Merge pull request #118 from codefresh-io/fix/security-fix #111
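## Reference: https://github.com/helm/chart-releaser-action
#
# Publishes the argo-events chart on every push to the `argo-events` branch:
# packages it, hands the package to chart-releaser, then pushes the same
# package to GHCR as an OCI artifact.
#
# Hardening already present and worth keeping:
#   - every third-party action is pinned to a full commit SHA (the trailing
#     comment records the matching tag);
#   - the workflow-level token is read-only, and write scopes are granted
#     only to the single job that needs them;
#   - secrets reach shell steps through `env:`, never through `${{ }}`
#     expansion inside the script text.
name: Chart Publish

on:
  push:
    branches:
      - argo-events

# Default for every job: read-only repository contents.
permissions:
  contents: read

jobs:
  publish:
    # Forks carry this workflow too; only the canonical repository publishes.
    if: github.repository == 'codefresh-io/argo-helm'
    permissions:
      contents: write  # for helm/chart-releaser-action to push chart release and create a release
      packages: write  # to push OCI chart package to GitHub Registry
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
        with:
          # Full history and all refs: a later step reads index.yaml from
          # origin/gh-pages.
          fetch-depth: 0

      - name: Install Helm
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814  # v4.2.0
        with:
          version: v3.10.1  # Also update in lint-and-test.yaml

      - name: Add dependency chart repos
        run: |
          helm repo add dandydeveloper https://dandydeveloper.github.io/charts/

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          # GitHub's per-user noreply address, built from the triggering actor.
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      ## This is required to consider the old Circle-CI Index and to stay compatible with all the old releases.
      - name: Fetch current Chart Index
        run: |
          git checkout origin/gh-pages index.yaml

      - name: Package chart
        run: |
          rm -rf .cr-release-packages
          mkdir .cr-release-packages
          helm package charts/argo-events -u -d .cr-release-packages/

      # The GitHub repository secret `PGP_PRIVATE_KEY` contains the private key
      # in ASCII-armored format. To export a (new) key, run this command:
      # `gpg --armor --export-secret-key <my key>`
      - name: Prepare PGP key
        run: |
          IFS=""
          # The private key and its passphrase are written to disk here.
          # Create both files owner-only (0600) instead of relying on the
          # runner's default umask. This narrows exposure to other local
          # users; it does not hide the files from later steps of this job,
          # which run as the same user.
          umask 077
          echo "$PGP_PRIVATE_KEY" | gpg --dearmor > "$HOME/secring.gpg"
          echo "$PGP_PASSPHRASE" > "$HOME/passphrase.txt"
          # Tell chart-releaser-action where to find the key and its passphrase
          echo "CR_KEYRING=$HOME/secring.gpg" >> "$GITHUB_ENV"
          echo "CR_PASSPHRASE_FILE=$HOME/passphrase.txt" >> "$GITHUB_ENV"
        env:
          PGP_PRIVATE_KEY: "${{ secrets.PGP_PRIVATE_KEY }}"
          PGP_PASSPHRASE: "${{ secrets.PGP_PASSPHRASE }}"

      - name: Run chart-releaser
        # todo: change later to v1.6.0 (also in argo-rollouts chart)
        # issue: https://github.com/helm/chart-releaser-action/issues/171
        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968  # v1.5.0
        with:
          # NOTE(review): whether packages are actually signed with the key
          # prepared above depends on this config file, which is not shown
          # here; confirm signing is enabled there.
          config: "./.github/configs/cr.yaml"
          # The chart was already packaged into .cr-release-packages by the
          # "Package chart" step.
          skip_packaging: true
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Login to GHCR
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446  # v3.2.0
        with:
          registry: ghcr.io
          username: "${{ github.actor }}"
          # Job-scoped token; `packages: write` above is what permits the push.
          password: "${{ secrets.GITHUB_TOKEN }}"

      - name: Push chart to GHCR
        run: |
          shopt -s nullglob
          for pkg in .cr-release-packages/*.tgz; do
            if [ -z "${pkg:-}" ]; then
              break
            fi
            # Use the runner-provided GITHUB_REPOSITORY variable rather than
            # expanding ${{ github.repository }} into the script: same value,
            # but the shell then treats it as data, not as script text.
            helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY}"
          done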