docs: update existing keycloak environment variable

.github/actions/generate-chart-matrix/action.yml

@@ -1,5 +1,9 @@
 name: Generate chart matrix
 description: Find changed charts and generate matrix for changed ones only.
+inputs:
+  charts-path:
+    description: Charts path to match.
+    default: "charts/camunda-platform*"
 outputs:
   matrix:
     description: JSON matrix of changed charts which will be used as and input for GHA workflow matrix.
@@ -19,10 +23,11 @@ runs:
         ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
       run: |
         echo "Setting matrix based on changed files"
-        echo "Changed files: ${ALL_CHANGED_FILES}"
+        echo "Changed files:"
+        printf "%s\n" ${ALL_CHANGED_FILES}
         touch matrix_versions.txt
 
-        ls -d charts/camunda-platform-8* | while read chart_dir; do
+        ls -d ${{ inputs.charts-path }} | while read chart_dir; do
           if [[ $(echo ${ALL_CHANGED_FILES} | grep "${chart_dir}") ]]; then
             camunda_version="$(echo ${chart_dir} | cut -d '-' -f 3)";
             echo "Camunda version: ${camunda_version}"

.github/actions/workflow-vars/action.yml

@@ -82,19 +82,21 @@ runs:
       # The var is needed in some non-shell steps.
       echo "ingress-host=${TEST_INGRESS_HOST}" | tee -a $GITHUB_OUTPUT
 
-      # Chart version.
-      # Used to install previous supported versions of Camunda Helm charts.
-      # This is only needed in the upgrade flow not the setup.
+  - name: Set workflow vars - Chart version
+    shell: bash
+    run: |
+      # In the upgrade flow, the latest released chart for certain minor Camunda version will installed,
+      # then upgraded from the PR branch to ensure upgradability.
       if [[ "${{ inputs.setup-flow }}" == 'upgrade' ]]; then
-        TEST_CHART_VERSION="$(yq '.version' charts/${{ inputs.chart-dir }}/Chart.yaml)"
+        git fetch origin main:main --no-tags
+        TEST_CHART_VERSION="$(git show main:charts/${{ inputs.chart-dir }}/Chart.yaml | yq '.version')"
         echo "TEST_CHART_VERSION=${TEST_CHART_VERSION}" | tee -a $GITHUB_ENV
       fi
 
     # Avoid confusion about the chart version since we only change the version during the release process
     # as the "version" field in "Chart.yaml" file doesn't reflect the changes since the latest release.
   - name: Set chart version
     shell: bash
-    # TODO: Use the branch name dynamically as part of the version when it's supported in GitHub:
-    # https://github.com/orgs/community/discussions/70343
     run: |
-      yq -i '.version = "0.0.0-ci-snapshot"' charts/${{ inputs.chart-dir }}/Chart.yaml
+      chart_version="$(echo ${{ inputs.chart-dir }} | sed 's/camunda-platform/0.0.0-ci-snapshot/g')" \
+        yq -i '.version = env(chart_version)' charts/${{ inputs.chart-dir }}/Chart.yaml

.github/renovate.json5

@@ -24,19 +24,19 @@
       "matchFileNames": [
         ".github/workflows/*.ya?ml",
         ".github/actions/action.ya?ml",
-        "charts/camunda-platform/Chart.yaml",
-        "charts/camunda-platform/values*.yaml",
-        "charts/camunda-platform/go.*"
+        "charts/camunda-platform-latest/Chart.yaml",
+        "charts/camunda-platform-latest/values*.yaml",
+        "charts/camunda-platform-latest/go.*"
       ],
       "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
       // "addLabels": ["automerge"],
       // "automerge": true
     },
     {
       "matchFileNames": [
-        "charts/camunda-platform*/Chart.yaml",
-        "charts/camunda-platform*/values*.yaml",
-        "charts/camunda-platform*/go.*",
+        "charts/camunda-platform-8*/Chart.yaml",
+        "charts/camunda-platform-8*/values*.yaml",
+        "charts/camunda-platform-8*/go.*",
       ],
       "matchUpdateTypes": ["patch"],
     },
@@ -51,14 +51,14 @@
       "enabled": false,
       "matchManagers": ["helm-values", "regex"],
       "matchPaths": [
-        "charts/camunda-platform*/values*.yaml",
+        "charts/camunda-platform-8*/values*.yaml",
       ],
       "matchUpdateTypes": ["minor"]
     },
     {
       // Enable non-major version update for current Camunda version.
       "matchDatasources": ["github-releases", "docker", "regex"],
-      "matchPaths": ["charts/camunda-platform/values.yaml", "charts/camunda-platform/values-latest.yaml"],
+      "matchPaths": ["charts/camunda-platform-latest/values.yaml", "charts/camunda-platform-latest/values-latest.yaml"],
       "matchUpdateTypes": ["minor", "patch"]
     },
     {
@@ -71,14 +71,14 @@
       // Limit Elasticsearch version to latest supported version in Camunda v8.5.
       // https://docs.camunda.io/docs/reference/supported-environments/#camunda-8-self-managed
       "matchDatasources": ["docker"],
-      "matchPaths": ["charts/camunda-platform/values.yaml", "charts/camunda-platform/values-latest.yaml"],
+      "matchPaths": ["charts/camunda-platform-latest/values.yaml", "charts/camunda-platform-latest/values-latest.yaml"],
       "matchDepNames": ["bitnami/elasticsearch"],
       "allowedVersions": "~8.12.0"
     },
     {
       // Disable Helm chart upgrades from bitnami/elasticsearch
       "matchDepNames": ["elasticsearch"],
-      "matchPaths": ["charts/camunda-platform*/Chart.yaml"],
+      "matchPaths": ["charts/camunda-platform-8*/Chart.yaml"],
       "enabled": false
     },
     // Limit tools and libs versions to the actual Distro CI Kubernetes cluster.

