From d2ae2b067b16d7bd66ab346840794f6411f7e600 Mon Sep 17 00:00:00 2001 From: Ahmed AbouZaid <6760103+aabouzaid@users.noreply.github.com> Date: Fri, 11 Oct 2024 16:27:38 +0200 Subject: [PATCH] wip Signed-off-by: Ahmed AbouZaid <6760103+aabouzaid@users.noreply.github.com> --- .../workflows/chart-release-candidate.yaml | 47 ++++ .github/workflows/chart-release-snapshot.yaml | 203 +++--------------- .github/workflows/chart-release-template.yaml | 158 ++++++++++++++ 3 files changed, 233 insertions(+), 175 deletions(-) create mode 100644 .github/workflows/chart-release-candidate.yaml create mode 100644 .github/workflows/chart-release-template.yaml diff --git a/.github/workflows/chart-release-candidate.yaml b/.github/workflows/chart-release-candidate.yaml new file mode 100644 index 0000000000..82f725b716 --- /dev/null +++ b/.github/workflows/chart-release-candidate.yaml @@ -0,0 +1,47 @@ +name: "Chart - Release - Candidate" + +on: + push: + branches: + - release-candidate* + - 2404-aa-create-rc-workflow + +jobs: + release: + name: Release Candidate + uses: ./.github/workflows/chart-release-template.yaml + with: + branch: ${{ github.ref_name }} + chart-matrix: | + [ + { + "name": "Helm Chart rolling - 8.2", + "directory": "charts/camunda-platform-8.2", + "versionSuffix": "rc-8.2", + "override": true + }, + { + "name": "Helm Chart rolling - 8.3", + "directory": "charts/camunda-platform-8.3", + "versionSuffix": "rc-8.3", + "override": true + }, + { + "name": "Helm Chart rolling - 8.4", + "directory": "charts/camunda-platform-8.4", + "versionSuffix": "rc-8.4", + "override": true + }, + { + "name": "Helm Chart rolling - 8.5", + "directory": "charts/camunda-platform-8.5", + "versionSuffix": "rc-8.5", + "override": true + }, + { + "name": "Helm Chart rolling - 8.6", + "directory": "charts/camunda-platform-8.6", + "versionSuffix": "rc-8.6", + "override": true + } + ] diff --git a/.github/workflows/chart-release-snapshot.yaml b/.github/workflows/chart-release-snapshot.yaml index fe3d3aacba..fee00f47d5 100644 --- a/.github/workflows/chart-release-snapshot.yaml +++ b/.github/workflows/chart-release-snapshot.yaml @@ -1,186 +1,39 @@ -# TODO: Convert this workflow to a template and use it for both snapshot and actual releases. name: "Chart - Release - Snapshot" on: push: branches: - main + - 2404-aa-create-rc-workflow paths: - .github/workflows/chart-release-snapshot.yaml - - charts/camunda-platform-alpha/** + - charts/camunda-platform-alpha/* + - charts/camunda-platform-8.6/* jobs: - clean: - name: Clean old artifacts digest - permissions: - packages: write - runs-on: ubuntu-latest - defaults: - run: - shell: bash - working-directory: /tmp - steps: - - name: Delete old artifacts - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - # Get IDs of the untagged artifacts (the sha256 digest). - artifacts_ids_to_delete="$( - gh api -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' \ - '/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions?per_page=100' | - jq '.[] | select(.metadata.container.tags | length == 0)' | jq '.id' - )" - # Early exit if no artifacts to delete. - test -z "${artifacts_ids_to_delete}" && { - echo "No old untagged artifacts to delete ..."; - exit 0; - } - # Delete the untagged artifacts. - echo -e "Deleting the old untagged artifacts IDs:\n${artifacts_ids_to_delete}" - for container_id in ${artifacts_ids_to_delete}; do - gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \ - "/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions/${container_id}" - done - release: - needs: clean - name: ${{ matrix.chart.name }} - permissions: - packages: write - id-token: write - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - chart: - - name: Helm Chart rolling - 8.2 - directory: charts/camunda-platform-8.2 - versionSuffix: snapshot-8.2 - override: true - - name: Helm Chart rolling - 8.3 - directory: charts/camunda-platform-8.3 - versionSuffix: snapshot-8.3 - override: true - - name: Helm Chart rolling - 8.4 - directory: charts/camunda-platform-8.4 - versionSuffix: snapshot-8.4 - override: true - - name: Helm Chart rolling - 8.5 - directory: charts/camunda-platform-8.5 - versionSuffix: snapshot-8.5 - override: true - - name: Helm Chart rolling - 8.6 - directory: charts/camunda-platform-8.6 - versionSuffix: snapshot-8.6 - override: true - - name: Helm Chart rolling - Latest - directory: charts/camunda-platform-8.6 - versionSuffix: snapshot-latest - override: true - - name: Helm Chart rolling - Alpha - directory: charts/camunda-platform-alpha - versionSuffix: snapshot-alpha - override: true - - name: Helm Chart versioned - Alpha - directory: charts/camunda-platform-alpha - versionSuffix: "" - override: