chore: update CHANGELOG.md for merged changes #677
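# Release workflow: runs chart-releaser for changed charts, then pushes each
# packaged chart to the primary OCI registry and to GHCR and signs every pushed
# artifact by digest with cosign.
name: Release Charts

on:
  push:
    branches:
      - main
  workflow_dispatch:
    inputs:
      # NOTE(review): no step shown in this file reads inputs.dry_run, so a
      # manually dispatched "dry run" would still perform a real release.
      dry_run:
        description: 'Dry run (skip actual release)'
        required: false
        type: boolean
        default: false

concurrency:
  group: release
  # Let an in-flight release finish instead of cancelling it. A run cancelled
  # between the chart-releaser step and the push/sign step can leave a chart
  # released on GitHub but missing (or unsigned) in the OCI registries, and a
  # later run may no longer report that chart as changed.
  cancel-in-progress: false

jobs:
  release:
    permissions:
      contents: write  # GITHUB_TOKEN is handed to chart-releaser as CR_TOKEN
      packages: write  # GITHUB_TOKEN is used to push charts to ghcr.io
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

      - name: Configure Git
        # NOTE(review): the e-mail value below was replaced by this page's
        # address obfuscation; restore the real value from the repository.
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "[email protected]"

      - name: Login to Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ${{ vars.REGISTRY }}
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Login to GHCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run chart-releaser
        id: chart-releaser
        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
        with:
          skip_existing: true
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Install cosign
        # NOTE(review): the reference below was mangled by this page's address
        # obfuscation; restore it from the repository. This step installs the
        # tool that holds the signing key, so pin it to a full commit SHA like
        # the other actions in this workflow.
        uses: sigstore/[email protected]
        if: ${{ steps.chart-releaser.outputs.changed_charts }}

      - id: github-repo-owner-name
        uses: ASzc/change-string-case-action@d0603cd0a7dd490be678164909f65c7737470a7f # v6
        with:
          string: ${{ github.repository_owner }}

      - name: Upload charts to OCI registries
        id: upload
        if: ${{ steps.chart-releaser.outputs.changed_charts }}
        # Every value the script needs is passed through the environment.
        # ${{ ... }} expressions are substituted into the script text before
        # the shell parses it, so a value containing shell metacharacters would
        # be executed as code and a secret would become part of a command line.
        env:
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          OCI_REGISTRY: ${{ vars.REGISTRY }}
          OCI_REPOSITORY: ${{ vars.REPOSITORY }}
          GHCR_OWNER: ${{ steps.github-repo-owner-name.outputs.lowercase }}
          CHANGED_CHARTS: ${{ steps.chart-releaser.outputs.changed_charts }}
        run: |
          set -euo pipefail

          # Run a command up to three times, doubling the wait between
          # attempts. No sleep follows the final failed attempt.
          retry() {
            local max_attempts=3
            local attempt=1
            local delay=5
            while [ "$attempt" -le "$max_attempts" ]; do
              if "$@"; then
                return 0
              fi
              if [ "$attempt" -lt "$max_attempts" ]; then
                echo "Attempt $attempt failed. Retrying in ${delay}s..."
                sleep "$delay"
                delay=$((delay * 2))
              else
                echo "Attempt $attempt failed."
              fi
              attempt=$((attempt + 1))
            done
            echo "ERROR: All $max_attempts attempts failed"
            return 1
          }

          # Log in to a registry with the password supplied on stdin, so it is
          # never part of a process argument list. printf is a shell builtin,
          # so the password does not reach any argv here either.
          #   $1 = registry URL, $2 = user name, $3 = password
          registry_login() {
            local host=$1 user=$2 password=$3
            printf '%s' "$password" |
              helm registry login --username "$user" --password-stdin "$host"
          }

          # Push one packaged chart to an OCI repository and sign the pushed
          # artifact by the digest that helm reports. Exits the script on any
          # failure so that no chart is left pushed but unsigned without the
          # job failing.
          #   $1 = package file, $2 = repository (no scheme), $3 = chart name,
          #   $4 = chart version, $5 = registry label for messages, $6 = log file
          push_and_sign() {
            local package=$1 repo=$2 name=$3 version=$4 label=$5 log=$6
            local digest

            echo "Pushing Helm chart ${name}-${version}.tgz to oci://${repo}"
            # pipefail (set above) makes this pipeline fail when the push
            # fails, even though tee itself succeeds.
            if ! retry helm push "$package" "oci://${repo}" 2>&1 | tee "$log"; then
              echo "ERROR: Failed to push ${name}-${version} to ${label}"
              cat "$log"
              exit 1
            fi

            # Accept only a complete sha256 digest, and only the first match,
            # so a truncated or repeated line cannot produce a bad reference.
            digest=$(grep -m 1 -oP 'Digest:\s*\K(sha256:[a-f0-9]{64})' "$log" || echo "")
            if [ -z "$digest" ]; then
              echo "ERROR: Failed to extract digest from helm push output"
              echo "Output was:"
              cat "$log"
              exit 1
            fi
            echo "Extracted digest: $digest"

            # Signing tag@digest binds the signature to the exact artifact
            # that was pushed, not to whatever the tag points at later.
            echo "Signing chart at ${repo}/${name}:${version}@${digest}"
            if ! cosign sign -y --upload=true --key env://COSIGN_KEY "${repo}/${name}:${version}@${digest}"; then
              echo "ERROR: Failed to sign chart"
              exit 1
            fi
            echo "Successfully released ${name}-${version} to ${label}"
          }

          echo "Logging into primary registry..."
          retry registry_login "https://${OCI_REGISTRY}" "$REGISTRY_USER" "$REGISTRY_PASSWORD"

          echo "Logging into GHCR..."
          retry registry_login "https://ghcr.io" "$GHCR_USER" "$GHCR_TOKEN"

          # Push logs go to a private temp directory, not into the checkout.
          log_dir=$(mktemp -d)

          RELEASED_CHARTS=""
          IFS=',' read -r -a chart_dirs <<< "$CHANGED_CHARTS"
          for chart_directory in "${chart_dirs[@]}"; do
            [ -n "$chart_directory" ] || continue
            CHART_NAME=${chart_directory#charts/}

            # Extract version and appVersion from Chart.yaml
            CHART_VERSION=$(yq eval '.version' "${chart_directory}/Chart.yaml")
            # APP_VERSION is not used by the part of the script shown here.
            APP_VERSION=$(yq eval '.appVersion' "${chart_directory}/Chart.yaml")
            if [ -z "$CHART_VERSION" ] || [ "$CHART_VERSION" = "null" ]; then
              echo "ERROR: No version found in ${chart_directory}/Chart.yaml"
              exit 1
            fi

            package="${GITHUB_WORKSPACE}/.cr-release-packages/${CHART_NAME}-${CHART_VERSION}.tgz"

            push_and_sign "$package" "${OCI_REGISTRY}/${OCI_REPOSITORY}" \
              "$CHART_NAME" "$CHART_VERSION" "primary registry" \
              "${log_dir}/${CHART_NAME}-output.log"
            RELEASED_CHARTS="$RELEASED_CHARTS ${CHART_NAME}"

            push_and_sign "$package" "ghcr.io/${GHCR_OWNER}/helm-charts" \
              "$CHART_NAME" "$CHART_VERSION" "GHCR" \
              "${log_dir}/${CHART_NAME}-ghcr-output.log"
          done

          echo "released_charts=$RELEASED_CHARTS" >> "$GITHUB_OUTPUT"

          # Generate job summary
          {
            echo "## 📦 Helm Charts Released"
            echo ""
            echo "Successfully released the following charts:"
            echo ""
            # Word splitting is intended: RELEASED_CHARTS is a space-separated list.
            # shellcheck disable=SC2086
            for chart in $RELEASED_CHARTS; do
              echo "- ✅ **$chart**"
            done
            echo ""
            echo "### 📍 Registries"
            echo "- Primary: \`${OCI_REGISTRY}/${OCI_REPOSITORY}\`"
            echo "- GHCR: \`ghcr.io/${GHCR_OWNER}/helm-charts\`"
          } >> "$GITHUB_STEP_SUMMARY"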