fix(ci): adapt release workflow

.editorconfig

@@ -10,3 +10,6 @@ end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = false
 insert_final_newline = false
+
+[Makefile]
+indent_style = tab

.gitea/scripts/add-annotations.sh

@@ -1,61 +1,65 @@
 #!/bin/bash
 
-set -e
+set -e -o pipefail
 
-CHART_FILE="Chart.yaml"
-if [ ! -f "${CHART_FILE}" ]; then
-  echo "ERROR: ${CHART_FILE} not found!" 1>&2
+chart_file="Chart.yaml"
+if [ ! -f "${chart_file}" ]; then
+  echo "ERROR: ${chart_file} not found!" 1>&2
   exit 1
 fi
 
-DEFAULT_NEW_TAG="$(git tag --sort=-version:refname | head -n 1)"
-DEFAULT_OLD_TAG="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+default_new_tag="$(git tag --sort=-version:refname | head -n 1)"
+default_old_tag="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
 
 if [ -z "${1}" ]; then
-  read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
-  if [ -z "${OLD_TAG}" ]; then
-    OLD_TAG="${DEFAULT_OLD_TAG}"
+  echo "Enter start tag [${default_old_tag}]:"
+  read -r old_tag
+  if [ -z "${old_tag}" ]; then
+    old_tag="${default_old_tag}"
   fi
 
-  while [ -z "$(git tag --list "${OLD_TAG}")" ]; do
-    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
-    read -p "Enter start tag [${DEFAULT_OLD_TAG}]: " OLD_TAG
-    if [ -z "${OLD_TAG}" ]; then
-      OLD_TAG="${DEFAULT_OLD_TAG}"
+  while [ -z "$(git tag --list "${old_tag}")" ]; do
+    echo "ERROR: Tag '${old_tag}' not found!" 1>&2
+    echo "Enter start tag [${default_old_tag}]:"
+    read -r old_tag
+    if [ -z "${old_tag}" ]; then
+      old_tag="${default_old_tag}"
     fi
   done
 else
-  OLD_TAG=${1}
-  if [ -z "$(git tag --list "${OLD_TAG}")" ]; then
-    echo "ERROR: Tag '${OLD_TAG}' not found!" 1>&2
+  old_tag=${1}
+  if [ -z "$(git tag --list "${old_tag}")" ]; then
+    echo "ERROR: Tag '${old_tag}' not found!" 1>&2
     exit 1
   fi
 fi
 
 if [ -z "${2}" ]; then
-  read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
-  if [ -z "${NEW_TAG}" ]; then
-    NEW_TAG="${DEFAULT_NEW_TAG}"
+  echo "Enter end tag [${default_new_tag}]:"
+  read -r new_tag
+  if [ -z "${new_tag}" ]; then
+    new_tag="${default_new_tag}"
   fi
 
-  while [ -z "$(git tag --list "${NEW_TAG}")" ]; do
-    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
-    read -p "Enter end tag [${DEFAULT_NEW_TAG}]: " NEW_TAG
-    if [ -z "${NEW_TAG}" ]; then
-      NEW_TAG="${DEFAULT_NEW_TAG}"
+  while [ -z "$(git tag --list "${new_tag}")" ]; do
+    echo "ERROR: Tag '${new_tag}' not found!" 1>&2
+    echo "Enter end tag [${default_new_tag}]:"
+    read -r new_tag
+    if [ -z "${new_tag}" ]; then
+      new_tag="${default_new_tag}"
     fi
   done
 else
-  NEW_TAG=${2}
+  new_tag=${2}
 
-  if [ -z "$(git tag --list "${NEW_TAG}")" ]; then
-    echo "ERROR: Tag '${NEW_TAG}' not found!" 1>&2
+  if [ -z "$(git tag --list "${new_tag}")" ]; then
+    echo "ERROR: Tag '${new_tag}' not found!" 1>&2
     exit 1
   fi
 fi
 
