Update actions/checkout digest to df4cb1c (#1017) #757
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action releases the kubewarden Helm charts. | |
| # The action must run on each commit done against main, however | |
| # a new release will be performed **only** when a change occurs inside | |
| # of the `charts` directory. | |
| # | |
| # When the helm charts are changed, this action will, for each chart: | |
| # * Create a new GitHub release: e.g. kubwarden-controller-chart. | |
| # * This release has a kubwarden-controller-chart.tar.gz asset associated with | |
| # it. This is the actual Helm chart. | |
| # * Update the `index.yaml` file inside of the `gh-pages` branch. This is the | |
| # index of our https Helm chart repository, which we serve through GitHub pages. | |
| # * Update the docs shown at https://charts.kubewarden.io, on the `gh-pages` | |
| # branch. This is the README files of the chart(s), served also through | |
| # GitHub pages. | |
| # * Push the chart, signed and with attestation, to ghcr.io OCI registry. | |
| # | |
| # = FAQ | |
| # | |
| # == Why don't we run this action only when a tag like `v*` is created? | |
| # | |
| # Running the action only when a "release tag" is created will not produce | |
| # a helm chart. That happens because the code which determines if something | |
| # changed inside of the `charts` directory will not find any changes. | |
| # | |
| # == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action? | |
| # | |
| # Yes, we even got that to work. However, what we really want to do is the | |
| # ability to tag the releases of the kubewarden-controller and its helm chart | |
| # in an independent way. Which the official GitHub action already does. | |
| name: Release helm chart | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| packages: write | |
| contents: write | |
| attestations: write | |
| pages: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
| - name: Check that the contents of common-values.yaml are included in values.yaml | |
| run: | | |
| make check-common-values | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 | |
| - name: Generate container image files | |
| run: | | |
| make generate-images-file | |
| - name: Generate policies files | |
| run: | | |
| make generate-policies-file | |
| - name: Generate changelog files | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| make generate-changelog-files | |
| - name: Add dependency repo required to release the controller chart | |
| run: | | |
| helm repo add policy-reporter https://kyverno.github.io/policy-reporter | |
| helm repo update | |
| - name: Add dependency repo required to release the crds chart | |
| run: | | |
| helm repo add openreports https://openreports.github.io/reports-api | |
| helm repo update | |
| - name: Add dependency repo required to release the sbomscanner chart | |
| run: | | |
| helm repo add nats https://nats-io.github.io/k8s/helm/charts | |
| helm repo update | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install chart-releaser | |
| uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0 | |
| with: | |
| install_only: true | |
| - name: Release Helm charts | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -ex | |
| OWNER=${{ github.repository_owner }} | |
| REPO=helm-charts | |
| CONFIG_FILE=cr.yaml | |
| PACKAGE_PATH=.cr-release-packages | |
| CR_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
| rm -rf ${PACKAGE_PATH} | |
| # Release each chart in the charts directory | |
| for chart in $(find charts -maxdepth 1 -mindepth 1 -type d ); do | |
| chart_name=$(basename $chart) | |
| chart_path=${PACKAGE_PATH}/${chart_name}-*.tgz | |
| cr package charts/${chart_name} --config ${CONFIG_FILE} --package-path ${PACKAGE_PATH} | |
| # check if the chart version is already release. If so, do nothing | |
| chart_version=$(helm show chart $chart_path | yq -r '.version') | |
| if gh --repo ${OWNER}/${REPO} release view $chart_name-$chart_version; then | |
| echo "Chart $chart_name-$chart_version already released. No need to release again." | |
| rm $chart_path | |
| continue | |
| fi | |
| done | |
| # Upload the charts if the .cr-release-packages directory is not empty | |
| if [ "$(ls ${PACKAGE_PATH})" ]; then | |
| # Upload the chart to the GitHub release | |
| cr upload --config ${CONFIG_FILE} -o ${OWNER} -r ${REPO} -c "$(git rev-parse HEAD)" --skip-existing --make-release-latest=false --token ${CR_TOKEN} --push | |
| echo "Charts released!" | |
| # Reindex the repository | |
