feat: support cnpg operator namespace-restricted installation (#430) #142
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release-publish | |
on: | |
push: | |
branches: | |
- main | |
permissions: | |
contents: write # Required for pushing the Helm charts to the gh-pages branch | |
packages: write # Required for GHCR access | |
id-token: write # Required for signing | |
jobs: | |
release: | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 # important for fetching all history to run comparison against | |
- name: Fetch history | |
run: git fetch --prune | |
- name: Configure Git | |
run: | | |
git config user.name "$GITHUB_ACTOR" | |
git config user.email "[email protected]" | |
- name: Import PGP Private Key | |
run: | | |
echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output /tmp/keyring.gpg | |
echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > /tmp/passphrase-file.txt | |
- name: Set up Helm | |
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 | |
with: | |
version: v3.16.2 | |
- name: Add chart dependencies | |
run: | | |
helm repo add cnpg-grafana-dashboard https://cloudnative-pg.github.io/grafana-dashboards | |
- name: Run chart-releaser | |
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 | |
env: | |
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
CR_KEY: [email protected] | |
CR_KEYRING: /tmp/keyring.gpg | |
CR_PASSPHRASE_FILE: /tmp/passphrase-file.txt | |
CR_SIGN: true | |
CR_SKIP_EXISTING: true | |
CR_GENERATE_RELEASE_NOTES: true | |
CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-v{{ .Version }}" | |
- name: Securely delete the PGP key and passphrase | |
if: always() | |
run: shred --remove=wipesync /tmp/keyring.gpg /tmp/passphrase-file.txt | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install sigstore/cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- name: Push charts to GHCR | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
# when filling gaps with previously released charts, cr would create | |
# nothing in .cr-release-packages/, and the original globbing character | |
# would be preserved, causing a non-zero exit. Set nullglob to fix this | |
run: | | |
shopt -s nullglob | |
for pkg in .cr-release-packages/*.tgz; do | |
if [ -z "${pkg:-}" ]; then | |
break | |
fi | |
helm push "${pkg}" oci://ghcr.io/"${GITHUB_REPOSITORY}" | |
file=${pkg##*/} | |
name=${file%-*} | |
version=${file%.*} | |
version=${version##*-} | |
cosign sign --yes ghcr.io/"${GITHUB_REPOSITORY}"/"${name}":"${version}" | |
done |