-CHANGE_LOG_YAML=$(mktemp)
-echo "[]" > "${CHANGE_LOG_YAML}"
+change_log_yaml=$(mktemp)
+echo "[]" > "${change_log_yaml}"
 
 function map_type_to_kind() {
   case "${1}" in
@@ -80,35 +84,42 @@ function map_type_to_kind() {
   esac
 }
 
-COMMIT_TITLES="$(git log --pretty=format:"%s" "${OLD_TAG}..${NEW_TAG}")"
+commit_titles="$(git log --pretty=format:"%s" "${old_tag}..${new_tag}")"
 
-echo "INFO: Generate change log entries from ${OLD_TAG} until ${NEW_TAG}"
+echo "INFO: Generate change log entries from ${old_tag} until ${new_tag}"
 
 while IFS= read -r line; do
   if [[ "${line}" =~ ^([a-zA-Z]+)(\([^\)]+\))?\:\ (.+)$ ]]; then
-    TYPE="${BASH_REMATCH[1]}"
-    KIND=$(map_type_to_kind "${TYPE}")
+    type="${BASH_REMATCH[1]}"
+    kind=$(map_type_to_kind "${type}")
 
-    if [ "${KIND}" == "skip" ]; then
+    if [ "${kind}" == "skip" ]; then
       continue
     fi
 
-    DESC="${BASH_REMATCH[3]}"
+    desc="${BASH_REMATCH[3]}"
 
-    echo "- ${KIND}: ${DESC}"
+    echo "- ${kind}: ${desc}"
 
-    jq --arg kind "${KIND}" --arg description "${DESC}" '. += [ $ARGS.named ]' < "${CHANGE_LOG_YAML}" > "${CHANGE_LOG_YAML}.new"
-    mv "${CHANGE_LOG_YAML}.new" "${CHANGE_LOG_YAML}"
+    jq --arg kind "${kind}" --arg description "${desc}" '. += [ $ARGS.named ]' < "${change_log_yaml}" > "${change_log_yaml}.new"
+    mv "${change_log_yaml}.new" "${change_log_yaml}"
 
   fi
-done <<< "${COMMIT_TITLES}"
+done <<< "${commit_titles}"
 
-if [ -s "${CHANGE_LOG_YAML}" ]; then
-  yq --inplace --input-format json --output-format yml "${CHANGE_LOG_YAML}"
-  yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${CHANGE_LOG_YAML}\") | sort_keys(.)" "${CHART_FILE}"
+if [ -s "${change_log_yaml}" ]; then
+  yq --inplace --input-format json --output-format yml "${change_log_yaml}"
+  yq --no-colors --inplace ".annotations.\"artifacthub.io/changes\" |= loadstr(\"${change_log_yaml}\") | sort_keys(.)" "${chart_file}"
 else
-  echo "ERROR: Changelog file is empty: ${CHANGE_LOG_YAML}" 1>&2
+  echo "ERROR: Changelog file is empty: ${change_log_yaml}" 1>&2
   exit 1
 fi
 
-rm "${CHANGE_LOG_YAML}"
+rm "${change_log_yaml}"
+
+regexp=".*-alpha-[0-9]+(\.[0-9]+){,2}$"
+if [[ "${new_tag}" =~ $regexp ]]; then
+  yq --inplace '.annotations."artifacthub.io/prerelease" = "true"' "${chart_file}"
+else
+  yq --inplace '.annotations."artifacthub.io/prerelease" = "false"' "${chart_file}"
+fi

