Skip to content

Update actions/checkout digest to df4cb1c (#1017) #757

Update actions/checkout digest to df4cb1c (#1017)

Update actions/checkout digest to df4cb1c (#1017) #757

# This action releases the kubewarden Helm charts.
# The action must run on each commit done against main, however
# a new release will be performed **only** when a change occurs inside
# of the `charts` directory.
#
# When the helm charts are changed, this action will, for each chart:
# * Create a new GitHub release: e.g. kubwarden-controller-chart.
# * This release has a kubwarden-controller-chart.tar.gz asset associated with
# it. This is the actual Helm chart.
# * Update the `index.yaml` file inside of the `gh-pages` branch. This is the
# index of our https Helm chart repository, which we serve through GitHub pages.
# * Update the docs shown at https://charts.kubewarden.io, on the `gh-pages`
# branch. This is the README files of the chart(s), served also through
# GitHub pages.
# * Push the chart, signed and with attestation, to ghcr.io OCI registry.
#
# = FAQ
#
# == Why don't we run this action only when a tag like `v*` is created?
#
# Running the action only when a "release tag" is created will not produce
# a helm chart. That happens because the code which determines if something
# changed inside of the `charts` directory will not find any changes.
#
# == The action is just a "wrapper" around the official `github.com/helm/chart-releaser` tool, can't we just create our own action?
#
# Yes, we even got that to work. However, what we really want to do is the
# ability to tag the releases of the kubewarden-controller and its helm chart
# in an independent way. Which the official GitHub action already does.
name: Release helm chart
on:
workflow_dispatch:
push:
branches:
- main
jobs:
release:
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
contents: write
attestations: write
pages: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Check that the contents of common-values.yaml are included in values.yaml
run: |
make check-common-values
- name: Install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- name: Generate container image files
run: |
make generate-images-file
- name: Generate policies files
run: |
make generate-policies-file
- name: Generate changelog files
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
make generate-changelog-files
- name: Add dependency repo required to release the controller chart
run: |
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
helm repo update
- name: Add dependency repo required to release the crds chart
run: |
helm repo add openreports https://openreports.github.io/reports-api
helm repo update
- name: Add dependency repo required to release the sbomscanner chart
run: |
helm repo add nats https://nats-io.github.io/k8s/helm/charts
helm repo update
- name: Login to GitHub Container Registry
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install chart-releaser
uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
with:
install_only: true
- name: Release Helm charts
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -ex
OWNER=${{ github.repository_owner }}
REPO=helm-charts
CONFIG_FILE=cr.yaml
PACKAGE_PATH=.cr-release-packages
CR_TOKEN=${{ secrets.GITHUB_TOKEN }}
rm -rf ${PACKAGE_PATH}
# Release each chart in the charts directory
for chart in $(find charts -maxdepth 1 -mindepth 1 -type d ); do
chart_name=$(basename $chart)
chart_path=${PACKAGE_PATH}/${chart_name}-*.tgz
cr package charts/${chart_name} --config ${CONFIG_FILE} --package-path ${PACKAGE_PATH}
# check if the chart version is already release. If so, do nothing
chart_version=$(helm show chart $chart_path | yq -r '.version')
if gh --repo ${OWNER}/${REPO} release view $chart_name-$chart_version; then
echo "Chart $chart_name-$chart_version already released. No need to release again."
rm $chart_path
continue
fi
done
# Upload the charts if the .cr-release-packages directory is not empty
if [ "$(ls ${PACKAGE_PATH})" ]; then
# Upload the chart to the GitHub release
cr upload --config ${CONFIG_FILE} -o ${OWNER} -r ${REPO} -c "$(git rev-parse HEAD)" --skip-existing --make-release-latest=false --token ${CR_TOKEN} --push
