ci: Rework publishing CI (#381)

.github/workflows/charts-lint.yaml

@@ -71,6 +71,13 @@ jobs:
           chart: ${{ matrix.chart }}
           overrides: ${{ inputs.overrideDeps }}
 
+      - name: Dereference JSON schema before packaging
+        uses: bjw-s/helm-charts-actions/dereference-json-schema@main
+        with:
+          schemaFile: "charts/${{ matrix.chart }}/values.schema.json"
+          outputFile: "charts/${{ matrix.chart }}/values.schema.json"
+          allowFileNotFound: true
+
       - name: Run chart-testing (lint)
         run: ct lint --config .ci/ct/ct.yaml --charts "charts/${{ matrix.chart }}"
 

.github/workflows/charts-release-ghpages.yaml

@@ -1,96 +0,0 @@
-name: "Charts: Release to GitHub pages"
-
-on:
-  workflow_call:
-    inputs:
-      charts:
-        description: >
-          Json encoded list of Helm charts to release.
-          Defaults to releasing everything.
-        default: "[]"
-        required: false
-        type: string
-    secrets:
-      BJWS_APP_ID:
-        required: true
-      BJWS_APP_PRIVATE_KEY:
-        required: true
-
-env:
-  HELM_VERSION: 3.11.2
-
-jobs:
-  release-charts:
-    name: Release charts
-    runs-on: ubuntu-22.04
-    steps:
-      - name: "Generate Short Lived OAuth App Token (ghs_*)"
-        uses: actions/create-github-app-token@v1.10.4
-        id: app-token
-        with:
-          app-id: "${{ secrets.BJWS_APP_ID }}"
-          private-key: "${{ secrets.BJWS_APP_PRIVATE_KEY }}"
-
-      - name: Checkout charts branch
-        uses: actions/checkout@v4
-        with:
-          token: ${{ steps.app-token.outputs.token }}
-          path: "src"
-          fetch-depth: 0
-
-      - name: Checkout gh-pages branch
-        uses: actions/checkout@v4
-        with:
-          token: ${{ steps.app-token.outputs.token }}
-          path: "dest"
-          ref: "gh-pages"
-          fetch-depth: 0
-
-      - name: Install Kubernetes tools
-        uses: yokawasa/action-setup-kube-tools@v0.11.1
-        with:
-          setup-tools: |
-            helmv3
-          helm: "${{ env.HELM_VERSION }}"
-
-      - name: Package Helm Charts
-        shell: bash
-        env:
-          SRC_DIR: "src/charts"
-          DEST_DIR: "dest"
-        run: |
-          CHARTS=( $(yq --null-input e '${{ inputs.charts }}[]' ) )
-
-          for CHART in "${CHARTS[@]}" ; do
-            mapfile -t CHART_PATH_PARTS < <(echo "$CHART" | tr '/' '\n')
-            CHART_TYPE=${CHART_PATH_PARTS[0]}
-
-            helm package "${SRC_DIR}/${CHART}" --dependency-update --destination "${DEST_DIR}/${CHART_TYPE}"
-          done
-
-      - name: Update chart index
-        shell: bash
-        working-directory: dest
-        run: |
-          helm repo index . --url https://bjw-s.github.io/helm-charts/
-
-      - name: Commit changes
-        uses: stefanzweifel/git-auto-commit-action@v5
-        id: auto-commit
-        with:
-          repository: dest
-          branch: gh-pages
-          commit_user_name: "bjw-s-bot[bot]"
-          commit_user_email: 87358111+bjw-s-bot[bot]@users.noreply.github.com
-          commit_author: bjw-s-bot[bot] <87358111+bjw-s-bot[bot]@users.noreply.github.com>
-          file_pattern: "index.yaml **/*.tgz"
-          disable_globbing: true
-
-      - name: Wait for deploy
-        uses: fountainhead/action-wait-for-check@v1.2.0
-        if: ${{ steps.auto-commit.outputs.changes_detected }}
-        id: wait-for-deploy
-        with:
-          token: ${{ steps.app-token.outputs.token }}
-          ref: ${{ steps.auto-commit.outputs.commit_hash }}
-          checkName: deploy