.gitea/workflows/release-version.yml

@@ -1,109 +1,160 @@
-name: generate-chart
+name: Release
+
+env:
+  GPG_PRIVATE_KEY_FILE: ${{ runner.temp }}/private.key
+  GPG_PRIVATE_KEY_FINGERPRINT: ${{ vars.GPG_PRIVATE_KEY_FINGERPRINT }}
+  GPG_PRIVATE_KEY_PASSPHRASE_FILE: ${{ runner.temp }}/passphrase.txt
 
 on:
   push:
     tags: [ '**' ]
 
 jobs:
-  generate-chart-publish:
+  publish-chart:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5.0.0
+      - uses: azure/setup-helm@v4.3.1
+        with:
+          version: "v4.0.1" # renovate: datasource=github-tags depName=helm/helm
+
+      - name: Install helm plugins
+        env:
+          HELM_SIGSTORE_VERSION: "0.3.0" # renovate: datasource=github-tags depName=sigstore/helm-sigstore extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_SCHEMA_VALUES_VERSION: "2.3.1" # renovate: datasource=github-tags depName=losisin/helm-values-schema-json extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+          HELM_UNITTEST_VERSION: "1.0.3" # renovate: datasource=github-tags depName=helm-unittest/helm-unittest extractVersion='^v(?<version>\d+\.\d+\.\d+)$'
+        run: |
+          helm plugin install --verify=false https://github.com/sigstore/helm-sigstore.git --version "${HELM_SIGSTORE_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/losisin/helm-values-schema-json.git --version "${HELM_SCHEMA_VALUES_VERSION}" 1> /dev/null
+          helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}" 1> /dev/null
+          helm plugin list
+
+      - name: GPG configuration
+        env:
+          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPGSIGN_KEY }}
+        run: |
+          # Configure GPG and GPG Agent
+          mkdir --parents "${HOME}/.gnupg"
+          chmod 0700 "${HOME}/.gnupg"
+
+          cat > "${HOME}/.gnupg/gpg.conf" <<EOF
+          use-agent
+          pinentry-mode loopback
+          EOF
+
+          cat > "${HOME}/.gnupg/gpg-agent.conf" <<EOF
+          allow-loopback-pinentry
+          max-cache-ttl 86400
+          default-cache-ttl 86400
+          EOF
+
+          gpgconf --kill gpg-agent
+          gpgconf --launch gpg-agent
+
+          # Import GPG private key
+          cat 1> "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+          cat 1> "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY}"
+          gpg --batch --yes --passphrase-fd 0 --import "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+          # Export GPG keyring
+          gpg --batch --yes --export "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/pubring.gpg"
+          gpg --batch --yes --passphrase-fd 0 --export-secret-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/secring.gpg" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+      - uses: actions/checkout@v6.0.2
         with:
           fetch-depth: 0
 
-      - name: Install packages via apt
-        run: |
-          apt update --yes
-          apt install --yes curl ca-certificates curl gnupg jq
-
-      - name: Install helm
-        env:
-          # renovate: datasource=docker depName=alpine/helm
-          HELM_VERSION: "3.18.6"
-        run: |
-          curl --fail --location --output /dev/stdout --silent --show-error https://get.helm.sh/helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
-          mv linux-$(dpkg --print-architecture)/helm /usr/local/bin/
-          rm --force --recursive linux-$(dpkg --print-architecture) helm-v${HELM_VERSION}-linux-$(dpkg --print-architecture).tar.gz
-          helm version
-
-      - name: Install yq
-        env:
-          YQ_VERSION: v4.45.4 # renovate: datasource=github-releases depName=mikefarah/yq
-        run: |
-          curl --fail --location --output /dev/stdout --silent --show-error https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_$(dpkg --print-architecture).tar.gz | tar --extract --gzip --file /dev/stdin
-          mv yq_linux_$(dpkg --print-architecture) /usr/local/bin
-          rm --force --recursive yq_linux_$(dpkg --print-architecture) yq_linux_$(dpkg --print-architecture).tar.gz
-          yq --version
-
-      - name: Install docker-ce via apt
-        run: |
-          install -m 0755 -d /etc/apt/keyrings
-          curl --fail --location --silent --show-error https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-          chmod a+r /etc/apt/keyrings/docker.gpg
-          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-          apt update --yes
-          apt install --yes python3 python3-pip apt-transport-https docker-ce-cli
-
-      - name: Install awscli
-        run: |
-          pip install awscli --break-system-packages
-          aws --version
-
-      - name: Import GPG key
-        id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
-
       - name: Add Artifacthub.io annotations
         run: |
           NEW_TAG="$(git tag --sort=-version:refname | head --lines 1)"
           OLD_TAG="$(git tag --sort=-version:refname | head --lines 2 | tail --lines 1)"
           .gitea/scripts/add-annotations.sh "${OLD_TAG}" "${NEW_TAG}"
 