.github/workflows/chart-public-files.yaml

@@ -7,9 +7,10 @@ on:
     branches:
     - main
     paths:
-    - 'charts/camunda-platform/values*.yaml'
-    - 'charts/camunda-platform/version-matrix/**'
+    - '.github/workflows/chart-public-files.yaml'
+    - 'charts/camunda-platform*/values*.yaml'
     - 'scripts/templates/version-matrix/*'
+    - 'version-matrix/**'
   workflow_dispatch: { }
 
 permissions:
@@ -22,31 +23,31 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           ref: gh-pages
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           path: main
       - name: Copy files
         run: |
           #
           # Values files.
-          mkdir -p camunda-platform/values camunda-platform/version-matrix
+          mkdir -p camunda-platform/values
 
           # Latest version.
-          cp -a main/charts/camunda-platform/values-latest.yaml camunda-platform/values/values-latest.yaml
+          cp -a main/charts/camunda-platform-latest/values-latest.yaml camunda-platform/values/values-latest.yaml
 
           # Previous versions.
-          find charts -name "camunda-platform-*" | while read chart_id; do
+          find main/charts -name "camunda-platform-*" | while read chart_id; do
               camunda_version="$(echo ${chart_id} | cut -d '-' -f 3)";
               echo "cp -a main/${chart_id}/values-latest.yaml camunda-platform/values/values-v${camunda_version}.yaml";
           done
 
           #
           # Version matrix.
-          mkdir -p camunda-platform/values camunda-platform/version-matrix
-          cp -a main/charts/camunda-platform/version-matrix/* camunda-platform/version-matrix/
+          mkdir -p camunda-platform/version-matrix
+          cp -a main/version-matrix/* camunda-platform/version-matrix/
 
           #
           # Post run.            

.github/workflows/chart-release-snapshot.yaml

@@ -16,7 +16,7 @@ jobs:
     defaults:
       run:
         shell: bash
-        working-directory: charts/camunda-platform
+        working-directory: charts/camunda-platform-latest
     #
     # Vars.
     env:
@@ -26,7 +26,7 @@ jobs:
       CHART_VERSION: "0.0.0-main-snapshot"
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           ref: main
           fetch-depth: 0
@@ -73,7 +73,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Install ORAS CLI
-        uses: oras-project/setup-oras@ee7dbe1144cb00080a89497f937dae78f85fce29 # v1
+        uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1
       - name: Upload Helm chart Cosign bundle
         run: |
           oras push ghcr.io/${{ env.REPOSITORY_NAME }}/${{ env.CHART_NAME }}:${{ env.CHART_VERSION }}.cosign.bundle \