false - defaults: - run: - shell: bash - working-directory: ${{ matrix.chart.directory }} - # - # Vars. - env: - REPOSITORY_NAME: "camunda/helm" - CHART_NAME: "camunda-platform" - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - with: - fetch-depth: 0 - - name: Set vars - run: | - # NOTE: Helm CLI only accepts SemVer so we need to use something like "0.0.0-snapshot-latest". - CHART_VERSION_SUFFIX="${{ matrix.chart.versionSuffix }}" - CHART_VERSION_SUFFIX_DEFAULT="$(yq '.version' Chart.yaml)" - echo "CHART_VERSION=0.0.0-${CHART_VERSION_SUFFIX:-${CHART_VERSION_SUFFIX_DEFAULT}}" | tee -a $GITHUB_ENV - # - # Changelog. - - name: Generate snapshot changelog - run: | - export SNAPSHOT_DESCRIPTION="Check chart dir for more details: https://github.com/camunda/camunda-platform-helm/tree/main/charts/${{ matrix.chart.directory }}" - yq -i '.description |= strenv(SNAPSHOT_DESCRIPTION)' Chart.yaml - # - # Package. - - name: Install Helm CLI - uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3 - - name: Print Helm CLI version - run: helm version - - name: ⭐ Check if the chart artifact should be published ⭐ - id: vars - run: | - case "${{ matrix.chart.override }}" in - "true") - # For snapshots, the artifact is always overriden. - PUBLISH_ARTIFACT="true" - ;; - "false") - # If the artfact exists, then it will not republished. - helm pull oci://ghcr.io/${{ env.REPOSITORY_NAME }}/${{ env.CHART_NAME }} \ - --version ${{ env.CHART_VERSION }} 2> /dev/null && EXIT_CODE=0 || EXIT_CODE=1 - test ${EXIT_CODE} -eq 0 && PUBLISH_ARTIFACT="false" || PUBLISH_ARTIFACT="true" - ;; - *) - echo "Unsupported value." - exit 1 - ;; - esac - # Add the var to GH vars. - echo "PUBLISH_ARTIFACT=${PUBLISH_ARTIFACT}" | tee -a $GITHUB_ENV - - name: Helm dependency update - if: env.PUBLISH_ARTIFACT == 'true' - run: | - make -C ../.. helm.dependency-update \ - chartPath=${{ matrix.chart.directory }} - - name: Package and push Helm chart - if: env.PUBLISH_ARTIFACT == 'true' - env: - HELM_EXPERIMENTAL_OCI: 1 - run: | - echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} --password-stdin ghcr.io - helm package --version ${{ env.CHART_VERSION }} . - helm push ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz oci://ghcr.io/${{ env.REPOSITORY_NAME }} - helm registry logout ghcr.io - # - # Security signature. - - name: Install Cosign CLI - if: env.PUBLISH_ARTIFACT == 'true' - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - name: Sign Helm chart with Cosign - if: env.PUBLISH_ARTIFACT == 'true' - run: | - cosign sign-blob -y ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \ - --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle - - name: Verify signed Helm chart with Cosign - if: env.PUBLISH_ARTIFACT == 'true' - run: | - cosign verify-blob ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \ - --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle \ - --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \ - --certificate-oidc-issuer "https://token.actions.githubusercontent.com" - - name: Login to GitHub Container Registry - if: env.PUBLISH_ARTIFACT == 'true' - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Install ORAS CLI - if: env.PUBLISH_ARTIFACT == 'true' - uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1 - - name: Upload Helm chart Cosign bundle - if: env.PUBLISH_ARTIFACT == 'true' - run: | - oras push ghcr.io/${{ env.REPOSITORY_NAME }}/${{ env.CHART_NAME }}:${{ env.CHART_VERSION }}.cosign.bundle \ - ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle:text/plain + name: Release Candidate + uses: ./.github/workflows/chart-release-template.yaml + with: + branch: ${{ github.ref_name }} + chart-matrix: | + [ + { + "name": "Helm Chart rolling - Latest", + "directory": "charts/camunda-platform-8.6", + "versionSuffix": "snapshot-latest", + "override": true + }, + { + "name": "Helm Chart rolling - Alpha", + "directory": "charts/camunda-platform-alpha", + "versionSuffix": "snapshot-alpha", + "override": true + }, + { + "name": "Helm Chart versioned - Alpha", + "directory": "charts/camunda-platform-alpha", + "versionSuffix": "", + "override": false + } + ] diff --git a/.github/workflows/chart-release-template.yaml b/.github/workflows/chart-release-template.yaml new file mode 100644 index 0000000000..99bf390286 --- /dev/null +++ b/.github/workflows/chart-release-template.yaml @@ -0,0 +1,158 @@ +name: "Chart - Release - Template" + +on: + workflow_call: + inputs: + branch: + description: List of charts to release. + required: true + type: string + chart-matrix: + description: List of charts to release. + required: true + type: string + +jobs: + clean: + name: Clean old artifacts digest + permissions: + packages: write + runs-on: ubuntu-latest + defaults: + run: + shell: bash + working-directory: /tmp + steps: + - name: Delete old artifacts + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Get IDs of the untagged artifacts (the sha256 digest). + artifacts_ids_to_delete="$( + gh api -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' \ + '/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions?per_page=100' | + jq '.