-      - name: Print Chart.yaml on stdout
-        run: cat Chart.yaml
-
-      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
-      - name: Package Helm chart
+      - name: Extract meta information
+        run: |
+          echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut --delimiter '/' --fields 3)" >> $GITHUB_ENV
+          echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 2)" >> $GITHUB_ENV
+          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 1)" >> $GITHUB_ENV
+
+      - name: Package chart
         run: |
-          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
-          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
-          helm plugin install https://github.com/pat-s/helm-gpg
           helm dependency build
-          helm package --version "${GITHUB_REF#refs/tags/v}" ./
-          mkdir gitea
-          mv gitea*.tgz gitea/
-          curl --fail --location --output gitea/index.yaml --silent --show-error https://dl.gitea.com/charts/index.yaml
-          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
-          # push to dockerhub
-          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
-          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
-          helm registry logout registry-1.docker.io
+          helm package \
+            --sign \
+            --key "$(gpg --with-colons --list-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" | grep uid | cut --delimiter ':' --fields 10)" \
+            --keyring "${HOME}/.gnupg/secring.gpg" \
+            --passphrase-file "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" \
+            --version "${PACKAGE_VERSION}" ./
 
-      - name: Configure AWS credentials
-        uses: https://github.com/aws-actions/configure-aws-credentials@v5
+      - uses: docker/login-action@v3.7.0
         with:
-          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.AWS_REGION }}
+          username: ${{ secrets.DOCKER_IO_USERNAME }}
+          password: ${{ secrets.DOCKER_IO_PASSWORD }}
 
-      - name: Copy files to S3 and clear cache
+      - name: Upload package as OCI artifact to docker.io
+        env:
+          DOCKER_IO_REPO_NAME: ${{ vars.DOCKER_IO_REPO_NAME }}
         run: |
-          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
+          helm push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz "oci://registry-1.docker.io/${DOCKER_IO_REPO_NAME}"
 
-  release-gitea:
-    container: docker.io/thegeeklab/git-sv:2.0.5
-    needs: generate-chart-publish
+      - uses: docker/login-action@v3.7.0
+        with:
+          registry: ${{ github.server_url }}
+          username: ${{ secrets.GITEA_PACKAGE_REGISTRY_USERNAME }}
+          password: ${{ secrets.GITEA_PACKAGE_REGISTRY_TOKEN }}
+
+      - name: Upload package as OCI artifact to Gitea
+        run: |
+          helm push ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz "oci://${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}"
+
+
+      # - name: Build new index.yaml
+      #   run: |
+      #     mkdir gitea
+      #     curl \
+      #       --fail \
+      #       --header \
+      #       --location \
+      #       --output gitea/index.yaml \
+      #       --show-error \
+      #       --silent \
+      #         https://dl.gitea.com/charts/index.yaml
+
+      #     helm repo index \
+      #       --merge gitea/index.yaml \
+      #       --url https://dl.gitea.com/charts \
+      #         gitea/
+
+      # - uses: aws-actions/configure-aws-credentials@v6.0.0
+      #   with:
+      #     aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+      #     aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      #     aws-region: ${{ secrets.AWS_REGION }}
+
+      # - name: Upload package as Helm chart to AWS S3
+      #   run: |
+      #     aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET }}/charts/
+
+  publish-release-notes:
+    needs: publish-chart
     runs-on: ubuntu-latest
     steps:
-      - name: Install packages via apt
+      - name: Install gitsv
+        env:
+          GITSV_VERSION: v2.0.9 # renovate: datasource=github-releases depName=thegeeklab/git-sv
         run: |
-          apk add -q --update --no-cache nodejs
-      - uses: actions/checkout@v5.0.0
+          curl \
+            --fail \
+            --location \
+            --output git-sv \
+            --output-dir /usr/local/bin \
+            --silent \
+            --show-error \
+              https://github.com/thegeeklab/git-sv/releases/download/${GITSV_VERSION}/git-sv-linux-$(dpkg --print-architecture)
+          git-sv --version
+
+      - uses: actions/checkout@v6.0.0
         with:
           fetch-tags: true
           fetch-depth: 0
@@ -111,12 +162,12 @@ jobs:
       - name: Create changelog
         run: |
           git sv current-version
-          git sv release-notes -t ${GITHUB_REF#refs/tags/} -o CHANGELOG.md
-          sed -i '1,2d' CHANGELOG.md # remove version
+          git sv release-notes -t "${PACKAGE_VERSION}" -o CHANGELOG.md
+          sed -i '1,2d' CHANGELOG.md
           cat CHANGELOG.md
 