.github/workflows/charts-release-oci.yaml

@@ -1,69 +0,0 @@
-name: "Charts: Release to GHCR OCI"
-
-on:
-  workflow_call:
-    inputs:
-      charts:
-        description: >
-          Json encoded list of Helm charts to release.
-          Defaults to releasing everything.
-        default: "[]"
-        required: false
-        type: string
-
-env:
-  HELM_VERSION: 3.11.2
-  CHARTS_SRC_DIR: "charts"
-  TARGET_REGISTRY: ghcr.io
-
-jobs:
-  release-charts:
-    name: Release charts
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      packages: write # needed for ghcr access
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-    steps:
-      - name: Checkout chart sources
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install Kubernetes tools
-        uses: yokawasa/action-setup-kube-tools@v0.11.1
-        with:
-          setup-tools: |
-            helmv3
-          helm: "${{ env.HELM_VERSION }}"
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.6.0
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.TARGET_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Package & Push Helm Charts
-        shell: bash
-        run: |
-          CHARTS=( $(yq --null-input e '${{ inputs.charts }}[]' ) )
-
-          for CHART in "${CHARTS[@]}" ; do
-            mapfile -t CHART_PATH_PARTS < <(echo "$CHART" | tr '/' '\n')
-            CHART_TYPE=${CHART_PATH_PARTS[0]}
-            CHART_NAME=${CHART_PATH_PARTS[1]}
-            CHART_VERSION=$(yq e '.version' ${{ env.CHARTS_SRC_DIR }}/${CHART}/Chart.yaml)
-
-            helm package "${{ env.CHARTS_SRC_DIR }}/${CHART_TYPE}/${CHART_NAME}" --dependency-update --destination "${{ env.CHARTS_SRC_DIR }}/${CHART_TYPE}" --version "${CHART_VERSION}"
-            helm push "${{ env.CHARTS_SRC_DIR }}/${CHART_TYPE}/${CHART_NAME}-${CHART_VERSION}.tgz" oci://${{ env.TARGET_REGISTRY }}/${{ github.actor }}/helm &> push-metadata.txt
-            CHART_DIGEST=$(awk '/Digest: /{print $2}' push-metadata.txt)
-            cosign sign --yes "${{ env.TARGET_REGISTRY }}/${{ github.actor }}/helm/${CHART_NAME}:${CHART_VERSION}@${CHART_DIGEST}"
-            cosign verify "${{ env.TARGET_REGISTRY }}/${{ github.actor }}/helm/${CHART_NAME}:${CHART_VERSION}@${CHART_DIGEST}" \
-              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-              --certificate-identity "https://github.com/bjw-s/helm-charts/.github/workflows/charts-release-oci.yaml@refs/heads/main"
-          done

