diff --git a/.gitea/workflows/release-version.yml b/.gitea/workflows/release-version.yml
index c4907a0..a993c77 100644
--- a/.gitea/workflows/release-version.yml
+++ b/.gitea/workflows/release-version.yml
@@ -1,109 +1,155 @@ -name: generate-chart +name: Release + +env: + GPG_PRIVATE_KEY_FILE: ${{ runner.temp }}/private.key + GPG_PRIVATE_KEY_FINGERPRINT: ${{ vars.GPG_PRIVATE_KEY_FINGERPRINT }} + GPG_PRIVATE_KEY_PASSPHRASE_FILE: ${{ runner.temp }}/passphrase.txt on: push: tags: [ '**' ] jobs: - generate-chart-publish: + publish-chart: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5.0.0 + - uses: azure/setup-helm@v4.3.1 + with: + version: "v4.0.1" # renovate: datasource=github-tags depName=helm/helm + + - name: Install helm plugins + env: + HELM_SIGSTORE_VERSION: "0.3.0" # renovate: datasource=github-tags depName=sigstore/helm-sigstore extractVersion='^v(?\d+\.\d+\.\d+)$' + HELM_SCHEMA_VALUES_VERSION: "2.3.1" # renovate: datasource=github-tags depName=losisin/helm-values-schema-json extractVersion='^v(?\d+\.\d+\.\d+)$' + HELM_UNITTEST_VERSION: "1.0.3" # renovate: datasource=github-tags depName=helm-unittest/helm-unittest extractVersion='^v(?\d+\.\d+\.\d+)$' + run: | + helm plugin install --verify=false https://github.com/sigstore/helm-sigstore.git --version "${HELM_SIGSTORE_VERSION}" 1> /dev/null + helm plugin install --verify=false https://github.com/losisin/helm-values-schema-json.git --version "${HELM_SCHEMA_VALUES_VERSION}" 1> /dev/null + helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}" 1> /dev/null + helm plugin list + + - name: GPG configuration + env: + GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }} + GPG_PRIVATE_KEY: ${{ secrets.GPGSIGN_KEY }} + run: | + # Configure GPG and GPG Agent + mkdir --parents "${HOME}/.gnupg" + chmod 0700 "${HOME}/.gnupg" + + cat > "${HOME}/.gnupg/gpg.conf" < "${HOME}/.gnupg/gpg-agent.conf" < "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}" + cat 1> "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY}" + gpg --batch --yes --passphrase-fd 0 --import "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}" + + # 
Export GPG keyring + gpg --batch --yes --export "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/pubring.gpg" + gpg --batch --yes --passphrase-fd 0 --export-secret-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/secring.gpg" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}" + + - uses: actions/checkout@v6.0.2 with: fetch-depth: 0 - - name: Install packages via apt - run: | - apt update --yes - apt install --yes curl ca-certificates curl gnupg jq - - - name: Install helm - env: - # renovate: datasource=docker depName=alpine/helm - HELM_VERSION: "3.18.6" - run: | - curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin - mv linux-$(dpkg --print-architecture)/helm /usr/local/bin/ - rm --force --recursive linux-$(dpkg --print-architecture) helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz - helm version - - - name: Install yq - env: - YQ_VERSION: v4.45.4 # renovate: datasource=github-releases depName=mikefarah/yq - run: | - curl --fail --location --output /dev/stdout --silent --show-error https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin - mv yq_linux_$(dpkg --print-architecture) /usr/local/bin - rm --force --recursive yq_linux_$(dpkg --print-architecture) yq_linux_$(dpkg --print-architecture).tar.gz - yq --version - - - name: Install docker-ce via apt - run: | - install -m 0755 -d /etc/apt/keyrings - curl --fail --location --silent --show-error https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg - chmod a+r /etc/apt/keyrings/docker.gpg - echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. 
/etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null - apt update --yes - apt install --yes python3 python3-pip apt-transport-https docker-ce-cli - - - name: Install awscli - run: | - pip install awscli --break-system-packages - aws --version - - - name: Import GPG key - id: import_gpg - uses: https://github.com/crazy-max/ghaction-import-gpg@v6 - with: - gpg_private_key: ${{ secrets.GPGSIGN_KEY }} - passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} - fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0 - - name: Add Artifacthub.io annotations run: | NEW_TAG="$(git tag --sort=-version:refname | head --lines 1)" OLD_TAG="$(git tag --sort=-version:refname | head --lines 2 | tail --lines 1)" .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}" - - name: Print Chart.yaml on stdout - run: cat Chart.yaml - - # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843 - - name: Package Helm chart + - name: Extract meta information + run: | + echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut --delimiter '/' --fields 3)" >> $GITHUB_ENV + echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV + echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 2)" >> $GITHUB_ENV + echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 1)" >> $GITHUB_ENV + + - name: Package chart run: | - echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin - # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved - helm plugin install https://github.com/pat-s/helm-gpg helm dependency build - helm package --version "${GITHUB_REF#refs/tags/v}" ./ - mkdir gitea - mv gitea*.tgz gitea/ - curl --fail --location --output gitea/index.yaml --silent --show-error https://dl.gitea.com/charts/index.yaml - helm repo index gitea/ --url 
https://dl.gitea.com/charts --merge gitea/index.yaml - # push to dockerhub - echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin - helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts - helm registry logout registry-1.docker.io + helm package \ + --sign \ + --key "$(gpg --with-colons --list-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" | grep uid | cut --delimiter ':' --fields 10)" \ + --keyring "${HOME}/.gnupg/secring.gpg" \ + --passphrase-file "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" \ + --version "${PACKAGE_VERSION}" ./ - - name: Configure AWS credentials - uses: https://github.com/aws-actions/configure-aws-credentials@v5 + - uses: docker/login-action@v3.7.0 with: - aws-access-key-id: ${{ secrets.AWS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + username: ${{ secrets.DOCKER_IO_USERNAME }} + password: ${{ secrets.DOCKER_IO_PASSWORD }} - - name: Copy files to S3 and clear cache + - name: Upload package as OCI artifact to docker.io + env: + DOCKER_IO_REPO_NAME: ${{ vars.DOCKER_IO_REPO_NAME }} run: | - aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/ + helm push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz "oci://registry-1.docker.io/${DOCKER_IO_REPO_NAME}" - release-gitea: - container: docker.io/thegeeklab/git-sv:2.0.5 - needs: generate-chart-publish + # - uses: docker/login-action@v3.7.0 + # with: + # registry: ${{ github.server_url }} + # username: ${{ secrets.GITEA_PACKAGE_REGISTRY_USERNAME }} + # password: ${{ secrets.GITEA_PACKAGE_REGISTRY_TOKEN }} + + # - name: Build new index.yaml + # run: | + # mkdir gitea + # curl \ + # --fail \ + # --header \ + # --location \ + # --output gitea/index.yaml \ + # --show-error \ + # --silent \ + # https://dl.gitea.com/charts/index.yaml + + # helm repo index \ + # --merge gitea/index.yaml \ + # --url https://dl.gitea.com/charts \ + # 
gitea/ + + # - uses: aws-actions/configure-aws-credentials@v6.0.0 + # with: + # aws-access-key-id: ${{ secrets.AWS_KEY_ID }} + # aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + # aws-region: ${{ secrets.AWS_REGION }} + + # - name: Upload package as Helm chart to AWS S3 + # run: | + # aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET }}/charts/ + + publish-release-notes: + needs: publish-chart runs-on: ubuntu-latest steps: - - name: Install packages via apt + - name: Install gitsv + env: + GITSV_VERSION: v2.0.9 # renovate: datasource=github-releases depName=thegeeklab/git-sv run: | - apk add -q --update --no-cache nodejs - - uses: actions/checkout@v5.0.0 + curl \ + --fail \ + --location \ + --output git-sv \ + --output-dir /usr/local/bin \ + --silent \ + --show-error \ + https://github.com/thegeeklab/git-sv/releases/download/${GITSV_VERSION}/git-sv-linux-$(dpkg --print-architecture) + git-sv --version + + - uses: actions/checkout@v6.0.0 with: fetch-tags: true fetch-depth: 0 @@ -111,12 +157,12 @@ jobs: - name: Create changelog run: | git sv current-version - git sv release-notes -t ${GITHUB_REF#refs/tags/} -o CHANGELOG.md - sed -i '1,2d' CHANGELOG.md # remove version + git sv release-notes -t "${PACKAGE_VERSION}" -o CHANGELOG.md + sed -i '1,2d' CHANGELOG.md cat CHANGELOG.md - name: Release - uses: https://github.com/akkuman/gitea-release-action@v1 + uses: akkuman/gitea-release-action@v1.3.5 with: body_path: CHANGELOG.md token: "${{ secrets.RELEASE_TOKEN }}"
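Review bot: The "GPG configuration" step writes the private key and passphrase to `${GPG_PRIVATE_KEY_FILE}` and `${GPG_PRIVATE_KEY_PASSPHRASE_FILE}` under the runner's default umask, and nothing removes them — or the exported `${HOME}/.gnupg/secring.gpg` — after `helm package --sign` has consumed them. Put `umask 077` as the first line of that `run:` block and add a final `if: always()` step that deletes the three files so the key material does not outlive the job. In "Install helm plugins", `helm plugin install --verify=false` for three plugins fetched by git tag switches off the one integrity check Helm performs there; if those plugins ship no provenance, pin to commit SHAs instead of tags and record in a comment why verification is disabled. `helm push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz` additionally assumes that the chart's `name:` in Chart.yaml equals the repository name and that the tag's `v` prefix survives into the archive name (the removed code stripped it with `refs/tags/v`); capturing the path `helm package` prints would avoid both guesses. This hunk starts at the top of the file and ends inside the `publish-release-notes` job, whose remaining steps are in the next hunk.
```yaml
      - name: GPG configuration
        # … unchanged: env with GPG_PRIVATE_KEY_PASSPHRASE / GPG_PRIVATE_KEY …
        run: |
          umask 077
          # … unchanged: gpg.conf, gpg-agent.conf, key import and keyring export …

      - name: Remove GPG key material
        if: always()
        run: |
          rm -f "${GPG_PRIVATE_KEY_FILE}" "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" "${HOME}/.gnupg/secring.gpg"
```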
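Review bot: `git sv release-notes -t "${PACKAGE_VERSION}"` in the "Create changelog" step reads a variable that is only defined via `$GITHUB_ENV` in the `publish-chart` job, and `GITHUB_ENV` does not carry across jobs, so in `publish-release-notes` it most likely expands to an empty tag unless a step outside this hunk sets it. Either restore the old expansion, `git sv release-notes -t "${GITHUB_REF#refs/tags/}" -o CHANGELOG.md`, or publish the version as a job output of `publish-chart` and read it here through `needs.publish-chart.outputs`. The dropped `# remove version` comment on `sed -i '1,2d' CHANGELOG.md` was the only explanation of what those two deleted lines are; keep it.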