Skip to content

chore(deps): update dependencies for alpha (#2299) #424

chore(deps): update dependencies for alpha (#2299)

chore(deps): update dependencies for alpha (#2299) #424

# TODO: Convert this workflow to a template and use it for both snapshot and actual releases.
name: "Chart - Release - Snapshot"
on:
push:
branches:
- main
paths:
- .github/workflows/chart-release-snapshot.yaml
- charts/camunda-platform-latest/**
- charts/camunda-platform-alpha/**
jobs:
clean:
name: Clean old artifacts digest
permissions:
packages: write
runs-on: ubuntu-latest
defaults:
run:
shell: bash
working-directory: /tmp
steps:
- name: Delete old artifacts
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Get IDs of the untagged artifacts (the sha256 digest).
artifacts_ids_to_delete="$(
gh api -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' \
'/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions?per_page=100' |
jq '.[] | select(.metadata.container.tags | length == 0)' | jq '.id'
)"
# Early exit if no artifacts to delete.
test -z "${artifacts_ids_to_delete}" && {
echo "No old untagged artifacts to delete ...";
exit 0;
}
# Delete the untagged artifacts.
echo -e "Deleting the old untagged artifacts IDs:\n${artifacts_ids_to_delete}"
for container_id in ${artifacts_ids_to_delete}; do
gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
"/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions/${container_id}"
done
release:
needs: clean
name: ${{ matrix.chart.name }}
permissions:
packages: write
id-token: write
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
chart:
- name: Helm Chart Latest rolling
directory: charts/camunda-platform-latest
versionSuffix: snapshot-latest
- name: Helm Chart Alpha rolling
directory: charts/camunda-platform-alpha
versionSuffix: snapshot-alpha
- name: Helm Chart Alpha versioned
directory: charts/camunda-platform-alpha
versionSuffix: ""
defaults:
run:
shell: bash
working-directory: ${{ matrix.chart.directory }}
#
# Vars.
env:
REPOSITORY_NAME: "camunda/helm"
CHART_NAME: "camunda-platform"
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
fetch-depth: 0
- name: Set vars
run: |
# NOTE: Helm CLI only accepts SemVer so we need to use something like "0.0.0-snapshot-latest".
CHART_VERSION_SUFFIX="${{ matrix.chart.versionSuffix }}"
CHART_VERSION_SUFFIX_DEFAULT="$(yq '.version' Chart.yaml)"
echo "CHART_VERSION=0.0.0-${CHART_VERSION_SUFFIX:-${CHART_VERSION_SUFFIX_DEFAULT}}" | tee -a $GITHUB_ENV
#
# Changelog.
- name: Generate snapshot changelog
run: |
export SNAPSHOT_DESCRIPTION="Check chart dir for more details: https://github.com/camunda/camunda-platform-helm/tree/main/charts/${{ matrix.chart.directory }}"
yq -i '.description |= strenv(SNAPSHOT_DESCRIPTION)' Chart.yaml
#
# Package.
- name: Install Helm CLI
uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
- name: Print Helm CLI version
run: helm version
- name: Package and push Helm chart
env:
HELM_EXPERIMENTAL_OCI: 1
run: |
echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} --password-stdin ghcr.io
helm dependency update
helm package --version ${{ env.CHART_VERSION }} .
helm push ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz oci://ghcr.io/${{ env.REPOSITORY_NAME }}
helm registry logout ghcr.io
#
# Security signature.
- name: Install Cosign CLI
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Sign Helm chart with Cosign
run: |
cosign sign-blob -y ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \
--bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle
- name: Verify signed Helm chart with Cosign
run: |
cosign verify-blob ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \
--bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle \
--certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install ORAS CLI
uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1
- name: Upload Helm chart Cosign bundle
run: |
oras push ghcr.io/${{ env.REPOSITORY_NAME }}/${{ env.CHART_NAME }}:${{ env.CHART_VERSION }}.cosign.bundle \
${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle:text/plain