.github/workflows/charts-release-steps.yaml

@@ -0,0 +1,180 @@
+---
+name: "Charts: Release"
+
+on:
+  workflow_call:
+    inputs:
+      charts:
+        description: >
+          Json encoded list of Helm charts to release.
+          Defaults to releasing everything.
+        default: "[]"
+        required: false
+        type: string
+      excludedChartsRelease:
+        description: >
+          Json encoded list of Helm charts to exclude from release.
+        default: "[]"
+        required: false
+        type: string
+      publishToGhPages:
+        description: >
+          Should the charts be published to GitHub Pages.
+        default: true
+        required: false
+        type: boolean
+      ghPagesBranch:
+        description: >
+          Target branch for GitHub Pages.
+        default: "gh-pages"
+        required: false
+        type: string
+      publishToOciRegistry:
+        description: >
+          Should the charts be published to an OCI registry.
+        default: true
+        required: false
+        type: boolean
+      ociRegistry:
+        description: >
+          Target OCI registry for Helm charts.
+        default: "ghcr.io"
+        required: false
+        type: string
+      helmVersion:
+        description: >
+          Helm version to use.
+        default: "3.11.2"
+        required: false
+        type: string
+
+jobs:
+  package-charts:
+    name: Package charts
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        charts: ${{ fromJSON(inputs.charts) }}
+      fail-fast: false
+    steps:
+      - name: Checkout source branch
+        if: ${{ !contains(fromJSON(inputs.excludedChartsRelease), matrix.charts) }}
+        uses: actions/checkout@v4
+        with:
+          path: src
+          fetch-depth: 0
+
+      - name: Package Helm charts
+        uses: ./src/.github/actions/charts-package
+        if: ${{ !contains(fromJSON(inputs.excludedChartsRelease), matrix.charts) }}
+        with:
+          rootFolder: src/charts
+          chartFolder: ${{ matrix.charts }}
+          artifactPrefix: chart__
+          helmVersion: ${{ inputs.helmVersion }}
+
+  release-charts-to-github-pages:
+    name: Release charts to GitHub Pages
+    runs-on: ubuntu-22.04
+    if: ${{ inputs.publishToGhPages }}
+    needs:
+      - package-charts
+    steps:
+      - name: Checkout source branch
+        uses: actions/checkout@v4
+        with:
+          path: src
+
+      - name: Checkout gh-pages branch
+        uses: actions/checkout@v4
+        with:
+          token: ${{ github.token }}
+          path: gh-pages
+          ref: ${{ inputs.ghPagesBranch }}
+          fetch-depth: 0
+
+      - name: Prepare artifacts for release to GitHub Pages
+        uses: ./src/.github/actions/charts-release-ghpages
+        with:
+          artifactPattern: "*"
+          artifactPrefix: chart__
+          targetFolder: gh-pages
+          targetBranch: gh-pages
+
+      - name: Publish changes to GitHub Pages
+        uses: ./src/.github/actions/publish-folder-to-pages
+        with:
+          path: gh-pages/
+
+  prepare-release-charts-to-oci:
+    name: Prepare releasing charts to OCI registry
+    runs-on: ubuntu-22.04
+    if: ${{ inputs.publishToOciRegistry }}
+    needs:
+      - package-charts
+    outputs:
+      artifacts: ${{ steps.artifacts.outputs.artifacts }}
+    steps:
+      - name: List artifacts
+        id: list
+        uses: yakubique/list-artifacts@v1.1
+        with:
+          name: chart__*
+
+      - name: Rewrite artifacts output
+        id: artifacts
+        shell: bash
+        env:
+          JQ_COMMAND: |-
+            [.[] | {artifact_name: .name, chart_name: (.name | split("__")[-2]), chart_version: (.name | split("__")[-1]) }]
+        run: |
+          echo '${{ steps.list.outputs.result }}' | jq -c -r "$JQ_COMMAND" > artifacts
+          echo "artifacts=$(cat artifacts)" >> "$GITHUB_OUTPUT"
+
+  release-charts-to-oci:
+    name: Release charts to OCI registry
+    runs-on: ubuntu-22.04
+    if: ${{ inputs.publishToOciRegistry && needs.prepare-release-charts-to-oci.outputs.artifacts != '[]' }}
+    strategy:
+      matrix:
+        artifacts: ${{ fromJSON(needs.prepare-release-charts-to-oci.outputs.artifacts) }}
+      fail-fast: false
+    needs:
+      - package-charts
+      - prepare-release-charts-to-oci
+    env:
+      TARGET_REGISTRY: ghcr.io
+    steps:
+      - name: Download chart artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+          pattern: ${{ matrix.artifacts.artifact_name }}
+
+      - name: Checkout source branch
+        uses: actions/checkout@v4
+        with:
+          path: src
+
+      - name: Release chart to OCI registry
+        uses: ./src/.github/actions/charts-release-oci
+        with:
+          workingDir: artifacts/${{ matrix.artifacts.artifact_name }}
+          chartName: ${{ matrix.artifacts.chart_name }}
+          chartVersion: ${{ matrix.artifacts.chart_version }}
+
+  cleanup-charts-artifacts:
+    name: Clean up artifacts
+    runs-on: ubuntu-22.04
+    needs:
+      - package-charts
+      - release-charts-to-github-pages
+      - release-charts-to-oci
+    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+    steps:
+    - name: Clean up artifact
+      uses: joernott/rm-artifact@v1
+      with:
+        name: "*"
+        useGlob: true
+        failOnError: true

.github/workflows/charts-release.yaml

@@ -1,92 +1,88 @@
+---
 name: "Charts: Release"
 
 concurrency: helm-release
 
 on:
   workflow_dispatch:
-    inputs:
-      charts:
-        description: >
-          Charts to release. Comma-separated string.
-          Defaults to releasing everything.
-        default: ""
-        required: false
-
   push:
     branches:
       - main
     paths:
       - "charts/**"
 