| cr index --config ${CONFIG_FILE} -o ${OWNER} -r ${REPO} --push --token ${CR_TOKEN} --index-path . | |
| echo "Repository indexed!" | |
| # Publish the charts to the OCI registry and sign them | |
| REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER/charts" | |
| echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV" | |
| for chart_path in $(find ${PACKAGE_PATH} -maxdepth 1 -mindepth 1 ); do | |
| echo "Pushing chart $chart_path to ghcr.io" | |
| chart_name=$(helm show chart ${chart_path} | yq ".name") | |
| push_output=$(helm push $chart_path "oci://$REGISTRY" 2>&1) | |
| chart_url=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\1\@\2/p') | |
| digest=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\2/p') | |
| echo "DIGEST_${chart_name}=${digest}" >> "$GITHUB_ENV" | |
| # We need to disable the new bundle format enabled by default since | |
| # cosign v3.x.x because some verification tools (e.g. slsactl) are not | |
| # able to properly verify the signatures using this new format | |
| cosign sign --yes --new-bundle-format=false --use-signing-config=false "$chart_url" | |
| # Sign with cosign v3 signature format as well | |
| cosign sign --yes --new-bundle-format=true --use-signing-config=true "$chart_url" | |
| echo "Chart $chart_name signed and pushed to ghcr.io" | |
| done | |
| fi | |
| - name: Prepare GH pages readme & artifacthub-repo.yml | |
| run: | | |
| mkdir -p ./to-gh-pages | |
| cp -f charts/README.md ./to-gh-pages/ | |
| cp -f artifacthub-repo.yml ./to-gh-pages/ | |
| - name: Configure Git | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| git config --global user.name "$GITHUB_ACTOR" | |
| git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
| git config --global url."https://${GH_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/" | |
| - name: Clone existing gh-pages branch and commit | |
| run: | | |
| git fetch origin gh-pages | |
| git worktree add gh-pages-worktree gh-pages | |
| cp -r ./to-gh-pages/* gh-pages-worktree/ | |
| cd gh-pages-worktree | |
| git add . | |
| git commit -m "Update GitHub Pages content" || echo "No changes to commit" | |
| git push origin gh-pages | |
| - name: Upload images, policies and Hauler files | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -e | |
| # .cr-release-packages is the directory used by the Helm releaser from a previous step | |
| chart_directory=.cr-release-packages | |
| if [ ! -d "$chart_directory" ]; then | |
| echo "$chart_directory does not exist. Assuming no charts update" | |
| exit 0 | |
| fi | |
| # sign hauler manifest and image list | |
| cosign sign-blob --yes ./charts/hauler_manifest.yaml --bundle hauler_manifest_cosign.bundle | |
| charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f) | |
| for chart in $charts; do | |
| chart_name=$(helm show chart $chart | yq -r '.name' ) | |
| chart_version=$(helm show chart $chart | yq -r '.version') | |
| if [[ "$chart_name" == kubewarden* ]]; then | |
| # upload hauler manifest and its verification bundle | |
| gh release upload $chart_name-$chart_version ./charts/hauler_manifest.yaml --clobber | |
| gh release upload $chart_name-$chart_version hauler_manifest_cosign.bundle --clobber | |
| fi | |
| done | |
| - name: Generate provenance attestation for kubewarden-crds chart and push to OCI | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| if: env.DIGEST_kubewarden-crds != '' | |
| with: | |
| push-to-registry: true | |
| subject-name: ${{ env.REGISTRY}}/kubewarden-crds | |
| subject-digest: ${{ env.DIGEST_kubewarden-crds }} | |
| - name: Generate provenance attestation for kubewarden-controller chart and push to OCI | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| if: env.DIGEST_kubewarden-controller != '' | |
| with: | |
| push-to-registry: true | |
| subject-name: ${{ env.REGISTRY}}/kubewarden-controller | |
| subject-digest: ${{ env.DIGEST_kubewarden-controller }} | |
| - name: Generate provenance attestation for kubewarden-defaults chart and push to OCI | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| if: env.DIGEST_kubewarden-defaults != '' | |
| with: | |
| push-to-registry: true | |
| subject-name: ${{ env.REGISTRY}}/kubewarden-defaults | |
| subject-digest: ${{ env.DIGEST_kubewarden-defaults }} | |
| - name: Generate provenance attestation for sbomscanner chart and push to OCI | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| if: env.DIGEST_sbomscanner != '' | |
| with: | |
| push-to-registry: true | |
| subject-name: ${{ env.REGISTRY}}/sbomscanner | |
| subject-digest: ${{ env.DIGEST_sbomscanner }} |