Главная Обзор Помощь
Вход
logic855
/
helm-external-secrets
зеркало из https://github.com/external-secrets/external-secrets
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: ed2ca48ef6
Ветки Метки
helm-externa...
/
.github
/
workflows
/
helm.yml

helm.yml 7.4 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201 
  1. name: Helm
    2. 

  2. 

  3. on:
    4. 

  4.   push:
    5. 

  5.     branches:
    6. 

  6.       - main
    7. 

  7.       - release-*
    8. 

  8.     paths:
    9. 

  9.       - 'deploy/charts/**'
    10. 

  10.       - 'deploy/crds/**'
    11. 

  11.   pull_request:
    12. 

  12.     paths:
    13. 

  13.       - 'deploy/charts/**'
    14. 

  14.       - 'deploy/crds/**'
    15. 

  15.   workflow_dispatch: {}
    16. 

  16. 

  17. permissions:
    18. 

  18.   contents: read
    19. 

  19. 

  20. jobs:
    21. 

  21.   lint-and-test:
    22. 

  22.     runs-on: ubuntu-latest
    23. 

  23.     steps:
    24. 

  24.       - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
    25. 

  25.         with:
    26. 

  26.           egress-policy: audit
    27. 

  27.       - name: Checkout
    28. 

  28.         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    29. 

  29.         with:
    30. 

  30.           fetch-depth: 0
    31. 

  31. 

  32.       - name: Generate chart
    33. 

  33.         run: |
    34. 

  34.           make helm.generate
    35. 

  35.       - name: Set up Helm
    36. 

  36.         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
    37. 

  37.         with:
    38. 

  38.           version: v3.14.2 # remember to also update for the second job (release)
    39. 

  39. 

  40.       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
    41. 

  41.         with:
    42. 

  42.           python-version: 3.12
    43. 

  43. 

  44.       - name: Set up chart-testing
    45. 

  45.         uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
    46. 

  46. 

  47.       - name: Run chart-testing (list-changed)
    48. 

  48.         id: list-changed
    49. 

  49.         run: |
    50. 

  50.           changed=$(ct list-changed --config=.github/ci/ct.yaml)
    51. 

  51.           if [[ -n "$changed" ]]; then
    52. 

  52.             echo "changed=true" >> $GITHUB_OUTPUT
    53. 

  53.           fi
    54. 

  54.       - name: Install chart unittest
    55. 

  55.         run: |
    56. 

  56.           helm env
    57. 

  57.           helm plugin install https://github.com/helm-unittest/helm-unittest
    58. 

  58.       - name: Run chart-testing (lint)
    59. 

  59.         run: ct lint --config=.github/ci/ct.yaml
    60. 

  60. 

  61.       - name: Create kind cluster
    62. 

  62.         uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
    63. 

  63.         if: steps.list-changed.outputs.changed == 'true'
    64. 

  64. 

  65.       - name: Run chart-testing (install)
    66. 

  66.         run: ct install --config=.github/ci/ct.yaml --charts deploy/charts/external-secrets
    67. 

  67.         if: steps.list-changed.outputs.changed == 'true'
    68. 

  68. 

  69.       - name: Run unitests
    70. 

  70.         if: steps.list-changed.outputs.changed == 'true'
    71. 

  71.         run: make helm.test
    72. 

  72.   check-release:
    73. 

  73.     permissions:
    74. 

  74.         contents: read
    75. 

  75.     outputs:
    76. 

  76.       release_exists: ${{ steps.check_release.outputs.release_exists }}
    77. 

  77.     runs-on: ubuntu-latest
    78. 

  78.     steps:
    79. 

  79.       - name: Harden the runner (Audit all outbound calls)
    80. 

  80.         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
    81. 

  81.         with:
    82. 

  82.           egress-policy: audit
    83. 

  83.       - name: Checkout
    84. 

  84.         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    85. 

  85.         with:
    86. 

  86.           fetch-depth: 0
    87. 

  87.       - name: Check if release already exists
    88. 

  88.         id: check_release
    89. 

  89.         run: |
    90. 

  90.           release_version=$(yq .version deploy/charts/external-secrets/Chart.yaml)
    91. 

  91.           release_status=$(curl --silent -w "%{http_code}" --output /dev/null "https://api.github.com/repos/external-secrets/external-secrets/releases/tags/helm-chart-${release_version}")
    92. 

  92.           if [ $release_status -eq 200 ]; then
    93. 

  93.             echo "Release already exists"
    94. 

  94.             echo "release_exists='true'">> $GITHUB_OUTPUT
    95. 

  95.           else 
    96. 

  96.             echo "Release does not exist"
    97. 

  97.             echo "release_exists='false'" >> $GITHUB_OUTPUT
    98. 

