diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..0c647fa
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,62 @@
+name: Publish Helm Chart
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: "Release tag to publish (e.g. common-v0.1.1)"
+ required: true
+
+concurrency:
+ group: publish-${{ github.event.release.tag_name || inputs.tag }}
+ cancel-in-progress: false
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+ steps:
+ - name: Resolve tag
+ id: tag
+ run: |
+ TAG="${{ github.event.release.tag_name || inputs.tag }}"
+ if [[ ! "$TAG" =~ ^([a-z0-9-]+)-v([0-9]+\.[0-9]+\.[0-9]+)$ ]]; then
+ echo "::error::Tag '$TAG' does not match expected format -v"
+ exit 1
+ fi
+ COMPONENT="${BASH_REMATCH[1]}"
+ VERSION="${BASH_REMATCH[2]}"
+ echo "ref=$TAG" >> "$GITHUB_OUTPUT"
+ echo "component=$COMPONENT" >> "$GITHUB_OUTPUT"
+ echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+ echo "chart_path=charts/$COMPONENT" >> "$GITHUB_OUTPUT"
+
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ ref: ${{ steps.tag.outputs.ref }}
+
+ - name: Set up Helm
+ uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
+ with:
+ version: v4.1.4
+
+ - name: Login to GHCR
+ run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
+
+ - name: Package and push
+ run: |
+ helm dependency update "${{ steps.tag.outputs.chart_path }}"
+ helm package "${{ steps.tag.outputs.chart_path }}" --destination .
+ helm push "${{ steps.tag.outputs.component }}-${{ steps.tag.outputs.version }}.tgz" \
+ oci://ghcr.io/docspec/charts
+
+ - name: Logout from GHCR
+ if: always()
+ run: helm registry logout ghcr.io
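Review bot: The `Resolve tag` step expands `${{ github.event.release.tag_name || inputs.tag }}` directly into the `run:` script, so the tag text becomes shell source before the regex check on the following line runs; a tag or dispatch input containing a quote or `$(...)` would be interpreted by bash in a job that holds `packages: write` and `id-token: write`. Pass the value through the environment instead: give the step an `env:` entry `TAG: ${{ github.event.release.tag_name || inputs.tag }}` and delete the `TAG="${{ ... }}"` assignment, leaving the existing `"$TAG"` references unchanged. The later steps interpolate only `steps.tag.outputs.*`, which are written after the regex has passed, so they are lower risk, though `--username ${{ github.actor }}` in the login step is unquoted and would also be cleaner as an env var. Separately, `attestations: write` and `id-token: write` are granted but no step in this hunk creates an attestation or requests an OIDC token; consider dropping them until such a step exists.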
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index ab5974e..c461ad0 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -16,50 +16,9 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
- outputs:
- releases_created: ${{ steps.rp.outputs.releases_created }}
- paths_released: ${{ steps.rp.outputs.paths_released }}
 steps:
 - name: Run release-please
- id: rp
 uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4
 with:
 config-file: release-please-config.json
 manifest-file: .release-please-manifest.json
-
- publish:
- needs: release-please
- if: needs.release-please.outputs.releases_created == 'true'
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- attestations: write
- steps:
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- with:
- ref: ${{ github.event.workflow_run.head_sha }}
-
- - name: Set up Helm
- uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
- with:
- version: v4.1.4
-
- - name: Login to GHCR
- run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
-
- - name: Package and push released charts
- run: |
- PATHS_RELEASED='${{ needs.release-please.outputs.paths_released }}'
- for chart_path in $(echo "$PATHS_RELEASED" | jq -r '.[]'); do
- chart_name="$(basename "$chart_path")"
- echo "Publishing $chart_name from $chart_path"
- helm dependency update "$chart_path"
- helm package "$chart_path" --destination .
- helm push ${chart_name}-*.tgz oci://ghcr.io/docspec/charts
- done
-
- - name: Logout from GHCR
- if: always()
- run: helm registry logout ghcr.io