.github/workflows/chart-release.yaml

@@ -29,17 +29,16 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           fetch-depth: 0
       - name: Install env dependencies
         uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
       - name: Remove Dev Comments
         run: |
           TARGET_FILES=(
-            "charts/camunda-platform/values/*"
-            "charts/camunda-platform/values.yaml"
-            "charts/camunda-platform/Chart.yaml"
+            "charts/camunda-platform*/values*.yaml"
+            "charts/camunda-platform*/Chart.yaml"
           )
           for FILE in "${TARGET_FILES[@]}"; do
             sed -i '/# START DEV COMMENT/,/# END DEV COMMENT/d' $FILE
@@ -58,60 +57,113 @@ jobs:
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+      - name: Install Chart Releaser
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        with:
+          install_only: true
+        env:
+          CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          CR_SKIP_EXISTING: 'true'
       - name: Add Helm repos
         run: |
           make helm.repos-add
       - name: Update Helm dependency
         run: |
-          make helm.dependency-update
+          chartPath="$(ct list-changed | tr '\n' ' ')" \
+            make helm.dependency-update
       - name: cosign-installer
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
-      - name: Set Helm chart version var
-        run: |
-          CHART_NAME="$(yq ".name" charts/camunda-platform/Chart.yaml)"
-          CHART_VERSION="$(yq ".version" charts/camunda-platform/Chart.yaml)"
-          echo "CHART_NAME_WITH_VERSION=${CHART_NAME}-${CHART_VERSION}" | tee -a $GITHUB_ENV
       # TODO: Move this step to pre-release workflow when we have it.
       - name: Generate release note footer
         run: |
           make release.generate-notes-footer
-      - name: Clean up release readme
+      - name: Tidy up
+        run: |
+          # Clean up badges from readme to avoid showing them in Artifact Hub.
+          sed -ri '/Badge .+/d' charts/camunda-platform-latest/README.md
+          mkdir release-packages
+
+      #
+      # We run Chart Releaser twice as a workaround because it's not possible to control the release order.
+      # CR by default will release "camunda-platform-10.x.x" first then "camunda-platform-8.x.x",
+      # however, we want the latest version to show as the latest release in GitHub releases.
+      #
+
+      # Release previous versions.
+      - name: Pre-Release - Previous versions
+        run: |
+          rm -rf charts/camunda-platform-latest
+      - name: Run Chart Releaser - Previous versions
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        with:
+          config: .github/config/chart-releaser.yaml
+        env:
+          CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          CR_SKIP_EXISTING: 'true'
+      - name: Post-Release - Previous versions
         run: |
-          sed -ri '/Badge .+/d' charts/camunda-platform/README.md
-      - name: Run Chart Releaser
+          mv .cr-release-packages/* release-packages/
+          git checkout :/
+
+      # Release the latest version.
+      - name: Pre-Release - Latest version
+        run: |
+          rm -rf charts/camunda-platform-8*
+      - name: Run Chart Releaser - Latest version
         uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
         with:
           config: .github/config/chart-releaser.yaml
         env:
           CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
           CR_SKIP_EXISTING: 'true'
+      - name: Post-Release - Latest version
+        run: |
+          mv .cr-release-packages/* release-packages/
+          git checkout :/
+
+      # Sign and upload the signature of the chart package.
+      - name: Set Helm chart vars
+        run: |
+          CHART_PACKAGES="$(find release-packages -maxdepth 1 -name "camunda-platform*.tgz" \
+            -exec basename {} \; | xargs)"
+          echo "CHART_PACKAGES=${CHART_PACKAGES}" | tee -a $GITHUB_ENV
       - name: Sign Helm chart with Cosign
         run: |
-          cosign sign-blob -y .cr-release-packages/${CHART_NAME_WITH_VERSION}.tgz \
-            --bundle ${CHART_NAME_WITH_VERSION}.cosign.bundle
+          for chart_package in ${CHART_PACKAGES}; do
+            echo "Package: ${chart_package}"
+            cosign sign-blob -y release-packages/${chart_package} \
+              --bundle "${chart_package%.*}.cosign.bundle"
+          done
       - name: Verify signed Helm chart with Cosign
         run: |
-          cosign verify-blob .cr-release-packages/${CHART_NAME_WITH_VERSION}.tgz \
-            --bundle ./${CHART_NAME_WITH_VERSION}.cosign.bundle \
-            --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+          for chart_package in ${CHART_PACKAGES}; do
+            echo "Package: ${chart_package}"
+            cosign verify-blob release-packages/${chart_package} \
+              --bundle "${chart_package%.*}.cosign.bundle" \
+              --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+          done
       - name: Upload Helm chart signature bundle
         run: |
-          gh release upload "${CHART_NAME_WITH_VERSION}" \
-            ./${CHART_NAME_WITH_VERSION}.cosign.bundle \
-            --repo "${GITHUB_REPOSITORY}"
+          for chart_package in ${CHART_PACKAGES}; do
+            echo "Package: ${chart_package}"
+            gh release upload "${chart_package%.*}" \
+              "${chart_package%.*}.cosign.bundle" \
+              --repo "${GITHUB_REPOSITORY}"
+          done
         env:
           GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+
   post-release:
     needs: release
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
-          # The verify step happens in the "release" branch before merging to the "main" branch.
+          # The verification step happens in the "release" branch before merging into the "main" branch.
           ref: release
           fetch-depth: 0
       - name: Install env dependencies
@@ -126,10 +178,11 @@ jobs:
           command: make release.verify-components-version
       - name: Generate version matrix
         run: |
+          make helm.repos-add
           make release.generate-version-matrix-index
           make release.generate-version-matrix-released
       - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
         with:
           author_name: "renovate[bot]"
           author_email: "29139614+renovate[bot]@users.noreply.github.com"
-          message: "chore: Generate VERSION-MATRIX.md"
+          message: "chore: Generate version matrix"

.github/workflows/chart-update-readme.yaml

@@ -5,6 +5,7 @@ on:
     branches:
       - main
     paths:
+      - 'charts/camunda-platform*/README.md'
       - 'charts/camunda-platform*/values.yaml'
       - '.github/workflows/chart-update-readme.yaml'
 
@@ -24,7 +25,7 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID_DISTRO_CI }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY_DISTRO_CI }}
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           token: '${{ steps.generate-github-token.outputs.token }}'
       - name: Install readme-generator-for-helm

.github/workflows/chart-validate-template.yaml

@@ -13,7 +13,7 @@ on:
         type: string
       camunda-helm-dir:
         required: false
-        default: camunda-platform
+        default: camunda-platform-latest
         type: string
 
 permissions:
@@ -30,7 +30,7 @@ jobs:
     steps:
       # Checkout.
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           fetch-depth: 0
           ref: "${{ inputs.camunda-helm-git-ref }}"