Publish Helm Chart #112

Workflow file for this run

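# Post-submit and daily build and publish of the Helm chart and Docker container.
# This is a separate workflow from image-build.yml because image-build.yml is
# run in the PR context, and those runs aren't allowed `packages: write`
# permission if the source is a fork (GitHub errors and invalidates the entire
# workflow if you try).
name: Publish Helm Chart
on:
  push:
    branches:
      - main
  schedule:
    # Weekdays at noon GMT
    - cron: '00 12 * * 1-5'
jobs:
  check-helm:
    name: Build Helm chart
    runs-on: ubuntu-latest
    # Job-scoped token permissions: only what publishing and signing need.
    permissions:
      contents: read
      packages: write  # Push the image and the chart to ghcr.io.
      id-token: write  # OIDC token for keyless signing (see the signing step).
    env:
      BASE_REPO: "ghcr.io/stacklok/minder"
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the release each SHA is expected to correspond to.
      - name: Install Cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
      - name: Checkout
        # NOTE(review): no later step visibly needs the git credentials that
        # checkout persists by default; consider `persist-credentials: false`
        # after confirming `make helm` does not rely on them.
        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
      - name: Setup Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version-file: 'go.mod'
      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
        with:
          version: v3.12.2
      - name: Compute version number
        id: version-string
        # Emits tag=0.<YYYYMMDD>.<run number>+ref.<short commit> as a step output.
        run: |
          DATE="$(date +%Y%m%d)"
          COMMIT="$(git rev-parse --short HEAD)"
          echo "tag=0.$DATE.$GITHUB_RUN_NUMBER+ref.$COMMIT" >> "$GITHUB_OUTPUT"
      - name: Build images and Helm Chart
        run: |
          KO_DOCKER_REPO="$BASE_REPO" make helm
        env:
          KO_PUSH_IMAGE: "true"
          HELM_PACKAGE_VERSION: "${{ steps.version-string.outputs.tag }}"
      - name: Helm Login
        # ko can pick up tokens ambiently from the GitHub Actions environment, but
        # Helm needs explicit login.
        # The token is handed over via the environment and stdin instead of being
        # expanded into the script text and passed as a --password argument, so it
        # does not end up in the helm process's command line.
        env:
          REGISTRY_USER: "${{ github.repository_owner }}"
          REGISTRY_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          printf '%s' "$REGISTRY_TOKEN" | helm registry login "$BASE_REPO" --username "$REGISTRY_USER" --password-stdin
      - name: Push Helm Chart
        run: |
          cd deployment/helm
          helm push minder-*.tgz "oci://$BASE_REPO/helm"
      - name: Sign the published helm chart and ko image
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        #
        # NOTE(review): both artifacts are referenced by tag (the image with no
        # tag at all), so cosign resolves the tag when it signs. If the tag is
        # re-pointed between push and sign (for example by a concurrent run),
        # the signature covers a different artifact than this run built. Prefer
        # signing `<repo>@sha256:<digest>` using the digests reported by the
        # build and push steps; `make helm` is not visible here, so how to
        # capture the image digest needs confirming.
        env:
          # Passed through the environment rather than expanded into the script.
          CHART_VERSION: "${{ steps.version-string.outputs.tag }}"
        run: |
          # Sign the ko image
          cosign sign --yes "$BASE_REPO/server"
          # Sign the helm chart ('+' in the version is replaced with '_' to form the tag)
          cosign sign --yes "$BASE_REPO/helm/minder:$(printf '%s' "$CHART_VERSION" | sed 's/+/_/g')"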