  98.           fi
    99. 

  99.   release:
    100. 

  100.     needs:
    101. 

  101.       - check-release
    102. 

  102.     if: needs.check-release.outputs.release_exists == 'false' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-'))
    103. 

  103.     permissions:
    104. 

  104.       contents: write  # for helm/chart-releaser-action to push chart release and create a release
    105. 

  105.       packages: write  # to push OCI chart package to GitHub Registry
    106. 

  106.       id-token: write  # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
    107. 

  107.       attestations: write # this permission is necessary to persist the attestation
    108. 

  108.     runs-on: ubuntu-latest
    109. 

  109.     steps:
    110. 

  110.       - name: Harden the runner (Audit all outbound calls)
    111. 

  111.         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
    112. 

  112.         with:
    113. 

  113.           egress-policy: audit
    114. 

  114. 

  115.       - name: Checkout
    116. 

  116.         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    117. 

  117.         with:
    118. 

  118.           fetch-depth: 0
    119. 

  119. 

  120.       - name: Configure Git
    121. 

  121.         run: |
    122. 

  122.           git config user.name "$GITHUB_ACTOR"
    123. 

  123.           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
    124. 

  124. 

  125.       - name: Set up Helm
    126. 

  126.         uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # v3.4
    127. 

  127.         with:
    128. 

  128.           version: v3.4.2
    129. 

  129. 

  130.       - name: Generate chart
    131. 

  131.         run: make helm.generate
    132. 

  132. 

  133.       - name: Import GPG key
    134. 

  134.         run: |
    135. 

  135.           echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
    136. 

  136.           echo -n "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
    137. 

  137. 

  138.       - name: Run chart-releaser
    139. 

  139.         uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
    140. 

  140.         env:
    141. 

  141.           CR_KEY: external-secrets <external-secrets@external-secrets.io>
    142. 

  142.           CR_KEYRING: keyring.gpg
    143. 

  143.           CR_PASSPHRASE_FILE: passphrase-file.txt
    144. 

  144.           CR_SIGN: true
    145. 

  145.           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
    146. 

  146.           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
    147. 

  147.         with:
    148. 

  148.           charts_dir: deploy/charts
    149. 

  149.           skip_existing: true
    150. 

  150.           charts_repo_url: https://charts.external-secrets.io
    151. 

  151. 

  152.       - name: Set up Helm
    153. 

  153.         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
    154. 

  154.         with:
    155. 

  155.           version: v3.14.2 # remember to also update for the first job (lint-and-test)
    156. 

  156.           
    157. 

  157.       - name: Login to GHCR
    158. 

  158.         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
    159. 

  159.         with:
    160. 

  160.           registry: ghcr.io
    161. 

  161.           username: ${{ github.actor }}
    162. 

  162.           password: ${{ secrets.GITHUB_TOKEN }}
    163. 

  163. 

  164.       - name: Install cosign
    165. 

  165.         uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
    166. 

  166.         with:
    167. 

  167.           cosign-release: 'v2.4.1'
    168. 

  168. 

  169.       - name: Push chart to GHCR
    170. 

  170.         id: push_chart
    171. 

  171.         run: |
    172. 

  172.           shopt -s nullglob
    173. 

  173.           for pkg in .cr-release-packages/*.tgz; do
    174. 

  174.             if [ -z "${pkg:-}" ]; then
    175. 

  175.               break
    176. 

  176.             fi
    177. 

  177.             chart_name=$(helm show chart "${pkg}" | yq .name)
    178. 

  178.             # helm push fails when registry path contains Uppercase letters
    179. 

  179.             chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
    180. 

  180. 

  181.             helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1)
    182. 

  182.             digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*')
    183. 

  183.             echo "$helm_push_output"
    184. 

  184. 

  185.             artifact_digest_uri="${chart_registry}/${chart_name}@${digest}"
    186. 

  186.             cosign sign --yes "$artifact_digest_uri"
    187. 

  187.             cosign verify "$artifact_digest_uri" \
    188. 

  188.                 --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \
    189. 

  189.                 --certificate-oidc-issuer https://token.actions.githubusercontent.com
    190. 

  190. 

  191.             echo "digest=${digest}" >> "$GITHUB_OUTPUT"
    192. 

  192.             echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT"
    193. 

  193.             echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT"
    194. 

  194.           done
    195. 

  195. 

  196.       - name: Generate provenance attestation and push to OCI registry
    197. 

  197.         uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
    198. 

  198.         with:
    199. 

  199.           push-to-registry: true
    200. 

  200.           subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }}
    201. 

  201.           subject-digest: ${{ steps.push_chart.outputs.digest }}
    202.