-env:
-  HELM_VERSION: 3.11.2
-
 jobs:
-  prepare:
+  prepare-release:
     name: Prepare data required for release
     runs-on: ubuntu-22.04
     outputs:
-      libraryChartsToRelease: ${{ steps.collect-charts.outputs.chartsLibraryToRelease }}
-      applicationChartsToRelease: ${{ steps.collect-charts.outputs.chartsApplicationToRelease }}
+      repoConfiguration: ${{ steps.repo-config.outputs.config }}
+      libraryChartsToRelease: ${{ steps.changed-library-charts.outputs.all_changed_files }}
+      applicationChartsToRelease: ${{ steps.changed-charts.outputs.all_changed_files }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Collect charts to release
-        uses: bjw-s/helm-charts-actions/collect-charts@main
-        id: collect-charts
+      - name: Grab repository configuration
+        id: repo-config
+        shell: bash
+        run: |
+          echo "config=$(yq '.' '.ci/repo-config.yaml' -o json -I=0)" >> "$GITHUB_OUTPUT"
+
+      - name: Get changed library charts
+        id: changed-library-charts
+        uses: tj-actions/changed-files@v45
         with:
-          repoConfigFile: ./.ci/repo-config.yaml
-          overrideCharts: "[${{ inputs.charts }}]"
-          requireHeadAheadOfBase: false
+          matrix: true
+          path: charts
+          dir_names: true
+          dir_names_max_depth: 2
+          files: |
+            library/**
+
+      - name: Get changed charts
+        id: changed-charts
+        uses: tj-actions/changed-files@v45
+        with:
+          matrix: true
+          path: charts
+          dir_names: true
+          dir_names_max_depth: 2
+          files_ignore: |
+            library/**
 
   release-library-charts:
-    name: Release Library charts to GitHub pages
-    uses: ./.github/workflows/charts-release-ghpages.yaml
+    name: Release library charts
     needs:
-      - prepare
+      - prepare-release
+    if: ${{ needs.prepare-release.outputs.libraryChartsToRelease != '[]' }}
+    uses: ./.github/workflows/charts-release-steps.yaml
+    permissions:
+      pages: write
+      id-token: write
+      contents: write
+      packages: write
     with:
-      charts: "${{ needs.prepare.outputs.libraryChartsToRelease }}"
-    secrets: inherit
+      charts: ${{ needs.prepare-release.outputs.libraryChartsToRelease }}
+      excludedChartsRelease: ${{ toJSON(fromJSON(needs.prepare-release.outputs.repoConfiguration).excluded-charts-release) }}
+      ghPagesBranch: gh-pages
+      publishToOciRegistry: false
 
-  tag-library-charts:
-    name: Create git tags for library charts
-    uses: ./.github/workflows/tag-charts.yaml
+  release-other-charts:
+    name: Release other charts
     needs:
-      - prepare
+      - prepare-release
       - release-library-charts
+    if: ${{ needs.prepare-release.outputs.applicationChartsToRelease != '[]' }}
+    uses: ./.github/workflows/charts-release-steps.yaml
+    permissions:
+      pages: write
+      id-token: write
+      contents: write
+      packages: write
     with:
-      charts: "${{ needs.prepare.outputs.libraryChartsToRelease }}"
-    secrets: inherit
-
-  release-application-charts:
-    name: Release Application charts to GitHub pages
-    uses: ./.github/workflows/charts-release-ghpages.yaml
-    needs:
-      - prepare
-      - release-library-charts
-    with:
-      charts: "${{ needs.prepare.outputs.applicationChartsToRelease }}"
-    secrets: inherit
-
-  tag-application-charts:
-    name: Create git tags for application charts
-    uses: ./.github/workflows/tag-charts.yaml
-    needs:
-      - prepare
-      - release-application-charts
-    with:
-      charts: "${{ needs.prepare.outputs.applicationChartsToRelease }}"
-    secrets: inherit
-
-  release-github-oci:
-    name: Release Application charts to GitHub Container Registry
-    uses: ./.github/workflows/charts-release-oci.yaml
-    needs:
-      - prepare
-      - release-library-charts
-    with:
-      charts: "${{ needs.prepare.outputs.applicationChartsToRelease }}"
-    secrets: inherit
+      charts: ${{ needs.prepare-release.outputs.applicationChartsToRelease }}
+      excludedChartsRelease: ${{ toJSON(fromJSON(needs.prepare-release.outputs.repoConfiguration).excluded-charts-release) }}
+      ghPagesBranch: gh-pages