --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \ --certificate-oidc-issuer https://token.actions.githubusercontent.com echo "digest=${digest}" >> "$GITHUB_OUTPUT" echo "push_status=pushed" >> "$GITHUB_OUTPUT" echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT" echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT" done - name: Generate provenance attestation and push to OCI registry if: steps.push_chart.outputs.push_status == 'pushed' uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: push-to-registry: true subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }} subject-digest: ${{ steps.push_chart.outputs.digest }}