Skip to content

chore: update sys and net #204

chore: update sys and net

chore: update sys and net #204

Workflow file for this run

name: Helm
on:
release:
types: [published]
push:
branches:
- main
tags:
- "v*"
pull_request:
workflow_dispatch:
inputs:
version:
description: "Chart version to release (overrides Chart.yaml). Leave empty to use Chart.yaml."
required: false
type: string
permissions:
contents: read
jobs:
lint-and-test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
with:
version: v3.14.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.12
- name: Set up chart-testing
uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --config=.github/ci/ct.yaml)
if [[ -n "$changed" ]]; then
echo "changed=true" >> $GITHUB_OUTPUT
fi
- name: Run chart-testing (lint)
run: ct lint --config=.github/ci/ct.yaml
- name: Set up Go
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version-file: go.mod
if: steps.list-changed.outputs.changed == 'true'
- name: Build reloader image
if: steps.list-changed.outputs.changed == 'true'
run: |
VERSION=$(helm show chart deploy/charts/reloader | grep appVersion | awk '{print $2}')
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/reloader-linux-amd64 cmd/main.go
docker build -f Dockerfile -t ghcr.io/external-secrets/reloader:${VERSION} .
- name: Create kind cluster
uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
if: steps.list-changed.outputs.changed == 'true'
- name: Load image into kind
if: steps.list-changed.outputs.changed == 'true'
run: |
VERSION=$(helm show chart deploy/charts/reloader | grep appVersion | awk '{print $2}')
kind load docker-image ghcr.io/external-secrets/reloader:${VERSION} --name chart-testing
- name: Run chart-testing (install)
run: ct install --config=.github/ci/ct.yaml --charts deploy/charts/reloader
if: steps.list-changed.outputs.changed == 'true'
release:
needs: lint-and-test
if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' || github.event_name == 'release'
permissions:
contents: read
packages: write
id-token: write
attestations: write
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
with:
version: v3.17.3
- name: Login to GHCR
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
with:
cosign-release: 'v3.0.2'
- name: Package chart
id: package_chart
env:
VERSION_INPUT: ${{ inputs.version }}
run: |
version_arg=()
if [[ -n "${VERSION_INPUT}" ]]; then
version_arg=(--version "${VERSION_INPUT}")
fi
helm package deploy/charts/reloader --destination .helm-packages "${version_arg[@]}"
echo "pkg=$(echo .helm-packages/*.tgz)" >> "$GITHUB_OUTPUT"
- name: Push chart to GHCR
id: push_chart
run: |
chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
pkg="${{ steps.package_chart.outputs.pkg }}"
chart_name=$(helm show chart "${pkg}" | yq .name)
chart_version=$(helm show chart "${pkg}" | yq .version)
if helm show chart "oci://${chart_registry}/${chart_name}" --version "${chart_version}" > /dev/null 2>&1; then
echo "Chart oci://${chart_name}:${chart_version} already exists — skipping"
echo "push_status=skipped" >> "$GITHUB_OUTPUT"
exit 0
fi
helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1)
digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*')
echo "$helm_push_output"
artifact_digest_uri="${chart_registry}/${chart_name}@${digest}"
cosign sign --yes --new-bundle-format=false --use-signing-config=false "$artifact_digest_uri"
cosign verify --new-bundle-format=false "$artifact_digest_uri" \
--certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/.*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
echo "digest=${digest}" >> "$GITHUB_OUTPUT"
echo "push_status=pushed" >> "$GITHUB_OUTPUT"
echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT"
echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT"
- name: Generate provenance attestation and push to OCI registry
if: steps.push_chart.outputs.push_status == 'pushed'
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
push-to-registry: true
subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }}
subject-digest: ${{ steps.push_chart.outputs.digest }}