echo "Charts released!"
# Reindex the repository
cr index --config ${CONFIG_FILE} -o ${OWNER} -r ${REPO} --push --token ${CR_TOKEN} --index-path .
echo "Repository indexed!"
# Publish the charts to the OCI registry and sign them
REGISTRY="ghcr.io/$GITHUB_REPOSITORY_OWNER/charts"
echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV"
for chart_path in $(find ${PACKAGE_PATH} -maxdepth 1 -mindepth 1 ); do
echo "Pushing chart $chart_path to ghcr.io"
chart_name=$(helm show chart ${chart_path} | yq ".name")
push_output=$(helm push $chart_path "oci://$REGISTRY" 2>&1)
chart_url=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\1\@\2/p')
digest=$(echo $push_output | sed -n 's/Pushed: \(.*\):.* Digest: \(.*\)$/\2/p')
echo "DIGEST_${chart_name}=${digest}" >> "$GITHUB_ENV"
# We need to disable the new bundle format enabled by default since
# cosign v3.x.x because some verification tools (e.g. slsactl) are not
# able to properly verify the signatures using this new format
cosign sign --yes --new-bundle-format=false --use-signing-config=false "$chart_url"
# Sign with cosign v3 signature format as well
cosign sign --yes --new-bundle-format=true --use-signing-config=true "$chart_url"
echo "Chart $chart_name signed and pushed to ghcr.io"
done
fi
- name: Prepare GH pages readme & artifacthub-repo.yml
run: |
mkdir -p ./to-gh-pages
cp -f charts/README.md ./to-gh-pages/
cp -f artifacthub-repo.yml ./to-gh-pages/
- name: Configure Git
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.name "$GITHUB_ACTOR"
git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
git config --global url."https://${GH_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
- name: Clone existing gh-pages branch and commit
run: |
git fetch origin gh-pages
git worktree add gh-pages-worktree gh-pages
cp -r ./to-gh-pages/* gh-pages-worktree/
cd gh-pages-worktree
git add .
git commit -m "Update GitHub Pages content" || echo "No changes to commit"
git push origin gh-pages
- name: Upload images, policies and Hauler files
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
# .cr-release-packages is the directory used by the Helm releaser from a previous step
chart_directory=.cr-release-packages
if [ ! -d "$chart_directory" ]; then
echo "$chart_directory does not exist. Assuming no charts update"
exit 0
fi
# sign hauler manifest and image list
cosign sign-blob --yes ./charts/hauler_manifest.yaml --bundle hauler_manifest_cosign.bundle
charts=$(find $chart_directory -maxdepth 1 -mindepth 1 -type f)
for chart in $charts; do
chart_name=$(helm show chart $chart | yq -r '.name' )
chart_version=$(helm show chart $chart | yq -r '.version')
if [[ "$chart_name" == kubewarden* ]]; then
# upload hauler manifest and its verification bundle
gh release upload $chart_name-$chart_version ./charts/hauler_manifest.yaml --clobber
gh release upload $chart_name-$chart_version hauler_manifest_cosign.bundle --clobber
fi
done
- name: Generate provenance attestation for kubewarden-crds chart and push to OCI
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
if: env.DIGEST_kubewarden-crds != ''
with:
push-to-registry: true
subject-name: ${{ env.REGISTRY}}/kubewarden-crds
subject-digest: ${{ env.DIGEST_kubewarden-crds }}
- name: Generate provenance attestation for kubewarden-controller chart and push to OCI
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
if: env.DIGEST_kubewarden-controller != ''
with:
push-to-registry: true
subject-name: ${{ env.REGISTRY}}/kubewarden-controller
subject-digest: ${{ env.DIGEST_kubewarden-controller }}
- name: Generate provenance attestation for kubewarden-defaults chart and push to OCI
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
if: env.DIGEST_kubewarden-defaults != ''
with:
push-to-registry: true
subject-name: ${{ env.REGISTRY}}/kubewarden-defaults
subject-digest: ${{ env.DIGEST_kubewarden-defaults }}
- name: Generate provenance attestation for sbomscanner chart and push to OCI
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
if: env.DIGEST_sbomscanner != ''
with:
push-to-registry: true
subject-name: ${{ env.REGISTRY}}/sbomscanner
subject-digest: ${{ env.DIGEST_sbomscanner }}