| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179 |
- name: Helm
- on:
- push:
- branches:
- - main
- paths:
- - 'deploy/charts/**'
- - 'deploy/crds/**'
- pull_request:
- paths:
- - 'deploy/charts/**'
- - 'deploy/crds/**'
- workflow_dispatch: {}
- permissions:
- contents: read
- jobs:
- lint-and-test:
- runs-on: ubuntu-latest
- steps:
- - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
- with:
- egress-policy: audit
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- fetch-depth: 0
- - name: Generate chart
- run: |
- make helm.generate
- - name: Set up Helm
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
- with:
- version: v3.14.2 # remember to also update for the second job (release)
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
- with:
- python-version: 3.12
- - name: Set up chart-testing
- uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
- - name: Run chart-testing (list-changed)
- id: list-changed
- run: |
- changed=$(ct list-changed --config=.github/ci/ct.yaml)
- if [[ -n "$changed" ]]; then
- echo "changed=true" >> $GITHUB_OUTPUT
- fi
- - name: Install chart unittest
- run: |
- helm env
- helm plugin install https://github.com/helm-unittest/helm-unittest
- - name: Run chart-testing (lint)
- run: ct lint --config=.github/ci/ct.yaml
- - name: Create kind cluster
- uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
- if: steps.list-changed.outputs.changed == 'true'
- - name: Run chart-testing (install)
- run: ct install --config=.github/ci/ct.yaml --charts deploy/charts/external-secrets
- if: steps.list-changed.outputs.changed == 'true'
- - name: Run unitests
- if: steps.list-changed.outputs.changed == 'true'
- run: make helm.test
- release:
- if: github.ref == 'refs/heads/main'
- permissions:
- contents: write # for helm/chart-releaser-action to push chart release and create a release
- packages: write # to push OCI chart package to GitHub Registry
- id-token: write # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
- attestations: write # this permission is necessary to persist the attestation
- runs-on: ubuntu-latest
- steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
- with:
- egress-policy: audit
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- fetch-depth: 0
- - name: Configure Git
- run: |
- git config user.name "$GITHUB_ACTOR"
- git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- - name: Set up Helm
- uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # v3.4
- with:
- version: v3.17.3
- - name: Generate chart
- run: make helm.generate
- - name: Import GPG key
- run: |
- echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
- echo -n "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
- - name: Run chart-releaser
- uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
- env:
- CR_KEY: external-secrets <external-secrets@external-secrets.io>
- CR_KEYRING: keyring.gpg
- CR_PASSPHRASE_FILE: passphrase-file.txt
- CR_SIGN: true
- CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
- with:
- charts_dir: deploy/charts
- skip_existing: true
- charts_repo_url: https://charts.external-secrets.io
- - name: Set up Helm
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
- with:
- version: v3.17.3 # remember to also update for the first job (lint-and-test)
- - name: Login to GHCR
- uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: Install cosign
- uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
- with:
- cosign-release: 'v2.4.1'
- - name: Push chart to GHCR
- id: push_chart
- run: |
- shopt -s nullglob
- # helm push fails when registry path contains Uppercase letters
- chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
- for pkg in .cr-release-packages/*.tgz; do
- if [ -z "${pkg:-}" ]; then
- break
- fi
- chart_name=$(helm show chart "${pkg}" | yq .name)
- chart_version=$(helm show chart "${pkg}" | yq .version)
- if helm show chart oci://${chart_registry}/${chart_name} --version ${chart_version} > /dev/null 2>&1; then
- echo "Chart oci://${chart_name}:${chart_version} already exists in repository - skipping..."
- echo "push_status=skipped" >> "$GITHUB_OUTPUT"
- continue
- fi
- helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1)
- digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*')
- echo "$helm_push_output"
- artifact_digest_uri="${chart_registry}/${chart_name}@${digest}"
- cosign sign --yes "$artifact_digest_uri"
- cosign verify "$artifact_digest_uri" \
- --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \
- --certificate-oidc-issuer https://token.actions.githubusercontent.com
- echo "digest=${digest}" >> "$GITHUB_OUTPUT"
- echo "push_status=pushed" >> "$GITHUB_OUTPUT"
- echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT"
- echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT"
- done
- - name: Generate provenance attestation and push to OCI registry
- if: steps.push_chart.outputs.push_status == 'pushed'
- uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
- with:
- push-to-registry: true
- subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }}
- subject-digest: ${{ steps.push_chart.outputs.digest }}
|
