logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179
							name: Helm

on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch: {}

permissions:
  contents: read

jobs:
  lint-and-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Generate chart
        run: |
          make helm.generate
      - name: Set up Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: v3.14.2 # remember to also update for the second job (release)

      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: 3.12

      - name: Set up chart-testing
        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0

      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --config=.github/ci/ct.yaml)
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> $GITHUB_OUTPUT
          fi
      - name: Run chart-testing (lint)
        run: ct lint --config=.github/ci/ct.yaml

      - name: Create kind cluster
        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
        if: steps.list-changed.outputs.changed == 'true'

      - name: Run chart-testing (install)
        run: ct install --config=.github/ci/ct.yaml --charts deploy/charts/external-secrets
        if: steps.list-changed.outputs.changed == 'true'

      - name: Run unitests
        if: steps.list-changed.outputs.changed == 'true'
        run: make helm.test
  release:
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: write  # for helm/chart-releaser-action to push chart release and create a release
      packages: write  # to push OCI chart package to GitHub Registry
      id-token: write  # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
      attestations: write # this permission is necessary to persist the attestation
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Set up Helm
        uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # v3.4
        with:
          version: v3.17.3

      - name: Generate chart
        run: make helm.generate

      - name: Import GPG key
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          gpg --dearmor --output keyring.gpg <(printf '%s' "$GPG_PRIVATE_KEY")
          chmod 600 keyring.gpg

          printf '%s' "$GPG_PASSPHRASE" > passphrase-file.txt
          chmod 600 passphrase-file.txt

      - name: Run chart-releaser
        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
        env:
          CR_KEY: external-secrets <external-secrets@external-secrets.io>
          CR_KEYRING: keyring.gpg
          CR_PASSPHRASE_FILE: passphrase-file.txt
          CR_SIGN: true
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
        with:
          charts_dir: deploy/charts
          skip_existing: true
          charts_repo_url: https://charts.external-secrets.io

      - name: Set up Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: v3.17.3 # remember to also update for the first job (lint-and-test)

      - name: Login to GHCR
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
        with:
          cosign-release: 'v3.0.2'

      - name: Push chart to GHCR
        id: push_chart
        run: |
          shopt -s nullglob
          # helm push fails when registry path contains Uppercase letters
          chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
          for pkg in .cr-release-packages/*.tgz; do
            if [ -z "${pkg:-}" ]; then
              break
            fi
            chart_name=$(helm show chart "${pkg}" | yq .name)
            chart_version=$(helm show chart "${pkg}" | yq .version)
            if helm show chart oci://${chart_registry}/${chart_name} --version ${chart_version} > /dev/null 2>&1; then
              echo "Chart oci://${chart_name}:${chart_version} already exists in repository - skipping..."
              echo "push_status=skipped" >> "$GITHUB_OUTPUT"
              continue
            fi

            helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1)
            digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*')
            echo "$helm_push_output"

            artifact_digest_uri="${chart_registry}/${chart_name}@${digest}"
            cosign sign --yes --new-bundle-format=false --use-signing-config=false "$artifact_digest_uri"
            cosign verify --new-bundle-format=false "$artifact_digest_uri" \
                --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/.*" \
                --certificate-oidc-issuer https://token.actions.githubusercontent.com

            echo "digest=${digest}" >> "$GITHUB_OUTPUT"
            echo "push_status=pushed" >> "$GITHUB_OUTPUT"
            echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT"
            echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT"
          done

      - name: Generate provenance attestation and push to OCI registry
        if: steps.push_chart.outputs.push_status == 'pushed'
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          push-to-registry: true
          subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }}
          subject-digest: ${{ steps.push_chart.outputs.digest }}