[] | select(.metadata.container.tags | length == 0)' | jq '.id' + )" + # Early exit if no artifacts to delete. + test -z "${artifacts_ids_to_delete}" && { + echo "No old untagged artifacts to delete ..."; + exit 0; + } + # Delete the untagged artifacts. + echo -e "Deleting the old untagged artifacts IDs:\n${artifacts_ids_to_delete}" + for container_id in ${artifacts_ids_to_delete}; do + gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \ + "/orgs/camunda/packages/container/helm%2Fcamunda-platform/versions/${container_id}" + done + + release: + needs: clean + name: ${{ matrix.chart.name }} + permissions: + packages: write + id-token: write + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + chart: ${{ fromJson(inputs.chart-matrix) }} + defaults: + run: + shell: bash + working-directory: ${{ matrix.chart.directory }} + # + # Vars. + env: + REPOSITORY_NAME: "camunda/helm" + CHART_NAME: "camunda-platform" + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + fetch-depth: 0 + ref: ${{ inputs.branch }} + - name: Set vars + run: | + # NOTE: Helm CLI only accepts SemVer so we need to use something like "0.0.0-snapshot-latest". + CHART_VERSION_SUFFIX="${{ matrix.chart.versionSuffix }}" + CHART_VERSION_SUFFIX_DEFAULT="$(yq '.version' Chart.yaml)" + echo "CHART_VERSION=0.0.0-${CHART_VERSION_SUFFIX:-${CHART_VERSION_SUFFIX_DEFAULT}}" | tee -a $GITHUB_ENV + # + # Changelog. + - name: Generate snapshot changelog + run: | + export SNAPSHOT_DESCRIPTION="Check chart dir for more details: https://github.com/camunda/camunda-platform-helm/tree/main/charts/${{ matrix.chart.directory }}" + yq -i '.description |= strenv(SNAPSHOT_DESCRIPTION)' Chart.yaml + # + # Package. + - name: Install Helm CLI + uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3 + - name: Print Helm CLI version + run: helm version + - name: ⭐ Check if the chart artifact should be published ⭐ + id: vars + run: | + case "${{ matrix.chart.override }}" in + "true") + # For snapshots, the artifact is always overriden. + PUBLISH_ARTIFACT="true" + ;; + "false") + # If the artfact exists, then it will not republished. + helm pull oci://ghcr.io/${{ env.REPOSITORY_NAME }}/${{ env.CHART_NAME }} \ + --version ${{ env.CHART_VERSION }} 2> /dev/null && EXIT_CODE=0 || EXIT_CODE=1 + test ${EXIT_CODE} -eq 0 && PUBLISH_ARTIFACT="false" || PUBLISH_ARTIFACT="true" + ;; + *) + echo "Unsupported value." + exit 1 + ;; + esac + # Add the var to GH vars. + echo "PUBLISH_ARTIFACT=${PUBLISH_ARTIFACT}" | tee -a $GITHUB_ENV + - name: Helm dependency update + if: env.PUBLISH_ARTIFACT == 'true' + run: | + make -C ../.. helm.dependency-update \ + chartPath=${{ matrix.chart.directory }} + - name: Package and push Helm chart + if: env.PUBLISH_ARTIFACT == 'true' + env: + HELM_EXPERIMENTAL_OCI: 1 + run: | + echo ${{ secrets.GITHUB_TOKEN }} | helm registry login -u ${{ github.actor }} --password-stdin ghcr.io + helm package --version ${{ env.CHART_VERSION }} . + helm push ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz oci://ghcr.io/${{ env.REPOSITORY_NAME }} + helm registry logout ghcr.io + # + # Security signature. + - name: Install Cosign CLI + if: env.PUBLISH_ARTIFACT == 'true' + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + - name: Sign Helm chart with Cosign + if: env.PUBLISH_ARTIFACT == 'true' + run: | + cosign sign-blob -y ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \ + --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle + - name: Verify signed Helm chart with Cosign + if: env.PUBLISH_ARTIFACT == 'true' + run: | + cosign verify-blob ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \ + --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle \ + --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" + - name: Login to GitHub Container Registry + if: env.PUBLISH_ARTIFACT == 'true' + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Install ORAS CLI + if: env.PUBLISH_ARTIFACT == 'true' + uses: oras-project/setup-oras@ca28077386065e263c03428f4ae0c09024817c93 # v1 + - name: Upload Helm chart Cosign bundle + if: env.PUBLISH_ARTIFACT == 'true' + run: | + oras push ghcr.io/${{ env.REPOSITORY_NAME }}/${{ env.CHART_NAME }}:${{ env.CHART_VERSION }}.cosign.bundle \ + ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle:text/plain