       - name: Release
-        uses: https://github.com/akkuman/gitea-release-action@v1
+        uses: akkuman/gitea-release-action@v1.3.5
         with:
           body_path: CHANGELOG.md
           token: "${{ secrets.RELEASE_TOKEN }}"

Chart.yaml

@@ -7,6 +7,11 @@ version: 0.0.0
 appVersion: 1.24.6
 icon: https://gitea.com/assets/img/logo.svg
 
+annotations:
+  artifacthub.io/links: |
+    - name: support
+      url: https://gitea.com/gitea/helm-gitea/issues
+
 keywords:
   - git
   - issue tracker
@@ -14,23 +19,22 @@ keywords:
   - wiki
   - gitea
   - gogs
+
 sources:
   - https://gitea.com/gitea/helm-gitea
   - https://github.com/go-gitea/gitea
   - https://docker.gitea.com/gitea
+
 maintainers:
   # https://gitea.com/rossigee
   - name: Ross Golder
     email: ross@golder.org
-
   # https://gitea.com/volker.raschek
   - name: Markus Pesch
     email: markus.pesch+apps@cryptic.systems
-
   # https://gitea.com/DaanSelen
   - name: Daan Selen
     email: dselen@nerthus.nl
-
   # https://gitea.com/ChristopherHX
   - name: Christopher Homberger
     email: christopher.homberger@web.de

Makefile

@@ -20,7 +20,10 @@ unittests-helm:
 unittests-bash:
 	./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats
 
-.PHONY: helm
+.PHONY: update-helm-dependencies
 update-helm-dependencies:
 	helm dependency update
 
+.PHONY: yamllint
+yamllint:
+	yamllint -c .yamllint .

templates/deployment.yaml

@@ -364,9 +364,9 @@ spec:
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- range $key, $value := .Values.nodeSelector }}
+      {{- with .Values.nodeSelector }}
       nodeSelector:
-        {{ $key }}: {{ $value | quote }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
     {{- with .Values.affinity }}
       affinity:

unittests/helm/deployment/basic.yaml

@@ -29,6 +29,24 @@ tests:
           path: spec.template.metadata.labels
           content:
             hello: world
+  - it: nodeSelector is undefined
+    asserts:
+      - notExists:
+          path: spec.template.spec.nodeSelector
+        template: templates/deployment.yaml
+  - it: nodeSelector is defined
+    set:
+      nodeSelector:
+        foo: bar
+        bar: foo
+    asserts:
+      - isSubset:
+          path: spec.template.spec.nodeSelector
+          content:
+            foo: bar
+            bar: foo
+        template: templates/deployment.yaml
+
   - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container"
     template: templates/deployment.yaml
     asserts: