ci: Rework publishing CI (#381)

2025-07-03 16:37:04 +02:00 · 2025-02-10 13:05:48 +01:00 · 2025-02-10 13:05:48 +01:00 · c94a28baa3
commit c94a28baa3
parent b8c2eca310
10 changed files with 512 additions and 274 deletions
--- a/.github/actions/charts-package/action.yaml
+++ b/.github/actions/charts-package/action.yaml
@ -0,0 +1,77 @@
+---
+name: "Package charts"
+description: "Package charts for release"
+inputs:
+  rootFolder:
+    description: "Root folder containing the charts to package"
+    required: true
+  chartFolder:
+    description: "Folder containing the chart to package relative to the base folder"
+    required: true
+  destinationFolder:
+    description: "Folder where the chart packages should be stored"
+    required: true
+    default: "out"
+  artifactPrefix:
+    description: "Prefix for the artifact name"
+    required: false
+    default: ""
+  retentionDays:
+    description: "Duration after which artifacts will expire in days."
+    required: true
+    default: "1"
+  helmVersion:
+    description: "Helm version to use for packaging"
+    required: true
+    default: 3.17.0
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install Kubernetes tools
+      uses: yokawasa/action-setup-kube-tools@v0.11.1
+      with:
+        setup-tools: |
+          helmv3
+        helm: "${{ inputs.helmVersion }}"
+
+    - name: Grab chart details
+      id: chart-details
+      shell: bash
+      env:
+        ROOT_DIR: "${{ inputs.rootFolder }}"
+        CHART_DIR: "${{ inputs.chartFolder }}"
+      run: |
+        PARENT_DIR=$(basename $(dirname "${ROOT_DIR}/${CHART_DIR}"))
+        echo "parentdir=${PARENT_DIR}" >> "$GITHUB_OUTPUT"
+        echo "name=$(yq '.name' ${ROOT_DIR}/${CHART_DIR}/Chart.yaml)" >> "$GITHUB_OUTPUT"
+        echo "version=$(yq '.version' ${ROOT_DIR}/${CHART_DIR}/Chart.yaml)" >> "$GITHUB_OUTPUT"
+
+    - name: Dereference JSON schema before packaging
+      uses: bjw-s/helm-charts-actions/dereference-json-schema@main
+      with:
+        schemaFile: "${{ inputs.rootFolder }}/${{ inputs.chartFolder }}/values.schema.json"
+        outputFile: "${{ inputs.rootFolder }}/${{ inputs.chartFolder }}/values.schema.json"
+        allowFileNotFound: true
+
+    - name: Package Helm Chart
+      shell: bash
+      env:
+        ROOT_DIR: "${{ inputs.rootFolder }}"
+        CHART_DIR: "${{ inputs.chartFolder }}"
+        PARENT_DIR: "${{ steps.chart-details.outputs.parentdir }}"
+        TARGET_DIR: "${{ inputs.destinationFolder }}"
+      run: |
+        helm package "${ROOT_DIR}/${CHART_DIR}" --dependency-update --destination "${TARGET_DIR}/${PARENT_DIR}"
+
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      env:
+        PARENT_DIR: "${{ steps.chart-details.outputs.parentdir }}"
+        CHART_NAME: "${{ steps.chart-details.outputs.name }}"
+        CHART_VERSION: "${{ steps.chart-details.outputs.version }}"
+        TARGET_DIR: "${{ inputs.destinationFolder }}"
+      with:
+        name: "${{ inputs.artifactPrefix }}${{ env.PARENT_DIR }}__${{ env.CHART_NAME }}__${{ env.CHART_VERSION }}"
+        path: "${{ env.TARGET_DIR }}/${{ env.PARENT_DIR }}/${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz"
+        retention-days: ${{ inputs.retentionDays }}
--- a/.github/actions/charts-release-ghpages/action.yaml
+++ b/.github/actions/charts-release-ghpages/action.yaml
@ -0,0 +1,70 @@
+---
+name: "Prepare chart artifacts for release"
+description: "Prepare chart artifacts for release to GitHub Pages"
+inputs:
+  artifactPattern:
+    description: "Pattern to match artifacts to release"
+    required: true
+  artifactPrefix:
+    description: "Prefix to strip from the artifact names"
+    required: false
+    default: ""
+  targetFolder:
+    description: "Folder where to move the chart artifacts"
+    required: true
+    default: gh-pages
+  targetBranch:
+    description: "Branch to push the chart artifacts"
+    required: true
+    default: gh-pages
+
+runs:
+  using: "composite"
+  steps:
+    - name: Prepare artifacts folder
+      shell: bash
+      run: |
+        mkdir -p artifacts
+
+    - name: Download chart artifacts
+      uses: actions/download-artifact@v4
+      with:
+        path: artifacts
+        pattern: ${{ inputs.artifactPrefix }}${{ inputs.artifactPattern }}
+
+    - name: Copy artifacts to gh-pages structure
+      shell: bash
+      working-directory: artifacts
+      env:
+        ARTIFACT_PREFIX: ${{ inputs.artifactPrefix }}
+        TARGET_FOLDER: ${{ inputs.targetFolder }}
+      run: |
+        while IFS= read -d $'\0' -r ARTIFACT ; do
+          echo ${ARTIFACT}
+          prefix_removed_chart=${ARTIFACT/#$ARTIFACT_PREFIX}
+          DELIMITER='__'
+          s=${prefix_removed_chart}${DELIMITER}
+          ARTIFACT_PATH_PARTS=();
+          while [[ $s ]]; do
+              ARTIFACT_PATH_PARTS+=( "${s%%"${DELIMITER}"*}" );
+              s=${s#*"${DELIMITER}"};
+          done;
+
+          CHART_FOLDER=${ARTIFACT_PATH_PARTS[0]}
+          mkdir -p "${TARGET_FOLDER}/${CHART_FOLDER}"
+          cp ${ARTIFACT}/* ${TARGET_FOLDER}/${CHART_FOLDER}/
+        done < <(find . -mindepth 1 -maxdepth 1 -type d -print0)
+
+    - name: Update chart index
+      shell: bash
+      working-directory: ${{ inputs.targetFolder }}
+      run: |
+        helm repo index . --url https://bjw-s.github.io/helm-charts/
+
+    - name: Commit Changes
+      uses: stefanzweifel/git-auto-commit-action@v5
+      with:
+        repository: ${{ inputs.targetFolder }}
+        branch: ${{ inputs.targetBranch }}
+        file_pattern: "index.yaml **/*.tgz"
+        disable_globbing: true
--- a/.github/actions/charts-release-oci/action.yaml
+++ b/.github/actions/charts-release-oci/action.yaml
@ -0,0 +1,59 @@
+---
+name: "Release charts to OCI registry"
+description: "Release charts to OCI registry"
+inputs:
+  chartName:
+    description: "Name of the chart to release"
+    required: true
+  chartVersion:
+    description: "Version of the chart to release"
+    required: true
+  workingDir:
+    description: "Working directory"
+    required: true
+    default: "."
+  ociRegistry:
+    description: >
+      Target OCI registry for Helm charts.
+    required: true
+    default: "ghcr.io"
+  helmVersion:
+    description: "Helm version to use for packaging"
+    required: true
+    default: 3.17.0
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3.6.0
+
+    - name: Install Kubernetes tools
+      uses: yokawasa/action-setup-kube-tools@v0.11.1
+      with:
+        setup-tools: |
+          helmv3
+        helm: ${{ inputs.helmVersion }}
+
+    - name: Login to OCI Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ inputs.ociRegistry }}
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
+
+    - name: Push Helm charts to OCI registry
+      shell: bash
+      working-directory: ${{ inputs.workingDir }}
+      env:
+        CHART_NAME: ${{ inputs.chartName }}
+        CHART_VERSION: ${{ inputs.chartVersion }}
+        CHART_TAG_BASE: ${{ inputs.ociRegistry }}/${{ github.actor }}/helm
+        CHART_TAG: ${{ inputs.chartName }}:${{ inputs.chartVersion }}
+      run: |
+        helm push "${CHART_NAME}-${CHART_VERSION}.tgz" oci://${CHART_TAG_BASE} &> push-metadata.txt
+        CHART_DIGEST=$(awk '/Digest: /{print $2}' push-metadata.txt)
+        cosign sign --yes "${CHART_TAG_BASE}/${CHART_TAG}@${CHART_DIGEST}"
+        cosign verify "${CHART_TAG_BASE}/${CHART_TAG}@${CHART_DIGEST}" \
+          --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+          --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/charts-release-steps.yaml@${{ github.ref }}"
--- a/.github/actions/label-from-status/action.yaml
+++ b/.github/actions/label-from-status/action.yaml
@ -1,48 +0,0 @@
-name: "Set issue labels based on status"
-description: "Sets / removes issue labels based on CI job status"
-inputs:
-  token:
-    required: true
-    description: "The Github API token to use"
-  issue-number:
-    required: true
-    description: "The issue to label"
-  prefix:
-    required: true
-    description: "The label prefix (e.g. lint, install)"
-  job-status:
-    required: true
-    description: "The status of the CI job"
-  remove-on-skipped:
-    required: false
-    default: "false"
-    description: "Remove the label if the job was skipped"
-
-runs:
-  using: "composite"
-  steps:
-    - name: Label success
-      uses: andymckay/labeler@1.0.4
-      if: ${{ inputs.job-status == 'success' }}
-      with:
-        repo-token: ${{ inputs.token }}
-        issue-number: ${{ inputs.issue-number }}
-        add-labels: "${{ inputs.prefix }}:ok"
-        remove-labels: "${{ inputs.prefix }}:failed"
-
-    - name: Label failure
-      uses: andymckay/labeler@1.0.4
-      if: ${{ inputs.job-status == 'failure' }}
-      with:
-        repo-token: ${{ inputs.token }}
-        issue-number: ${{ inputs.issue-number }}
-        add-labels: "${{ inputs.prefix }}:failed"
-        remove-labels: "${{ inputs.prefix }}:ok"
-
-    - name: Remove label
-      uses: andymckay/labeler@1.0.4
-      if: ${{ (inputs.job-status == 'skipped') && (inputs.remove-on-skipped == 'true') }}
-      with:
-        repo-token: ${{ inputs.token }}
-        issue-number: ${{ inputs.issue-number }}
-        remove-labels: "${{ inputs.prefix }}:ok, ${{ inputs.prefix }}:failed"
--- a/.github/actions/publish-folder-to-pages/action.yaml
+++ b/.github/actions/publish-folder-to-pages/action.yaml
@ -0,0 +1,62 @@
+---
+name: "Publish folder to GitHub Pages"
+description: "Publish the contents of a folder to GitHub Pages"
+inputs:
+  path:
+    description: "Path that contains the content to publish"
+    required: true
+    default: "gh-pages/"
+  artifactName:
+    description: "Filename of the artifact"
+    required: true
+    default: "github-pages"
+  retention-days:
+    description: "Duration after which artifact will expire in days."
+    required: true
+    default: "1"
+  deleteArtifactAfterPublish:
+    description: "Delete the artifact after deployment?"
+    required: true
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Prepare gh-pages artifact
+      shell: sh
+      env:
+        INPUT_PATH: ${{ inputs.path }}
+      run: |
+        echo ::group::Archive artifact
+        tar \
+          --dereference --hard-dereference \
+          --directory "$INPUT_PATH" \
+          -cvf "$RUNNER_TEMP/artifact.tar" \
+          --exclude=.git \
+          --exclude=.github \
+          --exclude=".[^/]*" \
+          .
+        echo ::endgroup::
+
+    - name: Upload gh-pages artifact
+      id: upload-artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ inputs.artifactName }}
+        path: ${{ runner.temp }}/artifact.tar
+        retention-days: 1
+        if-no-files-found: error
+
+    - name: Deploy to GitHub Pages
+      id: deploy-gh-pages
+      uses: actions/deploy-pages@v4
+      with:
+        artifact_name: ${{ inputs.artifactName }}
+
+    - name: Clean up artifact
+      if: ${{ inputs.deleteArtifactAfterPublish == 'true' }}
+      uses: joernott/rm-artifact@v1
+      with:
+        name: ${{ inputs.artifactName }}
+        useGlob: false
+        failOnError: true